8 February, 2012
I’ve recently had some fun setting up load-balanced IIS 7.5 (Server 2008 R2) servers to use Kerberos with the Default Web Site running under an AppPool which uses a domain account.
Now that my monitors have been replaced, I’ve got my new keyboard and have glued my mouse buttons back on, I thought I’d share some resources that helped.
First, Ken Schaefer’s series on Kerberos itself, to remind me how it works:
- IIS and Kerberos. Part 1 – What is Kerberos and how does it work?
- IIS and Kerberos. Part 2 – Service Principal Names
- IIS and Kerberos. Part 3 – A simple scenario
- IIS and Kerberos. Part 4 – A simple delegation scenario
- IIS and Kerberos Part 5 – Protocol Transition, Constrained Delegation, S4U2S and S4U2P
- IIS and Kerberos Part 6 – New in IIS 7
- IIS and Kerberos Part 7 – A simple cross Forest scenario
- IIS and Kerberos Part 8 – a simple cross Forest/Domain delegation scenario
- IIS and Kerberos Part 9 – Cross Forest Delegation scenario with UPN suffix routing
Then Brian Murphy-Booth’s (a.k.a. Brian Booth) excellent tool DelegConfig:
- DelegConfig (Kerberos/Delegation Configuration Reporting Tool)
- Download DelegConfig v2 Beta
- Fun with the Kerberos Delegation Web Site
- Addendum: Making the DelegConfig website work on IIS 7.
The last one of those has four sections: Installing IIS; Installing the web application; Configuring Network Service as the AppPool Identity; and Configuring a domain based user account as the AppPool Identity. This last section held the key for me: I’d remembered everything else from a previous smashing-my-face-into-the-desk exercise except unchecking “Enable Kernel-mode authentication” in the Advanced Settings on the Windows Authentication entry of the Authentication feature. Talk about hidden away…
So, now it all works. Today. If I’m feeling brave, I’ll restart everything tomorrow morning and see if it’s still working. 🙂
I realised that the instructions in Addendum: Making the DelegConfig website work on IIS 7 refer to the Classic .NET AppPool. My servers are built with an unattended build process so my starting point was an R2 server with IIS installed and the .NET Framework 4.0. I created my own App Pool called DefaultWebSiteAppPool [there’s a time for originality and there’s a time for sticking to the bleedin’ obvious] with .NET Framework version v4.0.30319 and Managed Pipeline Mode: Integrated with the identity set to my domain account.
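For anyone rebuilding this, here is the same set-up (app pool with a domain identity on .NET 4.0 / Integrated, then unchecking kernel-mode authentication) as a script rather than clicks in IIS Manager. This is an added example, not something from the post or from DelegConfig; it uses the WebAdministration module that ships with IIS 7.5 and must run elevated on each node. The account name CONTOSO\svc-web and the HTTP/ host names in the comments are placeholders. The reason the kernel-mode box matters: with it on, http.sys decrypts the Kerberos ticket with the machine account’s key, which fails when the SPN is registered on the app pool’s domain account (a shared account being the point of a load-balanced pair); the alternative of keeping kernel mode and setting useAppPoolCredentials is shown commented out.

```powershell
# Added example (not from the post). Assumes IIS 7.5 with the WebAdministration
# module, a site named "Default Web Site", and the placeholder values below.
Import-Module WebAdministration

$poolName    = 'DefaultWebSiteAppPool'   # pool name used in the post
$siteName    = 'Default Web Site'
$poolAccount = 'CONTOSO\svc-web'         # placeholder: the domain account the pool runs as

# Take the password without echoing it; WebAdministration needs it in clear text.
$secure = Read-Host -AsSecureString -Prompt "Password for $poolAccount"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. App pool: .NET 4.0, Integrated pipeline (0), identityType 3 = SpecificUser.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode   -Value 0
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $poolAccount
    password     = $plain
}
$plain = $null
Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# 2. Windows Authentication on the site, with kernel-mode authentication off.
#    These settings are locked to applicationHost.config, so target the site path
#    and the change lands in the site's <location> element.
$filter = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name enabled       -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name useKernelMode -Value $false
# Alternative: keep kernel mode on but make http.sys decrypt with the pool account's key.
# Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name useKernelMode         -Value $true
# Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name useAppPoolCredentials -Value $true

# 3. Read back what was applied, then list the SPNs held by the pool account.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $filter -Name '.' |
    Select-Object enabled, useKernelMode, useAppPoolCredentials
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel |
    Select-Object identityType, userName
# Expect HTTP/<load-balanced-name> and HTTP/<load-balanced-fqdn> (placeholders) on this
# account and on no other principal; a duplicate SPN breaks Kerberos silently.
& setspn.exe -L $poolAccount
& setspn.exe -X
```

The read-back at the end is the bit worth keeping around: after a restart, `useKernelMode` should still read `False` (or `useAppPoolCredentials` `True` if you took the alternative), and `setspn -X` should report no duplicates, which between them cover the two things that most often send a working Kerberos site back to NTLM or a 401.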