IIS6/Kerberos/Application Pools/Integrated Security...

on 11.05.2007 00:20:00 by kevindk

So after some serious "fun" trying to get Kerberos to work for me I think I
have determined that my configuration is going to require NTLM. Here's the
situation. We have a load balanced server farm backed by 3 different
servers, say A, B, and C. Each of these servers is configured via host
headers to respond to say domain.com, use only IWA, and hosts several
application pools running with different domain accounts for different
applications to use.

I've tried adding SPNs, but to no avail. So I configured IIS to only
respond to NTLM authentication requests and things have started to work. My
question is this: in this setup is NTLM the only configuration available to
me or am I missing some other setting or scenario?

Re: IIS6/Kerberos/Application Pools/Integrated Security...

on 12.05.2007 06:25:46 by Ken Schaefer

Hi,

Kerberos can work in an NLB scenario. However, similar rules apply to a
single server situation:
a) IIS must be able to decrypt the service ticket. Since you don't know
which server the request will end up with, you need to use a domain user
account to run the web app pool, not a machine specific account
(LocalSystem, Network Service, etc.)

b) ensure you don't have duplicate SPNs registered (e.g. if you added an SPN
under a user account, ensure that it's not registered under the machine
account)

c) an SPN incorporates all the resources at an FQDN (e.g.
www.yourapplication.com). You cannot have different parts of that web
application in different web app pools that run under different user
accounts (e.g. /myApp1 and /myApp2 run under different accounts), because the
DC doesn't know which account's password to encrypt the service ticket with.

See:
IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

Cheers
Ken

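
An added check for Ken's rules (a), (b) and (c) (an example script written here, not Ken's or Microsoft's code): it queries Active Directory for the account(s) holding the HTTP SPN of the farm's host header and compares them with the identities configured on the application pools. It assumes PowerShell 2.0 or later on a domain-joined machine; www.yourapplication.com and DOMAIN\svc_webapp are placeholders.

```powershell
# Added example (not code from the thread): audit the HTTP SPN for a load-balanced
# host header against Ken's rules. Assumes PowerShell 2.0+ on a domain-joined host;
# the FQDN and account names below are placeholders.
param(
    [string]$Fqdn = 'www.yourapplication.com',            # host header the farm answers to
    [string[]]$AppPoolAccounts = @('DOMAIN\svc_webapp')   # identities set on the pools serving it
)

function Get-SpnHolders {
    param([string]$Spn)
    # Find every directory object (user or computer) with this exact SPN registered.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    $null = $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectClass'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account   = [string]$r.Properties['samaccountname'][0]
            IsMachine = (@($r.Properties['objectclass']) -contains 'computer')
        }
    }
}

$spn     = "HTTP/$Fqdn"
$holders = @(Get-SpnHolders -Spn $spn)

# Rule (b): exactly one account may hold the SPN, or the KDC cannot pick a key.
switch ($holders.Count) {
    0       { "MISSING: no account holds $spn; clients will negotiate down to NTLM." }
    1       { "OK: $spn is held by $($holders[0].Account)." }
    default { "DUPLICATE: $spn is held by " + (($holders | ForEach-Object { $_.Account }) -join ', ') +
              "; Kerberos will fail until all but one are removed." }
}

# Rule (a): in a farm the holder must be a domain user, not one machine's account.
foreach ($h in $holders) {
    if ($h.IsMachine) { "MACHINE ACCOUNT: $($h.Account) holds $spn; only that server can decrypt tickets." }
}

# Rule (c): every pool under this FQDN must run as the account that holds the SPN.
$userHolders = $holders | Where-Object { -not $_.IsMachine } | ForEach-Object { $_.Account }
foreach ($acct in $AppPoolAccounts) {
    $name = ($acct -split '\\')[-1]          # DOMAIN\name -> name
    if ($userHolders -notcontains $name) {
        "MISMATCH: pool identity $acct does not hold $spn; tickets issued for it cannot be decrypted."
    }
}
```

Run it once per host header the farm serves; a clean result is one "OK" line and no MACHINE ACCOUNT or MISMATCH lines.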

Re: IIS6/Kerberos/Application Pools/Integrated Security...

on 14.05.2007 18:28:07 by kevindk

Ken, thanks for the info... that was my problem... multiple app pool IDs on
the same FQDN.

Sounds like I'm stuck with NTLM!
