IIS 6.0 Integrated Authentication

on 30.08.2007 20:28:40 by Joe Corey

Hi All,

I've been struggling with getting IIS 6 to use Kerberos but it looks like it
keeps failing back to NTLM. I'm attempting to use delegation on my IIS
server to allow for admin pages where we can create user accounts, new group
policies, change passwords, etc. using regular ASP with VBScript. When I use
WFetch to test a Kerberos request, I get the following in the response:

You do not have permission to view this directory or page using the
credentials that you supplied because your Web browser is sending a
WWW-Authenticate header field that the Web server is not configured to
accept.

and

HTTP Error 401.2 - Unauthorized: Access is denied due to server
configuration.


I've taken the following steps to setup Integrated Authentication with
Delegation:

- Set the computer account for the web server in Active Directory to "Trust
this computer for delegation to any service (Kerberos Only)"
- Configured the entire web site for Integrated Authentication with no
other authentication methods turned on
- Set an SPN for the web server for HTTP/servername

Any help on getting this to work would be appreciated.

--
Joseph T. Corey MCSE, Security+
Systems Administrator
jcorey@cmu.edu

Re: IIS 6.0 Integrated Authentication

on 31.08.2007 01:02:53 by tiago.halm

Joseph,

To enable Kerberos follow these steps (some you already have):

1 - Set the WebSite with "Integrated Windows Authentication"
2 - Set an SPN like http/machine.some.location domain\account
3 - The name "machine.some.location" must be set in DNS pointing to
one of the machine IP addresses so the browser can resolve the SPN
when accessing it.
4 - The "domain\account" must be set to the account with which you're
running the AppPool to which the WebSite is associated. This account
is the one performing the delegation action.
5 - Set the WebSite you're accessing with a host header equal to
"machine.some.location" pointing to the IP address in (3) or to the "All
Unassigned" option.
6 - In AD go to the "domain\account" you've set above and in the
delegation tab select the radio button in the middle (cannot recall
the name of it, but it's something like "Use Kerberos for all
services??")
7 - Finally, if you're using IE, go to "Internet Options->Advanced"
and check the option "Enable Integrated Windows Authentication". (see
[*] for the reason why)

Having done all this, I think you're set! :)
If you still find problems, then there is a great paper on
troubleshooting Kerberos available on Microsoft:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

[*] When delegating, the account being delegated needs to allow the
delegation of its token. When you set this option in your IE you're in
fact stating that "if the webserver, by any chance, needs to delegate
my account, then go ahead ... I'll allow".

Tiago Halm
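The two diagnostic questions raised in this thread, whether the client actually sent Kerberos or fell back to NTLM (Joe's symptom) and whether the SPN the browser will ask for matches what is registered on the AppPool account (Tiago's steps 2, 3 and 5), can both be answered from a captured 401 challenge and the browser's follow-up request, such as the output WFetch shows. The script below is an added example written for this thread, not code posted by either participant. It decodes the base64 token in the `Authorization: Negotiate` header and looks for the `NTLMSSP` signature or the Kerberos mechanism OIDs, derives the expected `HTTP/<host>` SPN from the `Host` header, and compares it against a list of registered SPNs (the constructed `SAMPLE_SPN_LIST` stands in for what `setspn -L domain\account` prints). The sample HTTP messages and tokens are constructed inline; no real ticket is involved.

```python
import base64

# Byte signatures used to classify a Negotiate token.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
KERBEROS_OID = bytes.fromhex("06092a864886f712010202")
# DER encoding of the Microsoft Kerberos OID 1.2.840.48018.1.2.2 (also used by Windows)
MS_KERBEROS_OID = bytes.fromhex("06092a864882f712010202")
# DER encoding of the SPNEGO OID 1.3.6.1.5.5.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")
GSSAPI_TAG = 0x60  # outer [APPLICATION 0] tag of a GSS-API InitialContextToken


def parse_headers(message):
    """Split an HTTP message (status/request line plus headers) into
    (first_line, [(name, value), ...]) with header names lower-cased."""
    lines = message.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def offered_schemes(response_401):
    """Authentication schemes the server offers in its 401 challenge."""
    _, headers = parse_headers(response_401)
    return [v.split()[0] for n, v in headers if n == "www-authenticate" and v]


def classify_token(authorization_value):
    """Decide what an 'Authorization: Negotiate <b64>' value carries.
    Returns 'kerberos', 'ntlm', 'spnego-ntlm' or 'unknown'."""
    scheme, _, b64 = authorization_value.partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "unknown"
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"  # bare NTLMSSP message, no GSS-API wrapper at all
    if raw and raw[0] == GSSAPI_TAG:
        if NTLMSSP_SIGNATURE in raw:
            return "spnego-ntlm"  # SPNEGO wrapper, but the inner mech token is NTLM
        if KERBEROS_OID in raw or MS_KERBEROS_OID in raw:
            return "kerberos"  # Kerberos AP-REQ, directly or inside SPNEGO
    return "unknown"


def expected_spn(request):
    """The SPN a browser asks the KDC for: HTTP/<host name it was given>, port stripped."""
    _, headers = parse_headers(request)
    host = next((v for n, v in headers if n == "host"), None)
    if host is None:
        return None
    return "HTTP/" + host.split(":")[0]


def spn_registered(spn, registered_spns):
    """Case-insensitive check of the expected SPN against the setspn -L output."""
    wanted = spn.lower()
    return any(s.strip().lower() == wanted for s in registered_spns)


def diagnose(response_401, request, registered_spns):
    """Summarise the exchange: does the server offer Negotiate, what did the
    client send, and is the SPN the client needs actually registered?"""
    schemes = offered_schemes(response_401)
    _, headers = parse_headers(request)
    auth = next((v for n, v in headers if n == "authorization"), "")
    spn = expected_spn(request)
    return {
        "server_offers_negotiate": "Negotiate" in schemes,
        "client_token": classify_token(auth),
        "expected_spn": spn,
        "spn_registered": spn is not None and spn_registered(spn, registered_spns),
    }


# --- Constructed sample data (not captured from a real server) ---------------
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
)
SAMPLE_SPN_LIST = ["HTTP/machine.some.location", "HOST/machine"]  # as setspn -L would list


def make_ntlm_type1():
    # Constructed NTLMSSP NEGOTIATE (type 1) message: signature, type, flags, padding.
    return NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16


def make_fake_kerberos_token():
    # Constructed stand-in for a SPNEGO token carrying a Kerberos mechanism; only the
    # outer tag and the OIDs matter to the classifier, there is no real ticket inside.
    body = SPNEGO_OID + KERBEROS_OID + b"\x00" * 8
    return bytes([GSSAPI_TAG, len(body)]) + body


def make_spnego_wrapped_ntlm():
    # Constructed SPNEGO wrapper whose inner mech token is NTLM (what a fallback looks like).
    body = SPNEGO_OID + make_ntlm_type1()
    return bytes([GSSAPI_TAG, len(body)]) + body


def sample_request(token):
    return (
        "GET /admin/ HTTP/1.1\r\n"
        "Host: machine.some.location\r\n"
        "Authorization: Negotiate " + base64.b64encode(token).decode() + "\r\n"
    )


if __name__ == "__main__":
    print(diagnose(SAMPLE_401, sample_request(make_spnego_wrapped_ntlm()), SAMPLE_SPN_LIST))
```

Reading the result: `client_token` of `ntlm` or `spnego-ntlm` with `server_offers_negotiate` true and `spn_registered` false is the classic fallback case, the browser could not get a ticket for `HTTP/<host>` so it sent NTLM instead; `server_offers_negotiate` false means IIS itself never offered Kerberos, which matches the 401.2 "not configured to accept" message. To use it on real data, paste the WFetch response and request text into `SAMPLE_401` and `sample_request`, and replace `SAMPLE_SPN_LIST` with the lines from `setspn -L` for the AppPool account.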