Kerberos / Delegation Worksheet

Finally getting back to this topic...  I created a worksheet for one of my customers that detailed the configuration of Kerberos & delegation.  There are really two tracks that need to be followed:  1) Confirm that authentication works on the client, front-end server, and back-end servers, and 2) Confirm that Active Directory, trust relationships and DNS are all configured correctly.

This list certainly isn't inclusive of all delegation scenarios but it should be helpful.

Track 1 : Client and Server Authentication

Area

Checklist

Client PC
  • Client is Windows 2000/2003/XP
  • Integrated Authentication is enabled within IE
  • No proxy between client and server
  • Destination website is in Local Intranet zone (preferred) or Trusted Sites Zone
  • IE Security zone policy allows Automatic Login in current zone
  • Client time is within five minutes of server’s time, time zone not withstanding
  • Client and Server are in the same forest or domain, or there is a trust relationship in place between the two.

 

Front End Server
  • Integrated Authentication is the only authentication method checked on the website
  • Enable Success auditing on logon events on the server
  • If FrontPage 2002 Server Extensions are installed, ensure that hotfix MS06-017 is also installed
  • Confirm that the NTAuthenticationProviders setting in the metabase is set to ‘Negotiate,NTLM’
  • Ensure that web applications have <identity impersonate=”true”> in their web.config
  • Determine which service or application needs to be able to impersonate a user
  • Determine the security context that the service operates within
  • IIS 5:  Determine the owner of the aspnet_wp.dll process
  • IIS 6:  Use the identity of the Application Pool that the website runs under.
  • In both cases, SYSTEM, Local Service, and Network Service (2003 only) imply that the security context is the computer account for this server
  • Determine if host headers are used for a website
  • If the application runs under the computer account, the service can create its own SPNs, as long as host headers aren’t used
  • Determine what SPNs need to be created
  • Determine which servers will trust this server for delegation
  • Use search.vbs to ensure that the SPNs do not exist within AD
  • Use Adsiedit.msc to add the SPNs to the proper account
  • Client time is within five minutes of server’s time, time zone not withstanding
  • Client and Server are in the same forest or domain, or there is a trust relationship in place between the two.

 

Back End Server
  • Client time is within five minutes of server’s time, time zone not withstanding
  • Client and Server are in the same forest or domain, or there is a trust relationship in place between the two.

Track 2: Delegation & AD Settings

AD Delegation

  • Create all applicable SPNs before configuring delegation
  • Use Active Directory Users and Computers (dsa.msc) to enable delegation:
  •  For Active Directories at the 2003 Native functional level, view the properties the computer or service account and click the Delegation tab.  
  • Check the box labeled “Trust this Account for…”
  • Select Kerberos only
  • Click the Add button, browse to find services that trust this account for delegation
  •  For Active Directory other than 2003 Native, find the computer or user account and check the “Account is trusted for… “ box.

 

Trust Relationships
  • Cross-domain Kerberos authentication requires two Windows 2003 functional-level forests.
  • Create the appropriate forest trusts
  • DNS
  • Each domain’s DNS needs to have conditional forwarders to the other domain’s servers

Some of the formatting blew up between Word & CS, so apologies for the table being a bit hard to read.

Published 06-26-2006 7:02 AM by jdevries