
Imagine a website that shows the value of a remote registry key, live, such as the version of the anti-virus definitions on a remote PC. To be clear, there are three computers involved, with the web server acting as a go-between.

The website uses Windows Authentication, so from a browser on Windows, your AD credentials are passed through and IIS authenticates the user (in ASP.NET, the user token is attached and can be programmatically checked).

We're running on IIS 7.5 with kernel-mode authentication. Does an SPN need setting up in AD to allow the Kerberos part of the Windows Authentication to happen?

The site runs under an Application Pool under AD account DOMAIN\AV1, this account is a member of a group that has rights to the computers on the LAN.

The code in the site does not perform impersonation, because it doesn't want to assume the ID of the site user (who doesn't have remote registry rights), so it simply makes a remote registry call.

Does the web server machine account or the DOMAIN\AV1 account need an SPN to negotiate and perform Kerberos auth to the remote computers?

Luke Puplett

1 Answer


Yes, you cannot authenticate in Kerberos without an SPN. A checklist for setting up the SPN for the machine account is here:

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

If it is only a single web server, use the standard two SPNs for the machine account. If it is a web farm, you probably want to opt for a domain account and ensure that account has the required SPNs.

When you state "The code in the site does not perform impersonation", you need to keep in mind that if the IIS machine account is not performing the access to the remote systems, it needs to be delegated the capability to authenticate on behalf of other accounts such as the DOMAIN\AV1 account. If you are using unconstrained delegation, the configuration is straightforward.

You may want to test with the DelegConfig tool, which you can drop onto a web site and configure an application folder for. It provides a simple GUI that performs the necessary checks for you.

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

Greg Askew
  • Greg, these are great links. Do you know about requirements for the outbound side of things? My service authenticating against remote PCs? Sounds like no SPN is needed. – Luke Puplett Aug 19 '13 at 15:47
  • If you mean the systems that you are connecting to, no you would not need an SPN for the remote system. – Greg Askew Aug 19 '13 at 15:52
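As an added example (not part of the question or the answer above), here is the domain-account case from the answer carried through in PowerShell: registering the HTTP SPNs on the application pool account and telling kernel-mode authentication to use that account's key instead of the machine account's. The server name (web01 / web01.corp.example), the domain (CORP), the account name (CORP\AV1) and the site name are assumptions chosen for the example; substitute your own.

```powershell
# Added example, not from the original post.
# Assumed names: web server WEB01 with FQDN web01.corp.example, domain CORP,
# application pool identity CORP\AV1, IIS site "Default Web Site".
# Run from an elevated PowerShell on a domain-joined machine with setspn.exe
# (RSAT / AD DS tools) and the WebAdministration module (IIS 7.5 with PowerShell).

$WebHost  = 'web01'                # NetBIOS / short name users type on the intranet
$WebFqdn  = 'web01.corp.example'   # FQDN users type from elsewhere
$Account  = 'CORP\AV1'             # app pool identity (the answer's "domain account" case)
$SiteName = 'Default Web Site'

# The browser builds the SPN from whatever host name was typed, so both forms are needed.
$Spns = @("HTTP/$WebHost", "HTTP/$WebFqdn")

function Test-SpnRegistered {
    param([string]$Spn)
    # "setspn -Q" prints "Existing SPN found!" when any account in the forest holds the SPN.
    $out = & setspn.exe -Q $Spn 2>&1
    return [bool]($out | Where-Object { $_ -match 'Existing SPN found' })
}

foreach ($spn in $Spns) {
    if (Test-SpnRegistered -Spn $spn) {
        # Could already be on CORP\AV1, or on the machine account / another account
        # (a duplicate). Show who holds it rather than blindly adding a second copy.
        Write-Host "$spn is already registered:"
        & setspn.exe -Q $spn
        continue
    }
    # -S checks for duplicates across the forest before adding and refuses on a clash;
    # prefer it to the older -A, which adds unconditionally.
    & setspn.exe -S $spn $Account
}

# Duplicate SPNs are the classic cause of Kerberos silently falling back to NTLM.
# -X lists every SPN that is registered on more than one account.
& setspn.exe -X

# Show what the account holds now.
& setspn.exe -L $Account

# Kernel-mode authentication decrypts service tickets with the machine account's key
# by default. With the SPN on CORP\AV1, the ticket is encrypted to AV1's key, so IIS
# must be told to use the app pool identity or the client sees KRB_AP_ERR_MODIFIED
# and negotiates down to NTLM.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials' -Value $true

# Verify from a client: after browsing to the site, "klist.exe" on the client should
# list a ticket for HTTP/web01 or HTTP/web01.corp.example.
```

If the application pool runs as the machine account (the single-server case in the answer), the HOST/ SPNs that Active Directory registers automatically on the computer object already cover HTTP, and the useAppPoolCredentials step is unnecessary; the SPN registration above is only for a domain account such as DOMAIN\AV1. The script does not configure any delegation, since the site described does not impersonate the user.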