
I am setting up Kerberos and I have some strange issues. I am testing it with two users: one who has a valid SPN and is trusted for delegation (user1), and one who does not have a valid SPN and is not trusted for delegation (user2). The tests are performed on the server and on a client. The users are set at application pool level. This is how it is working at the moment:

From the server:
Using IP to access Application running under user1: Negotiate and chooses NTLM
Using domain name to access Application running under user1: Kerberos
Using IP to access Application running under user2: Negotiate and chooses NTLM
Using domain name to access Application running under user2: Negotiate and chooses NTLM

From the client:
Using IP to access Application running under user1: Kerberos
Using domain name to access Application running under user1: Kerberos
Using IP to access Application running under user2: Logon Process: Kerberos, Unknown user name or bad password
Using domain name to access Application running under user2: Logon Process: Kerberos, Unknown user name or bad password

Is it possible to solve this so that I only need to use setspn for the users that actually need delegation, but still get Kerberos/NTLM to work with the other users that don't need delegation? So that I can use setspn for the user accounts that need delegation and just use the other accounts without having to configure them? It seems like the Kerberos packages don't find their way to the server for those users too, since it is working with NTLM when I am testing on the server but not when I am testing from the client.

user17562

1 Answer

Delegation does not work with NTLM, and for delegation to work with Kerberos, you need to set the SPN for the machine and (if used) the service account used to host the app pool.

Typically, an SPN is assigned to the machine name(s) that is hosting the application, and the user account that is used for the "Identity" tab of the IIS application pool that is associated with your web site. You typically need to use a non-user (service) account in the Identity tab of the application pool if your application needs to access resources on other computers, while impersonating the users that are logged on to the IIS application.

SPNs and Trusted for Delegation aren't required for users that simply need to log on and use the IIS application.

An account that is Trusted for Delegation can impersonate other user accounts without their password or even a security token. This is a security-critical function and should never be done for a regular user account.

Greg Askew
  • I have no problem with delegation and it is working with user1 as it should. The problem is that I do not need delegation for user2 and I do not care whether it therefore uses Kerberos or NTLM; the problem now is that no application running in the application pool where user2 is set is working, since I have not used setspn for user2. My question is, is it possible to configure all app pool accounts that don't need to use delegation to work, without having to use setspn for all of those accounts? – user17562 Dec 30 '09 at 18:35
  • I think it depends what the application is doing. You may want to test forcing the web site to use NTLM only, to see if it works in that scenario. http://support.microsoft.com/kb/215383 – Greg Askew Dec 30 '09 at 19:17
  • Thank you for the answer, I did follow that page and I am using Negotiate,NTLM. The problem is that the setting is port based and I need to run all applications on port 80. So I must use just Negotiate,NTLM for all applications. My hope was that it would use Kerberos for those applications running under an application pool user that has a valid SPN and use NTLM for the rest. But if you look at my test cases, it seems like it always tries to use Kerberos when the client is connecting, but the packages can't find their way to the server when no valid SPN is set. – user17562 Dec 31 '09 at 06:19
  • What code are you using to determine if the client is authenticating with Kerberos or NTLM? – Greg Askew Dec 31 '09 at 13:59
  • http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434 – user17562 Jan 03 '10 at 08:34
  • There does seem to be an authoritative reference in this KB article that an SPN is required for the account used if you need to use Kerberos for authentication: http://support.microsoft.com/?id=871179 "To use Kerberos authentication, a service must register its service principal name (SPN) under the account in the Active Directory directory service that the service is running under." – Greg Askew Jan 03 '10 at 13:39
  • I guess you're right, I thought that it would be possible for the Negotiate,NTLM setting to fall back to NTLM if Kerberos wouldn't work. Thank you for putting so much time into this. – user17562 Jan 04 '10 at 15:02
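The thread ends on the rule that a service must have its HTTP SPN registered on the account it runs under; the PowerShell below, an added example that is not from the thread or its participants, audits that condition for every IIS application pool running as a specific domain account and also flags duplicate SPNs, which break Kerberos just as a missing one does. It assumes a domain-joined IIS 7+ server with the WebAdministration module; the function names are mine.

```powershell
# Added example: report, per IIS app pool, whether Kerberos can work for its identity.
# Assumes the WebAdministration module (IIS 7+) and a domain-joined server.
Import-Module WebAdministration

function Get-AccountSpns {
    param([string]$SamAccountName)
    # servicePrincipalName values registered on the account in the current domain.
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return @() }
    return @($hit.Properties['serviceprincipalname'])
}

function Get-SpnOwners {
    param([string]$Spn)
    # Every account carrying this SPN; more than one owner is a duplicate SPN and
    # the KDC cannot pick a key, so Kerberos fails even for the "correct" account.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    return @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

function Test-AppPoolSpns {
    param([string]$HostName = $env:COMPUTERNAME,
          [string]$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    # Browsers build the SPN from the URL host, so both short name and FQDN are checked.
    $wanted = @("HTTP/$HostName", "HTTP/$Fqdn")
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        # Built-in identities (NetworkService, ApplicationPoolIdentity) authenticate as the
        # computer account, whose HOST/ SPN already covers HTTP; only custom accounts need checking.
        if ($pool.processModel.identityType -ne 'SpecificUser') { continue }
        $user = $pool.processModel.userName
        $sam  = if ($user -match '@') { $user.Split('@')[0] } else { $user.Split('\')[-1] }
        $have    = Get-AccountSpns $sam
        $missing = @($wanted | Where-Object { $have -notcontains $_ })
        $dupes   = @($wanted | Where-Object { (Get-SpnOwners $_).Count -gt 1 })
        [pscustomobject]@{
            AppPool       = $pool.name
            Account       = $sam
            KerberosOk    = ($missing.Count -eq 0 -and $dupes.Count -eq 0)
            MissingSpns   = $missing -join ', '   # fix with: setspn -S HTTP/<fqdn> DOMAIN\account
            DuplicateSpns = $dupes -join ', '
        }
    }
}

Test-AppPoolSpns | Format-Table -AutoSize
```

A pool reported with MissingSpns is exactly the user2 case in the question: clients that build a Kerberos ticket for HTTP/<host> get "Unknown user name or bad password" because no account in the domain owns that SPN, while the server-side test succeeds only because it falls back to NTLM.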