Enabling Kerberos Constrained Delegation for a stand-alone Web Interface instance (4336757)

Return

Feedback Submitted

Did this article solve an issue for you?

Select Rating

Title

Enabling Kerberos Constrained Delegation for a stand-alone Web Interface instance
Description

This article outlines the steps required to enable Kerberos Constrained Delegation on an Active Roles stand-alone Web Interface instance. This is also known as pass-through authentication for Kerberos or a Kerberos Double Hop.

Enabling this configuration is also required if it is desired to disable NTLM authentication when the Active Roles Administration Service and Active Roles Web Interface are on the same host.

NOTE: The built-in HTTP Redirect option in the IIS Manager is not compatible with this functionality. Authentication attempts will fail when connecting to the root Default Web Site if an HTTP Redirect is enabled. Instead, connect directly to the desired site or leverage an alternate redirect method which supports Kerberos authentication redirection. For more information, please contact Microsoft or consult TechNet.
Resolution
WORKAROUND

NOTES:
- Any Windows 10 machine that will be using the Web Interface will require Constrained Delegation. Windows 10 when joined to a domain will block Unconstrained Kerberos Delegation. Please see the following Microsoft Article here.
- Unconstrained delegation requires that the HTTP service principal names be configured for any URL used to access the Active Roles Web Interface. This includes the Active Roles Web Interface machine name as well as any alias or load-balanced URL used to access the Active Roles Web Interface.
- Troubleshooting this configuration is best done by enabling Kerberos logging on all relevant servers and clients by following this Microsoft solution.
- The Active Roles service account must not have the Account is sensitive and cannot be delegated flag set in Active Directory.
Part 1

Configure the Active Roles service account SPN (Service Principal Name)

Open a command prompt as administrator and run the following commands:
Note: Change the names as required.

setspn -S ARAdminSvc/ActiveRolesServiceHost.domain.com domain\ActiveRolesServiceAccount
setspn -S ARAdminSvc/ActiveRolesServiceHost domain\ActiveRolesServiceAccount

Part 2

If the AppPool is running under the context of a user, the SPN must be configured:
Note: Change the names as required.

setspn -S HTTP/iishost.domain.com domain\AppPoolServiceAccount

setspn -S HTTP/iishost domain\AppPoolServiceAccount

The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the Active Roles SPN on the Active Roles Service Account.

Configure Delegation
1. Open Active Directory Users and Computers
2. Open the properties of the ApplicationPoolIdentity
3. Click on the Delegation tab
4. Click Trust this user for delegation to specified services only
5. Also click Use Kerberos only
6. Click Add
7. Search for and select the appropriate Active Roles service account
8. Click Select All
9. Click Ok
NOTE:

In some environments it may also be necessary for the Active Roles Web Interface host to have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.

Examples:

To confirm the SetSPN settings, run:

setspn -l domain\account

Example results:

IIS AppPool account in AD:

After all SPN's have been added to Active Directory, reboot the host machines to load the Active Directory changes.

For the IIS machine, these must be configured:
1. If the Application Pool user is not a Domain Admin, the user right Log on As a Batch Service must be granted (either via Local Security Policy or via GPO)
2. The user must be added to the local Administrators group
Part 3

Configure IIS server hosting Active Roles Web Interface
1. In Internet Information Server (IIS), navigate to the website, such as ARWebAdmin
2. Double-click Authentication
3. Ensure only Windows Authentication and ASP.NET Impersonation are enabled (and using default settings)
4. In the Windows Authentication option, select Providers and ensure NTLM is not listed (remove it if it exists)
5. Reboot the Web Interface host
Part 4

If you have any access issues, ensure the follow options are set in the browser.

Microsoft Internet Explorer:
1. Configure IE (Internet Explorer) settings to allow Automatic Logon in Intranet Zone
2. In IE settings, add the domain as a trusted site. Navigate to Security | Local Intranet
3. Click Sites and then Advanced
4. Add in the Domain, such as *.mydomain.com
Google Chrome:

Set/Add this string registry key either manually for via GPO:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]

Name: AuthServerAllowlist

Value: *.mydomain.com

This value accepts a comma-separated list.

Microsoft Edge:

Set/Add this string registry key either manually for via GPO:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]

Name: AuthServerAllowlist

Value: *.mydomain.com

This value accepts a comma-separated list.

Mozilla Firefox:

By default, Kerberos support in Firefox is disabled. To enable it:
1. Open about:config in the address bar
2. Specify the addresses of the web servers for which it is desired to allow Kerberos authentication in the following configurations as a comma-separated list:
network.negotiate-auth.trusted-uris

network.automatic-ntlm-auth.trusted-uris

If end-users access the Active Roles Web Interface using a NetBIOS name, it is also necessary to disable the mandatory entering of the FQDN server address in the Mozilla Firefox address bar by enabling the network.negotiate-auth.allow-non-fqdn setting.