-
标题
HOW TO: Configuring Kerberos Constrained Delegation on a standalone Active Roles Web Interface when using a gMSA -
说明
It is possible to run Active Roles in a configuration where the Active Roles Service Account, the IIS App Pool Service Account, and the SQL Service Account are all configured as a Group Managed Service Account (gMSA). It is also possible to use a mix of gMSA and standard credentials.
NOTE: There are expected product limitations when running the Active Roles Service Account as a gMSA.
-
解决办法
Part 1: Configure the Active Roles service account SPN (Service Principal Name)
setspn -S ArAdminSvc/ActiveRolesServiceHost.domain.com GMSAName$setspn -S ArAdminSvc/ActiveRolesServiceHost GMSAName$Example: To configure the SPN for a server named ActiveRoles01 in the domain.local domain which is using a gMSA named ARGMSA:setspn -S ArAdminSvc/ActiveRoles01.domain.local ARGMSA$setspn -S ArAdminSvc/ActiveRoles01 ARGMSA$Part 2: Authentication paths
There are two authentication paths which must be configured:
Active Roles Web Interface -> Microsoft SQL Service
The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.
Active Roles Web Interface -> Active Roles Administration Service -> Microsoft SQL Service
The service account running the IIS AppPool on the Active Roles Web Interface host must have constrained delegation access to the ArAdminSvc SPN on the Active Roles Service Account. In addition, the service account running the Active Roles Administration Service must have constrained delegation access to the MSSQLSvc SPN stored on the account running the Microsoft SQL Service.
When configuring delegation for a gMSA, there is no standard Delegation tab in Active Directory Users and Computers like there is for a Computer or User account. Instead, it is necessary to update two attributes on the gMSA manually using Active Directory Users and Computers or the Active Roles Console, if Active Roles is already configured.
msDS-AllowedToDelegateTo needs to be updated with the SPN of the delegated service.
So, the msDS-AllowedToDelegateTo attribute on the IIS gMSA needs to have entries for both the MSSQLSvc and ArAdminSvc SPN's.
The msDS-AllowedToDelegateTo attribute on the Active Roles gMSA needs to have entries for the MSSQLSvc SPN.
Example:
It may also be necessary to adjust the userAccountControl attribute value on the gMSA as well. This is used to control the authentication protocol used.
The value for just Kerberos is 4096, and the value to use any authentication protocol it is 16781312. For constrained delegation, set the value to 4096.
In some environments, it may be necessary to use a different value if advanced functionality is desired. For more information on possible values for the userAccountControl attribute, please see this Microsoft resource or contact Microsoft for more information.
IMPORTANT: After all SPN's have been added to Active Directory, reboot the host machines to load the Active Directory changes.
Part 3: Configure IIS server hosting Active Roles Web Interface
- In Internet Information Server (IIS), navigate to Application Pools, right-click on ARWebAppPool and choose Advanced Settings
- Ensure that Load User Profile is set to True
- In Internet Information Server (IIS), navigate to the website, such as ARWebAdmin
- Double-click Authentication
- Ensure only Windows Authentication and ASP.NET Impersonation are enabled (and using default settings)
- Reboot the Web Interface host.
Part 4: If you have any access issues, ensure the follow options are set in the browser.
Microsoft Internet Explorer:
- Configure IE (Internet Explorer) settings to allow Automatic Logon in Intranet Zone
- In IE settings, add the domain as a trusted site. Navigate to Security | Local Intranet
- Click Sites and then Advanced
- Add in the Domain, such as *.mydomain.com
Google Chrome:- Set/Add this string registry key either manually for via GPO:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
Name: AuthServerAllowlist
Value: *.mydomain.com
This value accepts a comma-separated list.
Microsoft Edge:- Set/Add this string registry key either manually for via GPO:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
Name: AuthServerAllowlist
Value: *.mydomain.com
This value accepts a comma-separated list.
By default, Kerberos support in Firefox is disabled. To enable it:- Open about:config in the address bar
- Specify the addresses of the web servers for which it is desired to allow Kerberos authentication in the following configurations as a comma-separated list:
- network.negotiate-auth.trusted-uris
network.automatic-ntlm-auth.trusted-uris
If end-users access the Active Roles Web Interface using a NetBIOS name, it is also necessary to disable the mandatory entering of the FQDN server address in the Mozilla Firefox address bar by enabling the network.negotiate-auth.allow-non-fqdn setting.