Configuring Kerberos Authentication on IIS Website

RDP on Web Server

Return to the vSphere Web Client,

  1. Click the Intranet VM.
  2. Click the Summary tab.
  3. Click the Gear icon on the Intranet Screen.
  4. Click Launch Remote Console.

NOTE: A new browser tab will open and the VMware Remote Console will load after a few seconds.

1. Login to the Intranet VM

The VMware Remote Console may take a few seconds to launch.  Once the VMware Remote Console launches,

  1. Press Ctrl+Alt+Delete to open the login page.
  2. Enter VMware1! for the password.
  3. Click the Login button, or press ENTER.

2. Launch IIS

Launch IIS

Click the IIS Manager icon from the toolbar

3. Configure IIS WebSite

Configure Authentication Method

Open IIS Manager (Internet Information Services) from the Task Bar at the bottom of the screen.

  1. Click on Arrow Down to expand the INTRANET node
  2. Click on Arrow Down to expand the Sites node
  3. Click on IT Site
  4. Double Click on Authentication

3.1. Enable Windows Authentication Method

Set Windows Authentication
  1. Select Windows Authentication.
  2. Click on Enable.

NOTE: Make sure Anonymous Authentication, ASP.NET Impersonation and Basic Authentication are Disabled. When you install IIS for the first time, Anonymous Authentication is always enabled by default.

3.2. Configure Authentication Providers

Access to List of Providers

After enabling the Windows Authentication method you will be able to set up the Authentication Providers.

Click Providers to open the list of Providers available for Windows Authentication.

3.3. Configure Providers

Configuring Providers

Negotiate and NTLM have already been configured as the two enabled providers available. In a new IIS installation that won't be the case and you will need to install the providers as part of the IIS installation, and add those here.  These tasks are beyond the focus of this lab and have been configured for you.

Negotiate is a container that tries Kerberos as the first authentication method; if Kerberos authentication fails, it falls back to NTLM, which means a username and password will be used.

It is mandatory that Negotiate comes first in the list of providers. Check and confirm that Negotiate is first and NTLM second.

Click X to close the Window.

3.4. Configure Kernel-mode Authentication

Access Advanced Settings
  1. Click on Windows Authentication
  2. Click on Advanced Settings...


3.5. Enable Kernel-mode Authentication

Enable Kernel Mode
  1. Check Enable Kernel-mode authentication
  2. Click OK

Leave Extended Protection Off for this lab. In a production environment, however, you should configure this option, as it enhances the existing Windows Authentication functionality to mitigate authentication relay or "man in the middle" attacks. Microsoft's IIS documentation describes Extended Protection in more detail.

4. Configure IIS Application Pool

In this step you configure the Application Pool to run under a specific account (corp\iis_it) that has already been created.

4.1. Configure Identity for an Application Pool

Config Application Pools
  1. Select Application Pools
  2. Select IT on the list of Application Pools
  3. Click Advanced Settings

4.2. Update the Application Pool Identity

Set new Identity

In this step we will set CORP\iis_it as the account to be used to launch the Pool.

Select the "..." for Identity under Process Model

4.3. Select Custom Account

Set the account
  1. Select Custom account
  2. Click Set...

4.4. Set Custom Account Credentials

Set Credentials
  1. Enter corp\iis_it for User name
  2. Enter VMware1! for Password
  3. Enter VMware1! for Confirm password
  4. Click OK

4.5. Confirm Custom Account for Application Pool Identity

Confirm Credentials

Click OK to confirm that corp\iis_it is the account to be used by this pool.

4.6. Confirm the Updated Application Pool Identity

Confirm
  1. corp\iis_it is now set as the account
  2. Click OK

4.7. Configure Application Pool to use Identity Credentials

Access Configuration Editor
  1. Click on the IT Web Site
  2. Double click on Configuration Editor

4.8. Select Windows Authentication

Select Authentication Configuration
  1. Open the Section list.
  2. Select system.webServer / security / authentication / windowsAuthentication.

4.9. Update Windows Authentication Configuration

Select Pool to use Credentials
  1. Click the dropdown arrow for useAppPoolCredentials.
  2. Select True for useAppPoolCredentials.
  3. Click Apply.

When you set useAppPoolCredentials to true, you are telling IIS to use the application pool identity (which you set to CORP\iis_it), rather than the machine account, to decrypt the Kerberos token/ticket that the client obtained from AD and forwarded to the server to authenticate the user.

4.10. Reset IIS

Open a Command Prompt on the Intranet VM within the VMware Remote Console and run the command to reset IIS:

  1. Open Command Prompt from the taskbar.
  2. Enter iisreset and press ENTER.
  3. Confirm IIS successfully stops and then starts again.
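The following script is an added example, not part of this lab guide: it applies the same configuration as steps 3 through 4.10 (Windows Authentication only, Negotiate before NTLM, kernel-mode authentication, useAppPoolCredentials, and the corp\iis_it pool identity) with the WebAdministration module instead of the IIS Manager GUI, then reads the effective settings back. It assumes the site name "IT Site" and pool name "IT" from the lab, that the Basic Authentication feature is installed (as it is here), and that it runs in an elevated PowerShell session on the Intranet VM.

```powershell
# Added example (not from the lab guide). Assumes site 'IT Site', pool 'IT',
# and an elevated session on the Intranet VM where the lab pieces are installed.
Import-Module WebAdministration

$Site    = 'IT Site'
$Pool    = 'IT'
$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Auth    = 'system.webServer/security/authentication'
$Prov    = "$Auth/windowsAuthentication/providers"

function Set-SiteAuth($Section, $Name, $Value) {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Site `
        -Filter "$Auth/$Section" -Name $Name -Value $Value
}

# 3.1: Windows Authentication on; anonymous (on by default) and basic off.
Set-SiteAuth 'windowsAuthentication'   'enabled' $true
Set-SiteAuth 'anonymousAuthentication' 'enabled' $false
Set-SiteAuth 'basicAuthentication'     'enabled' $false
# ASP.NET impersonation lives in the site's web.config, not applicationHost.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter 'system.web/identity' `
    -Name impersonate -Value $false

# 3.3: rebuild the provider list so Negotiate (Kerberos first) precedes NTLM.
Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter "$Prov/add" | ForEach-Object {
    Remove-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Prov `
        -Name '.' -AtElement @{ value = $_.value }
}
foreach ($p in 'Negotiate', 'NTLM') {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Prov `
        -Name '.' -Value @{ value = $p }
}

# 3.5 and 4.9: kernel-mode auth, and decrypt tickets with the pool identity's key
# (this requires corp\iis_it to hold the site's HTTP SPN, which is outside this section).
Set-SiteAuth 'windowsAuthentication' 'useKernelMode'         $true
Set-SiteAuth 'windowsAuthentication' 'useAppPoolCredentials' $true
# Production only; the lab leaves Extended Protection off:
# Set-SiteAuth 'windowsAuthentication/extendedProtection' 'tokenChecking' 'Require'

# 4.1 to 4.6: run the pool as corp\iis_it; prompt rather than hard-code the password.
$cred = Get-Credential -UserName 'corp\iis_it' -Message 'Application pool identity'
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 4.10: restart IIS, then read back what is actually in effect for the site.
iisreset | Out-Null
$wa    = Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter "$Auth/windowsAuthentication"
$order = @((Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter "$Prov/add").value)
[pscustomobject]@{
    WindowsAuth  = $wa.enabled;  KernelMode = $wa.useKernelMode
    AppPoolCreds = $wa.useAppPoolCredentials; Providers = ($order -join ',')
    PoolIdentity = (Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel).userName
}
if ($order[0] -ne 'Negotiate') { throw 'Negotiate must be the first provider' }
```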

4.11. Minimize Intranet VM

Click on the icon to minimize Intranet VM