Configuring Kerberos Authentication on IIS Website
Return to the vSphere Web Client, then:
- Click the Intranet VM.
- Click the Summary tab.
- Click the Gear icon on the Intranet screen.
- Click Launch Remote Console.
NOTE: A new browser tab will open and the VMware Remote Console will load after a few seconds.
1. Login to the Intranet VM
The VMware Remote Console may take a few seconds to launch. Once it has launched:
- Press the Ctrl+Alt+Delete button to open the login page.
- Enter VMware1! for the password.
- Click the Login button, or press ENTER.
2. Launch IIS
Click the IIS Manager icon on the toolbar.
3. Configure IIS WebSite
Open IIS Manager (Internet Information Services), located on the taskbar at the bottom of the screen.
- Click the down arrow to expand the INTRANET node.
- Click the down arrow to expand the Sites node.
- Click IT Site.
- Double-click Authentication.
3.1. Enable Windows Authentication Method
- Select Windows Authentication.
- Click Enable.
NOTE: Make sure Anonymous Authentication, ASP.NET Impersonation and Basic Authentication are disabled. When IIS is installed for the first time, Anonymous Authentication is enabled by default.
3.2. Configure Authentication Providers
After enabling the Windows Authentication method you will be able to set up the authentication providers.
Click Providers to open the list of providers available for Windows Authentication.
3.3. Configure Providers
Negotiate and NTLM have already been configured as the two enabled providers. In a new IIS installation that will not be the case: you will need to install the providers as part of the IIS installation and add them here. Those tasks are beyond the scope of this lab and have been done for you.
Negotiate is a container that tries Kerberos as the first authentication method and, if Kerberos authentication fails, falls back to NTLM, which means the user's username and password will be used.
It is mandatory that Negotiate comes first in the list of providers; check and confirm that Negotiate is first and NTLM second.
Click X to close the window.
3.4. Configure Kernel-mode Authentication
- Click Windows Authentication.
- Click Advanced Settings...
3.5. Enable Kernel-mode Authentication
- Check Enable Kernel-mode authentication.
- Click OK.
Leave Extended Protection set to Off for this lab. In a production environment, however, you should configure this option, as it enhances the existing Windows Authentication functionality to mitigate authentication relay ("man in the middle") attacks. You can find more information about Extended Protection here.
4. Configure IIS Application Pool
In this step you are configuring the Application Pool to run under a specific account (corp\iis_it) that has already been created.
4.1. Configure Identity for an Application Pool
- Select Application Pools.
- Select IT in the list of Application Pools.
- Click Advanced Settings.
4.2. Update the Application Pool Identity
In this step we will set CORP\iis_it as the account used to run the pool.
Click the "..." button for Identity under Process Model.
4.3. Select Custom Account
- Select Custom account.
- Click Set...
4.4. Set Custom Account Credentials
- Enter corp\iis_it for User name.
- Enter VMware1! for Password.
- Enter VMware1! for Confirm password.
- Click OK.
4.5. Confirm Custom Account for Application Pool Identity
Click OK to confirm that corp\iis_it is the account to be used by this pool.
4.6. Confirm the Updated Application Pool Identity
- corp\iis_it is now set as the account.
- Click OK.
4.7. Configure Application Pool to use Identity Credentials
- Click the IT Web Site.
- Double-click Configuration Editor.
4.8. Select Windows Authentication
- Open the Section list.
- Select system.webServer / security / authentication / windowsAuthentication.
4.9. Update Windows Authentication Configuration
- Click the dropdown arrow for useAppPoolCredentials.
- Select True for useAppPoolCredentials.
- Click Apply.
Setting useAppPoolCredentials to true tells IIS to use the application pool identity (which you set to CORP\iis_it) rather than the machine account to decrypt the Kerberos ticket that the client obtained from AD and forwarded to the server to authenticate the user. This matters because the service ticket is encrypted with the key of the account that owns the service principal name (SPN), so the pool identity and the SPN owner must match.
4.10. Reset IIS
Open a Command Prompt on the Intranet VM within the VMware Remote Console and run the command to reset IIS:
- Open Command Prompt from the taskbar.
- Enter iisreset and press ENTER.
- Confirm that IIS successfully stops and then starts again.
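The following script is an added example and not part of the lab or of IIS itself: it reads back, through the WebAdministration module that ships with IIS, every setting that steps 3.1 through 4.10 configured in the GUI and reports anything that deviates from the intended Kerberos configuration. It assumes the site is named "IT Site", the application pool "IT" and the pool identity corp\iis_it, as in this lab, and that it runs in an elevated PowerShell on the Intranet VM after the iisreset.

```powershell
# Added verification example (not from the lab). Run elevated on the Intranet VM.
Import-Module WebAdministration

$site     = 'IT Site'                 # site name used in this lab (assumption)
$pool     = 'IT'                      # application pool name used in this lab (assumption)
$poolUser = 'corp\iis_it'             # dedicated domain account used in this lab
$appHost  = 'MACHINE/WEBROOT/APPHOST' # settings live in applicationHost.config <location> tags
$authBase = 'system.webServer/security/authentication'

# Read one attribute of an authentication section as it applies to the site.
function Get-SiteAuthSetting([string]$Section, [string]$Name) {
    (Get-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "$authBase/$Section" -Name $Name).Value
}

function Test-KerberosSiteConfig {
    $findings = @()

    # Step 3.1: only Windows Authentication may be enabled.
    if (-not (Get-SiteAuthSetting 'windowsAuthentication' 'enabled'))   { $findings += 'Windows Authentication is not enabled' }
    if (Get-SiteAuthSetting 'anonymousAuthentication' 'enabled')        { $findings += 'Anonymous Authentication is still enabled' }
    if (Get-SiteAuthSetting 'basicAuthentication' 'enabled')            { $findings += 'Basic Authentication is still enabled' }

    # Step 3.3: Negotiate must be listed before NTLM so Kerberos is offered first.
    $providers = (Get-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "$authBase/windowsAuthentication/providers" -Name Collection).value
    if (-not $providers -or $providers[0] -ne 'Negotiate') {
        $findings += "Provider order is '$($providers -join ', ')'; Negotiate must come first"
    }

    # Steps 3.5 and 4.9: kernel-mode auth on, and tickets decrypted with the pool identity.
    if (-not (Get-SiteAuthSetting 'windowsAuthentication' 'useKernelMode'))         { $findings += 'Kernel-mode authentication is off' }
    if (-not (Get-SiteAuthSetting 'windowsAuthentication' 'useAppPoolCredentials')) { $findings += 'useAppPoolCredentials is false' }

    # Step 4.4: the pool must run as the dedicated domain account, not a built-in identity.
    $pm = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel)
    if ("$($pm.identityType)" -ne 'SpecificUser' -or $pm.userName -ne $poolUser) {
        $findings += "Pool '$pool' runs as '$($pm.identityType)' / '$($pm.userName)', expected $poolUser"
    }
    return $findings
}

$result = Test-KerberosSiteConfig
if ($result.Count -eq 0) { 'All Kerberos settings for this lab are in place.' } else { $result }
```

If the provider list also needs the SPN check, run `setspn -L corp\iis_it` and confirm an HTTP/<site hostname> entry is registered to that account, since the decryption described in step 4.9 only works when the SPN belongs to the pool identity.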
4.11. Minimize Intranet VM
Click the minimize icon to minimize the Intranet VM.