Configuring Kerberos Delegation

You will now configure Kerberos Delegation for the IIS IT service account that has been assigned to handle Kerberos Delegation for the IIS website.

1. Active Directory Setup

From the Main Console (NOT the Intranet VM opened in the VMware Remote Console!),

  1. Click the Windows button.
  2. Type active directory to search.
  3. Click Active Directory Users and Computers.

1.1. Find IIS IT User


We already create a service account (IIS_IT) that will be used for Kerberos delegation on your web application.

You can see the account created through the Active Directory Users and Computers management console from the Main Console:

  1. Click Users
  2. Look for the Name IIS IT

1.2. Configure Service Principal Name (SPN) for Service Account

The next step includes the registration of Service Principal Name (SPN) entries for the name the website has to respond, in this case IT.CORP.LOCAL.

The SPN can be associated with the Web Server machine name or with the Service Account under which the Application Pool's web server will be running, it can be Local System, Network Service or a domain account.

In case the IIS website needs to be available only by the name of the server on which it is located (for this lab are https://it.corp.local) you would not need to create additional SPN entries as these already exist in the server account IIS_IT in Active Directory. Since the DNS name we are using is IT.CORP.LOCAL and the Web Server machine is INTRANET, you will create a SPN entry  HTTP/IT.CORP.LOCAL for the user account CORP\IIS_IT.

NOTE: Another important point, for Kerberos authentication to succeed in a Load Balanced scenario, the Web servers must use an alternate credential that's shared by all members of the array. The credential must also be associated with the array-specific SPNs. This shared credential may be either a computer account or a service account and must be known by every Web server within the array.

Load Balance is not part of this exercise, however you can obtain more information about this scenario here

1.3. Assign Service Principal Name to Service Account

Setspn for HTTP/it.corp.local
  1. Click the Command Prompt icon from the taskbar on the Main Console (do not return to the Intranet VM in the VMware Remote Console).
  2. Enter the command setspn /s HTTP/it.corp.local CORP\iis_it and press ENTER.
  3. Confirm the command ran successfully, noted by the Updated object output.

With this command, you are giving permission to CORP\IIS_IT to decrypt Kerberos tickets, when users accesses these addresses and authenticate sessions.

1.4. Assign Delegation Rights to the Service Account

Select IIS IT User
  1. Click on the Active Directory Users and Computers icon from the Main Console taskbar
  2. Right-click on the IIS IT user.
  3. Click on Properties.

1.5. Update Delegation Settings

Set User account for Delegation
  1. Click on Delegation tab.
  2. Select Trust this user for delegation to specified services only.
  3. Select Use any authentication protocol.
  4. Click on Add.
Launch Computer search

Click on Users or Computers.

1.7. Search for the Intranet Object Name

Search Intranet computer
  1. Enter intranet on the Enter the object names to select.
  2. Click OK.

1.8. Select the HTTP Service

Select HTTP protocol
  1. Select http for the INTRANET computer on the list of Available Services.
  2. Click OK.

1.9. Add HTTP Service for the Delegation

Add HTTP as Service
  1. Confirm that http for INTRANET computer was added to the list of services to which the IIS_IT account can present delegated credentials. The computer value will be refresh next time you come back to the Delegation tab, instead of INTRANET you will see INTRANET.CORP.LOCAL.
  2. Click OK.

The CORP\IIS_IT account is now authorized to delegate the user logged in credentials to any HTTP service on the INTRANET machine. This setting varies on the type of SPN you have registered and might fall under any one of the below categories.

2. Create a Keytab file

Creating Keytab file

Keytab is the token that will be used to connect to Active Directory and request an authentication ticket without a login password.  Keytab files contains a pair of Kerberos principals and encrypted keys which allows authentication using Kerberos without the need to enter a password.  Keytabs can only be generated through Windows Server OS.

To generate the Keytab file, access the Command Prompt from the Main Console again (do NOT return to the Intranet VM).

  1. Click on the Command Prompt icon from the Main Console.
  2. Enter the following command:
    ktpass -princ HTTP/[email protected] -mapuser [email protected] -mapOp set -pass VMware1! -crypto all -ptype KRB5_NT_PRINCIPAL -out C:\it.keytab and press ENTER

After you execute this command a file named  it.keytab will be created in C:\. This file will be used later during the configuration of the Identity Bridging on the Unified Access Gateway.

Each parameter we passed to the ktpass toll is explained below:

  • -princ - Specifies the principal name in the form HTTP/[email protected] that you created in the previous steps.
    WARNING: This parameter is case sensitive and there is no validation to see if the parameter matches the exact case of the userPrincipalName attribute value when generating the Keytab file.
  • -mapuser - Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account.
  • -map0p - Specifies how the mapping attribute is set. In this case, set sets the value for Data Encryption Standard (DES) - only encryption for the specified local user name.
  • -crypto - Specifies the keys that are generated in the keytab file.
  • -ptype - Specified the principal type. KRB5_NT_PRINCIPAL is the general and recommended principal type.
  • -out - Specifies the path and name of the Kerberos version 5 .keytab file to generate.

3. Download IdP Metada from VMware Identity Manager

Access vIDM Console

As part of this exercise, you will configure a VMware Identity Manager tenant and make a web application available to your users that allows them to access the https://it.corp.local intranet site with Kerberos and Identity Bridging through the Unified Access Gateway.  Some setup of VMware Identity Manager has already been configured for you to focus the scope of this lab.

Return to Google Chrome on the Main Console,

  1. Click the New tab button.
  2. Enter https://vidm.corp.local and press ENTER.
    NOTE: This is the hostname that points to the VMware Identity Manager appliance that is deployed within vSphere that you powered on earlier in this exercise.
  3. Select System Domain.
  4. Uncheck Remember this setting.
  5. Click Next.

3.1. Enter the Admin Credentials

vIDM Credentials
  1. Enter admin for the Username.
  2. Enter VMware1! for the Password.
  3. Click Sign in.

3.2. Access Catalog Settings

vIDM Console
  1. Click Catalog.
  2. Click Settings.

3.3. Download the Identity Provider Metadata

Download IdP metadata
  1. Click on SAML Metadata
  2. Right Click on Identity Provider (IdP) metadata
  3. Click on Save link as...

You will need this file during the Identity Bridging configuration in an upcoming step to establish trust between the VMware Identity Manager tenant and the it.corp.local intranet site.

3.4. Save the Identity Provider Metadata

Save the IdP file
  1. Click the Downloads folder.
  2. Check the file name for the metadata is set to idp.xml.
  3. Click Save.

3.5. Close the Catalog Settings

Click the Close button to close the Catalog Settings screen.