Configuring Kerberos Authentication on IIS Website
Return to the vSphere Web Client,
- Click on Intranet VM
- Click the Summary tab.
- Click on the Intranet VM Screen to launch the VMware Remote Console (VRC)
1. Choose Open VMware Remote Console (IF NEEDED)
If prompted to open the link in the VMware Remote Console, click Open VMware Remote Console.
2. Connect to Server (IF NEEDED)
If prompted to supply the credentials to connect to the server,
- Enter administrator for the Username.
- Enter VMware1! for the password.
- Enable the Remember by credentials option.
- Click Connect.
3. Login to the Intranet VM
After the VMware Remote Console finishes launching,
- Press Ctrl+Alt+Delete to open the login page.
- Enter VMware1! for the password.
- Click the Login button, or press
5. Configure IIS WebSite
Open IIS (Internet Information Services) Manager from the Task Bar at the bottom of the screen.
- Click on Arrow Down to expand the INTRANET node
- Click on Arrow Down to expand the Sites node
- Click on IT Site
- Double Click on Authentication
5.1. Enable Windows Authentication Method
- Select Windows Authentication
- Click on Enable
NOTE - Make sure Anonymous Authentication, ASP.NET Impersonation and Basic Authentication are Disabled. When you install IIS for the first time, Anonymous Authentication is always enabled by default.
5.2. Configure Authentication Providers
After enabling the Windows Authentication method you can set up the authentication providers it will offer to clients.
Click Providers to open the list of Providers available for Windows Authentication.
5.3. Configure Providers
Negotiate and NTLM have already been configured as the two enabled providers. In a new IIS installation that won't be the case: you will need to install the providers as part of the IIS installation and add them here. These tasks are beyond the focus of this lab and have been configured for you.
Negotiate is a wrapper that tries Kerberos as the first authentication method and, if Kerberos authentication cannot be completed, falls back to NTLM, which means the username and password will be used.
It is mandatory that Negotiate comes first in the list of providers. Check and confirm that Negotiate is first and NTLM second, because clients use the first provider offered.
Click X to close the Window.
5.5. Enable Kernel-mode Authentication
- Check Enable Kernel-mode authentication
- Click OK
Leave Extended Protection Off for this lab. In a production environment, however, you should configure this option, as it enhances the existing Windows Authentication functionality to mitigate authentication relay ("man in the middle") attacks. You can find more information about Extended Protection here.
6. Configure IIS Application Pool
In this step you configure the Application Pool to run under a specific account (corp\iis_it) that has already been created.
6.1. Configure Identity for an Application Pool
- Select Application Pools
- Select IT on the list of Application Pools
- Click Advanced Settings
6.2. Update the Application Pool Identity
In this step we will set CORP\iis_it as the account to be used to launch the Pool.
- Select the "..." button for Identity under Process Model.
6.3. Select Custom Account
- Select Custom account
- Click Set...
6.4. Set Custom Account Credentials
- Enter corp\iis_it for User name.
- Enter VMware1! for Confirm password.
- Click OK
6.5. Confirm Custom Account for Application Pool Identity
Click OK to confirm that corp\iis_it is the account to be used by this pool.
6.6. Confirm the Updated Application Pool Identity
- corp\iis_it is now set as the account
- Click OK
6.7. Configure Application Pool to use Identity Credentials
- Click on the IT Web Site
- Double click on Configuration Editor
6.8. Select Windows Authentication
- Open the Section list
- Select system.webServer / security / authentication / windowsAuthentication
6.9. Update Windows Authentication Configuration
- Click the dropdown arrow for useAppPoolCredentials.
- Select True for useAppPoolCredentials.
- Click Apply.
When you set useAppPoolCredentials to true, you are telling IIS to use its application pool identity (which you set to CORP\iis_it) to decrypt the Kerberos ticket that the client obtained from AD and forwarded to the server to authenticate the user.
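The same configuration as steps 5 and 6, scripted with the WebAdministration module so it can be repeated or checked without clicking through IIS Manager. This is an added example and not part of the lab; the site name (IT Site), pool name (IT), account (corp\iis_it) and password are the lab's values. It assumes an elevated PowerShell session on the INTRANET server and that the HTTP service principal name for the site's host name is registered on corp\iis_it (the lab does not show that step, so the script only lists what is registered). The verification at the end reads back what IIS will actually use, including the provider order, because Negotiate listed second means clients never attempt Kerberos.

```powershell
# Added example, not the lab's own code: apply steps 5 and 6 of the lab with
# the WebAdministration module, then read the effective settings back.
Import-Module WebAdministration

$site     = 'IT Site'
$pool     = 'IT'
$poolUser = 'corp\iis_it'
$poolPass = 'VMware1!'   # lab password; in production prefer a group Managed Service Account
$appHost  = 'MACHINE/WEBROOT/APPHOST'   # write a <location> in applicationHost.config, as IIS Manager does
$auth     = 'system.webServer/security/authentication'

function Set-SiteAuth([string]$Filter, [string]$Name, $Value) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $Filter -Name $Name -Value $Value
}

# 5.1 Windows Authentication on; Anonymous and Basic off (Anonymous is on by default after install)
Set-SiteAuth "$auth/windowsAuthentication"   'enabled' $true
Set-SiteAuth "$auth/anonymousAuthentication" 'enabled' $false
Set-SiteAuth "$auth/basicAuthentication"     'enabled' $false
# ASP.NET impersonation lives in the site's web.config (system.web), not in applicationHost.config
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/identity' -Name impersonate -Value $false

# 5.3 Providers: Negotiate (Kerberos with NTLM fallback) first, NTLM second
Clear-WebConfiguration -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication/providers"
foreach ($p in 'Negotiate', 'NTLM') {
    Add-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "$auth/windowsAuthentication/providers" -Name '.' -Value @{ value = $p }
}

# 5.5 Kernel-mode authentication on; Extended Protection stays off in the lab
Set-SiteAuth "$auth/windowsAuthentication" 'useKernelMode' $true
# Production: require Extended Protection (channel/service binding) to mitigate authentication relay
# Set-SiteAuth "$auth/windowsAuthentication/extendedProtection" 'tokenChecking' 'Require'

# 6.2 to 6.6 Run the IT pool as corp\iis_it
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = $poolUser; password = $poolPass }

# 6.9 Decrypt Kerberos tickets with the pool identity instead of the machine account
Set-SiteAuth "$auth/windowsAuthentication" 'useAppPoolCredentials' $true

# Read back the effective settings for the site and pool
$win       = Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication"
$providers = (Get-WebConfiguration -PSPath $appHost -Location $site `
                  -Filter "$auth/windowsAuthentication/providers/add").value
$identity  = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel

[pscustomobject]@{
    WindowsAuth           = $win.enabled
    KernelMode            = $win.useKernelMode
    UseAppPoolCredentials = $win.useAppPoolCredentials
    Providers             = ($providers -join ' > ')
    PoolIdentity          = "$($identity.identityType) $($identity.userName)"
} | Format-List

if ($providers[0] -ne 'Negotiate') {
    Write-Warning 'Negotiate is not the first provider; clients will choose NTLM and Kerberos will not be used.'
}

# Kerberos only works if the site's HTTP SPN is registered on the pool account (assumed, not shown in the lab).
# Lists the SPNs on corp\iis_it; expect an entry like HTTP/<site host name>.
setspn -L $poolUser
```

Writing the authentication settings through MACHINE/WEBROOT/APPHOST with -Location mirrors what IIS Manager does and avoids the "section is locked" error you get when these sections are written to the site's web.config. The final setspn listing is the check to run when Windows Authentication is enabled but browsers keep falling back to NTLM: with useAppPoolCredentials set, the ticket is encrypted for whichever account owns the SPN, so the SPN and the pool identity must be the same account.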