Configuring Kerberos Delegation

You will now configure Kerberos delegation for the IIS_IT service account, the account assigned to handle Kerberos delegation for the IIS website.

1. Active Directory Setup


We have already created a service account (IIS_IT) that will be used for Kerberos delegation on your web application.

You can see the account created through the Active Directory Users and Computers management console from the Main Console:

  1. Click the Active Directory Users and Computers icon from the taskbar on the Main Console (NOT from the Intranet VM opened through vSphere)
  2. Click Users
  3. Look for the Name IIS IT

1.1. Configure Service Principal Name (SPN) for Service Account

The next step is the registration of Service Principal Name (SPN) entries for the name to which the website has to respond, in this case IT.CORP.LOCAL.

The SPN can be associated either with the web server's machine account or with the service account under which the application pool of the web server runs; that identity can be Local System, Network Service or a domain account.

If the IIS website only needs to be reachable by the name of the server on which it is located, you would not need to create additional SPN entries, because these already exist in the server account IIS_IT in Active Directory. In this lab the site is reached as https://it.corp.local: the DNS name is IT.CORP.LOCAL while the web server machine is INTRANET, so you will create the SPN entry HTTP/IT.CORP.LOCAL for the user account CORP\IIS_IT.

Another important point: if you are building a web farm with load balancing, or the website address differs from the host name, you will have to attach additional SPN entries to a server or user account. This is not the case for this lab.


1.2. Assign Service Principal Name to Service Account

Setspn for HTTP/it.corp.local
  1. Click the Command Prompt icon from the taskbar on the Intranet VM.
  2. Enter the command setspn /s HTTP/it.corp.local CORP\iis_it and press ENTER.
  3. Confirm the command ran successfully, noted by the Updated object output.

With this command you are registering the SPN on CORP\IIS_IT: service tickets that users obtain for these addresses are encrypted with that account's key, so CORP\IIS_IT can decrypt them and authenticate the sessions.

1.3. Assign Delegation Rights to the Service Account

Select IIS IT User

Return to the Active Directory Users and Computers management console.

  1. Click on the Active Directory Users and Computers icon from the Main Console taskbar
  2. Right-click on IIS IT
  3. Click on Properties

1.4. Update Delegation Settings

Set User account for Delegation
  1. Click on Delegation tab
  2. Select Trust this user for delegation to specified services only
  3. Select Use any authentication protocol
  4. Click on Add
1.5. Launch Computer Search

Launch Computer search

Click on Users or Computers

1.6. Search for the Intranet Object Name

Search Intranet computer
  1. Enter intranet in the Enter the object names to select field
  2. Click OK

1.7. Select the HTTP Service

Select HTTP protocol
  1. Select http for INTRANET computer on the list of Available Services
  2. Click OK

1.8. Add HTTP Service for the Delegation

Add HTTP as Service
  1. Confirm that http for the INTRANET computer was added to the list of services to which the IIS_IT account can present delegated credentials. The computer value will be refreshed the next time you return to the Delegation tab: instead of INTRANET you will see INTRANET.CORP.LOCAL
  2. Click OK

With that, the CORP\IIS_IT account is authorized to delegate the logged-in user's credentials to any HTTP service on the INTRANET machine. This setting depends on the type of SPN you have registered and might fall under any one of the below categories.
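The Delegation tab writes three things to Active Directory: the SPN on the account, the allowed target services in msDS-AllowedToDelegateTo, and, for "Use any authentication protocol", the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl (protocol transition, which lets the service obtain tickets for users who did not authenticate to it with Kerberos, so the account deserves the same protection as any other privileged identity). The script below is an added example, not part of the lab or of any VMware tool: it audits a constructed snapshot of those attributes, as you would export them with Get-ADUser or ldifde, and checks for a duplicate SPN, which silently breaks Kerberos for the site. The account and attribute values are constructed to match the lab; the flag values are the documented userAccountControl bits.

```python
"""Audit the AD attributes behind the Delegation tab (added example, constructed data)."""
from typing import Dict, List

# Documented userAccountControl flag values relevant to delegation.
TRUSTED_FOR_DELEGATION = 0x80000           # "Trust this user for delegation to any service" (unconstrained)
NOT_DELEGATED = 0x100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000 # "Use any authentication protocol" (protocol transition)
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed snapshot of the two accounts after the lab steps (not a real export).
ACCOUNTS: Dict[str, Dict] = {
    "CORP\\IIS_IT": {
        "servicePrincipalName": ["HTTP/it.corp.local"],
        "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["http/INTRANET.CORP.LOCAL", "http/INTRANET"],
    },
    "CORP\\INTRANET$": {
        "servicePrincipalName": ["HOST/INTRANET", "HOST/INTRANET.CORP.LOCAL"],
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
        "msDS-AllowedToDelegateTo": [],
    },
}


def find_duplicate_spns(accounts: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Return SPNs registered on more than one account (the KDC compares them case-insensitively)."""
    owners: Dict[str, set] = {}
    for name, attrs in accounts.items():
        for spn in attrs.get("servicePrincipalName", []):
            owners.setdefault(spn.lower(), set()).add(name)
    return {spn: sorted(names) for spn, names in owners.items() if len(names) > 1}


def delegation_mode(uac: int, targets: List[str]) -> str:
    """Translate the flag bits plus the target list into what the GUI radio buttons mean."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not targets:
        return "none"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained (any protocol)"
    return "constrained (Kerberos only)"


def audit(accounts: Dict[str, Dict], account: str, expected_spn: str, expected_target: str) -> Dict:
    """Check that one account is configured the way the lab expects and report findings."""
    attrs = accounts[account]
    uac = attrs["userAccountControl"]
    targets = [t.lower() for t in attrs.get("msDS-AllowedToDelegateTo", [])]
    spns = [s.lower() for s in attrs.get("servicePrincipalName", [])]
    findings = {
        "mode": delegation_mode(uac, targets),
        "spn_registered": expected_spn.lower() in spns,
        "target_allowed": expected_target.lower() in targets,
        "duplicate_spns": find_duplicate_spns(accounts),
        "sensitive_flag": bool(uac & NOT_DELEGATED),
    }
    # "ok" means: SPN present exactly once, target listed, and no unconstrained delegation.
    findings["ok"] = (findings["spn_registered"] and findings["target_allowed"]
                      and not findings["duplicate_spns"] and findings["mode"] != "unconstrained")
    return findings


if __name__ == "__main__":
    result = audit(ACCOUNTS, "CORP\\IIS_IT", "HTTP/it.corp.local", "http/INTRANET.CORP.LOCAL")
    for key, value in result.items():
        print(f"{key:16} {value}")
```

Run it against a real export by replacing ACCOUNTS with the attribute values of the service account and the web server's computer account; a non-empty duplicate_spns entry is the first thing to check when Kerberos authentication to the site falls back to NTLM or fails outright.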

2. Create a Keytab file

Creating Keytab file

The keytab file holds the service account's Kerberos key; it is the credential used to connect to Active Directory and request an authentication ticket without a login password, so it must be protected like the account's password. A keytab can only be generated through the Windows Server OS.

In this step, from your Domain Controller (ControlCenter VM) you will generate the Keytab file.

  1. From the ControlCenter VM, click on the Command Prompt icon
  2. Enter the following command and press ENTER
    ktpass /princ HTTP/it.corp.local@CORP.LOCAL /mapuser iis_it@corp.local /mapOp set /pass VMware1! /crypto all /ptype KRB5_NT_PRINCIPAL /out C:\it.keytab

After you execute this command, a file named it.keytab will be created on C:\. This file will be used later during the configuration of Identity Bridging on Unified Access Gateway.

Note: the parameters of the ktpass tool are explained below.

  • /princ - Specifies the principal name in the form HTTP/it.corp.local@CORP.LOCAL, matching the SPN you created in the previous step during the Active Directory Setup.
    • Warning: This parameter is case sensitive, and there is no validation that it matches the exact case of the userPrincipalName attribute value when the keytab file is generated.
  • /mapuser - Maps the name of the Kerberos principal, which is specified by the princ parameter, to the specified domain account.
  • /mapOp - Specifies how the mapping attribute is set; in this case set sets the Data Encryption Standard (DES)-only encryption value for the specified local user name.
  • /crypto - Specifies the keys that are generated in the keytab file.
  • /ptype - Specifies the principal type; KRB5_NT_PRINCIPAL is the general principal type (recommended).
  • /out - Specifies the name of the Kerberos version 5 .keytab file to generate.
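Because ktpass does not validate the case of /princ, it is worth inspecting the keytab before handing it to Unified Access Gateway. The parser below is an added example, not VMware's or Microsoft's code: it builds a constructed keytab in the version 0x0502 format that ktpass writes (no real keys; the realm CORP.LOCAL is assumed from the lab's domain), reads it back, and reports a principal whose case differs from the expected value, weak encryption types such as RC4 or DES that /crypto all can emit, and entries with inconsistent key version numbers. Only the standard library is used.

```python
"""Parse a Kerberos v5 keytab (format 0x0502) and sanity-check it. Added example, constructed data."""
import struct
from typing import Dict, List, Tuple

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1

# (components, realm, kvno, enctype, key bytes, timestamp); keys are dummy filler, not real keys.
SAMPLE_ENTRIES: List[Tuple[List[str], str, int, int, bytes, int]] = [
    (["HTTP", "it.corp.local"], "CORP.LOCAL", 3, 23, bytes(range(16)), 1700000000),
    (["HTTP", "it.corp.local"], "CORP.LOCAL", 3, 17, bytes(range(16, 32)), 1700000000),
    (["HTTP", "it.corp.local"], "CORP.LOCAL", 3, 18, bytes(range(32)), 1700000000),
]


def _octets(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialize entries the way a 0x0502 keytab lays them out (used here only to make a sample)."""
    out = bytearray(b"\x05\x02")
    for comps, realm, kvno, enctype, key, ts in entries:
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key)                 # keyblock
        body += struct.pack(">I", kvno)                                   # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body                        # size excludes the size field
    return bytes(out)


def parse_keytab(data: bytes) -> List[Dict]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:    # 32-bit vno present: it overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "timestamp": ts, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, f"unknown({enctype})"), "key_len": len(key)})
        pos = end
    return entries


def check_keytab(entries: List[Dict], expected_principal: str) -> List[str]:
    """Return human-readable issues: case mismatch, wrong principal, weak enctype, mixed kvno."""
    issues = []
    for e in entries:
        if e["principal"] != expected_principal:
            kind = "case mismatch" if e["principal"].lower() == expected_principal.lower() else "unexpected principal"
            issues.append(f"{kind}: keytab has {e['principal']}, expected {expected_principal}")
        if e["enctype"] in WEAK_ENCTYPES:
            issues.append(f"weak enctype {e['enctype_name']} (kvno {e['kvno']})")
    if len({e["kvno"] for e in entries}) > 1:
        issues.append("entries carry different kvno values; regenerate the keytab after a password change")
    return issues


if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))  # replace with open("C:/it.keytab","rb").read()
    for e in parsed:
        print(e["principal"], e["enctype_name"], "kvno", e["kvno"])
    print(check_keytab(parsed, "HTTP/it.corp.local@CORP.LOCAL") or "no issues")
```

Point parse_keytab at the real it.keytab and pass the principal exactly as you typed it in /princ; if the kvno in the file does not match the account's current msDS-KeyVersionNumber (for example after the service account password is reset), the keytab is stale and must be regenerated.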

3. Download IdP Metadata from VMware Identity Manager

Access vIDM Console

Return to Google Chrome on the Main Console,

  1. Click the New tab button.
  2. Enter the VMware Identity Manager Console address in the Google Chrome address bar and press ENTER.
    NOTE: This is the hostname that points to the vIDM appliance that is deployed within vSphere that you powered on earlier.
  3. Select System Domain.
  4. Uncheck Remember this setting.
  5. Click Next.

3.1. Enter the Admin Credentials

vIDM Credentials
  1. Enter admin for the Username
  2. Enter VMware1! for the Password
  3. Click Sign in

3.2. Download Identity Provider metadata

vIDM Console

Click on Catalog

3.3. Access Catalog Settings

Access Settings

Click on Settings

3.4. Download the Identity Provider Metadata

Download IdP metadata
  1. Click on SAML Metadata
  2. Right Click on Identity Provider (IdP) metadata
  3. Click on Save link as...

You will need this file during the Identity Bridging configuration.

3.5. Save the Identity Provider Metadata

Save the IdP file
  1. Verify the Downloads folder is selected
  2. Check the file name for the metadata is set to idp.xml
  3. Click Save

3.6. Close the Catalog Settings

Click the Close button to close the Catalog Settings screen.