Configuring Kerberos Delegation

You will now configure Kerberos Delegation for the IIS IT service account that has been assigned to handle Kerberos Delegation for the IIS website.

1. What is Kerberos Delegation?

Kerberos Delegation means that a system or user account is configured to request Kerberos tickets on behalf of another user.

Since Unified Access Gateway is not joined to the domain, AD Kerberos support has to be added to UAG. This is done by generating a Keytab file, which contains the keys UAG needs to interact with AD: specifically, the key material of the user account that has been delegated the right to request Kerberos tickets on another user's behalf.

Microsoft recommends that each internal Web Application has its own delegated user and therefore its own Keytab file. Technically you can use one delegated user and one Keytab file for many internal apps, but you then take the risk that a compromise of that single Keytab file gives access to all of them. With one user and Keytab file per application, you can revoke access to a single system at a time.

While creating a user and Keytab file for each application requires more administration, it has clear security benefits.

REALM is a term you often hear when talking about Kerberos. A REALM is basically your trust boundary. In AD Kerberos that is your clients, AD servers and application servers, all joined to the domain. Each one trusts the others because they are all part of the same Kerberos REALM.

Environment configuration:

  • AD Domain also Kerberos REALM: CORP.LOCAL
  • Internal web server computer name: INTRANET
  • Internal web server URL: http://it.corp.local
  • Internal web application (Kerberos enabled): http://it.corp.local/itbudget
  • URL to be used on VMware Browser to access the internal web site through Unified Access Gateway:
  • User to be used for Kerberos delegation: iis_it (UPN: iis_it@corp.local)

2. Active Directory Setup


A service account (IIS_IT) has already been created; it will be used for Kerberos delegation on your web application.

You can see the account created through the Active Directory Users and Computers management console from the Main Console:

  1. Click the Active Directory Users and Computers icon from the taskbar on the Main Console (NOT from the Intranet VM opened through vSphere)
  2. Click Users
  3. Look for the Name IIS IT

2.1. Configure Service Principal Name (SPN) for Service Account

The next step is to assign a Service Principal Name (SPN) entry for the name the website responds to, in this case IT.CORP.LOCAL.

The SPN can be associated with either the Web Server machine name or the service account under which the web server's Application Pool runs; that account can be Local System, Network Service or a domain account. In every case the SPN has to be unique.

If the IIS website only needs to be reachable by the name of the server on which it is located (for this lab, https://intranet.corp.local), you would not need to create additional SPN entries, as these already exist on the server account INTRANET in Active Directory. Since the DNS name we are using is IT.CORP.LOCAL and the Web Server machine is INTRANET, you will create an SPN entry HTTP/IT.CORP.LOCAL for the user account CORP\IIS_IT.

NOTE: Another important point, for Kerberos authentication to succeed in a Load Balanced scenario, the Web servers must use an alternate credential that's shared by all members of the array. The credential must also be associated with the array-specific SPNs. This shared credential may be either a computer account or a service account and must be known by every Web server within the array.

Load Balance is not part of this exercise, however you can obtain more information about this scenario here.

2.2. Assign Service Principal Name to Service Account

Setspn for HTTP/it.corp.local
  1. Click the Command Prompt icon from the taskbar on the Intranet VM.
  2. Enter the command setspn /s HTTP/it.corp.local CORP\iis_it and press ENTER.
  3. Confirm the command ran successfully, noted by the Updated object output.

With this command, you are allowing CORP\IIS_IT to decrypt the Kerberos service tickets issued for this address when users access it and authenticate their sessions.

2.3. Assign Delegation Rights to the Service Account

Select IIS IT User

Return to the Active Directory Users and Computers management console.

  1. Click on the Active Directory Users and Computers icon from the Main Console taskbar
  2. Right-click on IIS IT
  3. Click on Properties

2.4. Update Delegation Settings

Set User account for Delegation
  1. Click on Delegation tab
  2. Select Trust this user for delegation to specified services only
  3. Select Use any authentication protocol
  4. Click on Add

2.5. Launch the Computer Search

Launch Computer search

  1. Click on Users or Computers

2.6. Search for the Intranet Object Name

Search Intranet computer
  1. Enter intranet on the Enter the object names to select
  2. Click OK

2.7. Select the HTTP Service

Select HTTP protocol
  1. Select http for INTRANET computer on the list of Available Services
  2. Click OK

2.8. Add HTTP Service for the Delegation

Add HTTP as Service
  1. Confirm that http for the INTRANET computer was added to the list of services to which the IIS_IT account can present delegated credentials. The computer value will be refreshed the next time you return to the Delegation tab: instead of INTRANET you will see INTRANET.CORP.LOCAL
  2. Click OK

With that, the CORP\IIS_IT account is authorized to delegate the logged-in user's credentials to any HTTP service on the INTRANET machine. The exact entry shown here depends on the type of SPN you have registered.

3. Create a Keytab file

Creating Keytab file

The Keytab is the credential that will be used to connect to Active Directory and request an authentication ticket without a login password. A Keytab can only be generated on a Windows Server OS.

In this step, from your Domain Controller (ControlCenter VM) you will generate the Keytab file.

  1. From the ControlCenter VM, click on the Command Prompt icon
  2. Enter the following command
    ktpass /princ HTTP/it.corp.local@CORP.LOCAL /mapuser iis_it@corp.local /mapOp set /pass VMware1! /crypto all /ptype KRB5_NT_PRINCIPAL /out C:\it.keytab and press ENTER

After you execute this command, a file named it.keytab will be created in C:\. This file will be used later during the configuration of Identity Bridging on Unified Access Gateway.

Note: the parameters of the ktpass tool are as follows.

  • /princ - Specifies the principal name, in the form HTTP/it.corp.local@CORP.LOCAL, matching the SPN you created in the previous step during the Active Directory Setup.
    • Warning: This parameter is case sensitive, and ktpass performs no validation that it matches the exact case of the userPrincipalName attribute value when generating the Keytab file.
  • /mapuser - Maps the name of the Kerberos principal, which is specified by the /princ parameter, to the specified domain account.
  • /mapop - Specifies how the mapping attribute is set. With set, as used here, it sets the value for Data Encryption Standard (DES)-only encryption for the specified local user name.
  • /crypto - Specifies the keys that are generated in the keytab file.
  • /ptype - Specifies the principal type; KRB5_NT_PRINCIPAL is the general principal type (recommended).
  • /out - Specifies the name of the Kerberos version 5 .keytab file to generate.
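Before copying the keytab to UAG, it is worth checking what ktpass actually wrote: the principal must match HTTP/it.corp.local@CORP.LOCAL exactly (the case-sensitivity warning above), and /crypto all also emits DES and RC4 keys alongside AES. The following is an added example, not part of the lab or of VMware's tooling: a small parser for the MIT keytab format that lists principals, key version numbers and encryption types without ever printing the key bytes. It runs against a constructed in-memory keytab so it works offline; point parse_keytab at the bytes of C:\it.keytab to inspect the real file.

```python
import struct

# Helpers to build a constructed MIT v2 keytab in memory (sample data only).
def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, name_type, ts, kvno, enctype, key):
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">H", enctype) + _cstr(key)           # keyblock: enctype + key
    return struct.pack(">i", len(body)) + body

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

# Constructed sample: what "/crypto all" for HTTP/it.corp.local@CORP.LOCAL looks like
# (KRB5_NT_PRINCIPAL = name type 1, kvno 3, dummy key bytes, not real keys).
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry("CORP.LOCAL", ["HTTP", "it.corp.local"], 1, 1700000000, 3, et, b"\x11" * ln)
    for et, ln in ((1, 8), (3, 8), (23, 16), (17, 16), (18, 32)))

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...]; key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                    # negative size marks a deleted slot; skip it
            pos += -size; continue
        p, end = pos, pos + size
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        strings = []
        for _ in range(ncomp + 1):       # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, p); p += 2
            strings.append(data[p:p + ln].decode()); p += ln
        name_type, ts, kvno = struct.unpack_from(">IIB", data, p); p += 9
        (enctype,) = struct.unpack_from(">H", data, p); p += 2
        (keylen,) = struct.unpack_from(">H", data, p); p += 2 + keylen
        if end - p >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries

def check_keytab(data: bytes, expected_principal: str):
    """Exact (case-sensitive) principal match, AES presence, and any weak enctypes."""
    entries = parse_keytab(data)
    matched = [e for e in entries if e[0] == expected_principal]
    weak = sorted({ENCTYPES.get(e[2], str(e[2])) for e in matched if e[2] in WEAK})
    return {"principals": sorted({e[0] for e in entries}), "matched": len(matched),
            "has_aes": any(e[2] in (17, 18) for e in matched), "weak_enctypes": weak}
```

A lowercase "http/..." principal reports zero matches, which is exactly the mismatch the /princ warning describes; a non-empty weak_enctypes list tells you the file still carries DES or RC4 keys.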