Cato Antonsen’s Weblog

Kerberos

Firstly – I assume you already know what Kerberos is and which problems it is intended to solve. This post will not teach you that – but this might…

Even though I have tried to follow much of the available information out there, I was stuck on an issue involving an ASP.net frontend, WCF webservice and CRM backend. The reason was of course just ignorance and lack of better knowledge — as often is the case when dealing with something you don’t need to use often.

This is just a summary of my experience that might act as a checklist for others:

  • Use a separate domain account for each individual service / IIS application pool. This keeps SPN registration clean: an SPN can only live on one account, so sharing an account between services ties their SPNs together.
  • Use hostnames (intranet.company.com, crm.company.com etc.) for all IIS web applications, and never refer to the server name in calling applications.
  • Set up Kerberos Service Principal Names (SPNs) correctly:
    • Register SPNs for the hostnames only (HTTP/intranet.company.com, on the application pool account) for web applications.
    • Don’t register HTTP/NETBIOS-name and HTTP/fully-qualified-domain-name on the application pool account, as many suggest. The HOST/ SPNs on the computer account already cover HTTP for the server name, and an explicit HTTP/servername on a different account takes precedence and breaks every other application on that server running under another identity.
    • Don’t delete the HOST/SERVERNAME SPNs registered on the computer account (domain\SERVERNAME$), or else you will get into trouble. I discovered it the hard way trying to clean up my SPNs after doing a lot of testing. They can easily be re-created, though…
  • Enable Kerberos logging: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel = 1 (DWORD). Errors are written to the System event log; set it back to 0 when you are done, since it also logs expected, harmless errors.
  • Force Kerberos to use TCP instead of UDP: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize = 1 (DWORD). Tickets for users who are members of many groups don’t fit in a UDP datagram and fragment, which shows up as Kerberos errors; TCP gets rid of them. Windows Vista / Server 2008 and later already default to TCP, so this matters mostly on Server 2003.
  • If you need to delegate credentials on the same machine, typically when web application, web service and/or SQL Server are running on the same server, authentication to a hostname that is not the machine name is blocked by the loopback check. The quick fix is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1 (DWORD), but that switches off a reflection-attack mitigation for every name. Prefer adding only your hostnames to the multi-string value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames (KB896861) and restart IIS afterwards.
  • If you are running IIS7, check out this: http://www.adopenstatic.com/cs/blogs/ken/archive/2008/02/21/16275.aspx. Thanks to my former colleague Mads Nissen for this one.
  • To be tested: Register all hostnames as A records in DNS. Don’t use CNAMEs! Clients that canonicalize a CNAME (older Internet Explorer among them) request a ticket for HTTP/<canonical name> rather than the hostname you registered, get no ticket and fall back to NTLM. And of course make sure the server has a static IP or a DHCP reservation.
  • Use DelegConfig to test Kerberos:
    • Make the test user a member of the server’s local Administrators group
    • Extract the files to C:\Kerberos
    • Add a virtual directory to the IIS web application you need to test, with Kerberos as alias, C:\Kerberos as path, and Read and Execute permissions
    • On the server in question, log in as the test user and go to http://intranet.company.com/Kerberos – pray to God for all green checkboxes
  • Configure Internet Explorer correctly: turn on Enable Integrated Windows Authentication (Internet Options > Advanced) and put the URLs in the Local Intranet zone, otherwise IE will not send your credentials automatically
  • When none of this helps – you’re on your own
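The checklist above as one PowerShell script, run from an elevated prompt on the IIS server. This is an added example, not code from the original post. It assumes the names COMPANY\svc_intranet for the application pool account and intranet.company.com for the hostname, a server with setspn.exe and klist.exe (Server 2008 R2 or later) and an account with rights to write SPNs in the domain. It uses the registry paths under Control\Lsa and, for the loopback check, exempts only the named hostnames via BackConnectionHostNames instead of setting DisableLoopbackCheck = 1.

```powershell
# Added example (not from the original post). All names below are assumptions:
# domain COMPANY, app pool account svc_intranet, hostname intranet.company.com.
$Domain     = 'COMPANY'
$AppPoolAcc = 'svc_intranet'           # one dedicated domain account per application pool
$HostName   = 'intranet.company.com'   # what users browse to; never the server name
$ServerName = $env:COMPUTERNAME
$Spn        = "HTTP/$HostName"

# 1. DNS: the hostname must be an A record. A client that canonicalises a CNAME asks
#    the KDC for HTTP/<canonical name>, which nobody registered, and falls back to NTLM.
#    nslookup prints "canonical name = ..." when the name is a CNAME.
$lookup = nslookup -type=A $HostName 2>$null
if ($lookup -match 'canonical name') {
    throw "$HostName is a CNAME; register it as an A record instead."
}

# 2. SPN: register HTTP/<hostname> on the app pool account only. An SPN may exist on
#    exactly one account; a duplicate breaks Kerberos for both services without any
#    obvious error, so check before adding.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Output "$Spn is already registered on:"
    $query
} else {
    # -S verifies that no duplicate exists anywhere in the forest before adding
    setspn -S $Spn "$Domain\$AppPoolAcc"
}
# Leave HOST/<server> on the computer account alone; just confirm it is still there,
# and ask for a forest-wide duplicate report (should list nothing).
setspn -L $ServerName
setspn -X

# 3. Registry: Kerberos event logging, TCP instead of UDP, loopback exemption.
$krbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-Item -Path $krbParams -Force | Out-Null

# LogLevel = 1 writes Kerberos errors to the System event log. Set it back to 0 when
# done; it also records expected, benign errors.
New-ItemProperty -Path $krbParams -Name LogLevel -Value 1 -PropertyType DWord -Force | Out-Null

# MaxPacketSize = 1 forces TCP. Tickets carrying many group SIDs overflow a UDP datagram
# and fragment; Vista / Server 2008 and later already default to TCP.
New-ItemProperty -Path $krbParams -Name MaxPacketSize -Value 1 -PropertyType DWord -Force | Out-Null

# Loopback check: instead of DisableLoopbackCheck = 1 (which disables the reflection
# mitigation for every name), exempt only the hostnames this machine serves (KB896861).
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $msv -Name BackConnectionHostNames -Value @($HostName) `
    -PropertyType MultiString -Force | Out-Null
iisreset | Out-Null   # the loopback exemption takes effect after IIS restarts

# 4. Verify from a domain user session: drop cached tickets and request a service ticket
#    for the SPN directly from the KDC. KDC_ERR_S_PRINCIPAL_UNKNOWN means the SPN is not
#    registered; a returned ticket means the KDC side is right and whatever is still
#    failing lives in IIS or in the browser's zone settings.
klist purge | Out-Null
klist get $Spn
```

Run step 4 again after a browser visit to http://intranet.company.com/ and `klist` should list a cached ticket for HTTP/intranet.company.com; if only krbtgt tickets appear, the browser never attempted Kerberos and the Local Intranet zone setting is the first thing to check.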

1 Comment »

  1. [...] Love, Hate, Love Filed under: IIS, Kerberos, Network — Cato @ 9:35 pm Update: Read the Kerberos-page on the right side as it is more [...]

    Pingback by Kerberos 101 - Love, Hate, Love « Cato Antonsen’s Weblog — September 23, 2008 @ 11:16 pm

