
Security Considerations

If a Web site or service hosted in Internet Information Services (IIS) impersonates a user to authenticate to back-end resources, and IIS or the back-end service that IIS consumes runs under a custom identity such as a domain account, perform the following steps. Kerberos requires a service principal name (SPN) registered on the account that the service actually runs as; if no SPN matches the name the client uses, the client cannot obtain a Kerberos ticket, authentication falls back to NTLM, and the impersonated identity cannot be delegated to the back end.

To create a service principal name for IIS that impersonates a user

  1. Log on to the domain controller.
  2. Open a command prompt.
  3. Run the following set of commands:
    • If the application pool under which the Web site runs uses a domain identity, run the following commands:

      setspn -A HTTP/netbiosName domainName\userName

      setspn -A HTTP/FullyQualifiedName domainName\userName

      The following provides more information about the preceding commands:

      • userName is the domain identity of the application pool.
      • netbiosName and FullyQualifiedName are the flat and DNS names of the Web server computer that is impersonating the user and consuming back-end services.
      • domainName is the domain name of Active Directory.
      • HTTP is the service for which you are registering the Service Principal Name (SPN).

      By running these commands, the user can use any of the names when calling the Web or Windows Communication Foundation (WCF) service.

      Note:
      If the application pool runs as Network Service, this procedure is not necessary, because Network Service authenticates with Kerberos as the computer account, and the HOST/ SPNs that Active Directory registers for every computer account cover HTTP and the other built-in services running on that computer.

To create a service principal name for SQL that is consumed by IIS that impersonates the user

  1. Log on to the domain controller.
  2. Open a command prompt.
  3. Run the following set of commands:
    • If SQL is running under a domain identity, run the following commands:

      setspn -A MSSQLsvc/netbiosName:port domainName\userName

      setspn -A MSSQLsvc/FullyQualifiedName:port domainName\userName

      The following provides more information about the preceding commands:

      • userName is the domain identity that SQL Server is running under.
      • netbiosName and FullyQualifiedName are the flat and DNS names of the SQL Server computer.
      • port is the TCP port the instance listens on (1433 for a default instance). SQL Server clients connecting over TCP request the SPN in the form MSSQLSvc/FullyQualifiedName:port, so an SPN without the port does not match; a named instance additionally registers MSSQLSvc/FullyQualifiedName:instanceName.
      • domainName is the domain name of Active Directory.
      • MSSQLsvc is the SQL Server service for which you are registering the Service Principal Name (SPN).

      By running these commands, the user can use any of the names when connecting to an instance of Microsoft SQL Server.

      Note:
      If SQL Server runs as Local System or Network Service, this procedure is not necessary, because the service authenticates with Kerberos as the computer account, and SQL Server registers its own MSSQLSvc SPNs on that computer account each time it starts. When SQL Server runs under a domain account that lacks write access to its own servicePrincipalName attribute, that automatic registration fails (SQL Server logs a warning at startup), which is why the SPNs must be created manually as shown above.

To create a service principal name for IIS that is consumed by another IIS that impersonates a user

  1. Log on to the domain controller.
  2. Open a command prompt.
  3. Run the following set of commands:
    • If the application pool under which the Web site runs uses a domain identity, run the following commands:

      setspn -A HTTP/netbiosName domainName\userName

      setspn -A HTTP/FullyQualifiedName domainName\userName

      The following provides more information about the preceding commands:

      • userName is the domain identity of the application pool.
      • netbiosName and FullyQualifiedName are the flat and DNS names of the Web server computer that is impersonating the user and consuming back-end services.
      • domainName is the domain name of Active Directory.
      • HTTP is the service for which you are registering the Service Principal Name (SPN).

      By running these commands, the user can use any of the names when calling the Web or Windows Communication Foundation (WCF) service.

      Note:
      If the application pool runs as Network Service, this procedure is not necessary, because Network Service authenticates with Kerberos as the computer account, and the HOST/ SPNs that Active Directory registers for every computer account cover HTTP and the other built-in services running on that computer.
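The three setspn procedures above share one failure mode that the plain setspn -A commands do not guard against: if the same SPN is registered on two accounts, the KDC cannot decide which account's key to use, ticket issuance fails, and the client silently falls back to NTLM. The following PowerShell script is an added example, not part of the original page, that performs the same registrations for the IIS application pool identity and the SQL Server service account but checks for an existing SPN first, uses setspn -S (which refuses to create a duplicate), includes the SQL Server port, and lists and scans the result. The domain, host and account names are placeholders.

```powershell
# Added example (not from the original page): register the HTTP and MSSQLSvc SPNs
# from the procedures above and verify them. Domain, host and account names
# (CONTOSO, web01, sql01, svc_apppool, svc_sql) are placeholders; substitute your own.
# Run on a domain controller, or on any domain-joined host as a user with write
# access to the target accounts' servicePrincipalName attribute.

$Domain      = 'CONTOSO'
$WebHost     = 'web01'              # NetBIOS name of the IIS server
$WebFqdn     = 'web01.contoso.com'  # DNS name of the IIS server
$AppPoolAcct = 'svc_apppool'        # domain identity of the application pool
$SqlHost     = 'sql01'              # NetBIOS name of the SQL Server computer
$SqlFqdn     = 'sql01.contoso.com'  # DNS name of the SQL Server computer
$SqlAcct     = 'svc_sql'            # domain identity SQL Server runs as
$SqlPort     = 1433                 # TCP port of the instance (1433 = default instance)

function Register-Spn {
    param([string]$Spn, [string]$Account)

    # setspn -Q searches the forest for the SPN and prints "Existing SPN found!"
    # if any account already holds it. A duplicate breaks Kerberos for both
    # accounts, so refuse to continue rather than create one.
    $query = setspn -Q $Spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$Spn is already registered; run 'setspn -X' to locate duplicates"
        return
    }

    # -S (Windows Server 2008 and later) adds the SPN only after checking for
    # duplicates; -A, as used in the steps above, adds it unconditionally.
    setspn -S $Spn "$Domain\$Account" | Out-Null
    Write-Host "Registered $Spn on $Domain\$Account"
}

# HTTP SPNs for the application pool identity, in both name forms, so that a
# client may call the Web or WCF service by either the flat or the DNS name.
Register-Spn -Spn "HTTP/$WebHost" -Account $AppPoolAcct
Register-Spn -Spn "HTTP/$WebFqdn" -Account $AppPoolAcct

# MSSQLSvc SPNs for the SQL Server service account. TCP clients request
# MSSQLSvc/<host>:<port>, so the port is part of the SPN.
Register-Spn -Spn "MSSQLSvc/${SqlHost}:${SqlPort}" -Account $SqlAcct
Register-Spn -Spn "MSSQLSvc/${SqlFqdn}:${SqlPort}" -Account $SqlAcct

# Verify: list what each account now holds and scan the forest for duplicates.
setspn -L "$Domain\$AppPoolAcct"
setspn -L "$Domain\$SqlAcct"
setspn -X
```

For the third procedure (an IIS front end calling a second IIS server), run the same HTTP registrations again with the second Web server's names and application pool account. If setspn -X reports any duplicate, remove the SPN from the wrong account with setspn -D before continuing; Kerberos will not work for either account until the duplicate is gone.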

To configure the account as trusted for delegation

  1. Log on to the domain controller.
  2. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
  3. In the left pane of the snap-in, click the Computers node if the application pool runs as Network Service, or the Users node if it runs as a domain identity.
  4. In the right pane, double-click your Web server computer, or the account under which your application pool runs, to display the Properties dialog box.
  5. On the Delegation tab, Do not trust this computer (or user) for delegation is selected by default. To use constrained delegation, select Trust this computer for delegation to specified services only; the bottom pane then lets you specify exactly which service or services may be accessed. The Delegation tab is shown only for accounts that already have at least one SPN registered, so complete the setspn procedures above first.
  6. Under Trust this computer for delegation to specified services only, keep the default option, Use Kerberos only.
  7. Click Add to display the Add Services dialog box.
  8. Click Users or Computers.
  9. In the Select Users or Computers dialog box, type the name of your database server or Web server computer if SQL Server or the Web server runs as Local System or Network Service; if SQL Server runs under a custom domain account, type that account name instead. Click OK. The dialog lists every SPN registered on the selected account. To restrict delegation to SQL Server, select the MSSQLSvc service and click OK.
Note:
When creating a reference to a Web service or WCF service, use the NetBIOS name or fully qualified DNS name of the host. Using an IP address or localhost causes Windows to negotiate NTLM instead of Kerberos, because no registered SPN matches an IP address, and impersonation fails on the next hop because NTLM cannot delegate credentials.
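The Delegation tab steps above map to two attributes of the front-end account in Active Directory: Trust this computer for delegation to specified services only with Use Kerberos only means msDS-AllowedToDelegateTo holds the back-end SPNs while neither the TRUSTED_FOR_DELEGATION (unconstrained) nor the TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition) flag is set. The following PowerShell is an added example, not part of the original page, that configures the same thing with the ActiveDirectory module (RSAT), reads the result back, and then checks on a client whether Kerberos was actually used. Account names and SPNs are placeholders.

```powershell
# Added example (not from the original page): Kerberos-only constrained delegation
# for the impersonating account, equivalent to the Delegation tab steps above.
# Requires the ActiveDirectory module (RSAT) and rights to modify the account.
# svc_apppool and the sql01 SPNs are placeholders; substitute your own.
Import-Module ActiveDirectory

# Account that impersonates the caller. If the application pool runs as Network
# Service, target the Web server's computer account instead and use
# Get-ADComputer / Set-ADComputer with the same parameters.
$FrontEnd    = 'svc_apppool'
$BackEndSpns = @('MSSQLSvc/sql01.contoso.com:1433', 'MSSQLSvc/sql01:1433')

# -Add fails if a value is already present, so add only the SPNs that are missing
# rather than overwriting any delegation targets configured earlier.
$existing = (Get-ADUser -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
$missing  = @($BackEndSpns | Where-Object { $_ -notin $existing })
if ($missing.Count -gt 0) {
    Set-ADUser -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
}

# "Use Kerberos only": make sure neither unconstrained delegation nor protocol
# transition ("Use any authentication protocol") is enabled on the account.
Set-ADAccountControl -Identity $FrontEnd -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Read the effective configuration back. Expected: TrustedForDelegation and
# TrustedToAuthForDelegation both False, msDS-AllowedToDelegateTo listing the SPNs.
Get-ADUser -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# On the client, after calling the Web service by its NetBIOS or DNS name (not by
# IP address or localhost, see the note above): klist lists the cached Kerberos
# tickets. A service ticket for the HTTP SPN shows Kerberos was negotiated; if it
# is absent, the client fell back to NTLM and delegation will not work.
klist | Select-String -Pattern 'Server:\s+HTTP/web01'
```

If the klist check shows no HTTP ticket even though the SPNs are registered, the usual causes are a duplicate SPN (setspn -X), a name used by the client that has no matching SPN, or an application pool identity whose ticket-decrypting key differs from the one the SPN points at. Changing the service account after the fact requires moving the SPNs to the new account.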

© 2014 Microsoft. All rights reserved.