Configuring Kerberos constrained delegation in IAG SP1

Applies To: Intelligent Application Gateway (IAG)

This topic provides information about configuring Kerberos constrained delegation in IAG SP1.

Configuring IAG and ISA Server settings

To configure IAG and ISA settings

  1. If the IAG Configuration program is open, close it.

  2. On the computer where the IAG is installed, open a Command Prompt window, type the following, and then press ENTER:

    IAG_KCD_tool.exe

  3. On the IAG Password dialog box, type your IAG Configuration password, and then click OK.

  4. On the IAG KCD Support Tool dialog box, in the IAG KCD Trunks and Applications section, select the trunks that you want to configure for Kerberos constrained delegation. For each trunk that you selected, select the applications that you want to configure for Kerberos constrained delegation.

  5. If you want to edit a service principal name (SPN), select the application to which the SPN belongs, and then, in the Application’s SPN Data section, in the SPN field, type the new name. The default SPN is <SPN service>/<server name>.

  6. On the IAG KCD Support Tool dialog box, click Activate.

    The IAG Configuration program opens. All the configured trunk information is updated (for example, in the External IP field).

  7. On the toolbar of the IAG Configuration program, click the Activate icon.

  8. In the Activate Configuration dialog box, click Activate.

    A file called SPNS.xml, which includes a list of all service principal names (SPNs), is created.

Configuring the domain controller to enable delegation of service principal names

Note

You must have administrative privileges on the domain controller to perform the following procedure.

You can perform this procedure from the computer where the IAG is installed or from a different computer. If you perform this procedure from a different computer, that computer must belong to the domain and have .NET Framework version 2.0 installed.

To configure the domain controller via the computer where the IAG is installed

  • On the computer where the IAG is installed, open a Command Prompt window, type the following, and then press ENTER:

    IAG_KCD_AD_tool.exe Add

To configure the domain controller via a different computer

  1. Copy both IAG_KCD_AD_tool.exe and SPNS.xml from the IAG computer to the computer from which you want to run the tool. Make sure they are in the same folder.

  2. On the computer where you run the tool, open a Command Prompt window and navigate to the location of the files. Type the following, and then press ENTER:

    IAG_KCD_AD_tool.exe Add
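
After the Add operation, you can check that delegation was granted only to the SPNs you selected. The following PowerShell is an added example, not part of the IAG tools or of the original topic. It assumes that the IAG server delegates as its own computer account (so the allowed SPNs are in that account's msDS-AllowedToDelegateTo attribute) and that PowerShell 3.0 or later runs on a domain-joined computer; the function names, the computer name, and the SPN values are hypothetical.

```powershell
# Added example: audit the delegation list on the gateway's computer account.
# Assumption: allowed SPNs are stored in msDS-AllowedToDelegateTo on that account.

function Get-DelegationTargets {
    param(
        [Parameter(Mandatory = $true)]
        # NetBIOS-style name only; this also keeps LDAP filter metacharacters out.
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$ComputerName
    )
    # Computer accounts have a sAMAccountName that ends with '$'.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('msds-allowedtodelegateto')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$ComputerName' was not found." }
    # An absent attribute yields an empty list, which means no constrained delegation.
    @($result.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })
}

function Compare-DelegationTargets {
    param([string[]]$Expected = @(), [string[]]$Actual = @())
    # -notcontains is case-insensitive, which matches how SPNs are compared.
    [pscustomobject]@{
        Unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    }
}

# Constructed sample values (not from the page). Replace $expected with the SPNs
# you entered in the IAG KCD Support Tool.
$expected = 'http/app1.contoso.example', 'http/app2.contoso.example'
$actual   = 'HTTP/app1.contoso.example', 'cifs/files.contoso.example'

# Against a live domain, read the real list instead ('IAG01' is a hypothetical name):
# $actual = Get-DelegationTargets -ComputerName 'IAG01'

Compare-DelegationTargets -Expected $expected -Actual $actual | Format-List
```

An entry under Unexpected means the gateway account can delegate to a service that you did not select in the tool. An entry under Missing means that Kerberos constrained delegation to that application is not in place.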