Setting up Kerberos Authentication against the cluster name Service Principal Name
Updated: October 6, 2011
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
There are three phases to setting up Kerberos Authentication against the cluster name SPN, each targeted at a different entity. A sample configuration is suggested in the following procedures, but your configuration may be different.
Phase 1: Administration of Domain Controller
On the Windows Server 2003 domain controller, perform the following steps. You must have administrator credentials to follow this procedure.
Create a domain user account under which the IIS 6.0 worker process will run. This account will own the SPN, so it is the account whose key the KDC uses to encrypt service tickets for the cluster name.
For example, on the domain controller, run net user <iisid> <nlb> /add where <iisid> is the user name and <nlb> is the password. Choose a strong password; if the domain password policy later expires it, the application pool identity in Phase 2 must be updated at the same time or the worker process will fail to start.
If there isn't already one, create a domain user account for the client to log on with.
For example, on the domain controller, run net user <iistst> <nlb> /add where <iistst> is the user name and <nlb> is the password.
Register the service principal name (SPN) that the client will use to identify the service on the domain user account created in step 1, using the setspn.exe tool from the Windows Server 2003 Support Tools.
For example, if Internet Explorer is the client and testweb is the cluster name, on the domain controller run setspn -a HOST/testweb nlb.net\iisid to register the SPN HOST/testweb on the domain user account nlb.net\iisid. Run setspn -l nlb.net\iisid afterwards to confirm the registration.
Note: The SPN is formatted as <Service-Class>/<Host>. Internet Explorer requests a ticket for the service class HTTP; a domain controller maps HTTP to HOST through its built-in SPN mappings, which is why registering HOST/testweb works when no explicit HTTP/testweb exists. Registering HTTP/testweb (and the fully qualified HTTP/testweb.nlb.net, for users who type the FQDN in the URL) on the same account is the more precise form and does not depend on that mapping. Other clients might use a different service class. The value of <Host> is the cluster name exactly as the client addresses it. An SPN must be registered on only one account in the forest: a duplicate registration (for example a leftover HTTP/testweb on a computer account) makes ticket requests fail and the client silently falls back to NTLM.
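The domain-controller side of Phase 1, including the duplicate-SPN check described in the note, as an added example that is not part of the original article. It assumes Windows PowerShell is installed on the Windows Server 2003 domain controller, setspn.exe from the Support Tools is on the PATH, the domain is nlb.net (NetBIOS name NLB), the service account is iisid and the cluster name is testweb; all of these names are assumptions taken from the sample configuration above. It registers both the HTTP/ and HOST/ forms, for the short and fully qualified cluster name:

```powershell
# Added example, not part of the original article: Phase 1 on the domain controller.
# Assumptions (not from the page): PowerShell is installed on the Windows Server 2003 DC,
# setspn.exe from the Support Tools is on the PATH, the domain is nlb.net (NetBIOS NLB),
# the service account is iisid and the cluster name is testweb.
$NetBios     = 'NLB'
$DnsDomain   = 'nlb.net'
$ServiceUser = 'iisid'
$ClusterName = 'testweb'
$Account     = "$NetBios\$ServiceUser"

# Register the HTTP/ form Internet Explorer requests as well as the HOST/ form the article uses,
# each for both the short name and the fully qualified name a user might type in the URL.
$Spns = @("HTTP/$ClusterName", "HTTP/$ClusterName.$DnsDomain",
          "HOST/$ClusterName", "HOST/$ClusterName.$DnsDomain")

function Get-SpnOwner {
    # Returns the distinguishedName of every object in the current domain that already
    # carries $Spn. Kerberos requires an SPN to be unique: a duplicate makes ticket requests
    # fail and the client silently falls back to NTLM.
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]''        # default naming context of the current domain
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['distinguishedname'][0]
    }
}

foreach ($spn in $Spns) {
    $owners  = @(Get-SpnOwner $spn)
    # Any owner other than the service account itself is a conflicting registration.
    $foreign = @($owners | Where-Object { $_ -notmatch "^CN=$ServiceUser," })
    if ($foreign.Count -gt 0) {
        throw "$spn is already registered on $($foreign -join '; '); remove it there first"
    }
    if ($owners.Count -eq 0) {
        & setspn.exe -A $spn $Account
    }
}

# Show the final registration so it can be compared with the SPN the client requests.
& setspn.exe -L $Account
```

Run it as a domain administrator on the domain controller after the two accounts from steps 1 and 2 exist. The LDAP search is the part worth keeping even if you register the SPN by hand: setspn on Windows Server 2003 does not check for duplicates, and a duplicate SPN is the most common reason a configuration that looks correct still authenticates with NTLM.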
Phase 2: Administration of Servers
Perform each of these steps on every Windows Server 2003 computer that is part of the NLB cluster.
Configure IIS to run in Worker Process Isolation Mode. Start IIS Manager, expand Local Computer, right-click Web Sites, and then click Properties. Click the Service tab, clear the Run WWW service in IIS 5.0 isolation mode check box, and then click OK.
If the switch to Worker Process Isolation Mode is successful, a folder named Application Pools appears under the local computer in IIS Manager, as shown in the following diagram:
Assign the domain user account created in Phase 1, step 1 as the identity of the application pool that runs the Web site. This is what makes Kerberos work against the cluster name: the KDC encrypted the service ticket with that account's key, so the worker process must run as that account to decrypt it. In this example, DefaultAppPool is the application pool used. Right-click the relevant application pool folder, select Properties, click the Identity tab, then under Application pool identity, select Configurable and enter the user name and password created earlier.
Add the domain user account created in Phase 1, step 1 to the local IIS_WPG group (the IIS Worker Process Group, which carries the user rights a worker process identity needs). This can be accomplished using the Computer Management dialog box or by running this command: net localgroup IIS_WPG <domain>\<iisid> /add.
Create your Web site. Please refer to the IIS documentation for help with this step.
Assign the Web site to the application pool configured in step 2. Right-click the Web site folder, select Properties, click the Home Directory tab, and then, in Application settings, in the Application pool drop-down list, select the appropriate application pool.
If using host header names, right-click the Web site folder, select Properties, click the Web Site tab, and then, in Web site identification, click Advanced and enter the cluster name as the Host header value.
Right-click the Web site folder, select Properties, click the Directory Security tab, and then, in Authentication and access control, click Edit, and then under Authenticated access, clear the Basic authentication check box and select Integrated Windows Authentication. For the test page, also clear Enable anonymous access: if anonymous access is allowed, the server serves the page without ever issuing an authentication challenge, and the verification step at the end of this article will log nothing.
To make the server offer Kerberos before NTLM, open a command prompt in the Inetpub\AdminScripts directory, where the adsutil.vbs script is located, and run: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM". Negotiate lets the client use Kerberos when it can obtain a ticket for the SPN and fall back to NTLM when it cannot, so an NTLM logon after this step usually means the SPN or the application pool identity is wrong rather than that the setting did not apply.
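The Phase 2 steps above for one NLB node, written against the IIS 6.0 metabase ADSI provider instead of IIS Manager, as an added example that is not part of the original article. It assumes Windows PowerShell is installed on the Windows Server 2003 node, the Web site is site identifier 1, the application pool is DefaultAppPool, the account is NLB\iisid and the cluster name is testweb; the site identifier and the verification helper at the end are assumptions of this example, the other names come from the sample configuration above.

```powershell
# Added example, not part of the original article: Phase 2 on one NLB node, using the IIS 6.0
# metabase ADSI provider instead of IIS Manager. Assumptions (not from the page): PowerShell is
# installed on the Windows Server 2003 node, the Web site is site id 1, the application pool is
# DefaultAppPool, the account is NLB\iisid and the cluster name is testweb.
$Account     = 'NLB\iisid'
$ClusterName = 'testweb'
$SiteId      = 1
$AppPoolName = 'DefaultAppPool'
$Password    = Read-Host "Password for $Account"   # never hard-code the service account password

# Step 1: worker process isolation mode. IIs5IsolationModeEnabled is the metabase property behind
# the "Run WWW service in IIS 5.0 isolation mode" check box.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$w3svc.Put('IIs5IsolationModeEnabled', $false)

# Step 7: offer Negotiate (Kerberos) before NTLM. Same effect as the adsutil.vbs command.
$w3svc.Put('NTAuthenticationProviders', 'Negotiate,NTLM')
$w3svc.SetInfo()

# Steps 2 and 3: run the pool as the domain account whose key the KDC used to encrypt the
# service ticket, and grant that account the worker-process rights via IIS_WPG.
$pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$AppPoolName"
$pool.Put('AppPoolIdentityType', 3)       # 3 = configurable (specific user) identity
$pool.Put('WAMUserName', $Account)
$pool.Put('WAMUserPass', $Password)
$pool.SetInfo()
& net.exe localgroup IIS_WPG $Account /add

# Steps 4 to 6: bind the site to the cluster name as a host header and put it in the pool.
$site = [ADSI]"IIS://localhost/W3SVC/$SiteId"
$site.Put('ServerBindings', @(":80:$ClusterName"))   # format is IP:Port:HostHeader
$site.SetInfo()
$root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$root.Put('AppPoolId', $AppPoolName)
# AuthFlags bit mask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM/Negotiate).
# Only Integrated is left on; anonymous access would serve the test page with no challenge.
$root.Put('AuthFlags', 4)
$root.SetInfo()

# The isolation-mode change only takes effect after the WWW service restarts.
& iisreset.exe

function Get-KerberosLogon {
    # Verification helper (assumption of this example): successful network logons, event 540
    # on Windows Server 2003, whose Authentication Package field reads Kerberos rather than NTLM,
    # taken from the most recent $Newest Security log entries.
    param([int]$Newest = 500)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 540 -and $_.Message -match 'Authentication Package:\s*Kerberos' }
}
```

Run it once on every node in the cluster; the password prompt keeps the service account password out of the script and out of shell history. After a client has browsed to http://testweb/test.htm, Get-KerberosLogon on the node that served the request returns the logon event that proves Kerberos was used; an event 540 whose Authentication Package is NTLM instead means the SPN lookup or the application pool identity is wrong.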
Phase 3: Administration of Client
There are no special steps to perform at the client. The client computer must address the service by the name in the SPN registered on the domain user account created in Phase 1, step 1 (http://testweb/ for the SPN HOST/testweb), and if a separate domain user account was created in Phase 1, step 2, the client should log on with it. Internet Explorer only sends integrated credentials automatically for sites in the Local intranet zone; a single-label name such as testweb falls into that zone by default. In our sample configuration, Internet Explorer was the client and we were logged on as Administrator, so we forced Internet Explorer to prompt for the new credentials (created in Phase 1, step 2) by selecting Prompt for user name and password in Tools/Internet Options/Security/Custom Level/User Authentication/Logon.
Solution Execution and Verification
After you have completed the three phases, the configuration is ready to be verified. The client should be able to access the Web site using Kerberos for authentication. In our sample configuration, we accessed http://testweb/test.htm using Internet Explorer. To verify that Kerberos (instead of NTLM) was indeed used for authentication, look for an event like the following in the Security log of the server that handled the request: a successful network logon (event ID 540 on Windows Server 2003) whose Authentication Package field reads Kerberos rather than NTLM. With NLB, the request may be handled by any node, so check the Security log on each node or inspect the client's ticket cache with the Resource Kit tool kerbtray.exe for a ticket issued to the cluster name SPN.