These instructions describe how to configure Microsoft IIS for SPNEGO authentication.
Before you begin
These instructions assume that you have Windows Server 2003 deployed with Active Directory. These steps must be completed before you can set up constrained delegation.
Procedure
- On the domain controller, select .
- Create a user that acts as a proxy for the IIS server. For example, iisuser.
- Set the user password to never expire.
- Open a command prompt.
- Change directory to C:\Program Files\Support Tools.
- Enter the appropriate ktpass command. Syntax for ktpass:
  ktpass -princ HTTP/IIS_server_name.domain_name@DOMAIN_NAME -mapuser IIS_user_name -mapOp set
  where:
  - -princ is the principal name, in the form user@REALM.
  - -mapuser maps the -princ value to this user account. This is not done by default.
  - -mapOp specifies how to set the mapping attribute; set replaces the existing value.
- View the account properties for iisuser. Verify that the field User logon name is set to the following value:
  HTTP/IIS_server_name.domain_name
  For example: HTTP/mydataserver.example.com
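The ktpass step above, written out as a batch script for the domain controller with the verification a practitioner would run straight afterwards. This is an added example, not part of the original instructions: the host name mydataserver.example.com, the realm EXAMPLE.COM and the account iisuser are constructed values to replace with your own, and the only flags used are the ones the syntax above lists.

```batch
@echo off
REM Added example (not from the original page): worked ktpass invocation on the
REM domain controller, followed by a check of the SPN that was mapped.
REM Constructed values: replace mydataserver.example.com, EXAMPLE.COM and iisuser.
setlocal
set IIS_HOST=mydataserver.example.com
set REALM=EXAMPLE.COM
set PROXY_USER=iisuser

cd /d "C:\Program Files\Support Tools"

REM Map the HTTP service principal of the IIS server onto the proxy account.
REM -mapOp set replaces any mapping already present on that account.
ktpass -princ HTTP/%IIS_HOST%@%REALM% -mapuser %PROXY_USER% -mapOp set
if errorlevel 1 (
    echo ktpass failed: check that %PROXY_USER% exists and that you run as a domain administrator
    exit /b 1
)

REM List the SPNs registered on the account. HTTP/mydataserver.example.com
REM must appear here, otherwise the IIS server will never be handed a
REM Kerberos ticket for HTTP and browsers fall back to NTLM.
setspn -L %PROXY_USER%
endlocal
```

The setspn -L listing is the check that matters: a Kerberos service ticket for HTTP/mydataserver.example.com is encrypted with the key of whichever account holds that SPN, which is why the later steps run the application pool as that same account. If the SPN is missing, or registered on a different account than the one the pool runs as, integrated authentication silently degrades to NTLM rather than failing outright.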
- Configure the application pool identity.
  - On the IIS server system, select .
  - Select .
  - Right-click and select Properties.
  - Select the Identity tab, and specify the domain identity for your IIS user (for example, iisuser).
  For detailed instructions on the Windows task Configuring Application Pool Identity with IIS 6.0, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx?mfr=true.
- Open Windows Explorer.
- Go to C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files.
- Select Properties.
- Select the Security tab.
- Grant the domain user iisuser full control over the directory.
- Go to the IIS system, and select .
- Open Local Users and Groups.
- Open Groups.
- Right-click the local group IIS_WPG.
- Select Properties.
- Select Add.
- Add the domain user (in our case, iisuser) to this local group.
- On the IIS system, open the server's local security policy.
- Click Start, click Run, and enter secpol.msc.
- Expand Local Policies and browse to User Rights Assignment.
- Open the Log on as a service right. Note that any account or group in this list can log on as a service.
- Click Add User or Group.
- Enter (or browse for) the domain user iisuser account.
- When the right is granted, reboot the server. The system reboot is required because security settings are applied during the startup phase of any Windows 2003 Server machine.
- On the IIS system, select .
- Open the local computer.
- Right-click the DefaultAppPool.
- Select Recycle to restart the pool.
- Open a browser and access http://web_server. When this is a new IIS server without existing content, you should see the IIS Under Construction page. When the IIS server has content, you should be able to see the content.
- On the IIS system, select .
- Right-click Default Web Site.
- Select Properties and select the Directory Security tab.
- Click the Edit button next to Enable anonymous access, and edit the authentication methods for this resource.
- Disable anonymous access.
- Enable Integrated Windows authentication.
- Click OK.
- Click OK again.
- Open your browser and access http://web_server. You are prompted to log on.
- Enter a valid domain user. For example, user@mydomain.com. When the logon is successful, you can view the IIS content.
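The Directory Security change and the pool recycle from the steps above, applied through the IIS 6.0 metabase instead of the property sheets, with one check the GUI does not expose. This is an added example and not part of the original instructions; it assumes the Default Web Site has metabase identifier 1 (the path W3SVC/1/ROOT) and that adsutil.vbs is in its usual location, C:\Inetpub\AdminScripts.

```batch
@echo off
REM Added example (not from the original page): scripted equivalent of the
REM Directory Security steps on the IIS 6.0 server, plus a check that
REM Negotiate (Kerberos, which SPNEGO needs) is actually offered.
REM Assumes W3SVC/1 is the Default Web Site and adsutil.vbs lives in AdminScripts.
cd /d C:\Inetpub\AdminScripts

REM AuthFlags is a bitmask: 1 = anonymous, 2 = basic, 4 = Integrated Windows.
REM A value of 4 disables anonymous access and leaves only integrated auth,
REM which is what the two checkbox steps above achieve.
cscript //nologo adsutil.vbs set W3SVC/1/ROOT/AuthFlags 4

REM SPNEGO only happens when "Negotiate" is in the provider list. If the
REM property is not explicitly set, adsutil reports that instead of a value
REM and the IIS default applies; setting it makes the intent explicit.
cscript //nologo adsutil.vbs get W3SVC/NTAuthenticationProviders
cscript //nologo adsutil.vbs set W3SVC/NTAuthenticationProviders "Negotiate,NTLM"

REM Recycle the pool so the identity and authentication changes take effect.
cscript //nologo %windir%\system32\iisapp.vbs /a DefaultAppPool /r
```

Keeping "Negotiate" first in NTAuthenticationProviders is the setting to verify when a client is prompted and then authenticates with NTLM instead of Kerberos: with only "NTLM" listed, the server never issues a Negotiate challenge and the SPN and pool-identity work above is never exercised.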