IBM Tivoli Federated Identity Manager, Version 6.2.2

Enabling integrated Windows authentication

These instructions describe how to configure Microsoft IIS for SPNEGO authentication.

Before you begin

These instructions assume that you have Windows Server 2003 deployed with Active Directory. These steps must be completed before you can set up constrained delegation.

Procedure

  1. On the domain controller, select Start > Programs > Administrative Tools > Active Directory Users and Computers.
  2. Create a user that acts as a proxy for the IIS server. For example, iisuser.
  3. Set the user password to never expire.
  4. Open a command prompt.
    1. Change directory to C:\Program Files\Support Tools.
    2. Enter the appropriate ktpass command.

      Syntax for ktpass:

      ktpass -princ HTTP/IIS_server_name.domain_name@DOMAIN_NAME 
        -mapuser IIS_user_name -mapOp set

      where:

      • -princ is the principal name, in the form user@REALM
      • -mapuser maps the -princ value to this user account. This is not done by default.
      • -mapOp specifies how the mapping attribute is set; set replaces any existing value.
  5. View the account properties for iisuser. Verify that the field User logon name is set to the following value:
    HTTP/IIS_server_name.domain_name

    For example:

    HTTP/mydataserver.example.com
  6. Configure the application pool identity.
    1. On the IIS server system, select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
    2. Select your_server_name > Application Pools > DefaultAppPool.
    3. Right-click and select Properties.
    4. Select the Identity tab, and specify the domain identity for your IIS user (for example, iisuser).

    For detailed instructions on the Windows task Configuring Application Pool Identity with IIS 6.0, see http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/f05a7c2b-36b0-4b6e-ac7c-662700081f25.mspx?mfr=true.

  7. Open Windows Explorer.
    1. Go to C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files.
    2. Select Properties.
    3. Select the Security tab.
    4. Grant domain user iisuser full control over the directory.
  8. Go to the IIS system, and select Start > Programs > Administrative Tools > Computer Management.
    1. Open Local Users and Groups.
    2. Open Groups.
    3. Right-click the local group IIS_WPG.
    4. Select Properties.
    5. Click Add.
    6. Add the domain user (in our case, iisuser) to this local group.
  9. On the IIS system, open the server's local security policy.
    1. Click Start > Run and enter secpol.msc.
    2. Expand Local Policies and browse to User Rights Assignment.
    3. Open the Log on as a service right.

      Note that any account or group in this list can log on as a service.

    4. Click Add User or Group.
    5. Enter (or browse for) the domain user iisuser account.
    6. When the right is granted, reboot the server.

      The system reboot is required because security settings are applied during the startup phase of any Windows 2003 Server machine.

  10. On the IIS system, select Start > Programs > Administrative Tools > IIS Manager.
    1. Open the local computer.
    2. Right-click on the DefaultAppPool.
    3. Select Recycle to restart the pool.
  11. Open a browser and access http://web_server.

    When this is a new IIS server without existing content, you should see the IIS Under Construction page. When the IIS server has content, you should be able to see the content.

  12. On the IIS system, select Start > Programs > Administrative Tools > IIS Manager.
    1. Right-click Default Web Site.
    2. Select Properties and select the Directory Security tab.
    3. Click the Edit button next to Enable anonymous access to edit the authentication methods for this resource.
    4. Disable anonymous access.
    5. Enable Integrated Windows authentication.
    6. Click OK.
    7. Click OK again.
  13. Open your browser and access http://web_server. You are prompted to log on.
  14. Enter a valid domain user, for example user@mydomain.com. When the logon is successful, you can view the IIS content.
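The following script is an added check that is not part of the IBM documentation; it verifies the result of steps 4, 8, 9 and 12 from the IIS system. It assumes PowerShell 2.0 or later run as an administrator, setspn.exe (Support Tools) and secedit.exe on the PATH, and placeholder values for the account, domain, SPN and URL.

```powershell
# Added check script (not from the IBM documentation). Assumes PowerShell 2.0+
# run as an administrator on the IIS server, with setspn.exe (Support Tools)
# and secedit.exe on the PATH. Account, domain, SPN and URL are placeholders.
param(
    [string]$ProxyUser = 'iisuser',                         # created in step 2
    [string]$Domain    = $env:USERDOMAIN,                   # the AD domain
    [string]$Spn       = 'HTTP/mydataserver.example.com',   # set in step 4
    [string]$Url       = 'http://mydataserver.example.com/' # secured in step 12
)
$results = @{}

# 1. The SPN must be mapped to the proxy account (step 4). setspn -L lists
#    every SPN registered on that account.
$spnList = & setspn -L $ProxyUser 2>&1
$results['spn_mapped'] = [bool]($spnList | Where-Object { "$_".Trim() -ieq $Spn })

# 2. The proxy account must be a member of the local IIS_WPG group (step 8).
$members = & net localgroup IIS_WPG 2>&1
$pattern = '^' + [regex]::Escape("$Domain\$ProxyUser") + '\s*$'
$results['in_iis_wpg'] = [bool]($members | Where-Object { "$_" -imatch $pattern })

# 3. The account must hold "Log on as a service" (step 9). secedit exports
#    the right as a list of SIDs, so translate the account name to its SID.
$acct = New-Object System.Security.Principal.NTAccount("$Domain\$ProxyUser")
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg  = Join-Path $env:TEMP 'secpol-check.inf'
& secedit /export /cfg $cfg /quiet | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
$results['logon_as_service'] = [bool]($line -and "$line".Contains($sid))
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. With anonymous access off and Integrated Windows authentication on
#    (step 12), an unauthenticated request must receive 401 with a
#    WWW-Authenticate header that offers Negotiate (SPNEGO).
$req = [System.Net.HttpWebRequest]::Create($Url)
$req.UseDefaultCredentials = $false   # do not let .NET answer the challenge
try {
    $resp = $req.GetResponse()        # 200 here means anonymous still works
    $resp.Close()
    $results['anonymous_denied'] = $false; $results['negotiate_offered'] = $false
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    $hdr  = if ($resp) { $resp.Headers['WWW-Authenticate'] } else { '' }
    $results['anonymous_denied']  = [bool]($resp -and [int]$resp.StatusCode -eq 401)
    $results['negotiate_offered'] = [bool]($hdr -and $hdr -imatch '\bNegotiate\b')
}
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-18} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on spn_mapped usually means the SPN is still registered on the machine account or on another user, which is the most common cause of SPNEGO falling back to NTLM.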