Set up IIS for Windows Authentication with LDAP
Overview
How does IIS request information from LDAP?
When a user signs in to an SSO (Single Sign-On) application, IIS authenticates the user against Active Directory using Windows Authentication (Kerberos, or NTLM as the fallback). Once the user is authenticated, the application (here Joomla) queries the directory over LDAP (Lightweight Directory Access Protocol) for the user's attributes, such as group membership. IIS Manager has no LDAP-specific setting because IIS itself does not speak LDAP: the LDAP bind is made by the application. For that bind to run as the signed-in user rather than as a fixed account, the web server must be allowed to pass the user's Kerberos credentials on to the domain controller, which is what the SPN and delegation steps below configure.
Configure IIS for Windows Authentication with LDAP for Joomla
- Open a Command Prompt as Administrator.
- Run the following command to register a Service Principal Name (SPN) for the domain service account that will run the application pool:

setspn -a HTTP/## Server FQDN ## ## Domain Service Account ##

- Note: "mini.exmaple.com" in the original command stands for ## Server FQDN ##, the name users browse to. Make sure it resolves on the Windows server running the AD service. The same SPN must not already be registered on another account (a duplicate makes Kerberos fail and clients fall back to NTLM); "setspn -S" performs that duplicate check before adding, and "setspn -L ## Domain Service Account ##" lists what the account now holds.
- Open Active Directory Users and Computers.
- Find the service account to which the SPN was added. The Delegation tab is only shown for an account that has at least one SPN, so if it is missing, the setspn step did not succeed.
- Navigate to the Delegation tab.
- Select Trust this user for delegation to any service (Kerberos only). Caveat: this is unconstrained delegation, which lets the account impersonate any signed-in user to any service in the domain. If the application only needs LDAP, prefer Trust this user for delegation to specified services only and add just the ldap service of the domain controller(s).
- Click Apply.
- Open up IIS Manager.
- Select the site which you want to apply Windows Authentication to.
- In Application Pools, select the pool used by that site, right-click it and choose Advanced Settings.
- Under Process Model, set Identity to Custom account and enter the service account for which delegation was enabled, together with its password. The Kerberos ticket the browser presents is encrypted with the key of the account that holds the HTTP SPN, so the pool identity must be that same account.
- Navigate to the Authentication section for the website.
- Enable Windows Authentication and disable Anonymous Authentication. If both remain enabled, IIS serves the request anonymously and never challenges the browser for Windows credentials (unless an authorization rule denies anonymous users), so the SSO path is never taken.
- Go to the Configuration Editor.
- Search for: system.webServer/security/authentication/windowsAuthentication
- Set useKernelMode to False and useAppPoolCredentials to True in the Configuration Editor. With these settings IIS decrypts Kerberos tickets with the application pool identity (the account holding the SPN) instead of the machine account, which is what makes the SPN registered above match the ticket.
- Click Apply.
- Restart IIS server.
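The whole procedure above, done from an elevated PowerShell prompt on the IIS server and followed by the check a practitioner would run before blaming Joomla. This is an added example, not the original page's or Joomla's own code; it assumes Windows PowerShell 5.1 with the ActiveDirectory (RSAT) and WebAdministration modules installed, and every name in the variables at the top (site, pool, FQDN, service account, domain controller) is a placeholder to replace.

```powershell
# Added example (not from the original page). All names below are assumptions.
$SiteName   = 'JoomlaSite'              # IIS site name
$AppPool    = 'JoomlaSite'              # application pool used by that site
$ServerFqdn = 'joomla.example.com'      # FQDN users browse to (## Server FQDN ##)
$SvcAccount = 'EXAMPLE\svc-joomla'      # domain service account (## Domain Service Account ##)
$SvcSam     = 'svc-joomla'              # its sAMAccountName
$DcLdapSpns = @('ldap/dc1.example.com', 'ldap/dc1.example.com/example.com')

Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. Register the HTTP SPN. -S refuses to add a duplicate, which would otherwise
#    break Kerberos for this name and make browsers silently fall back to NTLM.
setspn -S "HTTP/$ServerFqdn" $SvcAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed; look for a duplicate with: setspn -Q HTTP/$ServerFqdn" }
setspn -L $SvcAccount

# 2. Delegation. Constrained delegation to the DC's LDAP service is the least
#    privilege that still lets the app bind to LDAP as the signed-in user.
Set-ADUser -Identity $SvcSam -Add @{ 'msDS-AllowedToDelegateTo' = $DcLdapSpns }
# Unconstrained form, equivalent to the page's "any service (Kerberos only)" option:
# Set-ADAccountControl -Identity $SvcSam -TrustedForDelegation $true

# 3. Run the application pool as that account (the one holding the SPN).
$cred = Get-Credential -UserName $SvcAccount -Message 'Service account password'
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $SvcAccount
    password     = $cred.GetNetworkCredential().Password
}

# 4. Windows Authentication on, Anonymous off, tickets decrypted with the pool
#    identity. windowsAuthentication is locked at server level by default, so it is
#    written into applicationHost.config via -Location, not the site's web.config.
#    The default providers list already offers Negotiate before NTLM.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$anon    = '/system.webServer/security/authentication/anonymousAuthentication'
$winAuth = '/system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $anon    -Name enabled               -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name enabled               -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name useKernelMode         -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter $winAuth -Name useAppPoolCredentials -Value $true

iisreset

# 5. Check: an unauthenticated request must be answered with 401 and a
#    "WWW-Authenticate: Negotiate" header. A 200 here means Anonymous is still on.
function Test-NegotiateChallenge {
    param([string]$Url)
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing | Out-Null
        return 'No challenge: Anonymous Authentication is still enabled'
    } catch {
        $resp = $_.Exception.Response        # HttpWebResponse under Windows PowerShell 5.1
        if ($null -eq $resp) { throw }
        return "$([int]$resp.StatusCode) $($resp.Headers['WWW-Authenticate'])"
    }
}
Test-NegotiateChallenge "https://$ServerFqdn/"
```

After a successful sign-in from a domain-joined client, "klist" on that client should list a ticket for HTTP/joomla.example.com (the assumed FQDN). If the request succeeded but no such ticket exists, the browser authenticated with NTLM, which usually means the name in the URL does not match the registered SPN, and delegation to LDAP will then fail even though the page loads.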