Setup Kerberos for Windows Authentication
Overview
Step-by-step guidelines for setting up Kerberos Windows Authentication. Learn how to configure Kerberos for secure and seamless user authentication, including initial setup, settings, and troubleshooting tips. Perfect for system administrators and IT professionals.
Steps To Setup Kerberos For Windows Authentication:
- Open a Command Prompt as Administrator.
- Register a Service Principal Name (SPN) for the domain service account that the application pool will run as:
  setspn -S HTTP/## Server FQDN ## ## Domain Service Account ##
  Example: C:\Users\Administrator> setspn -S HTTP/mini.example.com gpadmin
  Note: "mini.example.com" here is the FQDN of the web server as clients address it. It must resolve in DNS for the clients (an A record is preferred), and the host name in the SPN must be exactly the host name users type in the URL, because the browser requests a ticket for HTTP/<host taken from the URL>. -S, unlike -A, refuses to add an SPN that is already registered on another account; a duplicate SPN in the domain leaves the KDC unable to issue a usable ticket, and browsers silently fall back to NTLM.
- Open Active Directory Users and Computers.
- Find the service account on which the SPN was registered and open its properties.
- Navigate to the Delegation tab. (The tab appears only once the account has at least one SPN.)
- Select Trust this user for delegation to any service (Kerberos only) and click Apply. Be aware that this option is unconstrained delegation: the account can then impersonate any user who signs in to the site against any service in the domain, and a compromise of the web server exposes the TGTs of every signed-in user. Delegation is not needed for authenticating users to the site itself; it is only needed when the web application must reach a back-end service (a database, a web service) with the user's identity. When that is the case, prefer Trust this user for delegation to specified services only and list the back-end SPNs.
- Open IIS Manager.
- Select the site you want to apply Windows Authentication to.
- Select the site's Application Pool, right-click it and choose Advanced Settings.
- Under Identity, choose Custom account and enter the service account that owns the SPN, together with its password.
- Navigate to the Authentication section of the site.
- Enable Windows Authentication and disable Anonymous Authentication. If Anonymous Authentication stays enabled, IIS serves requests anonymously instead of sending the 401 Negotiate challenge, so users are never authenticated.
- Open the Configuration Editor.
- Search for: system.webServer/security/authentication/windowsAuthentication
- Set useAppPoolCredentials to True and useKernelMode to False. Service tickets for HTTP/<fqdn> are encrypted with the key of the account that owns the SPN; by default IIS tries to decrypt them with the machine account's key, so useAppPoolCredentials must be True whenever the SPN sits on a custom service account.
- Click Apply.
- Restart IIS (iisreset) or recycle the application pool so the new identity and settings take effect.
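The whole procedure above as one PowerShell script, added here as an example and not taken from the original page. It assumes the web server FQDN mini.example.com, the domain EXAMPLE, the service account gpadmin, the site "Default Web Site", the app pool "DefaultAppPool", and an optional back-end SPN MSSQLSvc/db.example.com:1433 for the double hop; all of these are placeholders. Where the GUI step enables delegation "to any service", the script grants constrained delegation to that one back-end SPN instead, and skips delegation entirely if no back-end hop is configured.

```powershell
# Added example, not part of the original page: run in an elevated PowerShell
# session on the web server with the RSAT ActiveDirectory and WebAdministration
# modules available. All names below are assumptions; replace them.
Import-Module ActiveDirectory
Import-Module WebAdministration

$fqdn       = 'mini.example.com'
$domain     = 'EXAMPLE'
$account    = 'gpadmin'                       # sAMAccountName of the service account
$site       = 'Default Web Site'
$pool       = 'DefaultAppPool'
$backendSpn = 'MSSQLSvc/db.example.com:1433'  # assumed back-end; set to $null if no double hop
$spn        = "HTTP/$fqdn"
$cred       = Get-Credential -UserName "$domain\$account" -Message 'Service account password'

# 1. Register the SPN exactly once. The same SPN on two accounts leaves the KDC
#    unable to issue a usable ticket, and browsers silently fall back to NTLM.
$user = Get-ADUser -Identity $account -Properties servicePrincipalName
if ($user.servicePrincipalName -contains $spn) {
    Write-Host "$spn is already registered on $account"
} else {
    $out = setspn -S $spn $account 2>&1      # -S refuses to add a duplicate
    if ($out -match 'Duplicate SPN found') {
        throw "$spn is already registered on another account:`n$($out -join "`n")"
    }
}

# 2. Delegation, only for the double hop. "Trust this user for delegation to any
#    service" in the GUI is unconstrained delegation; this turns that off and
#    grants constrained delegation to the single back-end SPN instead.
Set-ADAccountControl -Identity $account -TrustedForDelegation $false
if ($backendSpn) {
    Set-ADUser -Identity $account -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
}

# 3. Run the application pool as the service account (identityType 3 = SpecificUser).
Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 4. Windows Authentication on, Anonymous off, and decrypt tickets with the app
#    pool account's key, because the SPN is on that account, not the machine account.
$authBase = 'system.webServer/security/authentication'
$cfg = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }
Set-WebConfigurationProperty @cfg -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @cfg -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty @cfg -Filter "$authBase/windowsAuthentication"   -Name useKernelMode -Value $false
Set-WebConfigurationProperty @cfg -Filter "$authBase/windowsAuthentication"   -Name useAppPoolCredentials -Value $true

# 5. Pick up the new identity and settings.
Restart-WebAppPool -Name $pool

# 6. Verify from a domain-joined client (run there, not on the server):
#    klist purge; Invoke-WebRequest "http://$fqdn/" -UseDefaultCredentials -UseBasicParsing | Out-Null
#    klist | Select-String "Server: $spn"     # a hit means Kerberos, not NTLM, was used
```

The script checks the account's existing servicePrincipalName attribute before calling setspn so that it can be re-run safely, and it keeps the password out of the command line by reading it through Get-Credential.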
FAQs
Can I use an existing LDAP user as a Kerberos Service principal?
Yes, you can use an existing LDAP user as the Kerberos service principal. However, its password must be set to never expire: the Kerberos key is derived from the password, so a password change invalidates any keytab generated from it. Dedicate the account to this purpose and make sure no person signs in with it, because the application uses it as the Kerberos service principal and relies on the matching keytab to validate the Kerberos tickets that clients present.
What is a "Kerberos client", "Kerberos server", and "application server"?
All authentication in Kerberos takes place between clients and servers. Any entity that obtains a service ticket for a Kerberos service is a "Kerberos client" in Kerberos terminology. Users are the most common clients, but any principal can be one.
The Key Distribution Center (KDC) is what is usually meant by "Kerberos server". The KDC implements both the Authentication Service (AS) and the Ticket Granting Service (TGS), and it stores the long-term key of every principal (derived from each principal's password). For that reason the KDC must be as secure as possible. In an Active Directory domain, every domain controller is a KDC.
The phrase "application server" refers to Kerberized software that clients talk to while authenticating with Kerberos tickets. The Kerberos telnet daemon is the classic example; in the setup described on this page, IIS is the application server.
Why am I getting a prompt to enter my credentials?
This happens when the browser cannot complete Kerberos single sign-on: it either falls back to NTLM or fails authentication altogether, IIS keeps answering 401, and the browser asks for credentials instead of signing you in silently.
This may occur for several reasons:
- Check that you are accessing the website from a domain-joined machine, signed in with a domain account.
- Make sure the clocks of the client, the domain controller (the LDAP/KDC server) and the web server are synchronized; Kerberos rejects tickets when the skew exceeds the allowed limit (5 minutes by default).
- Confirm that your browser settings and Internet options are configured for Kerberos SSO: the site must be in the Local intranet zone (or the browser's equivalent allow list) and must be opened by the FQDN that matches the registered SPN, not by IP address or a short name.
- Check that HTTP/<fqdn> is registered on exactly one account (setspn -Q HTTP/<fqdn>); a missing or duplicate SPN forces NTLM.
- If you are still facing this issue, feel free to contact us.
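The checks listed above, automated in one diagnostic script. This is an added example and not part of the original page; it runs on the domain-joined client as the user who sees the prompt, in Windows PowerShell 5.1 (the 401 handling relies on the HttpWebResponse that 5.1 attaches to the exception), and assumes the site URL http://mini.example.com/.

```powershell
# Added diagnostic example, not part of the original page. Run on the domain-
# joined client, as the affected user, in Windows PowerShell 5.1.
$url      = 'http://mini.example.com/'        # assumed site URL
$hostName = ([uri]$url).Host
$spn      = "HTTP/$hostName"
$report   = [ordered]@{}

# 1. Clock skew against the DC that logged this client on (falls back to the
#    domain name, which resolves to a DC). Kerberos rejects tickets when the
#    skew exceeds 5 minutes by default.
$dc = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { $env:USERDNSDOMAIN }
$sample = (w32tm /stripchart /computer:$dc /samples:1 /dataonly) | Select-Object -Last 1
$report['ClockSkew'] = $sample                # e.g. "10:02:31, +00.0412345s"

# 2. SPN check: exactly one account in the domain must hold HTTP/<host>.
#    Each "CN=..." line in setspn -Q output names an account holding the SPN.
$q = setspn -Q $spn
$holders = @($q | Where-Object { $_ -match '^CN=' })
$report['SpnHolders'] = $holders -join '; '
if ($holders.Count -eq 0) { Write-Warning "$spn is not registered; IIS can only do NTLM" }
if ($holders.Count -gt 1) { Write-Warning "$spn is duplicated; Kerberos will fail" }

# 3. Does the server challenge with Negotiate (Kerberos/NTLM), or answer 200
#    without any authentication (Anonymous Authentication still enabled)?
try {
    Invoke-WebRequest $url -UseBasicParsing | Out-Null
    $report['Challenge'] = 'none (200 without authentication: Anonymous is still enabled)'
} catch {
    $resp = $_.Exception.Response
    $report['Challenge'] = if ($resp) { $resp.Headers.GetValues('WWW-Authenticate') -join ', ' }
                           else       { $_.Exception.Message }
}

# 4. Which protocol was actually used: after a successful SSO request, a ticket
#    for HTTP/<host> in the cache means Kerberos; none means NTLM fallback.
klist purge | Out-Null                        # drops cached tickets; a new TGT is fetched on demand
try {
    Invoke-WebRequest $url -UseDefaultCredentials -UseBasicParsing | Out-Null
    $report['AuthRequest'] = 'succeeded'
} catch {
    $report['AuthRequest'] = "failed: $($_.Exception.Message)"
}
$ticket = klist | Select-String -SimpleMatch "Server: $spn"
$report['Protocol'] = if ($ticket) { 'Kerberos' } else { "NTLM or none (no service ticket for $spn)" }

# 5. Browser side (not automated here): IE and Edge/Chrome on Windows only attempt
#    silent Negotiate for sites in the Local intranet zone or an explicit allow
#    list, and only when the URL uses the FQDN that matches the SPN.
$report
```

Read the report top to bottom: a large ClockSkew, zero or several SpnHolders, a Challenge that lacks Negotiate, or a Protocol of NTLM each pins the prompt on one of the causes listed in the FAQ.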