Steps To Setup Kerberos For Windows Authentication

Steps To Setup Kerberos For Windows Authentication

    Step 1: Open Command prompt in Administrator mode.

    Step 2: Execute the following command on it to add Service Principal Name(SPN) for the account:

      setspn -a HTTP/## Server FQDN## ##Domain Service Account##
      Example: C:\Users\Administrator> setspn -A HTTP/mini.example.com gpadmin

      Note: "mini.exmaple.com" here is FQDN. Make sure it's resolvable on the Windows server running AD service.

    Step3: Open Active Directory Users and Computers.

    Step4: Search for the service account which was used to create the Service Principal Name (SPN).

    Step5: Navigate to the Delegation tab.

    Step6: Select Trust this user for delegation to any service (Kerberos only).

    Step7: Click Apply.

    Step8: Open up IIS Manager.

    Step9: Select the site which you want to apply Windows Authentication to.

    Step10: Select the Application Pool for that website. Right click on it and select Advanced Settings.

    Step11: Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.

    Step12: Navigate to the Authentication section for the website.

    Step13: Enable Windows Authentication and disable Anonymous Authentication.(Both cannot work simultaneously).

    Step14: Go to the Configuration Editor

    • Search for: system.webServer/security/authentication/windowsAuthentication

    Step15: Set useKernelMode as False and useAppPoolCredentials as True in the Configuration editor.

    Step16: Click Apply

    Step17: Restart IIS server

Client Site setting for Windows Authentication (Below Steps will works for IE and Chrome)

    Step1: Open up Internet Explorer and open Internet Options.

    Step2: Add the base URL of IIS Server to the list of sites in Local Intranet.

    Step3: Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.