Steps To Setup Kerberos For Windows Authentication

    Step 1: Open Command prompt in Administrator mode.

    Step 2: Execute the following command to add a Service Principal Name (SPN) for the account:

      setspn -a HTTP/##Server FQDN## ##Domain Service Account##
      Example: C:\Users\Administrator> setspn -A HTTP/mini.example.com gpadmin

      Note: "mini.example.com" here is the FQDN. Make sure it is resolvable on the Windows server running the AD service.

    Step 3: Open Active Directory Users and Computers.

    Step 4: Search for the service account which was used to create the Service Principal Name (SPN).

    Step 5: Navigate to the Delegation tab.

    Step 6: Select Trust this user for delegation to any service (Kerberos only).

    Step 7: Click Apply.

    Step 8: Open up IIS Manager.

    Step 9: Select the site which you want to apply Windows Authentication to.

    Step 10: Select the Application Pool for that website. Right click on it and select Advanced Settings.

    Step 11: Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.

    Step 12: Navigate to the Authentication section for the website.

    Step 13: Enable Windows Authentication and disable Anonymous Authentication. (Both cannot work simultaneously.)

    Step 14: Go to the Configuration Editor.

    • Search for: system.webServer/security/authentication/windowsAuthentication

    Step 15: Set useKernelMode to False and useAppPoolCredentials to True in the Configuration Editor.

    Step 16: Click Apply.

    Step 17: Restart the IIS server.
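
A read-only check of the server-side settings from the steps above, added here as an example (not part of the original page). The FQDN and account come from the page's setspn example; the site name `Default Web Site` and the helper names `Get-AuthSetting` and `Report` are assumptions. It needs the ActiveDirectory and WebAdministration modules.

```powershell
# Added example: read-only check of the server-side settings from Steps 2-15.
Import-Module ActiveDirectory     # RSAT Active Directory module
Import-Module WebAdministration   # IIS management module

$Fqdn    = 'mini.example.com'     # FQDN from the page's setspn example
$Account = 'gpadmin'              # service account from the page's example
$Site    = 'Default Web Site'     # assumption: name of the IIS site being configured
$Spn     = "HTTP/$Fqdn"
$Auth    = 'system.webServer/security/authentication'

function Get-AuthSetting([string]$Section, [string]$Name) {
    # Effective value of one boolean attribute of an authentication section for the site.
    $p = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter "$Auth/$Section" -Name $Name
    # Depending on the attribute, the cmdlet returns a wrapper with .Value or the raw value.
    $v = if ($p.PSObject.Properties['Value']) { $p.Value } else { $p }
    [System.Convert]::ToBoolean($v)
}

function Report([string]$Step, $Ok) {
    [pscustomobject]@{ Step = $Step; Result = $(if ($Ok) { 'OK' } else { 'CHECK' }) }
}

# Step 2: the SPN must exist on exactly one object, the service account.
# A missing or duplicated SPN prevents Kerberos authentication to the site.
$user   = Get-ADUser -Identity $Account -Properties TrustedForDelegation
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")
$spnOk  = ($owners.Count -eq 1) -and ($owners[0].DistinguishedName -eq $user.DistinguishedName)

# Step 11: the site's application pool runs as the service account.
# userName may be stored as DOMAIN\name, name@domain or name.
$pool   = (Get-Item "IIS:\Sites\$Site").applicationPool
$model  = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
$namePattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'
$poolOk = ($model.identityType -eq 'SpecificUser') -and ($model.userName -match $namePattern)

Report "Step 2: $Spn held only by $Account" $spnOk
# "Trust this user for delegation to any service" is unconstrained delegation.
Report 'Step 6: account trusted for delegation to any service' $user.TrustedForDelegation
Report "Step 11: pool '$pool' runs as $Account" $poolOk
Report 'Step 13: Windows Authentication enabled' (Get-AuthSetting 'windowsAuthentication' 'enabled')
Report 'Step 13: Anonymous Authentication disabled' (-not (Get-AuthSetting 'anonymousAuthentication' 'enabled'))
Report 'Step 15: useKernelMode is False' (-not (Get-AuthSetting 'windowsAuthentication' 'useKernelMode'))
Report 'Step 15: useAppPoolCredentials is True' (Get-AuthSetting 'windowsAuthentication' 'useAppPoolCredentials')
```

Run it in an elevated PowerShell session on the IIS server; any row marked CHECK points back to the step to revisit.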

Client-Side Settings for Windows Authentication (the steps below work for IE and Chrome)

    Step 1: Open up Internet Explorer and open Internet Options.

    Step 2: Add the base URL of the IIS server to the list of sites in Local Intranet.

    Step 3: Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.