Search Results :

×
Sign Up Contact Us

Contents

Setup Kerberos for Windows Authentication

Step-by-step guidelines for setting up Kerberos Windows Authentication. Learn how to configure Kerberos for secure and seamless user authentication, including initial setup, settings, and troubleshooting tips. Perfect for system administrators and IT professionals.



Know More Pricing Plans
  • Open Command prompt in Administrator mode.
  • Execute the following command on it to add Service Principal Name (SPN) for the account
      • setspn -a HTTP/## Server FQDN ## ## Domain Service Account ##

      Example: C:\Users\Administrator> setspn -A HTTP/mini.example.com gpadmin
      Note: "mini.exmaple.com" here is FQDN. Make sure it's resolvable on the Windows server running AD service.

  • Open Active Directory Users and Computers.
  • Search for the service account which was used to create the Service Principal Name (SPN).
  • Navigate to the Delegation tab.
  • Select Trust this user for delegation to any service (Kerberos only).
service principal name delegation

  • Click Apply.
  • Open up IIS Manager.
  • Select the site which you want to apply Windows Authentication to.
  • Select the Application Pool for that website. Right click on it and select Advanced Settings.
IIS manager, advanced settings

  • Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.
custom account advanced settings

  • Navigate to the Authentication section for the website.
default web sites authentication settings

  • Enable Windows Authentication and disable Anonymous Authentication.(Both cannot work simultaneously)
enable windows authentication and disable anonymous authentication

  • Go to the Configuration Editor.
configuration editor

  • Search for: system.webServer/security/authentication/windowsAuthentication
configuration editor set useKernelMode and useAppPoolCredentials

  • Set useKernelMode as False and useAppPoolCredentials as True in the Configuration editor.
  • Click Apply.
  • Restart IIS server.

More FAQs ➔

Yes, you can use an existing LDAP user as a Kerberos service principal. However, this user must have a password set to never expire. Kindly make sure this account is not used by any user as the application uses this account as the Kerberos service principal and the corresponding keytab to obtain a kerberos ticket.

All authentication in Kerberos occurs between clients and servers. Therefore, any entity that receives a service ticket for a Kerberos service is referred to as a "Kerberos client" in Kerberos terminology. Users are often considered clients, but any principal might be one.
The Key Distribution Center, or KDC for short, is typically referred to as a "Kerberos server". Both the Authentication Service (AS) and the Ticket Granting Service (TGS) are implemented by the KDC. Every password connected to every principal is stored in the KDC. Because of this, it is essential that the KDC be as safe as feasible.
The phrase "application server" often refers to Kerberized software that clients use to interact while authenticating using Kerberos tickets. An example of an application server is the Kerberos telnet daemon.

This happens when the NTLM protocol is used for Authentication instead of Kerberos.
This may occur due to multiple reasons:

  • Check if you are using a domain joined machine to access the website.
  • Make sure the time is synchronized between the LDAP server and webserver.
  • Confirm if your browser settings and Internet options are configured for Kerberos SSO.
  • If you are still facing this issue, feel free to contact us.


ADFS_sso ×
Hello there!

Need Help? We are right here!

support