DelegConfig v2 beta (Delegation / Kerberos Configuration Tool) : Download : The Official Microsoft IIS Site

I just love the main screen of this tool! Kerberos can be scary and misunderstood (kinda like referees!)

Introduction

DON'T RUSH!!! You are not so smart that you should skip over reading the following. I like to skip over documentation just as much as the next person. But for your own benefit please read this information (usage tips and features). If you are not aware of everything this tool can do, you will add unnecessary confusion and work to your already frustrating experience of getting Kerberos and Delegation to function properly.

Usage Tips
READ what the report tells you - If I had a penny for every time somebody asked me what the report ALREADY SAYS I would be rich. Okay, maybe not rich, but I'd have a lot of pennies.
Start by using the report locally from the web server - You should still use the same URL that you plan on using remotely. However, certain types of authentication problems will occur only if your connection is using Kerberos and there is something misconfigured. Using this tool from a browser instance local to the server will avoid those types of problems since in most cases local requests use NTLM.
Next, use the report from a remote client - One important check that is performed is whether or not your browser has actually connected to the web service using Kerberos. If you always make your requests from the web server itself, you will likely always see a "Negotiate with NTLM" connection with a red "x" next to it (and red icons usually bother people). A second important piece of information revolves around name resolution of the client. If your requests are always from the server, how can we see what the client thinks?
Lastly, click any "Fix This" buttons locally from the server - "Fix This" buttons will appear that let you make the exact changes you need to get things working. But just like any other web application, this application is at the mercy of the whole double-hop concept. The most relevant changes this tool can make are to Trust settings and ServicePrincipalName settings, both of which are stored in Active Directory. If you try to change these settings (i.e. you click the "Fix This" buttons) from a remote browser instance, it will likely fail because of the failed double-hop from browser-to-webServer and then webServer-to-ActiveDirectory.
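The Kerberos versus "Negotiate with NTLM" distinction from the tips above can also be read offline from a captured Authorization header. The following is an added example, not DelegConfig's code: it decodes the token and reports the first mechanism the client offered, and the function names and sample tokens are constructed for illustration.

```python
import base64
# DER-encoded OID values (tag and length stripped) of the mechanisms involved.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos", MS_KRB5: "Kerberos", NTLMSSP: "NTLM"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(header_value):
    """Name the mechanism offered in an HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not integrated auth"
    try:
        token = base64.b64decode(blob, validate=True)
        if token.startswith(b"NTLMSSP\x00"):   # bare NTLM message, no SPNEGO wrapper
            return "NTLM"
        tag, body, _ = read_tlv(token, 0)      # GSS-API initial token, tag 0x60
        if tag != 0x60:
            return "unknown"
        _, oid, pos = read_tlv(body, 0)        # mechanism OID of the outer token
        if oid != SPNEGO:
            return MECHS.get(oid, "unknown")   # e.g. a Kerberos token sent unwrapped
        # NegTokenInit: [0] > SEQUENCE > [0] mechTypes > SEQUENCE > first OID
        for want in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, body, _ = read_tlv(body, pos)
            if tag != want:
                return "unknown"
            pos = 0
        return MECHS.get(body, "unknown")
    except (ValueError, IndexError):
        return "malformed"

# Constructed samples (not captured traffic): short-form DER only, no mechToken.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value
def sample_spnego(mech_oids):
    mechs = b"".join(tlv(0x06, oid) for oid in mech_oids)
    init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, mechs))))
    return "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, SPNEGO) + init)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

The result is the mechanism the client offered first, per the SPNEGO mechTypes ordering; it does not show whether the server accepted it.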
Pages
/Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames
/Set/Delegation.aspx - Allows changing Trust for Delegation settings.
/Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.
/Report.aspx - Gives a picture of what is right and what is wrong.
/Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.
/Test.aspx - Allows double-hop tests for webServer-to-Sql, webServer-to-File server, or webServer-to-webServer.

 


Comments

  • Anonymous
    June 20, 2011
    Make sure the client machines have .NET 2.0 SP2 installed; the servers send some JavaScript that's running on the client, and that's where the error is coming from.

  • Anonymous
    July 14, 2011
    My server is running .NET 3.5 (2008 R2) and I'm having the same issue. I've also tried running the appPool in Classic Mode but no joy. Are there any other ideas out there?

  • Anonymous
    March 12, 2014
    The error message is related to DispHTMLObjectElement, which doesn't support the GetResolved method. Is there any possibility to get the source code of DelegConfig v2 beta?

  • Anonymous
    September 04, 2015
    Got this resolved by running the Wizard (Wizard.aspx).