
Enabling Kerberos in IIS

How do I enable Kerberos authentication for my web service?

Kerberos is a very good authentication protocol to use when you're joined to a Windows domain. It is intended to work with simple configuration, but using Kerberos for network authentication sometimes turns out to be harder than it should be. There are two fundamental steps that you need to take when setting up your service for Kerberos:

1. Enable Integrated Windows Authentication for your website in IIS.
2. Configure your WCF service binding to have Windows credentials so that you can get the Negotiate protocol on the wire.

These basics were exactly what I covered a few days ago when talking about turning off anonymous access. Now, I have some troubleshooting tips in case you think that you have Kerberos enabled but are either getting an error or getting NTLM instead of Kerberos.

I'm going to recommend that you get some network monitoring software so that you can look at the HTTP headers. It's possible to look at the HTTP headers in other ways, but using an external program for network sniffing makes it less likely that you accidentally "fix" the problem by setting up your monitoring program differently than your actual service. Being able to look at the HTTP headers lets you see whether Kerberos or NTLM is being offered on the wire.
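Once you have the HTTP headers in front of you, the thing to read is the client's `Authorization` header. Under the `Negotiate` scheme the token is an SPNEGO wrapper whose `mechTypes` list names the mechanisms the client is offering, preferred first; a raw NTLM token instead begins with the literal `NTLMSSP\0`. The following is an added example (not code from the original post) that decodes such a header and reports which mechanism is actually on the wire. The sample headers at the bottom are constructed for the example rather than captured from a real server, and the DER helpers are written inline so the script runs offline; the mechanism OIDs are the real, well-known values.

```python
import base64

# Well-known GSS-API mechanism OIDs (real values, RFC 4178 / MS-SPNG).
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "Kerberos (MS KRB5)",
    "1.2.840.113554.1.2.2": "Kerberos",
    "1.3.6.1.4.1.311.2.2.10": "NTLM",
}

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return der_tlv(0x06, bytes(out))

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def offered_mechanisms(auth_header):
    """Mechanisms the client's Authorization header offers, preferred first."""
    _scheme, _, b64 = auth_header.strip().partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return ["NTLM"]                      # raw NTLM under either the NTLM or Negotiate scheme
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid_body, pos = read_tlv(body, 0)
    mech = decode_oid(oid_body)
    if mech != SPNEGO_OID:                   # bare mechanism token, no SPNEGO wrapper
        return [MECH_NAMES.get(mech, "unknown " + mech)]
    tag, neg_token, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit (first SPNEGO round expected)")
    _, seq, _ = read_tlv(neg_token, 0)
    mechs, p = [], 0
    while p < len(seq):
        tag, element, p = read_tlv(seq, p)
        if tag == 0xA0:                      # [0] mechTypes: SEQUENCE OF OID
            _, mech_list, _ = read_tlv(element, 0)
            q = 0
            while q < len(mech_list):
                _, oid_body, q = read_tlv(mech_list, q)
                oid = decode_oid(oid_body)
                mechs.append(MECH_NAMES.get(oid, "unknown " + oid))
    return mechs

def verdict(auth_header):
    """Kerberos only counts if it is the client's first (optimistic) mechanism."""
    first = offered_mechanisms(auth_header)[0]
    if first.startswith("Kerberos"):
        return "Kerberos"
    return "NTLM" if first == "NTLM" else "other"

# --- Constructed sample headers (built here, not captured from a real server) ---
def _spnego_header(mech_oids, opaque_mech_token):
    mech_types = der_tlv(0x30, b"".join(der_oid(o) for o in mech_oids))
    inner = der_tlv(0x30, der_tlv(0xA0, mech_types) + der_tlv(0xA2, der_tlv(0x04, opaque_mech_token)))
    return "Negotiate " + base64.b64encode(der_tlv(0x60, der_oid(SPNEGO_OID) + der_tlv(0xA0, inner))).decode()

SAMPLE_KERBEROS = _spnego_header(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    b"\x60\x00placeholder-ap-req")          # constructed stand-in for a real AP-REQ
SAMPLE_NTLM_SPNEGO = _spnego_header(["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_NTLM_RAW = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()

if __name__ == "__main__":
    for name, hdr in [("kerberos", SAMPLE_KERBEROS), ("ntlm-in-spnego", SAMPLE_NTLM_SPNEGO), ("ntlm-raw", SAMPLE_NTLM_RAW)]:
        print(name, offered_mechanisms(hdr), "->", verdict(hdr))
```

Paste the base64 from a captured `Authorization` header into `offered_mechanisms`. A client that lists only NTLM, or that sends a raw `NTLMSSP` token, never obtained a Kerberos ticket for your service, which points you at the principal-name and provider problems discussed next rather than at the IIS authentication switch itself.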

One of the common reasons for Kerberos to be skipped is an issue with the principal name. The client has to specify a user or service principal name as the target when connecting to the service. The service needs to have its service principal name registered when receiving requests. When you first set up a web server, service principals are registered for standard accounts like System and Network Service. If you're using a non-standard account or the configuration has been changed a lot over time, you may be in a state where you have zero or multiple service principals, either of which will cause Kerberos to fail.

Another issue with changing configurations is that IIS allows you to configure the authentication providers for an application pool. This is the NtAuthenticationProviders setting. Either the default value or explicitly setting that variable to "Negotiate,NTLM" should work, but I've seen some configurations that had this set to support NTLM only.

Next time: Choosing a Message Size for Buffered Copies

Comments

  • Anonymous
    April 02, 2007
    Can I write a point-to-point router service by setting the Via property for outgoing messages? Like most

  • Anonymous
    April 05, 2007
    I have spent a lot of time through the night and some today to try to get my personal blog in order after