Microsoft Internet Information Services 7 (IIS 7) supports the classic HTTP authentication protocols, basic and digest authentication, as well as the Windows authentication protocols NTLM and Kerberos. The major change in IIS 7.0 is that these authentication modules are not installed by default. In this document I will walk you through the setup and configuration needed to enable Single Sign-On (SSO) authentication using Kerberos. The setup below was tested with a BlackBerry database on SQL Server and a third-party web-based application.
Situation:
I highly recommend that all the tests be performed in a test or dev environment.
For the proof of concept, I installed and configured Windows Server 2008 Standard Edition. Through Server Manager I did a default installation of IIS 7 and, for authentication, installed only Windows Authentication. A third-party web application is also installed on IIS; users connect to it over HTTP and retrieve data from a repository located on a back-end database server. The application supports Single Sign-On and is configured with the proper information (typically a configuration page that asks you to enter the SSO details). The back-end database runs on SQL Server 2008 installed on Windows Server 2008, and the SQL Server service runs under a domain user account. Users connect to the website running on IIS through Internet Explorer and/or Firefox.
This situation is generally referred to as double-hop Kerberos authentication: the user first connects to IIS from a client using the logged-on credential (first hop), and IIS then connects on the user's behalf to the database on another server (second hop).
Configure Client Browser
In order to achieve SSO, the client browser needs to be configured so that proper authentication can take place.
Internet Explorer
Perform the steps below for IE to work with Single Sign-On:
1. Add the website URL to the Intranet security zone.
2. Set "Automatic logon only in Intranet zone".
3. Enable Integrated Windows Authentication (restart the browser).
Firefox
Firefox does not negotiate Kerberos by default. In the following preferences (about:config), set the domain or a wildcard for the domain of the website; if your website URL is mysite.domain.com, enter the value .domain.com:
1. network.negotiate-auth.delegation-uris
2. network.negotiate-auth.trusted-uris
Once these changes are made in the Firefox configuration, Kerberos is enabled in Firefox.
Configure IIS 7.0/7.5
In order to enable Single Sign-On, we must install the Windows Authentication component and disable Anonymous Authentication. Check that the IIS DefaultAppPool is running under NETWORK SERVICE; we do not need a domain account for the application pool. Once the Windows Authentication feature is installed and enabled, disable Anonymous Authentication if it is installed. We assume that the website URL is http://myserver.domain.com and that it runs on the default port 80.
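The IIS changes above as an added PowerShell example; this is not code from the original post. It assumes the site is called "Default Web Site" (the post does not name the site) and uses appcmd.exe, which ships with IIS 7, to enable Windows Authentication, disable Anonymous Authentication and confirm the DefaultAppPool identity, so that each setting is verified rather than assumed.

```powershell
# Added example (not from the original post). Assumes the site name 'Default Web Site';
# change $site if the application lives in another site. Run from an elevated prompt
# on the IIS server.
$site   = 'Default Web Site'
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Install the Windows Authentication role service (the Server Manager equivalent).
#    servermanagercmd.exe is present on Windows Server 2008 and 2008 R2.
& servermanagercmd.exe -install Web-Windows-Auth

# 2. Turn Windows Authentication on and Anonymous Authentication off for the site.
#    /commit:apphost writes the setting into applicationHost.config; the authentication
#    sections are locked there by default, so a web.config in the site cannot quietly
#    re-enable anonymous access.
& $appcmd set config $site /section:system.webServer/security/authentication/windowsAuthentication /enabled:true /commit:apphost
& $appcmd set config $site /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost

# 3. Print the resulting state so it can be checked.
& $appcmd list config $site /section:system.webServer/security/authentication/windowsAuthentication
& $appcmd list config $site /section:system.webServer/security/authentication/anonymousAuthentication

# 4. Confirm the pool identity. NETWORK SERVICE is sufficient because IIS 7 kernel-mode
#    authentication (useKernelMode, on by default) decrypts the service ticket with the
#    machine account, which is why the http/ SPNs are registered on the server's
#    computer account rather than on a service account.
$identity = & $appcmd list apppool DefaultAppPool /text:processModel.identityType
if ($identity -ne 'NetworkService') {
    Write-Warning "DefaultAppPool is running as '$identity', not NetworkService; the SPN placement in this post assumes NetworkService."
}
```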
Configure Active Directory
To perform the AD-related changes, a domain admin needs to be involved so that the SPNs can be created. If there are multiple domain controllers, make sure the changes have replicated to all of them. Log on to a domain controller and open a command prompt with the same privilege.
Set the SPN for the site on both the hostname and the FQDN of the server where IIS is running:
setspn -A http/mysite servername
setspn -A http/mysite.domain.com servername
Set the SPNs for the SQL service on your SQL service account (assuming you use the default SQL port, 1433):
setspn -A MSSQLSvc/hostname domain\MySQLService
setspn -A MSSQLSvc/hostname:1433 domain\MySQLService
setspn -A MSSQLSvc/hostname.domain.com domain\MySQLService
setspn -A MSSQLSvc/hostname.domain.com:1433 domain\MySQLService
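The SPN registrations above as an added PowerShell example; it is not code from the original post. It uses the same placeholder names (servername, mysite, hostname, domain\MySQLService) and differs from the commands above in one way: it registers with setspn -S instead of -A. -S searches the forest first and refuses to add an SPN that is already held by an account, whereas -A adds blindly. A duplicate SPN means the KDC cannot issue a ticket for that service and clients silently fall back to NTLM, which is the most common reason the second hop fails. The script then lists each account and reports any required SPN that is still missing.

```powershell
# Added example (not from the original post): register the SPNs with a duplicate check
# and verify the result. Placeholders from the post: servername (IIS host),
# domain\MySQLService (SQL service account), mysite / hostname (site and SQL host).
# Run in an elevated prompt on a domain controller, or anywhere setspn.exe is available
# with Domain Admin rights.

# SPN -> account that must hold it. The http/ SPNs go on the IIS machine account because
# the application pool runs as NETWORK SERVICE; the MSSQLSvc SPNs go on the domain
# account that runs the SQL Server service.
$required = @(
    @{ Spn = 'http/mysite';                       Account = 'servername' },
    @{ Spn = 'http/mysite.domain.com';            Account = 'servername' },
    @{ Spn = 'MSSQLSvc/hostname';                 Account = 'domain\MySQLService' },
    @{ Spn = 'MSSQLSvc/hostname:1433';            Account = 'domain\MySQLService' },
    @{ Spn = 'MSSQLSvc/hostname.domain.com';      Account = 'domain\MySQLService' },
    @{ Spn = 'MSSQLSvc/hostname.domain.com:1433'; Account = 'domain\MySQLService' }
)

foreach ($entry in $required) {
    # setspn -S aborts with "Duplicate SPN found" if any account in the forest already
    # holds this SPN (including the target account itself on a re-run).
    $out = & setspn.exe -S $entry.Spn $entry.Account 2>&1
    if ($out -match 'Duplicate SPN found') {
        Write-Warning ("{0} is already registered somewhere in the forest; run 'setspn -Q {0}' to see which account holds it and remove any stale entry." -f $entry.Spn)
    } else {
        Write-Host ("Registered {0} on {1}" -f $entry.Spn, $entry.Account)
    }
}

# Verify: list what each account actually holds and report anything still missing.
$missing = @()
foreach ($account in ($required | ForEach-Object { $_.Account } | Select-Object -Unique)) {
    $listed = & setspn.exe -L $account 2>&1
    foreach ($entry in ($required | Where-Object { $_.Account -eq $account })) {
        $pattern = '^\s*' + [regex]::Escape($entry.Spn) + '\s*$'
        if (-not ($listed -match $pattern)) { $missing += $entry.Spn }
    }
}
if ($missing.Count -eq 0) {
    Write-Host 'All required SPNs are present.'
} else {
    Write-Warning ('Missing SPNs: ' + ($missing -join ', '))
}
```

Because SPNs are replicated between domain controllers, run the verification part again against each DC (or wait for replication) before testing from the client; a ticket request that lands on a DC without the new SPN still fails.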
Configure SQL Server 2008
Once the Active Directory changes have been performed and replicated to all domain controllers, log on to the SQL server and run the following query:
select auth_scheme from sys.dm_exec_connections where session_id = @@spid
The query should return "Kerberos" as the authentication scheme. If you do not see Kerberos, you need to troubleshoot; I will explain in my next post how to troubleshoot Kerberos issues in SQL Server.
Also grant logon access to the server where IIS is running; the login name should be domain\iisserver$ and its privilege should not be more than "public". You may also need to create logins for users to the database.
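An added PowerShell example, not from the original post, that extends the query above from the current session to every session on the server. It connects over TCP to the SQL server's FQDN and port (so the MSSQLSvc/hostname.domain.com:1433 SPN is the one requested; a local shared-memory connection from the server itself typically reports NTLM even when Kerberos is otherwise working), and it assumes the placeholder hostname.domain.com from the post and an account holding VIEW SERVER STATE, which sys.dm_exec_sessions needs in order to show sessions other than your own.

```powershell
# Added example (not from the original post). Assumes hostname.domain.com:1433 from the
# post and a login with VIEW SERVER STATE.
$server = 'hostname.domain.com,1433'

# login_name tells you which principal arrived, auth_scheme whether it came in as
# KERBEROS or NTLM, and client_net_address where it came from. Run this while a user is
# browsing the site: the IIS server's connections should show the delegated user (or
# domain\iisserver$) with KERBEROS. NTLM from the IIS address means delegation did not
# happen (missing or duplicate SPN, or the browser sent NTLM instead of a ticket).
$query = @"
SELECT s.session_id, s.login_name, c.auth_scheme, c.net_transport, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.auth_scheme, s.login_name;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$server;Integrated Security=SSPI;Database=master"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Close()
}

$table | Format-Table -AutoSize

# Anything not on Kerberos deserves a look before declaring SSO working.
$notKerberos = @($table | Where-Object { $_.auth_scheme -ne 'KERBEROS' })
if ($notKerberos.Count -gt 0) {
    Write-Warning ("{0} session(s) are not using Kerberos" -f $notKerberos.Count)
}
```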
Perform the test
Before you perform the test, make sure that all the permissions and logins for users are in place. Open the website from the client browser; the page should open with your logged-on credential. Check the IIS log to verify that. If you then connect to the database through the website, the SQL log will also show you as logged in (authenticated). With that, we have confirmed that SSO using Kerberos is working.
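Checking the IIS log, as an added PowerShell example that is not from the original post. It parses the W3C log format IIS 7 writes by default and shows, per client address and user, which requests were authenticated and which logons failed. The log content in the script is constructed sample data (the addresses, user and timestamps are made up); to run it against a real log, replace $logText with the contents of a file under C:\inetpub\logs\LogFiles\W3SVC1\.

```powershell
# Added example (not from the original post). $logText is constructed sample data in the
# default IIS 7 field layout; swap in Get-Content on a real u_ex*.log to use it.
$logText = @"
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-06-01 09:00:01 10.0.0.5 GET /app/default.aspx - 80 - 10.0.0.21 Mozilla/4.0 401 2 5 15
2010-06-01 09:00:01 10.0.0.5 GET /app/default.aspx - 80 DOMAIN\alice 10.0.0.21 Mozilla/4.0 200 0 0 78
2010-06-01 09:00:09 10.0.0.5 GET /app/report.aspx - 80 DOMAIN\alice 10.0.0.21 Mozilla/4.0 200 0 0 120
2010-06-01 09:01:30 10.0.0.5 GET /app/default.aspx - 80 - 10.0.0.37 Mozilla/5.0 401 2 5 12
2010-06-01 09:01:30 10.0.0.5 GET /app/default.aspx - 80 - 10.0.0.37 Mozilla/5.0 401 1 2148074254 9
"@

# Parse: the "#Fields:" directive names the columns; other "#" lines are metadata.
$fields = @()
$rows   = @()
foreach ($line in ($logText -split "`r?`n")) {
    if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1] -split ' '; continue }
    if ($line -match '^#' -or $line.Trim() -eq '') { continue }
    $values = $line -split ' '
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    $rows += New-Object PSObject -Property $row
}

# The expected SSO pattern per client is one anonymous 401.2 (the Negotiate challenge)
# followed by 200 responses carrying the user name. Summarise authenticated requests.
$rows | Where-Object { $_.'cs-username' -ne '-' } |
    Group-Object -Property 'c-ip', 'cs-username' |
    ForEach-Object {
        '{0,-15} {1,-20} {2} authenticated request(s)' -f $_.Group[0].'c-ip', $_.Group[0].'cs-username', $_.Count
    }

# 401.1 is a failed logon. Win32 status 2148074254 (0x8009030E, no credentials available)
# is the usual sign of a browser that did not send the logged-on credential, i.e. the
# Intranet zone / negotiate-auth settings from earlier in the post are missing on that client.
$rows | Where-Object { $_.'sc-status' -eq '401' -and $_.'sc-substatus' -eq '1' } |
    ForEach-Object {
        Write-Warning ('{0} failed logon from {1} (win32 status {2})' -f $_.time, $_.'c-ip', $_.'sc-win32-status')
    }
```

The IIS log records who was authenticated but not whether Kerberos or NTLM was used; for that, the Security event log on the IIS server (logon event 4624, Authentication Package field) and the SQL-side auth_scheme query are the places to look.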
Test environments may differ and results may vary, but there are ways to troubleshoot the issue. The document below gives more understanding of SSO in the double-hop scenario.