Configure IIS, SQL and AD for Double-Hop single sign-on authentication


Microsoft Internet Information Services 7 (IIS 7) supports the classic HTTP authentication protocols (basic and digest) as well as the typical Windows authentication protocols (NTLM and Kerberos). The major change in IIS 7.0 is that these authentication modules are not installed by default. In this document I will guide you through the setup and configuration needed to enable Single Sign-On authentication using Kerberos. The setup below was tested with a BlackBerry database on SQL Server and a third-party web-based application.

Situation:


I highly recommend that all tests be performed in a test or dev environment.

For the proof of concept, I installed and configured Windows Server 2008 Standard Edition. Through Server Manager I did a default installation of IIS 7; for authentication, I installed only Windows Authentication. A third-party web application is also installed on IIS. Users connect to it over HTTP and retrieve data from a repository located on a back-end database server. The application supports Single Sign-On and is configured with the proper information; typically this is a configuration page that requires you to enter the information for SSO. The back-end database is SQL Server 2008, installed on Windows Server 2008, and the SQL Server service runs under a domain user account. Users connect to the website running on IIS through Internet Explorer and/or Firefox.

This situation is generally referred to as double-hop Kerberos authentication, because the user first connects to IIS from a client using the logged-on credentials (first hop), and IIS then connects to the database on another server with those credentials (second hop).

Configure Client Browser


To achieve SSO, the client browser needs to be configured so that Kerberos authentication can take place.

Internet Explorer


Perform the steps below for IE to work with Single Sign-On:

1. Add the website URL to the Intranet security zone

2. Set "Automatic logon only in Intranet zone"

3. Enable Integrated Windows Authentication (restart the browser)

Firefox


Firefox does not negotiate Kerberos by default. In the Firefox config (about:config), set the two preferences below to the domain of the website, or to a wildcard for it: if your website URL is mysite.domain.com, enter the value .domain.com

1. network.negotiate-auth.delegation-uris

2. network.negotiate-auth.trusted-uris

These two changes are what enable Kerberos in Firefox.


Configure IIS 7.0/7.5


To enable Single Sign-On, we must install the Windows Authentication component and disable Anonymous access. Check that the IIS DefaultAppPool is running under NETWORK SERVICE; a domain account is not needed for the application pool. Once the Windows Authentication feature is installed and enabled on the site, disable Anonymous authentication if it is installed. The rest of this document assumes that the website URL is

http://myserver.domain.com and that it runs on the default port 80.
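The IIS part of the setup above, scripted, as an added example (not code from the original post): it enables Windows Authentication, disables Anonymous, puts Negotiate ahead of NTLM and shows the app pool identity. It assumes the WebAdministration module (IIS 7.5, or IIS 7 with the PowerShell snap-in) and a site named 'Default Web Site', which is a placeholder.

```powershell
# Added example, not from the original post. Assumes the WebAdministration module
# and a site called 'Default Web Site' (placeholder name).
Import-Module WebAdministration

$site = 'Default Web Site'
$auth = 'system.webServer/security/authentication'

# 1. Windows Authentication on. Anonymous must be off on the same site: if it stays
#    on, IIS serves the page anonymously and never issues the 401 Negotiate challenge.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

# 2. Offer Negotiate before NTLM so a browser configured as above picks Kerberos.
#    Remove both entries for this site, then add them back in the wanted order.
$providers = "$auth/windowsAuthentication/providers"
foreach ($p in 'NTLM', 'Negotiate') {
    Remove-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter $providers -Name '.' -AtElement @{ value = $p }
}
foreach ($p in 'Negotiate', 'NTLM') {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter $providers -Name '.' -Value @{ value = $p }
}

# 3. Leave kernel-mode authentication at its default (on): the service ticket is
#    then decrypted with the machine account, which is the account the http/ SPN is
#    registered on in the AD section. Only an app pool running as a domain account
#    would need the SPN on that account (and useAppPoolCredentials=true).
$pool = Get-ItemProperty 'IIS:\AppPools\DefaultAppPool'
"DefaultAppPool identity: $($pool.processModel.identityType)"   # expect NetworkService

# 4. Show the effective authentication settings for the site.
foreach ($m in 'windowsAuthentication', 'anonymousAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter "$auth/$m" -Name enabled
    '{0,-24} enabled={1}' -f $m, $v.Value
}
```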

Configure Active Directory


To perform the AD-related changes, a domain admin needs to be involved so that the SPNs can be created. If there are multiple domain controllers, make sure the changes have replicated to all of them. Log on to a domain controller and open a command prompt with the same (domain admin) privileges.

Set the SPN for the site, for both the hostname and the FQDN, on the computer account of the server where IIS is running:

    setspn -A http/mysite servername
    setspn -A http/mysite.domain.com servername

Set the SPNs for the SQL service on your SQL service account, assuming you use the default SQL port (1433):

    setspn -A MSSQLSvc/hostname domain\MySQLService
    setspn -A MSSQLSvc/hostname:1433 domain\MySQLService
    setspn -A MSSQLSvc/hostname.domain.com domain\MySQLService
    setspn -A MSSQLSvc/hostname.domain.com:1433 domain\MySQLService
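The same SPN registrations with the check a practitioner wants first, as an added example (not from the original post): `setspn -A` registers blindly, and a duplicate SPN leaves the KDC unable to pick a key, so the client silently falls back to NTLM. The script queries for each SPN, registers with `setspn -S` (which refuses duplicates), and then reports the delegation setting on the IIS computer account, which the second hop depends on. The names servername, hostname and MySQLService are the post's placeholders.

```powershell
# Added example, not from the original post. Account and host names are the
# post's placeholders; run as a domain admin on a domain controller.
$iisHost = 'servername'
$sqlSvc  = 'domain\MySQLService'
$sqlFqdn = 'hostname.domain.com'

function Register-SpnIfFree {
    param([string]$Spn, [string]$Account)
    # setspn -Q searches the whole forest and prints "Existing SPN found!" on a hit
    # (also when the SPN already sits on the intended account, so re-runs warn too)
    if (setspn -Q $Spn | Select-String 'Existing SPN found') {
        Write-Warning "$Spn is already registered; run 'setspn -Q $Spn' to see the owner"
        return $false
    }
    # -S checks for duplicates once more and refuses to create one, unlike -A
    setspn -S $Spn $Account | Out-Null
    return $true
}

# HTTP SPNs go on the computer account because the app pool runs as NETWORK SERVICE
foreach ($spn in 'http/mysite', 'http/mysite.domain.com') {
    Register-SpnIfFree -Spn $spn -Account $iisHost
}
# SQL SPNs go on the domain account the SQL Server service runs as
foreach ($spn in 'MSSQLSvc/hostname', 'MSSQLSvc/hostname:1433',
                 "MSSQLSvc/$sqlFqdn", "MSSQLSvc/${sqlFqdn}:1433") {
    Register-SpnIfFree -Spn $spn -Account $sqlSvc
}

# Second hop: the IIS computer account must be allowed to delegate the user's
# ticket to SQL Server. Constrained delegation to the MSSQLSvc SPNs only is the
# least-privilege choice; TrustedForDelegation=True means unconstrained delegation
# to any service, which is worth flagging in review.
Import-Module ActiveDirectory
$c = Get-ADComputer $iisHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
"Unconstrained delegation : $($c.TrustedForDelegation)"
"Constrained delegation to: $($c.'msDS-AllowedToDelegateTo' -join ', ')"
```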

Configure SQL Server 2008


Once the Active Directory changes have been performed and replicated to all domain controllers, log on to the SQL server and run the following query:

    select auth_scheme from sys.dm_exec_connections where session_id=@@spid

The above query should return "Kerberos" as the authentication scheme. If you do not see Kerberos, you need to troubleshoot; I will explain how to troubleshoot Kerberos issues in SQL Server in my next post.

Also grant logon access to SQL Server for the computer account of the server where IIS is running; its privileges should not exceed the "public" role. The login name should be domain\iisserver$. You may also need to create logins for the users on the database.
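The query above, run over an Integrated Security connection and checked automatically, as an added example (not from the original post): it warns on anything other than KERBEROS and then summarises every open session by auth scheme and transport so NTLM fallbacks stand out. Run it from a remote domain-joined host (for example the IIS server) against the SQL FQDN over TCP; a local shared-memory connection never uses Kerberos, so running it on the SQL server itself proves nothing. The host name is the post's placeholder.

```powershell
# Added example, not from the original post. Uses the post's placeholder host name;
# run from a remote domain-joined machine as a domain user.
function Get-SqlAuthScheme {
    param([string]$Server = 'hostname.domain.com,1433')
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Server;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # the post's query: the scheme used by this very connection
        $cmd.CommandText = 'select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
        $mine = [string]$cmd.ExecuteScalar()

        # every open session, so an NTLM fallback from the web server is visible
        $cmd.CommandText = @'
select auth_scheme, net_transport, count(*) as sessions
from sys.dm_exec_connections
group by auth_scheme, net_transport
'@
        $rows = @()
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            $rows += '{0,-10} {1,-14} {2}' -f $r['auth_scheme'], $r['net_transport'], $r['sessions']
        }
        $r.Close()
        New-Object PSObject -Property @{ MyScheme = $mine; Sessions = $rows }
    }
    finally { $conn.Close() }
}

$result = Get-SqlAuthScheme
if ($result.MyScheme -ne 'KERBEROS') {
    $msg = "auth_scheme is $($result.MyScheme): check the MSSQLSvc SPNs, AD replication " +
           "and the ticket cache (klist) before testing through the website"
    Write-Warning $msg
}
$result.Sessions

# Login for the web server's machine account, as the post describes (public role only):
#   CREATE LOGIN [domain\iisserver$] FROM WINDOWS;
```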

Perform the test


Before you perform the test, make sure that all the permissions and user logins are in place. Open the website from the client browser. The page should open with your logged-on credentials; check the IIS log to verify that. If you then connect to the database through the website, the SQL log will also show you as logged in and authenticated. This confirms that SSO using Kerberos is working.

Test environments may differ and results may vary, but there are ways to troubleshoot the issue. The document below gives more background on SSO in the double-hop scenario.

References


