K2 blackpearl Product Documentation: Installation and Configuration Guide
Setup Kerberos delegation for IIS 7.0

Configuring Kerberos is an advanced task and should only be performed by an appropriately trained professional. The steps and configurations given in this help file are to be used as a guide - your system may require additional configuration due to different hardware and software compatibilities.

When using Kerberos delegation with websites hosted in IIS 7.0 there are a few things to consider:

  1. Using the machine name and port, or a CNAME host header, as the URL versus using a Host (A) type DNS record for the host header
  2. Whether or not to use Kernel mode authentication (http://blogs.msdn.com/sudeepg/archive/2009/02/08/iis-7-kernel-mode-authentication.aspx)

Kernel mode authentication

Kernel mode authentication allows multiple sub-level applications under one IIS site to run under different application pool identities without requiring duplicate SPNs.

Benefits

Kernel Mode Authentication allows authentication persistence when a request switches from one application pool to another. It re-authenticates only once, the first time a request is made to that application; for all remaining requests the Kernel mode authentication (KA) session is maintained, which is a huge performance gain!

Easier Kerberos delegation configuration

When using CNAME DNS records for sites, you don’t need to create any SPNs under the application pool identity, because the fully qualified domain name (FQDN) or host header you are using for the site resolves to the FQDN of the web server’s NETBIOS name. In IIS 7.0, kernel mode authentication uses the web server computer’s Active Directory account (ComputerName$) to decrypt the service ticket. In other words, by default the application pool identity is no longer used to decrypt the service ticket.

Caveats:

It is not possible to use a CNAME DNS record when pointing to a farm, as your load balancer cannot guarantee that it will always forward the request to the same host.

When using “Host” or “A” type DNS records (that is, an FQDN/host header that does not resolve to the web server’s fully qualified NETBIOS name), an SPN must be added. An SPN must also be added if you are using an application pool identity.

Create SPNs

This step is only necessary in the following circumstances:

  1. When creating a web farm
  2. When the host header used does not resolve to a specific server's FQDN
  3. When delegation is to be forced to run under a specific application pool identity (decryption of service tickets is performed by the application pool identity rather than the system account)

Use the SETSPN.exe tool or the ADSI Edit MMC snap-in to add SPNs.
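As an added worked example (not part of the K2 documentation and not K2's own script), the following PowerShell carries out the SPN step for a site that uses an A-record host header and runs under a domain application pool identity, then sets the matching IIS 7.0 Windows Authentication options so that kernel mode authentication decrypts tickets with that identity rather than ComputerName$. The host header, account and site names are placeholders; `useAppPoolCredentials` is the IIS 7.0 `windowsAuthentication` attribute that switches ticket decryption to the application pool identity (the situation described in item 3 above), and is an assumption of this example rather than something the page names.

```powershell
# Added example (not from the K2 documentation): register SPNs for a host-header
# site running under an application pool identity, then configure IIS 7.0
# Windows Authentication to decrypt tickets with that identity.
# Assumed placeholder values - replace with your own:
$HostHeader  = 'k2web.example.com'      # FQDN in the site URL (A record, not CNAME)
$AppPoolAcct = 'EXAMPLE\svc-k2web'      # domain account used as the app pool identity
$SiteName    = 'K2 Portal'              # IIS site name as shown in IIS Manager
# The FQDN form is required; the NetBIOS short form is commonly registered as well.
$Spns = @("HTTP/$HostHeader", "HTTP/$($HostHeader.Split('.')[0])")

# 1. Make sure none of the SPNs is already registered on another account.
#    A duplicate SPN breaks Kerberos for every host that shares it (clients fall
#    back to NTLM or get KRB_AP_ERR_MODIFIED), so stop before changing anything.
foreach ($spn in $Spns) {
    $query = & setspn.exe -Q $spn
    if ($query -match 'Existing SPN found') {
        throw "SPN $spn is already registered:`n$($query -join "`n")"
    }
}

# 2. Register the SPNs against the application pool account.
#    -S re-checks for duplicates before adding (preferred over -A on Server 2008+).
foreach ($spn in $Spns) {
    & setspn.exe -S $spn $AppPoolAcct
}

# 3. Show what is now registered for the account so the change can be reviewed.
& setspn.exe -L $AppPoolAcct

# 4. Keep kernel mode authentication on, but have IIS use the application pool
#    identity (and therefore the SPNs above) to decrypt the service ticket.
#    Without useAppPoolCredentials, kernel mode decrypts with ComputerName$ and
#    the SPNs registered in step 2 are never consulted.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set config "$SiteName" `
    -section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:"True" /useKernelMode:"True" /useAppPoolCredentials:"True" `
    /commit:apphost

# 5. Forest-wide scan for duplicate SPNs after the change; any output here
#    means a conflict that must be resolved before delegation will work.
& setspn.exe -X
```

Run this from an elevated PowerShell prompt on the web server, using an account that is allowed to write the servicePrincipalName attribute of the application pool account (a Domain Admin or an account delegated "Validated write to service principal name"). The duplicate check in step 1 is deliberate: `setspn -S` also refuses to add a duplicate, but checking first keeps the script from half-completing when only one of the two SPNs conflicts.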
While infrastructure changes are required by K2, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes.

K2 blackpearl Product Documentation: Installation and Configuration Guide 4.6.10