How to enable IIS to use Kerberos authentication on a computer that is not a domain controller (326089)
The information in this article applies to:

  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 5.0

This article was previously published under Q326089

SUMMARY

This step-by-step article describes how to enable Internet Information Services (IIS) to use Kerberos authentication on a computer that is not a domain controller. By default, domain controllers use Kerberos for many of the security functions in Active Directory domains. IIS member servers, however, are not enabled by default to communicate by using the faster, more secure Kerberos protocol.


Enable delegation on domain controllers

  1. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Under Computers Organizational Unit, click to select the name of the IIS server.
  3. Right-click the server name, and then click Properties to open the computer properties for the IIS computer.
  4. On the General tab, click to select Trust Computer for Delegation, and then click Apply.
NOTE: Enabling your IIS server for delegation introduces possible security concerns, as noted in the warning on the General tab. Delegation permits services that run in the context of the system account to request information from remote services. This works because Kerberos is a mutual authentication protocol, that is, it verifies both the client and the server credentials.


Test FQDN name resolution on IIS

For Kerberos to work, all communication must use a fully qualified domain name (FQDN). To make sure that IIS can be reached with an FQDN, follow these steps:
  1. On the domain controller, open a command prompt. To do this, click Start, click Run, type CMD, and then click OK.
  2. At the command prompt, type ping fqdn, and then press ENTER. For example:

    ping webserver01.mydomain.ms.local

    If the operation is successful, ping reports that all 5 attempts received a reply from the server.

    If these steps do not work (that is, if the ping operation is unsuccessful), use the articles that are listed in the "References" section to troubleshoot network Domain Name System (DNS) issues. For Kerberos to work as designed, DNS resolution must be working correctly on your network.
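The two checks this article walks through, the delegation setting on the IIS computer account and FQDN name resolution, can be verified in one pass from the domain controller. The following PowerShell script is an added example, not part of the original article; it assumes a domain-joined host, a domain user account that can read Active Directory, and uses the article's example FQDN as a placeholder.

```powershell
# Added example (not from KB 326089): verify the prerequisites the article describes.
# Assumed: run on a domain-joined Windows host with PowerShell 2.0 or later.
param(
    [string]$IisFqdn = 'webserver01.mydomain.ms.local'   # placeholder FQDN from the article
)

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit set by "Trust computer for delegation"
$hostName = $IisFqdn.Split('.')[0]

# 1. Forward and reverse DNS. Kerberos names the service ticket after the FQDN the
#    client resolves, so forward and reverse lookups must agree.
try {
    $entry = [System.Net.Dns]::GetHostEntry($IisFqdn)
    $addr  = $entry.AddressList[0].ToString()
    $rev   = [System.Net.Dns]::GetHostEntry($addr).HostName
    Write-Host "Forward: $IisFqdn -> $addr"
    Write-Host "Reverse: $addr -> $rev"
    if ($rev -ne $IisFqdn) { Write-Warning "Reverse lookup does not return the FQDN; check the PTR record." }
} catch {
    Write-Warning "DNS lookup for $IisFqdn failed: $($_.Exception.Message)"
}

# 2. Reachability, the equivalent of the article's 'ping fqdn' step.
if (Test-Connection -ComputerName $IisFqdn -Count 4 -Quiet) {
    Write-Host "Ping to $IisFqdn succeeded."
} else {
    Write-Warning "Ping to $IisFqdn failed; troubleshoot DNS and connectivity first."
}

# 3. Delegation flag on the computer account, read over LDAP with ADSI.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$hostName`$))"
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
$result = $searcher.FindOne()
if ($null -eq $result) {
    Write-Warning "No computer account named $hostName was found in the domain."
} else {
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        Write-Host "$hostName is trusted for delegation (userAccountControl 0x$($uac.ToString('X')))."
    } else {
        Write-Warning "$hostName is NOT trusted for delegation; set it on the General tab as described above."
    }
}
```

If the script reports a DNS or ping failure, fix that before revisiting the delegation setting, since Kerberos cannot issue a service ticket for a name that does not resolve.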

REFERENCES

For additional information about DNS troubleshooting, click the following article numbers to view the articles in the Microsoft Knowledge Base:

300986 How to diagnose and test TCP/IP or NetBIOS network connections in Windows 2000

316341 How to troubleshoot DNS name resolution on the Internet in Windows 2000

For additional information about Kerberos, click the following article numbers to view the articles in the Microsoft Knowledge Base:

287537 Using basic authentication to generate Kerberos tokens

283201 How to use delegation in Windows 2000 with COM+

266080 Answers to frequently asked Kerberos questions

282189 Error 0x800706D5 from ASP when calling OOP component with delegation security level

314404 How to use Kerberos with the ServerXMLHTTP component in MSXML


Modification Type: Major
Last Reviewed: 3/16/2005
Keywords: kbHOWTOmaster KB326089