Subject: How to configure IIS to support Kerberos protocol for Single Sign-On (SSO)
Author: SteveHB
Posted on: 06/01/2006 07:44:59 PM
IIS passes the Negotiate security header when Integrated Windows authentication is used to authenticate client requests. The Negotiate security header lets clients select between Kerberos authentication and NTLM authentication. The Negotiate process selects Kerberos authentication unless one of the following conditions is true:
One of the systems that is involved in the authentication cannot use Kerberos authentication.
The calling application does not provide sufficient information to use Kerberos authentication.
To enable the Negotiate process to select the Kerberos protocol for network authentication, the client application must provide a service principal name (SPN), a user principal name (UPN), or a NetBIOS account name as the target name. Otherwise, the Negotiate process always selects the NTLM protocol as the preferred authentication method.
Essentially, you do not need to do anything for IIS to support the Kerberos protocol for network authentication, for the following reasons:
By default, the NTAuthenticationProviders metabase property is not defined when you install IIS 6.0. IIS 6.0 uses the value "Negotiate,NTLM" when the NTAuthenticationProviders metabase property is not defined. Therefore, you do not have to configure IIS to use the "Negotiate,NTLM" property value unless the default value has been overwritten.
By default, the NTAuthenticationProviders metabase property is defined when you install IIS 5.1 and IIS 5.0, and it is set to the value "Negotiate,NTLM". Therefore, you do not have to configure IIS to use the "Negotiate,NTLM" property value unless the default value has been overwritten.
To make sure that IIS is using the Kerberos protocol or the NTLM protocol, open the Internet Services Manager by selecting Start -> Programs -> Administrative Tools -> Internet Services Manager. Select the Web site you wish to configure, right-click it and select Properties from the context menu. Click the Directory Security tab and then the Edit button in the "Anonymous access and authentication control" section. This brings up the Authentication Methods dialog. On this dialog, confirm that Integrated Windows Authentication is checked, which is the default setting.
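The checkbox above only confirms that IIS offers the Negotiate header; it does not tell you whether a given client actually ended up using Kerberos or fell back to NTLM (the selection described at the top of this post). The added example below, which is not part of the original post, inspects the token a client sends in its Authorization header and reports the negotiated mechanism: a raw NTLMSSP message, or a SPNEGO NegTokenInit whose first listed mechanism OID is Kerberos or NTLMSSP (RFC 4178). It also models the NTAuthenticationProviders default from the post. The sample tokens are constructed in the script; the Kerberos sample uses filler bytes where a real token carries a KRB_AP_REQ.

```python
"""Classify captured HTTP Authorization headers as Kerberos or NTLM.

Added example, not from the original post. Sample tokens are constructed
below; real Kerberos tokens carry a KRB_AP_REQ where this uses filler.
"""
import base64

# DER-encoded OID contents (without the 0x06 tag and length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID   = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (MS Kerberos)
NTLM_OID   = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

MECHANISMS = [("kerberos", KRB5_OID), ("kerberos", MSKRB5_OID), ("ntlm", NTLM_OID)]

# Value IIS 6.0 uses when NTAuthenticationProviders is not defined (from the post)
IIS6_DEFAULT_PROVIDERS = "Negotiate,NTLM"


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def spnego_init_token(mech_oids, mech_token: bytes) -> bytes:
    """Build a SPNEGO NegTokenInit (RFC 4178) inside a GSS-API
    InitialContextToken. Used here only to construct sample input."""
    mech_types = der(0x30, b"".join(der(0x06, o) for o in mech_oids))   # [0] mechTypes
    neg_token_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_token_init))


def classify_authorization(header_value: str) -> str:
    """Return 'kerberos', 'ntlm', 'spnego-other', 'unknown' or 'malformed'
    for one Authorization header value such as 'Negotiate YIIB...'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "malformed"
    # Raw NTLMSSP messages start with the signature "NTLMSSP\0"; IIS accepts
    # them under both the NTLM and the Negotiate scheme.
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # A SPNEGO token is APPLICATION 0 (0x60) followed by the SPNEGO OID.
    if scheme.lower() != "negotiate" or not token.startswith(b"\x60"):
        return "unknown"
    if der(0x06, SPNEGO_OID) not in token[:16]:
        return "unknown"
    # RFC 4178: the first OID in mechTypes is the client's preferred mechanism
    # and mechToken belongs to it, so the earliest recognised OID decides.
    best = None
    for name, oid in MECHANISMS:
        pos = token.find(der(0x06, oid))
        if pos >= 0 and (best is None or pos < best[0]):
            best = (pos, name)
    return best[1] if best else "spnego-other"


def kerberos_possible(nt_authentication_providers) -> bool:
    """True when the effective NTAuthenticationProviders value offers Negotiate.
    None models the IIS 6.0 'property not defined' case from the post."""
    value = nt_authentication_providers or IIS6_DEFAULT_PROVIDERS
    providers = [p.strip().lower() for p in value.split(",")]
    return "negotiate" in providers


def _b64(token: bytes) -> str:
    return base64.b64encode(token).decode("ascii")


# Constructed sample header values (not captured from a real server).
SAMPLE_HEADERS = {
    "kerberos-client": "Negotiate " + _b64(spnego_init_token([KRB5_OID, NTLM_OID], b"<constructed AP-REQ>")),
    "ntlm-in-spnego":  "Negotiate " + _b64(spnego_init_token([NTLM_OID], b"NTLMSSP\x00\x01\x00\x00\x00")),
    "raw-ntlm":        "NTLM " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)),
    "basic":           "Basic " + _b64(b"user:pass"),
}


def report(headers=SAMPLE_HEADERS):
    """Map each sample name to the mechanism the client negotiated."""
    return {name: classify_authorization(value) for name, value in headers.items()}


if __name__ == "__main__":
    print("Negotiate offered with IIS 6.0 default:", kerberos_possible(None))
    for name, label in report().items():
        print(f"{name:16} -> {label}")
```

Run it against header values pulled from a trace of the client request; a client that the post says should be picking Kerberos but reports `ntlm` here usually hit one of the two fallback conditions listed above (a party that cannot use Kerberos, or no SPN/UPN/NetBIOS target name supplied).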