Wednesday 24 November 2010

Troubleshooting Kerberos Delegation

Historically, there has been two things I have used when troubleshooting Kerberos delegation issues:

The other day I found a fantastic tool called “DelegConfig” which appears to have been authored by a Microsoft Support engineer. The tool allows you to set-up a web application which will diagnose your Kerberos configuration. This means it’s only really relevant for troubleshooting Kerberos delegation under IIS but I cannot recommend it enough. More information here.

There appears to be a “DelegConfig v2 (beta)” but I have not tested it. More information here, it appears to better support IIS 7.0.

When configuring DelegConfig, remember to set the AppPool running the DelegConfig web application to the same account as the one you want to use to perform the delegation.

Kerberos Delegation with IIS 7.0

Under IIS 7.0 you need to watch out for “Kernel Mode Authentication”, there is a very good post on the subject here.

To change your settings as per the above link, you need to change the values in the “applicationHost.config” file (you cannot set the value in your application’s web.config as that configuration section is locked. You can find the file here:

%systemdrive%\Windows\System32\inetsrv\config\applicationHost.config

You might also want to disable the loopback check.


0 comments:

About Me