How to configure IAG KCD in Load Balancing Architectures (IIS 6.0 / 7.0)
Created by forefrontsupport on 10/13/2010 9:39:10 PM

Before you begin
So what is the problem with Kerberos Constrained Delegation (KCD) in load balancing architectures, and how are we going to solve it?
When ISA/IAG requests a Kerberos ticket on behalf of the client and presents it to the back-end web server, it must be configured as trusted for delegation to the back-end server for a specific service, and that server must have a UNIQUE SPN (Service Principal Name) for that service, so that the KDC (Key Distribution Center) can issue the Kerberos ticket and send it to the ISA/IAG server.
When there is ONE virtual hostname in front of two web servers (load balancing scenarios) you cannot assign the same SPN to both web servers: every SPN must be UNIQUE.
Read this article to learn how to solve this issue in both IIS 6.0 and IIS 7.0 architectures.
Important to know!
- I will cover the Active Directory and web server configuration sides, and the IAG configuration side at a high level
- In the IIS 7.0 configuration section I'm using the TSWeb 2008 architecture
- In the IIS 6.0 configuration section I'm using my own web program, which displays the identity of the original client that performed the authentication
Prerequisites
- I assume that you have already installed IAG and configured a trunk and an application using KCD
- I recommend installing ADSIEDIT on the Active Directory machine
Configuration Procedures
Conceptual high level architecture
The following diagram maps the attributes that implement the solution to the KCD load balancing problem: the SPN and msDS-AllowedToDelegateTo

Flow Diagram – ISA / IAG KCD (with Smart Card) in Load Balancing Architecture

Active Directory Configuration Procedures
- Create a service account in Active Directory (choose a strong password)
- I called my service account svcIIS
- This account needs to be a member of "Domain Users" only

Add the SPN "http/nlbiis.lab.iagserver.org" to the service account svcIIS. I prefer using ADSIEDIT, but if you are not familiar with this tool, download setspn.exe and use it with the following syntax:
setspn -A http/nlbiis.lab.iagserver.org LAB\svcIIS

Configure the IAG computer account in Active Directory as trusted for delegation to the svcIIS service account, and choose the SPN "http/nlbiis.lab.iagserver.org"

Configure the svcIIS service account in Active Directory as trusted for delegation to WEB01.lab.iagserver.org, choosing the SPN "http/WEB01.lab.iagserver.org", and to WEB02.lab.iagserver.org, choosing the SPN "http/WEB02.lab.iagserver.org".
Using ADSIEDIT, go to the svcIIS account, find the attribute "msDS-AllowedToDelegateTo" and add the SPNs shown in the following print screen
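The delegation chain above has two hops (IAG computer account -> svcIIS via the virtual SPN, svcIIS -> WEB01/WEB02 via the real SPNs), and the whole thing breaks if the virtual SPN ends up registered on more than one account. The following PowerShell is an added example, not part of the original article: it checks the chain against a set of SPN registrations and msDS-AllowedToDelegateTo values. The values are constructed sample data modelled on the lab in this article (LAB domain, svcIIS, WEB01/WEB02, nlbiis.lab.iagserver.org); the IAG computer account name "IAG01$" is an assumption. On a live domain you would fill the two tables from `setspn -L <account>` or ADSIEDIT, and `setspn -X` gives you the forest-wide duplicate search directly.

```powershell
# Added example (not from the original article). Offline consistency checks for
# the KCD load-balancing chain. All values are constructed sample data; "IAG01$"
# (the IAG computer account) is an assumption.

# servicePrincipalName per account. The virtual name must live on ONE account only.
$SpnByAccount = @{
    'LAB\svcIIS' = @('http/nlbiis.lab.iagserver.org')
    'LAB\WEB01$' = @('HOST/WEB01.lab.iagserver.org', 'http/WEB01.lab.iagserver.org')
    'LAB\WEB02$' = @('HOST/WEB02.lab.iagserver.org', 'http/WEB02.lab.iagserver.org')
}

# msDS-AllowedToDelegateTo per delegating account:
# gateway -> virtual SPN, service account -> the real back-end SPNs.
$DelegateTo = @{
    'LAB\IAG01$' = @('http/nlbiis.lab.iagserver.org')
    'LAB\svcIIS' = @('http/WEB01.lab.iagserver.org', 'http/WEB02.lab.iagserver.org')
}

function Find-DuplicateSpn {
    # Returns every SPN registered on more than one account (case-insensitive).
    # A duplicate SPN is exactly the failure the article describes: the KDC
    # cannot choose a key for the service ticket.
    param([hashtable]$Registrations)
    $owners = @{}
    foreach ($account in $Registrations.Keys) {
        foreach ($spn in $Registrations[$account]) {
            $key = $spn.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $account
        }
    }
    foreach ($key in $owners.Keys) {
        if ($owners[$key].Count -gt 1) {
            [pscustomobject]@{ Spn = $key; Accounts = ($owners[$key] -join ', ') }
        }
    }
}

function Test-KcdChain {
    # One result object per check of the two-hop delegation chain.
    param(
        [hashtable]$Registrations, [hashtable]$Delegation,
        [string]$Gateway, [string]$ServiceAccount,
        [string]$VirtualSpn, [string[]]$BackendSpns
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Name, [bool]$Pass) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass })
    }

    Add-Result 'Virtual SPN registered on the service account' `
        ($Registrations[$ServiceAccount] -contains $VirtualSpn)
    Add-Result 'No duplicate SPNs' `
        (@(Find-DuplicateSpn $Registrations).Count -eq 0)
    Add-Result 'Gateway may delegate to the virtual SPN' `
        ($Delegation[$Gateway] -contains $VirtualSpn)
    foreach ($spn in $BackendSpns) {
        $registered = $false
        foreach ($acct in $Registrations.Keys) {
            if ($Registrations[$acct] -contains $spn) { $registered = $true }
        }
        Add-Result "Back-end SPN $spn registered" $registered
        Add-Result "Service account may delegate to $spn" `
            ($Delegation[$ServiceAccount] -contains $spn)
    }
    return $results
}

$checks = Test-KcdChain -Registrations $SpnByAccount -Delegation $DelegateTo `
    -Gateway 'LAB\IAG01$' -ServiceAccount 'LAB\svcIIS' `
    -VirtualSpn 'http/nlbiis.lab.iagserver.org' `
    -BackendSpns @('http/WEB01.lab.iagserver.org', 'http/WEB02.lab.iagserver.org')
$checks | Format-Table -AutoSize

# Live lookup on a domain-joined host (needs read access to the attributes):
# $s = [adsisearcher]'(sAMAccountName=svcIIS)'
# $s.PropertiesToLoad.AddRange([string[]]@('servicePrincipalName', 'msDS-AllowedToDelegateTo'))
# $r = $s.FindOne()
# $r.Properties['serviceprincipalname']; $r.Properties['msds-allowedtodelegateto']
```

Every check should report Pass = True for the sample data. To see the load balancing problem reproduced, add 'http/nlbiis.lab.iagserver.org' to the WEB01$ or WEB02$ entry and the duplicate check fails, which is the state you end up in if the virtual name is registered on the web servers themselves instead of on svcIIS.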

IIS 6.0 Configuration Procedures
Add the account to the local group "IIS_WPG" on the IIS server; this group has the user right "Impersonate a client after authentication"

- Open the IIS Manager on the back-end IIS server (Start->Run->inetmgr.msc)
- Navigate to the Application Pools
- Right click on the relevant Application Pool
- Navigate to the "Identity" Tab
- Change the identity of the Application Pool to the service account we created (svcIIS)
- Choose "OK"

Navigate to the relevant Site/Virtual Directory, right click -> Properties -> Directory Security -> Authentication and access control -> Edit. Make sure you are using Integrated Windows Authentication (IWA)

This is not relevant to KCD and load balancing, but if you want IIS to impersonate the user and forward that identity to the application (my code below), you need to configure this in the web.config

The following print screen illustrates the test page I wrote; I used the WindowsIdentity class and its GetCurrent method to print the original authenticated client

This is the code I wrote; you can use it to verify that IAG forwards the original user's credentials

IIS 7.0 Configuration Procedures
- Create a service account in Active Directory (choose a strong password)
- I called my service account svcIIS
- This account needs to be a member of "Domain Users" only

- Open the IIS Manager on the back-end IIS server (Start->Run->inetmgr.msc)
- Navigate to the Application Pools
- Right click on the relevant Application Pool and choose "Advanced Settings"

- Change the identity of the Application Pool to the service account we created (svcIIS)

- Click OK
Verify the Application Pool identity after you change it

Navigate to the relevant Site/Virtual Directory, choose the "Authentication" icon.

Make sure ONLY "Windows Authentication" is enabled

Navigate to C:\Windows\System32\inetsrv\config and open the file "applicationHost.config"

Add the following: useAppPoolCredentials="true" (this is for the TSWeb scenario)
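The reason this attribute matters: with a domain account as the application pool identity, the service ticket the IAG presents is encrypted with svcIIS's key (that is where the http/nlbiis SPN lives), while IIS 7.0 kernel-mode authentication decrypts with the machine account's key unless useAppPoolCredentials tells it to use the pool identity instead. The PowerShell below is an added example, not part of the original article or of IIS: it parses an applicationHost.config and reports whether the pool identity, the authentication modules and useAppPoolCredentials are set the way this section requires. The configuration text is a constructed sample (the pool name "TSWebPool" and the "/ts" application path are assumptions; the password is a placeholder); to check a real server, read the file from C:\Windows\System32\inetsrv\config instead.

```powershell
# Added example (not from the original article or from IIS). Verifies the
# IIS 7.0 settings needed for KCD with a domain app-pool identity against a
# constructed applicationHost.config sample. Pool name, application path and
# the password placeholder are assumptions.

$SampleConfig = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="TSWebPool">
        <processModel identityType="SpecificUser" userName="LAB\svcIIS" password="PLACEHOLDER" />
      </add>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/ts" applicationPool="TSWebPool">
          <virtualDirectory path="/" physicalPath="C:\Windows\Web\ts" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
  <location path="Default Web Site/ts">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Test-IisKcdSettings {
    # Returns one Check/Pass object per requirement for the given location.
    param([string]$ConfigXml, [string]$LocationPath, [string]$ServiceAccount)
    $doc = [xml]$ConfigXml
    $results = @()

    # 1. Find the pool serving the location and confirm it runs as svcIIS.
    $siteName, $appPath = $LocationPath -split '/', 2
    $app = $doc.SelectSingleNode(
        "/configuration/system.applicationHost/sites/site[@name='$siteName']/application[@path='/$appPath']")
    $poolName = if ($app) { $app.GetAttribute('applicationPool') } else { '' }
    $pm = $doc.SelectSingleNode(
        "/configuration/system.applicationHost/applicationPools/add[@name='$poolName']/processModel")
    $results += [pscustomobject]@{
        Check = "App pool '$poolName' runs as $ServiceAccount"
        Pass  = ($pm -ne $null -and $pm.GetAttribute('identityType') -eq 'SpecificUser' -and
                 $pm.GetAttribute('userName') -eq $ServiceAccount)
    }

    # 2. Authentication modules scoped to the location: only Windows auth on.
    $auth = $doc.SelectSingleNode(
        "/configuration/location[@path='$LocationPath']/system.webServer/security/authentication")
    $win  = if ($auth) { $auth.SelectSingleNode('windowsAuthentication') } else { $null }
    $anon = if ($auth) { $auth.SelectSingleNode('anonymousAuthentication') } else { $null }
    $results += [pscustomobject]@{
        Check = 'Windows Authentication enabled'
        Pass  = ($win -ne $null -and $win.GetAttribute('enabled') -eq 'true')
    }
    $results += [pscustomobject]@{
        Check = 'Anonymous Authentication disabled'
        Pass  = ($anon -ne $null -and $anon.GetAttribute('enabled') -eq 'false')
    }
    # 3. Without this, kernel-mode auth uses the machine account key, which does
    #    not hold the http/nlbiis SPN, and Kerberos from the IAG fails.
    $results += [pscustomobject]@{
        Check = 'useAppPoolCredentials="true" on windowsAuthentication'
        Pass  = ($win -ne $null -and $win.GetAttribute('useAppPoolCredentials') -eq 'true')
    }
    return $results
}

Test-IisKcdSettings -ConfigXml $SampleConfig -LocationPath 'Default Web Site/ts' `
    -ServiceAccount 'LAB\svcIIS' | Format-Table -AutoSize
```

All four checks pass for the sample. Removing the useAppPoolCredentials attribute, or switching the pool back to a built-in identity, flips the corresponding check to False, which is the quickest way to confirm the script is looking at the right node before you run it against a real file.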

Verify in the IIS logs that you see the original user
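The cs-username column in the W3C log is the end-to-end test of the whole setup: if KCD works, each authenticated request carries the original user; if you see the service account there, the gateway is authenticating as itself rather than delegating, and "-" means the request never authenticated. The PowerShell below is an added example, not part of the original article: it parses W3C log lines using the #Fields header and classifies each request accordingly. The three log lines are constructed sample data (user LAB\alice, client address 10.0.0.5 and server address 10.0.0.21 are assumptions); to check a real server, read the lines from its %SystemDrive%\inetpub\logs\LogFiles\W3SVC<id>\ directory.

```powershell
# Added example (not from the original article). Classifies the identity seen
# by the back-end IIS in W3C log lines. The log content is constructed sample
# data; user, addresses and the URI are assumptions.

$SampleLogText = @'
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2010-10-13 21:39:10
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-10-13 21:39:10 10.0.0.21 GET /ts/default.aspx - 80 LAB\alice 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0
2010-10-13 21:39:11 10.0.0.21 GET /ts/default.aspx - 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5
2010-10-13 21:39:12 10.0.0.21 GET /ts/default.aspx - 80 LAB\svcIIS 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0
'@
$SampleLog = $SampleLogText -split "`r?`n"

function Get-Column([string[]]$Cols, [hashtable]$Index, [string]$Name) {
    # Safe field lookup: $null when the field is absent from the #Fields header.
    if ($Index.ContainsKey($Name) -and $Index[$Name] -lt $Cols.Count) { $Cols[$Index[$Name]] } else { $null }
}

function Get-DelegatedIdentity {
    # For each request, reports whether cs-username is the original user (what
    # KCD should produce), the app-pool service account (no delegation of the
    # client identity), or "-" (unauthenticated, e.g. the 401 challenge).
    param([string[]]$Lines, [string]$ServiceAccount)
    $idx = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # W3C logs put the column layout in the header; spaces inside
            # values (User-Agent) are written as '+', so splitting on whitespace is safe.
            $names = $line.Substring(8).Trim() -split '\s+'
            $idx = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($null -eq $idx -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line.Trim() -split '\s+'
        $user = Get-Column $cols $idx 'cs-username'
        $kind = if ($user -eq '-') { 'Anonymous' }
                elseif ($user -eq $ServiceAccount) { 'ServiceAccount' }
                else { 'OriginalUser' }
        [pscustomobject]@{
            Time     = "$(Get-Column $cols $idx 'date') $(Get-Column $cols $idx 'time')"
            ClientIp = Get-Column $cols $idx 'c-ip'
            Uri      = Get-Column $cols $idx 'cs-uri-stem'
            Status   = Get-Column $cols $idx 'sc-status'
            User     = $user
            Identity = $kind
        }
    }
}

$rows = Get-DelegatedIdentity -Lines $SampleLog -ServiceAccount 'LAB\svcIIS'
$rows | Format-Table -AutoSize

# KCD is healthy only when successful requests carry the original user.
$rows | Where-Object { $_.Status -eq '200' } | Group-Object Identity | Select-Object Name, Count
```

For the sample input the first request is classified OriginalUser, the second Anonymous and the third ServiceAccount. On a real server, any ServiceAccount rows among the 200s are the thing to investigate first (usually the SPN or the delegation entries from the Active Directory section), since the back-end application is then authorizing the pool identity rather than the user.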


IAG (High Level) Configuration Procedures
Important!!! On the IAG server you must configure the FQDN "NLBIIS.IAGserver.ORG" on the "Web Servers" tab

Important!!! On the IAG server you must configure the FQDN "NLBIIS.IAGserver.ORG" on the "Portal Link" tab

Before IAG SP2 you need to configure the SPN in the ISA server rules, on the "Authentication Delegation" tab. Important!!! You must configure the SPN "http/NLBIIS.IAGserver.ORG", identical to the FQDN

In IAG SP2 you need to configure the SPN on the IAG "Web Settings" tab. Important!!! You must configure the SPN "http/NLBIIS.IAGserver.ORG", identical to the FQDN

If you have any issues with this configuration, please post them in our Technical Forums at the following link: http://Forums.ForefrontSecurity.ORG
