How to Set Up Kerberos for an IIS Website with Domain Trust Issues?

0
8
Asked By TechGuru428 On

I need some guidance on setting up Kerberos for my IIS website. Here's the setup I'm working with: I have a website hosted on a Windows server that connects to an Oracle database in the background. Users from domain X access this site, which is hosted in domain Z. Domain Z trusts domain X, but not the other way around. I'm trying to configure Kerberos authentication instead of NTLM for this setup. I've followed a guide for setting it up, but I'm unsure whether the service account should be created in domain Z or domain X. Also, what are the best strategies for troubleshooting Kerberos access issues?

2 Answers

Answered By TroubleshooterJoe On

For troubleshooting, you should run the command 'klist' on a client machine after trying to authenticate. This will show you what tickets were requested or issued. Don't forget to check the Kerberos event logs for Event ID 4771 on your domain controllers. It's also essential to verify the Service Principal Name (SPN) with 'setspn -l' for the service account, especially since the load balancer introduces some complexity. The SPN must correspond to what clients use in their browser, not just the internal server name.

Answered By CuriousAdmin93 On

Have you considered whether you can establish a two-way trust? Generally speaking, the service account for IIS should ideally be in the same domain as the IIS server. One major difference to note is that NTLM can handle one-way trusts, while Kerberos might require more configurations. It's possible to make it work, but it won't be straightforward.

NetworkNinja77 -

That's a great point! I'm curious how IAKerb and LocalKDC would factor into this as well.

Related Questions

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.