Kerberos Configuration Manager for IIS
Many of us find troubleshooting Kerberos quite a tedious task since it involves multiple levels of troubleshooting. Today, in order to configure Kerberos on an IIS server, we need to go through a set of steps that is time-consuming and highly complex.
Why is Kerberos painful at times?
To address these issues, I have created the “Kerberos Configuration Manager for IIS”. This tool configures single-hop Kerberos on any site on IIS by reading and modifying the configuration files. This reduces the time spent. This tool allows one to do the following tasks:
Let’s see what exactly happens “Under the Hood”:
At a high level, the steps below need to be followed to configure Kerberos for a website:
On IIS Server:
On Domain Controller:
On Client Browser (Internet Explorer):
You can find more information regarding the configuration of Kerberos in the blogs below:
Now just imagine if we could automate the above process through a nifty application that helps us troubleshoot/configure Kerberos in just a few minutes. Is it possible? The good news is that NOW IT IS POSSIBLE.
I have developed a simple troubleshooter, “Kerberos Configuration Manager for IIS”, which allows one to do the following tasks:
Review the current settings related to Kerberos for any specific website in IIS.
Configures Kerberos for the affected website:
  a. Disables Anonymous authentication if enabled
  b. Disables Basic authentication if enabled
  c. Disables Digest authentication if enabled
  d. Disables ASP.NET Impersonation if enabled
  e. Enables Windows authentication if disabled
     i. Once the above is enabled, checks whether Negotiate has priority among the providers. If not, Negotiate is moved to the top
  f. Based on the application pool credentials,
     i. Either enables or disables useAppPoolCredentials
     ii. Either enables or disables useKernelMode
  g. Based on the application pool identity,
     i. Checks for the existing SPNs for that identity and displays them
     ii. Displays the necessary SPNs required for Kerberos to work
  h. Generates the script for setting the required SPNs in the same directory
It also has a provision to revert the changes made just in case there is a requirement.
It also supports auditing through a log file that captures the details below:
  a. Logged-in user who used the tool and made changes
  b. Timestamp when the changes were made
  c. Review, Configure and Revert logs (all settings which were added/modified)
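The review checks listed above can be run offline against an exported applicationHost.config. The following is an added example, not the tool's own code: it reports which of the listed settings a site violates and which HTTP SPNs its bindings call for. Assumptions: the site "Intranet", the account CONTOSO\svc-web and the machine account WEB01$ are constructed; the useAppPoolCredentials rule is the commonly documented one and may differ from the tool's logic; inherited server-level values are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed applicationHost.config for a hypothetical site "Intranet".
SAMPLE = """<configuration><system.applicationHost>
 <applicationPools><add name="IntranetPool">
  <processModel identityType="SpecificUser" userName="CONTOSO\\svc-web"/></add></applicationPools>
 <sites><site name="Intranet">
  <application path="/" applicationPool="IntranetPool"/>
  <bindings><binding protocol="http" bindingInformation="*:80:intranet.contoso.example"/></bindings>
 </site></sites></system.applicationHost>
 <location path="Intranet"><system.webServer><security><authentication>
  <anonymousAuthentication enabled="true"/>
  <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="false">
   <providers><add value="NTLM"/><add value="Negotiate"/></providers>
  </windowsAuthentication>
 </authentication></security></system.webServer></location></configuration>"""

def review(config_xml, site, machine="WEB01$"):
    """Return (findings, spn_account, spns); absent elements are read as disabled."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site), None)
    auth = None if loc is None else loc.find("system.webServer/security/authentication")
    node = next((s for s in root.iter("site") if s.get("name") == site), None)
    if auth is None or node is None:
        raise ValueError(f"site {site!r} not found in configuration")
    def on(tag, attr="enabled", default="false"):
        el = auth.find(tag)
        return (default if el is None else el.get(attr, default)).lower() == "true"
    findings = [f"{s} authentication is enabled"
                for s in ("anonymous", "basic", "digest") if on(s + "Authentication")]
    if not on("windowsAuthentication"):
        findings.append("Windows authentication is disabled")
    providers = [p.get("value") for p in auth.findall("windowsAuthentication/providers/add")]
    if providers and providers[0] != "Negotiate":
        findings.append("Negotiate is not the first provider")
    # The root application's pool identity decides which account must hold the SPNs.
    pool = next((a.get("applicationPool") for a in node.iter("application")
                 if a.get("path") == "/"), None)
    pm = {a.get("name"): a.find("processModel")
          for a in root.findall(".//applicationPools/add")}.get(pool)
    custom = pm is not None and pm.get("identityType") == "SpecificUser"
    account = pm.get("userName") if custom else machine
    # Assumed rule: kernel mode decrypts tickets with the machine key, so a custom
    # account needs useAppPoolCredentials (or kernel mode switched off).
    if (custom and on("windowsAuthentication", "useKernelMode", "true")
            and not on("windowsAuthentication", "useAppPoolCredentials")):
        findings.append("custom pool identity without useAppPoolCredentials")
    hosts = [b.get("bindingInformation").rsplit(":", 1)[-1] for b in node.iter("binding")]
    return findings, account, sorted({f"HTTP/{h or machine.rstrip('$')}" for h in hosts})
```

Calling `review(SAMPLE, "Intranet")` returns the findings for the constructed site together with the account and SPN list to compare against what is registered in the directory.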
The good news is that we have released the Kerberos Configuration Manager v2.0, which also supports reviewing and configuring Kerberos pass-through authentication (Kerberos Double Hop).
What's new in Kerberos Configuration Manager v2.0?
Why should I use the tool?
Where do I get it from and how do I use it?
The tool can be downloaded from the open-source GitHub repo:
Latest release: https://github.com/SurajDixit/KerberosConfigMgrIIS/releases/download/v2.1/KerberosConfigMgrIIS.exe
All releases: https://github.com/SurajDixit/KerberosConfigMgrIIS/releases
The GUI has a fairly simple layout with the options to Review, Configure, Generate Script and Revert the Kerberos-related configuration settings.
Instructions for use: