Microsoft KB Archive/326089

= How to enable IIS to use Kerberos authentication on a computer that is not a domain controller =

Article ID: 326089

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q326089



IN THIS TASK
SUMMARY
 * Enable delegation on domain controllers
 * Test FQDN name resolution on IIS

REFERENCES



SUMMARY
This step-by-step article describes how to enable Internet Information Services (IIS) to use Kerberos authentication on a computer that is not a domain controller. By default, domain controllers are trusted for delegation and use Kerberos for many of the security functions in an Active Directory domain. A member server that runs IIS is not trusted for delegation by default, so it cannot use Kerberos, which is faster and more secure than NTLM, to pass an authenticated client's identity on to other servers.


Enable delegation on domain controllers

 * 1) Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
 * 2) In the Computers container (or in the organizational unit that holds the computer account of the IIS server), click to select the name of the IIS server.
 * 3) Right-click the server name, and then click Properties to open the computer properties for the IIS computer.
 * 4) On the General tab, click to select Trust Computer for Delegation, and then click Apply.

NOTE: Enabling your IIS server for delegation does introduce security concerns, as noted in the warning on the General tab. This setting is unconstrained delegation: it permits services that run in the context of the Local System account on the IIS server to use the Kerberos credentials of any client that authenticates to them and to request resources from any remote service on that client's behalf. Delegation builds on the mutual authentication that Kerberos provides: because the client has verified the server and the server has verified the client, the server can be permitted to act as the client toward a back-end service. Enable it only on servers you trust completely, and where the domain supports it, prefer constrained delegation (trusting the computer to delegate only to specified services) over this blanket setting.
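The check box above sets a single bit, TRUSTED_FOR_DELEGATION (0x80000), in the userAccountControl attribute of the computer account. The following PowerShell script is an added example and is not part of this article: it reports whether that bit is set on the IIS server's computer account and sets it only when you pass -Enable. It uses ADSI (System.DirectoryServices) only, so it needs no RSAT module; the default computer name "webserver01" is the article's placeholder, and the script assumes it runs as a user with write access to that computer object.

```powershell
# Added example (not part of KB 326089): check, and optionally set, the
# "Trust computer for delegation" flag on an IIS server's computer account.
# Uses ADSI/System.DirectoryServices only, so it works without the RSAT
# ActiveDirectory module. Run as a user with write access to the computer
# object. The default name "webserver01" is the article's placeholder.
param(
    [string]$ComputerName = 'webserver01',
    [switch]$Enable          # without -Enable the script only reports the state
)

# userAccountControl bit set by the check box on the computer's General tab.
$TRUSTED_FOR_DELEGATION = 0x80000

# Locate the computer object in the domain the current user is logged on to.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$result = $searcher.FindOne()
if ($null -eq $result) {
    throw "Computer account '$ComputerName`$' was not found in the current domain."
}

$computer = $result.GetDirectoryEntry()
$uac      = [int]$computer.Properties['userAccountControl'].Value
$trusted  = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
Write-Host ("{0}`n  userAccountControl     = 0x{1:X}`n  trusted for delegation = {2}" -f
    $computer.Properties['distinguishedName'].Value, $uac, $trusted)

if ($Enable -and -not $trusted) {
    # This is unconstrained delegation: once set, any user who authenticates to
    # IIS with Kerberos can be impersonated by this server to ANY other service.
    $computer.Properties['userAccountControl'].Value = $uac -bor $TRUSTED_FOR_DELEGATION
    $computer.CommitChanges()
    Write-Host "Enabled 'Trust computer for delegation' on $ComputerName`$."
}
```

Run it without -Enable first to record the current value of userAccountControl; the other bits in that value (for example WORKSTATION_TRUST_ACCOUNT) are preserved because the script ORs the delegation bit in rather than overwriting the attribute.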


Test FQDN name resolution on IIS
For Kerberos to work, clients must address the IIS server by its fully qualified domain name (FQDN), because the ticket they request from the domain controller is for a service principal that carries that name. To make sure that the IIS server can be reached by its FQDN, follow these steps:

 * 1) On the domain controller, open a command prompt. To do this, click Start, click Run, type CMD, and then click OK.
 * 2) At the command prompt, type ping followed by the FQDN of the IIS server, and then press ENTER. For example:

ping webserver01.mydomain.ms.local

If the operation is successful, the output shows a reply for each of the 4 echo requests that ping sends by default.

If the ping operation is unsuccessful, use the articles that are listed in the "References" section to troubleshoot network Domain Name System (DNS) issues. For Kerberos to work as designed, DNS resolution must be working correctly on your network; a successful reply when you ping by IP address or by short (NetBIOS) name is not enough.
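A ping only proves that the FQDN resolves and the host answers. Kerberos also needs the reverse lookup to return the same name and a service principal name (SPN) that matches the URL the browser uses. The following PowerShell script is an added example, not part of this article: it performs the forward lookup, four echo requests, the reverse lookup, and a check that the HOST/<fqdn> SPN exists on the computer account. It assumes it runs on a domain member (the domain controller is fine) and that IIS runs as Local System, so that the automatically registered HOST SPN covers HTTP requests; the default FQDN "webserver01.mydomain.ms.local" is the article's placeholder.

```powershell
# Added example (not part of KB 326089): verify the name-resolution and SPN
# prerequisites for Kerberos against an IIS server. Run from the domain
# controller or any domain member. The default FQDN is the article's
# placeholder; replace it with your server's name.
param([string]$Fqdn = 'webserver01.mydomain.ms.local')

$ok = $true

# 1. Forward lookup through DNS. If this fails, nothing below can succeed.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($Fqdn)
    Write-Host "Forward : $Fqdn -> $($addresses -join ', ')"
} catch {
    Write-Warning "Forward lookup of $Fqdn failed: $($_.Exception.Message)"
    $ok = $false
}

# 2. Reachability: four echo requests, the same as 'ping' on Windows.
if ($ok) {
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $replies = 0
    foreach ($i in 1..4) {
        if ($ping.Send($Fqdn, 1000).Status -eq 'Success') { $replies++ }
    }
    Write-Host "Ping    : $replies of 4 replies"
    if ($replies -lt 4) { Write-Warning 'Packet loss; fix the network before testing Kerberos.'; $ok = $false }
}

# 3. Reverse lookup. A PTR record that points to a different name can make a
#    client request a ticket for the wrong service principal.
if ($ok) {
    foreach ($addr in $addresses) {
        try {
            $ptr = [System.Net.Dns]::GetHostEntry($addr).HostName
            if ($ptr -ieq $Fqdn) { Write-Host "Reverse : $addr -> $ptr" }
            else { Write-Warning "Reverse : $addr -> $ptr (expected $Fqdn)" }
        } catch {
            Write-Warning "No PTR record for $addr"
        }
    }
}

# 4. SPN. A browser asks the KDC for HTTP/<fqdn>; the HTTP service class is
#    mapped to the HOST/<fqdn> SPN that every computer account registers, so
#    with IIS running as Local System that HOST SPN is all that is required.
#    (If IIS runs as a domain user instead, HTTP/<fqdn> must be on that user.)
$short    = $Fqdn.Split('.')[0]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$short`$))"
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$entry   = $searcher.FindOne()
$spns    = if ($null -ne $entry) { @($entry.Properties['serviceprincipalname']) } else { @() }
$hostSpn = "HOST/$Fqdn"
if ($spns -icontains $hostSpn) {
    Write-Host "SPN     : $hostSpn is registered on $short`$"
} else {
    Write-Warning "SPN     : $hostSpn not found; clients will fall back to NTLM"
    $ok = $false
}

if ($ok) { Write-Host "All Kerberos name checks passed for $Fqdn" }
else     { Write-Host 'Resolve the warnings above, then retest.' }
```

If the SPN check fails, setspn -L <computername> on a domain controller shows what is registered on the account; a missing HOST entry usually means the computer account was created by hand rather than by joining the domain.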


