Microsoft KB Archive/326089

From BetaArchive Wiki

Article ID: 326089

Article Last Modified on 11/21/2006



APPLIES TO

  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 5.0



This article was previously published under Q326089

SUMMARY

This step-by-step article describes how to enable Internet Information Services (IIS) to use Kerberos authentication on a computer that is not a domain controller. By default, domain controllers have Kerberos enabled to perform many of the security functions in Active Directory domains. However, IIS member servers are not enabled to communicate by using the faster, more secure Kerberos protocol.


Enable delegation on domain controllers

  1. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Under Computers Organizational Unit, click to select the name of the IIS server.
  3. Right-click the server name, and then click Properties to open the computer properties for the IIS computer.
  4. On the General tab, click to select Trust Computer for Delegation, and then click Apply.

NOTE: Enabling your IIS server for delegation does introduce possible security concerns, as noted in the warning on the General tab. This delegation permits services that run in the context of the system account to request information from remote services on behalf of the client. Delegation is possible because Kerberos is a mutual authentication protocol: it verifies both the client's and the server's credentials.


Test FQDN name resolution on IIS

For Kerberos to work, all communication must use a fully qualified domain name (FQDN). To make sure that IIS can be reached with an FQDN, follow these steps:

  1. On the domain controller, open a command prompt. To do this, click Start, click Run, type CMD, and then click OK.
  2. At the command prompt, type ping fqdn, and then press ENTER. For example:

    ping webserver01.mydomain.ms.local

    If the operation is successful, the reply reports that the system received a response for all 5 attempts.

    If the ping operation is unsuccessful, use the articles that are listed in the "References" section to troubleshoot network Domain Name System (DNS) issues. For Kerberos to work as designed, DNS resolution must be working correctly on your network.
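The following PowerShell script is an added example, not part of this article; it checks the preconditions the two procedures above rely on from a management workstation: forward and reverse DNS resolution of the IIS server's FQDN, reachability (the ping test), and whether the "Trust computer for delegation" check box is set on the computer account. It assumes the ActiveDirectory RSAT module is installed, and the FQDN webserver01.mydomain.ms.local is a placeholder for your own server.

```powershell
# Added verification script (not part of KB 326089).
# Assumes the ActiveDirectory module (RSAT) is available and the caller
# can read the IIS server's computer object. $IisFqdn is a placeholder.
param(
    [string]$IisFqdn = 'webserver01.mydomain.ms.local'
)

Import-Module ActiveDirectory -ErrorAction Stop

$result = [ordered]@{ Fqdn = $IisFqdn }

# 1. Forward lookup: Kerberos needs the FQDN to resolve to an address.
$records = Resolve-DnsName -Name $IisFqdn -Type A -ErrorAction SilentlyContinue
$aRecord = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
$result.ForwardLookup = [bool]$aRecord
$ip = if ($aRecord) { $aRecord.IPAddress } else { $null }

# 2. Reverse lookup: the address should map back to the same FQDN.
#    A mismatch is a common cause of clients falling back from Kerberos.
$ptr = if ($ip) { Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue }
$result.ReverseLookup = [bool]$ptr -and ($ptr.NameHost -contains $IisFqdn)

# 3. Reachability: the equivalent of the article's "ping fqdn" test.
$result.Reachable = Test-Connection -ComputerName $IisFqdn -Count 4 -Quiet

# 4. Delegation: the "Trust computer for delegation" check box sets the
#    TrustedForDelegation flag on the computer account. Also confirm that
#    the account's registered DNS host name matches the FQDN being tested.
$hostName = $IisFqdn.Split('.')[0]
$computer = Get-ADComputer -Identity $hostName `
    -Properties TrustedForDelegation, DNSHostName -ErrorAction SilentlyContinue
$result.ComputerAccountFound = [bool]$computer
$result.DelegationEnabled   = [bool]$computer.TrustedForDelegation
$result.DnsHostNameMatches  = ($computer.DNSHostName -eq $IisFqdn)

# Overall verdict: every precondition from the article must hold.
$result.AllChecksPassed = $result.ForwardLookup -and $result.ReverseLookup -and
    $result.Reachable -and $result.ComputerAccountFound -and
    $result.DelegationEnabled -and $result.DnsHostNameMatches

[pscustomobject]$result
```

Run it as `.\Test-IisKerberosPrereqs.ps1 -IisFqdn webserver01.mydomain.ms.local`; any check that reports False points at the section of this article to revisit (DNS for the lookup and reachability checks, the computer Properties dialog for the delegation checks).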


REFERENCES

For additional information about DNS troubleshooting, click the following article numbers to view the articles in the Microsoft Knowledge Base:

300986 How to diagnose and test TCP/IP or NetBIOS network connections in Windows 2000
316341 How to troubleshoot DNS name resolution on the Internet in Windows 2000

For additional information about Kerberos, click the following article numbers to view the articles in the Microsoft Knowledge Base:

287537 Using basic authentication to generate Kerberos tokens
283201 How to use delegation in Windows 2000 with COM+
266080 Answers to frequently asked Kerberos questions
282189 Error 0x800706D5 from ASP when calling OOP component with delegation security level
314404 How to use Kerberos with the ServerXMLHTTP component in MSXML



Keywords: kbhowtomaster KB326089