Kerberos Double Hop Setup Notes – Part 2

Continuing the tests today, I found that I have another machine, set up earlier, that is already running Double Hop.
Its setup is slightly different:
The DoubleHop website does not have ASP.NET Impersonation enabled.
The Application Pool uses .NET Framework v4.0.30319, and the Managed pipeline mode is "Integrated". (If ASP.NET Impersonation is enabled while the pipeline mode is Integrated, you get Error 500.)

Kerberos Double Hop Setup Notes

Kerberos – for me it counts as something I use often, but I still sometimes forget a few of the more particular implementation methods. Double Hop is exactly one of the things I forget.

First, what Single Hop and Double Hop are.

As the name suggests, Single Hop > the usual, commonly used approach, as with SharePoint.
Double Hop > the difference from Single Hop is that Kerberos is used a second time to connect to another source. (Note: that is two Kerberos authentications; what I keep forgetting is that the second layer's connection does not use Kerberos, so it fails with Error 401.)

The first Reference URL below is a very clear setup guide.

The common Kerberos double hop case is an IIS Virtual Directory that points to a UNC path.

The method I like to use differs a little from what the article describes.

The method is as follows –
The IIS website uses a different name, not the server's own host name.
The Application Pool's Identity uses a separate Service Account rather than the default built-in ApplicationPoolIdentity, and you also need to use Setspn to register the Web Server's SPN (remember: it is the name the Web Server will be accessed by).

On the IIS website that will use Kerberos Auth > Authentication > Windows Authentication > Advanced Settings > untick "Enable Kernel-Mode Authentication".

Also, in the website's Configuration Editor > "system.webServer/security/authentication/windowsAuthentication" > set "UseAppPoolCredentials" to "True".

The Providers under Windows Authentication are chosen as:
Negotiate:Kerberos
Negotiate
Optional: NTLM (if the website will definitely only use Kerberos, NTLM can be left out)

Also don't forget: ASP.NET Impersonation must be enabled, and disable "Basic Authentication" & "Anonymous Authentication".

Finally, add the Virtual Directory, i.e. the UNC path that will be the target of the second hop. Use \\host.domain.com rather than \\IP Address; using an IP address will definitely fail.

That is my approach.
Afterwards you can test from a domain-joined PC. Typing "klist" at a Command Prompt will show the Kerberos ticket for the connection to the WebServer.
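The steps above collected into one script, as an added example that is not from the original post; it uses the IIS WebAdministration module and setspn, and the site name, host name, service account and UNC path are placeholders:

```powershell
# Added example, not from the original post. Applies the settings described above with the
# WebAdministration module and setspn; all names are placeholders. Delegation for the service
# account is configured separately in Active Directory and is not covered here.
Import-Module WebAdministration

$site     = 'KerbSite'                       # placeholder: IIS website (app pool assumed to share the name)
$webHost  = 'web.domain.com'                 # placeholder: name the site is browsed as, not the server host name
$svcAcct  = 'DOMAIN\svc_kerbweb'             # placeholder: app pool service account
$uncPath  = '\\fileserver.domain.com\share'  # placeholder: second-hop target, FQDN not IP
$vdirName = 'share'
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$enableImpersonation = $false   # Part 2: impersonation + Integrated pipeline returns HTTP 500

# 1. Register the HTTP SPN for the site's own name (FQDN and short form) on the service account.
foreach ($n in $webHost, $webHost.Split('.')[0]) { setspn -S "HTTP/$n" $svcAcct }

# 2. Run the app pool as the service account instead of ApplicationPoolIdentity.
$cred = Get-Credential -UserName $svcAcct -Message 'App pool service account'
Set-ItemProperty "IIS:\AppPools\$site" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 3. Windows Authentication: untick kernel-mode auth and use the app pool credentials for the SPN.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $winAuth -Name useAppPoolCredentials -Value $true

# 4. Providers: Negotiate:Kerberos first, then Negotiate; NTLM left out because the site is Kerberos-only.
foreach ($p in 'Negotiate', 'NTLM', 'Negotiate:Kerberos') {
    Remove-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
foreach ($p in 'Negotiate:Kerberos', 'Negotiate') {
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$winAuth/providers" -Name '.' -Value @{ value = $p }
}

# 5. Disable Basic and Anonymous; enable ASP.NET Impersonation only when the pool is not Integrated.
foreach ($auth in 'basicAuthentication', 'anonymousAuthentication') {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "system.webServer/security/authentication/$auth" -Name enabled -Value $false
}
if ($enableImpersonation) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/identity' -Name impersonate -Value $true
}

# 6. Virtual directory for the second hop: must be \\host.domain.com, never \\IP (an IP target fails).
if ($uncPath -match '^\\\\\d{1,3}(\.\d{1,3}){3}\\') { throw "UNC target must use a host name, not an IP: $uncPath" }
New-WebVirtualDirectory -Site $site -Name $vdirName -PhysicalPath $uncPath

# 7. Verify from a domain-joined client after browsing the site; the HTTP/web.domain.com ticket should be listed:
#    klist | findstr /i "HTTP/web.domain.com"
```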

References

https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/