繼二星期前出現Exchange Server CBA vDirectory 被唔正常地disable Apphost settings 由True變False後
係前日再出現神秘事件。今次係兩個 OKTA Connector 同時disconnect,引發完全無法Login之外,就係OKTA IWA(Integrated Windows Authentication) Agent Website 用作Kerberose 嘅SPN突然消失。
所以今次呢個寫嘅IIS Configure Kerberos Auth嘅溫故知新
下面Reference嘅Website值得一睇。但係想特別提出要留意嘅有以下
- 係開嘅IIS Website會用Service Account以唔用Default 嘅Application Pool Identity,對往後create SPN會容易控制
- 係IIS嘅Configuration Editor,“system.webServer > security > authentication > windowsAuthentication”,入面嘅 “useAppPoolCredentials” 要Set做True
- 最後,如果新Configure嘅IIS Website同Server本身機名唔同
Sample 機名原本係 “ServerA.domain.local” , 但係新IIS WebSite 係 “ServerA.domain.com”, Create 新 SPN照跟Create “HTTP/ServerA.domain.com” 甚至額外加更多SPN “HTTP/Web.domain.com” 係容許嘅。只需要係Network上用resolve到”Web.domain.com”走可以
Reference:
http://woshub.com/configuring-kerberos-authentication-on-iis-website/
Client Ceritificate Mapping in IIS Configuration Editor
section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:”True”