Back-to-back mysterious config change incidents I & II ... Kerberos Auth

Two weeks ago the Exchange Server CBA vDirectory had its Apphost setting abnormally disabled (flipped from True to False). The day before yesterday another mysterious incident followed: two OKTA Connectors disconnected at the same time, which made login completely impossible, and on top of that the SPN that the OKTA IWA (Integrated Windows Authentication) Agent website uses for Kerberos suddenly disappeared.

So this post is a refresher on configuring Kerberos authentication in IIS.

The website referenced below is worth a read, but the points I particularly want to flag are these:

  • Run the new IIS website under a service account rather than the default Application Pool Identity. That makes the SPN you create later easy to control, because it is registered on that one account instead of on the machine account.
  • In the IIS Configuration Editor, under "system.webServer > security > authentication > windowsAuthentication", set "useAppPoolCredentials" to True. Without it IIS decrypts Kerberos tickets with the machine account's key, so a ticket issued for an SPN that lives on the service account cannot be decrypted and authentication fails.
  • Finally, if the new IIS website's hostname differs from the server's own machine name: say the machine is "ServerA.domain.local" but the new IIS website is "ServerA.domain.com". Create the new SPN as "HTTP/ServerA.domain.com"; adding further SPNs such as "HTTP/Web.domain.com" is also allowed. The only requirement is that "Web.domain.com" resolves on the network, since the client builds the SPN it requests from the hostname in the URL. Each SPN must exist on exactly one account; a duplicate breaks Kerberos for both.
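The three steps above as one PowerShell script, run on the IIS server, followed by the checks I would re-run whenever Kerberos "suddenly" stops working. This is an added example, not code from the original post or from Okta or Microsoft. All names are assumptions: site 'KerbSite', app pool 'KerbPool', service account 'DOMAIN\svc_kerbweb', and the hostnames 'ServerA.domain.com' and 'Web.domain.com'.

```powershell
# Added example (not from the original post). Assumed names: site 'KerbSite',
# app pool 'KerbPool', service account 'DOMAIN\svc_kerbweb', hostnames
# 'ServerA.domain.com' and 'Web.domain.com'.
# Needs: elevated PowerShell on the IIS server, the WebAdministration module,
# setspn.exe (present on domain-joined Windows) and rights to write SPNs on the account.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName   = 'KerbSite'              # assumption: the site already exists in IIS
$poolName   = 'KerbPool'
$svcAccount = 'DOMAIN\svc_kerbweb'    # assumption: a service account, not the machine account
$hostNames  = @('ServerA.domain.com', 'Web.domain.com')
$winAuth    = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth   = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. Dedicated app pool running as the service account, not ApplicationPoolIdentity.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
$cred = Get-Credential -UserName $svcAccount -Message 'Service account password'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# 2. Windows auth on, anonymous off, useAppPoolCredentials = True so the ticket is
#    decrypted with the app pool account's key instead of the machine account's.
#    Written as a <location> entry in applicationHost.config, the same place
#    Configuration Editor writes it.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter $anonAuth -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter $winAuth -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter $winAuth -Name useAppPoolCredentials -Value $true

# 3. One HTTP/<host> SPN per hostname the site answers on, all on the service account.
#    setspn -S refuses to add an SPN that already exists anywhere in the forest,
#    which is exactly the duplicate that would break Kerberos.
foreach ($h in $hostNames) {
    if (-not (Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)) {
        Write-Warning "$h does not resolve; clients will never ask the KDC for HTTP/$h"
    }
    & setspn.exe -S "HTTP/$h" $svcAccount
}

# 4. Verify: the setting is still True, the SPNs are still on the account, and no
#    duplicate SPN exists in the forest. Re-run this block alone after an incident.
$effective = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter $winAuth -Name useAppPoolCredentials).Value
"useAppPoolCredentials for $siteName = $effective"
& setspn.exe -L $svcAccount          # SPNs currently registered on the service account
& setspn.exe -X                      # forest-wide duplicate SPN report
```

From a domain-joined client, `klist purge` followed by `klist get HTTP/Web.domain.com` confirms the KDC actually issues a ticket for the new SPN; if that fails while `setspn -L` still lists it, the problem is DNS or a duplicate, not IIS.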


Reference:

http://woshub.com/configuring-kerberos-authentication-on-iis-website/

Client Certificate Mapping in IIS Configuration Editor

section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True"
