Kerberos Double Hop Setup Notes


Kerberos is something I use regularly, but every now and then I forget one of the more specialised implementation details. Double Hop is exactly the kind of thing I forget.

First, what Single Hop and Double Hop mean.


As the name suggests, Single Hop > the ordinary, everyday setup, like SharePoint.
Double Hop > differs from Single Hop in that Kerberos is used a second time to connect to another source. (Note: that is two Kerberos authentications. What I keep forgetting is that the second leg ends up not connecting with Kerberos, and it fails with error 401.)

The first Reference URL below is a very clear setup guide.

The most common Kerberos double hop is an IIS Virtual Directory whose physical path is a UNC path.

The method I prefer differs slightly from what the article describes.

The setup is as follows:
The IIS website uses a separate name, not the server's own host name.
The Application Pool identity uses a dedicated service account rather than the default built-in ApplicationPoolIdentity, and you must use setspn to register the web server's SPN (remember: the name the web server will actually be addressed by, not the host name).

On the IIS website that will use Kerberos auth: Authentication > Windows Authentication > Advanced Settings > untick "Enable Kernel-Mode Authentication".

Also, in the website's Configuration Editor > "system.webServer/security/authentication/windowsAuthentication", set "useAppPoolCredentials" to "True".

The Providers under Windows Authentication are set to:
Negotiate:Kerberos
Negotiate
Optional: NTLM (if the website is definitely going to use only Kerberos, NTLM can be left out)

And don't forget: ASP.NET Impersonation must be enabled, and "Basic Authentication" and "Anonymous Authentication" must be disabled.

Finally, add the Virtual Directory, i.e. the UNC path that is the target of the second hop. Use \\host.domain.com rather than \\IP Address; using an IP address will always fail.

That is how I do it.
Afterwards you can test from a domain-joined PC. Typing "klist" in a Command Prompt will show the Kerberos ticket obtained for the web server.
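The steps above, scripted with the WebAdministration module as an added example (not code from the post or from Microsoft). All names are placeholders, and AD delegation for the service account is assumed to be configured separately, which the post does not cover.

```powershell
# Added example, not the original post's code. Placeholders: site 'KerbApp',
# client-facing alias 'webapp.contoso.com', app pool 'KerbAppPool', service
# account 'CONTOSO\svc_kerbapp', second-hop share '\\fileserver.contoso.com\data'.
# Run in an elevated PowerShell on the IIS server. AD delegation for the
# service account is assumed to be handled elsewhere (not covered in the post).
Import-Module WebAdministration

$SiteName   = 'KerbApp'
$HostAlias  = 'webapp.contoso.com'            # not the server's own host name
$PoolName   = 'KerbAppPool'
$SvcAccount = 'CONTOSO\svc_kerbapp'
$UncTarget  = '\\fileserver.contoso.com\data' # FQDN, never an IP address
$Auth       = 'system.webServer/security/authentication'
$AppHost    = 'MACHINE/WEBROOT/APPHOST'       # writes site-level <location> entries

# 1. SPNs for the alias on the service account (setspn -S refuses duplicates).
setspn -S "HTTP/$HostAlias" $SvcAccount
setspn -S "HTTP/$($HostAlias.Split('.')[0])" $SvcAccount

# 2. App pool identity = the service account, not ApplicationPoolIdentity.
$cred = Get-Credential -UserName $SvcAccount -Message 'Service account password'
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $SvcAccount
    password     = $cred.GetNetworkCredential().Password
}

# 3. Windows auth on, kernel mode off, tickets decrypted with the app pool
#    account's key, providers limited to Kerberos (no NTLM fallback).
$Win = "$Auth/windowsAuthentication"
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Win -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Win -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Win -Name useAppPoolCredentials -Value $true
Clear-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$Win/providers"   # drop inherited list
foreach ($p in 'Negotiate:Kerberos', 'Negotiate') {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Win/providers" -Name '.' -Value @{ value = $p }
}

# 4. Anonymous and Basic off; ASP.NET impersonation on (site web.config).
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Auth/basicAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/identity' -Name impersonate -Value $true

# 5. Virtual directory whose physical path is the second-hop UNC target.
New-WebVirtualDirectory -Site $SiteName -Name 'data' -PhysicalPath $UncTarget

# 6. From a domain-joined client, after browsing the site, klist should list a
#    ticket for HTTP/<alias>; if it is missing, the first hop fell back to NTLM.
# klist | Select-String "HTTP/$HostAlias"
```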

Reference

https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/

https://blogs.technet.microsoft.com/askds/2008/06/13/understanding-kerberos-double-hop/
