Jump to content
Tuts 4 You

Windows Server 2022 Kerberos on AD DS w/ IIS DHCP DNS


Recommended Posts

Posted (edited)

Kerberos on AD DS w/ IIS DHCP DNS Installed

There were so many tutorials on how to properly get Kerberos configured on an AD DS setup,  mostly utilizing kerber with a 3 party cloud system, I wanted to establish Windows Authentication using only 1 provider "Negotitiate:Kerberos"
You can try to simply enable only this provider but it still wont work. Ive seen videos/tutorials explaining you need another account added into the AD or you need to setup a "service" account and yes technically this could be done, but here's step by step kerber provider only without any added accounts or services - you will however need to properly set your SPNs, and that was where I went wrong - so here's a quick step by step to have kerberos on your DC (there was a C# program released out of MCSFT called KerberosConfigMgrIIS which provided helpful info on exactly which settings should be put into place for Kerberos to work instead of the fall back to NTLM)

1) This assumes youve installed AD DS, IIS, DHCP, DNS server roles n' features and have promted your DS into a DC
2) You want to make sure you Windows Authentication installed (this can be added under web services in roles and features)
3) Enter into IIS Manager
4) select the IIS server and click authentication
5) disable everything but Windows Authentication
6) Click WinAuth -> adv settings & disable kernel mode auth
7) Afterwards click providers and remove all and add ONLY Negotiate:Kerberos
😎 Do the same thing ya just did with eh IIS server for the particular web site (mine was Default Web Site)

9) Lastly we need a Service Principle Name (SPN) so from powershell DO NOT blindly copy paste n run this (ehh ehh ehhhhh) but it shows ya how it would look like:

setspn -S HTTP/xabihsot.com abihsot

 

Note: My machine name was abihsot and the host name xabihsot.com

(screenshot below showing kerber ticket after winauth login prompt credentials supplied)

IMG_0373.JPG

Edited by JMC31337
lets get serious
  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...