JMC31337 Posted August 27, 2021 (edited)

Kerberos on AD DS w/ IIS DHCP DNS Installed

There were so many tutorials on how to properly get Kerberos configured on an AD DS setup, mostly utilizing kerber with a third-party cloud system. I wanted to establish Windows Authentication using only one provider, "Negotiate:Kerberos". You can try to simply enable only this provider but it still won't work. I've seen videos/tutorials explaining you need another account added into the AD or you need to set up a "service" account, and yes, technically this could be done, but here's step by step, kerber provider only, without any added accounts or services. You will however need to properly set your SPNs, and that was where I went wrong. So here's a quick step by step to have Kerberos on your DC (there was a C# program released out of Microsoft called KerberosConfigMgrIIS which provided helpful info on exactly which settings should be put into place for Kerberos to work instead of the fallback to NTLM).

1) This assumes you've installed the AD DS, IIS, DHCP and DNS server roles n' features and have promoted your server to a DC.
2) You want to make sure you have Windows Authentication installed (this can be added under web services in Roles and Features).
3) Enter IIS Manager.
4) Select the IIS server and click Authentication.
5) Disable everything but Windows Authentication.
6) Click Windows Authentication -> Advanced Settings and disable kernel-mode authentication.
7) Afterwards click Providers, remove all and add ONLY Negotiate:Kerberos.
8) Do the same thing you just did with the IIS server for the particular web site (mine was Default Web Site).
9) Lastly we need a Service Principal Name (SPN), so from PowerShell. DO NOT blindly copy, paste n' run this (ehh ehh ehhhhh) but it shows you how it would look:

setspn -S HTTP/xabihsot.com abihsot

Note: My machine name was abihsot and the host name xabihsot.com (screenshot below showing the kerber ticket after the WinAuth login prompt credentials were supplied).

Edited August 27, 2021 by JMC31337
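The same procedure as a script, added here as an example and not part of the original post: it drives the IIS configuration the post clicks through in IIS Manager (steps 5 to 8) with the WebAdministration module, registers the SPN, and then checks that a Kerberos service ticket was actually issued. The site name, host name and computer name are assumptions taken from the post's note; the Set-KerberosOnlyWinAuth function is the example's own helper. Run it in an elevated PowerShell on the IIS host (the DC in the post's setup).

```powershell
# Added example (not from the original post): the post's IIS Manager steps 5-9 as a script.
# Run in an elevated PowerShell on the IIS host. Names below are assumptions taken from the
# post's note; replace the site name, host name and computer name for your environment.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: the site being locked to Kerberos
$HostName = 'xabihsot.com'       # assumption: FQDN that clients put in the URL
$Computer = 'abihsot'            # assumption: the machine that hosts the site
$AuthBase = 'system.webServer/security/authentication'

function Set-KerberosOnlyWinAuth {
    # Applies to the server level when -Location is omitted, to one site when it is given.
    param([string]$Location)
    $target = @{ PSPath = 'MACHINE/WEBROOT/APPHOST' }
    if ($Location) { $target['Location'] = $Location }

    # Step 5: turn off every scheme other than Windows Authentication.
    foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
        Set-WebConfigurationProperty @target -Filter "$AuthBase/$scheme" -Name enabled -Value $false
    }

    # Step 6: enable Windows Authentication and disable kernel-mode authentication, so the
    # ticket is decrypted with the app pool identity (the machine account when the pool runs
    # as ApplicationPoolIdentity or NetworkService) instead of by HTTP.sys.
    $winAuth = "$AuthBase/windowsAuthentication"
    Set-WebConfigurationProperty @target -Filter $winAuth -Name enabled       -Value $true
    Set-WebConfigurationProperty @target -Filter $winAuth -Name useKernelMode -Value $false

    # Step 7: remove the inherited providers (Negotiate and NTLM by default) and leave only
    # Negotiate:Kerberos, so there is no NTLM fallback at all.
    $existing = (Get-WebConfigurationProperty @target -Filter "$winAuth/providers" -Name Collection).value
    foreach ($p in $existing) {
        Remove-WebConfigurationProperty @target -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = $p }
    }
    Add-WebConfigurationProperty @target -Filter "$winAuth/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
}

# Step 8: server level first, then the site, as the post does in IIS Manager.
Set-KerberosOnlyWinAuth
Set-KerberosOnlyWinAuth -Location $SiteName

# Show the result for the site: expect enabled=True, useKernelMode=False, one provider.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$AuthBase/windowsAuthentication" | Select-Object enabled, useKernelMode
(Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$AuthBase/windowsAuthentication/providers" -Name Collection).value

# Step 9: register the SPN. -Q first reports whether HTTP/<host> is already claimed anywhere
# in the forest (a duplicate SPN is a classic reason Kerberos silently fails and clients end
# up on NTLM); -S adds the SPN only when no duplicate exists. The SPN belongs on the account
# that decrypts the ticket: the computer account here, or a domain user if the app pool runs
# under one (the "service account" setup the post mentions).
setspn -Q "HTTP/$HostName"
setspn -S "HTTP/$HostName" $Computer
setspn -L $Computer

# Verify: after a request with default credentials, klist should list a service ticket for
# HTTP/<host>. If the request succeeds but no such ticket appears, Kerberos was not used.
klist purge
Invoke-WebRequest -Uri "http://$HostName/" -UseDefaultCredentials | Select-Object StatusCode
klist | Select-String "HTTP/$HostName"
```

Two caveats worth knowing when this does not behave: the Negotiate:Kerberos provider value exists from IIS 8 (Windows Server 2012) onward, older IIS only offers Negotiate and NTLM; and with the provider list reduced to Kerberos only, any client that cannot obtain a ticket (wrong SPN, non-domain machine, host reached by IP address rather than the name in the SPN) gets a hard 401 rather than an NTLM fallback, which is the intended effect of the post's configuration but also makes the setspn step the one that has to be right.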