Two of them are of interest: forwardable and ok_as_delegate. Note: is the SPN of the service you wish to contact and authenticate to via Kerberos.
#Microsoft edge login to website issue windows#
Use the klist command tool present in Windows to list the cache of Kerberos tickets from the client machine ( Workstation-Client1 in the diagram above).
#Microsoft edge login to website issue how to#
How to know whether the Kerberos ticket obtained on the client to send to the Web-Server uses constrained or unconstrained delegation? An application is granted the rights it needs to function and nothing more, whereas unconstrained delegation allows an application to contact resources it shouldn't contact on behalf of the user. If the web-application residing on the server called Web-Server must also contact a database and authenticate on behalf of the user, this service principal name (SPN) must be added to the list of authorized services.Ĭonstrained delegation is more secure than unconstrained delegation based on the principle of least privilege. In a constrained delegation configuration, the active directory account that is used as an application pool identity can delegate the credentials of authenticated users only to a list of services that have been authorized to delegate. This is called unconstrained delegation because the application pool account has the permission (it's unconstrained) to delegate credentials to any service it contacts. For example, an SMTP server, a file server, a database server, another web server, etc.
The application pool's account running on Web-Server can delegate the credentials of authenticated users of the website hosted on that server to any other service in the active directory. In an unconstrained Kerberos delegation configuration, the application pool identity runs on Web-Server and is configured in Active Directory to be trusted for delegation to any service. In the scenario above, both configurations allow users to delegate credentials from their user session on machine Workstation-Client1 to the back-end API server while connecting through the front-end Web-Server. To use Kerberos credential delegation, refer to Troubleshoot Kerberos failures in Internet Explorer first. The steps below will help you troubleshoot this scenario: The setup works with Internet Explorer, but when users adopt Microsoft Edge, they can no longer use the credential delegation feature. The website located on Web-Server will make HTTP calls using authenticated user's credentials to API-Server (which is the alias for Backend-Web-SRV) to retrieve application data on behalf of users, using Kerberos credential delegation.Then they will launch a browser (Microsoft Edge), navigate to a website located on Web-Server, which is the alias name used for Primary-IIS-SRV, and authenticate via integrated Windows authentication using Kerberos.Users of the computer Workstation-Client1 will log on to the machine using the Windows Active Directory account.The Workstation-Client1 computer is part of the same active directory as primary Web-Server, called Primary-IIS-SRV and the backend web server, called Backend-Web-SRV.This article assumes that you are setting up an architecture similar to the one represented in the diagram below: Follow this article's steps to set up the delegation of authentication tickets and use services with a modern browser such as Microsoft Edge version 87 or above. Setting up Windows Authentication based on the Kerberos authentication protocol can be a complex endeavor, especially when dealing with scenarios such as delegation of identity from a front-end site to a back-end service in the context of IIS and ASP.NET. Applies to: Internet Information Services Introduction
0 kommentar(er)
