
Configure Kerberos constrained delegation for Web Enrollment proxy pages


This article provides step-by-step instructions for implementing Service for User to Proxy (S4U2Proxy) or Kerberos only constrained delegation for a custom Web Enrollment proxy site service account.

Original product version: Windows Server 2016, Windows Server 2019, Windows Server 2012 R2
Original KB number:   4494313

Summary

This article provides step-by-step instructions on how to implement Service for User to Proxy (S4U2Proxy) or Kerberos only constrained delegation for Web Enrollment proxy pages. It covers the following configuration scenarios:

  • Configure delegation for a custom service account
  • Configure delegation for the NetworkService account

Note

The workflows described in this article are specific to a particular environment. The same workflows may not work for a different situation. However, the principles remain unchanged. The following figure summarizes this environment.

Scenario 1: Configure constrained delegation for a custom service account

This section describes how to implement Service for User to Proxy (S4U2Proxy) or Kerberos only constrained delegation when a custom service account is used for the Web Enrollment proxy pages.

1. Add an SPN to the service account

Map the service account to a service principal name (SPN). To do this, follow these steps:

  1. In Active Directory Users and Computers, connect to the domain, and then select PKI > Users.

  2. Right-click the service account (for example, web_svc), and then select Properties.

  3. Select Attribute Editor > servicePrincipalName.

  4. Enter the new SPN string, select Add (as shown in the following figure), and then select OK.

    You can also configure the SPN by using Windows PowerShell. To do this, open an elevated PowerShell window, and then run the following command:

2. Configure delegation

  1. Configure S4U2Proxy constrained delegation (Kerberos only) for the service account. To do this, in the Properties dialog box of the service account (as described in the previous procedure), select Delegation > Trust this user for delegation to specified services only. Make sure that Use Kerberos only is selected.

  2. Close the dialog box.

  3. In the console tree, select Computers, and then select the account of the Web Enrollment front-end server.

    Note

    This account is also known as the computer account.

  4. Configure S4U2Self constrained delegation (protocol transition) for the computer account. To do this, right-click the computer account, and then select Properties > Delegation > Trust this computer for delegation to specified services only. Then select Use any authentication protocol.

3. Create and bind the SSL certificate for Web Enrollment

To enable the Web Enrollment pages, create a domain certificate for the website, and then bind it to the default website. To do this, follow these steps:

  1. Open Internet Information Services (IIS) Manager.

  2. In the console tree, select <HostName> > Server Certificates.

    Note

    <HostName> is the name of the front-end web server.

  3. In the Actions pane, select Create Domain Certificate.

  4. After the certificate is created, select Default Web Site in the console tree, and then select Bindings.

  5. Make sure that port 443 is set. Then, under SSL certificate, select the certificate that you created in step 3.

  6. Select OK to bind the certificate to port 443.

4. Configure the Web Enrollment front-end server to use the service account

Important

Make sure that the service account is a member of the local Administrators group or the IIS_IUSRS group on the web server.

  1. Right-click DefaultAppPool, and then select Advanced Settings.

  2. Select Process Model > Identity > Custom account, and then select Set. Provide the service account name and password.

  3. Select OK in the Set Credentials dialog box and in the Application Pool Identity dialog box.

  4. In the advanced settings, find Load User Profile, and make sure that it is set to True.

  5. Restart the computer.

Scenario 2: Configure constrained delegation for the NetworkService account

This section describes how to implement S4U2Proxy or Kerberos only constrained delegation when the NetworkService account is used for the Web Enrollment proxy pages.

Optional step: Configure a name for connections

You can give the Web Enrollment role a name that clients use to connect. With this configuration, incoming requests do not have to know the computer name of the Web Enrollment front-end server or other routing information, such as the canonical name (CNAME).

For example, suppose that the computer name of your Web Enrollment server is WEBENROLLMAC (in the Contoso domain), and you want incoming connections to use the name ContosoWebEnroll instead. In this case, the connection URL would be as follows:

instead of the following:

To use such a configuration, follow these steps:

  1. In the DNS zone file for the domain, create an alias or host record that maps the new connection name to the IP address of the Web Enrollment role. Use the ping tool to test the routing configuration.

    In the previous example, the zone file has an alias entry that maps ContosoWebEnroll to the IP address of the Web Enrollment role.

  2. Configure the new name as the SPN for the Web Enrollment front-end server. To do this, follow these steps:

    1. In Active Directory Users and Computers, make sure that you are connected to the domain, and then select Computers.
    2. Right-click the account of the Web Enrollment front-end server, and then select Properties.

      Note

      This account is also known as the computer account.

    3. Select Attribute Editor > servicePrincipalName.
    4. Enter HTTP/<ConnectionName>.<DomainName>, select Add, and then select OK.

      Note

      In this string, <ConnectionName> is the new name that you defined, and <DomainName> is the name of the domain. In the example, the string is HTTP/ContosoWebEnroll.contoso.com.
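The SPN registration that Scenario 1 (step 1, "run the following command") and this optional step both describe can be done from PowerShell. The following session is an added example, not the article's own command: it registers the HTTP SPN, refuses duplicates, and verifies the result. It assumes the RSAT ActiveDirectory module is installed, the session is elevated, and the names web_svc, WEBENROLLMAC, ContosoWebEnroll and contoso.com are the ones from this article's examples (which SPN string Scenario 1 uses is not stated, so the same HTTP SPN is assumed there).

```powershell
# Added example (not from the original article): register an HTTP SPN and verify it.
# Assumptions: RSAT ActiveDirectory module installed, elevated session with rights to
# edit the accounts, and the names below match this article's examples.
Import-Module ActiveDirectory

$Spn = 'HTTP/ContosoWebEnroll.contoso.com'

# 1. A duplicate SPN breaks Kerberos for both accounts (the KDC cannot pick one),
#    so query the forest before adding. If nothing is registered, setspn reports
#    that no such SPN was found.
setspn -Q $Spn

# 2a. Scenario 1: map the SPN to the custom service account (user object).
#     -S checks for duplicates and refuses to add the SPN if one already exists.
setspn -S $Spn contoso\web_svc

# 2b. Scenario 2 (optional step): map the SPN to the front-end computer account.
#     Only one of 2a/2b applies: the SPN must sit on the account the app pool runs as.
# setspn -S $Spn 'WEBENROLLMAC$'

# Equivalent with the AD module, handy in scripts:
# Set-ADUser     -Identity web_svc      -ServicePrincipalNames @{Add = $Spn}
# Set-ADComputer -Identity WEBENROLLMAC -ServicePrincipalNames @{Add = $Spn}

# 3. Verify what is now registered on the account.
setspn -L contoso\web_svc
Get-ADUser -Identity web_svc -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# 4. Forest-wide duplicate check; any line of output here is a problem to fix.
setspn -X

# 5. Confirm the connection name resolves to the Web Enrollment server
#    (the article uses ping; Resolve-DnsName also shows the CNAME/A chain).
Resolve-DnsName -Name ContosoWebEnroll.contoso.com
```

Run the duplicate check (step 4) again after any later SPN change: a second account carrying the same HTTP SPN is the most common reason the proxy pages silently fall back to NTLM, which then defeats the Kerberos only delegation configured later in the article.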

1. Configure delegation

  1. If you are not already connected to the domain in Active Directory Users and Computers, connect now, and then select Computers.

  2. Right-click the account of the Web Enrollment front-end server, and then select Properties.

    Note

    This account is also known as the computer account.

  3. Select Delegation, and then select Trust this computer for delegation to specified services only.

    Note

    If you can guarantee that clients will always use Kerberos authentication when they connect to this server, select Use Kerberos only. If some clients use other authentication methods, such as NTLM or forms-based authentication, select Use any authentication protocol.
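The Delegation tab settings from Scenario 1 (step 2: service account with Use Kerberos only, computer account with Use any authentication protocol) and from this Scenario 2 step map to two attributes on the account: msDS-AllowedToDelegateTo (the list of target services) and the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition). The following PowerShell is an added example, not from the article, that sets both and then audits them. It assumes the RSAT ActiveDirectory module, an elevated session, and this article's names; the article does not name the back-end service that the proxy delegates to, so $TargetSpn is a placeholder to replace with the SPN shown in your environment's Delegation tab.

```powershell
# Added example (not from the original article): configure constrained delegation
# from PowerShell instead of the Delegation tab, then audit the result.
# Assumptions: RSAT ActiveDirectory module, elevated session, article's account names.
Import-Module ActiveDirectory

# Placeholder: the article never names the back-end service; use the SPN your
# Delegation tab lists (the value shown under "Services to which this account
# can present delegated credentials").
$TargetSpn = 'HOST/<BackEndServer>.contoso.com'

# Scenario 1, step 2.1: service account, "Use Kerberos only" (S4U2Proxy).
# msDS-AllowedToDelegateTo limits delegation to the listed services; leaving
# TrustedToAuthForDelegation off means no protocol transition is allowed.
Set-ADUser -Identity web_svc -Add @{'msDS-AllowedToDelegateTo' = $TargetSpn}
Set-ADAccountControl -Identity web_svc -TrustedToAuthForDelegation $false

# Scenario 1, step 2.4: computer account, "Use any authentication protocol"
# (S4U2Self / protocol transition). This is also the Scenario 2 "any protocol"
# choice for clients that arrive with NTLM or forms-based authentication.
Set-ADComputer -Identity WEBENROLLMAC -Add @{'msDS-AllowedToDelegateTo' = $TargetSpn}
Set-ADAccountControl -Identity 'WEBENROLLMAC$' -TrustedToAuthForDelegation $true

# Scenario 2, "Use Kerberos only" variant: keep the target list, transition off.
# Set-ADAccountControl -Identity 'WEBENROLLMAC$' -TrustedToAuthForDelegation $false

# Audit. With protocol transition enabled the account can obtain a service ticket
# for any user to the listed targets without that user presenting Kerberos
# credentials, so keep the target list minimal and review every account that has
# the flag set. 0x1000000 is TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object Name, ObjectClass,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } },
        @{ n = 'ProtocolTransition';  e = { ($_.userAccountControl -band 0x1000000) -ne 0 } }
```

The audit query is worth keeping as a scheduled check: an account that gains msDS-AllowedToDelegateTo entries or the protocol-transition flag outside a change window is a configuration drift a defender wants to see, whichever scenario in this article you implemented.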

2. Create and bind the SSL certificate for Web Enrollment

To enable the Web Enrollment pages, create a domain certificate for the website, and then bind it to the default website. To do this, follow these steps:

  1. Open IIS Manager.

  2. In the console tree, select <HostName> > Server Certificates.

    Note

    <HostName> is the name of the front-end web server.

  3. In the Actions pane, select Create Domain Certificate.

  4. After the certificate is created, select Default Web Site, and then select Bindings.

  5. Make sure that port 443 is set. Then, under SSL certificate, select the certificate that you created in step 3. Select OK to bind the certificate to port 443.

3. Configure the Web Enrollment front-end server to use the NetworkService account

  1. Right-click DefaultAppPool, and then select Advanced Settings.

  2. Select Process Model > Identity. Make sure that Built-in account is selected, and then select NetworkService. Then select OK.

  3. In the advanced settings, find Load User Profile, and make sure that it is set to True.

  4. Restart the IIS service.
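The IIS part of both scenarios (bind the domain certificate to port 443, set the DefaultAppPool identity to the custom service account in Scenario 1 or to NetworkService in Scenario 2, and set Load User Profile to True) can be scripted and verified. The following is an added example, not the article's own procedure. It assumes the WebAdministration module on the front-end server, an elevated session, that the domain certificate was already created as the article describes, and that its subject matches the connection name from the article's example ($CertSubject and the account name are assumptions).

```powershell
# Added example (not from the original article): create the HTTPS binding, set the
# DefaultAppPool identity, enable Load User Profile, then verify.
# Assumptions: WebAdministration module, elevated session, domain certificate already
# created (article step "Create and bind the SSL certificate"), names from the article.
Import-Module WebAdministration

$Site        = 'Default Web Site'
$CertSubject = 'CN=ContosoWebEnroll.contoso.com'   # assumed subject of your domain certificate

# Pick the certificate to bind. It must carry a private key, and its name must match
# what clients type, otherwise they get certificate warnings against the proxy pages.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw "No certificate with subject $CertSubject and a private key in LocalMachine\My" }

# Bind port 443 and attach the certificate to that binding.
if (-not (Get-WebBinding -Name $Site -Protocol https -Port 443)) {
    New-WebBinding -Name $Site -Protocol https -Port 443
}
(Get-WebBinding -Name $Site -Protocol https -Port 443).AddSslCertificate($Cert.Thumbprint, 'My')

# Scenario 1: run DefaultAppPool as the custom service account.
# The password is prompted for, not written into the script or its history.
$Cred = Get-Credential -UserName 'contoso\web_svc' -Message 'Service account password'
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password
}

# Scenario 2 alternative: the built-in NetworkService identity.
# Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel -Value @{ identityType = 'NetworkService' }

# Both scenarios: Load User Profile = True. Recycling the pool applies the identity
# change so it can be verified now; still restart as the article directs afterwards.
Set-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel.loadUserProfile -Value $true
Restart-WebAppPool -Name DefaultAppPool

# Verify the binding and the pool identity.
Get-WebBinding -Name $Site
Get-ItemProperty 'IIS:\AppPools\DefaultAppPool' -Name processModel |
    Select-Object identityType, userName, loadUserProfile
```

The identity shown by the final Get-ItemProperty is the account whose SPN and delegation settings the earlier steps configured; if it differs from the account that owns the HTTP SPN, Kerberos authentication to the proxy pages fails and clients fall back to NTLM, which the Use Kerberos only delegation setting then rejects.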

Related topics

For more information on these processes, see Authenticating Web Application Users.

For more information on the S4U2self and S4U2proxy protocol extensions, see the following articles: