IIS settings for successful IIS Integrated Windows Authentication in an L4 load balancer environment

Summary

This article explains how to configure Integrated Windows Authentication (IWA) in IIS in an environment with an L4 load balancer and SSL termination.

When setting up this configuration, authentication often fails because the SPN (Service Principal Name) is registered incorrectly or registered more than once.

This article gives a complete explanation of SPN registration and the related tasks that are required.

Configuration example in this article

   [Client Browser]
          |
          | HTTPS Access
          v
   [L4 Load Balancer (TCP 443)]
          |           |
          v           v
   [Server1 (IIS)]  [Server2 (IIS)]

  • FQDN: sso.chat-messenger.com
  • IIS hostnames: Server1, Server2
  • Shared service account: CAMTEST\cam-svc

Problem: Duplicate SPN error

With Integrated Windows Authentication, the client looks up the SPN for the FQDN it is accessing and obtains a Kerberos ticket for the service account that holds that SPN.

setspn -S HTTP/sso.chat-messenger.com Server1$
setspn -S HTTP/sso.chat-messenger.com Server2$

As shown above, when you register the SPN for the same FQDN (sso.chat-messenger.com) on different hosts (Server1, Server2), the following error occurs:

Duplicate SPN found, aborting operation.

Solution: Register the SPN in the shared service account

If multiple hosts serve the same FQDN, register the SPN only once, on the shared service account.

Creating a shared service account

The account that runs an IIS application pool can be any domain user (as long as it belongs to Domain Users). However, to keep normal users and service accounts separate, to make the scope of the password policy clear, and to prevent operational mistakes, create the new account cam-svc in a dedicated OU such as OU=ServiceAccounts, separate from the Users container in Active Directory.

Register SPN with service account

Register the SPN using the service account created above.

setspn -S HTTP/sso.chat-messenger.com CAMTEST\cam-svc

  • Any domain-joined machine can be used to run the command, but domain administrator privileges are required.
  • The SPN is also used for HTTPS communication; it must still be registered in the HTTP/hostname format.

IIS Application Pool Settings

On both Server1 and Server2, change the application pool identity to the service account you created, CAMTEST\cam-svc.

IIS Manager "Configuration Editor"

To run the IIS application pool as the service account and have Windows Authentication work correctly with Kerberos, configure the following with the "Configuration Editor" feature of IIS Manager:

  • Section: system.webServer/security/authentication/windowsAuthentication
  • useAppPoolCredentials: set to True
  • useKernelMode: set to False

If IIS is running on a domain controller, this setting may not be necessary.

Granting the "Log on as a batch job" right to the shared service account

The application pool handles web requests in the worker process w3wp.exe. If this process runs under the shared service account and that account does not have the "Log on as a batch job" right, the process is denied and an HTTP 503 error is returned. The shared service account must therefore be granted "Log on as a batch job" (in this article, via GPO).

This setting can be controlled by the local security policy of each IIS server, but organizational policies in a GPO (Group Policy Object) on the Active Directory domain controller may override it. In that case the right must be granted in the GPO itself, and this article explains how to do so.

If IIS is running on a domain controller, "Log on as a batch job" may not be necessary.

Steps to link the GPO to OU=ServiceAccounts

If the service account CAMTEST\cam-svc is created in OU=ServiceAccounts but no group policy (e.g. IIS-BatchLogon-GPO) is linked to that OU, the policy is not applied to cam-svc. Which objects a GPO applies to is determined by the OU it is linked to, so it is important that the location of the account matches the OU the GPO is linked to.

  1. Run gpmc.msc to start the Group Policy Management console.
  2. In the left pane, right-click the OU camtest.com/ServiceAccounts → "Create a GPO in this domain, and Link it here..." → enter any name (e.g. IIS-BatchLogon-GPO).
  3. Edit the newly created IIS-BatchLogon-GPO.
  4. Go to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Log on as a batch job.
  5. Double-click to open the dialog and add the user CAMTEST\cam-svc.

About GPO settings

To apply the GPO correctly, it is important to run gpupdate /force; this ensures the GPO settings take effect immediately. In particular, when granting the "Log on as a batch job" right, if the policy has not yet taken effect, w3wp.exe may fail to start.
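The following verification script is an added example, not part of the original article. It checks, on one IIS server, the four conditions the article describes: the HTTP SPN is held exactly once and by the service account, the application pool runs as that account, useAppPoolCredentials/useKernelMode are set as described, and the account holds the "Log on as a batch job" right after the GPO has been applied. It assumes the article's names (sso.chat-messenger.com, CAMTEST\cam-svc) plus a hypothetical application pool name "SsoAppPool" and the default site name; adjust both to your environment.

```powershell
# Added verification script (not from the original article). Run elevated on
# each IIS server after 'gpupdate /force'. Requires RSAT setspn.exe and the
# WebAdministration module. Pool and site names below are assumptions.
$Fqdn    = 'sso.chat-messenger.com'
$Domain  = 'CAMTEST'
$Account = 'cam-svc'
$AppPool = 'SsoAppPool'        # hypothetical pool name; replace with yours
$Site    = 'Default Web Site'  # site whose effective auth settings are read
$ok = $true

# 1. The SPN must be held by exactly one object, the service account
#    (not Server1$/Server2$). setspn -Q prints the DN of every holder.
$spnOut  = & setspn.exe -Q "HTTP/$Fqdn" 2>&1 | Out-String
$holders = @([regex]::Matches($spnOut, 'CN=[^\r\n]+') | ForEach-Object { $_.Value })
if ($holders.Count -ne 1 -or $holders[0] -notmatch "^CN=$Account,") {
    Write-Warning "HTTP/$Fqdn holders: $($holders -join '; ') (expected only CN=$Account)"
    $ok = $false
}

# 2. The application pool identity must be the shared service account.
Import-Module WebAdministration
$pm = Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne "$Domain\$Account") {
    Write-Warning "App pool '$AppPool' runs as $($pm.identityType)/$($pm.userName)"
    $ok = $false
}

# 3. windowsAuthentication: useAppPoolCredentials=True, useKernelMode=False
#    (effective values for the site, as set via Configuration Editor).
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$useApc = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $filter -Name useAppPoolCredentials).Value
$useKm  = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $filter -Name useKernelMode).Value
if ($useApc -ne $true -or $useKm -ne $false) {
    Write-Warning "useAppPoolCredentials=$useApc useKernelMode=$useKm (expected True/False)"
    $ok = $false
}

# 4. "Log on as a batch job" (SeBatchLogonRight) must list the account's SID
#    in the effective local policy, which includes rights granted by GPO.
$sid = (New-Object System.Security.Principal.NTAccount($Domain, $Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeBatchLogonRight' | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line -or $line.Line -notmatch ([regex]::Escape("*$sid") + '(,|\s*$)')) {
    Write-Warning "$Domain\$Account ($sid) lacks SeBatchLogonRight; w3wp.exe will fail (HTTP 503)"
    $ok = $false
}

if ($ok) { Write-Host "All IWA prerequisites satisfied on $env:COMPUTERNAME" }
```

A warning on check 1 listing a Server1$ or Server2$ DN is the condition behind the "Duplicate SPN found" error described earlier; remove the SPN from the computer accounts and keep it only on cam-svc.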
