Is Kerberos authentication supported?
I'm trying to configure a new Password Server instance for proper Windows Authentication, meaning Kerberos, not NTLM.
Your documentation for "Windows Authentication" seems to support only NTLM, as many Kerberos aspects are missing.
- Used the directory, created by DVLS.Console
- Changed AppPool account from NetworkService to a service account from my AD
- Added SPN to this AppPool account (HTTP/dvls.mydomain.com)
- Allowed AppPool account to delegate to any service (Kerberos)
- Feature Delegation settings were set as described in your Windows Auth documentation
- client has *.mydomain.com defined as Intranet sites in Windows/IE
- AppPool account and AD group for app users were permitted on file system
When trying to login (Chrome and IE11 with SPN-fitting FQDN), there's always a login prompt popup. This should not appear as it's supposed to be integrated authentication. Even entering a correct user/password lets the popup re-appear until the server says HTTP 401 unauthenticated.
To verify Kerberos authentication is set up correctly (for the directory, not for the DVLS app), I've moved all files off the web directory and put a PNG file in. Access to the PNG file works as expected with integrated authentication.
How to get Kerberos authentication working for DVLS?
Some other facts:
- App Server OS is Windows Server 2016
- AD is in Windows 2016 mode
- SQL 2016 is installed on separate server
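The checklist above can be verified from the web server with the following script. It is an added diagnostic, not code from the original post or from Devolutions; the AppPool name, site path, service account and SPN are placeholders, and it assumes the ActiveDirectory and WebAdministration PowerShell modules are installed.

```powershell
# Added diagnostic script (not part of the original post or the DVLS product).
# Placeholders, adjust to your environment:
$appPool   = 'DVLS'                      # IIS application pool name
$sitePath  = 'Default Web Site/DVLS'     # IIS site/application path
$account   = 'svc-dvls'                  # sAMAccountName of the AppPool identity
$expectSpn = 'HTTP/dvls.mydomain.com'    # SPN the browser will request

Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. The AppPool must run as the domain account that owns the SPN.
$pm = Get-ItemProperty "IIS:\AppPools\$appPool" -Name processModel
"AppPool identity: $($pm.identityType) $($pm.userName)"

# 2. The SPN must be registered on that account and on no other object;
#    a duplicate SPN makes the KDC refuse to issue a ticket, which forces NTLM.
$user = Get-ADUser -Identity $account -Properties servicePrincipalName, TrustedForDelegation
"SPNs on ${account}: $($user.servicePrincipalName -join ', ')"
"Unconstrained delegation: $($user.TrustedForDelegation)"   # constrained delegation to the SQL SPN is narrower
$dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$expectSpn)" |
         Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
if ($dupes) { "WARNING: duplicate SPN on: $($dupes.DistinguishedName -join '; ')" }

# 3. Negotiate must be listed before NTLM, otherwise clients fall back to NTLM.
$filter    = 'system.webServer/security/authentication/windowsAuthentication'
$providers = (Get-WebConfiguration "$filter/providers/add" -PSPath 'IIS:\' -Location $sitePath).value
"Providers (in order): $($providers -join ', ')"

# 4. With a custom AppPool identity, kernel-mode authentication decrypts tickets with
#    the machine account key unless useAppPoolCredentials is enabled; that mismatch
#    yields exactly the repeated prompt followed by a final 401.
$kernel = Get-WebConfigurationProperty $filter -PSPath 'IIS:\' -Location $sitePath -Name useKernelMode
$useApc = Get-WebConfigurationProperty $filter -PSPath 'IIS:\' -Location $sitePath -Name useAppPoolCredentials
"useKernelMode=$($kernel.Value) useAppPoolCredentials=$($useApc.Value)"
if ($kernel.Value -and -not $useApc.Value) {
    "FIX: Set-WebConfigurationProperty $filter -PSPath 'IIS:\' -Location '$sitePath' -Name useAppPoolCredentials -Value True"
}

# 5. From a domain-joined client: confirm a service ticket is actually issued for the SPN.
klist get $expectSpn
```

If step 5 shows a ticket but the site still prompts, the problem is on the IIS side (steps 1, 3 or 4), not in AD.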
As far as I understand, if you configure IIS to only allow Kerberos, all will be handled correctly when using RDM.
As to the Web Interface, we have elected that the best route to keep on handling a combination of our existing authentication models (custom, AD, DB, Local) at the same time (many of our customers do that...) was to keep our login page as a facade.
So in essence, the engineer tells me that the feature is working as it has been designed for implementation.