
Posts by martin12 (martin12)

martin12

Is Kerberos authentication supported?


I'm trying to configure a new Password Server instance for proper Windows Authentication, meaning Kerberos, not NTLM.
Your documentation for "Windows Authentication" seems to support only NTLM, as many Kerberos aspects are missing.

- Used the directory, created by DVLS.Console
- Changed AppPool account from NetworkService to a service account from my AD
- Added SPN to this AppPool account (HTTP/dvls.mydomain.com)
- Allowed AppPool account to delegate to any service (Kerberos)
- Feature Delegation settings were set as described in your Windows Auth documentation
- Client has *.mydomain.com defined as Intranet sites in Windows/IE
- AppPool account and AD group for app users were permitted on file system

When trying to log in (Chrome and IE11 with SPN-fitting FQDN), there's always a login prompt popup. This should not appear as it's supposed to be integrated authentication. Even entering a correct user/password lets the popup re-appear until the server says HTTP 401 unauthenticated.

To verify Kerberos Authentication is set up correctly (for the directory, not for the DVLS app), I've moved all files off the web directory and put a PNG file in. Access to the PNG file works as expected with integrated authentication.

How to get Kerberos authentication working for DVLS?

Some other facts:
- App Server OS is Windows Server 2016
- AD is in Windows 2016 mode
- SQL 2016 is installed on separate server

2 yrs Windows Authentication with Kerberos
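
Integrated authentication over the Negotiate scheme can complete with either a Kerberos ticket or an NTLM fallback, so a useful check for a setup like the one in the post above is to classify the token in a captured `Authorization` header. The following is an added example, not part of the original post or of the product's code; the function names and the sample tokens are constructed for illustration, and the Kerberos test is a heuristic (Kerberos mechanism OID followed by the AP-REQ token id `01 00`).

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag + length + value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIG = b"NTLMSSP\x00"

def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'spnego-other', 'unknown', 'invalid' or 'not-negotiate'."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    if not raw:
        return "invalid"
    if raw.startswith(NTLM_SIG):           # bare NTLMSSP message
        return "ntlm"
    # A GSS-API Kerberos token is the Kerberos OID followed by token id 01 00.
    # Inside the SPNEGO mechTypes list the OID is only *offered*, so it is
    # followed by another tag, not by 01 00.
    if KRB5_OID + b"\x01\x00" in raw:
        return "kerberos"
    if NTLM_SIG in raw:                    # NTLMSSP wrapped in SPNEGO
        return "ntlm"
    return "spnego-other" if SPNEGO_OID in raw[:16] else "unknown"

def tlv(tag, body):
    """Short-form DER TLV, enough for the small constructed samples below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def spnego_init(mech_oid, mech_token):
    """Constructed NegTokenInit: one offered mechanism plus its mechToken."""
    inner = tlv(0xA0, tlv(0x30, mech_oid)) + tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, SPNEGO_OID + tlv(0xA0, tlv(0x30, inner)))

def header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample tokens (stubs for illustration, not captured traffic).
KRB_STUB = tlv(0x60, KRB5_OID + b"\x01\x00" + b"\x6e\x03\x00\x00\x00")
NTLM_STUB = NTLM_SIG + (1).to_bytes(4, "little") + b"\x00" * 8
SAMPLES = {"kerberos": header(spnego_init(KRB5_OID, KRB_STUB)),
           "ntlm-in-spnego": header(spnego_init(NTLM_OID, NTLM_STUB)),
           "raw-ntlm": header(NTLM_STUB)}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
```

A real header value can be copied from the browser's developer tools or a proxy capture of the request that follows the server's 401 response.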