Kerberos Constrained Delegation
Last post Nov 07, 2018 10:15 PM by pfeif4
Nov 05, 2018 08:32 PM | pfeif4
So I am wondering if this is possible as I am trying to replace TMG 2010 with ARR.
In TMG, I have the server set up to request a client certificate and authenticate the user. TMG then redirects to the backend server which is IIS and has Windows Auth turned on. The user is logged in based on Kerberos Constrained Delegation.
The TMG box is authorized to delegate to the backend IIS server with AD. TMG is also told to use the SPN of http/backendserver.
So, I try the same thing in ARR and it is failing. I saw some posts that ARR cannot delegate, so I am wondering if it is possible or what I am missing.
ARR is set to allow delegation to the backend server. The backend server is the same as above with Windows Auth turned on. ARR has Windows Auth turned on as well.
Is this possible? Or am I just missing setting an SPN on the ARR box, so it knows how to set the KCD ticket? What SPN should I use to mimic the TMG UI setting?
Nov 07, 2018 02:17 AM | Brando Zhang
As far as I know, we could set the ARR server to work with Kerberos Constrained Delegation.
I suggest you refer to the article below to learn how to set Kerberos Constrained Delegation to work with ARR.
We could u
Nov 07, 2018 10:15 PM | pfeif4
Thank you - I was reading that as well. My confusion has been that most of the articles reference Kerberos from the desktop to the web site. I will check this out to see if it helps with the double hop. Looks promising.