IIS 7 and Above
IWA/Kerberos Authentication fails on HA WebAdapters when the site in...
Last post Jun 25, 2019 04:25 PM by pip13
Jun 25, 2019 11:54 AM|pip13|LINK
We have a load balancer in front of these IIS-based WebAdapters. Disabling "Extended Protection" under Windows authentication, advanced settings, will allow Kerberos to authenticate and pass credentials.
Theoretically, setting this value to "Allow" should work as well, but no luck.
Any suggestions as to why this is the case? We need double-hop to pass credentials from the load-balancer's to the services behind the Web Adapters.
Jun 25, 2019 01:55 PM|lextm|LINK
Ask your domain administrators to assist, as they know more about the necessary configuration. Tools like DelegConfig might help but again, domain administrators are more familiar with the tooling.
Jun 25, 2019 04:25 PM|pip13|LINK
SPN and application pool ID's have been assigned for the load balancer and webadapter's. The double-hop/ticket authentication should be working with the default IWA settings... however...
In order for double hop to work, we've had to "Turn off" the Extended Protection feature under Advanced Settings in the Windows Authentication section of the site.