IWA/Kerberos Authentication fails on HA WebAdapters when the site in IIS is set to use "Extended Protection"

2 replies

Last post Jun 25, 2019 04:25 PM by pip13

  • IWA/Kerberos Authentication fails on HA WebAdapters when the site in IIS is set to use "Extended...

    Jun 25, 2019 11:54 AM | pip13

    We have a load balancer in front of these IIS-based WebAdapters. Disabling "Extended Protection" under Windows authentication, advanced settings, will allow Kerberos to authenticate and pass credentials. 

    Theoretically, setting this value to "Allow" should work as well, but no luck.

    Any suggestions as to why this is the case? We need double-hop to pass credentials from the load balancers to the services behind the Web Adapters.

  • Re: IWA/Kerberos Authentication fails on HA WebAdapters when the site in IIS is set to use "Exten...

    Jun 25, 2019 01:55 PM | lextm

    Ask your domain administrators to assist, as they know more about the necessary configuration. Tools like DelegConfig might help but again, domain administrators are more familiar with the tooling.

    Lex Li
  • Re: IWA/Kerberos Authentication fails on HA WebAdapters when the site in IIS is set to use "Exten...

    Jun 25, 2019 04:25 PM | pip13

    SPN and application pool IDs have been assigned for the load balancer and WebAdapters. The double-hop/ticket authentication should be working with the default IWA settings... however...

    In order for double hop to work, we've had to "Turn off" the Extended Protection feature under Advanced Settings in the Windows Authentication section of the site.