Configuring Delegated Authentication

Using the Proper SPN Service

How the backend web service is deployed determines which SPN service class must be used. If the backend web service runs on a standalone server and the web pages are served under a local service account (for example Network Service), use the 'HOST' SPN service. In every other case, such as a dedicated domain service account or a web farm, use the 'HTTP' service.

Adding Destination SPNs

Log in to a server joined to the Windows domain. Add the required SPNs for the host, or for the domain account, that hosts the backend web server, using the setspn.exe command. If your setup uses the HOST SPN service, the computer account may already have the SPN registered (HOST SPNs are created automatically when a computer joins the domain), so check with setspn -L before adding it.

Backend served under a local service account (register on the computer account; -C means the target is a computer account, -S checks for duplicates before adding):

#> setspn -C -S {Service SPN}/{backend FQDN of host / farm} DOMAIN\{backend hostname}$

#> setspn -C -S {Service SPN}/{backend SHORTNAME of host} DOMAIN\{backend hostname}$

Backend served under a domain account (register on the user account; -U means the target is a user account):

#> setspn -U -S {Service SPN}/{backend FQDN of host / farm} DOMAIN\{username}

#> setspn -U -S {Service SPN}/{backend SHORTNAME of host / farm} DOMAIN\{username}

Granting WAP Delegation Privileges

You have to grant the WAP server(s) the right to perform delegation. Launch the Active Directory Users & Computers MMC and locate the computer object for the WAP server. Open the properties of the object and click the 'Delegation' tab. Select the 'Trust this computer for delegation to specified services only' radio button, then select the 'Use any authentication protocol' radio button (this enables protocol transition, which WAP needs because the user authenticates to the proxy with a non-Kerberos method). Now add the backend web host(s) to the list, choosing the SPN service that matches your deployment (HOST or HTTP, as decided above). Keep this list limited to the backend services WAP actually publishes; every SPN added here is a service the WAP account can obtain tickets for on behalf of any user.

Now do the same for the domain account that was used to configure the Web Application Proxy role.
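The following script is an added example, not part of the original page, that checks the results of the two steps above (SPN registration and WAP delegation rights) from a domain-joined admin workstation. It assumes the RSAT ActiveDirectory module and the hypothetical names WAP01 (proxy computer account), web01.contoso.local / WEB01 (backend host) and the HTTP service class; substitute your own.

```powershell
# Added example (not from the original page). Verifies the Kerberos constrained
# delegation setup described above. Names below are assumptions.
Import-Module ActiveDirectory

$WapHost     = 'WAP01'                # WAP computer account (assumed name)
$BackendFqdn = 'web01.contoso.local'  # backend host / farm FQDN (assumed)
$BackendHost = 'WEB01'                # backend short name (assumed)
$SpnService  = 'HTTP'                 # use 'HOST' only for the standalone / local-account case

$expectedSpns = @("$SpnService/$BackendFqdn", "$SpnService/$BackendHost")

# 1. Each destination SPN must resolve to exactly one account.
#    A missing SPN means no Kerberos ticket can be issued for the backend;
#    a duplicate SPN makes the KDC return KDC_ERR_... style failures.
foreach ($spn in $expectedSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered on any account" }
        1       { Write-Host    "OK  $spn -> $($owners[0].DistinguishedName)" }
        default { Write-Warning "$spn is registered on $($owners.Count) accounts (duplicate SPN)" }
    }
}

# 2. The WAP computer object must list the backend SPNs in msDS-AllowedToDelegateTo
#    (the 'Delegation' tab list) and have protocol transition enabled
#    ('Use any authentication protocol').
$wap     = Get-ADComputer -Identity $WapHost -Properties 'msDS-AllowedToDelegateTo', userAccountControl
$allowed = @($wap.'msDS-AllowedToDelegateTo')
foreach ($spn in $expectedSpns) {
    if ($allowed -contains $spn) { Write-Host    "OK  $WapHost may delegate to $spn" }
    else                         { Write-Warning "$WapHost is missing $spn in its delegation list" }
}

# Anything beyond the expected backends widens what the WAP account can impersonate users to.
$extra = $allowed | Where-Object { $expectedSpns -notcontains $_ }
if ($extra) { Write-Warning "$WapHost is also allowed to delegate to: $($extra -join ', ')" }

# userAccountControl bit set by 'Use any authentication protocol' (TRUSTED_TO_AUTH_FOR_DELEGATION)
$TrustedToAuthForDelegation = 0x1000000
if ($wap.userAccountControl -band $TrustedToAuthForDelegation) {
    Write-Host "OK  $WapHost has protocol transition enabled"
} else {
    Write-Warning "$WapHost is not trusted to authenticate for delegation (protocol transition is off)"
}
```

Run the same checks against the domain account used to configure the WAP role by replacing Get-ADComputer with Get-ADUser; the attributes and the userAccountControl bit are the same for user objects.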

Enable Default Kerberos Authentication

With Group Policy, you must enable the 'Allow default delegating credentials' setting under Computer Configuration / Policies / Administrative Templates / System / Credential Delegation. This policy should apply to all of your backend servers that accept the Kerberos token forwarded by WAP.