Archive for category Kerberos
IIS & Kerberos Kernel Mode
A new post about Kerberos: indeed some techno stuff nobody seems to understand, but it is very important for security. A new feature in Windows 2008 IIS7 is kernel mode support. What does it do, and more importantly, how can it help you?
Windows 2008R2 features part VI: Managed Service Accounts – delegation
Posted by RZomerman in All Posts, Active Directory, Kerberos on April 1st, 2010
In a previous entry I’ve explained how you can run services under the new Managed Service Account. Say now that we want to use this service account in combination with Kerberos and the account needs to be trusted for delegation. We set an SPN on it, but in Active Directory Users and Computers we seem to be unable to find the trusted for delegation option. Let’s take a closer look at these accounts once they have been created; to do this we’ll be using ldp.exe.
Kerberos multiple hops
Posted by RZomerman in All Posts, Kerberos on July 29th, 2008
You all remember the maximum 2 hops for Kerberos, right? Well, in Microsoft land it works a little differently, and it is possible to create a multiple-tier Kerberos delegation structure.
Basically we want the following to happen:
Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication
In this case, IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I’ve used http://support.microsoft.com/kb/314404 for the setup.
Kerberos PAC validation
Posted by RZomerman in All Posts, Kerberos on July 20th, 2008


