When and how do I use Kerberos authentication in ASP.NET 2.0?

From Guidance Share

Revision as of 05:34, 16 October 2006; Admin

J.D. Meier, Prashant Bansode, Alex Mackman


If all your computers are in a Windows 2000 Server or later domain and your clients are using Internet Explorer version 5.5 or later, you can use Kerberos authentication in ASP.NET.

To use Kerberos Authentication in ASP.NET

  • Configure your application's virtual directory in IIS to disable anonymous access and configure it to use Integrated Windows authentication alone (by default anonymous access is enabled).
  • Configure your application's Web.config for Windows authentication (the default):

      <authentication mode="Windows" />

If you run your application using a domain service account, you must register a service principal name (SPN) for that account in Active Directory to associate the account with the HTTP service on the Web server. To register an SPN, use the Setspn.exe utility as follows:

setspn -A HTTP/webservername domain\customAccountName
setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName
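To confirm that the SPN registration above actually produces Kerberos logons rather than a silent fallback to NTLM, the following diagnostic handler can be dropped into the virtual directory. It is an added example written for this page, not code from the original article or from Microsoft; the file name KerberosCheck.ashx is an assumption, and it relies on WindowsIdentity.AuthenticationType reporting "Kerberos" or "NTLM" for a Negotiate logon.

```csharp
<%@ WebHandler Language="C#" Class="KerberosCheckHandler" %>
// KerberosCheck.ashx (hypothetical file name): a diagnostic handler for an
// ASP.NET 2.0 site that uses Integrated Windows authentication. It reports
// which package the client actually negotiated. Seeing "NTLM" when the site
// runs under a domain service account usually means the HTTP/<host> SPN is
// missing or registered on the wrong account, so Kerberos silently fell back.
using System;
using System.Security.Principal;
using System.Web;

public class KerberosCheckHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    // Turns the raw authentication type into an actionable verdict.
    // Static and side-effect free so it can be unit tested on its own.
    public static string Classify(string authenticationType, bool isAuthenticated)
    {
        if (!isAuthenticated)
            return "ANONYMOUS: anonymous access is still enabled on the virtual directory";
        if (string.Equals(authenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase))
            return "OK: Kerberos ticket accepted";
        if (string.Equals(authenticationType, "NTLM", StringComparison.OrdinalIgnoreCase))
            return "FALLBACK: NTLM used; verify the HTTP/<host> SPNs on the service account";
        return "UNEXPECTED: " + authenticationType;
    }

    public void ProcessRequest(HttpContext context)
    {
        WindowsIdentity identity = context.User == null
            ? null
            : context.User.Identity as WindowsIdentity;
        bool authenticated = identity != null && identity.IsAuthenticated;
        // For a Negotiate logon, AuthenticationType is "Kerberos" or "NTLM".
        string package = authenticated ? identity.AuthenticationType : "(none)";

        context.Response.ContentType = "text/plain";
        context.Response.Write("User:        " + (authenticated ? identity.Name : "(anonymous)") + "\r\n");
        // AUTH_TYPE is the HTTP scheme the browser answered with (Negotiate or NTLM).
        context.Response.Write("AUTH_TYPE:   " + context.Request.ServerVariables["AUTH_TYPE"] + "\r\n");
        context.Response.Write("Package:     " + package + "\r\n");
        if (authenticated)
            // Passing the caller's identity to a back end needs Impersonation or Delegation here.
            context.Response.Write("Token level: " + identity.ImpersonationLevel + "\r\n");
        context.Response.Write("Result:      " + Classify(package, authenticated) + "\r\n");
    }
}
```

Request the handler from a domain-joined client with the browser settings described below; a FALLBACK result after the setspn commands usually points at a host name that does not match the registered SPN.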

Note that you cannot have multiple Web applications with the same host name if you want them to have multiple identities and to use Kerberos authentication. This is an HTTP limitation, not a Kerberos limitation. The workaround is to have multiple Domain Name System (DNS) names for the same host, and start the URLs for each Web application with a different DNS name. For example, you would use http://app1 and http://app2 instead of http://site/app1 and http://site/app2.

Note: If your clients run Internet Explorer 6, you must enable the browser to respond to a negotiate challenge and perform Kerberos authentication. To do this, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser. Administrators can enable Integrated Windows authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
