Kerberos (Impersonation/Delegation) Setup in 2022

Requirements

  • The IIS application pool hosting Anywhere must run as Local System or Network Service (the default), so that IIS authenticates to the domain as the ASERVER computer account
  • The actual server names (NetBIOS or FQDN) must be used when accessing TARGIT Server and Anywhere; an IP address or localhost cannot be matched to an SPN and Kerberos will not be used

Computer names used in below examples

  • TSERVER - Server running the TARGIT Server service
  • ASERVER - Server running the Anywhere service (in IIS)

The Active Directory domain's FQDN is TEST.LOCAL (NetBIOS name TEST).

Service Principal Name (SPN) setup for servers and service account

Run the following commands:

  • SETSPN -A HTTP/TSERVER:1301 TEST\TSERVER
  • SETSPN -A HTTP/TSERVER.TEST.LOCAL:1301 TEST\TSERVER

If DNS aliases are used for either the TARGIT server or the Anywhere server, SPNs for those alias names must be registered as well.

The SPN must match the host name used in the browser / Windows client, because the client requests a Kerberos ticket for exactly the name it was given.

For example, if the browser URL for Anywhere is http://AW.UniversalImports.com the SPN should be set as

  • SETSPN -A HTTP/AW.UniversalImports.com TEST\ASERVER

NOTE: A Kerberos service ticket is encrypted with the key of the account the SPN is registered to, so an SPN must be registered on the account the service actually runs as. IIS runs as Local System or Network Service (see Requirements) and therefore authenticates as the ASERVER computer account, which is why the Anywhere SPN is registered on TEST\ASERVER; the examples above likewise assume the TARGIT Server service runs as a built-in account and place its SPNs on the TSERVER computer account. If the TARGIT Server service is run under a dedicated domain account instead, register its SPNs on that account and select that account in the delegation tab below.

NOTE: SETSPN command parameters are not supported on Windows Server 2012 (and earlier).
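The following is an added example, not part of the TARGIT article, that performs the SPN registration above from PowerShell and adds the checks a practitioner wants before moving on: it uses setspn -S instead of -A so that a duplicate SPN is refused rather than silently created (a duplicate SPN breaks Kerberos for both services and clients fall back to NTLM or fail), then lists what each account holds and scans the forest for duplicates. Server and domain names are the article's examples; run it as an account allowed to write SPNs (normally a domain admin) on a domain-joined machine where setspn.exe is present.

```powershell
# Added example (not from the TARGIT article). Registers the article's SPNs with
# duplicate checking and verifies the result. Names are the article's examples.
$Domain = 'TEST'

$Spns = @(
    # TARGIT Server, reachable by NetBIOS name and by FQDN on port 1301
    @{ Spn = 'HTTP/TSERVER:1301';            Account = "$Domain\TSERVER" },
    @{ Spn = 'HTTP/TSERVER.TEST.LOCAL:1301'; Account = "$Domain\TSERVER" },
    # Anywhere front end, reachable by the DNS alias users type into the browser
    @{ Spn = 'HTTP/AW.UniversalImports.com'; Account = "$Domain\ASERVER" }
)

foreach ($entry in $Spns) {
    # -S (Windows Server 2008 and later) adds the SPN only if it is not already
    # registered on any account in the forest; -A would create a duplicate.
    & setspn.exe -S $entry.Spn $entry.Account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn failed for $($entry.Spn) on $($entry.Account); check for an existing registration with: setspn -Q $($entry.Spn)"
    }
}

# Verify: -L lists the SPNs now registered on each computer account.
& setspn.exe -L "$Domain\TSERVER"
& setspn.exe -L "$Domain\ASERVER"

# -Q shows whether (and on which account) a given SPN is registered anywhere in the forest.
& setspn.exe -Q HTTP/AW.UniversalImports.com

# -X scans the forest for duplicate SPNs; the expected output is "found 0 group of duplicate SPNs".
& setspn.exe -X
```

If setspn -Q shows an SPN on an unexpected account (for example a service account left over from an earlier installation), remove it there with setspn -D before adding it to the computer account; otherwise the KDC may issue tickets encrypted with the wrong key.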

Front End Server(s) trusted for delegation

  1. Open Active Directory Users and Computers on the domain controller.
  2. Right click the computer account for the front end server (ASERVER) and select Properties.
  3. Open the Delegation tab and select the radio option Trust this computer for delegation to specified services only.
  4. Click Add, select the TSERVER computer account, and choose the HTTP service on port 1301 (this entry comes from the SPN HTTP/TSERVER:1301 created earlier).
  5. Restart the front end server (reboot the whole machine, not just IIS) so that the computer account's cached Kerberos tickets are discarded and the new delegation settings take effect.
  6. Repeat for each front end server.
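As an added example that is not part of the TARGIT article, the same constrained delegation can be configured and verified with the ActiveDirectory PowerShell module instead of clicking through ADUC, which is easier to repeat for several front end servers and leaves a record of exactly which target SPNs were granted. It assumes the RSAT ActiveDirectory module is installed and that the account running it may write the msDS-AllowedToDelegateTo attribute on the front end computer objects; the names are the article's examples.

```powershell
# Added example (not from the TARGIT article): "Trust this computer for delegation
# to specified services only" for each Anywhere front end, done from PowerShell.
Import-Module ActiveDirectory

$FrontEnds = @('ASERVER')   # add every Anywhere front end server here
$Targets   = @(             # SPNs registered on the TSERVER computer account
    'HTTP/TSERVER:1301',
    'HTTP/TSERVER.TEST.LOCAL:1301'
)

foreach ($fe in $FrontEnds) {
    # Constrained delegation is the msDS-AllowedToDelegateTo attribute on the
    # delegating (front end) computer account: the list of SPNs it may obtain
    # service tickets for on behalf of the logged-on user.
    Set-ADComputer -Identity $fe -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }

    # Keep the two broader options off. TrustedForDelegation is unconstrained
    # delegation (any service); TrustedToAuthForDelegation is protocol transition
    # ("Use any authentication protocol"), which would let the front end delegate
    # for users who never presented a Kerberos ticket to it. Least privilege for
    # this setup is Kerberos-only constrained delegation to the two SPNs above.
    Set-ADAccountControl -Identity "$fe`$" -TrustedForDelegation $false -TrustedToAuthForDelegation $false

    # Verify what AD now holds for this front end.
    Get-ADComputer -Identity $fe -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

    # The article's step 5 still applies: reboot the front end afterwards, e.g.
    # Restart-Computer -ComputerName $fe -Force
}
```

The expected output per front end is TrustedForDelegation False, TrustedToAuthForDelegation False and AllowedToDelegateTo listing exactly the TSERVER SPNs. A front end that shows TrustedForDelegation True has been given unconstrained delegation, which lets it impersonate users to any service in the domain and should be corrected.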

The following is a screenshot of the delegation tab.

[Screenshot: Delegation tab of the front end server's computer account, "Trust this computer for delegation to specified services only" selected, with HTTP/TSERVER:1301 listed]

TARGIT Anywhere Server targitsettings.json changes to reflect multiple servers

  • Open C:\inetpub\wwwroot\TouchServer\targitsettings.json in a text editor such as Notepad
  • Set the Server value to the name the SPN is registered for, in this case TSERVER or TSERVER.TEST.LOCAL (not an IP address or localhost, since those cannot be matched to the SPN)

{
  "TargitSettings": {
    "Server": "TSERVER",
    "SessionTimeout": 60
  }
}

Restart the IIS server.

Change Windows Security to Negotiate in TARGIT Management Studio

To authenticate with Kerberos (the "Kerberos only" scenario above), change the security package in TARGIT Management Studio. Negotiate (SPNEGO) selects Kerberos when the client holds a ticket for a matching SPN and falls back to NTLM otherwise; a package fixed to NTLM can never use the delegated ticket.

  1. In TARGIT Management Studio select the Security tab.
  2. Under the security model select Change Security Model and change the Windows Security - Security Package to Negotiate.
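Because Negotiate silently falls back to NTLM when the SPN or host name does not line up, the setup should be confirmed end to end rather than assumed to be using Kerberos. The following added example (not part of the TARGIT article) shows the two checks: on a client PC, klist should show a service ticket for the Anywhere name after the browser has opened Anywhere; on ASERVER and TSERVER, the Security log's network logon events (4624, logon type 3) should report Kerberos as the authentication package. The host name and the one-hour window are assumptions; run the server part elevated.

```powershell
# Added example (not from the TARGIT article): confirm Kerberos is actually in use.

# 1. On a client PC, after opening http://AW.UniversalImports.com in the browser.
#    A "Server: HTTP/AW.UniversalImports.com @ TEST.LOCAL" line means the browser
#    obtained a Kerberos service ticket. If it is missing although login worked,
#    the browser fell back to NTLM (usually an SPN / URL mismatch) and delegation
#    to TSERVER will not work.
klist | Select-String -SimpleMatch 'HTTP/AW.UniversalImports.com' -Context 0,3

# 2. On ASERVER and on TSERVER: summarize recent network logons by authentication
#    package. On TSERVER, delegated logons arrive as Kerberos, carry the end user's
#    account name, and have ASERVER's IP address as the source.
function Get-LogonPackageSummary {
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $data.LogonType
                Package   = $data.AuthenticationPackageName
                Source    = $data.IpAddress
            }
        } |
        Where-Object { $_.LogonType -eq '3' } |
        Group-Object Package |
        Select-Object Name, Count
}

Get-LogonPackageSummary -Hours 1
```

If the summary on either server shows the TARGIT users' logons under NTLM rather than Kerberos, revisit the SPN list (setspn -L), the name used in the browser URL and in targitsettings.json, and whether the front end has been rebooted since the delegation change.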

[Screenshot: Change Security Model dialog in TARGIT Management Studio with Windows Security - Security Package set to Negotiate]
