How to configure SynWeb for Kerberos authentication

Modified on Fri, 13 Mar at 12:10 AM

Overview

SynWeb single sign-on with Windows authentication requires Kerberos authentication. This is achieved by configuring Active Directory so that the Web server is trusted to delegate users' Kerberos credentials to the SQL Server service, using Kerberos constrained delegation.

Requirements:

  1. Active Directory backed up and available to restore if required.
  2. SQL Server instance needs to be assigned a static port.
  3. SQL Server instance needs to be run as a domain user service account.
  4. Synergetic login (typically 'CDA') needs to be temporarily elevated to domain administrator.
  5. Login access to the domain controller.


Please make sure you have the following information at hand.

  • <domain name> - Domain name
  • <sql server name> - SQL Server name or SQL Server Availability Group listener name (if Availability Groups in use)
  • <sql server fqdn> - SQL Server FQDN or SQL Server Availability Group listener FQDN (if Availability Groups in use)
  • <sql port> - SQL Server instance port
  • <service account> - SQL Server service account name
  • Web Server name and location in Active Directory

Procedure

  1. Log in to domain controller
  2. Open command prompt as administrator
  3. Enter the following:

    setspn -S MSSQLSvc/<sql server name>:<sql port> <domain name>\<service account>
    setspn -S MSSQLSvc/<sql server fqdn>:<sql port> <domain name>\<service account>
  4. If a new Web Server has been installed, you may also need to add an SPN 'HTTP/<web URL>' for the web server computer object. This may need to be performed using ADSI Edit on the domain controller.
  5. Run 'Active Directory Users and Computers'
  6. Navigate to Web Server and select 'Properties'
  7. Click the 'Delegation' tab and select 'Trust this computer for delegation to specified services only', then 'Use Kerberos only'.
  8. Click 'Add' and search for SQL Server service account name.
  9. From 'Add Services', select both services defined above by the 'setspn' command and click 'OK'.
  10. Click 'OK' to accept the changes.
  11. In IIS:
    1. set the SynWeb site App Pool to Local System
    2. under Authentication, enable Windows Authentication and ASP.NET Impersonation

  12. In SynWeb configuration, set authentication mode to 'W' and make sure all users have read/write file system permissions to SynWeb folder.
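The Active Directory part of the procedure (steps 3 to 10: SPN registration on the service account and Kerberos-only constrained delegation on the web server computer object) can be done and checked from PowerShell. The script below is an added example and is not part of the original article or of SynWeb; it uses the ActiveDirectory module (RSAT) and assumes a domain-admin session. The account, server and port values are placeholders to be replaced with your own.

```powershell
# Added example (not from the original article): registers the two MSSQLSvc SPNs on the
# SQL Server service account and configures Kerberos-only constrained delegation from the
# web server computer object to those SPNs. Requires the ActiveDirectory module (RSAT).
# Every default below is a placeholder.
param(
    [string]$SqlServerName  = 'SQL01',               # <sql server name>
    [string]$SqlServerFqdn  = 'sql01.corp.example',  # <sql server fqdn>
    [int]   $SqlPort        = 1433,                  # <sql port>
    [string]$ServiceAccount = 'svc-sql',             # <service account> (sAMAccountName)
    [string]$WebServerName  = 'WEB01'                # web server computer name
)

Import-Module ActiveDirectory -ErrorAction Stop

$spns = @(
    "MSSQLSvc/${SqlServerName}:$SqlPort",
    "MSSQLSvc/${SqlServerFqdn}:$SqlPort"
)

# 1. Stop if an SPN is already registered on another object. A duplicate SPN makes the
#    KDC unable to issue a ticket, and clients silently fall back to NTLM.
foreach ($spn in $spns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    foreach ($owner in $owners) {
        if ($owner.Name -ne $ServiceAccount) {
            throw "SPN $spn is already registered on $($owner.DistinguishedName); remove it before continuing."
        }
    }
}

# 2. Add the missing SPNs to the service account (same effect as 'setspn -S').
$svc     = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames
$missing = @($spns | Where-Object { $svc.ServicePrincipalNames -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $missing }
}

# 3. Constrained delegation, 'Use Kerberos only': list the SQL SPNs in
#    msDS-AllowedToDelegateTo on the web server computer object and keep
#    TrustedToAuthForDelegation false (true would be 'Use any authentication protocol').
Set-ADComputer -Identity $WebServerName -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
Set-ADComputer -Identity $WebServerName -TrustedToAuthForDelegation $false

# 4. Show the resulting state for review.
$web = Get-ADComputer -Identity $WebServerName -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$svc = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames
[pscustomobject]@{
    ServiceAccountSpns  = $svc.ServicePrincipalNames -join '; '
    AllowedToDelegateTo = $web.'msDS-AllowedToDelegateTo' -join '; '
    ProtocolTransition  = $web.TrustedToAuthForDelegation   # expected: False
}
```

The duplicate check in step 1 is the part worth keeping even if you prefer the GUI: `setspn -S` performs the same check before adding, which is why the article uses `-S` rather than `-A`.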

Verify Kerberos is operational

Log in to SQL Server and execute the following. You should start to see KERBEROS listed as the auth_scheme for new connections. Connections opened before the change will still be listed as 'NTLM'.


-- Lists sessions with the authentication scheme negotiated for each connection.
-- auth_scheme is 'KERBEROS' for Kerberos connections, 'NTLM' otherwise ('SQL' for SQL logins).
select
    spid,
    loginame = left(rtrim(loginame), 30),
    hostname = left(hostname, 15),
    auth_scheme,
    connect_time
from master.dbo.sysprocesses p
inner join sys.dm_exec_connections c on (p.spid = c.session_id)
where loginame like '%%'          -- narrow to one login if needed, e.g. '%CDA%'
order by connect_time desc


To check new connections, log in to separate server or workstation (not SQL Server or Web Server) and create a temporary ODBC connection to the SQL Server. Click on 'Test Connection' and re-run the script above. The new connection should be at the top of the list.
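Instead of creating a temporary ODBC connection by hand and then searching the session list, the check can be done from the test workstation in one step: open an integrated-security connection and ask SQL Server which scheme it negotiated for that very session. The function below is an added example, not part of the original article; it uses the System.Data.SqlClient provider that ships with Windows PowerShell and takes placeholder server values.

```powershell
# Added example (not from the original article): connects with Windows authentication and
# reports the auth_scheme SQL Server recorded for this session. Run it from a workstation
# that is neither the SQL Server nor the Web Server. Server and port are placeholders.
function Test-SqlAuthScheme {
    param(
        [Parameter(Mandatory)] [string]$SqlServerFqdn,   # <sql server fqdn>
        [int]$SqlPort = 1433                             # <sql port>
    )

    # Connecting to "tcp:<fqdn>,<port>" makes the client request the SPN
    # MSSQLSvc/<fqdn>:<port>, which must match one registered with setspn.
    $connectionString = "Server=tcp:$SqlServerFqdn,$SqlPort;Database=master;Integrated Security=SSPI"
    $connection = New-Object System.Data.SqlClient.SqlConnection $connectionString
    $result = $null
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        # @@SPID is this session, so only our own connection is inspected.
        $command.CommandText = @"
select c.auth_scheme, c.net_transport, c.client_net_address, s.login_name
from sys.dm_exec_connections c
join sys.dm_exec_sessions s on s.session_id = c.session_id
where c.session_id = @@SPID
"@
        $reader = $command.ExecuteReader()
        if ($reader.Read()) {
            $result = [pscustomobject]@{
                Server        = "$SqlServerFqdn,$SqlPort"
                Login         = $reader['login_name']
                AuthScheme    = $reader['auth_scheme']                    # 'KERBEROS' expected; 'NTLM' means fallback
                Transport     = $reader['net_transport']
                ClientAddress = $reader['client_net_address']
                KerberosInUse = ([string]$reader['auth_scheme'] -eq 'KERBEROS')
            }
        }
        $reader.Close()
    }
    finally {
        $connection.Dispose()
    }
    return $result
}

# Example invocation (placeholder server name):
Test-SqlAuthScheme -SqlServerFqdn 'sql01.corp.example' -SqlPort 1433
```

If `AuthScheme` comes back as NTLM from the workstation, the SPN or port is the usual cause; if it is KERBEROS here but the SynWeb-originated connections still show NTLM, the problem is on the delegation side (the web server computer object), not the SPN registration.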


Debugging

If Kerberos is not being listed at all, enable Kerberos client logging by setting the following registry value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel - REG_DWORD - 0x1

Open a command prompt as administrator and enter 'klist' to display Kerberos tickets. This will display information for all current and attempted Kerberos tickets. Check server names, service account names and particularly ports to make sure the tickets match the SPN configuration above.
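The registry change and the klist comparison above can be scripted so that the expected SPNs, the tickets actually obtained for them, and the Kerberos client events logged since LogLevel was enabled appear side by side. This is an added example, not part of the original article; `klist get <SPN>` is the built-in klist sub-command that requests a service ticket for one SPN, and the event provider name used for the log query is an assumption to adjust if your build logs elsewhere. SPN values are placeholders.

```powershell
# Added example (not from the original article): enables Kerberos client logging, requests a
# ticket for each expected SPN, lists cached MSSQLSvc tickets and recent Kerberos client
# events. Run in an elevated prompt. SPN values below are placeholders.
function Enable-KerberosClientLogging {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    # LogLevel = 1 makes the Kerberos client write its errors to the System event log.
    Set-ItemProperty -Path $path -Name LogLevel -Value 1 -Type DWord
}

function Test-KerberosSpnTickets {
    param([Parameter(Mandatory)] [string[]]$ExpectedSpns)
    foreach ($spn in $ExpectedSpns) {
        # 'klist get' asks the KDC for a service ticket for exactly this SPN; it fails
        # when no account carries the SPN or the SPN is registered twice.
        $output = & klist.exe get $spn 2>&1 | Out-String
        [pscustomobject]@{
            Spn            = $spn
            TicketObtained = [bool]($output -match ('Server:\s+' + [regex]::Escape($spn)))
            Detail         = (($output -split "`r?`n") |
                               Where-Object { $_ -match 'Server:|failed|Error' } |
                               ForEach-Object { $_.Trim() }) -join ' | '
        }
    }
}

function Get-CachedMssqlTickets {
    # Parse the 'Server:' lines of the ticket cache listing; only MSSQLSvc entries matter
    # here. Compare host name and port with the SPNs registered by setspn.
    & klist.exe 2>&1 | Out-String -Stream | ForEach-Object {
        if ($_ -match '^\s*Server:\s+(MSSQLSvc/\S+)') { $Matches[1] }
    }
}

function Get-RecentKerberosClientEvents {
    param([int]$MaxEvents = 20)
    # Assumed provider name for client-side Kerberos events in the System log.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Placeholder values: replace with the SPNs registered in step 3 of the procedure.
$spns = @('MSSQLSvc/SQL01:1433', 'MSSQLSvc/sql01.corp.example:1433')
Enable-KerberosClientLogging
Test-KerberosSpnTickets -ExpectedSpns $spns | Format-Table -AutoSize
'Cached MSSQLSvc tickets:'
Get-CachedMssqlTickets
Get-RecentKerberosClientEvents | Format-Table -AutoSize
```

A ticket that is obtained for the short name but not for the FQDN (or for a different port) points straight at the missing or mistyped SPN, which is the mismatch the klist step above asks you to look for.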
