BusinessObjects Enterprise Administrator's Guide

Configuring IIS5 for Kerberos end-to-end single sign-on

To support Kerberos end-to-end single sign-on, you have to set the IIS and the Aspnet_wp.exe worker process to run as a domain account that has been trusted for delegation.

You can run the IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

• If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
• If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.

Which approach you use, depends on how you want to manage your system security.

For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: http://www.microsoft.com.

Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:

• To run the IIS5 worker process under the machine domain account
• To run the IIS5 worker process under a user domain account

To run the IIS5 worker process under the machine domain account

1. On the domain controller, set the domain account of the IIS machine to be trusted for delegation.

Changing this property can take several minutes to propagate.

2. Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
• userName="SYSTEM"
• Password="AutoGenerate"

  In the above path name, version represents the software version.

  Note:    Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.

  Note:    For security reasons, make sure that the account which the IIS helper processes run under does not belong to a mapped group.

3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

To run the IIS5 worker process under a user domain account

1. Set the Aspnet_wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:
• userName="domainaccount"
• Password="password"

  Where domainaccount is a domain account that you have set to be trusted for delegation, and password is the password for the domain account.

  In the above path name, version represents the software version.

  Note:    For security reasons, make sure that the account which IIS helper processes run under does not belong to a mapped group.

2. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.