DEV Community

Lucas Pacheco
Tips to debug authentication error with Kerberos on Windows Server

Authentication errors with Kerberos on Windows Server are not unusual, and the information needed to track them down is scattered across many pages about Kerberos, IIS and Active Directory. Below is a summarized checklist that may help you identify the problem and, with luck, resolve it. The steps assume a site hosted in IIS that uses Windows Authentication, with the server-side settings made in IIS Manager.

Steps

1 - In IIS Manager, open the Authentication feature of the site or application and check that every authentication method (Anonymous, Basic, Digest, Forms) is disabled except Windows Authentication, which must be enabled. If Anonymous Authentication stays enabled, the client is never challenged and no Kerberos ticket is ever requested, so the rest of the checklist cannot even be exercised.

2 - Select Windows Authentication and open Providers (in the Actions pane, next to Advanced Settings). Make sure Negotiate is present and in the first position of the enabled providers list; if you also want to allow NTLM, leave it in second position. The order matters: with NTLM first, Kerberos is never attempted at all, and with NTLM removed a client that cannot obtain a ticket (one that addresses the server by IP address, or is not domain-joined) has no fallback and fails outright. If Negotiate is first and the client still falls back to NTLM, the cause is usually a missing SPN (steps 6 and 7).

3 - In Advanced Settings, enable Kernel-mode authentication. Besides being faster, this option decrypts Kerberos tickets in the kernel using the machine account by default, so it works without extra configuration as long as the computer account's HOST/ SPNs cover the host name the clients use. If the site runs under a custom application pool account that holds the HTTP/ SPN, kernel mode alone cannot decrypt the ticket; see the next step.

4 - If you use a custom account for your application pool, check the Windows Authentication configuration of the application in the Configuration Editor. Open the path system.webServer/security/authentication/windowsAuthentication and make sure the useAppPoolCredentials attribute is set to True. With kernel mode on and useAppPoolCredentials off, the KDC encrypts the service ticket with the key of the account holding the HTTP/ SPN (the pool account) while IIS tries to decrypt it with the machine account's key, and the request fails (typically surfacing as KRB_AP_ERR_MODIFIED).
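Steps 1 to 4 are the same four settings seen from the configuration side. The following PowerShell script is an added example, not code from the original post: it applies them to one site through the Microsoft.Web.Administration API that IIS Manager itself uses and then reads back what the site will actually use. The site name 'Default Web Site' and the assumption that the pool runs as a custom domain account are placeholders; adjust the parameters. Run it in an elevated PowerShell on the IIS server.

```powershell
# Added example (not from the original post): apply steps 1-4 to one IIS site and read the result back.
# Assumed names: site 'Default Web Site', application pool running as a custom domain account.
param(
    [string]$SiteName = 'Default Web Site',   # assumption: replace with your site name
    [bool]$CustomAppPoolAccount = $true        # $true when the pool identity is a domain user (step 4)
)

Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$mgr = New-Object Microsoft.Web.Administration.ServerManager
# The authentication sections are locked in applicationHost.config by default, so the
# site-level values live in a <location path="..."> there, not in the site's web.config.
$cfg  = $mgr.GetApplicationHostConfiguration()
$auth = 'system.webServer/security/authentication'

# Step 1: every method off except Windows Authentication
foreach ($method in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    try {
        $section = $cfg.GetSection("$auth/$method", $SiteName)
        $section['enabled'] = $false
    } catch {
        # the section does not exist when that role service is not installed, which is fine
    }
}
$win = $cfg.GetSection("$auth/windowsAuthentication", $SiteName)
$win['enabled'] = $true

# Step 2: Negotiate first, NTLM second (remove 'NTLM' from the list to force Kerberos only)
$providers = $win.GetCollection('providers')
$providers.Clear()                      # emits <clear/> so the server-level list is not inherited
foreach ($name in 'Negotiate', 'NTLM') {
    $add = $providers.CreateElement('add')
    $add['value'] = $name
    [void]$providers.Add($add)
}

# Step 3: kernel-mode authentication (decrypts tickets with the machine account key by default)
$win['useKernelMode'] = $true

# Step 4: when a custom pool account holds the HTTP/ SPN, kernel mode must use that account's key
$win['useAppPoolCredentials'] = $CustomAppPoolAccount

$mgr.CommitChanges()

# Read back the effective site-level settings with a fresh ServerManager
$check = (New-Object Microsoft.Web.Administration.ServerManager).
    GetApplicationHostConfiguration().GetSection("$auth/windowsAuthentication", $SiteName)
[pscustomobject]@{
    Site                  = $SiteName
    WindowsAuthEnabled    = $check['enabled']
    Providers             = ($check.GetCollection('providers') | ForEach-Object { $_['value'] }) -join ' > '
    UseKernelMode         = $check['useKernelMode']
    UseAppPoolCredentials = $check['useAppPoolCredentials']
}
```

The read-back at the end is the part worth keeping around: Providers should print `Negotiate > NTLM` (or just `Negotiate`), and UseKernelMode and UseAppPoolCredentials should both be True whenever the pool runs as a domain account. Any other combination explains a Kerberos failure before you even look at the SPNs.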

5 - Once the web server and the application are correctly configured to accept Kerberos and the error persists, check that the account the site runs as (the application pool identity, or the machine account) is correctly set up for Kerberos in Active Directory. In practice this almost always comes down to the SPNs.

6 - Check that the account's SPNs are correctly configured. To list the SPNs of an account, run the following command in PowerShell (or a command prompt) from a machine joined to the same AD domain; it can be the server itself:

setspn -L domain\account_name

The command returns the SPNs registered on the account. The general form is service class/host name, e.g. HTTP/myserver.com, and the account must hold the SPN for the host name that clients actually put in the URL (an IP address never matches an SPN), normally in both forms, e.g. HTTP/myserver.com and HTTP/myserver. Also verify that no SPN is registered on more than one account: a duplicate SPN causes failures because the KDC cannot tell whose key to encrypt the ticket with. `setspn -Q HTTP/myserver.com` shows which account holds a given SPN, and `setspn -X` lists every duplicate SPN in the domain.

If the SPNs are missing, you can add them to an AD account with the following command, provided you have rights to write servicePrincipalName on that account. The -S switch checks for duplicates before adding, and the account name is required; without it setspn has nothing to register the SPN on:

setspn -S HTTP/myserver.com domain\account_name

After changing SPNs, run `klist purge` on the client (or log off and on) before retesting, otherwise the client keeps presenting its cached, now stale, tickets.

7 - If the site runs as the machine account (ApplicationPoolIdentity, Network Service and Local System all authenticate to the KDC as the computer account), check the SPNs registered on the computer account of the server itself:

setspn -L server_name

A computer account normally needs only its default HOST/server_name and HOST/server_name.fqdn entries, because the HOST service class implicitly covers HTTP. An explicit HTTP/ SPN is needed only when clients reach the site through an alias (a CNAME or load-balancer name) that differs from the computer name.

If the correct SPNs are missing, add them as described in step 6.
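The checks in steps 6 and 7 (is the right SPN present, on the right account, and on only one account) can be run in one pass against Active Directory. The script below is an added example, not part of the original post; it uses the ADSI searcher available on any domain-joined machine, so no RSAT module is needed. The host name web01.corp.example.com and the pool account svc-webapp are assumptions; pass the computer account name with its trailing $ (for example web01$) to check a site running as the machine account.

```powershell
# Added example (not from the original post): verify the SPNs behind steps 6 and 7.
# Assumed names: host web01.corp.example.com, pool account svc-webapp (use 'web01$' for the machine account).
param(
    [string]$HostName = 'web01.corp.example.com',   # the name clients put in the URL
    [string]$Account  = 'svc-webapp'                 # sAMAccountName of the account that decrypts the tickets
)

function Get-AccountSpns {
    # SPNs registered on one account; the equivalent of: setspn -L domain\account
    param([string]$SamAccountName)
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "Account '$SamAccountName' not found in the current domain" }
    [pscustomobject]@{
        DN   = [string]$r.Properties['distinguishedname'][0]
        Spns = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
    }
}

function Find-SpnOwners {
    # Every object in the domain holding exactly this SPN; the equivalent of: setspn -Q spn
    # More than one owner is a duplicate (what setspn -X reports) and breaks Kerberos for that SPN.
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })
}

$acct  = Get-AccountSpns -SamAccountName $Account
$short = $HostName.Split('.')[0]
# A computer account's HOST/ SPNs implicitly cover HTTP, so the machine account is checked for
# HOST/...; a custom pool account needs explicit HTTP/... entries for both name forms.
$class    = if ($Account.EndsWith('$')) { 'HOST' } else { 'HTTP' }
$expected = @("$class/$HostName", "$class/$short")

"SPNs on $($acct.DN):"
$acct.Spns | Sort-Object | ForEach-Object { "  $_" }
""
foreach ($spn in $expected) {
    $owners = @(Find-SpnOwners -Spn $spn)
    if ($owners.Count -eq 0) {
        "MISSING     $spn  -> setspn -S $spn $Account"
    } elseif ($owners.Count -gt 1) {
        "DUPLICATE   $spn  -> held by: $($owners -join '; ')"
    } elseif ($owners[0] -ne $acct.DN) {
        "WRONG OWNER $spn  -> held by $($owners[0]), not $Account"
    } else {
        "OK          $spn"
    }
}
# After fixing anything above, run 'klist purge' on the client: cached tickets keep failing until they expire.
```

Every line that is not OK maps to a concrete fix: MISSING gives you the exact setspn command, DUPLICATE tells you which second object to clean up, and WRONG OWNER means the SPN exists but on an account other than the one the application pool runs as, which is the case step 4 (useAppPoolCredentials) is about.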

I hope these steps helped you solve your problem as they helped me!

For other issues, please comment below; maybe we can help each other.

References

Register a Service Principal Name (SPN) for a report server
Kerberos authentication troubleshooting guidance
