Configure Windows Server IIS for constrained delegation
- Return to or sign in to your Windows Server.
- Start the Internet Information Services (IIS) application.
- Navigate to the default Web Site.
- Double-click Authentication. and configure:
- Exit Internet Information Services (IIS).
- Start the Active Directory Users and Computers application.
- Navigate to the previously added Access Gateway service account user.
- Select the user, right-click and select properties.
- Select the Delegation tab.
- Select Trust this user for delegation to specified services only and enable Use any authentication protocol.
- Click Add.
- Add your IIS host to the delegation.
- Click Check Name to verify that server has joined to the domain.
- Click OK.
In the Add Services dialog box, select the delegation protocol and click OK
- Exit the Internet Information Services (IIS) application
To test, we will simulate a Kerberos sign in:
- Start the the Active Directory Users and Computers application.
- Select Access Gateway instance, in this example idaasgateway.net, and then > Users > New User.
- Create a new Okta Access Gatewayuser and click Next.
First name: test
Last name: user
User logon name: testuser
- Complete the new user.
- Return to the Access Gateway Admin UI console.
- Navigate to Settings.
- Click the Simulate button.
Enter test user and host. Specifically use the test user and the FQDN of the IIS server host, which is the same as the DC.