Configure Windows Server IIS for constrained delegation


Configure constrained delegation

  1. Return to or sign in to your Windows Server.
  2. Start the Internet Information Services (IIS) application.
  3. Navigate to the default Web Site.
  4. Double-click Authentication and configure:
    Anonymous access: Disabled
    Windows Authentication: Enabled
  5. Exit Internet Information Services (IIS).
  6. Start the Active Directory Users and Computers application.
  7. Navigate to the previously added Access Gateway service account user.
  8. Select the user, right-click and select properties.
  9. Select the Delegation tab.
  10. Select Trust this user for delegation to specified services only and enable Use any authentication protocol.
  11. Click Add.
  12. Add your IIS host to the delegation.
  13. Click Check Name to verify that server has joined to the domain.
  14. Click OK.
  15. In the Add Services dialog box, select the delegation protocol and click OK.

  16. Exit the Internet Information Services (IIS) application.
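The following PowerShell script is an added verification aid, not part of the Okta documentation. It checks, on the IIS host, that the settings from steps 4 and 10 to 15 are in place: anonymous authentication off and Windows authentication on for the Default Web Site, and the service account trusted for constrained delegation with protocol transition ("Use any authentication protocol") to the IIS host only. The account name and host FQDN are assumed placeholder values, and it assumes the HTTP service was the one selected in the Add Services dialog.

```powershell
# Added verification script (not from the Okta documentation). Assumes the
# ActiveDirectory (RSAT) and WebAdministration modules are installed and that
# the HTTP service of the IIS host was selected in the Add Services dialog.
param(
    [string]$ServiceAccount = 'oag-svc',                # assumed service account name
    [string]$IisHostFqdn    = 'iis01.corp.example.com', # assumed IIS host FQDN
    [string]$SiteName       = 'Default Web Site'
)
Import-Module ActiveDirectory
Import-Module WebAdministration

function Get-AuthEnabled([string]$Section) {
    # Reads the 'enabled' attribute of one IIS authentication section for the site.
    (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter "system.webServer/security/authentication/$Section" -Name enabled).Value
}

$results = [ordered]@{}

# Step 4: anonymous authentication off, Windows authentication on.
$results['AnonymousDisabled']  = -not (Get-AuthEnabled 'anonymousAuthentication')
$results['WindowsAuthEnabled'] = [bool](Get-AuthEnabled 'windowsAuthentication')

# Steps 10-15: "Use any authentication protocol" sets TrustedToAuthForDelegation;
# the Add Services choice lands in msDS-AllowedToDelegateTo as HTTP/<host> SPNs.
$user = Get-ADUser -Identity $ServiceAccount -Properties 'msDS-AllowedToDelegateTo','TrustedToAuthForDelegation'
$targets   = @($user.'msDS-AllowedToDelegateTo')
$shortHost = $IisHostFqdn.Split('.')[0]
$allowed   = @("HTTP/$IisHostFqdn", "HTTP/$shortHost")

$results['ProtocolTransition'] = [bool]$user.TrustedToAuthForDelegation
$results['DelegatesToIisHost'] = @($targets | Where-Object { $allowed -contains $_ }).Count -gt 0
# Any SPN beyond the IIS host widens the set of services this account can
# obtain tickets for on a user's behalf, so surface it for review.
$results['UnexpectedTargets']  = @($targets | Where-Object { $allowed -notcontains $_ })

[pscustomobject]$results | Format-List
$ok = $results['AnonymousDisabled'] -and $results['WindowsAuthEnabled'] -and
      $results['ProtocolTransition'] -and $results['DelegatesToIisHost'] -and
      ($results['UnexpectedTargets'].Count -eq 0)
if (-not $ok) { exit 1 }
```

Run it from an elevated PowerShell session on the IIS host; a non-zero exit code means at least one of the documented settings is missing or the delegation list is wider than the IIS host.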


To test, we will simulate a Kerberos sign in:

  1. Start the Active Directory Users and Computers application.
  2. Select the Access Gateway instance (in this example), and then Users > New User.
  3. Create a new Okta Access Gateway user and click Next.
    For example:
    First name: test
    Last name: user
    User logon name: testuser
  4. Complete the new user creation.
  5. Return to the Access Gateway Admin UI console.
  6. Navigate to Settings.
  7. Click the Simulate button.
  8. Enter test user and host. Specifically use the test user and the FQDN of the IIS server host, which is the same as the DC.