Configure Windows Server IIS for constrained delegation

This topic describes how to configure and validate a Microsoft Windows Internet Information Services (IIS) server for Kerberos constrained delegation with Access Gateway.

Access Gateway only supports connecting to the default IIS site, which is addressed by the hostname of the IIS server. If you have additional sites configured in IIS, you need a custom solution developed by Okta Professional Services to use this feature.

Configure constrained delegation

  1. On your Microsoft Windows Server, start the IIS application.
  2. In the Connections pane, open the Sites folder and then click Default Web Site.
  3. In the Default Web Site Home pane, double-click Authentication.
  4. Configure these options:
    • Anonymous access: Disabled
    • Windows Authentication: Enabled
  5. Exit the IIS application.
  6. Start the Active Directory Users and Computers application.
  7. Find the Access Gateway service account user that you created in Add Kerberos service and select it.
  8. Right-click on the username and then select Properties.
  9. Select the Delegation tab.
  10. Select Trust this user for delegation to specified services only, and then select Use any authentication protocol.
  11. Click Add.
  12. Add your IIS host to the delegation.
  13. Click Check Names to verify that the server is joined to the domain.
  14. Click OK.
  15. In the Add Services dialog, select the delegation protocol, and then click OK.
  16. Exit the IIS application.

Validate constrained delegation

  1. Start the Active Directory Users and Computers application.
  2. Select the Access Gateway instance.
  3. Click Users > New User.
  4. Create an Access Gateway user and then click Next.
  5. Return to the Access Gateway Admin UI console.
  6. Go to Settings.
  7. Click Simulate.
  8. Complete the Test AD User and Test Web Resource fields. Use the test user you just created and the FQDN of the IIS server host.
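The scripted equivalent of the configuration steps and of the Active Directory side of the validation steps above, as an added example that is not part of the Okta documentation and not an Okta or Microsoft script. It assumes a service account named svc-oag, an IIS host iis01.corp.example.com (NetBIOS name iis01), and that the delegation target is the HTTP service on that host; all of these are placeholders. The IIS part must run on the IIS host, and the Active Directory part needs the ActiveDirectory RSAT module. The Simulate check in the Access Gateway Admin UI has no scripted equivalent and still has to be done in the console.

```powershell
#Requires -RunAsAdministrator
# Added example (not Okta's or Microsoft's code). All names below are assumed placeholders.
$ServiceAccount = 'svc-oag'                 # assumed: Access Gateway service account
$IisHost        = 'iis01.corp.example.com'  # assumed: FQDN of the IIS server
$IisShortName   = 'iis01'                   # assumed: NetBIOS name of the IIS server
$SiteName       = 'Default Web Site'        # the only site Access Gateway supports

# --- IIS: anonymous access disabled, Windows Authentication enabled (steps 1-5) ---
Import-Module WebAdministration
$authBase = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# --- Active Directory: constrained delegation on the service account (steps 6-16) ---
Import-Module ActiveDirectory

# The delegation target list is the HTTP service on the IIS host, and nothing else.
# Both the FQDN and short-name SPNs are listed because clients may present either.
$Targets = @("HTTP/$IisHost", "HTTP/$IisShortName")

# Precondition: an HTTP SPN for the IIS host must already be registered somewhere in the
# domain (the "Add Kerberos service" step), otherwise the Add Services dialog cannot find it.
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$IisHost)"
if (-not $spnOwner) { throw "No account holds the SPN HTTP/$IisHost; register it first." }

# "Trust this user for delegation to specified services only" writes the target list into
# msDS-AllowedToDelegateTo; unconstrained delegation must stay off.
Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }
Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
# This lets the account obtain service tickets for any user without that user's own Kerberos
# ticket, so the target list above should be kept as narrow as possible and the account audited.
Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true

# --- Read-back checks for the "Validate constrained delegation" section ---
function Test-ConstrainedDelegation {
    param([string]$Account, [string[]]$ExpectedTargets, [string]$Site)

    $u = Get-ADUser -Identity $Account `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    $actual  = @($u.'msDS-AllowedToDelegateTo')
    $missing = @($ExpectedTargets | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $ExpectedTargets -notcontains $_ })

    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$authBase/windowsAuthentication" -Name enabled).Value

    [pscustomobject]@{
        Account                = $Account
        ConstrainedTargetsOk   = ($missing.Count -eq 0)
        UnexpectedTargets      = $extra              # anything here widens the blast radius
        UnconstrainedDisabled  = (-not $u.TrustedForDelegation)
        ProtocolTransitionOn   = [bool]$u.TrustedToAuthForDelegation
        IisAnonymousDisabled   = (-not $anon)
        IisWindowsAuthEnabled  = [bool]$win
    }
}

$result = Test-ConstrainedDelegation -Account $ServiceAccount -ExpectedTargets $Targets -Site $SiteName
$result | Format-List
if (-not ($result.ConstrainedTargetsOk -and $result.UnconstrainedDisabled -and
          $result.IisAnonymousDisabled -and $result.IisWindowsAuthEnabled)) {
    Write-Error 'Constrained delegation is not configured as expected; review the fields above.'
}
```

Run the read-back function again after any change to the service account: an empty UnexpectedTargets list and UnconstrainedDisabled set to True are the two properties that keep this a constrained delegation rather than a broader one, and they are the ones worth alerting on if they drift.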