How to configure Kerberos authentication on a Windows Server outside of a domain for an ASP.NET MVC web application?
I have an ASP.NET MVC web application running on IIS on Windows Server. The clients connecting to the application are in a domain, but the application server itself is not part of that domain.
Previously, the server was in the domain, and IIS used the application pool account to connect to the domain and obtain the necessary Kerberos tokens. The application successfully used these tokens for user authentication via SSO.
Now the server is not in the domain, and I cannot configure an account in IIS to connect to the domain.
Question: Is it possible to configure IIS using a proxy server or other IIS extensions to connect to the domain and distribute Kerberos tokens without rewriting the application logic?
I’m also interested in experience setting up ADFS in a similar scenario, as this is an alternative solution being considered.
Moving the application to Linux is not being considered, as it’s a monolithic application on an outdated framework, and the business is not ready for a lengthy rewriting process.
Configuring Kerberos Authentication on Windows Server Outside of a Domain for ASP.NET MVC Applications
Configuring Kerberos authentication for an ASP.NET MVC application on a Windows Server outside of the clients' domain is possible, but only indirectly: a server that is not a member of the domain can never hold a Kerberos identity in it. The realistic options are federation through ADFS (domain clients authenticate to ADFS with Kerberos and the application receives a signed claims token), joining the server to a second domain that trusts the clients' domain, or credential-based methods (Basic or Forms authentication with an LDAP check) that need only small changes to the application code.
Table of Contents
- Basic Limitations of Kerberos Outside of a Domain
- ADFS as a Solution
- Alternative Authentication Methods
- IIS Configuration for Kerberos Support
- Practical Examples and Tools
- Migration Recommendations
Basic Limitations of Kerberos Outside of a Domain
Kerberos authentication is initially designed to work in Active Directory environments where all authentication participants (clients and servers) are domain members. When the application server is not part of a domain, fundamental limitations arise:
- Lack of trust between server and domain: a non-domain-joined server has no computer account and no secure channel to a domain controller, so it can neither obtain Kerberos tickets itself nor decrypt the service tickets that clients present
- Problems with SPN (Service Principal Name): an SPN is an attribute of a domain account; a service on a non-domain server has no account on which HTTP/hostname could be registered, so clients cannot even request a ticket for it
- IIS limitations: Windows Authentication in IIS decrypts Kerberos tickets with the computer account (kernel mode) or with the application pool's domain account; on a workgroup server neither exists, so Negotiate degrades to NTLM, and NTLM on such a server can validate only local accounts
The threads cited below agree on this point: Kerberos does not work for accounts or computers that are not part of the domain. What follows are workarounds that keep single sign-on for domain users without joining the application server to their domain.
Important: the restriction is on the server side, not the client side. A client that is not a domain member can still use Kerberos: on a Linux machine the user runs the kinit user command, enters a password to obtain a TGT from the domain controller, and then opens a Kerberos-protected IIS page in Firefox. That works because the IIS server in that scenario is domain-joined and has an SPN; it does not help a server that is outside the domain.
ADFS as a Solution
Active Directory Federation Services (ADFS) is the cleanest solution for this scenario. Strictly speaking it does not extend Kerberos to the application server: domain clients authenticate to ADFS with Kerberos (Integrated Windows Authentication), and ADFS issues a signed claims token (WS-Federation or SAML) that the application validates on its own using ADFS's published token-signing certificate. The application server never needs a domain account.
ADFS Integration Requirements
To set up ADFS in your scenario, you will need:
- ADFS Server: a separate, domain-joined server that acts as the identity provider (security token service) for the domain; if clients outside the network are involved, a Web Application Proxy in front of it
- Trust Configuration: a relying party trust in ADFS for your application (identifier and WS-Federation endpoint), and on the application side the ADFS federation metadata URL, which supplies the token-signing certificate
- Claims Configuration: claim rules that send the user attributes the application needs (account name, UPN, group memberships) from Active Directory to the application
ADFS Setup Process
- Install ADFS on a separate server in the domain
- Configure a relying party trust for your web application
- Configure the intranet authentication policy so that domain clients use Windows Authentication (Kerberos) against ADFS, and claim rules that pass the required Windows attributes
- Configure the web application to redirect unauthenticated requests to ADFS and to validate the token it returns
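The four steps above as an AD FS PowerShell script, added here as an example; it is not code from the original post or from Microsoft's documentation. The ADFS host name adfs.corp.example.com, the application realm https://app.example.com/ and the relying-party display name are assumptions to replace with your own.

```powershell
# Added example: run elevated on the AD FS server (a domain member) with the ADFS module.
# Assumed names: ADFS host adfs.corp.example.com, application realm https://app.example.com/.
Import-Module ADFS

$rpName = 'Legacy ASP.NET MVC application'
$realm  = 'https://app.example.com/'   # must match the realm the application's web.config declares

# 1. Relying party trust for a WS-Federation (passive) web application. AD FS signs the
#    token with its token-signing certificate; the application validates it offline.
Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $realm `
    -WSFedEndpoint $realm `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# 2. Claim rules: look the Windows-authenticated account up in AD and emit name, UPN and
#    group memberships as role claims. Role claims are what ClaimsPrincipal.IsInRole reads,
#    so existing [Authorize(Roles = "...")] attributes keep working.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Identity and groups from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";sAMAccountName,userPrincipalName,tokenGroups;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules

# 3. Intranet clients authenticate to AD FS with Kerberos (no password prompt).
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication'

# 4. AD FS offers Negotiate only to user agents on this list; without the Mozilla entry,
#    Chrome and Firefox get a forms login page instead of SSO.
$agents = (Get-AdfsProperties).WIASupportedUserAgents
if ($agents -notcontains 'Mozilla/5.0') {
    Set-AdfsProperties -WIASupportedUserAgents ($agents + 'Mozilla/5.0')
}

# 5. Read the trust back, and print the metadata URL the application will be configured with.
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, Identifier, WSFedEndpoint
'https://adfs.corp.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
```

On the application side the matching change is a federation handler (WIF's WSFederationAuthenticationModule or the OWIN WsFederation middleware) configured with the same realm and the metadata URL printed in step 5; the IIS Windows Authentication settings are no longer involved. Rule 2 emits unqualified group names; if the application's role checks are written as DOMAIN\Group, query tokenGroupsQualifiedByDomainName instead of tokenGroups.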
Advantages of the ADFS approach:
- Keeps the application server out of the domain and removes every Kerberos dependency from it
- Provides SSO for domain-joined clients: they authenticate to ADFS silently via Kerberos, and the application only sees a signed token
- Windows attributes, including AD group membership, can be passed as claims, so role-based checks keep working
Disadvantages:
- Requires an additional server (and a Web Application Proxy for clients outside the network)
- Increases infrastructure complexity
- Requires changes to the application configuration and, to a degree, its code: authentication moves from Windows Authentication to a federation handler (WIF's WSFederationAuthenticationModule on .NET 4.5+, or the OWIN WsFederation middleware in ASP.NET MVC 5), and HttpContext.User becomes a ClaimsPrincipal rather than a WindowsPrincipal. Code that relied on a WindowsIdentity (impersonation, WindowsPrincipal.IsInRole against AD groups) has to read claims instead
ADFS Troubleshooting
When browsers fail Integrated Windows Authentication against ADFS itself (typically non-IE browsers, or a load balancer terminating TLS in front of the ADFS farm), Microsoft's troubleshooting guide suggests relaxing the channel-binding check with the PowerShell command:
Set-AdfsProperties -ExtendedProtectionTokenCheck None
This disables Extended Protection for Authentication, which ties the Kerberos/NTLM exchange to the TLS session and is what stops credential-relay attacks against ADFS. Use it to confirm a diagnosis, then restore it and fix the actual cause (terminate TLS on the ADFS servers themselves, or use a browser that supports channel binding).
Alternative Authentication Methods
If ADFS is not suitable, there are other methods to provide authentication compatible with existing application code.
1. Basic Authentication with Subsequent Processing
You can enable Basic authentication in IIS, so that the browser sends the user's name and password with each request, and validate those credentials in the application code. The classic way is the Win32 LogonUser call:
// Example code for credential conversion: validate a name/password pair with Win32 LogonUser
using System;
using System.Runtime.InteropServices;
public static class NativeLogon
{
    const int LOGON32_LOGON_NETWORK = 3, LOGON32_PROVIDER_DEFAULT = 0; // network logon: password check only
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);
    // Succeeds only where the local LSA can validate the account: a local account, or a domain
    // account when this server is joined to (or trusted by) that domain.
    public static bool Validate(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
            return false;              // Marshal.GetLastWin32Error() gives the reason
        CloseHandle(token);            // do not leak the token handle
        return true;
    }
}
Advantages:
- Minimal code changes
- Does not require domain membership of the server in the IIS configuration itself
Disadvantages:
- Requires TLS: Basic authentication sends the password Base64-encoded, not encrypted
- The user's domain password is handed to the application server on every request; an attacker who compromises the server collects domain passwords, which is exactly what Kerberos was designed to avoid
- Does not provide full SSO: browsers prompt for credentials
- LogonUser on a server that is not a member of (or trusted by) the user's domain cannot validate domain credentials, because there is no secure channel to a domain controller; in that case validate the password with an LDAP bind instead (method 2)
2. Using Forms Authentication with Active Directory Integration
Configure Forms Authentication, but validate the credentials with an LDAP bind to the clients' domain. This works from a non-domain server because the bind uses the credentials the user typed, not the server's identity; the domain must be named explicitly, since the parameterless PrincipalContext(ContextType.Domain) resolves the local machine's domain and throws on a workgroup host:
using System;
using System.DirectoryServices.AccountManagement;

// Validates a domain user's password with an LDAP bind to corp.example.com (domain name assumed).
public bool ValidateADUser(string username, string password)
{
    // Refuse empty passwords up front: an LDAP unauthenticated bind with an empty password
    // can succeed, and this method would otherwise report success for any user name.
    if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        return false;
    try
    {
        // Reachable from a workgroup host; if the constructor cannot connect with the process
        // identity, pass a bind account as the 5th and 6th arguments.
        using (var context = new PrincipalContext(ContextType.Domain, "corp.example.com"))
        {
            // Negotiate performs a SASL bind, so the password is not sent in clear text.
            return context.ValidateCredentials(username, password, ContextOptions.Negotiate);
        }
    }
    catch (Exception)
    {
        // Fail closed, but log the exception: a DNS or connectivity failure looks like a bad
        // password to the user otherwise.
        return false;
    }
}
3. Setting Up Trust Between Domains
If possible, join the application server to a second domain (for example a DMZ or resource domain) and set up a trust from that domain to the domain where the clients are located. This is the only option that gives the IIS server a real Kerberos identity (computer account, SPN, ticket decryption) without joining it to the clients' domain; everything else on this page replaces Kerberos at the application server rather than extending it.
IIS Configuration for Kerberos Support
The IIS settings below are what Kerberos needs on the web server. They produce Kerberos only when the server is a member of the clients' domain or of a domain that trusts it (see the previous section); on a workgroup server the same settings still apply, but Negotiate degrades to NTLM, and NTLM there can validate only local accounts.
Authentication Provider Configuration
In IIS Manager:
- Disable anonymous authentication
- Enable Windows Authentication
- Configure providers: Negotiate first, then NTLM. The order matters: browsers use the first scheme the server offers, so listing NTLM first disables Kerberos for every client
Important: Kernel-mode authentication (the “Enable Kernel-mode authentication” checkbox in the advanced settings of Windows Authentication) decrypts service tickets with the computer account. If the SPN is registered on a custom application pool account, either uncheck it or leave it checked and set useAppPoolCredentials="true" in the windowsAuthentication section; otherwise tickets cannot be decrypted and clients get 401 responses.
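The same settings as a script, added here as an example rather than taken from the original page or from Microsoft's documentation. It applies when the IIS host is joined to the clients' domain or to a domain that trusts it; the site name 'Default Web Site', the host name app.example.com and the application pool account CORP\svc-app are assumptions.

```powershell
# Added example: configure Windows Authentication for Kerberos on one IIS site and register
# the SPN. Assumed names: site 'Default Web Site', URL host app.example.com, pool account CORP\svc-app.
Import-Module WebAdministration

$site    = 'Default Web Site'
$psPath  = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'
$winAuth = "$auth/windowsAuthentication"

# Anonymous off, Windows Authentication on, for this site only.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $winAuth -Name enabled -Value $true

# Providers: Negotiate must come first. Browsers take the first scheme offered, so the
# order "NTLM, Negotiate" silently downgrades every client to NTLM.
foreach ($p in 'Negotiate', 'NTLM') {
    Remove-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
}
Add-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$winAuth/providers" -Name '.' -Value @{ value = 'Negotiate' }
Add-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$winAuth/providers" -Name '.' -Value @{ value = 'NTLM' }

# Kernel-mode authentication decrypts tickets with the computer account's key. With a custom
# pool account owning the SPN, keep kernel mode on but decrypt with the pool's credentials.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $winAuth -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $winAuth -Name useAppPoolCredentials -Value $true

# Extended Protection binds the Kerberos/NTLM exchange to the TLS channel and defeats
# credential relay; require it once the site is HTTPS-only.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$winAuth/extendedProtection" -Name tokenChecking -Value 'Require'

# The SPN lives in Active Directory, never on the web server: register it on the account the
# pool runs as. Run this part as a domain admin; -S refuses to create a duplicate SPN.
setspn -S HTTP/app.example.com 'CORP\svc-app'
setspn -Q HTTP/app.example.com     # must list exactly one account; duplicates break Kerberos

# Read back the effective provider order.
Get-WebConfigurationProperty -PSPath $psPath -Location $site -Filter "$winAuth/providers" -Name Collection | Select-Object value
```

If the pool runs as the default ApplicationPoolIdentity or Network Service, skip useAppPoolCredentials and register the SPN on the computer account instead; the HOST/hostname SPN that every domain computer already has covers HTTP/hostname when the URL host equals the machine name.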
Application Pool Configuration
Even without domain membership, the application pool can run as:
- Local System, or the built-in Network Service / ApplicationPoolIdentity accounts
- A local service account (a local user created for the pool)
- A local account that reaches domain resources with explicit credentials held by the application (for example a SQL login or an LDAP bind account); a non-domain-joined host cannot run a process as a domain account, because it has no way to validate that account's logon
SPN Configuration and Diagnostic Tools
An SPN is always registered in Active Directory on a domain account (computer or user) with setspn; no tool can register one for a server that has no account in the domain, so SPNs only help once the server is joined to the clients' domain or to a trusting domain. What tools can do is find misconfigurations: duplicate SPNs, an SPN on the wrong account, or a kernel-mode/pool-identity mismatch. One such tool, written by a contributor to one of the cited threads specifically to resolve Kerberos issues and manage the related settings, is linked from that thread (see Sources).
Practical Examples and Tools
Using a Network Trace for Diagnostics
For Kerberos issue diagnostics, capture the authentication exchange on the wire with Network Monitor (retired by Microsoft but still usable), Wireshark, or the built-in netsh trace:
- Install the capture tool on the client computer and on the target server
- Collect a trace during an authentication attempt
- Analyze the Kerberos (KRB_TGS_REQ/KRB_TGS_REP) and HTTP 401/Negotiate messages in the trace; a KRB_ERROR with KDC_ERR_S_PRINCIPAL_UNKNOWN means the SPN the client asked for is not registered, and an NTLMSSP blob inside the Negotiate header means the client never used Kerberos at all
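Before reaching for a packet capture, the quickest check is whether the client actually obtained a service ticket for the site. The script below is an added example (not from the original page) to run on a domain-joined client workstation; the URL https://app.example.com/ and the SPN HTTP/app.example.com are assumptions.

```powershell
# Added example: verify from a domain-joined client that a request to the site used Kerberos.
# Assumed names: site https://app.example.com/ with SPN HTTP/app.example.com.
$url = 'https://app.example.com/'
$spn = 'HTTP/app.example.com'

# 1. The SPN must resolve to exactly one account, and the URL host must be that name:
#    a CNAME pointing at a differently named host makes the browser request the wrong SPN.
setspn -Q $spn
Resolve-DnsName ([uri]$url).Host | Select-Object Name, Type, IPAddress, NameHost

# 2. Start from an empty ticket cache, make one authenticated request, then look for a service
#    ticket. An HTTP 200 with no ticket means Negotiate silently fell back to NTLM.
klist purge | Out-Null
try {
    $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
    'HTTP {0}' -f $resp.StatusCode
} catch {
    'Request failed: ' + $_.Exception.Message
}
$ticket = klist | Select-String -SimpleMatch $spn
if ($ticket) {
    "Kerberos: service ticket for $spn is present"
} else {
    "No ticket for $spn: NTLM fallback or failure; check the SPN, the DNS name and the client's clock skew"
}

# 3. For packet-level detail without installing anything, the built-in ETW capture records
#    the Kerberos and HTTP exchange; convert the .etl with Microsoft's etl2pcapng for Wireshark.
#    (Commented out: needs an elevated prompt and must wrap the login attempt.)
# netsh trace start capture=yes tracefile=$env:TEMP\kerb.etl maxsize=200
# ...reproduce the login...
# netsh trace stop
```

Run step 2 twice if the first request fails: the first run also confirms whether the browser's intranet zone rules apply, since Invoke-WebRequest with -UseDefaultCredentials negotiates unconditionally, while Internet Explorer and Edge only do so for hosts in the Local intranet zone.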
Configuration for Linux Clients
Even Linux clients can access Kerberos-authenticated resources:
# Obtain a TGT from the domain controller; the realm is the AD DNS name in upper case
# (krb5.conf must point at the domain's KDC, and the clock must be within 5 minutes of the DC)
kinit user@DOMAIN
klist                       # verify the TGT before testing the site
# Firefox only sends Negotiate to hosts listed in network.negotiate-auth.trusted-uris (about:config)
firefox https://your-website.com
Test Environment for Debugging
For debugging issues, a three-machine environment is recommended:
- Domain controller
- Application server (outside of domain)
- Client workstation
Migration Recommendations
Gradual Migration
If the business is ready for gradual modernization, consider the following plan:
- Phase 1: Set up ADFS as a temporary solution
- Phase 2: Modernize authentication in the application using modern frameworks
- Phase 3: Consider migration to modern platforms
Monitoring and Auditing
Set up monitoring:
- Logging all authentication attempts
- Monitoring authentication performance
- Security auditing for vulnerability tracking
Security
Ensure security when using alternative methods:
- Always use SSL/TLS
- Regularly update certificates
- Configure password policies
- Implement multi-factor authentication
Sources
- Setting up Kerberos Authentication for a Website in IIS | Microsoft Community Hub
- ASP.NET and Kerberos Authentication | Stack Overflow
- Configuring Kerberos Authentication on IIS Website | Windows OS Hub
- Unable to Get Windows Authentication to Work Through Local IIS | Stack Overflow
- Kerberos Authentication in IIS with .NET App Under Domain Identity Not Working | Server Fault
- Set up Kerberos Authentication with Delegation on IIS 7 | Stack Overflow
- Kerberos Authentication Failing with 401 | Server Fault
- Client Can’t Authenticate to IIS Site Using Kerberos | Server Fault
- IIS: Using Kerberos with Client Computers Not on Domain | Stack Overflow
- Configure Windows Authentication in ASP.NET Core | Microsoft Learn
- Kerberos Authentication for Workstations Not on Domain | Server Fault
- Kerberos Authentication Troubleshooting Guide | Microsoft Learn
- Kerberos on Windows Server Out of Domain | Stack Overflow
- ADFS Troubleshooting - Integrated Windows Authentication | Microsoft Learn
Conclusion
Configuring Kerberos authentication on Windows Server outside of a domain for ASP.NET MVC applications requires a comprehensive approach but is entirely feasible. Key takeaways:
- ADFS is the preferred solution: it keeps the application server out of the domain and provides full SSO for domain clients; the cost is switching the application from Windows Authentication to a federation handler and from WindowsPrincipal to ClaimsPrincipal
- Alternative authentication methods: Basic authentication with subsequent processing, or Forms Authentication with an LDAP check against Active Directory, can be used as temporary solutions, at the price of handling users' domain passwords on the application server
- Domain trust: joining the server to a separate domain that trusts the clients' domain is the only way to get real Kerberos on the IIS server without joining it to the clients' domain
- Specialized tools: SPNs always live in Active Directory, but setspn, klist and network traces diagnose most Kerberos failures, and third-party tools can spot duplicate SPNs and identity mismatches
- Gradual modernization: start with ADFS as the bridging solution, then gradually move the application to modern authentication mechanisms
For your scenario of a monolithic application on an outdated framework, setting up ADFS appears to be the most optimal solution, as it allows minimizing changes to the application code and continuing to use existing authentication infrastructure.