Configure Windows Server IIS for constrained delegation
This topic describes how to configure and validate a Microsoft Windows Internet Information Services (IIS) server for constrained delegation.
Note:
Access Gateway only supports connecting to the default IIS app, which is the hostname of the IIS server. If you have more sites configured in IIS, then you need a custom solution developed by Okta Professional Services to use this feature.
Configure constrained delegation
- On your Microsoft Windows Server, start the IIS application.
- In the Connections pane, open the Sites folder and then click Default Web Site.
- In the Default Web Site Home pane, double-click Authentication.
- Configure these options:
  - Anonymous access: Disabled
  - Windows Authentication: Enabled
- Exit the IIS application.
- Start the Active Directory Users and Computers application.
- Find the Access Gateway service account user that you created in Add Kerberos service and select it.
- Right-click on the username and then select Properties.
- Select the Delegation tab.
- Select Trust this user for delegation to specified services only, and then select Use any authentication protocol.
- Click Add.
- Add your IIS host to the delegation.
- Click Check Names to verify that the server is joined to the domain.
- Click OK.
- In the Add Services dialog, select the delegation protocol, and then click OK.
- Exit the IIS application.
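The same configuration can be applied from PowerShell on the IIS host and a domain-joined admin workstation. The script below is an added example, not Okta's code: it disables Anonymous access and enables Windows Authentication on the default site, then writes the delegation settings that the Delegation tab writes (the IIS host's HTTP SPNs into msDS-AllowedToDelegateTo, and the TRUSTED_TO_AUTH_FOR_DELEGATION flag that corresponds to "Use any authentication protocol"). The account name, host name, and FQDN are assumed placeholders.

```powershell
# Added example (not Okta's code): scripted equivalent of the IIS and AD steps above.
# All values below are assumed placeholders; replace them with your own.
$SiteName   = 'Default Web Site'
$SvcAccount = 'svc-accessgateway'          # Access Gateway service account (assumed name)
$IisHost    = 'iis01'                      # IIS server NetBIOS name (assumed)
$IisFqdn    = 'iis01.corp.example.com'     # IIS server FQDN (assumed)

# --- IIS: Anonymous access disabled, Windows Authentication enabled on the default site ---
Import-Module WebAdministration
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# --- AD: "Trust this user for delegation to specified services only" ---
Import-Module ActiveDirectory
# Adding the IIS host in the Delegation tab lists its HTTP SPNs in msDS-AllowedToDelegateTo.
# -Replace makes the list exactly these two targets (least privilege: only the IIS service).
$targets = @("HTTP/$IisHost", "HTTP/$IisFqdn")
Set-ADUser -Identity $SvcAccount -Replace @{'msDS-AllowedToDelegateTo' = $targets}

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl
# (protocol transition). It is NOT the unconstrained "Trust this user for delegation to any service".
Set-ADAccountControl -Identity $SvcAccount -TrustedToAuthForDelegation $true

# Read back what was written so the change can be reviewed before moving on.
Get-ADUser -Identity $SvcAccount -Properties 'msDS-AllowedToDelegateTo','userAccountControl' |
    Select-Object SamAccountName, 'msDS-AllowedToDelegateTo', userAccountControl
```

The Delegation tab only appears in Active Directory Users and Computers once the account has at least one SPN, which is why the service account from Add Kerberos service is used rather than a plain user. Keeping the delegation list limited to the IIS host's HTTP SPNs is what makes this constrained: the service account can obtain tickets to that service only, not to arbitrary services in the domain.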
Validate constrained delegation
- Start the Active Directory Users and Computers application.
- Select the Access Gateway instance.
- Click .
- Create an Access Gateway user and then click Next.
- Return to the Access Gateway Admin UI console.
- Go to Settings.
- Click Simulate.
- Complete the Test AD User and Test Web Resource fields. Use the test user and the FQDN values of the IIS server host.
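Before running Simulate, it helps to confirm from the Windows side that every setting the test depends on is in place. The check below is an added example, not Okta's code: it reads back the IIS authentication settings and the service account's delegation attributes, and confirms that the delegation target resolves to a registered SPN (either an explicit HTTP SPN or the IIS computer's HOST SPN, which covers HTTP through the default SPN mapping). The account name, site name, and FQDN are assumed placeholders.

```powershell
# Added example (not Okta's code): pre-flight checks for the Simulate test above.
# All values below are assumed placeholders; replace them with your own.
$SiteName   = 'Default Web Site'
$SvcAccount = 'svc-accessgateway'          # Access Gateway service account (assumed)
$IisFqdn    = 'iis01.corp.example.com'     # IIS server FQDN used as Test Web Resource (assumed)

Import-Module WebAdministration
Import-Module ActiveDirectory

# --- IIS side: run on the IIS host ---
$authBase = 'system.webServer/security/authentication'
$anon = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
            -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
            -Filter "$authBase/windowsAuthentication" -Name enabled).Value

# --- AD side: delegation attributes on the service account ---
$acct = Get-ADUser -Identity $SvcAccount -Properties 'msDS-AllowedToDelegateTo','userAccountControl'
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000      # userAccountControl bit for "any authentication protocol"
$TRUSTED_FOR_DELEGATION         = 0x80000        # unconstrained delegation; must NOT be set here
$anyProtocol   = ($acct.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
$unconstrained = ($acct.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0
$delegatesToIis = $acct.'msDS-AllowedToDelegateTo' -contains "HTTP/$IisFqdn"

# The delegation target must be a registered SPN or the ticket request for the IIS service fails.
# HOST/<fqdn> on the computer account covers HTTP/<fqdn> via the default sPNMappings.
$spnFound = ((setspn -Q "HTTP/$IisFqdn") -match 'Existing SPN found') -or
            ((setspn -Q "HOST/$IisFqdn") -match 'Existing SPN found')

$result = [pscustomobject]@{
    AnonymousDisabled     = (-not [bool]$anon)
    WindowsAuthEnabled    = [bool]$win
    DelegatesToIisHttp    = [bool]$delegatesToIis
    AnyProtocolEnabled    = $anyProtocol
    UnconstrainedDisabled = (-not $unconstrained)
    IisSpnRegistered      = [bool]$spnFound
}
$result

# Every property should be True; a False row points at the step to revisit.
if (($result.PSObject.Properties | Where-Object { -not $_.Value }).Count -eq 0) {
    'All constrained delegation prerequisites are in place; run Simulate.'
} else {
    'One or more prerequisites are missing; fix them before running Simulate.'
}
```

The UnconstrainedDisabled row is worth keeping in the check: an account that is trusted for delegation to any service (the TRUSTED_FOR_DELEGATION bit) will also pass Simulate, but it can impersonate users to every service in the domain, which is exactly what the "specified services only" option is meant to prevent.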
Next steps