Kerberos Tips

byAlex R. •September 12, 2023

Get available tokens

klist

Get a token for SPN

klist get http/server.domain.co.il

To enable kerberos events logging, add LogLevel = 1 to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

The event logs should appear under System Events in the event viewer

Purge all tickets for local system:

klist purge -li 0x3e7

Configure IIS to work with "Active Directory Client Certificate Authentication"

This method of authentication maps a certificate to an active directory account, for this to work, make sure to follow these steps:

Enroll a certificate for a domain user account where the certificate is either published to the user account in AD or has the UPN set correctly.
Set the option in IIS:
Ensure the application pool runs under "Local System" account and not NetworkService, LocalService or any other.
Setup delegation and ensure SPN with FQDN to any service such as SQL Server. E.g.:

Tags Kerberos

<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/1601900224-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY7AHqk9ZsUpGAA38S8FFijvtum4pQ:1761908955251';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d2139279071038304164','//alexrait.blogspot.com/2023/09/kerberos-tips.html','2139279071038304164');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '2139279071038304164', 'title': 'Coding with Alex', 'url': 'https://alexrait.blogspot.com/2023/09/kerberos-tips.html', 'canonicalUrl': 'https://alexrait.blogspot.com/2023/09/kerberos-tips.html', 'homepageUrl': 'https://alexrait.blogspot.com/', 'searchUrl': 'https://alexrait.blogspot.com/search', 'canonicalHomepageUrl': 'https://alexrait.blogspot.com/', 'blogspotFaviconUrl': 'https://alexrait.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-202988341-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Coding with Alex - Atom\x22 href\x3d\x22https://alexrait.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Coding with Alex - RSS\x22 href\x3d\x22https://alexrait.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Coding with Alex - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/2139279071038304164/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Coding with Alex - Atom\x22 href\x3d\x22https://alexrait.blogspot.com/feeds/3229524346625795589/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseClientId': 'ca-pub-9348007134072555', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/93b5482d11d1bbee', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': true, 'jumpLinkMessage': 'Blog Posts', 'pageType': 'item', 'postId': '3229524346625795589', 'postImageThumbnailUrl': 'https://blogger.googleusercontent.com/img/a/AVvXsEi21Cn71N8rYrufULKUbDdYgOIojfooPuVvJriTRjS-5FUO_w7_91icxq0NitnfxIRkgJ9H0we3vW2MeGPMKCAW7nn2_v1RBrhm8Heg9ax09qiVuNcvBPWsWFE_3zjqvvrBN_NFWUt4CLsRY4bQCWyO8TTgz80Aof6Ye2VJjKqYq2d4VQsc_sCjn_dOIQM1\x3ds72-w640-c-h221', 'postImageUrl': 'https://blogger.googleusercontent.com/img/a/AVvXsEi21Cn71N8rYrufULKUbDdYgOIojfooPuVvJriTRjS-5FUO_w7_91icxq0NitnfxIRkgJ9H0we3vW2MeGPMKCAW7nn2_v1RBrhm8Heg9ax09qiVuNcvBPWsWFE_3zjqvvrBN_NFWUt4CLsRY4bQCWyO8TTgz80Aof6Ye2VJjKqYq2d4VQsc_sCjn_dOIQM1\x3dw640-h221', 'pageName': 'Kerberos Tips', 'pageTitle': 'Coding with Alex: Kerberos Tips', 'metaDescription': ''}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': true, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Kerberos Tips', 'description': 'A collection of interesting software articles, tips and code snippets, mostly in .NET and JavaScript.', 'featuredImage': 'https://blogger.googleusercontent.com/img/a/AVvXsEi21Cn71N8rYrufULKUbDdYgOIojfooPuVvJriTRjS-5FUO_w7_91icxq0NitnfxIRkgJ9H0we3vW2MeGPMKCAW7nn2_v1RBrhm8Heg9ax09qiVuNcvBPWsWFE_3zjqvvrBN_NFWUt4CLsRY4bQCWyO8TTgz80Aof6Ye2VJjKqYq2d4VQsc_sCjn_dOIQM1\x3dw640-h221', 'url': 'https://alexrait.blogspot.com/2023/09/kerberos-tips.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 3229524346625795589}}, {'name': 'widgets', 'data': [{'title': 'Default Thumbnail', 'type': 'Image', 'sectionId': 'pbt-panel', 'id': 'Image52'}, {'title': 'JSON Variables', 'type': 'HTML', 'sectionId': 'pbt-panel', 'id': 'HTML50'}, {'title': 'Coding with Alex', 'type': 'Image', 'sectionId': 'main-logo', 'id': 'Image50'}, {'title': '', 'type': 'LinkList', 'sectionId': 'xdfcb-main-menu', 'id': 'LinkList200'}, {'title': 'Links', 'type': 'LinkList', 'sectionId': 'headerbar', 'id': 'LinkList201'}, {'title': 'Follow Us', 'type': 'LinkList', 'sectionId': 'headerbar', 'id': 'LinkList202'}, {'title': 'Blog Posts', 'type': 'Blog', 'sectionId': 'main', 'id': 'Blog1', 'posts': [{'id': '3229524346625795589', 'title': 'Kerberos Tips', 'featuredImage': 'https://blogger.googleusercontent.com/img/a/AVvXsEi21Cn71N8rYrufULKUbDdYgOIojfooPuVvJriTRjS-5FUO_w7_91icxq0NitnfxIRkgJ9H0we3vW2MeGPMKCAW7nn2_v1RBrhm8Heg9ax09qiVuNcvBPWsWFE_3zjqvvrBN_NFWUt4CLsRY4bQCWyO8TTgz80Aof6Ye2VJjKqYq2d4VQsc_sCjn_dOIQM1\x3dw640-h221', 'showInlineAds': false}], 'headerByline': {'regionName': 'header1', 'items': [{'name': 'share', 'label': ''}, {'name': 'author', 'label': 'by'}, {'name': 'timestamp', 'label': '\u2022'}]}, 'footerBylines': [{'regionName': 'footer1', 'items': [{'name': 'comments', 'label': '$type\x3d{blogger}'}, {'name': 'icons', 'label': ''}]}, {'regionName': 'footer2', 'items': [{'name': 'labels', 'label': 'Tags'}]}], 'allBylineItems': [{'name': 'share', 'label': ''}, {'name': 'author', 'label': 'by'}, {'name': 'timestamp', 'label': '\u2022'}, {'name': 'comments', 'label': '$type\x3d{blogger}'}, {'name': 'icons', 'label': ''}, {'name': 'labels', 'label': 'Tags'}]}, {'title': 'You might like', 'type': 'HTML', 'sectionId': 'xdfcb-related-posts', 'id': 'HTML51'}, {'title': 'Coding with Alex (Header)', 'type': 'Header', 'sectionId': 'sidebar', 'id': 'Header1'}, {'title': 'Main Tags', 'type': 'Label', 'sectionId': 'sidebar', 'id': 'Label2'}, {'title': 'Total Pageviews', 'type': 'Stats', 'sectionId': 'sidebar', 'id': 'Stats1'}, {'title': 'Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar', 'id': 'PopularPosts2', 'posts': [{'title': 'How to deserialize object from XML in .NET', 'id': 4054038090734924572}, {'title': '\u05e9\u05d9\u05e2\u05d5\u05e8\u05d9 \u05e8\u05d9\u05e7\u05d5\u05d3\u05d9 \u05dc\u05d6\u05d2\u05d9\u05e0\u05e7\u05d4 \u05d1\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8', 'id': 7810475746607606345}, {'title': 'Disable ssl verification when pushing git to remote repository', 'id': 4196366144205767161}, {'title': '.NET Auto Mapper library', 'id': 1094240385410530243}]}, {'title': 'Most Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar', 'id': 'PopularPosts1', 'posts': [{'title': 'How to deserialize object from XML in .NET', 'id': '4054038090734924572'}, {'title': '\u05e9\u05d9\u05e2\u05d5\u05e8\u05d9 \u05e8\u05d9\u05e7\u05d5\u05d3\u05d9 \u05dc\u05d6\u05d2\u05d9\u05e0\u05e7\u05d4 \u05d1\u05d0\u05d9\u05e0\u05d8\u05e8\u05e0\u05d8', 'id': '7810475746607606345'}, {'title': 'Disable ssl verification when pushing git to remote repository', 'id': '4196366144205767161'}, {'title': '.NET Auto Mapper library', 'id': '1094240385410530243'}, {'title': 'Decrypting DPAPI strings with PowerShell', 'id': '1872587466158205825'}, {'title': 'Configure action in ASP.NET core that requires client certificate authentication', 'id': '190547147754577582'}]}, {'title': 'About Us', 'type': 'Image', 'sectionId': 'xdfcb-about-section', 'id': 'Image51'}]}]);
_WidgetManager._RegisterWidget('_ImageView', new _WidgetInfo('Image52', 'pbt-panel', document.getElementById('Image52'), {'resize': true}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML50', 'pbt-panel', document.getElementById('HTML50'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_ImageView', new _WidgetInfo('Image50', 'main-logo', document.getElementById('Image50'), {'resize': true}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList200', 'xdfcb-main-menu', document.getElementById('LinkList200'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList201', 'headerbar', document.getElementById('LinkList201'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList202', 'headerbar', document.getElementById('LinkList202'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/6096503-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/828616780-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML51', 'xdfcb-related-posts', document.getElementById('HTML51'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'sidebar', document.getElementById('Header1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label2', 'sidebar', document.getElementById('Label2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_StatsView', new _WidgetInfo('Stats1', 'sidebar', document.getElementById('Stats1'), {'title': 'Total Pageviews', 'showGraphicalCounter': false, 'showAnimatedCounter': false, 'showSparkline': true, 'statsUrl': '//alexrait.blogspot.com/b/stats?style\x3dBLACK_TRANSPARENT\x26timeRange\x3dALL_TIME\x26token\x3dAPq4FmAdl7AvPDawpxaddQfTX3MhxHZw78AkMnCJTOofsqAwEccLUDHRurFQgMw1Tb9rc1XY4pr7uMJdWPCp7MSThHGhftLeyQ'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts2', 'sidebar', document.getElementById('PopularPosts2'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts1', 'sidebar', document.getElementById('PopularPosts1'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_ImageView', new _WidgetInfo('Image51', 'xdfcb-about-section', document.getElementById('Image51'), {'resize': true}, 'displayModeFull'));
</script>
</body>

Kerberos Tips

Configure IIS to work with "Active Directory Client Certificate Authentication"

Post a Comment