
We're having an authentication problem with our self-made collaboration website.

We have server A with the Collab platform. We log on with our domain account on the website. This website talks to an API on Server B, but Server B should also be able to get data from our intranet (SharePoint) on server C. Is this the double hop issue? NTLM is used, not Kerberos.

Do we need to change everything to Kerberos? I found a lot about double hop but none have a decent explanation on how to configure/fix it.

Server A & B are 2012R2, server C is 2016.

Skyline
  • It could be a double-hop, depending on how you have security set on IIS. There are 2 options: 1) IIS requires authentication from a user, and needs to identify that same user to back-end systems. or 2) The back-end systems don't need to know the user, they just need to provide services and the anonymous (or some other service account) is okay. Which one do you need? – tgolisch Dec 19 '18 at 14:15
  • Please read [Under what circumstances may I add “urgent” or other similar phrases to my question, in order to obtain faster answers?](//meta.stackoverflow.com/q/326569) - the summary is that this is not an ideal way to address volunteers, and is probably counterproductive to obtaining answers. Please refrain from adding this to your questions. – halfer Dec 19 '18 at 19:11
  • Hi @tgolisch, it's the first option that's used. – Skyline Dec 20 '18 at 07:01

1 Answer

Yes. When you need to authenticate a user on a web server and then re-use and pass credentials from the web server to another server, that is the "double-hop" scenario. The only way to allow this is to establish a Kerberos trust between those two machines. This is done in Active Directory.

Kerberos config in Active Directory

You don't need to "convert all of your stuff to Kerberos" because it is already built-into any server that is on an Active Directory domain.

In IIS, you will need to set "Authentication" to use "Digest" authentication (of course Anonymous is disabled).

There are dozens of great articles that walk you through anything that I didn't mention. (Like this one) It is not difficult, but it takes some time to learn it the first time. So there is no need to worry.

tgolisch
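How the "Kerberos trust" the answer describes is usually expressed in Active Directory, as an added example that is not tgolisch's or the asker's own configuration: it sets up constrained delegation along the A to B to C chain and configures IIS for Windows (Negotiate) authentication, the IIS mode that carries Kerberos tickets, then checks the result. Every hostname, account, site and server name below is a placeholder.

```powershell
# Added example (not from the answer). Placeholders:
#   CORP\svc-collabweb      - app pool identity of the Collab site on Server A
#   CORP\svc-collabapi      - app pool identity of the API on Server B
#   sharepoint.corp.example - SharePoint on Server C
# AD steps run once from a domain-joined admin host; IIS steps run on A and on B.
Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. Each HTTP service needs an SPN on the account that runs it; without one the
#    client silently falls back to NTLM, which cannot be forwarded to the next hop.
setspn -S HTTP/collab.corp.example CORP\svc-collabweb
setspn -S HTTP/api.corp.example    CORP\svc-collabapi

# 2. Constrained delegation (Kerberos only, no protocol transition): A's identity may
#    forward the user only to the API on B, B's identity only to SharePoint on C.
Set-ADUser -Identity svc-collabweb -Add @{ 'msDS-AllowedToDelegateTo' = @('HTTP/api.corp.example') }
Set-ADUser -Identity svc-collabapi -Add @{ 'msDS-AllowedToDelegateTo' = @('HTTP/sharepoint.corp.example') }
# Resource-based alternative: the target (Server C) decides who may delegate to it.
# Set-ADComputer -Identity SERVERC -PrincipalsAllowedToDelegateToAccount (Get-ADUser svc-collabapi)

# 3. IIS on the hop being configured: anonymous off, Windows Authentication on. With a
#    domain account as pool identity, useAppPoolCredentials makes kernel-mode auth
#    decrypt tickets with that account's key rather than the machine account's.
$site = 'Default Web Site/collab'   # 'Default Web Site/api' on Server B
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
  -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
  -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
  -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true

# 4. Checks: the delegation list is exactly what was set, and logons reaching C are
#    Kerberos. Anything the last pipeline lists still arrives over NTLM.
Get-ADUser svc-collabapi -Properties msDS-AllowedToDelegateTo |
  Select-Object -ExpandProperty msDS-AllowedToDelegateTo
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
  ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
      User    = ($d | Where-Object Name -eq 'TargetUserName').'#text'
      Package = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
    }
  } | Where-Object Package -ne 'Kerberos'
```

The event check belongs on Server C, where the delegated user's logon should show AuthenticationPackageName Kerberos once both hops are working.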