Configuring Protocol Transition

First implemented in Windows Server 2003, protocol transition is a feature that allows a client to authenticate to IIS 8.0 using a protocol other than Kerberos (for example, NTLM or Digest). By utilizing Services for User to Self (S4U2S) and Services for User to Proxy (S4U2P), IIS 8.0 is able to get a Kerberos ticket to the back-end service. For more information on S4U2P and S4U2S, see http://adopenstatic.com/cs/blogs/ken/archive/2007/07/19/8460.aspx.

In a protocol transition scenario:

1. The client authenticates to IIS 8.0 using an HTTP authentication protocol other than Kerberos (for example, NTLM or Digest authentication).

2. IIS 8.0 obtains a Kerberos ticket on behalf of the user. The process for obtaining Kerberos tickets is discussed above.

3. The IIS 8.0 server authenticates to the back-end server application using Kerberos. The back-end service must support Kerberos authentication.

In a default IIS 8.0 configuration, nothing additional needs to be configured in IIS 8.0 to support protocol transition. The only configuration that is required is on your domain controllers. To support protocol transition, the domain functional level must be Windows Server 2003 or higher. Additionally, protocol transition relies on constrained delegation. This requires that the IIS 8.0 server and back-end server be in the same domain. The client can be in any trusted domain or forest.

To configure Active Directory for protocol transition, ensure that required ...

Get Professional Microsoft IIS 8 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Professional Microsoft IIS 8 by Kenneth Schaefer, Jeff Cochran, Scott Forsyth, Dennis Glendenning, Benjamin Perkins

Configuring Protocol Transition

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly