Some tips on setting up the DelegConfig Tool

 

Introduction

 

Brian Murphy-Booth wrote a great tool that has helped thousands of people troubleshoot their way through some tough Kerberos authentication problem. The home page for the tools and instructions is here: https://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx. I've used Delegconfig a few times and been impressed with its potential. However, it tends to be a bit easier to set it up in a straight IIS website than it is to set up in a SharePoint Web Application however. Sometimes web.config files can interfere with its functionality, for example. The net effect is that sometimes DelegConfig version 1 works and version 2 Beta doesn't. And other times it is the other way around. So I tend to like to "install" both versions.

Here are the steps I use.

 

Download and Unzip

 
 

Download DelegConfig2 Beta from  https://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1887 to the web server and save it under C:\inetpub\wwwroot\DelegConfig2\.

Unzip it to C:\inetpub\wwwroot\DelegConfig2.    

(You can save it anywhere you like, but permissions tend to be set up well in wwwroot.  You may have to adjust NTFS permissions there too.  Wherever you save it to, try not to save it in or under a folder that has a web.config in it.)

Download DelegConfig 1 from https://www.iis.net/community/default.aspx?tabid=34&g=6&i=1434 to the web server and save it under C:\inetpub\wwwroot\DelegConfig1.  

Unzip it to C:\inetpub\wwwroot\DelegConfig1.

Open the IIS manager and drill down into the website you're troubleshooting your Kerberos problem on.  (If you're just testing the tool out, just make sure the site you choose has Windows Authentication set.)

 
 

Create two applications in IIS

 
 

Right click on the web site and select Add Application.  (Steps are almost identical for both IIS 6.0 and IIS 7.x.)

 
 

 
 

Make the first application for DelegConfig2 and give it the path of C:\inetpub\wwwroot\DelegConfig2\kerberos.

Also ensure that this application is assigned to the same application pool as the other application you're troubleshooting.

 
 

You should see Default.aspx in this virtual directory.  (In IIS 7.x you'll have to click on "Content View" to see it, however.)

 
 

 
 

 
 

Add another application to the same website for DelegConfig1 and path it to C:\inetpub\wwwroot\DelegConfig1\Kerberos.  

 
 

 
 

Adjust NTFS Permissions?

 
 

From Windows Explorer, adjust NTFS permissions on the delegconfig1 and delegconfig2 folders if needed.   The users who will browse to the page need to have Read and Execute permissions.

 
 

Local Browsing Tests

 
 

Try browsing locally to the default.aspx page of DelegConfig2 and DelegConfig1 as well just to see if one or both pages serve at all.   Hopefully DelegConfig 2 Beta works.  If not, settle for DelegConfig 1.

 
 

 
 

DelegConfig's Default.aspx should look like this:

Remote Workstation Browsing/Testing

 
 

To really begin to test out the delegation, browse to the same pages from a remote client. 

Browse to default.aspx page and click REPORT.

 
 

Don't forget to add a backend server to test out delegation.  Start by clicking the "Add Back-End Server" button.