Question

Kerberos authentication supports delegation, but delegation needs cooperation between the client and the server.

If the client uses SSPI, for example, it must set the ISC_REQ_DELEGATE flag when invoking InitializeSecurityContext.

If the server, IIS (more accurately, applications running on IIS), wants to use the client's authentication for another remote access, clients (the IE browser) have to use delegation, but how do they know the server wants to do so?


Solution

This depends a bit on browsers. The SSPI actually uses two things to control delegation. First, the ISC_REQ_DELEGATE flag to InitializeSecurityContext needs to be set, as you discuss. Second, though, the computer account in Active Directory must include the trusted-for-delegation flag. This flag is also called ok-as-delegate in the Kerberos documentation. The idea is that a browser can always set the delegation-requested flag in InitializeSecurityContext, but Active Directory decides whether delegation works. IE normally does set that flag and normally does support delegation if the web server's computer account permits. See here for a discussion of how to configure delegation in Firefox.
See here for a discussion of how to configure the web server's computer account. And see here for a discussion of delegation, its risks, and constrained delegation, which is an alternative that doesn't require browser cooperation. See this RFC for a discussion of how your HTTP client can use the ok-as-delegate flag if you need to code to GSS-API rather than SSPI.
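The answer's server-side half is an Active Directory setting: the KDC only marks tickets ok-as-delegate for accounts the directory trusts for delegation. The following audit script is an added example, not code from the answer; it assumes the RSAT ActiveDirectory module and read access to the domain, and reports each computer account's delegation mode so that unconstrained delegation (the risky setting the answer mentions) can be reviewed and, where possible, replaced by constrained delegation.

```powershell
# Added example: audit which computer accounts AD trusts for delegation.
# Assumes the ActiveDirectory RSAT module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

# userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000) = unconstrained delegation.
$TrustedForDelegationBit = 0x80000

function Get-DelegationAudit {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties userAccountControl, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    ForEach-Object {
        $unconstrained = ($_.userAccountControl -band $TrustedForDelegationBit) -ne 0
        # msDS-AllowedToDelegateTo lists the SPNs a constrained delegate may forward to.
        $targets = @($_.'msDS-AllowedToDelegateTo')
        $mode = if ($unconstrained) { 'Unconstrained' }
                elseif ($targets.Count -gt 0) { 'Constrained' }
                else { 'None' }
        [pscustomobject]@{
            Name               = $_.Name
            DelegationMode     = $mode
            # TrustedToAuthForDelegation = protocol transition (S4U2Self) is enabled.
            ProtocolTransition = [bool]$_.TrustedToAuthForDelegation
            AllowedTargets     = ($targets -join ';')
        }
    }
}

# Unconstrained hosts receive a copy of every authenticating client's TGT, so they are
# the entries to review first; constrained entries should list only the intended SPNs.
Get-DelegationAudit | Where-Object DelegationMode -ne 'None' |
    Sort-Object DelegationMode | Format-Table -AutoSize
```

Run with an account that can read the domain; the web server from the question should appear as Constrained with only its back-end SPNs listed, not as Unconstrained.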

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow