IIS Integrated Authentication options
Argh, it's a pain, and there are a million pages on it on the Interweb.
I'm approaching from the direction of getting BizTalk's BAM Portal working. Hurdle one: it will only run on 32-bit IIS servers, which means it can't run on our BizTalk hosts (as they are in 64-bit mode). So we plonked it on our Intranet server.
Next, authentication. You need to use the BizTalk configuration tool to set up the portal unless you want to hack about. It encrypts logon details into the registry based on the service account used during the setup.
In order to access BAM, you need to use Integrated Authentication in IIS to allow users to authenticate correctly. This boils down to three options:
- Kerberos
- NTLM
- Plain-text
Kerberos is a pain because you need to make sure all the AppPools on the server are running under the same identity (e.g. a service account for that server). You then need to manually assign an SPN (Service Principal Name) in Active Directory to this AppPool's service account.
This is because the DC encrypts the Kerberos ticket with the password of the account the SPN is registered to, so it needs to know which password to use when there are multiple AppPool identities (the Network Service and Local Service accounts are normally fine, but BAM can't be configured with them).
NTLM is a pain because it doesn't allow you to "double-hop", so anything that needs to pass the user's authentication details on to another server won't work. Kerberos allows this. Kerberos also requires a bit of a fiddle with non-IE browsers, whereas NTLM is widely supported.
The final option is plain-text, but this is horrible too, as your NT passwords get dumped around your network in the clear, unless of course you use SSL. This also allows for double-hop, as the IIS server gets a copy of your password (which, from the server's point of view, is essentially in the clear).
But do you trust your password to an IIS server?
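To see which of these three options a given site actually ends up with, here is an added PowerShell check (not from the original post). It assumes the IIS WebAdministration module is available, that the site is called 'Default Web Site', and uses a placeholder service account 'DOMAIN\svc-bamportal' for the AppPool identity.

```powershell
# Added example (not from the original post): audit how an IIS site is set up for
# Integrated Authentication, so you can see which option is actually in play.
# Assumptions: WebAdministration module (IIS 7+), site 'Default Web Site', and the
# placeholder AppPool account 'DOMAIN\svc-bamportal'.
Import-Module WebAdministration

$site    = 'Default Web Site'
$account = 'DOMAIN\svc-bamportal'   # placeholder: replace with the real AppPool identity
$psPath  = "IIS:\Sites\$site"

# 1. Kerberos needs every AppPool that shares the SPN to run as the same identity.
Write-Host 'AppPool identities:'
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm = $_.processModel
    '{0,-30} {1,-25} {2}' -f $_.Name, $pm.identityType, $pm.userName
}

# 2. The SPNs registered against that account (this is how the DC picks the password).
Write-Host "`nSPNs for $account :"
setspn -L $account

# 3. Which Windows auth providers are offered, and in what order.
#    'Negotiate' listed first means Kerberos is tried before falling back to NTLM.
$winAuth = '/system.webServer/security/authentication/windowsAuthentication'
$enabled = (Get-WebConfigurationProperty -Filter $winAuth -Name enabled -PSPath $psPath).Value
Write-Host "`nWindows Authentication enabled: $enabled"
(Get-WebConfiguration -Filter "$winAuth/providers" -PSPath $psPath).Collection |
    ForEach-Object { "  provider: $($_.value)" }

# 4. Basic ("plain-text") auth is only acceptable when the site has an HTTPS binding.
$basicAuth = '/system.webServer/security/authentication/basicAuthentication'
$basicOn   = (Get-WebConfigurationProperty -Filter $basicAuth -Name enabled -PSPath $psPath).Value
$hasHttps  = [bool](Get-WebBinding -Name $site -Protocol https)
Write-Host "`nBasic Authentication enabled: $basicOn   HTTPS binding present: $hasHttps"
if ($basicOn -and -not $hasHttps) {
    Write-Warning 'Basic auth is on without an HTTPS binding: passwords would cross the network in the clear.'
}
```

Run it in an elevated PowerShell on the IIS box; if step 2 lists no SPNs for the account while Negotiate is the first provider, clients will silently fall back to NTLM and the double-hop will fail.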