Environment
Directory Resource Administrator 9.2.x
Situation
When using the DRA Web Client UI it is possible to configure the authentication method to be Windows Authentication. This method allows the web browser to read the credentials of the logged-on user and pass them securely to the IIS Server. The IIS Server will then pass those credentials on to the selected DRA REST and DRA HOST Services. These services sit between the Web Client and the DRA Administration Service used to perform the DRA operations. By default the IIS Server will not allow these credentials to be passed to services on a remote OS. If the request from the IIS Server hosting the DRA Client fails to include the user credentials, the REST and HOST Services will deny the connection and report an error regarding an invalid user name and password.
Resolution
The following steps outline the process used to configure DRA Rest Services, IIS Server settings, and AD object settings. This configuration will allow the DRAClient Web application to use any DRA REST or DRA Host Service.
Create Service Principal Names (SPNs) linking each DRA REST and DRA Host Server to the DRA Service Account
1. Open an Administrator CMD prompt in the context of the DRA service account (or another Domain Admin level account).
   Note: The CMD prompt can be run from any Member Server within the AD Domain hosting the DRA Server(s).
2. Create an SPN for each DRA REST and HOST server.
   a. Create a DRA REST Service SPN, using both the flat name and FQDN of the computer name of each DRA REST server.
      i. SetSpn -U -A NetIQDRARest/<FQDN of REST server> <DomainName>\<service account name>
         Example: DRA REST server with a FQDN of HouDRA01.Houts.lab, and service account Houts\Dra.Service:
         Setspn -U -A NetIQDRARest/HouDra01.houts.lab Houts\dra.service
      ii. SetSpn -U -A NetIQDRARest/<flat name of REST server> <DomainName>\<service account name>
         Example: DRA REST server flat name of HouDRA01, and service account Houts\Dra.Service:
         Setspn -U -A NetIQDRARest/HouDra01 Houts\dra.service
      iii. Repeat the above step for every Windows OS name hosting the NetIQ DRA REST Service.
   b. Create a DRA HOST Service SPN, using both the flat name and FQDN of the computer name of each DRA HOST server.
      i. SetSpn -U -A NetIQDRAHost/<FQDN of HOST server> <DomainName>\<service account name>
         Example: DRA HOST server FQDN of HouDRA01.houts.lab, and service account Houts\Dra.Service:
         Setspn -U -A NetIQDRAHost/HouDra01.houts.lab Houts\dra.service
      ii. SetSpn -U -A NetIQDRAHost/<flat name of HOST server> <DomainName>\<service account name>
         Example: DRA HOST server flat name of HouDRA01, and service account Houts\Dra.Service:
         Setspn -U -A NetIQDRAHost/HouDra01 Houts\dra.service
      iii. Repeat the above step for every Windows OS name hosting the NetIQ DRA HOST Service.
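The SPN registration above, scripted as an added example that is not part of the KB article: it derives the FQDN and flat-name SPNs for every REST/HOST server, refuses to add an SPN that another object already holds (a duplicate SPN breaks Kerberos for both holders and surfaces as the same invalid user name and password error), and registers the rest with the same setspn command the article uses. Requires the ActiveDirectory module and Domain Admin rights; the server, domain and account names are illustrative placeholders.

```powershell
# Added example, not from the KB article. Register the DRA REST/HOST SPNs on the
# service account, skipping duplicates held by other AD objects.
Import-Module ActiveDirectory

$Domain         = 'Houts'                      # NetBIOS domain name (placeholder)
$ServiceAccount = 'dra.service'                # sAMAccountName of the DRA service account (placeholder)
$RestServers    = @('HouDra01.houts.lab')      # FQDNs of hosts running the DRA REST service (placeholder)
$HostServers    = @('HouDra01.houts.lab')      # FQDNs of hosts running the DRA HOST service (placeholder)

# Both the FQDN and the flat (NetBIOS) form are needed, as in steps 2a and 2b above.
function Get-DraSpnList {
    param([string[]]$Fqdns, [string]$ServiceClass)
    foreach ($fqdn in $Fqdns) {
        "$ServiceClass/$fqdn"
        "$ServiceClass/$($fqdn.Split('.')[0])"
    }
}

$wanted = @(Get-DraSpnList $RestServers 'NetIQDRARest') +
          @(Get-DraSpnList $HostServers 'NetIQDRAHost')

$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
foreach ($spn in $wanted) {
    if ($account.servicePrincipalName -contains $spn) {
        Write-Host "already registered: $spn"
        continue
    }
    # Any other object holding this SPN is a conflict; never add a duplicate.
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($holder) {
        Write-Warning "$spn is already held by $($holder.DistinguishedName); resolve that first"
        continue
    }
    # Same command as the article; -U treats the target as a user account.
    & setspn.exe -U -A $spn "$Domain\$ServiceAccount"
}

# Final check: every wanted SPN should now be present on the service account.
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$missing = @($wanted | Where-Object { $account.servicePrincipalName -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "still missing: $($missing -join ', ')"
} else {
    Write-Host 'all DRA SPNs are registered on the service account'
}
```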
Enable delegation for the REST and HOST Service account
1. Use ADUC to search for the AD account running the NetIQ DRA REST or HOST Service on each service instance.
   a. You will need to perform these operations using an AD account with Domain Admin rights.
2. From the account properties window, select the Delegation tab.
3. From the Delegation tab, choose the options 'Trust this user for delegation to the specified services only' and 'Use any authentication protocol'.
4. Use the Add button to add a service to the delegation list.
5. From the Add Services window, search for the DRA REST and HOST Service account.
6. From the Add Services window, select the Service Types of NetIQDRARest or NetIQDRAHost whose user or computer name value equals both the flat name and FQDN of each OS hosting the DRA REST or HOST Service.
Enable delegation for the IIS server computer account
1. Use ADUC to search for the computer account of each IIS Server used to host the DRAClient Web Application.
   a. You will need to perform these operations using an AD account with Domain Admin rights.
2. From the account properties window, select the Delegation tab.
3. From the Delegation tab, choose the options 'Trust this user for delegation to the specified services only' and 'Use any authentication protocol'.
4. Add a service to the delegation list using the Add button.
5. From the Add Services window, search for the DRA REST and HOST Service account.
6. From the Add Services window, select the Service Types of NetIQDRARest or NetIQDRAHost whose user or computer name value equals both the flat name and FQDN of each OS hosting the DRA REST or HOST Service.
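A verification of the two delegation sections above (the service account and the IIS computer accounts), added here as an example and not part of the KB article. The ADUC choices 'Trust ... for delegation to the specified services only' plus 'Use any authentication protocol' correspond to constrained delegation with protocol transition: the target SPNs appear in msDS-AllowedToDelegateTo and the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl is set. The check also flags unconstrained delegation (TRUSTED_FOR_DELEGATION), which would let the account impersonate users to any service rather than only the DRA ones. Names are illustrative placeholders; requires the ActiveDirectory module.

```powershell
# Added example, not from the KB article. Audit the delegation settings produced by
# the ADUC steps above for the service account and each IIS computer account.
Import-Module ActiveDirectory

$ServiceAccount = 'dra.service'                 # DRA REST/HOST service account (placeholder)
$IisComputers   = @('HouWeb01')                 # computer names of IIS servers hosting DRAClient (placeholder)
$DraServers     = @('HouDra01.houts.lab')       # FQDNs of DRA REST/HOST hosts (placeholder)

# Expected delegation targets: REST and HOST SPNs in FQDN and flat-name form.
$Expected = foreach ($fqdn in $DraServers) {
    foreach ($class in 'NetIQDRARest', 'NetIQDRAHost') {
        "$class/$fqdn"
        "$class/$($fqdn.Split('.')[0])"
    }
}

function Test-DraDelegation {
    param($Object)   # an ADUser or ADComputer fetched with the two properties below
    $uac           = [int]$Object.userAccountControl
    $unconstrained = ($uac -band 0x80000)   -ne 0   # TRUSTED_FOR_DELEGATION: must be off
    $anyProtocol   = ($uac -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION: required by the article
    $allowed       = @($Object.'msDS-AllowedToDelegateTo')
    $missing       = @($Expected | Where-Object { $allowed -notcontains $_ })
    $extra         = @($allowed  | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{
        Account       = $Object.Name
        Unconstrained = $unconstrained
        AnyProtocol   = $anyProtocol
        MissingSpns   = ($missing -join ',')
        ExtraSpns     = ($extra -join ',')    # targets beyond the DRA services deserve a review
        Ok            = (-not $unconstrained) -and $anyProtocol -and ($missing.Count -eq 0)
    }
}

$props   = 'userAccountControl', 'msDS-AllowedToDelegateTo'
$objects = @(Get-ADUser -Identity $ServiceAccount -Properties $props) +
           @($IisComputers | ForEach-Object { Get-ADComputer -Identity $_ -Properties $props })
$objects | ForEach-Object { Test-DraDelegation $_ } | Format-Table -AutoSize
```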
Update the application configuration files used by the DRA REST server
1. Modify the NetIQRestProxy\restProxy.config file on each DRA REST Server.
   a. Default path: %ProgramData%\NetIQRestProxy\restProxy.config
   b. Create a backup copy of the file.
   c. Change line 9, which starts with <consoleConfiguration, to be:
      i. <consoleConfiguration autoLogoutAfter="20" allowCustomJavaScript="false" taskEnumTimerMsDelay="750" restServerSpn="<SPN of a remote DRA REST Server>">
      ii. The format for the SPN will look like NetIQDRARest/houdvdr890.drdom691.lab
      iii. The server name should be any DRA REST Server other than the local host.
   d. These steps must be done on every DRA REST Server.
2. Modify the DRA REST Service configuration file on each DRA REST Server.
   a. Default path: C:\Program Files (x86)\NetIQ\DRA Extensions\NetIQ.DRA.RestService.exe.config
   b. Create a backup copy of the file.
   c. Change line 7, which starts with <customAppSettings, to be:
      i. <customAppSettings hostServerSpn="<SPN of a remote DRA REST Server>">
      ii. The format for the SPN will look like NetIQDRARest/houdvdr890.drdom691.lab
      iii. The server name should be any DRA REST Server other than the local host.
   d. Change line 45, which starts with <servicePrincipalName, to be:
      i. <servicePrincipalName value="<SPN of a remote DRA REST Server>">
      ii. The format for the SPN will look like NetIQDRARest/houdvdr890.drdom691.lab
      iii. The SPN name should be the same name as the value used in line 7.
   e. These steps must be done on every DRA REST Server.
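A consistency check for the two configuration edits above, added as an example that is not part of the KB article: run on each DRA REST server, it confirms that restServerSpn, hostServerSpn and servicePrincipalName are set (not still the placeholder), have the NetIQDRARest/<server> form the article shows, point at a server other than the local host, and that the two values in NetIQ.DRA.RestService.exe.config agree. The file paths are the article's defaults; the element and attribute names in the XPath expressions are taken from the lines quoted above, and the local-host test assumes the SPN host part is the machine's FQDN or flat name.

```powershell
# Added example, not from the KB article. Validate the SPN attributes in the two
# DRA REST configuration files edited above.
$files = @{
    Proxy   = Join-Path $env:ProgramData 'NetIQRestProxy\restProxy.config'
    Service = 'C:\Program Files (x86)\NetIQ\DRA Extensions\NetIQ.DRA.RestService.exe.config'
}

# Read one attribute value from an XML config file via XPath; $null if absent.
function Get-SpnAttribute {
    param([string]$Path, [string]$XPath)
    $xml  = [xml](Get-Content -Path $Path -Raw)
    $node = $xml.SelectSingleNode($XPath)
    if ($null -eq $node) { return $null }
    return $node.Value
}

# Return a problem description for one SPN value, or $null when it looks right.
function Test-DraRestSpn {
    param([string]$Label, [string]$Spn)
    $localNames = @($env:COMPUTERNAME, [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    if ([string]::IsNullOrWhiteSpace($Spn) -or $Spn -like '*<*') {
        return "${Label}: SPN is missing or still the <placeholder> text"
    }
    if ($Spn -notmatch '^NetIQDRARest/([^/\s]+)$') {
        return "${Label}: '$Spn' is not of the form NetIQDRARest/<server>"
    }
    if ($localNames -contains $Matches[1]) {
        return "${Label}: '$Spn' names this host; it must name a remote DRA REST server"
    }
    return $null
}

$restSpn = Get-SpnAttribute $files.Proxy   '//consoleConfiguration/@restServerSpn'
$hostSpn = Get-SpnAttribute $files.Service '//customAppSettings/@hostServerSpn'
$svcSpn  = Get-SpnAttribute $files.Service '//servicePrincipalName/@value'

$problems = @(@(
    Test-DraRestSpn 'restProxy.config restServerSpn' $restSpn
    Test-DraRestSpn 'RestService.exe.config hostServerSpn' $hostSpn
    Test-DraRestSpn 'RestService.exe.config servicePrincipalName' $svcSpn
) | Where-Object { $_ })
if ($hostSpn -and $svcSpn -and ($hostSpn -ne $svcSpn)) {
    $problems += "hostServerSpn ('$hostSpn') and servicePrincipalName ('$svcSpn') must match"
}
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'DRA REST SPN settings look consistent' }
```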
Configure the DRA Client web application configuration to use Windows Authentication
1. Locate the Web.Config file for the DRA REST Web Application.
   a. Default path: C:\inetpub\wwwroot\DRAClient\rest\Web.Config
   b. Back up the file.
   c. Change line 33, which starts with <authentication mode=, to:
   d. <authentication mode="Windows" />
   e. These steps must be done on every IIS Server.
Configure each IIS server to use Windows Authentication
1. Use Windows IIS Manager to change the authentication for the REST Web Application.
   a. Navigate within IIS Manager down to: Server Name – Default Web Site – DRAClient – Rest
   b. Use the Authentication option to enable only Windows Authentication, and disable all other authentication types.
   c. Edit the Providers option of Windows Authentication to ensure the Negotiate provider is at the top of the list.
Restart the Services
1. Restart the NetIQ DRA Rest Service on every DRA REST Server.
2. Restart the IIS service on every IIS server.
Cause
The default behavior of IIS and the DRA REST service is to not allow impersonation or passing of the Windows user credentials to a remote machine. Without this ability, the IIS Server, DRA REST Server and DRA Host Server must reside on the same OS when using Windows Authentication.
Additional Information
Technical support recommends that you create a backup of all configuration files before making any changes. In addition, any DRA REST Service upgrade may revert the configuration files to the default settings.