The IIS Authentication Plug-in guide provides information about system requirements and how to install and configure the IIS Authentication plug-in on Windows.
This guide is intended for the Advanced Authentication domain administrators.
The Advanced Authentication IIS Authentication plug-in enables you to configure multi-factor authentication for the websites that are hosted and managed on the Microsoft IIS server. Users who want to access these websites must perform multi-factor authentication on the IIS server.
For example, Bob, an end user, wants to access his mail on Outlook Web Access (OWA) or the shared applications through Remote Desktop Web (RDWeb) that are hosted on the IIS server. He must perform multi-factor authentication using the IIS Authentication plug-in to get secure access to OWA or RDWeb.
The IIS Authentication plug-in uses the Service for User (S4U) impersonation feature to obtain the user token that it needs to interact with and secure the Windows resources hosted on the IIS server. Advanced Authentication performs the primary authentication, and then Windows authentication is required to acquire the access token for the identified user through S4U.
If the resources to be accessed are available on the local host, set the IIS Pool as LocalSystem. This applies to applications with resources on a single host, including small-scale implementations of OWA, RDWeb, or similar applications.
When the resources to be accessed are available on different hosts, S4U requires the following:
A domain user to manage the IIS Pool with the required privileges and groups.
Configure Kerberos constrained resource delegation.
An example of this usage is a multi-host service such as SharePoint with SQL hosted separately.
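A read-only check of the settings described above, as an added example that is not part of the product guide: it reports the application pool identity and, for a domain user, its groups and Kerberos delegation attributes. The pool name `ExamplePool` and back-end host `EXAMPLE-SQL01` are placeholders, and the script assumes the WebAdministration and ActiveDirectory PowerShell modules are installed.

```powershell
# Added example, not from the product guide. Reads settings only; changes nothing.
param(
    [string]$PoolName    = 'ExamplePool',    # placeholder application pool name
    [string]$BackendHost = 'EXAMPLE-SQL01'   # placeholder back-end computer account
)
Import-Module WebAdministration   # provides the IIS: drive
Import-Module ActiveDirectory     # provides Get-ADUser / Get-ADComputer

$pm     = (Get-Item "IIS:\AppPools\$PoolName").processModel
$report = [ordered]@{ Pool = $PoolName; IdentityType = "$($pm.identityType)" }

if ($pm.identityType -eq 'LocalSystem') {
    # Single-host case: the resources must be on this IIS server.
    $report.Note = 'LocalSystem: only for resources on the local host'
}
elseif ($pm.identityType -eq 'SpecificUser') {
    # Assumption: the pool account is stored as DOMAIN\user; keep the user part.
    $sam  = ($pm.userName -split '\\')[-1]
    $user = Get-ADUser -Identity $sam -Properties TrustedForDelegation,
                TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', MemberOf

    $report.Account = $user.SamAccountName
    $report.Groups  = $user.MemberOf -join '; '
    # Constrained delegation: the SPNs this account may delegate to.
    $report.AllowedToDelegateTo = $user.'msDS-AllowedToDelegateTo' -join '; '
    # Protocol transition flag (TRUSTED_TO_AUTH_FOR_DELEGATION) on the account.
    $report.ProtocolTransition  = $user.TrustedToAuthForDelegation
    # Unconstrained delegation is broader than constrained delegation.
    $report.Unconstrained       = $user.TrustedForDelegation
    if ($user.TrustedForDelegation) {
        Write-Warning "$sam is trusted for unconstrained delegation."
    }

    # Resource-based constrained delegation is recorded on the back-end host.
    $backend = Get-ADComputer -Identity $BackendHost `
                   -Properties PrincipalsAllowedToDelegateToAccount
    $report.BackendAllowsDelegationFrom =
        $backend.PrincipalsAllowedToDelegateToAccount -join '; '
}
else {
    # Multi-host S4U needs a domain user to run the pool.
    $report.Note = 'Pool runs as a built-in identity, not a domain user'
}

[pscustomobject]$report
```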