Configure Windows Server IIS for constrained delegation

1. Return to or sign in to your Windows Server.
2. Start the Internet Information Services (IIS) application.
3. Navigate to the default Web Site.
   
4. Double-click Authentication. and configure:
   Anonymous access:Disabled
   Windows Authentication:Enabled
   
5. Exit Internet Information Services (IIS).
6. Start the Active Directory Users and Computers application.
7. Navigate to the previously added Access Gateway service account user.
8. Select the user, right-click and select properties.
9. Select the Delegation tab.
10. Select Trust this user for delegation to specified services only and enable Use any authentication protocol.
    
11. Click Add.
12. Add your IIS host to the delegation.
13. Click Check Name to verify that server has joined to the domain.
14. Click OK.
    

15. In the Add Services dialog box, select the delegation protocol and click OK
    

16. Exit the Internet Information Services (IIS) application

Validate

To test, we will simulate a Kerberos sign in:

1. Start the the Active Directory Users and Computers application.
2. Select Access Gateway instance, in this example idaasgateway.net, and then > Users > New User.
   
3. Create a new Okta Access Gatewayuser and click Next.
   For example:
   First name: test
   Last name: user
   User logon name: testuser
   
4. Complete the new user.
5. Return to the Access Gateway Admin UI console.
6. Navigate to Settings.
7. Click the Simulate button.
   

8. Enter test user and host. Specifically use the test user and the FQDN of the IIS server host, which is the same as the DC.
   

Next steps

Create an Microsoft IIS IWA application