In brief:

This application will not work without modification, because it was written for the company I work for. With a few small changes, however, you should be able to run it in your own environment.

Feel free to contact me if you need help to get it running on your webserver ;-)

To keep response times short for its users, this tool reads part of its data from text files. These text files are created by PowerShell scripts, which you can also find in the Source code section of this page.
I recommend running those scripts as Scheduled Tasks so that the data stays current.

I named the dev version of my tool delinpocs. The name is not hardcoded and can be changed to whatever you like; it only appears in the screenshots.

Environment:

This website runs on, and was only tested with, IIS 7.5 on a Windows Server 2008 R2 machine.
It requires .NET Framework 4.5, Windows PowerShell 4.0, Active Directory Users & Computers, and
the Exchange Management Console, all installed on the web server itself.

Configuration in DNS:

Create an A record named after your application. This name must match the HTTP SPN you register below, and I recommend using it as the application pool name as well. Use an A record rather than a CNAME: Windows clients build the SPN from the host name they connect to, and with a CNAME some clients request a ticket for the canonical host name instead, which then matches none of the SPNs you registered. In the screenshots the name is delinpocs, but it can be changed according to your taste ;-)

Configuration in Active Directory:

On the web server's computer object, enable delegation by choosing 'Trust this computer for delegation to any service (Kerberos only)'.
Note that this is unconstrained delegation: once a user has authenticated to the web server, the server holds a ticket it can use to impersonate that user against any service in the domain, which makes the web server a high-value target. If your environment permits it, 'Trust this computer for delegation to specified services only', limited to the Exchange and file-server services the tool actually calls, is the safer choice.

ad1.png

Add the following service principal names to the web server's computer object (the two HOST entries are normally registered automatically when the computer joins the domain; the HTTP entries are the ones you have to add):
- HOST/Servername
- HOST/Servername (FQDN)
- HTTP/Servername
- HTTP/Servername (FQDN)
- HTTP/otherDNSname <- the one for your application name
- HTTP/otherDNSname (FQDN) <- the one for your application name

An SPN that is registered on more than one account breaks Kerberos for all of them, so check for duplicates (setspn -X) before and after adding them.
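The DNS and Active Directory steps above, as one script. This is an added example and not part of the original project; it assumes a web server named WEB01 in the domain corp.example.com at 10.0.0.5, the application name delinpocs and a DNS server DC01 (all of these are placeholders to replace). It runs on a machine with RSAT (the ActiveDirectory module, dnscmd.exe and setspn.exe) under an account that may edit the computer object and the DNS zone. It follows the page and enables unconstrained delegation; the duplicate-SPN check is the part most worth keeping, because a duplicate SPN is the most common reason Kerberos silently falls back to NTLM or fails.

```powershell
# Added example, not code from the original project. Placeholder names below.
Import-Module ActiveDirectory

$server  = 'WEB01'               # web server computer name
$domain  = 'corp.example.com'    # AD DNS domain / DNS zone
$appName = 'delinpocs'           # application name = A record = HTTP SPN
$dnsSrv  = 'DC01'                # DNS server hosting the zone
$webIp   = '10.0.0.5'            # address of the web server

# 1. A record (not a CNAME) for the application name.
#    dnscmd <server> /RecordAdd <zone> <node> <type> <data>
& dnscmd $dnsSrv /RecordAdd $domain $appName A $webIp

# 2. Delegation on the computer object, as the page describes it
#    (unconstrained: "trust this computer for delegation to any service").
Set-ADComputer -Identity $server -TrustedForDelegation $true

# 3. SPNs. HOST/<name> and HOST/<fqdn> exist by default; HTTP/* must be added.
$spns = @(
    "HOST/$server", "HOST/$server.$domain",
    "HTTP/$server", "HTTP/$server.$domain",
    "HTTP/$appName", "HTTP/$appName.$domain"
)

# Refuse to continue if any SPN already belongs to a different account:
# a duplicate SPN makes the KDC unable to pick a key and Kerberos breaks for both.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    foreach ($o in $owners) {
        if ($o.sAMAccountName -ne "$server$") {
            throw "SPN $spn is already registered on $($o.sAMAccountName)"
        }
    }
}

# Add only the SPNs that are not on the object yet (adding an existing value fails).
$existing = (Get-ADComputer -Identity $server -Properties ServicePrincipalName).ServicePrincipalName
$missing  = @($spns | Where-Object { $existing -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADComputer -Identity $server -ServicePrincipalNames @{Add = $missing}
}

# Verify what the object now carries, then run the forest-wide duplicate check.
Get-ADComputer -Identity $server -Properties ServicePrincipalName, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ' ' } }
& setspn -X
```

If the application pool is later changed to run as a dedicated domain service account instead of the built-in ApplicationPoolIdentity, the HTTP SPNs (and the delegation setting) belong on that account, not on the computer object; the script above assumes the page's setup, where the pool runs as the machine account.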

ad2.png

Configuration of the .Net:

This tool runs PowerShell from C# classes in order to talk to Exchange and to set the NTFS permissions on the user's home drive. That PowerShell code has to run as the user who is using the application (the authenticated, impersonated user), not as the application pool identity. By default the impersonated identity does not flow to the additional threads the PowerShell runspaces run on, so you must change the aspnet.config files in all of the following folders:

.NET 2.0 32-bit: C:\Windows\Microsoft.NET\Framework\v2.0.50727
.NET 2.0 64-bit: C:\Windows\Microsoft.NET\Framework64\v2.0.50727
.NET 4.0 32-bit: C:\Windows\Microsoft.NET\Framework\v4.0.30319
.NET 4.0 64-bit: C:\Windows\Microsoft.NET\Framework64\v4.0.30319

In each file, set the two impersonation elements inside the existing <runtime> element to these values (by default they are the other way round):

<runtime>
    <legacyImpersonationPolicy enabled="false"/>
    <alwaysFlowImpersonationPolicy enabled="true"/>
</runtime>
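The aspnet.config change, applied to all four files by script. This is an added example, not part of the original project. It keeps a backup of each file, creates the elements if a file does not already contain them, and otherwise only changes the enabled attribute; run it elevated and recycle IIS (iisreset) afterwards, because aspnet.config is read when an application domain starts.

```powershell
# Added example, not code from the original project. Run elevated.
$configs = @(
    "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet.config",
    "$env:windir\Microsoft.NET\Framework64\v2.0.50727\aspnet.config",
    "$env:windir\Microsoft.NET\Framework\v4.0.30319\aspnet.config",
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet.config"
)

# element name -> required value of its "enabled" attribute
$wanted = @{
    legacyImpersonationPolicy     = 'false'
    alwaysFlowImpersonationPolicy = 'true'
}

foreach ($file in $configs) {
    if (-not (Test-Path $file)) {
        Write-Warning "not found, skipped: $file"   # e.g. no Framework64 on 32-bit
        continue
    }
    Copy-Item $file "$file.bak" -Force

    [xml]$xml = Get-Content $file
    $runtime = $xml.configuration.SelectSingleNode('runtime')
    if (-not $runtime) {
        $runtime = $xml.configuration.AppendChild($xml.CreateElement('runtime'))
    }
    foreach ($name in $wanted.Keys) {
        $el = $runtime.SelectSingleNode($name)
        if (-not $el) { $el = $runtime.AppendChild($xml.CreateElement($name)) }
        $el.SetAttribute('enabled', $wanted[$name])
    }
    $xml.Save($file)

    # Show the result so the change can be eyeballed per file.
    $legacy = $runtime.SelectSingleNode('legacyImpersonationPolicy').GetAttribute('enabled')
    $flow   = $runtime.SelectSingleNode('alwaysFlowImpersonationPolicy').GetAttribute('enabled')
    Write-Host ("{0}: legacyImpersonationPolicy={1} alwaysFlowImpersonationPolicy={2}" -f $file, $legacy, $flow)
}
```

Strictly speaking only the file of the runtime the application pool actually uses (on a 64-bit server with a 64-bit .NET 4 pool, Framework64\v4.0.30319) affects this application; the page changes all four so that the behaviour is the same whichever pool settings you end up with.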

Configure IIS related Kerberos buffer:

This change keeps the tool working even when a user is a member of several hundred groups. The group SIDs travel inside the Kerberos ticket, the ticket arrives in the HTTP Authorization header, and HTTP.sys rejects the request with an HTTP 400 when a header is longer than MaxFieldLength (default 16 KB). Both values below are decimal and are the maximums HTTP.sys accepts; the HTTP service must be restarted (or the server rebooted) before they take effect.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
"MaxRequestBytes"=dword (decimal) 16777216
"MaxFieldLength"=dword (decimal) 65534
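The registry change as a script, added here as an example (not part of the original project). It writes the values as decimal DWORDs, prints them back in hex so that they can be compared with what the registry editor shows, and restarts HTTP.sys, which also stops and restarts the IIS services that depend on it; run it elevated during a maintenance window.

```powershell
# Added example, not code from the original project. Run elevated.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$values = @{
    MaxFieldLength  = 65534      # max length of a single header (decimal, 0xFFFE)
    MaxRequestBytes = 16777216   # max size of request line + headers (decimal, 0x1000000)
}

foreach ($name in $values.Keys) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $values[$name]) {
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
        Write-Host ("{0}: {1} -> {2}" -f $name, ($current -as [string]), $values[$name])
    }
}

# Read back as hex: this is what regedit displays next to the decimal value.
$stored = Get-ItemProperty -Path $key -Name MaxFieldLength, MaxRequestBytes
'MaxFieldLength=0x{0:X8} MaxRequestBytes=0x{1:X8}' -f $stored.MaxFieldLength, $stored.MaxRequestBytes

# HTTP.sys is shared by W3SVC and WAS; /y stops them too, so start the web
# server again afterwards (net start also starts the services it depends on).
net stop http /y
net start w3svc
```

If users still get HTTP 400 after this, the remaining limit is on the client side (MaxTokenSize) or the ticket is simply too large; the sizes above are the ceiling HTTP.sys allows, not a value to raise further.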

Configure IIS:

1. Add a new web site and name it like your application.

iis-0.png


2. Open the server's ISAPI and CGI Restrictions and verify that ASP.NET v4.0.30319 is allowed.

iis-1.png
iis-2.png


3. Configure the application pool of the application: managed pipeline mode 'Integrated', .NET Framework v4.0.

iis-3.png


4.
a) Under Authentication, enable ASP.NET Impersonation and Windows Authentication and disable everything else (in particular Anonymous Authentication).

iis-4.png

b) Open the providers of Windows Authentication and choose the Kerberos-only Negotiate provider (shown as 'Negotiate:Kerberos' in IIS 7.5); NTLM is not offered, so a client that cannot get a ticket fails instead of silently falling back.

iis-5.png

c) Set Extended Protection to Off and uncheck 'Enable Kernel-mode authentication'. With kernel mode off, the ticket is decrypted with the application pool identity, which is why the SPNs were registered on the account the pool runs as (here, the computer account).

iis-6.png


5.) Change the binding of the website and set the host header. The port can be any you like, but the host name must be the same as the A record you created earlier and must match the HTTP SPN you set on the computer object.

iis-7.png


6.) Grant read-only NTFS permissions to the application pool identity (here: IIS AppPool\delinpocs) on the directory where the website is located.

iis-8.png

iis-9.png
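Steps 1 to 6 as one script, using the WebAdministration module that ships with IIS 7.5. This is an added example, not the project's own code or installer. It assumes the application name delinpocs, content in D:\inetpub\delinpocs and the host header delinpocs.corp.example.com on port 80 (placeholders); 'Negotiate:Kerberos' is the IIS 7.5 Kerberos-only provider that I take step 4b to mean. Run it elevated on the web server after the DNS, AD, aspnet.config and registry steps.

```powershell
# Added example, not code from the original project. Placeholder names below.
Import-Module WebAdministration

$name     = 'delinpocs'                    # site and application pool name
$path     = 'D:\inetpub\delinpocs'         # where the web site content lives
$hostName = 'delinpocs.corp.example.com'   # A record / HTTP SPN from the AD step
$port     = 80
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$auth     = 'system.webServer/security/authentication'

# 2. ISAPI and CGI Restrictions: the .NET 4 handler must be allowed.
#    applicationHost.config stores the path with a literal %windir%.
$isapi = "system.webServer/security/isapiCgiRestriction/add[@path='%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll']"
if (-not (Get-WebConfiguration -PSPath $appHost -Filter $isapi)) {
    throw 'ASP.NET 4 is not registered in IIS; run aspnet_regiis.exe -i from the v4.0.30319 folder first'
}
Set-WebConfigurationProperty -PSPath $appHost -Filter $isapi -Name allowed -Value $true

# 3. Application pool: .NET 4, integrated pipeline, default ApplicationPoolIdentity.
if (-not (Test-Path "IIS:\AppPools\$name")) { New-WebAppPool -Name $name | Out-Null }
Set-ItemProperty "IIS:\AppPools\$name" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$name" -Name managedPipelineMode   -Value 'Integrated'

# 1. + 5. Site with a host-header binding that matches the A record and the SPN.
if (-not (Test-Path "IIS:\Sites\$name")) {
    New-Website -Name $name -PhysicalPath $path -ApplicationPool $name `
        -Port $port -HostHeader $hostName | Out-Null
}

# 4a. Windows Authentication and ASP.NET Impersonation on, everything else off.
foreach ($method in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath $appHost -Location $name -Filter "$auth/$method" -Name enabled -Value $false
}
Set-WebConfigurationProperty -PSPath $appHost -Location $name -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$name" -Filter 'system.web/identity' -Name impersonate -Value $true

# 4b. Providers: replace the default Negotiate + NTLM list with the Kerberos-only provider.
$providers = "$auth/windowsAuthentication/providers"
foreach ($p in (Get-WebConfigurationProperty -PSPath $appHost -Location $name -Filter $providers -Name Collection)) {
    Remove-WebConfigurationProperty -PSPath $appHost -Location $name -Filter $providers -Name '.' -AtElement @{ value = $p.value }
}
Add-WebConfigurationProperty -PSPath $appHost -Location $name -Filter $providers -Name '.' -Value @{ value = 'Negotiate:Kerberos' }

# 4c. Kernel-mode authentication off (pool identity decrypts the ticket), Extended Protection off.
Set-WebConfigurationProperty -PSPath $appHost -Location $name -Filter "$auth/windowsAuthentication" -Name useKernelMode -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $name -Filter "$auth/windowsAuthentication/extendedProtection" -Name tokenChecking -Value 'None'

# 6. Read-only NTFS access for the pool identity on the content directory.
icacls $path /grant "IIS AppPool\${name}:(OI)(CI)RX"
```

To confirm that Kerberos, not NTLM, is actually used, browse to the site from a domain-joined client and run klist there: a ticket for HTTP/delinpocs.corp.example.com (the assumed name) should be listed. If the browser prompts for credentials or the ticket is missing, the usual culprits are a missing or duplicate HTTP SPN, a CNAME instead of an A record, or the site being in the Internet zone instead of the Intranet zone on the client.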

Environment configured. Now adjust the source code and enjoy the application :-)

Last edited Feb 13, 2015 at 12:25 PM by Juanito99, version 26