Konstantin Vlasenko

An engineer is someone who can make for a dollar what any fool could make for two. – Alan Kay

Tag Archives: kernel mode authentication

SPN checklist for Kerberos authentication with IIS 7.0/7.5

This post is more about the confusion that may arise around SPNs when setting up Kerberos authentication in IIS 7.0. IIS 7.0 has a new kernel-mode authentication feature, with which the ticket for the requested service is decrypted using the machine account (Local System) of the IIS server. By default it no longer depends on the application pool identity for this purpose, which in turn improves performance.

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

IIS 7.0 Kernel Mode Authentication by default

In Windows Server 2008, kernel mode authentication runs under the machine account, but Office Communications Server 2007 R2 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you install and activate Office Communications Server 2007 R2 on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.

Source: http://technet.microsoft.com/en-us/library/dd573004(office.13).aspx
