IIS 6.0, IIS 7.0, IIS 7.5

The changes in Kerberos configuration in IIS7x (KernelModeAuthentication) makes it fairly easy to configure Kerberos on IIS. At the same time, it is critical for server admins to understand the implications of this. SPN is one of those area.

Here is a matrix of all SPN scenarios in context of IIS6.0 and IIS7x. This should make life little easier when it comes to decide which SPNs do we really need.

Notes -

1. Be wary of useAppPoolCredentials flag! This is critical.

Setting this on(useAppPoolCredentials=true) is as good as Disabling kernel mode Authentication

When and how to set, please refer - http://technet.microsoft.com/en-us/library/dd573004(office.13).aspx

<system.webServer>

   <security>

      <authentication>

         <windowsAuthentication enabled="true" useAppPoolCredentials="true" />

      </authentication>

   </security>

</system.webServer>

2.  For IIS6 settings, refer to sections where Kernel Mode Authentication is OFF

3.  In case of double hop scenario,

Verify that the Domain User is marked “Trust this User for delegation to any service”

  Active Directory Users and Computers MMC\UserAccount\Properties\Delegation Tab\

4. Use new SPN tool to find duplicate SPNs.

Simply run >setspn -x

5. Be careful while Port in SPNs. Default ports doesn’t need to be added.

E.g.  Port 80, 443, 21 doesn’t need to added which are default ports for TCP, SSL, FTP respectively

References:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5 -

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

How to use SPNs when you configure Web applications that are hosted on Internet Information Services

http://support.microsoft.com/kb/929650