First a short explanation of how the Kerberos ticket is encrypted:
To decrypt the ticket, IIS must know the password of the domain account. The password is stored (encrypted) in applicationHost.config, e.g.
    <applicationPools>
      <add name="HRWeb">
        <processModel identityType="SpecificUser" userName="mydomain\hrwebact" password="[enc:IISWASOnlyAesProvider:qu/80DmhQaUFn4DnDWsFF/uVty+WVR8WapGLJ77clKE=:enc]" />
      </add>
    </applicationPools>
That should therefore not be a problem. But a change was made in IIS 7.0 (and later) that in some cases breaks the Kerberos configuration, because IIS tries to decrypt the ticket using the password of the computer account instead. Read here for more info: http://blogs.msdn.com/b/sudeepg/archive/2009/02/08/iis-7-kernel-mode-authentication.aspx
In our HRWeb application the application pool account is configured to use a domain account as identity with a matching SPN.
When a user visits the page he will be prompted for username and password, but even if he enters the correct credentials, the request will still fail with HTTP Error 401: Not Authorized.
A Failed Request Tracing log will show the following error:
    ModuleName           IIS Web Core
    Notification         2
    HttpStatus           401
    HttpReason           Unauthorized
    HttpSubStatus        2
    ErrorCode            2147942405
    ConfigExceptionInfo
    Notification         AUTHENTICATE_REQUEST
    ErrorCode            Access is denied. (0x80070005)
To make this work in IIS 7.5 you have two choices:
You can easily disable Kernel-mode authentication in the GUI. Select the application in IIS Manager, open the Authentication feature, select Windows Authentication, select Advanced Settings in the right panel, and uncheck Kernel-mode authentication.
While this configuration will fix the issue, it may not be the best option. A better approach is to keep Kernel-mode authentication but tell IIS to use the password of the application pool account to decrypt the ticket.
I wish there were a GUI for changing that parameter, but it does not exist.
Instead you have to tweak the applicationHost.config file, which is usually located in c:\windows\system32\inetsrv\config, and add the attribute useAppPoolCredentials="true" to the windowsAuthentication node of the configuration for the application.
You can also use the Appcmd.exe command-line tool to set this parameter instead of tweaking the XML by hand. I have used the following command line a couple of times where the customer wanted this parameter to be the default for all applications on the server:
%windir%\system32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useAppPoolCredentials:"True" /commit:apphost
It should also be possible to make the change for a single application, but I don't have a working sample to show you.
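As an added example (not from the original post), the following PowerShell script audits every site and application for the exact combination described above, a pool running as a specific user with Kernel-mode authentication on but useAppPoolCredentials off, and provides a function that sets the attribute for one application only. It assumes the WebAdministration module is available and the shell is elevated; the site name "Default Web Site" is an assumption, "HRWeb" comes from the post.

```powershell
# Added example, not the post author's code. Requires the WebAdministration module
# (IIS 7.5 or later) and an elevated PowerShell session.
Import-Module WebAdministration

$winAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Read one boolean attribute of the windowsAuthentication section for a location
# (e.g. "Default Web Site/HRWeb"). Some module versions return a raw [bool],
# others a ConfigurationAttribute with a .Value member; handle both.
function Get-WinAuthBool {
    param([string]$Location, [string]$Name)
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter $winAuthFilter -Name $Name
    if ($prop -is [bool]) { return $prop } else { return [bool]$prop.Value }
}

# Pools with identityType=SpecificUser: the computer account's key cannot decrypt
# a ticket that was issued for the SPN registered on the pool's domain account.
$customPools = Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
    ForEach-Object { $_.name }

# Build (location, pool) pairs: the site root plus every application under it.
$targets = foreach ($site in Get-Website) {
    [pscustomobject]@{ Location = $site.name; AppPool = $site.applicationPool }
    foreach ($app in Get-WebApplication -Site $site.name) {
        # $app.path starts with "/", giving e.g. "Default Web Site/HRWeb"
        [pscustomobject]@{ Location = "$($site.name)$($app.path)"; AppPool = $app.applicationPool }
    }
}

# Report every location that will fail with the 401 described in the post.
$findings = $targets |
    Where-Object { $customPools -contains $_.AppPool } |
    Where-Object { (Get-WinAuthBool $_.Location 'useKernelMode') -and
                   -not (Get-WinAuthBool $_.Location 'useAppPoolCredentials') }
$findings | Format-Table -AutoSize

# Per-application counterpart of the server-wide appcmd line above: writes
# useAppPoolCredentials="true" into that application's <location> block only.
function Set-UseAppPoolCredentials {
    param([string]$Location)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $winAuthFilter -Name 'useAppPoolCredentials' -Value $true
}
# Example (assumed site name): Set-UseAppPoolCredentials -Location 'Default Web Site/HRWeb'
```

Run the audit first; the report lists exactly the locations where the fix applies, and each call to Set-UseAppPoolCredentials changes only that one application rather than the server default.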