SharePoint 2010 and Kernel Mode Authentication

When IIS 7.0 shipped with Windows Server 2008, one of its many new features was a new doodad called Kernel Mode Authentication (KMA). Enabled by default, KMA moved the authentication operations performed by IIS out of user mode and into the kernel. This had tremendous performance benefits! Additionally, when KMA was enabled, IIS no longer used the application pool identity for Kerberos ticket decryption – instead, it would use the machine account. This greatly simplified single server installations, as you wouldn’t need an SPN configured to perform Kerberos authentication to your web application if your web application used the same name as the machine.

Unfortunately, relying on the machine account for ticket decryption is entirely incompatible with web farms of any kind – SharePoint 2007 included. It’s obvious why – SharePoint web applications running in a farm configuration do not use the machine name for their web application; they’ll typically use a central DNS entry and host headers on each of the Web Front Ends. As a result, the ticket request from the browser client to Active Directory would pass an SPN that wouldn’t have a match of any sort, causing a Kerberos ticket failure on the client. SharePoint 2007 environments deployed on Windows 2008 therefore had to configure their web applications to use the application pool identity for ticket decryption if Kernel Mode Authentication was to remain enabled.

Due to a variety of factors, SharePoint 2010 will provision web applications with Kernel Mode Authentication disabled by default. This will give you the IIS 6.0 behavior of leveraging application pool identities for ticket decryption, and will generally simplify web application management.
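As an added example that is not part of the original post, the PowerShell below (IIS 7.x WebAdministration module) reports which account a web application will use to decrypt Kerberos tickets and applies the farm-safe setting described above: keep Kernel Mode Authentication but decrypt with the application pool identity, then make sure that identity holds the SPN for the host header. The site name, host header and service account are assumptions.

```powershell
# Added example, not code from the original post. Assumes IIS 7.x with the
# WebAdministration module; the site name, host header and service account
# below are placeholders for your own farm.
Import-Module WebAdministration

$SiteName    = "SharePoint - 80"           # assumed IIS site for the web application
$HostHeader  = "portal.contoso.example"    # assumed central DNS name clients request
$AppPoolAcct = "CONTOSO\svc_spapppool"     # assumed application pool identity

$Filter = "/system.webServer/security/authentication/windowsAuthentication"
$PSPath = "IIS:\Sites\$SiteName"

function Get-TicketDecryptionAccount {
    # Returns which account IIS will use to decrypt Kerberos tickets for the site.
    param([string]$Path)
    $kernel  = (Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name useKernelMode).Value
    $appPool = (Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name useAppPoolCredentials).Value
    # Kernel mode without app pool credentials is the farm-breaking combination.
    if ($kernel -and -not $appPool) { return "MachineAccount" }
    return "AppPoolIdentity"
}

$mode = Get-TicketDecryptionAccount -Path $PSPath
Write-Host "Site '$SiteName' decrypts Kerberos tickets with: $mode"

if ($mode -eq "MachineAccount") {
    # Keep KMA for its performance benefit but decrypt with the app pool identity.
    # Set-WebConfigurationProperty writes this into the site's <location> in
    # applicationHost.config, which is allowed even though the windowsAuthentication
    # section is locked against web.config overrides.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name useAppPoolCredentials -Value $true
    # Alternative matching the SharePoint 2010 default: turn kernel mode off instead.
    # Set-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name useKernelMode -Value $false
}

# Either way the ticket must be encrypted to the app pool account, so that account
# (not the machine) has to hold the SPN for the host header clients actually request.
# setspn -S adds the SPN only if no other account already has it (avoids duplicates).
setspn -S "HTTP/$HostHeader" $AppPoolAcct
```

Run it on each Web Front End, since the IIS setting is per server while the SPN registration in Active Directory is done once.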

Comments (1)

  1. joekr says:

    This is great stuff. Unfortunately, it appears that although IIS7 will work faster better cheaper, we can’t use it in SharePoint for this purpose 🙂