What’s different about Kerberos Authentication on IIS 7.0

On IIS 6.0, if your web application ran under a custom user account you had to set up Service Principal Names (SPNs) for that account. This detail is something most users miss, and as a result the authentication falls back to NTLM. The custom SPNs are needed because the authentication happens in user mode, in the context of the application pool account.

In IIS 7.0 the authentication is moved into the kernel by default. This eliminates the need to set up SPNs when you change the application pool user account, because the authentication now happens in the context of the machine account, and every machine already has a default HOST/machine SPN in Active Directory (AD).

IIS Manager > Global Level (MachineName) > Authentication > Windows Authentication > Advanced Settings…


For folks who are accustomed to IIS 6.0 this change may seem disturbing. In particular, if you are migrating from an IIS 6.0 environment to IIS 7.0 it can lead to duplicate SPNs: you would have registered the SPNs on the custom account for IIS 6.0, so when moving to IIS 7.0 you need to ensure that you remove those. You can use this command to figure out which accounts hold a particular SPN.

ldifde -f spn.txt -d "dc=contoso,dc=com" -l serviceprincipalname -r "(serviceprincipalname=http/www.contoso.com)" -p subtree

This assumes your domain is contoso.com and the URL of the web application is http://www.contoso.com/.

It's a nifty command for finding duplicate SPNs. The spn.txt file it creates lists every account that has that particular SPN. Always ensure there is only one.
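The same duplicate-SPN check can be scripted so it fails loudly instead of requiring you to read an LDIF export. The following is an added example, not code from the original post; it uses the built-in .NET DirectorySearcher (no RSAT needed) on a domain-joined machine, and the SPN and domain DN are constructed sample values.

```powershell
# Added example: list every AD account holding a given SPN and flag duplicates.
# Assumes a domain-joined machine; 'http/www.contoso.com' and the DN are samples.
param(
    [string]$Spn        = 'http/www.contoso.com',
    [string]$SearchBase = 'LDAP://dc=contoso,dc=com'
)

function Get-SpnHolders {
    param([string]$Spn, [string]$SearchBase)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher.SearchScope = 'Subtree'
    # Same filter as the ldifde command; SPN matching in AD is case-insensitive.
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    foreach ($result in $searcher.FindAll()) {
        # Computer accounts (name ending in '$') hold the HOST/machine SPNs that
        # kernel-mode authentication relies on; user accounts are the custom
        # app-pool identities left over from IIS 6.0-style setups.
        $isComputer = $result.Properties['objectclass'] -contains 'computer'
        [pscustomobject]@{
            Account = $result.Properties['samaccountname'][0]
            Type    = if ($isComputer) { 'computer' } else { 'user' }
            DN      = $result.Properties['distinguishedname'][0]
        }
    }
}

$holders = @(Get-SpnHolders -Spn $Spn -SearchBase $SearchBase)
switch ($holders.Count) {
    0 {
        Write-Warning "No account holds $Spn; kernel-mode auth will use the HOST/<machine> SPN. In a web farm with useAppPoolCredentials=true, register it on the pool account."
    }
    1 {
        "OK: $Spn is held only by $($holders[0].Account) ($($holders[0].Type))"
    }
    default {
        # Duplicate SPNs make the KDC unable to issue a ticket for this service,
        # so clients fall back to NTLM (or fail outright). Remove the stale one
        # from the account that no longer needs it, e.g.:
        #   setspn -D http/www.contoso.com CONTOSO\OldAppPoolAccount
        Write-Warning "DUPLICATE SPN: $Spn is registered on $($holders.Count) accounts."
        $holders | Format-Table -AutoSize
    }
}
```

On Windows Server 2008 and later, `setspn -X` performs the same duplicate search forest-wide for all SPNs at once; the script above is useful when you want to check one specific site's SPN as part of a migration checklist.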

You can turn off this feature and make IIS 7.0 behave like IIS 6.0. However, I strongly recommend against it, as kernel-mode authentication also improves performance.

If you have a history of setting up Kerberos authentication on websites, by now you should be wondering how kernel mode can work in a load-balanced (web farm) scenario, where the requests arrive under a shared host name rather than the machine name. Even in load-balanced scenarios you do not have to disable kernel-mode authentication. Instead, set the useAppPoolCredentials property to true so that the application pool account (which holds the SPN for the shared host name) is used to decrypt the Kerberos ticket. You do this in your configuration file under the system.webServer/security/authentication/windowsAuthentication section.

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

With Windows 7 you will see a new option on the above screen called Extended Protection, which can be set to Off / Accept / Required. This adds support for Channel Binding Tokens and helps prevent man-in-the-middle attacks that forward (relay) Kerberos authentication to another server.


Comments (2)

  1. JANA ŠROUBKOVA,Prague says:

    I am a layman at IT. I don't know how to download the default website.

    At my PC, basic components such as Windows Management Instrumentation were not installed; I cannot connect and view internet sites and more. The PC was at service and they did not repair it, even though I have a warranty. I get page 404 for banking. The previous PC and this one have this module damaged, and my system request

    is in error. I am from the Czech Republic; the servicemen have no knowledge, and for five years I have received not a penny or cent to my bank account. I cannot use messenger or see internet sites and work with them. I know it is a bad URL, but I cannot overwrite it; my English is not so excellent and I have no knowledge of IT. I do not have high-speed internet, only the dial-up provider ufon.cz with an EVDO signal. Please help without my assistance. I am a 58-year-old woman and this PC is my single chance to have some funds. My private address is ekocentrum1cz15@hotmail.com. The font is small; I have bad eyes.
