Comment on page

Kerberos Authentication for IIS

Build
In Site Configuration -> Authentication, Enable Anonymous, ASP.NET Impersonation (if you need that) & Windows Authentication
Make sure AppPool is using integrated and not classic
On the same menu, click providers and make sure it only says Negoiate & NTLM
Create a service account which the apppool will be running as (e.g. web_service)
Give a SPN to that service account setspn -a HTTP/servername.test.com web_service
Change Identity of Appool to use the new user (Advanced Options)
Go to Configuration Editor -> system.webServer-> security -> authentication -> windowsAuthentication and check usingPoolCredentials & useKernelMode
References
​https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882​
​http://woshub.com/configuring-kerberos-authentication-on-iis-website/​

Kerberos Silver Tickets

Group Managed Service Accounts (GMSA)

Last modified 9mo ago