Kerberos Authentication for IIS


  • In Site Configuration -> Authentication, Enable Anonymous, ASP.NET Impersonation (if you need that) & Windows Authentication

  • Make sure AppPool is using integrated and not classic

  • On the same menu, click providers and make sure it only says Negoiate & NTLM

  • Create a service account which the apppool will be running as (e.g. web_service)

    • Give a SPN to that service account setspn -a HTTP/ web_service

  • Change Identity of Appool to use the new user (Advanced Options)

  • Go to Configuration Editor -> system.webServer-> security -> authentication -> windowsAuthentication and check usingPoolCredentials & useKernelMode


Last updated