Fun with IIS 7.5 and Kerberos

I’ve recently had some fun setting up load-balanced IIS 7.5 (Server 2008 R2) servers to use Kerberos with the Default Web Site running under an AppPool which uses a domain account.

Now that my monitors have been replaced, I’ve got my new keyboard and have glued my mouse buttons back on, I thought I’d share some resources that helped.

First, Ken Schaefer’s series on Kerberos itself, to remind me how it works:

Then Brian Murphy-Booth’s (a.k.a. Brian Booth) excellent tool DelegConfig:

The last one of those has four sections: Installing IIS; Installing the web application; Configuring Network Service as the AppPool Identity; and Configuring a domain based user account as the AppPool Identity.  This last section held the key for me: I’d remembered everything else from a previous smashing-my-face-into-the-desk exercise except unchecking “Enable Kernel-mode authentication” in the Advanced Settings on the Windows Authentication entry of the Authentication feature.  Talk about hidden away…

So, now it all works.  Today.  If I’m feeling brave, I’ll restart everything tomorrow morning and see if it’s still working.  🙂


I realised that the instructions in Addendum: Making the DelegConfig website work on IIS 7 refer to the Classic .NET AppPool.  My servers are built with an unattended build process so my starting point was an R2 server with IIS installed and the .NET Framework 4.0.  I created my own App Pool called DefaultWebSiteAppPool [there’s a time for originality and there’s a time for sticking to the bleedin’ obvious] with .NET Framework version v4.0.30319 and Managed Pipeline Mode: Integrated with the identity set to my domain account.
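The steps above (domain-account AppPool, kernel-mode authentication off, and the SPNs that Kerberos needs for a load-balanced name) as a PowerShell script for the WebAdministration module that ships with IIS 7.5 on Server 2008 R2. This is an added example, not the post's own script and not part of DelegConfig; the pool name DefaultWebSiteAppPool comes from the post, while the domain account CONTOSO\svc-web, the load-balanced name www.contoso.com and the use of "Default Web Site" are assumptions. Run it elevated on each node; the setspn lines need rights to write servicePrincipalName on the account.

```powershell
# Added example (not from the original post): configure a domain-account
# AppPool for Kerberos on IIS 7.5 and verify the result.
# Assumed names: CONTOSO\svc-web (AppPool identity), www.contoso.com
# (load-balanced host name), "Default Web Site".
Import-Module WebAdministration

$poolName   = 'DefaultWebSiteAppPool'
$siteName   = 'Default Web Site'
$svcAccount = 'CONTOSO\svc-web'            # assumed domain account
$lbHost     = 'www.contoso.com'            # assumed load-balanced name
$cred       = Get-Credential $svcAccount   # prompts for the account password

# 1. App pool: .NET 4.0 (the GUI shows v4.0.30319, the config value is v4.0),
#    Integrated pipeline, identity = the domain account (identityType 3).
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedPipelineMode  -Value 'Integrated'
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\Sites\$siteName" -Name applicationPool -Value $poolName

# 2. Windows authentication on the site, anonymous off, and kernel-mode
#    authentication OFF. With kernel mode on, http.sys decrypts the service
#    ticket with the machine account's key, which is not the key the SPN on
#    the domain account maps to, so Kerberos fails and clients fall back to
#    NTLM. The authentication sections are locked at server level, so write
#    them into applicationHost.config via -Location rather than web.config.
$authPath = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/windowsAuthentication" -Name useKernelMode -Value $false

# 3. SPNs for the load-balanced name on the domain account. setspn -S
#    refuses to create a duplicate, which is the usual cause of "it worked
#    on the old server" problems. Repeat for each node's own host name if
#    you also test against nodes directly.
setspn -S "HTTP/$lbHost" $svcAccount
setspn -S "HTTP/$($lbHost.Split('.')[0])" $svcAccount

# 4. Checks: the effective setting, the provider order (Negotiate must be
#    first or clients never offer Kerberos), and the SPNs AD actually holds.
(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/windowsAuthentication" -Name useKernelMode).Value
Get-WebConfiguration -PSPath 'IIS:\' -Location $siteName `
    -Filter "$authPath/windowsAuthentication/providers/add" |
    Select-Object -ExpandProperty value
setspn -L $svcAccount

# 5. After a browser request from a domain client, confirm the logon was
#    Kerberos and not an NTLM fallback: Security event 4624 (logon type 3)
#    on the web server records the authentication package.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'Logon Type:\s+3' } |
    ForEach-Object {
        ($_.Message | Select-String -Pattern 'Authentication Package:\s+\w+').Matches[0].Value
    }
```

The provider list and the event-log check are the two things worth re-running after the "restart everything tomorrow morning" test: a pool that silently falls back to NTLM still authenticates users, so the site looks fine while delegation quietly stops working. IIS 7.5 also offers useAppPoolCredentials="true" on the windowsAuthentication element as an alternative to turning kernel mode off; the post's approach of unchecking the box is the one shown here.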