Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
After you install the web enrollment pages on an external IIS 7 web server, two additional steps are required:
On the service account running the website in IIS 7 (commonly the computer account or the Network Service account):
- Trust the security principal for delegation against the back-end server
  - The minimum permissions required are for the RPCSS and HOST services to be delegated
- Register the correct SPN on the service account (e.g. http/mypkisite.contoso.com and http/mypkisite.contoso.com)
The computer account will by default have a generic SPN (like host/computername.contoso.com) registered on it (in the ServicePrincipalNames attribute).
Registering an additional, more specific SPN on the same account does no harm, and it is a requirement if the site is accessed through a DNS alias, for example.
On the IIS configuration for the web site:
- Enable the 'Windows Authentication' option under IIS/Authentication
By default, IIS 7 web sites only have Anonymous authentication turned on. Security principals are also not trusted for delegation by default.
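The steps above, scripted as an added example (not part of the original post). It assumes the site runs under the computer account WEBSRV01$ in the CONTOSO domain, is reached as the DNS alias mypkisite.contoso.com, talks to a back-end CA named CA01.contoso.com, and lives at 'Default Web Site/CertSrv'; it uses constrained delegation (RPCSS and HOST only) rather than unconstrained delegation.

```powershell
# Added example, not from the original post. Assumed names: WEBSRV01$ (account
# running the app pool), mypkisite.contoso.com (site alias), CA01.contoso.com
# (back-end CA), 'Default Web Site/CertSrv' (enrollment site). Needs the
# ActiveDirectory module (RSAT) and rights to edit the computer object.
Import-Module ActiveDirectory

$WebAccount = 'WEBSRV01'                      # sAMAccountName without the trailing $
$SiteSpn    = 'http/mypkisite.contoso.com'
$CaHost     = 'CA01.contoso.com'
$SitePath   = 'Default Web Site/CertSrv'

# 1. Register the site-specific SPN on the account that runs the web site.
#    Query first: a duplicate SPN on two accounts breaks Kerberos for the site.
#    -S refuses to add the SPN if another account already holds it.
setspn -Q $SiteSpn
setspn -S $SiteSpn "CONTOSO\$WebAccount`$"

# 2. Constrained delegation: allow the front end to delegate only to the RPCSS
#    and HOST services on the CA (the minimum the enrollment pages need), which
#    is what ADU&C writes when you pick 'specified services only'.
Set-ADComputer -Identity $WebAccount -Add @{
    'msDS-AllowedToDelegateTo' = @("RPCSS/$CaHost", "HOST/$CaHost")
}

# 3. Verify what AD now holds for the account before testing the site.
Get-ADComputer -Identity $WebAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Format-List

# 4. IIS 7: enable Windows Authentication (Negotiate/Kerberos) on the site and
#    disable the Anonymous authentication that is on by default.
$AppCmd = "$env:windir\system32\inetsrv\appcmd.exe"
& $AppCmd set config $SitePath `
    -section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:true /commit:apphost
& $AppCmd set config $SitePath `
    -section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:false /commit:apphost
```

After the change, a client browsing the site with a domain account should obtain a Kerberos ticket for http/mypkisite.contoso.com (visible with klist) rather than falling back to NTLM, and the enrollment pages should reach the CA without a second credential prompt.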
How does one "Trust the security principal for delegation against the back-end server"?
This should be covered for both user accounts and computer accounts in http://technet.microsoft.com/en-us/library/cc739764.aspx
In short, it revolves around ticking the 'Trust this computer for delegation' box for the user/computer in ADU&C. This is however an option that you will only see in the Advanced view in ADU&C, and only if an SPN has been registered on the security principal (also covered in that Technet article).