useAppPoolCredentials = True with Kerberos Delegation on 2008

useAppPoolCredentials = True with Kerberos Delegation on 2008

  • Comments 4
  • Likes

This has tripped me up a couple of times now when troubleshooting Kerberos delegation. It's time I wrote a post to keep it in memory and for posterity. When configuring Kerberos delegation while the web server is on Windows Server 2008 or later, and I'm using domain credentials for the application pool service account, I have to change useAppPoolCredentials from False to True.

 

1.       Install the IIS7 Admin Pack:  http://www.iis.net/extensions/AdministrationPack. (Note: The IIS7 admin pack is installed by default in Windows Server 2008 R2).

2.       Open IIS Manager.

3.       Expand the server and then ‘Sites’, then select a website or application.

4.       Under Management, select ‘Configuration Editor’.

5.       In the ‘From:’ section above the properties, select ‘ApplicationHost.config <location path=…’

6.       For the ‘Section:’ location, select system.webServer > security > authentication > windowsAuthentication.

7.       In the properties page, set useAppPoolCredentials to True, then click Apply.

 

I like to restart my service, (IIS in this case), any time I make changes that affect service accounts in regards to Kerberos delegation.

 

Thank you to Sean Flanagan for repeatedly reminding me about this setting and providing the step-by-step instructions.

 

Enjoy!

 

-Joey

 

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment