This has tripped me up a couple of times now when troubleshooting Kerberos delegation. It's time I wrote a post to keep it in memory and for posterity. When configuring Kerberos delegation while the web server is on Windows Server 2008 or later, and I'm using domain credentials for the application pool service account, I have to change useAppPoolCredentials from False to True.
1. Install the IIS7 Admin Pack: http://www.iis.net/extensions/AdministrationPack. (Note: The IIS7 admin pack is installed by default in Windows Server 2008 R2).
2. Open IIS Manager.
3. Expand the server and then ‘Sites’, then select a website or application.
4. Under Management, select ‘Configuration Editor’.
5. In the ‘From:’ section above the properties, select ‘ApplicationHost.config <location path=…’
6. For the ‘Section:’ location, select system.webServer > security > authentication > windowsAuthentication.
7. In the properties page, set useAppPoolCredentials to True, then click Apply.
I like to restart my service, (IIS in this case), any time I make changes that affect service accounts in regards to Kerberos delegation.
Thank you to Sean Flanagan for repeatedly reminding me about this setting and providing the step-by-step instructions.
Good Tip !
Thanks... too bad this isn't posted in more places!
totally agreed with WorkerMan. you solved my problem in setting up CRM 2011 on HAPROXY NLB.
We do not have the useAppPoolCredentials set and from my point of view kerberos is working with CRM 2011. Please take a look at blogs.msdn.com/.../service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
I just stumbled on this fix out of ... "let me try every setting in IIS until something gives" mode... then googled "useAppPoolCredentials" and found your post... been looking for this for weeks!!! Spread the word... this is awesome! Thanks for sharing.
Thanks, this helped me fix the security window I get for my internal site.