Kerberos Kernel Authentication Issues

Why does IIS7 with Kerberos use the server machine's credentials to decrypt the ticket rather than the application pool's credentials?

What you're probably seeing here is the kernel mode authentication feature that was added in IIS7 for Windows Server 2008. Ordinarily, the service ticket is decrypted using the credentials of the user account that the application pool runs under. With kernel mode authentication, the service ticket is decrypted by the machine account instead, just as if the service were running as one of the built-in machine accounts such as NetworkService. The difference is significant because it determines which account must hold the service principal name (SPN) you use to describe the service.

You can restore the old behavior of using the application pool's credentials by configuring the useAppPoolCredentials setting on the application or web site. You can also turn off kernel mode authentication entirely.

There are some advantages to using kernel mode authentication that you would be giving up though. First, kernel mode authentication is quite a bit faster. Second, if you use different identities for application pools that serve different parts of the same web site, you'll quickly discover that using the application pool's credentials runs into the limitation that only one service principal can be configured for the service: an SPN can be registered to only one account. Using kernel mode authentication means that the different parts of the web site can share the same service principal (the machine account's) even though the application pools run under different identities.
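The following is an added example, not part of the original post or of IIS itself, showing the three configurations described above with appcmd and how to check which account holds the SPN in each case. The site name "Default Web Site", the host name www.example.com, and the application pool identity CONTOSO\svc-web are assumed placeholders; the appcmd attributes (useKernelMode, useAppPoolCredentials) and the setspn switches are the real ones shipped with Windows Server 2008.

```powershell
# Added example (not from the original post). Assumed names: site "Default Web Site",
# host www.example.com, application pool identity CONTOSO\svc-web.

$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$section  = "system.webServer/security/authentication/windowsAuthentication"
$site     = "Default Web Site"
$spn      = "HTTP/www.example.com"   # assumed SPN clients will request for the site
$poolAcct = "CONTOSO\svc-web"        # assumed application pool identity

# Apply one of the three windowsAuthentication configurations discussed in the post.
function Set-WinAuthMode {
    param(
        [Parameter(Mandatory)][bool]$KernelMode,
        [Parameter(Mandatory)][bool]$UseAppPoolCredentials
    )
    & $appcmd set config $site "/section:$section" `
        "/enabled:True" `
        "/useKernelMode:$KernelMode" `
        "/useAppPoolCredentials:$UseAppPoolCredentials" `
        "/commit:apphost"
}

# Show the currently effective settings for the site so the change can be verified.
function Show-WinAuthMode {
    & $appcmd list config $site "/section:$section"
}

# List the SPNs registered on the account that will decrypt the ticket under each mode.
# setspn -L takes a computer name for a machine account and DOMAIN\user for a user account.
function Show-DecryptingAccountSpns {
    param([Parameter(Mandatory)][bool]$KernelMode,
          [Parameter(Mandatory)][bool]$UseAppPoolCredentials)
    if ($KernelMode -and -not $UseAppPoolCredentials) {
        Write-Host "Ticket is decrypted by the machine account $env:COMPUTERNAME`$; $spn must resolve to it:"
        & setspn -L $env:COMPUTERNAME
    } else {
        Write-Host "Ticket is decrypted by the pool identity $poolAcct; $spn must be registered on it:"
        & setspn -L $poolAcct
    }
}

# 1. IIS7 default on Server 2008: kernel mode on, machine account decrypts the ticket.
#    Different app pool identities under the same host name all share the machine SPN.
Set-WinAuthMode -KernelMode $true  -UseAppPoolCredentials $false
Show-WinAuthMode
Show-DecryptingAccountSpns -KernelMode $true -UseAppPoolCredentials $false

# 2. Restore the pre-IIS7 behaviour while keeping kernel mode: the pool identity decrypts.
#    The SPN must then be on CONTOSO\svc-web; a second pool with a different identity
#    cannot also own HTTP/www.example.com.
Set-WinAuthMode -KernelMode $true  -UseAppPoolCredentials $true
Show-WinAuthMode
Show-DecryptingAccountSpns -KernelMode $true -UseAppPoolCredentials $true

# 3. Kernel mode off entirely: same SPN requirement as 2, without the performance gain.
Set-WinAuthMode -KernelMode $false -UseAppPoolCredentials $false
Show-WinAuthMode

# Duplicate SPNs (the same HTTP/host name on two accounts) make Kerberos fail
# unpredictably; the 2008 setspn can search the forest for them.
& setspn -X
```

The same three settings can be placed directly in the site's configuration as the `useKernelMode` and `useAppPoolCredentials` attributes of the `windowsAuthentication` element under `system.webServer/security/authentication`; appcmd with `/commit:apphost` writes them to applicationHost.config for the site. Whichever mode you pick, the account reported by `Show-DecryptingAccountSpns` is the one that must hold the SPN clients request, and `setspn -X` should report no duplicates for it.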

Comments

  • Anonymous
    February 20, 2009
    Can self-hosted WCF apps w/ Windows auth on Server 2008 opt into this behavior?

  • Anonymous
    February 20, 2009
    Hi Matt, that depends on what the stack that is processing your requests in self-host supports. It will be different for each transport. I would guess that self-host HTTP would get kernel mode auth since it uses the same underlying stack (http.sys) as IIS, but I don't know that for sure or if configuration is required.