useAppPoolCredentials = True with Kerberos Delegation on 2008
This has tripped me up a couple of times now when troubleshooting Kerberos delegation. It's time I wrote a post to keep it in memory and for posterity. When configuring Kerberos delegation while the web server is on Windows Server 2008 or later, and I'm using domain credentials for the application pool service account, I have to change useAppPoolCredentials from False to True.
1. Install the IIS7 Admin Pack: https://www.iis.net/extensions/AdministrationPack. (Note: The IIS7 admin pack is installed by default in Windows Server 2008 R2).
2. Open IIS Manager.
3. Expand the server and then ‘Sites’, then select a website or application.
4. Under Management, select ‘Configuration Editor’.
5. In the ‘From:’ section above the properties, select ‘ApplicationHost.config <location path=…’
6. For the ‘Section:’ location, select system.webServer > security > authentication > windowsAuthentication.
7. In the properties page, set useAppPoolCredentials to True, then click Apply.
I like to restart my service, (IIS in this case), any time I make changes that affect service accounts in regards to Kerberos delegation.
Thank you to Sean Flanagan for repeatedly reminding me about this setting and providing the step-by-step instructions.
Enjoy!
-Joey
Comments
Anonymous
January 01, 2003
totally agreed with WorkerMan. you solved my problem in setting up CRM 2011 on HAPROXY NLB.Anonymous
January 01, 2003
Good Tip !Anonymous
August 17, 2012
Thanks... too bad this isn't posted in more places!Anonymous
July 17, 2013
We do not have the useAppPoolCredentials set and from my point of view kerberos is working with CRM 2011. Please take a look at blogs.msdn.com/.../service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspxAnonymous
December 15, 2014
I just stumbled on this fix out of ... "let me try every setting in IIS until something gives" mode... then googled "useAppPoolCredentials" and found your post... been looking for this for weeks!!! Spread the word... this is awesome! Thanks for sharing.Anonymous
January 26, 2015
Thanks, this helped me fix the security window I get for my internal site.Anonymous
April 02, 2016
Thanks to Joey B. Pruett!! An informative post I got here. I have gotten some exceptional news on windows installer to read thishttp://finance.yahoo.com/news/installaware-installs-50-faster-installshield-140000577.html">webpage.