Understanding Kernel mode authentication in IIS 7

By default, IIS 7 enables kernel-mode authentication for the Windows authentication scheme (which uses either Kerberos or NTLM). Kernel-mode authentication provides the following advantages:

• Your Web applications can run using lower-privileged accounts.

• If you use Kerberos authentication, you can use a different account than the default account associated with the Service Principal Name (SPN) of the server.

• If you use kernel-mode authentication, you can use the Kerberos provider of Windows authentication without performing explicit SPN configuration, because the tickets are decrypted with the machine account, which already holds the SPNs of the server.

When kernel-mode authentication is used, HTTP.sys (running in the kernel, under the machine account) is in charge of authenticating the request instead of the worker process.

By default, HTTP.sys only does this with the machine account. So if the application pool runs under a specific identity and the SPN of the site is registered to that account, the Kerberos ticket presented by the client is encrypted for that account, and HTTP.sys is unable to decrypt and authenticate it even though the SPN is correctly set.

For this reason Kerberos authentication sometimes fails when kernel-mode authentication is enabled and the application pool uses a custom identity. There are two ways to solve this issue:

• Make HTTP.sys aware of the identity of the application pool

  You need to set the "useAppPoolCredentials" attribute on the windowsAuthentication element in applicationHost.config, as explained in the following article:

  https://technet.microsoft.com/en-us/library/dd573004(office.13).aspx

• Disable kernel-mode authentication

  The worker process, which runs under the application pool identity, then performs the authentication itself; this loses the advantages listed above.
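The two options above, as an added PowerShell example (not code from the original article), applied to a site with a custom application-pool identity. The site name "Default Web Site", the host name app.contoso.com and the service account CONTOSO\svc-webapp are assumptions chosen for the illustration; the attribute names useKernelMode and useAppPoolCredentials are the real attributes of the windowsAuthentication section.

```powershell
# Added example (not from the original article): make Kerberos work with a custom
# application-pool identity while keeping kernel-mode authentication.
# Assumed names: site "Default Web Site", host app.contoso.com, pool account CONTOSO\svc-webapp.
Import-Module WebAdministration

$site   = 'IIS:\Sites\Default Web Site'
$filter = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Inspect the current settings. IIS 7 defaults are useKernelMode=true and
#    useAppPoolCredentials=false, i.e. HTTP.sys decrypts tickets with the machine account only.
Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name useKernelMode
Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name useAppPoolCredentials

# 2. The SPN for the host name must be registered on the account that will decrypt the
#    ticket. With a custom pool identity that is the service account, not the machine
#    account. -S refuses to add a duplicate SPN; -L lists what the account already has.
setspn -S HTTP/app.contoso.com CONTOSO\svc-webapp
setspn -L CONTOSO\svc-webapp

# 3a. Option 1: keep kernel-mode authentication and let HTTP.sys use the pool identity.
#     This writes useAppPoolCredentials="true" on the windowsAuthentication element of
#     the site in applicationHost.config.
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name useAppPoolCredentials -Value $true

# 3b. Option 2: disable kernel-mode authentication so the worker process, running as the
#     pool identity, authenticates the request itself. Use only one of 3a or 3b.
# Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name useKernelMode -Value $false

# Equivalent appcmd.exe form of option 1, committed to applicationHost.config:
# & "$env:windir\system32\inetsrv\appcmd.exe" set config "Default Web Site" `
#     -section:$filter /useAppPoolCredentials:"True" /commit:apphost
```

After the change, confirm on a domain-joined client that the site is reached by host name (not by IP address, which would trigger an NTLM fallback) and that the worker process logs a Kerberos logon; if the SPN is still registered on the computer account as well, the KDC will issue tickets for the wrong key and the failure persists regardless of these settings.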

Related Articles:


— Designing an Authentication System: a Dialogue in Four Scenes

— Kerberos Explained

— New in IIS 7 – Kernel Mode Authentication