Kernel-mode authentication

First, a short explanation of how the Kerberos ticket is encrypted:

  • The client application (e.g. a web browser) requests a Kerberos ticket from the Domain Controller (KDC). As part of the communication with the DC, the client sends the SPN for the service.
  • The DC finds the domain account that matches the SPN and creates a ticket for the user.
  • The ticket is encrypted with the password for the domain account of the receiving application. (To be more accurate: encrypted with the hash of the password for the domain account.)
  • The encrypted ticket is then sent back to the client.
  • The client sends the ticket to the web application in the authentication header to prove the identity of the user.
  • IIS decrypts the ticket to get the identity of the user.

To decrypt the ticket, IIS must know the password of the domain account. The password is stored (encrypted) in applicationHost.config, e.g.

   <add name="HRWeb">
     <processModel identityType="SpecificUser" userName="mydomain\hrwebact" password="[enc:IISWASOnlyAesProvider:qu/80DmhQaUFn4DnDWsFF/uVty+WVR8WapGLJ77clKE=:enc]" />
   </add>

That should therefore not be a problem. But a change was made in IIS 7.0 (and later) that in some cases breaks the Kerberos configuration when IIS tries to decrypt the ticket using the password of the computer account. Read here for more info:

In our HRWeb application the application pool account is configured to use a domain account as identity with a matching SPN.

When a user visits the page, he will be prompted for a username and password, but even if he enters the correct credentials, the request will still fail with HTTP Error 401: Not Authorized.

A Failed Request Tracing log will show the following error:

ModuleName IIS Web Core
Notification 2
HttpStatus 401
HttpReason Unauthorized
HttpSubStatus 2
ErrorCode 2147942405
ErrorCode Access is denied. (0x80070005)

To make this work in IIS 7.5 you have two choices:

  1. Disable Kernel-mode authentication for this application, or
  2. Configure IIS to use the application pool account when the ticket is decrypted in Kernel mode

You can easily disable Kernel-mode authentication in the GUI. Select the application in IIS Manager, open the Authentication feature, select Windows Authentication, select Advanced Settings in the right panel, and uncheck Kernel-mode authentication:

While this configuration will fix the issue, it may not be the best option. A better approach would be to keep Kernel-mode authentication but tell IIS to use the password of the application pool account to decrypt the ticket.

I wish that there were a GUI for changing that parameter but it does not exist.

Instead you have to tweak the applicationHost.config file, which is usually located in c:\windows\system32\inetsrv\config, and add the attribute useAppPoolCredentials="true" to the windowsAuthentication node of the configuration for the application.

See sample:

You can also use the Appcmd.exe command-line tool to set this parameter instead of tweaking the XML by hand. I have used the following command line a couple of times where the customer wanted this parameter to be the default for all applications on the server:

%windir%\system32\inetsrv\appcmd.exe set config -section:windowsAuthentication /useAppPoolCredentials:"True" /commit:apphost

It should also be possible to make the change for a single application, but I don't have a working sample to show you.
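To find which applications on a server are exposed to the 401 described above, here is an added example (not from the original post) that audits applicationHost.config for applications running in a domain-account (SpecificUser) pool with kernel-mode Windows authentication enabled but without useAppPoolCredentials. The embedded config is constructed, the attribute defaults are the IIS schema defaults (an assumption not stated on this page), and inheritance is simplified to server, then site, then application `location` entries, ignoring web.config overrides.

```python
import xml.etree.ElementTree as ET

WA = "system.webServer/security/authentication/windowsAuthentication"
# Constructed applicationHost.config excerpt; site, app and pool names are sample values.
SAMPLE = """<configuration>
  <system.applicationHost><applicationPools>
    <add name="DefaultAppPool" />
    <add name="HRWeb"><processModel identityType="SpecificUser" userName="mydomain\\hrwebact" /></add>
  </applicationPools>
  <sites><site name="Default Web Site">
    <application path="/" applicationPool="DefaultAppPool" />
    <application path="/hr" applicationPool="HRWeb" />
    <application path="/hr2" applicationPool="HRWeb" />
  </site></sites></system.applicationHost>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" /></authentication></security></system.webServer>
  <location path="Default Web Site"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" /></authentication></security></system.webServer></location>
  <location path="Default Web Site/hr2"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useAppPoolCredentials="true" /></authentication></security></system.webServer></location>
</configuration>"""

def effective_auth(root, site, app_path):
    """Merge windowsAuthentication attributes: server level, then site, then application."""
    attrs = {"enabled": "false", "useKernelMode": "true", "useAppPoolCredentials": "false"}  # schema defaults
    scopes = [root.find(WA)]
    for path in (site, site + app_path.rstrip("/")):
        scopes += [loc.find(WA) for loc in root.findall("location") if loc.get("path") == path]
    for node in scopes:
        if node is not None:
            attrs.update(node.attrib)  # more specific scopes override earlier ones
    return {k: v.lower() == "true" for k, v in attrs.items()}

def audit(xml_text):
    """List apps in a SpecificUser pool with kernel-mode auth on and useAppPoolCredentials off."""
    root = ET.fromstring(xml_text)
    pools = {p.get("name") for p in root.findall("system.applicationHost/applicationPools/add")
             if p.find("processModel[@identityType='SpecificUser']") is not None}
    findings = []
    for site in root.findall("system.applicationHost/sites/site"):
        for app in site.findall("application"):  # apps with an inherited pool are skipped
            auth = effective_auth(root, site.get("name"), app.get("path"))
            if (app.get("applicationPool") in pools and auth["enabled"]
                    and auth["useKernelMode"] and not auth["useAppPoolCredentials"]):
                findings.append(site.get("name") + app.get("path"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Each path it reports is a candidate for one of the two fixes above: turn off Kernel-mode authentication for that application, or set useAppPoolCredentials="true".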