Tuesday, February 12, 2008 9:34 AM
New in IIS 7 - Kernel Mode Authentication
Windows Server 2003 SP1 introduces kernel mode SSL. Windows Server 2008 takes this one step further and introduces kernel mode authentication. This can be utilised by IIS 7.0 applications to improve performance. It also has implications for Kerberos authentication and management of SPNs.
Consider the following scenario:
Ensuring Kerberos AuthN for App1 wouldn’t be possible in IIS 6/5 (earlier versions were pre-Windows 2000 so didn’t support Kerberos). This was because SPNs are based on a FQDN and the SPN for http/website1.domain.com could only be registered under a single account (and not under the two different accounts that App Pool 1 and App Pool 2 are using).
In Windows Server 2008 there is support for a new kernel mode authentication. I am supposing that this is implemented in ksecdd.sys, but it may be implemented elsewhere. When using kernel mode authentication, the service ticket is decrypted by the server (aka machine account), not by the user account that the web app pool is running under.
Because of this, it’s possible to:
- Register every SPN for each application hosted webserver under the machine account in Active Directory, regardless of the identity of the web app pool that the application is being hosted in
- Run multiple web applications hosted at the same FQDN under web app pools that are, in turn, running under multiple Windows identities.
Edit: Anil from the IIS Product Group pointed out an error in my advice below (it's not necessary to actually disable Kernel Mode Authentication). I have updated the section below:
There is a caveat. This is because the service ticket decryption takes place using the server’s AD machine account. If you are using a web farm, then the KDC doesn’t know in advance which individual server will be servicing the request. In that case, it's impossible to deterministically register the SPN under a single machine account. Instead, you will need to:
Disable kernel mode authentication Configure IIS to use the web application pool's identity for Kerberos service ticket decryption
- Run the web app pool under a common domain user account
- Be restricted to running all web application accessible at that FQDN under web app pools that are using the same domain user account above
If you are in this situation, then you can
disable kernel mode authentication enable the use of the web app pool's identity for Kerberos service ticket decryption by setting the property useAppPoolCredentials to true for the web application or web site in question. An example would be:
<windowsAuthentication enabled="true" useAppPoolCredentials="true" />
If you're not sure how SPNs and Keberos work, then check out the earlier posts