Wednesday, February 20, 2008 8:56 PM
IIS and Kerberos Part 6 - New in IIS 7
Note: previous articles
Windows Server 2008 and IIS 7.0 introduce some changes to the way that you need to implement Kerberos support. The three major changes that I'm aware of are:
- Service Principal Names (SPNs) no longer need to be registered under the account that the web application pool is running under. Instead, in a default configuration you can run the web application pool under any account (custom user account, or LocalSystem, Local Service or Network Service) and register the SPN under the machine account in Active Directory. See this post for more details.
- Your web application pool does not need LocalSystem privileges to be able to perform protocol transition. You can do this using Network Service.
- If you want to use <identity impersonate="true" /> in web.config for your ASP.NET pages and you are running under the Integrated Mode Pipeline, you need to disable validateIntegratedModeConfiguration. Otherwise you'll get a 500.24 error. You can either set validateIntegratedModeConfiguration to False or run the application pool in Classic Mode Pipeline.
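As an added example (not from the original post), here is a web.config that keeps an ASP.NET application impersonating the authenticated Kerberos user under the Integrated Mode Pipeline. The identity and authentication elements are the ones the post describes; the validation element under system.webServer is what turns off the integrated-mode configuration check that would otherwise produce the 500.24 error. The comments are mine; the element and attribute names are the real IIS 7.0 / ASP.NET ones.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Windows authentication so IIS hands the Kerberos identity to ASP.NET -->
    <authentication mode="Windows" />
    <!-- Run page code as the authenticated user instead of the pool identity.
         In Integrated Mode this element alone triggers HTTP 500.24. -->
    <identity impersonate="true" />
    <!-- Keep anonymous users out so every request carries a Windows identity -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <!-- Stop IIS 7 from rejecting system.web settings that only applied to
         the classic pipeline. This is the setting the post refers to; the
         alternative is to switch the application pool to Classic Mode. -->
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>
</configuration>
```

Note that turning the check off is global for the application: IIS 7 will then also stop warning about other system.web settings that are silently ignored in Integrated Mode, such as httpModules and httpHandlers entries, so confirm those have been moved to their system.webServer equivalents rather than assuming they still run.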
If I find any more things, I'll add them to the list.