Home
%3CLINGO-SUB%20id%3D%22lingo-sub-347882%22%20slang%3D%22en-US%22%3ESetting%20up%20Kerberos%20Authentication%20for%20a%20Website%20in%20IIS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-347882%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EI%20had%20previously%20blogged%20on%20the%20working%20of%20Kerberos%20and%20how%20to%20troubleshoot%20authentication%20issues%20with%20Kerberos%20when%20it%20fails.%20Then%20I%20thought%20it%20would%20be%20good%20if%20I%20can%20also%20document%20the%20basic%20steps%20we%20look%20into%20when%20configuring%20Kerberos%20for%20a%20site.%20Over%20here%20we%20look%20into%20step%20by%20step%20process%20of%20the%20changes%20we%20need%20to%20make%20when%20we%20want%20to%20setup%20Kerberos%20for%20a%20site.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EPlease%20go%20through%20the%20blog%20on%20%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22http%3A%2F%2Fblogs.msdn.com%2Fb%2Fchiranth%2Farchive%2F2013%2F09%2F20%2Fall-about-kerberos-the-three-headed-dog-with-respect-to-iis-and-sql.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3Ehow%20Kerberos%20works%3C%2FSTRONG%3E%3C%2FA%3E%20before%20going%20through%20the%20setup%20blog.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EThe%20below%20steps%20will%20take%20you%20through%20the%20setup%20of%20Kerberos%20for%20a%20site.%20Steps%201-8%20should%20be%20sufficient%20when%20you%20want%20Kerberos%20for%20the%20site%20to%20be%20configured%20only%20for%20single%20HOP.%20The%20steps%20followed%20from%20Step%209%20shows%20you%20the%20configuration%20when%20you%20want%20to%20configure%20double%20hop%20i.e%20delegate%20the%20logged%20in%20account%20to%20a%20backend%20server%20(for%20eg%20a%20sql%20service).%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3ESteps%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EConfiguration%20for%20single%20hop%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E1)%20Click%20on%20the%20website%2C%20go%20to%20authentication%20and%20make%20sure%20that%20windows%20authentication%20is%20enabled.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F2350.clip_image002_32A0C99F.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22450%22%20height%3D%22164%22%20title%3D%22clip_image002%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image002%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F3113.clip_image002_thumb_1787FA91.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E2)%20Make%20sure%20that%20when%20you%20want%20to%20use%20windows%20authentication%2C%20anonymous%20authentication%20is%20not%20enabled%2C%20which%20is%20a%20common%20mistake%20I%20have%20observed.%20Because%20anonymous%20authentication%20takes%20more%20precedence%20than%20windows%20authentication.%20Below%20is%20the%20link%20which%20talks%20about%20precedence%20in%20authentication.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22http%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fee825205(v%3Dcs.10).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fmsdn.microsoft.com%2Fen-us%2Flibrary%2Fee825205(v%3Dcs.10).aspx%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E3)%20Enabling%20windows%20authentication%20doesn%E2%80%99t%20mean%20Kerberos%20protocol%20will%20be%20used.%20It%20might%20also%20use%20NTLM%20which%20is%20also%20a%20provider%20in%20windows%20authentication.%20In%20order%20to%20setup%20Kerberos%20for%20the%20site%2C%20make%20sure%20%E2%80%9C%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ENegotiate%3C%2FSTRONG%3E%E2%80%9D%20is%20at%20the%20top%20of%20the%20list%20in%20providers%20section%20that%20you%20can%20see%20when%20you%20select%20windows%20authentication.%20Negotiate%20is%20a%20provider%20or%20container%20which%20supports%20Kerberos%20protocol%20and%20it%20also%20contains%20NTLM%20as%20a%20backup%20when%20Kerberos%20fails%20due%20to%20some%20reason.%20But%20one%20important%20thing%20to%20keep%20in%20mind%20over%20here%20is%20when%20we%20want%20to%20use%20Kerberos%20%E2%80%9C%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ENegotiate%3C%2FSTRONG%3E%E2%80%9D%20should%20be%20at%20the%20top.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F6787.clip_image004_2ED2FF02.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22495%22%20height%3D%2263%22%20title%3D%22clip_image004%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image004%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F3000.clip_image004_thumb_6D584CA8.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F4520.clip_image006_7DF04796.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22322%22%20height%3D%22265%22%20title%3D%22clip_image006%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image006%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F7215.clip_image006_thumb_5C246F05.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E4)%20So%20above%20three%20steps%20should%20be%20sufficient%20when%20you%20want%20to%20browse%20your%20site%20with%20the%20machine%20name%20as%20%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22http%3A%2F%2Fmachinename%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fmachinename%3C%2FA%3E%20or%20%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22http%3A%2F%2Ffqdn%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2FFQDN%3C%2FA%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%20of%20machine%20name%3C%2FU%3E%20and%20you%20need%20not%20create%20any%20SPN%E2%80%99s%20(concept%20of%20SPN%20is%20explained%20in%20my%20previous%20blog)%20as%20you%20will%20have%20a%20HOST%20SPN%20registered%20to%20your%20machine%20account%20by%20default%20when%20you%20join%20a%20machine%20to%20a%20domain.%20HOST%20SPN%20is%20similar%20to%20HTTP%20SPN%E2%80%99s%20and%20should%20be%20sufficient%20when%20you%20want%20to%20access%20a%20site%20over%20Kerberos.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EFor%20eg%3A%20If%20you%20have%20a%20machine%20with%20the%20name%20%E2%80%98illuminati%E2%80%99%20a%20host%20SPN%20for%20illuminati%20will%20be%20present%20and%20it%20will%20be%20registered%20to%20your%20inbuilt%20machine%20account.%20You%20can%20confirm%20this%20through%20running%20the%20below%20command%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ESetspn%20%E2%80%93l%20machineaccount%3C%2FSTRONG%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ESetspn%20%E2%80%93l%20illuminati%20%3A%20this%20will%20query%20for%20all%20the%20SPN%E2%80%99S%20registered%20to%20the%20machine%20account%20illuminati.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E5)%20If%20you%20want%20to%20access%20the%20site%20with%20a%20custom%20hostname%20we%20need%20to%20create%20appropriate%20SPN%20for%20the%20hostname%20and%20we%20need%20to%20register%20it%20either%20to%20the%20machine%20account%20or%20to%20the%20domain%20account.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EWe%20usually%20don%E2%80%99t%20register%20the%20SPN%20to%20a%20machine%20account%20and%20choose%20domain%20accounts%20when%20we%20have%20a%20web%20farm%20scenario%20(same%20site%20hosted%20in%20multiple%20servers%20behind%20a%20load%20balancer)%20and%20the%20same%20ticket%20from%20AD%20should%20be%20accessible%20in%20all%20the%20machines%20in%20the%20farm.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E6)%20Let%E2%80%99s%20consider%20the%20below%20scenario%20with%20imaginary%20hostname%2C%20machine%20name%20and%20a%20domain%20account.%3C%2FP%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EFQDN%20Machine%20name%3A%20illuminatiserver.domain.com%3C%2FSTRONG%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EHostname%3A%20Kerberos.com%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EDomain%20account%3A%20domain%5Cchiranth%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ENote%3A%3C%2FSTRONG%3E%20Be%20careful%20while%20choosing%20a%20hostname.%20The%20hostname%20shouldn%E2%80%99t%20have%20%E2%80%9C%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22http%3A%2F%2Fwww.%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.%3C%2FA%3E%E2%80%9D%20If%20we%20have%20www%20in%20the%20hostname%20Kerberos%20will%20fail%2C%20because%20when%20a%20client%20tries%20to%20access%20a%20site%20with%20hostname%20www%20in%20it%2C%20it%20will%20try%20to%20go%20over%20internet%20rather%20than%20intranet%20zone.%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E7)%20For%20the%20above%20requirements%20with%20a%20custom%20hostname%20we%20can%20create%20SPN%E2%80%99s%20in%20either%20one%20of%20the%20two%20ways.%20It%20can%20be%20chosen%20on%20your%20requirement%20and%20the%20policies%20you%20have.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EMethod%201%3A%3C%2FU%3E%3C%2FSTRONG%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ERegistering%20a%20SPN%20to%20a%20machine%20account.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EWhen%20you%20have%20a%20custom%20hostname%20and%20you%20want%20to%20register%20it%20to%20a%20machine%20account%2C%20you%20need%20to%20create%20an%20SPN%20as%20below.%3C%2FP%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ESetspn%20%E2%80%93a%20HTTP%2FHOSTNAME%20machineaccount%3C%2FSTRONG%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EEg%3A%20setspn%20%E2%80%93a%20HTTP%2FKerberos.com%20illuminatiserver%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EMethod%202%3A%3C%2FU%3E%3C%2FSTRONG%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3ERegistering%20a%20SPN%20to%20a%20domain%20account.%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EWhen%20you%20have%20a%20custom%20hostname%20and%20you%20want%20to%20register%20it%20to%20a%20domain%20account%2C%20you%20need%20to%20create%20a%20SPN%20a%20below.%3C%2FP%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ESetspn%20%E2%80%93a%20HTTP%2FHOSTNAME%20domainaccount%3C%2FSTRONG%3E%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EEg%3A%20setspn%20%E2%80%93a%20HTTP%2FKerberos.com%20domain%5Cchiram%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ENote%3A%3C%2FSTRONG%3E%20These%20commands%20can%20be%20run%20on%20any%20machines%20within%20the%20domain%20but%20In%20order%20to%20create%20or%20delete%20SPN%E2%80%99s%20you%20need%20to%20be%20a%20domain%20admin%20privileges.%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E8)%3C%2Fimg%3E%20So%20once%20we%20have%20the%20proper%20SPN%20in%20place%20we%20need%20to%20modify%20the%20configuration%20of%20IIS%20such%20that%20we%20point%20IIS%20to%20the%20account%20to%20which%20we%20have%20the%20SPN%20registered%20and%20what%20account%E2%80%99s%20credentials%20IIS%20needs%20to%20use%20to%20decrypt%20the%20ticket%20forwarded%20by%20the%20client%20which%20obtained%20from%20AD.%20So%20again%20based%20on%20the%20above%20two%20variations%2C%20configuration%20settings%20will%20differ%20as%20below.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EMethod%201%3A%3C%2FU%3E%3C%2FSTRONG%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EConfiguration%20when%20we%20have%20SPN%20registered%20to%20machine%20account.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ea)%20Click%20on%20the%20site%20and%20go%20to%20configuration%20editor%20and%20traverse%20to%20the%20path%20system.webServer%2Fsecurity%2Fauthentication%2FwindowsAuthentication%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F4431.clip_image008_215CC62F.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22703%22%20height%3D%22161%22%20title%3D%22clip_image008%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image008%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F5468.clip_image008_thumb_7F90ED9D.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Eb)%20Make%20sure%20that%20usekernel%20mode%20is%20set%20to%20true.%20Usekernel%20mode%20setting%20tells%20IIS%20that%20it%20needs%20to%20use%20its%20machine%20account%20to%20decrypt%20the%20Kerberos%20token%2Fticket%20which%20was%20obtained%20from%20AD%20and%20forwarded%20by%20the%20client%20to%20the%20server%20to%20authenticate%20the%20user.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ec)%20Also%20when%20have%20usekernel%20mode%20set%20to%20true%20the%20decryption%20of%20the%20ticket%20happens%20at%20the%20kernel%20level%20which%20is%20performance%20effective%20and%20a%20faster%20process.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EMethod%202%3A%3C%2FU%3E%3C%2FSTRONG%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EConfiguration%20when%20we%20have%20SPN%20registered%20to%20the%20domain%20account.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ea)%20Go%20to%20advanced%20settings%20of%20your%20application%20pool%20under%20which%20your%20website%20is%20running%20and%20change%20the%20identity%20to%20the%20domain%20account.%20In%20our%20case%20it%20will%20be%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3Edomain%5Cchiranth%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F1526.clip_image010_2FD7C254.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22361%22%20height%3D%22296%22%20title%3D%22clip_image010%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image010%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F7457.clip_image010_thumb_625B1FC6.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F2364.clip_image012_25053514.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22244%22%20height%3D%22142%22%20title%3D%22clip_image012%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image012%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F3301.clip_image012_thumb_4A227F80.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F8547.clip_image014_08A7CD27.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22244%22%20height%3D%22183%22%20title%3D%22clip_image014%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20margin%3A%200px%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image014%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F1145.clip_image014_thumb_4DE02450.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Eb)%20Now%20Click%20on%20the%20site%20and%20go%20to%20configuration%20editor%20and%20traverse%20to%20the%20path%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3Esystem.webServer%2Fsecurity%2Fauthentication%2FwindowsAuthentication%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F4572.clip_image016_6B67AB47.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22476%22%20height%3D%22143%22%20title%3D%22clip_image016%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image016%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F1882.clip_image016_thumb_5E8D5529.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ed)%20Make%20sure%20that%20you%20have%20%E2%80%9C%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EuseAppPoolCredentials%3C%2FU%3E%3C%2FSTRONG%3E%E2%80%9D%20set%20to%20true.%20When%20you%20have%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%E2%80%9CuseAppPoolCredentials%3C%2FU%3E%3C%2FSTRONG%3E%E2%80%9D%20set%20to%20true%20you%20are%20telling%20IIS%20that%20it%20needs%20to%20use%20its%20application%20pool%20identity(which%20we%20have%20changed%20in%20the%20previous%20step%20to%20point%20to%20domain%20account)%20to%20decrypt%20the%20Kerberos%20token%2Fticket%20which%20was%20obtained%20from%20AD%20and%20forwarded%20by%20the%20client%20to%20the%20server%20to%20authenticate%20the%20user.%3C%2FP%3E%0A%3CTABLE%20style%3D%22background-color%3A%20transparent%3B%20border-collapse%3A%20collapse%3B%20border-spacing%3A%200px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%20border%3D%221%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTR%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%0A%3CTD%20width%3D%22779%22%20valign%3D%22top%22%20style%3D%22box-sizing%3A%20border-box%3B%20padding%3A%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3ENote%3A%3C%2FU%3E%3C%2FSTRONG%3E%20If%20we%20have%20both%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EuseAppPoolCredentials%3C%2FU%3E%3C%2FSTRONG%3E%20and%20kernel%20mode%20set%20to%20true%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EuseAppPoolCredentials%3C%2FU%3E%3C%2FSTRONG%3E%20takes%20precedence%20and%20application%20pool%20account%20is%20used%20for%20decryption%20of%20the%20ticket.%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EUsekernelmode%3C%2FU%3E%3C%2FSTRONG%3E%20setting%20was%20introduced%20from%20IIS%207%20and%20higher%20versions.%20In%20IIS%206%20and%20lower%20version%20always%20the%20application%20pool%20identity%20was%20used%20for%20decryption%20of%20the%20token%2Fticket.%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EConfiguration%20for%20double%20hop%3A%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E9)%20The%20above%20steps%20should%20be%20sufficient%20if%20you%20expect%20your%20site%20to%20work%20over%20a%20single%20Hop.%20But%20if%20you%20want%20to%20delegate%20the%20logged%20in%20credentials%20to%20the%20backend%20server%2C%20For%20e.g.%20if%20you%20are%20passing%20the%20logged%20in%20credentials%20to%20the%20backend%20database%20server%20and%20have%20integrated%20security%20%3D%20true%20%2FSSPI%20you%20need%20to%20continue%20following%20the%20below%20steps.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E10)%20Click%20on%20site%20and%20in%20authentication%20section%20make%20sure%20that%20you%20have%20ASP.NET%20impersonation%20enabled%20along%20with%20windows%20authentication.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F5670.clip_image018_2359795E.jpg%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22406%22%20height%3D%22131%22%20title%3D%22clip_image018%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22clip_image018%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F3365.clip_image018_thumb_53A04E14.jpg%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E11)%20Now%20you%20need%20to%20specify%20in%20AD%20that%20the%20account%20to%20which%20your%20HTTP%20service%2FSPN%20is%20registered%20(for%20the%20hostname)%20is%20authorized%20to%20delegate%20the%20user%20logged%20in%20credentials%20to%20any%20backend%20service%20(for%20eg%3A%20MSSQL%20service).%20This%20setting%20again%20varies%20on%20the%20type%20of%20SPN%20you%20have%20registered%20and%20might%20fall%20under%20any%20one%20of%20the%20below%20categories.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EMethod%201%3A%3C%2FU%3E%3C%2FSTRONG%3E%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EWhen%20SPN%20is%20registered%20to%20machine%20account.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ea)%20Go%20to%20Active%20directory%20Users%20and%20Computers.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Eb)%20Click%20on%20computers.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ec)%20Search%20for%20your%20computername%20(in%20our%20case%20illuminatiserver)%20and%20go%20to%20its%20properties.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ed)%20Select%20the%20delegation%20tab%20and%20choose%20the%20second%20option%20(unconstrained%20delegation)%20%E2%80%98%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ETrust%20this%20computer%20for%20delegation%20to%20any%20service%3C%2FSTRONG%3E%E2%80%99%20where%20you%20are%20authorizing%20the%20machine%20account%20%E2%80%9Cilluminatiserver%E2%80%9D%20with%20the%20power%20to%20delegate%20the%20logged%20in%20credentials%20of%20an%20user%20to%20any%20backend%20service%20running%20on%20any%20machine.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F1526.image_0A9CECDF.png%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22271%22%20height%3D%22312%22%20title%3D%22image%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22image%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F6862.image_thumb_210F8B66.png%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3E%3CU%20style%3D%22box-sizing%3A%20border-box%3B%22%3EMethod%202%3C%2FU%3E%3A%20When%20SPN%20is%20registered%20to%20a%20domain%20account.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ea)%20Go%20to%20Active%20directory%20Users%20and%20Computers.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Eb)%20Click%20on%20Users.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ec)%20Search%20for%20your%20domain%20user%20account%20(in%20our%20case%20domain%5Cchiranth)%20and%20go%20to%20its%20properties.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3Ed)%20Select%20the%20delegation%20tab%20and%20choose%20the%20second%20option%20(unconstrained%20delegation)%20%E2%80%98%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ETrust%20this%20account%20for%20delegation%20to%20any%20service%3C%2FSTRONG%3E%E2%80%99%20where%20you%20are%20authorizing%20the%20domain%20account%20%E2%80%9Cilluminatiserver%E2%80%9D%20with%20the%20power%20to%20delegate%20the%20logged%20in%20credentials%20of%20an%20user%20to%20any%20backend%20service%20running%20on%20any%20machine.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F2110.image_65DBAF9A.png%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CIMG%20width%3D%22273%22%20height%3D%22338%22%20title%3D%22image%22%20style%3D%22border-image-outset%3A%200%3B%20border-image-repeat%3A%20stretch%3B%20border-image-slice%3A%20100%25%3B%20border-image-source%3A%20none%3B%20border-image-width%3A%201%3B%20box-sizing%3A%20border-box%3B%20height%3A%20auto%3B%20max-width%3A%20100%25%3B%20padding-left%3A%200px%3B%20padding-right%3A%200px%3B%20padding-top%3A%200px%3B%20vertical-align%3A%20middle%3B%20border%3A%200px%20none%20currentColor%3B%22%20alt%3D%22image%22%20src%3D%22https%3A%2F%2Fmsdnshared.blob.core.windows.net%2Fmedia%2FMSDNBlogsFS%2Fprod.evol.blogs.msdn.com%2FCommunityServer.Blogs.Components.WeblogFiles%2F00%2F00%2F01%2F61%2F50%2Fmetablogapi%2F1884.image_thumb_0E9714E4.png%22%20border%3D%220%22%20%2F%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E12)%20We%20might%20have%20policies%20where%20we%20don%E2%80%99t%20want%20to%20enable%20delegation%20to%20all%20the%20services%20i.e%20we%20don%E2%80%99t%20want%20to%20have%20unconstrained%20delegation%20setup%20due%20to%20some%20security%20policies%20in%20such%20cases%20we%20need%20to%20enable%20constrained%20delegation.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3ETo%20enable%20constrained%20delegation%20on%20the%20delegation%20tab%20select%20the%203%3CSUP%20style%3D%22box-sizing%3A%20border-box%3B%20font-size%3A%2075%25%3B%20line-height%3A%200%3B%20position%3A%20relative%3B%20top%3A%20-0.5em%3B%20vertical-align%3A%20baseline%3B%22%3Erd%3C%2FSUP%3E%20option%20where%20it%20says%20%E2%80%9C%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ETrust%20this%20account%20for%20delegation%20to%20specified%20service%3C%2FSTRONG%3E%E2%80%9D%20and%20in%20the%20bottom%20windows%20you%20can%20add%20the%20list%20of%20backend%20services%20(MSSQLSVC%2C%20CIFS%20service)%20specific%20to%20the%20machines%20to%20which%20your%20SPN%20account%20can%20delegate%20the%20login%20credentials.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EFor%20eg%3A%20I%20have%20registered%20my%20HTTP%20SPN%20to%20domain%5Cchiranth%20and%20in%20the%20delagtion%20tab%20of%20chiranth%20I%20have%20selected%20the%20third%20option%20%E2%80%9C%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ETrust%20this%20account%20for%20delegation%20to%20specified%20service%3C%2FSTRONG%3E%E2%80%9D%20and%20in%20the%20list%20of%20service%20I%20have%20specified%20%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EMSSQLSvc%2FMySQLServer%3A1433.%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3EThe%20above%20setting%20specifies%20that%20domain%5Cchiranth%20account%20will%20be%20able%20to%20delegate%20the%20logged%20in%20credentials%20in%20IIS%20server%20to%20only%20MSSQLSvc%20running%20MySQLServer%20on%20port%201433%20and%20no%20other%20services%20or%20machines.%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3ENote%3C%2FSTRONG%3E%3C%2FSPAN%3E%3A%20One%20of%20my%20colleagues%20has%20recently%20developed%20a%20tool%20to%20troubleshoot%20the%20Kerberos%20issue%20and%20manage%20the%20settings%20and%20information%20regarding%20that%20can%20be%20found%20in%20the%20below%20link%3C%2FP%3E%0A%3CBLOCKQUOTE%20class%3D%22wp-embedded-content%22%20style%3D%22border-left-color%3A%20%23eeeeee%3B%20border-left-style%3A%20solid%3B%20border-left-width%3A%205px%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2017.5px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20padding%3A%2010px%2020px%2010px%2020px%3B%20margin%3A%200px%200px%2020px%200px%3B%22%20data-secret%3D%22jOi2IgMUKV%22%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20margin%3A%200px%3B%22%3E%3CA%20style%3D%22background-color%3A%20transparent%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23337ab7%3B%20text-decoration%3A%20none%3B%22%20href%3D%22https%3A%2F%2Fblogs.msdn.microsoft.com%2Fsurajdixit%2F2018%2F02%2F07%2Fkerberos-configuration-manager-for-internet-information-services-server%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EKerberos%20Configuration%20Manager%20for%20IIS%20Server%3C%2FA%3E%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CIFRAME%20width%3D%22500%22%20height%3D%22282%22%20title%3D%22%E2%80%9CKerberos%20Configuration%20Manager%20for%20IIS%20Server%E2%80%9D%20%E2%80%94%20Tech%20Blog%22%20class%3D%22wp-embedded-content%22%20src%3D%22https%3A%2F%2Fblogs.msdn.microsoft.com%2Fsurajdixit%2F2018%2F02%2F07%2Fkerberos-configuration-manager-for-internet-information-services-server%2Fembed%2F%23%3Fsecret%3DjOi2IgMUKV%22%20frameborder%3D%220%22%20marginwidth%3D%220%22%20marginheight%3D%220%22%20scrolling%3D%22no%22%20style%3D%22box-sizing%3A%20border-box%3B%20clip%3A%20rect(1px%2C%201px%2C%201px%2C%201px)%3B%20position%3A%20absolute%3B%22%20sandbox%3D%22allow-scripts%22%20data-mce-fragment%3D%221%22%20data-secret%3D%22jOi2IgMUKV%22%20security%3D%22restricted%22%3E%3C%2FIFRAME%3E%3C%2FP%3E%0A%3CP%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FSurajDixit%2FKerberosConfigMgrIIS%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FSurajDixit%2FKerberosConfigMgrIIS%3C%2FA%3E%3C%2FP%3E%0A%3CP%20align%3D%22center%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20center%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%200px%2010px%200px%3B%22%3E%3CSTRONG%20style%3D%22box-sizing%3A%20border-box%3B%20font-weight%3A%20bold%3B%22%3EHope%20this%20helps%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20align%3D%22center%22%20style%3D%22margin%3A%200px%200px%2010px%3B%20text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20400%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20white-space%3A%20normal%3B%20box-sizing%3A%20border-box%3B%20orphans%3A%202%3B%20-webkit-text-stroke-width%3A%200px%3B%22%3E%3CSTRONG%3EAuthor%3A%20Chiranth%20Ramaswamy%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E

I had previously blogged on the working of Kerberos and how to troubleshoot authentication issues with Kerberos when it fails. Then I thought it would be good if I can also document the basic steps we look into when configuring Kerberos for a site. Over here we look into step by step process of the changes we need to make when we want to setup Kerberos for a site.

Please go through the blog on how Kerberos works before going through the setup blog.

The below steps will take you through the setup of Kerberos for a site. Steps 1-8 should be sufficient when you want Kerberos for the site to be configured only for single HOP. The steps followed from Step 9 shows you the configuration when you want to configure double hop i.e delegate the logged in account to a backend server (for eg a sql service).

Steps:

Configuration for single hop:

1) Click on the website, go to authentication and make sure that windows authentication is enabled.

clip_image002

2) Make sure that when you want to use windows authentication, anonymous authentication is not enabled, which is a common mistake I have observed. Because anonymous authentication takes more precedence than windows authentication. Below is the link which talks about precedence in authentication.

http://msdn.microsoft.com/en-us/library/ee825205(v=cs.10).aspx

3) Enabling windows authentication doesn’t mean Kerberos protocol will be used. It might also use NTLM which is also a provider in windows authentication. In order to setup Kerberos for the site, make sure “Negotiate” is at the top of the list in providers section that you can see when you select windows authentication. Negotiate is a provider or container which supports Kerberos protocol and it also contains NTLM as a backup when Kerberos fails due to some reason. But one important thing to keep in mind over here is when we want to use Kerberos “Negotiate” should be at the top.

clip_image004

clip_image006

4) So above three steps should be sufficient when you want to browse your site with the machine name as http://machinename or http://FQDN of machine name and you need not create any SPN’s (concept of SPN is explained in my previous blog) as you will have a HOST SPN registered to your machine account by default when you join a machine to a domain. HOST SPN is similar to HTTP SPN’s and should be sufficient when you want to access a site over Kerberos.

For eg: If you have a machine with the name ‘illuminati’ a host SPN for illuminati will be present and it will be registered to your inbuilt machine account. You can confirm this through running the below command.

Setspn –l machineaccount

 

Setspn –l illuminati : this will query for all the SPN’S registered to the machine account illuminati.

5) If you want to access the site with a custom hostname we need to create appropriate SPN for the hostname and we need to register it either to the machine account or to the domain account.

We usually don’t register the SPN to a machine account and choose domain accounts when we have a web farm scenario (same site hosted in multiple servers behind a load balancer) and the same ticket from AD should be accessible in all the machines in the farm.

6) Let’s consider the below scenario with imaginary hostname, machine name and a domain account.

FQDN Machine name: illuminatiserver.domain.com

 

Hostname: Kerberos.com

Domain account: domain\chiranth

Note: Be careful while choosing a hostname. The hostname shouldn’t have “www.” If we have www in the hostname Kerberos will fail, because when a client tries to access a site with hostname www in it, it will try to go over internet rather than intranet zone.

7) For the above requirements with a custom hostname we can create SPN’s in either one of the two ways. It can be chosen on your requirement and the policies you have.

Method 1: Registering a SPN to a machine account.

When you have a custom hostname and you want to register it to a machine account, you need to create an SPN as below.

Setspn –a HTTP/HOSTNAME machineaccount

 

Eg: setspn –a HTTP/Kerberos.com illuminatiserver

Method 2: Registering a SPN to a domain account.

When you have a custom hostname and you want to register it to a domain account, you need to create a SPN a below.

Setspn –a HTTP/HOSTNAME domainaccount

 

Eg: setspn –a HTTP/Kerberos.com domain\chiram

Note: These commands can be run on any machines within the domain but In order to create or delete SPN’s you need to be a domain admin privileges.

8) So once we have the proper SPN in place we need to modify the configuration of IIS such that we point IIS to the account to which we have the SPN registered and what account’s credentials IIS needs to use to decrypt the ticket forwarded by the client which obtained from AD. So again based on the above two variations, configuration settings will differ as below.

Method 1: Configuration when we have SPN registered to machine account.

a) Click on the site and go to configuration editor and traverse to the path system.webServer/security/authentication/windowsAuthentication

clip_image008

b) Make sure that usekernel mode is set to true. Usekernel mode setting tells IIS that it needs to use its machine account to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.

c) Also when have usekernel mode set to true the decryption of the ticket happens at the kernel level which is performance effective and a faster process.

Method 2: Configuration when we have SPN registered to the domain account.

a) Go to advanced settings of your application pool under which your website is running and change the identity to the domain account. In our case it will be domain\chiranth

clip_image010

clip_image012

clip_image014

b) Now Click on the site and go to configuration editor and traverse to the path system.webServer/security/authentication/windowsAuthentication

clip_image016

d) Make sure that you have “useAppPoolCredentials” set to true. When you have “useAppPoolCredentials” set to true you are telling IIS that it needs to use its application pool identity(which we have changed in the previous step to point to domain account) to decrypt the Kerberos token/ticket which was obtained from AD and forwarded by the client to the server to authenticate the user.

Note: If we have both useAppPoolCredentials and kernel mode set to true useAppPoolCredentials takes precedence and application pool account is used for decryption of the ticket. Usekernelmode setting was introduced from IIS 7 and higher versions. In IIS 6 and lower version always the application pool identity was used for decryption of the token/ticket.

Configuration for double hop:

9) The above steps should be sufficient if you expect your site to work over a single Hop. But if you want to delegate the logged in credentials to the backend server, For e.g. if you are passing the logged in credentials to the backend database server and have integrated security = true /SSPI you need to continue following the below steps.

10) Click on site and in authentication section make sure that you have ASP.NET impersonation enabled along with windows authentication.

clip_image018

11) Now you need to specify in AD that the account to which your HTTP service/SPN is registered (for the hostname) is authorized to delegate the user logged in credentials to any backend service (for eg: MSSQL service). This setting again varies on the type of SPN you have registered and might fall under any one of the below categories.

Method 1: When SPN is registered to machine account.

a) Go to Active directory Users and Computers.

b) Click on computers.

c) Search for your computername (in our case illuminatiserver) and go to its properties.

d) Select the delegation tab and choose the second option (unconstrained delegation) ‘Trust this computer for delegation to any service’ where you are authorizing the machine account “illuminatiserver” with the power to delegate the logged in credentials of an user to any backend service running on any machine.

image

Method 2: When SPN is registered to a domain account.

a) Go to Active directory Users and Computers.

b) Click on Users.

c) Search for your domain user account (in our case domain\chiranth) and go to its properties.

d) Select the delegation tab and choose the second option (unconstrained delegation) ‘Trust this account for delegation to any service’ where you are authorizing the domain account “illuminatiserver” with the power to delegate the logged in credentials of an user to any backend service running on any machine.

image

12) We might have policies where we don’t want to enable delegation to all the services i.e we don’t want to have unconstrained delegation setup due to some security policies in such cases we need to enable constrained delegation.

To enable constrained delegation on the delegation tab select the 3rd option where it says “Trust this account for delegation to specified service” and in the bottom windows you can add the list of backend services (MSSQLSVC, CIFS service) specific to the machines to which your SPN account can delegate the login credentials.

For eg: I have registered my HTTP SPN to domain\chiranth and in the delagtion tab of chiranth I have selected the third option “Trust this account for delegation to specified service” and in the list of service I have specified MSSQLSvc/MySQLServer:1433.

The above setting specifies that domain\chiranth account will be able to delegate the logged in credentials in IIS server to only MSSQLSvc running MySQLServer on port 1433 and no other services or machines.

 

Note: One of my colleagues has recently developed a tool to troubleshoot the Kerberos issue and manage the settings and information regarding that can be found in the below link

Kerberos Configuration Manager for IIS Server

https://github.com/SurajDixit/KerberosConfigMgrIIS

Hope this helps

Author: Chiranth Ramaswamy