Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

SSO in IIS using Kerberos

Copper Contributor



I am a member of a 5000 plus personnel, government office.


We must share web based data from our subdomain, to everyone at  To do this we are told to use Kerberos under Windows Authentication.

Our labs, web server has an app pool named SITEAppPool and its app-pool identity is labs\SITEAppPoolUser.

According to this article online:


I set the spns on Machine Account for both HOST and HTTP.


I opened IIS Manager and I set the server_name node's, (just under the Start Page node), authentication to Windows Authentication and the Windows Authentication providers to Negotiate, followed by NTLM.

I also opened configuration editor for server_name node and set security/authentication/windowsAuthentication settings like so:

                    useAppPoolCredentials: true

                    useKernelMode: False

I applied the same settings to Default Web Site and to CompanyWideAccess web application.


after resetting my iss, neither I nor any person at the organization can reach the CompanyWidwAccess website without getting a login prompt and a 401 when clicking cancel on the prompt.


If I change the settings for security/authentication/windowsAuthentication on all three nodes to:


                    useAppPoolCredentials: false

                    useKernelMode: true


I and other member of our subdomain can connect, but those from top level domain and other sub domains still get the pecky login prompt.

I have not only read the above article but also a couple others, each with a slightly different take.


How may I get this SSO to work for all 5000 plus members of our organization without using anonymous, (a big no/no)?

I feel like I am running circles and nothing fully works. 



1 Reply



As far as I understand, you should register the SPN for the user from whom the pool "labs\SITEAppPoolUser" works.

useAppPoolCredentials must be true


Good link