# Wednesday, December 17, 2008

I've been setting up Kerberos for a client that is using Windows Server 2008, and I've found the following:

Windows Server 2008 uses http.sys, a kernel-mode driver designed to intercept web requests at the kernel level (thus improving performance), so it requires a little more configuration. By default http.sys will handle the authentication request using the Local System account, not the application pool account, and this will cause problems if you want to use Kerberos. The solution is the following:

In the applicationHost.config file (located at <system drive>\Windows\System32\inetsrv\applicationHost.config):

Find the following XML fragment:

<configuration><system.webServer><security><authentication>

Change the windowsAuthentication node to:

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true"/>

This just tells the http.sys kernel-mode driver to use the application pool credentials.

 

Enable Kerberos logging:

Run regedit:

Find: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\LSA\Kerberos\Parameters

Add a new DWORD value named LogLevel and set its value to 1.

On Windows Server 2008 this will take effect immediately.

Now that logging has been turned on, you might want to reference the Common Kerberos Error Codes: http://support.microsoft.com/kb/230476

These error messages will show up in the System log in Event Viewer.
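An added example, not code from the original post, that applies both settings from PowerShell with appcmd.exe (which ships with IIS 7) and the registry provider, then reads the results back; it assumes the site is named "Default Web Site", an elevated session on the web server, and the full key path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

```powershell
# Added example (not from the original post): apply the two changes
# described above with tools that ship with Windows Server 2008 / IIS 7.
# Assumptions: the site is "Default Web Site" and this runs in an
# elevated PowerShell session on the web server.

$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'
$section = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Tell http.sys to authenticate with the application pool identity.
#    /commit:apphost writes the <windowsAuthentication ...> node into
#    applicationHost.config rather than the site's web.config.
& $appcmd set config $site "-section:$section" `
    '/enabled:true' '/useKernelMode:true' '/useAppPoolCredentials:true' `
    '/commit:apphost'

# Read the node back so the change can be reviewed before moving on.
& $appcmd list config $site "-section:$section"

# 2. Turn on Kerberos logging. LogLevel is a DWORD under the Lsa
#    parameters key (full path below); -Force overwrites an existing value.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $kerbKey -Name LogLevel -PropertyType DWord `
    -Value 1 -Force | Out-Null

# 3. Pull the most recent Kerberos entries from the System log, which is
#    where the error codes listed in KB 230476 will appear.
Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.Source -like '*Kerberos*' } |
    Select-Object -First 10 TimeGenerated, EventID, Message |
    Format-List
```

Because the service ticket is now decrypted with the application pool account's key, the HTTP service principal name for the site's host name has to be registered on that account (with setspn) rather than on the machine account, or authentication will fail. Set LogLevel back to 0 once you are done, since level 1 records every Kerberos error, including routine ones.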

 

Of course there are a few more steps involved in setting up Kerberos, but hopefully this will help with the Windows Server 2008-specific problems.

Wednesday, December 17, 2008 8:57:00 PM (E. Australia Standard Time, UTC+10:00)