Kerberos authentication -- iis security

Ronald Ruijs
6/6/2007 6:01:34 PM

Hi,

For Kerberos authentication to work on Windows Server 2003/IIS 6 with IE 6
client, does the w3svc service need to run under a domain account, or is
Localsystem OK, too?

My IIS does NTLM only, and I can't figure out why...

Thanks,

Ronald

Ken Schaefer
6/7/2007 12:00:00 AM

There is no need to run under a domain account. Network Service (or Local
Server, or LocalSystem) is fine. You just need to register the SPN under the
correct account.

IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/27/1282.aspx

Cheers
Ken

[quoted text, click to view]

Got something to say? Click here to post a reply to this thread.

Don't see what you're looking for? Try a search.

View other messages about iis security

iis security : Kerberos authentication