Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings

Topic Last Modified: 2009-03-06

Internet Information Services (IIS) 7.0 enables kernel mode authentication by default. In Windows Server 2008, kernel mode authentication runs under the machine account, but Office Communications Server 2007 R2 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you install and activate Office Communications Server 2007 R2 on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.

Instead of disabling kernel mode authentication in IIS, you can configure IIS to use the Web application pool’s identity for the internal virtual directories used by Office Communications Server. To do so, modify the windowsAuthentication element for the Default Web Site on the Web Components Server or Communicator Web Access server. For details about the windowsAuthentication element, see “IIS 7.0: windowsAuthentication Element (IIS Settings Schema)” in the Internet Information Services documentation at https://go.microsoft.com/fwlink/?LinkId=131083.

To configure useAppPoolCredentials using the ApplicationHost.config File

  1. Open the ApplicationHost.config file in a text editor. By default, this file is located at %windir%\system32\inetsrv\config\.

  2. For all folders under the Default Web Site location path, enable the windowsAuthentication element and set its useAppPoolCredentials attribute to true. For example:

    <system.webServer>
       <security>
          <authentication>
             <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
          </authentication>
       </security>
    </system.webServer>
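
The following check is an added example, not part of the original topic: it reads the text of a copy of ApplicationHost.config and lists the Default Web Site locations where Windows authentication is still handled in kernel mode without useAppPoolCredentials. The sample configuration and the ExampleDir folder names are constructed; the useKernelMode attribute and the default values are taken from the IIS 7.0 settings schema rather than from this page, and settings made outside ApplicationHost.config (for example in web.config files) are not considered.

```python
import xml.etree.ElementTree as ET

# IIS 7.0 schema defaults for <windowsAuthentication>.
DEFAULTS = {"enabled": False, "useKernelMode": True, "useAppPoolCredentials": False}
# Constructed sample config; the ExampleDir* folder names are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ExampleDirA">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ExampleDirB">
    <system.webServer><security><authentication>
      <windowsAuthentication useKernelMode="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def effective_settings(config_xml, site="Default Web Site"):
    """Return {location path: merged settings} for the site and its folders."""
    explicit = {}
    for scope in ET.fromstring(config_xml):
        node = next(scope.iter("windowsAuthentication"), None)
        if scope.tag in ("system.webServer", "location") and node is not None:
            # A missing path attribute ("") means the server-wide section.
            explicit[scope.get("path", "")] = {
                k: node.get(k).strip().lower() == "true" for k in DEFAULTS if k in node.attrib}
    merged = {}
    for path in explicit:
        if path == site or path.startswith(site + "/"):
            merged[path] = dict(DEFAULTS)
            for anc in sorted(explicit, key=len):  # outermost scope first
                if anc == "" or path == anc or path.startswith(anc + "/"):
                    merged[path].update(explicit[anc])
    return merged

def needs_attention(s):
    """Kernel mode is active and the application pool identity is not used."""
    return s["enabled"] and s["useKernelMode"] and not s["useAppPoolCredentials"]

def audit(config_xml):
    """Sorted location paths whose effective settings still need the change."""
    return sorted(p for p, s in effective_settings(config_xml).items() if needs_attention(s))
```

Against the sample, `audit(SAMPLE_CONFIG)` reports only the site-level location: ExampleDirA sets useAppPoolCredentials, and ExampleDirB has kernel mode turned off.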