Configuring a Windows Server 2008 front-end web enrollment server for delegation


Offloading web enrollment in W2k8 

After you install the web enrollment pages on an external IIS7 web server, 2 additional steps are required:

On the service account running the website in IIS 7 (commonly the computer account, i.e. Network Service):

· Trust the security principal for delegation against the back-end server.

· The minimum permissions required are delegation to the RPCSS and HOST services on that back-end server.

· Register the correct SPN on the service account (e.g. http/mypkisite.contoso.com and http/mypkisite.contoso.com).

The computer account will by default have a generic SPN (like host/computername.contoso.com) registered on it (in the ServicePrincipalNames attribute).

Registering an additional, more specific SPN on the same account is harmless, however, and is required if you access the site through a DNS alias, for example.

On the IIS configuration for the web site:

· Enable the ‘Windows Authentication’ option under IIS/Authentication.

By default, IIS 7 web sites only have Anonymous authentication turned on.
Security principals are also by default not trusted for delegation.
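The three steps above (SPN registration, constrained delegation to HOST and RPCSS only, Windows Authentication in IIS) scripted with setspn, the ActiveDirectory module and appcmd, as an added example that is not from the original post. The names WEB01, ca01.contoso.com and the IIS path Default Web Site/CertSrv are placeholders, and it registers the short-name SPN alongside the FQDN one, which the post does not spell out. Run it in an elevated PowerShell session as a domain administrator on the front-end server.

```powershell
# Added example (not from the original post): the delegation, SPN and IIS steps
# described above, done with tools present on Windows Server 2008 / 2008 R2.
# Assumed placeholder names: WEB01 = front-end IIS server running as Network Service,
# ca01.contoso.com = back-end CA, mypkisite.contoso.com = DNS alias users browse to.
$FrontEnd  = 'WEB01'                      # computer account of the IIS box (WEB01$)
$BackEnd   = 'ca01.contoso.com'           # FQDN of the certification authority
$SiteAlias = 'mypkisite.contoso.com'      # DNS alias for the enrollment site
$SitePath  = 'Default Web Site/CertSrv'   # IIS path of the web enrollment pages
$AppCmd    = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. Register the site-specific SPNs on the computer account. setspn -S (Server 2008
#    and later) refuses to add an SPN that already exists on another account in the
#    forest, so a duplicate SPN (which silently breaks Kerberos) is caught here.
setspn -S "http/$SiteAlias" "$FrontEnd`$"
setspn -S "http/$($SiteAlias.Split('.')[0])" "$FrontEnd`$"   # short-name form as well

# 2. Constrained delegation: let WEB01$ delegate only to the HOST and RPCSS services
#    on the CA, the minimum the enrollment pages need. This writes
#    msDS-AllowedToDelegateTo on the computer object. It deliberately does NOT set
#    TrustedForDelegation, which would be unconstrained delegation to any service.
Import-Module ActiveDirectory   # RSAT on 2008 R2; on 2008 RTM use the ADU&C Delegation tab instead
Set-ADComputer -Identity $FrontEnd -Add @{
    'msDS-AllowedToDelegateTo' = @("HOST/$BackEnd", "RPCSS/$BackEnd")
}

# 3. Turn Windows Authentication on for the enrollment pages and Anonymous off:
#    an anonymous request carries no Kerberos ticket, so there is nothing to delegate.
& $AppCmd set config $SitePath `
    /section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:true /commit:apphost
& $AppCmd set config $SitePath `
    /section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:false /commit:apphost

# 4. Verify: the SPNs now on the account, the delegation list (should contain exactly
#    the two entries from step 2), and the effective IIS authentication settings.
setspn -L "$FrontEnd`$"
Get-ADComputer $FrontEnd -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo
& $AppCmd list config $SitePath /section:windowsAuthentication
& $AppCmd list config $SitePath /section:anonymousAuthentication
```

Keeping the delegation list to HOST and RPCSS on the one CA host is the least-privilege point of the post: if the front-end web server is ever compromised, the tickets it can obtain on behalf of users are limited to those two services rather than to any service in the domain, which is what ticking the unconstrained ‘Trust this computer for delegation to any service’ option would allow.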

Comments (2)

  1. Garry Trinder says:

    This should be covered for both user accounts and computer accounts in http://technet.microsoft.com/en-us/library/cc739764.aspx

    In short it revolves around ticking the ‘Trust this computer for delegation’ box for the user/computer in ADU&C.
    This is however an option that you will only see in the Advanced view in ADU&C and only if an SPN has been registered on the security principal (also covered in that Technet article).

  2. Timothy Herrera says:

    How does one “Trust the security principal for delegation against the back-end server”?