After you install the web enrollment pages on an external IIS 7 web server, two additional configuration steps are required:
On the service account running the website in IIS 7 (commonly the computer account/Network Service account):
- Trust the security principal for delegation to the back-end (CA) server
- The minimum permission required is constrained delegation to the RPCSS and HOST services of that back-end server
- Register the correct SPN(s) on the service account (e.g. http/mypkisite and http/mypkisite.contoso.com)
The computer account will by default have a generic SPN (like host/computername.contoso.com) registered on it (in the ServicePrincipalNames attribute).
Registering an additional, more specific SPN on the same account does no harm, and it is required if the site is reached through a DNS alias, for example.
On the IIS configuration for the web site:
- Enable the ‘Windows Authentication’ option under IIS/Authentication
By default, IIS 7 web sites only have Anonymous authentication turned on.
Security principals are also by default not trusted for delegation.
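The two steps above, scripted from an elevated PowerShell prompt on the IIS host. This is an added example, not part of the original note: the names WEBSRV (the IIS computer account), CA01 (the back-end CA), mypkisite.contoso.com (the DNS alias) and the "Default Web Site/CertSrv" path are assumed placeholders, and the delegation part assumes the ActiveDirectory RSAT module is installed.

```powershell
# Assumed names (placeholders): adjust to your environment.
$webServer = 'WEBSRV'              # IIS computer account (site runs as Network Service)
$caServer  = 'ca01.contoso.com'    # back-end CA the web pages talk to over DCOM/RPC
$alias     = 'mypkisite.contoso.com'

# Step 1a: register the site-specific SPNs on the computer account.
# -S checks for duplicate SPNs in the forest before adding (a duplicate SPN breaks Kerberos).
setspn -S "http/$alias" "$webServer`$"
setspn -S "http/$($alias.Split('.')[0])" "$webServer`$"
setspn -L "$webServer`$"           # verify: host/... plus the new http/... entries

# Step 1b: constrained delegation (Kerberos only) to just RPCSS and HOST on the CA.
# Writing msDS-AllowedToDelegateTo is what the "Trust this computer for delegation to
# specified services only" dialog does; no TrustedToAuthForDelegation, so no
# protocol transition and no unconstrained delegation.
Import-Module ActiveDirectory
Set-ADComputer -Identity $webServer -Add @{
    'msDS-AllowedToDelegateTo' = @("RPCSS/$caServer", "HOST/$caServer")
}
(Get-ADComputer $webServer -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'

# Step 2: turn on Windows Authentication (and off Anonymous) for the enrollment site.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site/CertSrv'   # assumed virtual directory of the enrollment pages
& $appcmd set config $site -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" -commit:apphost
& $appcmd set config $site -section:system.webServer/security/authentication/anonymousAuthentication /enabled:"False" -commit:apphost
& $appcmd list config $site -section:system.webServer/security/authentication/windowsAuthentication
```

After the change, a client that reaches the site via the alias should get a Kerberos ticket for http/mypkisite.contoso.com (visible with klist) and the CA's Security log should show the request arriving under the user's identity, not the web server's.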