Configuring a Windows Server 2008 front-end web enrollment server for delegation

Offloading web enrollment in W2k8 

After you install the web enrollment pages on an external IIS7 web server, 2 additional steps are required:

On the service account running the website in IIS 7 (commonly the computer account/Network Service account):

- Trust the security principal for delegation against the back-end server

- The minimum permissions required are for the RPCSS and HOST services to be delegated

- Register the correct SPN on the service account (e.g. http/ and http/

The computer account will by default have a generic SPN (like host/ registered on it (in the ServicePrincipalNames attribute).

Registering an additional, more specific SPN on the same account does no harm, and it is required if you access the server through a DNS alias, for example.

On the IIS configuration for the web site:

- Enable the ‘Windows Authentication’ option under IIS/Authentication

By default, IIS 7 web sites only have Anonymous authentication turned on.
Security principals are also by default not trusted for delegation.
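The steps above, scripted as an added example that is not part of the original post. It assumes a constructed environment: domain contoso.local, front-end IIS server FE-WEB01 running the enrollment pages under its computer account, back-end CA server CA01, a DNS alias webenroll.contoso.local, the pages under 'Default Web Site/CertSrv', and the ActiveDirectory and WebAdministration PowerShell modules available on the machine you run it from.

```powershell
# Added example (not from the original post). Assumed names: domain contoso.local,
# front-end web server FE-WEB01 (service account = its computer account / Network
# Service), back-end CA server CA01, DNS alias webenroll.contoso.local, and the
# enrollment pages at 'Default Web Site/CertSrv'. Needs rights to edit the
# computer object in AD and to change the IIS configuration.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Domain    = 'contoso.local'
$FrontEnd  = 'FE-WEB01'              # IIS server hosting the enrollment pages
$BackEnd   = 'CA01'                  # certification authority the pages forward to
$SiteAlias = "webenroll.$Domain"     # DNS alias clients use to reach the pages
$Site      = 'Default Web Site/CertSrv'
$Account   = $FrontEnd + '$'         # sAMAccountName of the computer account

# 1. Register http/ SPNs on the computer account. The default host/<name> SPN
#    covers the machine's own name, but a DNS alias needs its own http/ SPN or
#    clients fall back to NTLM and no Kerberos delegation can take place.
#    setspn -S refuses to create a duplicate SPN (duplicates break Kerberos).
setspn -S "http/$FrontEnd.$Domain" $Account
setspn -S "http/$FrontEnd"         $Account
setspn -S "http/$SiteAlias"        $Account

# 2. Constrained delegation: allow the front-end computer account to delegate
#    only to the RPCSS and HOST services on the back-end CA (the minimum the
#    enrollment pages need), rather than to any service in the domain.
$Targets = @(
    "RPCSS/$BackEnd.$Domain", "RPCSS/$BackEnd",
    "HOST/$BackEnd.$Domain",  "HOST/$BackEnd"
)
Set-ADComputer -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $Targets }

# 3. IIS: enable Windows Authentication and disable Anonymous for the enrollment
#    pages, so the caller's Kerberos identity is what gets delegated to the CA.
$Auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter "$Auth/windowsAuthentication"   -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter "$Auth/anonymousAuthentication" -Name 'enabled' -Value $false

# Verify: the SPNs on the account, the exact services it may delegate to, and
# the resulting IIS authentication setting.
setspn -L $Account
(Get-ADComputer $FrontEnd -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter "$Auth/windowsAuthentication" -Name 'enabled'
```

Review the msDS-AllowedToDelegateTo output afterwards: it should list only the four RPCSS/HOST entries for the CA, since every extra target widens what the front-end account can impersonate users to.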

Comments (2)

  1. Garry Trinder says:

    This should be covered for both user accounts and computer accounts in

    In short it revolves around ticking the ‘Trust this computer for delegation’ box for the user/computer in ADU&C.
    This is however an option that you will only see in the Advanced view in ADU&C and only if an SPN has been registered on the security principal (also covered in that Technet article).

  2. Timothy Herrera says:

    How does one “Trust the security principal for delegation against the back-end server”?
