Configuring a Windows Server 2008 front-end web enrollment server for delegation

Offloading web enrollment in W2k8 

After you install the web enrollment pages on an external IIS 7 web server, two additional steps are required:

On the service account running the website in IIS 7 (commonly the computer account/Network Service account):

- Trust the security principal for delegation against the back-end server

- The minimum required is delegation to the RPCSS and HOST services only

- Register the correct SPN on the service account (e.g. http/mypkisite.contoso.com, and likewise for the short host name)

The computer account will by default have a generic SPN (like host/computername.contoso.com) registered on it (in the servicePrincipalName attribute).

Registering an additional, more specific SPN on the same account does no harm, and it is a requirement if the site is accessed through a DNS alias, for example.

On the IIS configuration for the web site:

- Enable the ‘Windows Authentication’ option under IIS/Authentication

By default, IIS 7 web sites only have Anonymous authentication turned on.
Security principals are also by default not trusted for delegation.
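
The steps above, scripted as an added example that is not part of the original article: it assumes the ActiveDirectory and WebAdministration PowerShell modules are available where you run it, that the Windows Authentication feature is installed on the IIS server, and the server names and site path are constructed placeholders.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory and
# WebAdministration modules are available and the caller may edit the front-end
# computer object. WEBENROLL01, CA01 and the CertSrv path are constructed placeholders.
Import-Module ActiveDirectory
Import-Module WebAdministration

$FrontEnd = 'WEBENROLL01'               # IIS server hosting the enrollment pages (constructed)
$BackEnd  = 'CA01'                      # CA server the pages call over DCOM/RPC (constructed)
$Domain   = 'contoso.com'
$Alias    = "mypkisite.$Domain"         # DNS alias users browse to (from the article)
$SitePath = 'Default Web Site/CertSrv'  # enrollment virtual directory (constructed)

# 1. Register the http SPN for the alias on the computer account running the site.
#    setspn -S refuses to create a duplicate SPN, which would break Kerberos for both hosts.
$spns = @("http/$Alias", 'http/mypkisite')
foreach ($spn in $spns) { setspn -S $spn "$FrontEnd`$" }

# 2. Constrained delegation to the back-end CA, limited to the RPCSS and HOST services
#    the article names as the minimum, in both FQDN and short-name forms.
$targets = @('RPCSS', 'HOST') | ForEach-Object { "$_/$BackEnd.$Domain"; "$_/$BackEnd" }
Set-ADComputer -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# 3. Enable Windows Authentication for the enrollment pages (IIS 7 sites start with
#    Anonymous only). Writing at -Location keeps the change in applicationHost.config,
#    where the authentication sections are editable even though they are locked for web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# 4. Verify: the account should carry the SPNs, delegate to exactly the four targets,
#    and not be trusted for unconstrained delegation (constrained is all this needs).
$acct = Get-ADComputer $FrontEnd -Properties servicePrincipalName, msDS-AllowedToDelegateTo, TrustedForDelegation
$acct.servicePrincipalName       | Sort-Object
$acct.'msDS-AllowedToDelegateTo' | Sort-Object
if ($acct.TrustedForDelegation) {
    Write-Warning "$FrontEnd is trusted for unconstrained delegation; restrict it to the RPCSS/HOST targets."
}
```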