useAppPoolCredentials = True with Kerberos Delegation on 2008

This has tripped me up a couple of times now when troubleshooting Kerberos delegation. It's time I wrote a post to keep it in memory and for posterity. When configuring Kerberos delegation while the web server is on Windows Server 2008 or later, and I'm using domain credentials for the application pool service account, I have to change useAppPoolCredentials from False to True.

 

1. Install the IIS7 Admin Pack: https://www.iis.net/extensions/AdministrationPack. (Note: The IIS7 Admin Pack is installed by default in Windows Server 2008 R2.)

2. Open IIS Manager.

3. Expand the server and then ‘Sites’, then select a website or application.

4. Under Management, select ‘Configuration Editor’.

5. In the ‘From:’ section above the properties, select ‘ApplicationHost.config <location path=…’

6. For the ‘Section:’ location, select system.webServer > security > authentication > windowsAuthentication.

7. In the properties page, set useAppPoolCredentials to True, then click Apply.

I like to restart my service (IIS in this case) any time I make changes that affect service accounts with regard to Kerberos delegation.
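The same change can be scripted and verified from an elevated PowerShell prompt. This is an added example, not part of the original post: it assumes the WebAdministration module that ships with IIS on Windows Server 2008 R2 and later, and the site name 'Default Web Site' and the -RestartIis switch are placeholders chosen for illustration.

```powershell
# Added example: scripted equivalent of Configuration Editor steps 3-7.
# 'Default Web Site' is an assumed site name; pass your own with -SiteName.
param(
    [string]$SiteName = 'Default Web Site',
    [switch]$RestartIis   # hypothetical switch: restart IIS after the change
)

Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'   # write to ApplicationHost.config
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

# The setting only matters when the pool runs as a specific (domain) account,
# so check the pool identity before touching anything.
$poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$model    = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
if ($model.identityType -ne 'SpecificUser') {
    Write-Warning "Pool '$poolName' runs as $($model.identityType), not a domain account; nothing changed."
    return
}
Write-Host "Pool '$poolName' runs as $($model.userName)"

# Read the current value from the site's <location path=...> entry.
$before = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter $filter -Name useAppPoolCredentials).Value
Write-Host "useAppPoolCredentials before: $before"

if (-not $before) {
    Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter $filter -Name useAppPoolCredentials -Value $true
}

# Read the value back so a failed or misdirected write is caught here.
$after = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
    -Filter $filter -Name useAppPoolCredentials).Value
if (-not $after) {
    throw "useAppPoolCredentials is still False for '$SiteName'."
}
Write-Host "useAppPoolCredentials after: $after"

# Optional restart, matching the habit described above.
if ($RestartIis) {
    iisreset /restart
}
```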

Thank you to Sean Flanagan for repeatedly reminding me about this setting and providing the step-by-step instructions.

Enjoy!

-Joey