We have some web content that is set up in virtual directories using Integrated Windows Authentication. The virtual directories run under application pools that use a custom identity (a custom user account). The problem is that NTLM authentication works, but Kerberos authentication does not. This is the same configuration that worked under IIS 6, but we need to migrate to IIS 7, and there Kerberos authentication isn't working.
Here's some more information about my environment:
Virtual Directory Authentication Settings:
App Pool Settings:
Web.config Settings:
Virtual Directory Permissions:
OS settings:
Here is the analysis I get from Fiddler comparing IIS 6 to IIS 7. Kerberos authentication works fine in IIS 6 with an app pool running under a custom identity.
Fiddler (IIS 6):
(Using domain\user)
Request 1 (no auth)
No Proxy-Authorization Header is present.
No Authorization Header is present.
Response 1 (401) (challenge)
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Request 2 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 2 (401) (Kerberos reply)
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
<data>
Request 3 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 3 (401) (Kerberos reply)
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
<data>
Request 4 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 4 (200) (Kerberos Reply)
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
<data>
And the transaction completes and the browser displays the page.
Fiddler (IIS 7):
(Using domain\user)
Request 1 (no auth)
No Proxy-Authorization Header is present.
No Authorization Header is present.
Response 1 (401) (Negotiate)
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Request 2 (Kerberos ticket)
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
<data>
Response 2 (401) (Negotiate)
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
Notice that IIS 7 isn't accepting my Kerberos ticket in Response 2. Any idea why not? Do I need to reconfigure some stuff in IIS 7 to get Kerberos authentication to work?
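The following PowerShell diagnostic is an added example and is not part of the question above, nor a Microsoft tool. It checks the three things that have to line up for a Kerberos ticket to be accepted on IIS 7 when the app pool runs as a custom account: the HTTP/<host> SPN is registered on that account, the SPN is not duplicated on another account, and IIS is configured to decrypt tickets with the app pool identity rather than the machine account (IIS 7 kernel-mode Windows Authentication uses the machine account's key unless useAppPoolCredentials is set, a difference from IIS 6). A server re-challenging with a fresh Negotiate/NTLM 401 after receiving a Kerberos ticket, as in the IIS 7 trace, is consistent with that mismatch, though the trace alone does not prove it. The site, virtual directory, app pool and host name in the script are hypothetical placeholders; the WebAdministration module is assumed (IIS 7.5), with the IIS 7.0 snap-in noted in a comment, and the useAppPoolCredentials attribute is assumed to be present in your IIS schema.

```powershell
# Added diagnostic script (not part of the original question or any Microsoft tool).
# Requires the WebAdministration module (IIS 7.5 / Windows Server 2008 R2);
# on IIS 7.0 use "Add-PSSnapin WebAdministration" instead of Import-Module.
Import-Module WebAdministration

$SiteAndVdir = 'Default Web Site/app'      # hypothetical site/virtual directory
$AppPool     = 'CustomIdentityPool'        # hypothetical app pool name
$HostName    = 'intranet.corp.example'     # hypothetical host name users browse to

function Get-AppPoolAccount {
    param([string]$Pool)
    $pm = Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel
    if ($pm.identityType -eq 'SpecificUser') { return $pm.userName }
    # Built-in identities (NetworkService, ApplicationPoolIdentity, ...) present the
    # machine account on the wire, so the SPN belongs to the computer object.
    return "$env:COMPUTERNAME`$"
}

function Get-RegisteredSpns {
    param([string]$Account)
    # setspn -L prints "Registered ServicePrincipalNames for CN=...:" followed by
    # one indented SPN per line; keep only the indented lines.
    setspn -L $Account 2>$null | Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
}

function Get-WinAuthSettings {
    param([string]$Path)
    Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -PSPath "IIS:\Sites\$Path"
}

$account = Get-AppPoolAccount -Pool $AppPool
$spns    = Get-RegisteredSpns -Account $account
$auth    = Get-WinAuthSettings -Path $SiteAndVdir

"App pool identity     : $account"
"Registered SPNs       : $($spns -join ', ')"
"useKernelMode         : $($auth.useKernelMode)"
"useAppPoolCredentials : $($auth.useAppPoolCredentials)"

# 1. The browser requests a ticket for HTTP/<host>; that SPN must be on the
#    account whose key the server will use to decrypt the ticket.
if ($spns -notcontains "HTTP/$HostName") {
    Write-Warning "HTTP/$HostName is not registered on $account (setspn -S HTTP/$HostName $account)"
}

# 2. A duplicate SPN makes the KDC issue tickets encrypted for the wrong account.
#    setspn -Q prints one "CN=..." line per account that holds the SPN.
$holders = setspn -Q "HTTP/$HostName" 2>$null | Where-Object { $_ -match '^CN=' }
if (@($holders).Count -gt 1) {
    Write-Warning "HTTP/$HostName is registered on more than one account"
}

# 3. IIS 7 kernel-mode authentication decrypts tickets with the machine account's
#    key unless useAppPoolCredentials is true. With a custom identity the SPN lives
#    on that account, so the ticket cannot be decrypted and IIS simply re-challenges.
if ($account -notlike '*$' -and $auth.useKernelMode -and -not $auth.useAppPoolCredentials) {
    Write-Warning 'Custom app pool identity with kernel-mode auth but useAppPoolCredentials=false'
    # Remediation (run deliberately; this edits applicationHost.config, where the
    # windowsAuthentication section is locked by default):
    # Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteAndVdir `
    #     -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    #     -Name useAppPoolCredentials -Value $true
    # Alternative: set useKernelMode to $false at the same location.
}
```

Run it in an elevated PowerShell on the IIS 7 host after filling in the placeholders. The remediation is left commented out so that the script only reports; setting useAppPoolCredentials keeps kernel-mode authentication, while turning useKernelMode off falls back to the IIS 6 behaviour of authenticating in the worker process under the app pool identity.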