IIS7 - Kernel Mode Authentication

One of my customers was running into a Kerberos issue on IIS 7.0. While working on this issue, I remembered kernel-mode Windows authentication, which makes your Kerberos life easier if you are using a domain user to run your AppPool. I was looking for a way to enable kernel-mode Windows authentication (which is in fact enabled by default if the feature is available), but I was not able to find it.

"By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity"

If you want Windows Authentication to happen in kernel mode on IIS7 on Vista (pre-SP1), you may not be able to do it. In fact, it was introduced only in Vista SP1 and in WS2008 on IIS7. You can confirm this by opening the IIS_Schema.xml file in the %windir%\system32\inetsrv\config\schema folder; you will not see the “useKernelMode” attribute for system.webServer/security/authentication/windowsAuthentication if you are on Vista (without SP1).
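The schema check above can be scripted. The following PowerShell is an added example, not code from the original post; the helper name Get-KernelModeAuthSupport and the two inline schema fragments are constructed for illustration, and it assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0 or later.
# Get-KernelModeAuthSupport is a hypothetical helper name.
function Get-KernelModeAuthSupport {
    param([Parameter(Mandatory = $true)][xml]$Schema)

    $name = 'system.webServer/security/authentication/windowsAuthentication'
    $section = $Schema.SelectSingleNode("/configSchema/sectionSchema[@name='$name']")
    # Only direct <attribute> children describe attributes of the section itself.
    $attr = $null
    if ($null -ne $section) {
        $attr = $section.SelectSingleNode("attribute[@name='useKernelMode']")
    }
    $default = $null
    if ($null -ne $attr) { $default = $attr.GetAttribute('defaultValue') }

    New-Object PSObject -Property @{
        SectionFound = ($null -ne $section)   # schema defines the section at all
        Supported    = ($null -ne $attr)      # schema knows useKernelMode
        Default      = $default               # schema default when not set explicitly
    }
}

# Constructed schema fragments: one without the attribute, one with it.
$withoutAttr = @'
<configSchema>
  <sectionSchema name="system.webServer/security/authentication/windowsAuthentication">
    <attribute name="enabled" type="bool" defaultValue="false" />
  </sectionSchema>
</configSchema>
'@
$withAttr = @'
<configSchema>
  <sectionSchema name="system.webServer/security/authentication/windowsAuthentication">
    <attribute name="enabled" type="bool" defaultValue="false" />
    <attribute name="useKernelMode" type="bool" defaultValue="true" />
  </sectionSchema>
</configSchema>
'@
Get-KernelModeAuthSupport $withoutAttr
Get-KernelModeAuthSupport $withAttr

# On a real server, read the installed schema. Use a 64-bit PowerShell on 64-bit
# Windows so that system32 is not redirected to SysWOW64.
$path = Join-Path $env:windir 'system32\inetsrv\config\schema\IIS_Schema.xml'
if (Test-Path $path) { Get-KernelModeAuthSupport ([xml](Get-Content $path)) }
```

A result with SectionFound true and Supported false corresponds to the pre-SP1 Vista case described above.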

So, if you want to make your Kerberos life easier, make sure you have SP1 for Vista, which also comes with a lot of other IIS7 features (Logging UI, et al.), or buy WS2008.

You can check this post by Bill Staples (response 3) if you are looking for an official confirmation of this. You might also want to read Mike Volodarsky's blog, where he discussed what kernel-mode Windows authentication might do to your applications, here (point #5).

Hope this helps!
