IIS & Kerberos Kernel Mode

A new post about kerberos.. indeed some techno stuff nobody seems to understand but is very important for security. A new feature in Windows 2008 IIS7 is the kernel mode support, what does it do, and more important how can it help you?

Kerberos works with Service Principal Names (SPN’s). Each service you want to contact with kerberos authentication requires an SPN registered in Active Directory. Now why and how kerberos works is not in this post, but lets focus on this new feature in IIS7.

Prior to IIS7 when we wanted to use Kerberos for a website that was not reached through the servername URL (http://<servername> we needed an SPN registered on the server host (setspn –A HTTP/<URL>   <Servername>  ). When the website was a web application and running under a service account, the SPN needed to be registered to the service account. Now let’s assume we have one website with multiple web applications. Each application runs under a different service account but the main URL is the same for all applications (http://MyURL/App1, http://MyURL/App2, etc).

We can only register the MyURL to a single object (computer or useraccount) and in this case we need to register it to each service account, or run all applications under the local system account (ouch) or a generic service account. Here comes Kernel mode to the rescue. While each service can run under a different service account, the IIS computer will take care of the authentication! The SPN of MyURL needs to be registered to the serverobject in AD, and each application pool will use the computer for authentication and delegation!

Easy hey.. and now the downside or the catch.. the above architecture works, as long as the web applications are ONLY on the same server, when using Load Balancing with multiple web servers the SPN needs to be registered on a service account that is used on all nodes of the NLB cluster. Since the fact that the SPN cannot be registered on multiple computer objects kernel mode cannot be used for NLB web clusters.