To use Kerberos authentication to authenticate the end users of your Web application, all computers must be in a Windows Server 2000 or later domain. Your clients must be using Internet Explorer version 5.5 or later. Your application's virtual directory must be configured for Integrated Windows authentication and anonymous access must be disabled. You must set <authentication mode="Windows" /> in your Web.config file.
If you run your application using a domain service account, you must register a service principal name (SPN) for that account in Active Directory to associate the account with the HTTP service on the Web server. To register an SPN, use the Setspn.exe utility as follows:
setspn -A HTTP/webservername [domain\customAccountName]
setspn -A HTTP/webservername.fullyqualifieddomainname [domain\customAccountName]
Note that you cannot have multiple Web applications with the same host name if you want them to have multiple identities and to use Kerberos authentication. This is an HTTP limitation, not a Kerberos limitation. The workaround is to have multiple Domain Name System (DNS) names for the same host, and start the URLs for each Web application with a different DNS name. For example, you would use http://app1 and http://app2 instead of http://site/app1 and http://site/app2.
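The SPN registration described above, worked through as an added PowerShell example that is not part of the original guidance. It wraps the same Setspn.exe commands, but first queries for an existing registration (setspn -Q) and afterwards lists the account (setspn -L) and searches the forest for duplicates (setspn -X), because a duplicate HTTP SPN is the usual reason Kerberos silently fails after the commands in the text were run. The account, host and domain names are constructed placeholders; replace them with your own. Run it on a domain-joined machine with the Setspn.exe utility available, under an account allowed to write servicePrincipalName.

```powershell
# Added example (not from the original guidance): register and verify the HTTP
# SPNs for a domain service account that runs an ASP.NET application pool.
# All names below are constructed placeholders; replace them with your own.
$Account  = 'CONTOSO\svc-web'              # the custom application identity
$HostName = 'webserver01'                  # NetBIOS host name users type in URLs
$Fqdn     = 'webserver01.contoso.local'    # fully qualified DNS name of the server

foreach ($spn in "HTTP/$HostName", "HTTP/$Fqdn") {
    # setspn -Q prints "Existing SPN found!" when the SPN is already registered
    # anywhere in the forest. Registering it on a second account would leave the
    # KDC issuing tickets that this service cannot decrypt, so stop instead of
    # adding a duplicate and let an administrator decide which account keeps it.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }
    # Same command as the article: associate the SPN with the service account.
    setspn -A $spn $Account
}

# Confirm that both SPNs now sit on the service account.
setspn -L $Account

# Forest-wide duplicate search. Any SPN listed here must be removed from all
# but one account (setspn -D) before Kerberos will work for that service.
setspn -X
```

On Windows Server 2008 and later, setspn -S performs the duplicate check itself before adding, so it can replace the -Q/-A pair; the explicit form above is kept so the check is visible on older domains where only -A exists.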
Note: By default, Integrated Windows authentication is not enabled in Internet Explorer 6.
If your clients run Internet Explorer 6, you must enable the browser to respond to a negotiate challenge and perform Kerberos authentication. To do this, select the Enable Integrated Windows Authentication check box in the Security section of the Advanced tab of the Internet Options menu, and then restart the browser. Administrators can enable Integrated Windows authentication by setting the EnableNegotiate DWORD value to 1 in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
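The registry change above, as an added PowerShell example that is not part of the original guidance. It reads the documented EnableNegotiate value, sets it to 1 only when it is not already enabled, and reads it back so the result can be confirmed. The key path and value name are the ones given in the text; the script assumes it runs in the user's own session, since the key lives in HKEY_CURRENT_USER.

```powershell
# Added example (not from the original guidance): enable Internet Explorer's
# Negotiate (Kerberos) support for the current user via the documented
# EnableNegotiate DWORD value, then read it back to confirm.
$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# The value may be absent on a fresh profile; SilentlyContinue turns that into $null.
$current = (Get-ItemProperty -Path $KeyPath -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate

if ($current -eq 1) {
    Write-Host 'Integrated Windows authentication is already enabled for this user.'
} else {
    # Set-ItemProperty creates the value if it does not exist; -Type DWord
    # matches the value type the guidance specifies.
    Set-ItemProperty -Path $KeyPath -Name EnableNegotiate -Value 1 -Type DWord
    Write-Host 'EnableNegotiate set to 1. Restart the browser for the change to take effect.'
}

# Verification: should print 1.
(Get-ItemProperty -Path $KeyPath -Name EnableNegotiate).EnableNegotiate
```

Because the value is per user (HKCU), it has to be applied in each user's hive; for a fleet of workstations that means a logon script or Group Policy rather than a one-off run on the server.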