After you install the web enrollment pages on an external IIS 7 web server, two additional steps are required:
On the service account running the website in IIS 7 (commonly the computer account/Network Service account):
- Trust the security principal for delegation against the back-end server
- The minimum required is delegation to the RPCSS and HOST services
- Register the correct SPN on the service account (for example, http/mypkisite.contoso.com and http/mypkisite.contoso.com)
The computer account will by default have a generic SPN (like host/computername.contoso.com) registered on it (in the ServicePrincipalNames attribute).
Registering an additional, more specific SPN on the same account is not a problem, however, and it is a requirement if, for example, you access the site through a DNS alias.
On the IIS configuration for the web site:
- Enable the ‘Windows Authentication’ option under IIS/Authentication
By default, IIS 7 web sites only have Anonymous authentication turned on.
Security principals are also by default not trusted for delegation.
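The steps above can be scripted as follows. This is an added example, not part of the original post; it configures constrained, Kerberos-only delegation on the web server's computer account. The names WEB01, CA01 and 'Default Web Site' are assumptions to replace with your own; the alias is the one used in the post.

```powershell
# Added example: WEB01, CA01 and 'Default Web Site' are assumed names.
Import-Module ActiveDirectory     # RSAT AD module, for steps 1 and 2
Import-Module WebAdministration   # IIS module; step 3 must run on the IIS server

$webServer = 'WEB01'                  # assumed: IIS host; the site runs as Network Service
$caHost    = 'CA01'                   # assumed: back-end CA server, short name
$caFqdn    = 'CA01.contoso.com'       # assumed: back-end CA server, FQDN
$alias     = 'mypkisite.contoso.com'  # DNS alias used in the post
$site      = 'Default Web Site'       # assumed: site hosting the enrollment pages
$attr      = 'msDS-AllowedToDelegateTo'

# 1. Constrained delegation: allow only rpcss and HOST on the CA server.
#    Leaving TrustedToAuthForDelegation unset keeps it at "Use Kerberos only".
$targets = foreach ($svc in 'rpcss', 'HOST') { "$svc/$caHost"; "$svc/$caFqdn" }
$current = (Get-ADComputer -Identity $webServer -Properties $attr).$attr
$missing = @($targets | Where-Object { $_ -notin $current })
if ($missing.Count -gt 0) {
    # -Add fails on values that already exist, so only the missing ones are added.
    Set-ADComputer -Identity $webServer -Add @{ $attr = [string[]]$missing }
}
# Make sure the account is not trusted for unconstrained delegation.
Set-ADComputer -Identity $webServer -TrustedForDelegation $false

# 2. Register the SPN for the alias; -S refuses to create a duplicate SPN.
setspn -S "http/$alias" $webServer

# 3. Enable Windows Authentication on the site (Anonymous is the IIS 7 default).
$filter = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter $filter -Name enabled -Value $true

# Verify: the delegation list should hold only the four rpcss/HOST entries,
# TrustedForDelegation should be False, and the http/ SPN should be listed.
Get-ADComputer -Identity $webServer -Properties $attr,
    TrustedForDelegation, TrustedToAuthForDelegation, servicePrincipalName |
    Format-List Name, $attr, TrustedForDelegation,
        TrustedToAuthForDelegation, servicePrincipalName
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter $filter -Name enabled
```

Steps 1 and 2 need rights to modify the computer account in Active Directory; step 3 needs local administrator rights on the IIS server.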
Comments
- Anonymous
March 31, 2009
How does one "Trust the security principal for delegation against the back-end server"?