How to Activate delegation settings for IIS 7.0 web application
Configuring Kerberos is an advanced task and should only be performed by an appropriately trained professional. The steps and configurations given in this help file are to be used as a guide; your system may require additional configuration due to different hardware and software compatibilities.
Folder paths provided are the default paths used during installation. If they have been changed, then they must be amended accordingly.
Two options are available when activating delegation for a web application. The difference between the two is the level of security that is provided. Option 1 is the most secure because delegation activation is specific to each individual application.
Option 1 - High Security
This option only activates Kerberos delegation for this specific application pool account. This method is more secure, but requires more administration to implement, especially if multiple application pool accounts are active that require Kerberos delegation.
Locate the applicationHost.config configuration file in the following location: C:\Windows\System32\inetsrv\config\applicationHost.config
Open the configuration file using a text editor:
Expected, current config file:
<location path="[YOUR WEB APPLICATION]">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="false">
        </iisClientCertificateMappingAuthentication>
        <windowsAuthentication enabled="false">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
Change it to the following, which disables anonymous authentication and enables Windows authentication with useKernelMode and useAppPoolCredentials set to true:
Implemented changes:
<location path="[YOUR WEB APPLICATION]">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" userName="IUSR" />
        <basicAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="false">
        </iisClientCertificateMappingAuthentication>
        <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
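To check which applications actually carry the Option 1 settings, the following added example (not part of the original help file) parses applicationHost.config and reports the explicit authentication settings of each location block. The function name, the sample site paths and the embedded XML are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report each <location> block's explicit authentication settings.
function Get-LocationAuthState {
    param([Parameter(Mandatory)] [xml] $Config)
    foreach ($loc in $Config.SelectNodes('//location')) {
        $auth = $loc.SelectSingleNode('system.webServer/security/authentication')
        if ($null -eq $auth) { continue }   # block sets no authentication
        $anon = $auth.SelectSingleNode('anonymousAuthentication')
        $win  = $auth.SelectSingleNode('windowsAuthentication')
        # Absent settings are inherited; reported here as $false, not resolved.
        $anonOn  = ($null -ne $anon) -and ($anon.GetAttribute('enabled') -eq 'true')
        $winOn   = ($null -ne $win)  -and ($win.GetAttribute('enabled') -eq 'true')
        $kernel  = ($null -ne $win)  -and ($win.GetAttribute('useKernelMode') -eq 'true')
        $appPool = ($null -ne $win)  -and ($win.GetAttribute('useAppPoolCredentials') -eq 'true')
        $providers = @(if ($null -ne $win) {
            $win.SelectNodes('providers/add') | ForEach-Object { $_.GetAttribute('value') } })
        [pscustomobject]@{
            Path               = $loc.GetAttribute('path')
            AnonymousEnabled   = $anonOn
            WindowsEnabled     = $winOn
            KernelMode         = $kernel
            AppPoolCredentials = $appPool
            Providers          = $providers -join ','
            MatchesOption1     = (-not $anonOn) -and $winOn -and $kernel -and
                                 $appPool -and ($providers -contains 'Negotiate')
        }
    }
}

# Constructed sample; on a server, load the real file instead:
#   [xml]$cfg = Get-Content C:\Windows\System32\inetsrv\config\applicationHost.config
[xml]$cfg = @'
<configuration>
  <location path="Default Web Site/AppA">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" userName="IUSR" />
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
        <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/AppB">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@
Get-LocationAuthState -Config $cfg | Format-Table -AutoSize
```

With the constructed sample, AppA is reported with MatchesOption1 True and AppB with False, because AppB still has anonymous authentication enabled and Windows authentication disabled.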
Option 2 - Medium to Low Security
The second option sets authentication at the root for all IIS 7.0 applications, rather than at the application level. The cautionary point here is that setting this at root level will affect ALL sites that are under the designated application pool account.
If you are not using kernel mode, then you only need to enable Windows authentication.
Option 3: Utilizing the AdminPack for IIS7.0 enables the user to configure system settings from a user interface, rather than editing configuration files manually.
While infrastructure changes are required by K2, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes.