You may know that kernel-mode authentication is faster than user-mode authentication. You may also know that on a web farm, Network Service isn't the "user" you can use for kernel-mode authentication: kernel-mode authentication decrypts Kerberos tickets with the machine account, while on a web farm the SPN is registered to the shared domain account the application pools run as. With the following command you can configure IIS so that the application pool identity is used for kernel-mode authentication instead.
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true
This will result in the following configuration in applicationHost.config:
<windowsAuthentication enabled="true" useAppPoolCredentials="true" />
You can configure this at the web server, website, or application level.
Ken Schaefer has written a great article about total application pool isolation in IIS 7.0. I didn't know this yet, but the guys and girls at the IIS team are making a beautiful product.
Wanna know if a particular service principal name is registered?
Put the following command in a batch file (called something like "get-spns.bat") and you get a list of SPNs matching a given name, together with the account each SPN is associated with.
ldifde -f spns.txt -s domaincontroller -r "(|(msDS-AllowedToDelegateTo=*%1*)(servicePrincipalName=*%1*))" -l msDS-AllowedToDelegateTo,servicePrincipalName
usage: get-spns.bat servername/hostheader
Open the resulting spns.txt and voila.
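As an added example (not from the original post), here is a small Python script that reads the spns.txt that ldifde writes, lists which object holds each SPN, and flags SPNs registered to more than one object, the duplicate-SPN situation that breaks Kerberos authentication. The LDIF sample and the account and host names in it are constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of what ldifde writes to spns.txt for "get-spns.bat intranet".
# HTTP/intranet.example.com is held by two objects: the duplicate-SPN case that
# breaks Kerberos (the KDC cannot tell which account's key to use for the ticket).
SAMPLE_LDIF = """\
dn: CN=svc-webfarm,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/intranet.example.com
servicePrincipalName: HTTP/intranet

dn: CN=WEB01,OU=Servers,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/intranet.example.com
msDS-AllowedToDelegateTo: MSSQLSvc/db01.example.com:1433
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are lower-cased."""
    text = re.sub(r"\r?\n ", "", text)    # unfold values LDIF wrapped onto indented lines
    records = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" is used for non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            records.append((dn, dict(attrs)))
    return records

def spn_owners(records):
    """Map each SPN (lower-cased) to the list of DNs that carry it."""
    owners = defaultdict(list)
    for dn, attrs in records:
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].append(dn)
    return dict(owners)

def duplicate_spns(records):
    """SPNs registered on more than one object; Kerberos authentication fails for these."""
    return {s: d for s, d in spn_owners(records).items() if len(d) > 1}
```

Run it against the real spns.txt with `duplicate_spns(parse_ldif(open("spns.txt", encoding="utf-16").read()))`; ldifde writes the file in Unicode when you pass `-u`, otherwise use the default encoding.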
This is a favorite link I use very often to generate complex passwords.
Hope you find it useful.