Internet Information Services (IIS) 7.0 enables kernel mode authentication by default. In Windows Server 2008, kernel mode authentication runs under the machine account, but Office Communications Server 2007 R2 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you install and activate Office Communications Server 2007 R2 on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.
Instead of disabling kernel mode authentication in IIS, you can configure IIS to use the Web application pool’s identity for internal virtual directories used by Office Communications Server. You can do so by modifying the windowsAuthentication element for the Default Web Site on the Web Components Server or Communicator Web Access server. For details about the windowsAuthentication element, see “IIS 7.0: windowsAuthentication Element (IIS Settings Schema)” in the Internet Information Services documentation at
- Open the ApplicationHost.config file in a text editor. By default, this file is located at %windir%\system32\inetsrv\config\.
- For all folders under the Default Web Site location path, set the value of the windowsAuthentication element and the useAppPoolCredentials attribute to true. For example:
```xml
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>
```
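To check the result after editing, the following added example (not part of the original documentation) parses a copy of ApplicationHost.config and reports, for each location under Default Web Site, which identity would decrypt Kerberos service tickets. The sample virtual directory names are constructed, and the script assumes the IIS schema defaults (enabled false, useKernelMode true, useAppPoolCredentials false) for attributes missing from a tag, without resolving inheritance from parent locations.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ApplicationHost.config; the virtual
# directory names are hypothetical, not taken from a real deployment.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/InternalA"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/InternalB"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/InternalC"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false" />
  </authentication></security></system.webServer></location>
  <location path="Other Site/App"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""

def _flag(elem, name, default):
    # Attributes missing from the tag fall back to the IIS schema default.
    return elem.get(name, default).strip().lower() == "true"

def audit_windows_auth(config_xml, site="Default Web Site"):
    """Map each <location> at or under `site` to how Kerberos tickets are decrypted."""
    results = {}
    prefix = site.lower() + "/"
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        if path.lower() != site.lower() and not path.lower().startswith(prefix):
            continue
        wa = next(loc.iter("windowsAuthentication"), None)
        if wa is None or not _flag(wa, "enabled", "false"):
            results[path] = "windows-auth-not-enabled-here"
        elif not _flag(wa, "useKernelMode", "true"):
            results[path] = "kernel-mode-disabled"  # what Setup does by default
        elif _flag(wa, "useAppPoolCredentials", "false"):
            results[path] = "app-pool-identity"  # the alternative described above
        else:
            results[path] = "machine-account"  # the failing case described above
    return results

if __name__ == "__main__":
    for path, status in audit_windows_auth(SAMPLE_CONFIG).items():
        print(f"{status:32} {path}")
```

Any location reported as `machine-account` still has kernel mode authentication decrypting tickets under the machine account and needs one of the two fixes.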