Internet Information Services (IIS) 7.0 enables kernel mode authentication by default. In Windows Server 2008, kernel mode authentication runs under the machine account, but Office Communications Server 2007 R2 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you install and activate Office Communications Server 2007 R2 on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.

Instead of disabling kernel mode authentication in IIS, you can configure IIS to use the Web application pool’s identity for internal virtual directories used by Office Communications Server. You can do so by modifying the windowsAuthentication element for the Default Web Site on the Web Components Server or Communicator Web Access server. For details about the windowsAuthentication element, see “IIS 7.0: windowsAuthentication Element (IIS Settings Schema)” in the Internet Information Services documentation at http://go.microsoft.com/fwlink/?LinkId=131083.

To configure useAppPoolCredentials using the ApplicationHost.config File
  1. Open the ApplicationHost.config file in a text editor. By default, this file is located at %windir%\system32\inetsrv\config\.

  2. For all folders under the Default Web Site location path, set the value of the windowsAuthentication element and the useAppPoolCredentials attribute to true. For example:

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
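
To confirm the edit reached every folder, the following added example (not part of the original documentation) is a Python check that lists Default Web Site location paths where Windows authentication is enabled in kernel mode without useAppPoolCredentials. The sample XML and its ExampleDir location paths are constructed, and the values assumed for omitted attributes are the IIS 7.0 schema defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the ExampleDir location paths are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/ExampleDirA"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/ExampleDirB"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/ExampleDirC"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false" />
  </authentication></security></system.webServer></location>
  <location path="Other Site/ExampleDirD"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""

# Values IIS 7.0 applies when an attribute is omitted (schema defaults).
DEFAULTS = {"enabled": "false", "useKernelMode": "true", "useAppPoolCredentials": "false"}


def flag(node, name):
    """Return a windowsAuthentication boolean attribute, falling back to its default."""
    return node.get(name, DEFAULTS[name]).strip().lower() == "true"


def locations_needing_app_pool_credentials(config_xml, site="Default Web Site"):
    """List location paths at or under `site` where Windows authentication runs in
    kernel mode without useAppPoolCredentials, the combination that breaks Kerberos
    ticket decryption when the application pool runs under a user account.
    Only attributes written on each <location> are read; inheritance is not resolved."""
    prefix = site.lower() + "/"
    flagged = []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        if path.lower() != site.lower() and not path.lower().startswith(prefix):
            continue
        node = next(loc.iter("windowsAuthentication"), None)
        if node is None or not flag(node, "enabled"):
            continue
        if flag(node, "useKernelMode") and not flag(node, "useAppPoolCredentials"):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in locations_needing_app_pool_credentials(SAMPLE_CONFIG):
        print('set useAppPoolCredentials="true":', path)
```

To check a server, pass the function the contents of a copy of ApplicationHost.config read in binary mode instead of SAMPLE_CONFIG.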