[This is pre-release documentation and subject to change in future releases. This topic's current status is: Milestone-Ready]

Topic Last Modified: 2010-04-15

Internet Information Services (IIS) 7.0 enables kernel mode authentication by default. In the Windows Server 2008 operating system, kernel mode authentication runs under the machine account, but Microsoft Communications Server 2010 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you deploy on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.

Instead of disabling kernel mode authentication in IIS, you can configure IIS to use the Web Services pool's identity for internal virtual directories used by Communications Server. You can do so by modifying the windowsAuthentication element for the Default Web Site on the Web Services server. For details about the windowsAuthentication element, see "IIS 7.0: windowsAuthentication Element (IIS Settings Schema)" in the Internet Information Services documentation at http://go.microsoft.com/fwlink/?LinkId=131083.

To configure useAppPoolCredentials using the ApplicationHost.config File
  1. Open the ApplicationHost.config file in a text editor. By default, this file is located at %windir%\system32\inetsrv\config\.

  2. For all folders under the Default Web Site location path, set the enabled attribute of the windowsAuthentication element and its useAppPoolCredentials attribute to true. For example:

    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
        </authentication>
      </security>
    </system.webServer>
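
To confirm that every folder was updated, the following added example (not part of the original documentation) parses an ApplicationHost.config-style document and classifies each location path under the Default Web Site. The sample XML and folder names are constructed; the script reads only the attributes set explicitly in each location tag, does not model inheritance, and assumes the IIS schema defaults (enabled=false, useKernelMode=true, useAppPoolCredentials=false).

```python
import xml.etree.ElementTree as ET

SITE = "Default Web Site"

# Constructed sample; folder names are hypothetical, not Communications Server paths.
SAMPLE = """<configuration>
  <location path="Default Web Site/FolderA"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/FolderB"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/FolderC"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Other Site/FolderD"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""

def is_true(element, attr, default):
    """Read a boolean attribute, falling back to the assumed schema default."""
    return element.get(attr, default).strip().lower() == "true"

def audit(config_xml, site=SITE):
    """Map each location path under `site` to how Kerberos decryption is handled."""
    results = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        if path != site and not path.startswith(site + "/"):
            continue  # a different site; outside the scope of the procedure
        wa = next(loc.iter("windowsAuthentication"), None)
        if wa is None:
            results[path] = "not-set-here"
        elif not is_true(wa, "enabled", "false"):
            results[path] = "windows-auth-off"
        elif is_true(wa, "useAppPoolCredentials", "false"):
            results[path] = "app-pool-credentials"   # the alternative described above
        elif not is_true(wa, "useKernelMode", "true"):
            results[path] = "kernel-mode-off"        # what Setup configures
        else:
            results[path] = "needs-change"           # kernel mode on, machine account decrypts
    return results

if __name__ == "__main__":
    for path, state in sorted(audit(SAMPLE).items()):
        print(f"{state:22} {path}")
```

Folders reported as needs-change still have kernel mode authentication decrypting tickets under the machine account, which is the failure condition described at the top of this topic.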