Assume the following site layout

  1. www.contoso.com - runs as CONTOSO\sitePool
  2. www.contoso.com/subSite1 - runs as CONTOSO\subPool1
  3. www.contoso.com/subSite2 - runs as CONTOSO\subPool2

The pages should use Kerberos for authentication - so I assigned the SPN HTTP/www.contoso.com to CONTOSO\sitePool, which works nicely for the www.contoso.com site.

Now I want to use Kerberos for subsite1 and subsite2, too.
I cannot assign the SPN to the pools, since it is already assigned.
I also can't assign an SPN in the form of HTTP/www.contoso.com/subSiteX, since browsers are not aware of this (they calculate the needed SPN with the domain name only).

So how can I use Kerberos Authentication in the sub-sites?
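The following script is an added example, not part of the original question. It audits the layout described above: for every application under the site it resolves the application pool identity and checks with setspn.exe whether that identity holds the SPN a browser will ask for, HTTP/<host>. It assumes the IIS WebAdministration module and setspn.exe on a domain-joined web server; the site name, host name and pool accounts are the ones from the question.

```powershell
# Added example (not from the original question). Audits which identity serves
# each path of a site and whether that identity holds HTTP/<host>.
# Assumes: IIS 7+ WebAdministration module, setspn.exe, domain-joined server.
Import-Module WebAdministration

$siteName  = 'www.contoso.com'          # IIS site name (assumed to match the host)
$hostName  = 'www.contoso.com'          # host part of the URL the browser uses
$wantedSpn = "HTTP/$hostName"           # the only SPN a default browser builds

function Get-PoolNetworkIdentity {
    # Returns the account name a pool presents on the network (no DOMAIN\ prefix).
    param([string]$PoolName)
    $model = (Get-Item "IIS:\AppPools\$PoolName").processModel
    switch ($model.identityType) {
        'SpecificUser' { ($model.userName -split '\\')[-1] }   # strip DOMAIN\
        'LocalService' { $null }   # anonymous on the network, cannot do Kerberos
        default        { "$env:COMPUTERNAME`$" }   # NetworkService, LocalSystem and
                                                    # ApplicationPoolIdentity -> machine account
    }
}

function Test-SpnOnAccount {
    # True if setspn -L lists the SPN for the account (case-insensitive compare).
    param([string]$Account, [string]$Spn)
    $lines = & setspn.exe -L $Account.TrimEnd('$') 2>&1   # setspn takes the machine name without $
    return [bool]($lines | Where-Object { "$_".Trim() -ieq $Spn })
}

# Root application plus every sub-application of the site.
$entries  = @([pscustomobject]@{ path = '/'; pool = (Get-Website -Name $siteName).applicationPool })
$entries += Get-WebApplication -Site $siteName |
    ForEach-Object { [pscustomobject]@{ path = $_.path; pool = $_.applicationPool } }

$report = foreach ($e in $entries) {
    $account = Get-PoolNetworkIdentity -PoolName $e.pool
    [pscustomobject]@{
        Path     = $e.path
        AppPool  = $e.pool
        Identity = $account
        HasSpn   = if ($account) { Test-SpnOnAccount -Account $account -Spn $wantedSpn } else { $false }
    }
}
$report | Format-Table -AutoSize

# One SPN can be registered to exactly one account, so every path whose pool runs
# under a different identity than the SPN holder cannot be served with Kerberos at
# this host name; those requests end up on NTLM (if offered) or fail outright.
$holders = $report | Where-Object HasSpn | Select-Object -ExpandProperty Identity -Unique
$report | Where-Object { -not $_.HasSpn } | ForEach-Object {
    $who = if ($holders) { $holders -join ', ' } else { 'nobody found (query with setspn -Q)' }
    Write-Warning ("{0} runs as {1}, but {2} is held by: {3}" -f $_.Path, $_.Identity, $wantedSpn, $who)
}
```

Run it on the web server as a domain user who can read AD. The table shows, per path, the pool, its network identity and whether that identity owns HTTP/www.contoso.com; with the layout above only the root path passes, and the two warnings are exactly the failure the question describes. setspn -X reports forest-wide duplicate SPNs if you suspect the SPN was registered twice by hand.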

2 Answers


To put it short, you can't use Kerberos for subsites with different delegated principals.

Kerberos SPN has no provisions beyond [service]/[name]:[port/service].

Your options are:

  • Run subsites at different ports and create SPN with Delegation for each service user with different ports.
  • Use NTLM
  • Use same Application Pool account for all subsites

  • That's a pity... Exchange does it with an "Alternate Service Account" (or similar). – TGlatzer Jan 26 '15 at 08:29
  • ASA still will not allow duplicate SPNs. It's basically sharing a service user account across servers. As Exchange runs in machine context (not using AD service accounts), it uses ASA "machine account" to handle Kerberos and SPNs. – Don Zoomik Jan 26 '15 at 19:17
  • I know, but one could use this in IIS to allow Kerberos in subapplications easily - specify an SPN holding account per web application - independent from the app pool account. – TGlatzer Jan 26 '15 at 22:24
  • You could use different URLs for subsites with different SPNs. E.g. server site.com/subsite from subsite.com/subsite1 etc. That's what ASA is essentially for - loadbalancer has different URL/SPN than your main application at root URL/SPN. This is not a solution for what you're asking though. – Don Zoomik Jan 26 '15 at 23:30
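The script below is an added example, not code from the answer or its comments. It applies the first option above (separate ports) and the different-host-name variant raised in the comments: each application pool identity gets its own HTTP SPN by varying the host or the port, registered with setspn -S so an SPN already held by another account is refused instead of silently duplicated. Accounts and the host name are the question's; the ports 8081/8082 and the host sub2.contoso.com are assumed.

```powershell
# Added example (not from the answer). Registers one HTTP SPN per pool account
# by varying host name or port, refusing anything already held by another account.
# Assumes setspn.exe and rights to write servicePrincipalName on the accounts.
$domain = 'CONTOSO'
$plan = @(
    @{ Account = 'sitePool'; Host = 'www.contoso.com';  Port = $null }   # root site, default port
    @{ Account = 'subPool1'; Host = 'www.contoso.com';  Port = 8081  }   # sub-site on its own port (assumed)
    @{ Account = 'subPool2'; Host = 'www.contoso.com';  Port = 8082  }   # (assumed)
    @{ Account = 'subPool2'; Host = 'sub2.contoso.com'; Port = $null }   # or its own host name (assumed)
)

function Get-SpnName {
    # Builds the SPN a browser requests: HTTP/host, or HTTP/host:port when the
    # client is configured to include a non-default port.
    param([string]$HostName, [int]$Port)
    if ($Port) { "HTTP/$HostName`:$Port" } else { "HTTP/$HostName" }
}

function Get-SpnHolder {
    # Returns the distinguished name(s) currently holding the SPN, or nothing.
    param([string]$Spn)
    (& setspn.exe -Q $Spn 2>&1) | ForEach-Object { "$_" } | Where-Object { $_ -match '^CN=' }
}

function Register-PlannedSpn {
    param([hashtable]$Entry)
    $spn     = Get-SpnName -HostName $Entry.Host -Port $Entry.Port
    $account = "$domain\$($Entry.Account)"
    $held    = Get-SpnHolder -Spn $spn
    if ($held) {
        Write-Warning "$spn is already registered to $($held -join '; '); leaving it alone."
        return
    }
    # -S checks the forest for duplicates before adding; a conflict exits non-zero.
    & setspn.exe -S $spn $account | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "setspn -S failed for $spn -> $account" }
    else                     { Write-Host    "registered $spn -> $account" }
}

foreach ($entry in $plan) { Register-PlannedSpn -Entry $entry }

# Read back what each pool account now holds.
foreach ($acct in ($plan.Account | Sort-Object -Unique)) {
    Write-Host "`n$domain\$acct holds:"
    & setspn.exe -L "$domain\$acct"
}
```

Two caveats before relying on the port variant: a sub-site on its own port is a separate IIS site binding, not www.contoso.com/subSite1 any more, and browsers omit the port from the SPN unless configured to include it (Internet Explorer needs the FEATURE_INCLUDE_PORT_IN_SPN_KB908209 feature control, Chromium the EnableAuthNegotiatePort policy). The separate-host-name variant works with default client settings and only needs a matching host-header binding on the IIS side.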

This article/blog post might apply.

It indicates that using negotiate will automatically use kerberos.

Here is a cmd to disable NTLM:

appcmd.exe set config "mysite" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='NTLM']" /commit:apphost

The /-"providers.[value='NTLM']" part is what removes the provider. If you wanted to add an auth provider you would do this:

appcmd.exe set config "mysite" -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='NTLM']" /commit:apphost

You're just changing the - to + in front of the provider.

Here is just a good article from IIS.com regarding windows auth providers.

Best of luck, hopefully this is helpful

  • My question was not about how to use Kerberos or how to force Kerberos, but how to use Kerberos with subsites. Thanks for hints anyway. – TGlatzer Jan 26 '15 at 08:28
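As an added example, not part of the answer, here is the WebAdministration-module form of the two appcmd commands in the answer, with a read-back of the provider list and a guard so NTLM is never removed from a site that does not also offer Negotiate (which would leave no Windows authentication provider at all). It assumes IIS 7 or later and the site name 'mysite' used in the answer.

```powershell
# Added example (not from the answer). Removes or adds a windowsAuthentication
# provider at the same apphost scope as appcmd's /commit:apphost, and shows the
# resulting provider order. Assumes IIS 7+ with the WebAdministration module.
Import-Module WebAdministration

$site   = 'mysite'                    # site name from the answer
$psPath = 'MACHINE/WEBROOT/APPHOST'   # same scope as /commit:apphost
$filter = 'system.webServer/security/authentication/windowsAuthentication/providers'

function Get-WinAuthProviders {
    # Providers in the order IIS offers them in WWW-Authenticate.
    Get-WebConfiguration -PSPath $psPath -Location $site -Filter "$filter/add" |
        ForEach-Object { $_.value }
}

function Remove-WinAuthProvider {
    # Mirrors: appcmd ... /-"providers.[value='NTLM']"
    param([string]$Provider)
    $current = @(Get-WinAuthProviders)
    if ($Provider -eq 'NTLM' -and $current -notcontains 'Negotiate') {
        throw "Refusing to remove NTLM from $site`: Negotiate is not enabled, nothing would be left."
    }
    if ($current -contains $Provider) {
        Remove-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter `
            -Name '.' -AtElement @{ value = $Provider }
    }
}

function Add-WinAuthProvider {
    # Mirrors: appcmd ... /+"providers.[value='NTLM']"
    param([string]$Provider)
    if (@(Get-WinAuthProviders) -notcontains $Provider) {
        Add-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter `
            -Name '.' -Value @{ value = $Provider }
    }
}

Write-Host "before: $((Get-WinAuthProviders) -join ', ')"
Remove-WinAuthProvider -Provider 'NTLM'
Write-Host "after:  $((Get-WinAuthProviders) -join ', ')"
# The /+ form of the answer is:  Add-WinAuthProvider -Provider 'NTLM'
```

Note what this does and does not change: removing the standalone NTLM entry stops IIS from offering a raw NTLM challenge, but the Negotiate provider (SPNEGO) still falls back to NTLM for a client that cannot obtain a Kerberos ticket, which is exactly what happens for a sub-site whose pool identity lacks the SPN. Check a request with klist on the client, or the authentication details in Failed Request Tracing, rather than assuming the provider list alone forces Kerberos.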