{"id":11896,"date":"2025-04-23T16:29:57","date_gmt":"2025-04-23T07:29:57","guid":{"rendered":"https:\/\/chat-messenger.com\/?p=11896"},"modified":"2026-03-02T01:32:20","modified_gmt":"2026-03-01T16:32:20","slug":"windowsauthentication-setspn","status":"publish","type":"post","link":"https:\/\/chat-messenger.com\/en\/blog\/windowsauthentication-setspn","title":{"rendered":"IIS settings for successful IIS Integrated Windows Authentication in an L4 load balancer environment"},"content":{"rendered":"

summary<\/h2>\n\n\n\n

The following article explains how to configure Integrated Windows Authentication (IWA) in IIS in an L4 load balancer + SSL termination environment.<\/p>\n\n\n

\t\t\t
\n\t\t\t\t
\n\t\t\t\t\tChat&Messenger for web conferencing<\/span>\n\t\t\t\t\t
\"\"<\/figure><\/div>\t\t\t\t\t
\n\t\t\t\t\t\tHow to configure IIS Integrated Windows Authentication successfully in a load balancer + SSL environment | Web conferencing Chat&Messenger<\/a>\n\t\t\t\t\t\tAbout Integrated Windows Authentication Integrated Windows Authentication is a feature that automatically authenticates users when IIS and users belong to the same Active Directory domain.<\/span>\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\n\n

When configuring this method, there are many cases where authentication fails due to incorrect or duplicated SPN (Service Principal Name) settings.<\/p>\n\n\n\n

This article provides a comprehensive explanation of SPN registration and the required tasks.<\/p>\n\n\n\n

Configuration example in this article<\/h2>\n\n\n\n
   [Client Browser] \n          |\n          | HTTPS Access\n          v\n  [L4 Load Balancer (TCP 443)]\n       |                |\n       v                v\n  [Server1 (IIS)]   [Server2 (IIS)]<\/code><\/pre>\n\n\n\n
  • FQDN: sso.chat-messenger.com<\/code><\/li>
  • IIS Hostname: Server1<\/code>, Server2<\/code><\/li>
  • Shared Services Accounts:CAMTEST\\cam-svc<\/code><\/li><\/ul>\n\n\n\n
    Problem: Duplicate SPN error<\/h2>\n\n\n\n
    With Integrated Windows Authentication, the client looks up the SPN for the FQDN it is accessing and obtains a Kerberos ticket for the appropriate service account.<\/p>\n\n\n\n
    setspn -S HTTP\/sso.chat-messenger.com Server1$ setspn -S HTTP\/sso.chat-messenger.com Server2$<\/code><\/pre>\n\n\n\n
    As shown above, the same FQDN (sso.chat-messenger.com<\/code>When you register the SPN for the .NET Framework 2.0.1 on different hosts (Server1, Server2), the following error occurs:<\/p>\n\n\n\n
    Duplicate SPN found, aborting operation.<\/code><\/pre>\n\n\n\n
    Solution: Register the SPN in the shared service account<\/h2>\n\n\n\n
    If multiple hosts use the same FQDN, only one SPN needs to be registered in the shared service account.<\/p>\n\n\n\n
    Creating a Shared Services Account<\/h3>\n\n\n\n
    \n
    \n
    A service account running in an IIS application pool can be a domain user (as long as it belongs to Domain Users), but to separate normal users and service accounts and to clarify the scope of password policy and prevent operational errors,OU=ServiceAccounts<\/code> Like, OU Users<\/code> In distinction from Active Directory domain controllers,cam-svc<\/code> Create a new one.<\/p>\n<\/div>\n\n\n\n
    \n
    \"\"<\/figure>\n<\/div>\n<\/div>\n\n\n\n
    Register SPN with service account<\/h3>\n\n\n\n
    Register the SPN using the service account created above.<\/p>\n\n\n\n
    setspn -S HTTP\/sso.chat-messenger.com CAMTEST\\cam-svc<\/code><\/pre>\n\n\n\n
    - Any terminal that is part of the domain can be used. However, domain administrator privileges are required.
    \u30fbThe SPN is also used in HTTPS communication.HTTP\/hostname<\/code>You must register in the format:<\/p>\n\n\n\n
    IIS Application Pool Settings<\/h3>\n\n\n\n
    \n
    \n
    Server1<\/code>, Server2<\/code> Change the application pool execution user on both servers to the service account you created. CAMTEST\\cam-svc<\/code> Set to<\/p>\n<\/div>\n\n\n\n
    \n
    \"\"<\/figure>\n<\/div>\n<\/div>\n\n\n\n
    IIS Manager "Configuration Editor"<\/h3>\n\n\n\n
    \n
    \n
    To change the IIS Application Pool to a Service Account and have Windows Authentication work correctly with Kerberos, you must configure the following in the "Configuration Editor" feature of IIS Manager:<\/p>\n\n\n\n
    • system.webServer\/security\/authentication\/windowsAuthentication<\/code> section<\/li>
    • useAppPoolCredentials<\/code> indicates object of desire, like, hate, etc. True<\/code> Set to<\/li>
    • useKernelMode<\/code> indicates object of desire, like, hate, etc. False<\/code> Set to<\/li><\/ul>\n<\/div>\n\n\n\n
      \n
      \"\"<\/figure>\n<\/div>\n<\/div>\n\n\n\n
      If IIS is running on a domain controller, this setting may not be necessary.<\/p>\n\n\n\n
      Setting "Log on as a batch job" permission for the Shared Services account<\/h3>\n\n\n\n
      The application pool responds to web requests. w3wp.exe<\/code>(Worker process). If you run this under a shared service account, the process will be denied and an HTTP 503 error will occur if the account does not have the "Log on as a batch job" permission, so the shared service account must have the "Log on as a batch job" permission set (GPO-based).<\/p>\n\n\n\n
      The following settings can be controlled by the local security policy of each IIS terminal, but there may be restrictions imposed by organizational policies in GPO (Group Policy Object) on the Active Directory domain controller. In that case, control is required in the GPO itself, and this article explains how to do so.<\/p>\n\n\n\n
      If IIS is running on a domain controller, "Log on as a batch job" may not be necessary.<\/p>\n\n\n\n
      Steps to link the GPO to OU=ServiceAccounts<\/h4>\n\n\n\n
      Service AccountCAMTEST\\cam-svc<\/code>indicates object of desire, like, hate, etc.OU=ServiceAccounts<\/code>If you create it in
      If you do not link a group policy (e.g. IIS-BatchLogon-GPO) to this OU,cam-svc<\/code>The policy is not applied to. The target of the GPO is determined by "which OU it is linked to", so it is important to match the location of the account with the linked GPO.<\/p>\n\n\n\n
      \n
      \n
      1. gpmc.msc<\/code> Run the command to start the Group Policy Management Editor.<\/li>
      2. In the left panecamtest.com\/ServiceAccounts<\/code> Right-click on the OU \u2192 "Create a GPO in this domain and link it to this container<\/strong>" \u2192 Enter any name (e.g.IIS-BatchLogon-GPO<\/code>)<\/li>
      3. CreatedIIS-BatchLogon-GPO<\/code>Edit with<\/li>
      4. Computer Configuration \u2192 Windows Settings \u2192 Security Settings \u2192 Local Policies \u2192 User Rights Assignment \u2192 Log on as a batch job<\/strong><\/li>
      5. Double-click to open the dialogCAMTEST\\cam-svc<\/code> Add a User<\/li><\/ol>\n<\/div>\n\n\n\n
        \n
        \"\"<\/figure>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        \"\"<\/figure>\n<\/div>\n<\/div>\n\n\n\n
        About GPO settings<\/h4>\n\n\n\n
        To apply the GPO correctly, you must <\/strong>gpupdate \/force<\/code> <\/strong>It is important to run this command. This will ensure that the GPO settings take effect immediately. In particular, when granting the "Log on as a batch job" right, the policy may take effect at a later time. w3wp.exe<\/code> This can lead to startup failures.<\/p>","protected":false},"excerpt":{"rendered":"
        \u6982\u8981 \u4ee5\u4e0b\u306e\u8a18\u4e8b\u3067L4\u30ed\u30fc\u30c9\u30d0\u30e9\u30f3\u30b5\u30fc + SSL\u7d42\u7aef\u74b0\u5883\u3067\u3001IIS\u306b\u304a\u3051\u308b\u7d71\u5408Windows\u8a8d\u8a3c\uff08Integ […]<\/p>","protected":false},"author":1,"featured_media":11704,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"swell_btn_cv_data":""},"categories":[9,33],"tags":[],"_links":{"self":[{"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/posts\/11896"}],"collection":[{"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/comments?post=11896"}],"version-history":[{"count":10,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/posts\/11896\/revisions"}],"predecessor-version":[{"id":12574,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/posts\/11896\/revisions\/12574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/media\/11704"}],"wp:attachment":[{"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/media?parent=11896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/categories?post=11896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chat-messenger.com\/en\/wp-json\/wp\/v2\/tags?post=11896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}