Wow, what a day for Windows Server 2008 and Kerberos. There is a new step now that needs to be performed in order to get Kerberos working correctly.
One of the major changes in IIS 7.0 is that Windows Authentication now uses kernel-mode authentication by default. So what does this mean? HTTP.sys (which by default runs as the Local System account) is now handling the authentication, which essentially means that the application pool account used for your SharePoint web application is being ignored.
NB: this only seems to happen if you are using A records in DNS. If you are using CNAME records (which is not recommended) you will not have this issue, and the same is true if you are not using host headers. UPDATE: if you are using CNAME records, then ignore this.
In order to overcome this, I highly recommend adding the attribute useAppPoolCredentials="true" to the applicationHost.config file located in the Windows\system32\inetsrv\config directory.
- Assume you have a web application called "Company-A"
- Browse to the directory: Windows\System32\InetSrv\Config
- Open the "ApplicationHost.config" file in Notepad.
- Search for the following tag: <location path="Company-A">
- Now locate the following: <security><authentication>
- Directly below this tag is where you want to add your attribute. By default you should see this tag: <windowsAuthentication enabled="true">
- Now change this so it reads as follows: <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
NB: do this on a per-web-application basis, and you will need to do it on all servers in the farm running the web application service!!
As far as I can see there is no "better" way to do this at the moment, but I will post about it if one becomes available.
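Added example, not part of the original post: a small Python audit that parses an applicationHost.config and lists the web applications whose <location> still runs kernel-mode Windows Authentication without useAppPoolCredentials="true", which is handy for checking every server in the farm. The embedded config is a constructed sample, and the defaults it assumes when an attribute is absent are useKernelMode="true" and useAppPoolCredentials="false".

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config fragment (not taken from a real server):
# Company-A has the fix applied, Company-B is the IIS 7.0 default (kernel mode,
# no useAppPoolCredentials), Company-C has kernel mode switched off entirely.
SAMPLE_CONFIG = """<configuration>
  <location path="Company-A">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Company-B">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Company-C">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""


def _is_true(element, attribute, default):
    """Read an IIS boolean attribute, falling back to the assumed IIS default."""
    return element.get(attribute, default).strip().lower() == "true"


def locations_missing_app_pool_credentials(config_xml):
    """Return the <location path> values whose Windows Authentication runs in
    kernel mode (HTTP.sys as Local System) without useAppPoolCredentials="true".
    Assumed IIS 7.0 defaults: useKernelMode="true", useAppPoolCredentials="false".
    """
    root = ET.fromstring(config_xml)
    flagged = []
    for location in root.iter("location"):
        path = location.get("path", "")
        for win_auth in location.iter("windowsAuthentication"):
            if not _is_true(win_auth, "enabled", "false"):
                continue  # Windows Authentication is not in use for this path
            kernel_mode = _is_true(win_auth, "useKernelMode", "true")
            app_pool_creds = _is_true(win_auth, "useAppPoolCredentials", "false")
            if kernel_mode and not app_pool_creds:
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in locations_missing_app_pool_credentials(SAMPLE_CONFIG):
        print(f'{path}: add useAppPoolCredentials="true" to <windowsAuthentication>')
```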