If you need to continue to use Kerberos authentication rather than NTLM (say the MDS website is being accessed through WAP (Windows Application Proxy)), you will need to do the following in addition to the standard setup. This assumes that the baseline setup has gone without a hitch.
- You will need to register the Service Principal Name in Active Directory. Say you have configured the MDS web site to run under MyDomain\MDSServiceAccount and the web server is called MDS.mydomain.local; you will need to run the following command with an account that has the relevant Active Directory permissions (the account name is required: the SPN is added to the service account that the application pool runs as, and -S first checks that the SPN is not already registered elsewhere):
SETSPN -S HTTP/MDS.mydomain.local MyDomain\MDSServiceAccount
- In IIS Manager, using the "Configuration Editor", you will need to set useAppPoolCredentials to True. This option is located in system.webServer/security/authentication/windowsAuthentication. Which level in IIS you choose to set it at is up to you, depending on what you are using the server for. The safest is the lowest level, i.e. the web application, or /MDS in this example.
Depending on the size of your server estate, there may be a delay before this configuration takes effect. To speed up the process, run the SETSPN command from the web server, and run KLIST PURGE from the command line of the web server and the client machines for good measure.
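The three steps above as one PowerShell script, with the checks an administrator would want before and after. This is an added example, not part of the original post; it assumes the MDS application is /MDS under "Default Web Site" and uses the host name and service account from the text. Run it elevated on the web server with an account that is allowed to write SPNs in Active Directory.

```powershell
# Added example (not the original post's code). Assumed: site name, app path.
$ServiceHost    = 'MDS.mydomain.local'
$ServiceAccount = 'MyDomain\MDSServiceAccount'
$Spn            = "HTTP/$ServiceHost"
$SiteName       = 'Default Web Site'   # assumption
$AppPath        = 'MDS'                # assumption

# 1. Register the SPN on the service account. -S refuses to add a duplicate,
#    which is what you want: a duplicate SPN breaks Kerberos for every holder.
setspn -S $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw 'setspn failed (duplicate SPN or insufficient rights)' }

# Confirm the SPN now sits on the service account and scan the forest for duplicates.
setspn -L $ServiceAccount
setspn -X

# 2. Make IIS decrypt service tickets with the app-pool identity's key rather than
#    the machine account's. Written as a <location> entry in applicationHost.config
#    scoped to the application, the narrowest level the text recommends.
Import-Module WebAdministration
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$location = "$SiteName/$AppPath"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $filter -Name 'useAppPoolCredentials' -Value $true

# Read it back: if this is still False, tickets cannot be decrypted and clients
# either fall back to NTLM (where allowed) or fail outright through WAP.
$value = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $filter -Name 'useAppPoolCredentials').Value
if (-not $value) { throw 'useAppPoolCredentials is still False' }

# 3. Drop cached tickets so the new SPN is used immediately. The first line clears
#    the current user's cache, the second the SYSTEM logon session (LUID 0x3e7).
klist purge
klist -li 0x3e7 purge
```

Run KLIST PURGE on the client machines separately; the script only clears caches on the web server.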