Configuring IIS for Kerberos authentication

When IIS is installed, it creates two Kerberos service principal names for itself. These principal names will conflict with the newly created service principal name for DOMAIN.EXT\nexjsvr. They must be deleted for single sign-on authentication to work with native Windows Authentication or Java Kerberos.
Note: These instructions assume that IIS is running on the host.domain.ext machine.
To remove the conflicting IIS Kerberos service principal names:
  1. Log in to the domain controller where the Windows Support Tools are installed.
  2. Open the Command Prompt.
  3. Run the following command in the Command Prompt:
    setspn -d HTTP/host.domain.ext host
  4. Run the following command in the Command Prompt:
    setspn -d HTTP/host host
Important: Removing the conflicting Kerberos service principal names will break SPNEGO authentication for any existing IIS services that already rely on it, including the HTTP redirector. Every IIS application pool that has to use Kerberos authentication (including the one hosting the redirector) must be modified to run under the NexJ service user (in this example, nexjsvr), and that user should be made a member of the IIS_WPG user group.
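The check a practitioner would want around steps 3 and 4 is to see which accounts currently hold each HTTP SPN, remove them from the computer account only, and then confirm that the service account still holds them. The following PowerShell script is an added example, not part of the NexJ documentation; it assumes the host name "host", realm "domain.ext" and service account "nexjsvr" from the text, and the setspn switches -Q and -X from the setspn shipped with Windows Server 2008 and later (the older Support Tools build only has -A, -D, -L and -R).

```powershell
# Added example (not from the original NexJ documentation): inspect, remove and
# verify the conflicting IIS SPNs with setspn. Run on the domain controller as
# a domain administrator. Assumed values: host "host", realm "domain.ext",
# service account "nexjsvr".
$Computer    = 'host'
$Fqdn        = 'host.domain.ext'
$ServiceAcct = 'nexjsvr'
$Spns        = @("HTTP/$Fqdn", "HTTP/$Computer")

# 1. Show who currently holds each SPN. An SPN registered on more than one
#    account (the computer object and nexjsvr) is the conflict described above.
foreach ($spn in $Spns) {
    Write-Host "--- setspn -Q $spn"
    setspn -Q $spn
}

# 2. Remove both SPNs from the computer account only (steps 3 and 4 above).
foreach ($spn in $Spns) {
    setspn -D $spn $Computer
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -D $spn $Computer failed (exit code $LASTEXITCODE)"
    }
}

# 3. Forest-wide duplicate check: setspn -X lists any SPN still registered
#    on more than one account, which would leave Kerberos unable to pick a key.
setspn -X

# 4. Confirm the service account still holds the HTTP SPNs; -L returns one
#    registered SPN per output line, so -match over the array finds a hit.
$registered = setspn -L $ServiceAcct
foreach ($spn in $Spns) {
    if (-not ($registered -match [regex]::Escape($spn))) {
        Write-Warning "$spn is not registered on $ServiceAcct; re-check the SPN created for DOMAIN.EXT\$ServiceAcct"
    }
}
```

Step 4 warns rather than re-adding the SPN, because registering SPNs on the service account is a separate step of the NexJ setup and should be done deliberately.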

The conflicting IIS Kerberos service principal names are now removed. Kerberos service principal names will now be compatible with Windows Authentication or Java Kerberos single sign-on.