Kerberos Setup Request

I'm requesting assistance to enable seamless Windows Authentication (password-less login) for an internal IIS-hosted PHP application. To support both Kerberos and NTLM fallback, we need the following:

Requested Actions:

  1. Create a dedicated domain service account

    • Suggested name: svc_iis_[appname]
    • Standard user privileges only (no membership in privileged domain groups and no local admin on the web server)
    • "Log on as a service" right on the web server; no interactive logon is needed
    • Long random password: once the account carries SPNs, any domain user can request a service ticket for it and attempt offline cracking, so the password strength is the only defence (a group-managed service account avoids a static password altogether)
  2. Assign this account as the Identity for IIS Application Pool [DefaultAppPool] on server [BRUATEMOHONAPP (10.1.101.89)]. Because the pool will no longer run as a built-in identity, Windows Authentication on the site must use the pool account's key to decrypt Kerberos tickets (useAppPoolCredentials=true, or kernel-mode authentication disabled); otherwise IIS tries the machine account's key and Kerberos logons fail. Users must also reach the site by host name, not by IP address: a URL using 10.1.101.89 has no matching SPN and will always fall back to NTLM.

  3. Register SPNs to the new account (both names must be unique in the forest; a duplicate SPN on any other account breaks Kerberos for this service, so check with setspn -Q or setspn -X before adding them; HTTP/ SPNs also cover HTTPS):

    • HTTP/eformuat.bankrakyat.com.my
    • HTTP/eformuat
  4. Deploy a GPO to all domain-joined workstations so that Chromium-based browsers (Chrome, Edge) send Integrated Windows Authentication responses to the application without prompting. This is the integrated-authentication allowlist, not credential delegation (delegation is a separate, more permissive policy and is not needed for a single-hop login to this application):

    • Policy: AuthServerWhitelist (current Chrome and Edge ADMX templates name it AuthServerAllowlist; use the name matching the deployed templates)
    • Value: *.bankrakyat.com.my,eformuat.bankrakyat.com.my,eformuat
    • Note: the wildcard already covers the FQDN entry and grants integrated authentication to every host in the domain; if a narrower scope is preferred, list only the application's FQDN and short name. Internet Explorer and other WinINET-based clients do not read this policy; for them the site must be in the Local Intranet zone.
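The following PowerShell script is an added example that ties the four requested actions and the validation step together; it is not part of the original request and not the application's own code. The service account name, the app-pool and site names, the use of HTTPS and the one-hour event window are assumptions; the script prompts for the password rather than embedding it, and it refuses to register an SPN that already exists elsewhere.

```powershell
# Added example (not from the original request). Sections 1 and 3 run on a host with the
# ActiveDirectory RSAT module; sections 2, 5 and 6 run on the web server BRUATEMOHONAPP;
# section 4 runs on a domain-joined workstation after the GPO has applied.
$AppName    = 'eformuat'                                   # placeholder for [appname]
$Domain     = 'bankrakyat.com.my'
$Fqdn       = "$AppName.$Domain"
$SvcAccount = "svc_iis_$AppName"                           # naming convention from the request
$AppPool    = 'DefaultAppPool'
$Site       = 'Default Web Site'                           # assumption
$Spns       = @("HTTP/$Fqdn", "HTTP/$AppName")

# 1. Service account: ordinary user, prompted password (never hard-coded), no interactive logon.
$cred = Get-Credential -UserName $SvcAccount -Message "Initial password for $SvcAccount"
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$Domain" `
    -AccountPassword $cred.Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES128, AES256                 # assumption: domain policy allows AES-only

# 3. SPNs: a duplicate SPN anywhere in the forest means the KDC cannot pick an account and
#    every Kerberos logon to this service fails, so refuse to register on top of one.
foreach ($spn in $Spns) {
    $existing = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($existing) { throw "SPN $spn is already registered on $($existing.DistinguishedName)" }
}
Set-ADUser -Identity $SvcAccount -ServicePrincipalNames @{ Add = $Spns }
setspn -L $SvcAccount                                      # list what is now registered
setspn -X                                                  # forest-wide duplicate scan; expect no HTTP/eformuat* hits

# 2. App pool identity (on BRUATEMOHONAPP). The pool account's key must be used to decrypt
#    Kerberos tickets, hence useAppPoolCredentials=true on the site's Windows Authentication.
Import-Module WebAdministration
$pool = "IIS:\AppPools\$AppPool"
Set-ItemProperty $pool -Name processModel.identityType -Value SpecificUser
Set-ItemProperty $pool -Name processModel.userName     -Value "$SvcAccount@$Domain"
Set-ItemProperty $pool -Name processModel.password     -Value $cred.GetNetworkCredential().Password
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$anon    = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site -Filter $anon    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site -Filter $winAuth -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site -Filter $winAuth -Name useAppPoolCredentials -Value $true
# Provider order must be Negotiate first, NTLM second, or clients never get the chance to use Kerberos.
$providers = (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site -Filter "$winAuth/providers").Collection.value
if ($providers[0] -ne 'Negotiate') { Write-Warning "Provider order is $($providers -join ','); Negotiate should be first" }

# 4. Workstation check: what the GPO should have written for Chrome and Edge. Newer ADMX
#    templates use AuthServerAllowlist; older ones AuthServerWhitelist, so look for both.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    "$key -> " + ($p.AuthServerAllowlist, $p.AuthServerWhitelist -ne $null | Select-Object -First 1)
}

# 5. Client-side validation: purge tickets, make one request, confirm a service ticket for
#    the application's SPN was issued. No HTTP/eformuat ticket after a successful request
#    means the request was authenticated with NTLM, not Kerberos.
klist purge | Out-Null
Invoke-WebRequest -Uri "https://$Fqdn/" -UseDefaultCredentials | Out-Null   # assumption: HTTPS
klist | Select-String "HTTP/$Fqdn"

# 6. Server-side validation: which authentication package handled recent network logons.
#    Every NTLM row after rollout is a client that failed Kerberos (IP-based URL, missing SPN,
#    non-domain machine, policy not applied) and is worth chasing rather than accepting.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) } |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Type    = ($d | Where-Object Name -eq 'LogonType').'#text'
            Package = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
            Client  = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Where-Object Type -eq '3' | Group-Object Package | Select-Object Name, Count
```

The script stops at the first duplicate SPN instead of silently adding a second registration, because a duplicate is the most common reason a "working" SSO setup suddenly authenticates everyone with NTLM. Section 6 is the check to keep running after go-live: the Kerberos/NTLM split per client address tells you whether the GPO reached every workstation and whether anyone is still using the IP-based URL.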

This configuration provides Single Sign-On using Kerberos whenever the client can obtain a ticket for the service, with NTLM as the fallback. NTLM is weaker than Kerberos (no mutual authentication, and its challenge/response is exposed to relay and offline cracking), so after rollout an NTLM logon to this application should be treated as a sign that Kerberos is not working for that client rather than as an acceptable steady state. No manual registry changes or per-PC configuration will be required for end users.

Once implemented, I will validate end-to-end authentication and confirm successful user resolution in the application. Please let me know if you prefer a specific naming convention or need additional details.

Thank you for your support.


Revision #2
Created 17 April 2026 07:11:55 by Admin
Updated 17 April 2026 07:26:10 by Admin