# Kerberos Setting Request

I'm requesting assistance to enable seamless Windows Authentication (password-less login) for an internal IIS-hosted PHP application. To support both Kerberos and NTLM fallback, we need the following:

### Requested Actions:

1. **Create a dedicated domain service account**
   - Suggested name: `svc_iis_[appname]`
   - Standard user privileges
   - "Log on as a service" right

2. **Assign this account** as the Identity for IIS Application Pool: `[DefaultAppPool]` on server `[BRUATEMOHONAPP (10.1.101.89)]`

3. **Register SPNs** to the new account:
   - `HTTP/eformuat.bankrakyat.com.my`
   - `HTTP/eformuat`

4. **Deploy a GPO** to all domain-joined workstations for automatic credential delegation:
   - Policy: `AuthServerWhitelist`
   - Value: `*.bankrakyat.com.my,eformuat.bankrakyat.com.my,eformuat`

This configuration ensures reliable Single Sign-On using Kerberos when available, with NTLM as a secure fallback. No manual registry changes or per-PC configuration will be required for end users.

Once implemented, I will validate end-to-end authentication and confirm successful user resolution in the application. Please let me know if you prefer a specific naming convention or need additional details.

Thank you for your support.
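
The following PowerShell sketch shows one way to carry out and verify steps 1 to 3 of the request and to confirm from a workstation that Kerberos, not NTLM, is being used. It is an added example and not part of the original request. `<DOMAIN>` and `<appname>` are placeholders, and the site name `Default Web Site` is an assumption.

```powershell
# Added example. <DOMAIN> and <appname> are placeholders to be filled in.
$Account = '<DOMAIN>\svc_iis_<appname>'
$Pool    = 'DefaultAppPool'
$Site    = 'Default Web Site'   # assumption: the IIS site hosting the PHP app
$Spns    = 'HTTP/eformuat.bankrakyat.com.my', 'HTTP/eformuat'

# --- Domain side (requires rights to write servicePrincipalName) ---
foreach ($spn in $Spns) {
    setspn -Q $spn              # lists any account that already holds this SPN
    setspn -S $spn $Account     # -S refuses to register a duplicate SPN
}
setspn -L $Account              # expect exactly the two SPNs above

# --- IIS server ---
Import-Module WebAdministration
$cred = Get-Credential -UserName $Account -Message 'Service account password'
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
    identityType = 3            # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

$filter = 'system.webServer/security/authentication/windowsAuthentication'
# With kernel-mode authentication enabled, tickets are decrypted with the
# machine account unless useAppPoolCredentials is true. The SPNs above are
# bound to the service account, so the two settings must agree.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter $filter -Name useAppPoolCredentials -Value $true

# Provider order: Negotiate should be listed before NTLM.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter "$filter/providers/add" | Select-Object -ExpandProperty value

Restart-WebAppPool -Name $Pool

# --- Domain-joined workstation, after the GPO has applied ---
klist purge                                  # clear cached tickets
klist get HTTP/eformuat.bankrakyat.com.my    # success: the KDC issued a service ticket for the SPN
klist                                        # the HTTP/ ticket should now be listed
```

If `klist get` fails while the site still logs the user in, the session fell back to NTLM, and the SPN registration or the application pool identity should be rechecked.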