Fredrik von Werder
Oct 1, 2008

EPiServer Authentication using Kerberos and Custom App Pool Identity

This article describes how to get the Kerberos handshake to work when the website is running under a pre-configured (custom) account. The problem only shows up when you browse to the computer's own name, because that is when the browser negotiates Kerberos; otherwise NTLM is used, which is the most common scenario.

I recently had a hard time getting Windows authentication to work properly.

I installed a standard EPiServer CMS SP3 with authentication mode "Windows", and configured the site to use integrated security against the SQL Server.

This was going to be the intranet site, or at least the test site for the intranet.

The login dialog appeared and, despite supplying all kinds of usernames and passwords, the site refused to accept my credentials.

What had happened? This usually works fine out of the box with a minimum of brain activity required.

It took half a day before I found the solution, and I hope that anyone who encounters the same problem will find some help here.



Problem

The problem was that the site (application pool) was running under a custom identity, and that I was browsing to the computer name, which means that Kerberos authentication is used. With Kerberos the browser requests a ticket for the service principal name HTTP/<computername>; when that SPN is not registered on the account the application pool runs as, the ticket is issued for the computer account instead, the application pool identity cannot decrypt it, and the logon fails.

Browsing with the IP address or a DNS alias was no problem at all, since the NTLM handshake works fine there: single sign-on without any hesitation.

Solution

Log on to the web server using a domain admin account.

Download the SPN tool (setspn) and install it.

Start a command prompt in the directory where you installed setspn.

Use the setspn command to register the service principal name for the account in the domain (this is what lets the account authenticate as that host).
Syntax:
setspn -A HTTP/<servername> <domain>\<account>

Example:
setspn -A HTTP/srv01 domain1\episervice
setspn -A HTTP/srv01.mycompany.com domain1\episervice
and so on for every host name.

You must register an SPN for every host name that users browse to, otherwise it won't work.

You can list what is registered with "setspn -l <servername>".
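The registration and verification steps above as a script, added here as an example and not taken from the original article. It assumes the setspn.exe shipped with Windows Server 2008 or later (which adds -S, an -A that refuses to create a duplicate SPN) run from a domain admin session; the account and host names are placeholders.

```powershell
# Added example, not part of the original article.
# Registers HTTP/<host> on the custom app pool account for every host name users
# type into the browser, then lists the account's SPNs to verify the result.
# Assumes setspn.exe from Windows Server 2008 or later (-S checks for duplicates)
# and a domain admin session. The account and host names are placeholders.
param(
    [string]   $Account = 'domain1\episervice',              # app pool identity
    [string[]] $Hosts   = @('srv01', 'srv01.mycompany.com')  # short name and FQDN
)

foreach ($h in $Hosts) {
    $spn = "HTTP/$h"
    Write-Host "Registering $spn for $Account"
    # -S works like -A but first searches the forest for an existing registration.
    # The same SPN on two accounts breaks Kerberos for both, so a duplicate is an error.
    $out = & setspn -S $spn $Account 2>&1
    if ($LASTEXITCODE -ne 0 -or ($out -join "`n") -match 'Duplicate SPN') {
        Write-Warning "Could not register ${spn}: $($out -join ' ')"
    }
}

# Verify: every HTTP/<host> must appear in the SPNs registered on the account.
$registered = (& setspn -L $Account) -join "`n"
$missing = $Hosts | Where-Object { $registered -notmatch [regex]::Escape("HTTP/$_") }
if ($missing) {
    Write-Warning "Still missing: $($missing -join ', ')"
} else {
    Write-Host 'All HTTP SPNs are registered; Kerberos logon via these names should now work.'
}
```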


Note that this is only necessary when you run the website under a pre-configured account; in the other, more common scenarios Kerberos authentication will work just fine.

Comments

Svante Seleborg Sep 21, 2010 10:32 AM

On a similar note. I recently had an issue where I kept getting prompted for credentials after enabling Integrated Windows authentication. The environment is a typical development machine, a Windows Server 2003 with IIS, EPiServer, Visual Studio and Internet Explorer all running locally on the server. For whatever reason, it appears that IIS will insist on using Negotiate authentication, and thus try Kerberos and fail. It should fall back to NTLM I think, but it doesn't. The solution in this case was to edit C:\Windows\system32\inetsrv\MetaBase.xml. Add/change the NTAuthenticationProviders attribute to "NTLM" under the IISWebServer element for the affected virtual servers. For convenience you might want to add the site to the Intranet zone, since you'll not get prompted at all then using the standard settings. Anyone know a better solution, or the exact reason why it fails to fall back to NTLM automatically?
