IIS (Random) Kerberos Authentication Failures

Published on Thursday, April 11, 2013

Lately I assisted in troubleshooting an issue where users trying to start an App-V application were continuously prompted to enter their credentials. Entering the correct credentials did not matter. We found out pretty fast that this had to do with IIS not being able to handle the Kerberos tickets. If we put NTLM authentication on top of the Negotiate provider, all was fine. Rebooting also did the trick. But these are just workarounds…

Eventually, after some googling, I stumbled across this KB article: KB2545850. It seems that whenever a server (computer) changes its password and IIS is restarted sometime after that, the application pool can no longer decrypt the tickets it receives, resulting in an authentication failure. This is a patch which applies to both RTM and SP1 for Windows 2008 R2.
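
To check whether a server is currently in the state described above, the following PowerShell sketch compares the machine account's last password change with the last boot and the last IIS service start, and reports the provider order and hotfix presence. It is an added example, not taken from the KB article or the original post; the site name `Default Web Site` and the timeline heuristic (boot, then password change, then IIS restart) are assumptions derived from the description above.

```powershell
# Added diagnostic sketch. Run elevated on the domain-joined IIS server.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: replace with the site that hosts the application

# 1. Last password change of this computer account (pwdLastSet is a FILETIME value).
$searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
$searcher.PropertiesToLoad.Add('pwdlastset') | Out-Null
$entry = $searcher.FindOne()
if (-not $entry) { throw "Computer account for $env:COMPUTERNAME not found." }
$pwdLastSet = [DateTime]::FromFileTime([Int64]$entry.Properties['pwdlastset'][0])

# 2. Last boot; a reboot clears the condition, so only changes after it matter.
$os = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

# 3. Start time of the process hosting W3SVC, used as "last IIS restart".
$svc = Get-WmiObject Win32_Service -Filter "Name='W3SVC'"
if (-not $svc -or $svc.ProcessId -eq 0) { throw "W3SVC is not running." }
$iisStart = (Get-Process -Id $svc.ProcessId).StartTime

# 4. Effective Windows Authentication provider order for the site.
$filter = 'system.webServer/security/authentication/windowsAuthentication/providers'
$providers = (Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter $filter).Collection |
    ForEach-Object { $_.value }

# 5. Is the hotfix named in the post installed?
$hotfix = Get-HotFix -Id 'KB2545850' -ErrorAction SilentlyContinue

# Heuristic: password changed since boot AND IIS restarted after that change.
$suspect = ($pwdLastSet -gt $lastBoot) -and ($iisStart -gt $pwdLastSet)

New-Object PSObject -Property @{
    LastBoot          = $lastBoot
    MachinePwdLastSet = $pwdLastSet
    IisServiceStart   = $iisStart
    ProviderOrder     = ($providers -join ', ')
    HotfixInstalled   = [bool]$hotfix
    MatchesKbTimeline = $suspect
}
```

A result with `MatchesKbTimeline` true and `HotfixInstalled` false on a server showing repeated credential prompts is consistent with the failure described; `ProviderOrder` shows whether NTLM has been moved ahead of Negotiate as a workaround.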