Affected versions: Windows Server 2016


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

After changing app pool identities or host headers, IIS on Windows Server 2016 returns 401 Negotiate or falls back to NTLM, breaking Kerberos SSO to internal web apps.

Environment & Reproduction

Reproducible by browsing the site as a domain user via its FQDN (http://app.corp.local), which is the name that must match an HTTP SPN. Load the IIS module first, then read the current authentication settings and pool state:

Import-Module WebAdministration
Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp'
Get-WebAppPoolState

Root Cause Analysis

Negotiate fails either because the KDC cannot issue a ticket for the requested HTTP/<host> SPN (it is missing, or duplicated across accounts) or because IIS cannot decrypt the ticket it receives: with kernel-mode authentication enabled and useAppPoolCredentials set to False, the ticket is decrypted with the machine account's key even when the pool runs as a custom identity that holds the SPN. In both cases the browser sees a 401 or silently falls back to NTLM.

Quick Triage

Capture failed request info.

Get-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4625)]]" -MaxEvents 20

Step-by-Step Diagnosis

Validate SPNs and pool identity.

setspn -L CORP\svc-iis
setspn -Q HTTP/app.corp.local
Get-WebAppPoolState -Name IISApp
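The three commands above have to be read together: the pool identity and the kernel-mode/useAppPoolCredentials settings decide which account's key decrypts the ticket, and that account is the one that must hold the HTTP SPNs. The following script is an added example, not part of the original article, that performs that cross-check in one pass. It assumes the site and pool are both named IISApp, the host header is app.corp.local and the domain is CORP; the function names are ours.

```powershell
# Added example (not from the original article): checks whether the account that
# will decrypt Kerberos tickets for this site actually holds the HTTP SPNs.
# Assumed names: site and pool 'IISApp', host header app.corp.local, domain CORP.
Import-Module WebAdministration

$SiteName = 'IISApp'
$PoolName = 'IISApp'
$HostFqdn = 'app.corp.local'

# Read the pool identity and the windowsAuthentication settings that decide which
# key decrypts the ticket (kernel mode => machine key unless useAppPoolCredentials).
function Get-IisKerberosState {
    param([string]$Site, [string]$Pool)
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $path   = "IIS:\Sites\$Site"
    $pm     = Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel
    [pscustomobject]@{
        PoolIdentityType      = $pm.identityType
        PoolUserName          = $pm.userName
        UseKernelMode         = [bool](Get-WebConfigurationProperty -Filter $filter -PSPath $path -Name useKernelMode).Value
        UseAppPoolCredentials = [bool](Get-WebConfigurationProperty -Filter $filter -PSPath $path -Name useAppPoolCredentials).Value
        Providers             = @(Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $path | Select-Object -ExpandProperty value)
    }
}

# Which account must hold the SPN, given the settings above?
function Get-ExpectedSpnAccount {
    param($State)
    if ($State.PoolIdentityType -eq 'SpecificUser' -and
        ($State.UseAppPoolCredentials -or -not $State.UseKernelMode)) {
        return $State.PoolUserName        # ticket decrypted with the pool account's key
    }
    return $env:COMPUTERNAME              # machine account key (kernel mode or built-in identity)
}

# Compare the SPNs registered on that account against the ones the host header needs.
# HOST/<name> on an account implicitly covers HTTP/<name> for the same name.
function Test-HttpSpn {
    param([string]$Fqdn, [string]$Account)
    $registered = @(setspn -L $Account 2>&1 | ForEach-Object { $_.Trim() })
    foreach ($spn in "HTTP/$Fqdn", "HTTP/$($Fqdn.Split('.')[0])") {
        $hostSpn = $spn -replace '^HTTP/', 'HOST/'
        [pscustomobject]@{
            Spn                = $spn
            RegisteredAnywhere = ((setspn -Q $spn 2>&1 | Out-String) -notmatch 'No such SPN found')
            OnExpectedAccount  = ($registered -contains $spn) -or ($registered -contains $hostSpn)
        }
    }
}

$state = Get-IisKerberosState -Site $SiteName -Pool $PoolName
$state | Format-List
$account = Get-ExpectedSpnAccount -State $state
Write-Host "Tickets for $HostFqdn must be issued to: $account"
Test-HttpSpn -Fqdn $HostFqdn -Account $account | Format-Table -AutoSize

# Duplicate SPNs leave the KDC unable to choose an account; setspn -X reports them.
if ((setspn -X 2>&1 | Out-String) -notmatch 'found 0 group') {
    Write-Warning 'Duplicate SPNs detected in the forest; review the setspn -X output'
}
```

A row with RegisteredAnywhere = True but OnExpectedAccount = False is the classic failure: the SPN exists, but on an account whose key IIS is not using. Run it on the web server, because the machine-account branch uses the local computer name.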

Solution – Primary Fix

Register the HTTP SPNs on the pool identity account and enable useAppPoolCredentials, so that kernel-mode authentication decrypts tickets with that account's key instead of the machine account's.


setspn -S HTTP/app.corp.local CORP\svc-iis
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value True
iisreset

Solution – Alternative Approaches

Alternatively, disable kernel-mode authentication when the SPN is registered on the pool identity rather than the machine account; the worker process then decrypts tickets with its own credentials, at the cost of losing kernel-mode's performance benefit.

Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useKernelMode -Value False

Verification & Acceptance Criteria

The site returns 200 OK to an authenticated request, and klist on the client shows a Kerberos service ticket for HTTP/app.corp.local (an NTLM fallback leaves no such ticket).

klist get HTTP/app.corp.local
Invoke-WebRequest http://app.corp.local -UseDefaultCredentials | Select StatusCode
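A 200 alone does not prove Kerberos was used: NTLM fallback also yields 200. The script below is an added example, not part of the original article, that combines the checks from Quick Triage and this section: on the client it records which schemes the server offers, whether the authenticated request succeeds and whether a service ticket for the SPN was obtained; on the server it decodes recent 4624/4625 events to show the authentication package each network logon used. It assumes Windows PowerShell 5.1 (WebException.Response semantics), the URL http://app.corp.local and the SPN HTTP/app.corp.local; the function names are ours.

```powershell
# Added example (not from the original article): client-side check that the site
# answers 200 through Kerberos, plus a server-side view of recent logon events.
# Assumed: URL http://app.corp.local, SPN HTTP/app.corp.local, Windows PowerShell 5.1,
# run as a domain user (client part) / as admin on the web server (server part).
$Url = 'http://app.corp.local'
$Spn = 'HTTP/app.corp.local'

# Client side: which schemes does the server offer, does the authenticated request
# succeed, and did the client obtain a service ticket for the SPN?
function Test-KerberosSso {
    param([string]$Url, [string]$Spn)
    $offered = @()
    try {
        # Anonymous probe: a protected site must answer 401 with WWW-Authenticate
        Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop | Out-Null
    } catch {
        $resp = $_.Exception.Response
        if ($resp) { $offered = @($resp.Headers.GetValues('WWW-Authenticate')) }
    }
    try {
        $status = (Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop).StatusCode
    } catch {
        $status = [int]$_.Exception.Response.StatusCode   # 0 if no response at all
    }
    # klist get requests (or shows) the service ticket; the Server: line names the SPN
    $klist  = klist get $Spn 2>&1 | Out-String
    $ticket = $klist -match ('Server:\s+' + [regex]::Escape($Spn))
    [pscustomobject]@{
        StatusCode       = $status
        OffersNegotiate  = ($offered -contains 'Negotiate')
        OffersNtlm       = ($offered -contains 'NTLM')
        HasServiceTicket = $ticket
        Passed           = ($status -eq 200) -and ($offered -contains 'Negotiate') -and $ticket
    }
}

# Server side: 4624/4625 carry the authentication package, so they show whether the
# worker process saw Kerberos or an NTLM fallback. LogonType 3 = network logon.
function Get-RecentNetworkLogons {
    param([int]$MaxEvents = 20)
    Get-WinEvent -LogName Security -FilterXPath '*[System[(EventID=4624 or EventID=4625)]]' -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $data.LogonType
                Package   = $data.AuthenticationPackageName
                Status    = $data.Status          # populated for 4625 only
            }
        } | Where-Object { $_.LogonType -eq '3' }
}

Test-KerberosSso -Url $Url -Spn $Spn | Format-List
Get-RecentNetworkLogons | Format-Table -AutoSize
```

Acceptance is Passed = True on the client and Package = Kerberos for the test user's 4624 on the server; a run of 4625 events with Package = NTLM after the change means the fallback is still happening and the SPN check in Step-by-Step Diagnosis should be repeated.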

Rollback Plan

Restore previous SPN and auth settings if downstream apps regress.

Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value False

Prevention & Hardening

Run app pools under a group managed service account (gMSA) so the SPN sits on an account whose password rotates automatically, document which account owns each HTTP SPN, and monitor event ID 4625 in the Security log for NTLM fallbacks or failed logons.

Install-ADServiceAccount svc-iis
Get-WebAppPool | Select Name,ProcessModel | Format-List
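The two commands above are the skeleton of the gMSA move; the full sequence has a domain-side step, a per-server install with a usability test, and the IIS binding that has to use the trailing-$ account name with an empty password. The script below is an added example, not part of the original article, that carries the procedure through and ends with an audit of pool identities. It assumes a gMSA named svc-iis, an AD group IIS-WebServers containing the web servers' computer accounts, the domain CORP / corp.local, the site and pool IISApp, the host app.corp.local, the RSAT ActiveDirectory module and an existing KDS root key; the group name and function name are ours.

```powershell
# Added example (not from the original article): move the app pool to a gMSA so the
# HTTP SPN lives on an account whose password rotates automatically.
# Assumed names: gMSA svc-iis, group IIS-WebServers holding the web servers' computer
# accounts, site/pool 'IISApp', host app.corp.local, domain CORP / corp.local.
# Needs the RSAT ActiveDirectory module and an existing KDS root key (Get-KdsRootKey).
Import-Module ActiveDirectory
Import-Module WebAdministration

$Gmsa   = 'svc-iis'
$Domain = 'CORP'
$Fqdn   = 'app.corp.local'
$Pool   = 'IISApp'
$Site   = 'IISApp'
$Filter = 'system.webServer/security/authentication/windowsAuthentication'

# 1. Domain side (once): create the gMSA with its HTTP SPNs; only members of the
#    web-server group may retrieve its managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$Gmsa'")) {
    New-ADServiceAccount -Name $Gmsa -DNSHostName "$Gmsa.corp.local" `
        -PrincipalsAllowedToRetrieveManagedPassword 'IIS-WebServers' `
        -ServicePrincipalNames "HTTP/$Fqdn", "HTTP/$($Fqdn.Split('.')[0])"
}

# 2. Web-server side: install and verify the account before touching IIS. A server
#    added to the group needs a reboot before Test-ADServiceAccount succeeds.
Install-ADServiceAccount -Identity $Gmsa
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "gMSA $Gmsa is not usable on $env:COMPUTERNAME (check group membership / reboot)"
}

# 3. Bind the pool to the gMSA (trailing '$', empty password) and make kernel-mode
#    authentication decrypt tickets with the pool account's key.
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = ("$Domain\$Gmsa" + '$'); password = '' }
Set-WebConfigurationProperty -Filter $Filter -PSPath "IIS:\Sites\$Site" -Name useAppPoolCredentials -Value $true
Restart-WebAppPool -Name $Pool

# 4. Audit: list every pool's identity and flag explicit users that are not gMSAs,
#    since static service-account passwords are where SPN ownership usually drifts.
function Get-PoolIdentityReport {
    Get-ChildItem 'IIS:\AppPools' | ForEach-Object {
        $pm = $_.processModel
        [pscustomobject]@{
            Pool     = $_.Name
            Identity = $pm.identityType
            User     = $pm.userName
            IsGmsa   = ($pm.identityType -eq 'SpecificUser' -and $pm.userName -like '*$')
        }
    }
}
Get-PoolIdentityReport | Format-Table -AutoSize
```

Step 1 runs once with domain-admin rights; steps 2 to 4 run on each web server. Because the SPNs are created together with the gMSA, the setspn -S step from the primary fix is not needed separately, and setspn -L CORP\svc-iis$ should list them afterwards.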

Related Errors & Cross-Refs

Linked with Kerberos SPN duplication and NTLM fallback issues.


References & Further Reading

Microsoft Learn: IIS Windows Authentication and Kerberos configuration.
