Affected versions: Windows Server 2012 R2


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

After changing app pool identities or host headers, IIS on Windows Server 2012 R2 returns 401 Negotiate or falls back to NTLM, breaking Kerberos SSO to internal web apps.

Environment & Reproduction

Reproducible by browsing the site as a domain user over its FQDN (http://app.corp.local) from a domain-joined client. On the IIS host, inspect the current Windows Authentication settings and pool state:

Import-Module WebAdministration
Get-WebConfiguration -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp'
Get-WebAppPoolState -Name IISApp

Root Cause Analysis

One of three things breaks the Negotiate handshake: the account the pool runs as has no HTTP/<host> SPN for the host header in use (or the SPN is still on the previous identity), kernel-mode authentication is decrypting service tickets with the machine account while the SPN is registered on the pool's domain account, or useAppPoolCredentials is set the wrong way for that combination. The client then either gets a 401 on the Negotiate challenge or silently falls back to NTLM.

Quick Triage

Check the current useAppPoolCredentials value and look for recent logon failures (event 4625) on the IIS server.

Get-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4625)]]" -MaxEvents 20

Step-by-Step Diagnosis

Validate that the SPN for the host header exists, that it is registered on exactly one account (the pool identity), and that the pool is running.

setspn -L CORP\svc-iis
setspn -Q HTTP/app.corp.local
Get-WebAppPoolState -Name IISApp
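The manual checks above only cover one SPN and one account. The following script, added here as an example and not code from the original article, reads the site's bindings and app pool identity, works out which account will actually decrypt the service ticket given the useKernelMode and useAppPoolCredentials settings, and then checks that every HTTP/<host header> SPN is registered on that account and on no other. The site name 'IISApp' is hypothetical; it assumes the WebAdministration module and setspn.exe are available on the IIS host.

```powershell
# Added example, not code from the original article: audit the settings that decide
# whether Negotiate can complete with Kerberos for one IIS site.
# Assumptions: WebAdministration module and setspn.exe are present on the IIS host,
# and the site name passed in exists ('IISApp' below is hypothetical).
Import-Module WebAdministration

function Get-IisKerberosAudit {
    param([Parameter(Mandatory)][string] $SiteName)

    $sitePath = "IIS:\Sites\$SiteName"
    $site     = Get-Item $sitePath
    $pool     = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $machine  = "$env:USERDOMAIN\$env:COMPUTERNAME`$"

    # Built-in identities (ApplicationPoolIdentity, NetworkService) hit the network
    # as the computer account; only SpecificUser runs as a separate domain account.
    $identity = if ($pool.processModel.identityType -eq 'SpecificUser') {
        $pool.processModel.userName
    } else { $machine }

    $winAuth = Get-WebConfiguration `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -PSPath $sitePath
    $kernelMode = [bool]$winAuth.useKernelMode
    $poolCreds  = [bool]$winAuth.useAppPoolCredentials

    # Kernel-mode auth decrypts the service ticket with the machine account unless
    # useAppPoolCredentials redirects it to the pool identity. The SPN has to live
    # on whichever account does the decrypting.
    $decryptor = if ($kernelMode -and -not $poolCreds) { $machine } else { $identity }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($identity -ne $machine -and $decryptor -eq $machine) {
        $findings.Add("Pool runs as $identity but kernel mode decrypts with $machine; " +
                      "set useAppPoolCredentials=true or useKernelMode=false.")
    }

    # Every HTTP/HTTPS host header the site listens on needs an HTTP/<host> SPN.
    $hosts = $site.bindings.Collection |
        Where-Object { $_.protocol -in 'http', 'https' } |
        ForEach-Object { ($_.bindingInformation -split ':')[-1] } |
        Where-Object { $_ } | Sort-Object -Unique

    # setspn -L prints the SPNs tab-indented; stderr is merged so a bad account shows up too.
    $registered = (& setspn.exe -L $decryptor 2>&1) | ForEach-Object { "$_".Trim() }
    foreach ($h in $hosts) {
        $spn = "HTTP/$h"
        if ($registered -notcontains $spn) {
            $findings.Add("$spn is not registered on $decryptor (host header $h).")
        }
        # setspn -Q prints one CN= line per account holding the SPN; more than one
        # means a duplicate, and the KDC will not issue a ticket for it.
        $owners = @(& setspn.exe -Q $spn 2>&1 | Where-Object { "$_" -match '^CN=' })
        if ($owners.Count -gt 1) {
            $findings.Add("$spn is held by $($owners.Count) accounts (duplicate SPN).")
        }
    }

    [pscustomobject]@{
        Site        = $SiteName
        AppPool     = $site.applicationPool
        Identity    = $identity
        KernelMode  = $kernelMode
        PoolCreds   = $poolCreds
        Decryptor   = $decryptor
        HostHeaders = @($hosts)
        Findings    = $findings.ToArray()
    }
}

Get-IisKerberosAudit -SiteName 'IISApp' | Format-List
```

An empty Findings list means the SPN and the decrypting account line up for every host header; anything listed maps directly to one of the fixes in the next two sections. Run it again after each change to a host header or pool identity, since those are exactly the changes that put the SPN and the decryptor out of step.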

Solution – Primary Fix

Register the HTTP SPN for the host header on the pool identity and enable useAppPoolCredentials, so that kernel-mode authentication decrypts service tickets with that account instead of the machine account.

setspn -S HTTP/app.corp.local CORP\svc-iis
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value $true
iisreset

Solution – Alternative Approaches

Alternatively, leave useAppPoolCredentials off and disable kernel-mode authentication. With kernel mode off, Negotiate runs in the worker process and decrypts the ticket with the pool identity, so an SPN registered on that domain account (rather than on the machine account) works without further settings. Use one approach or the other, not both halves of different ones.

Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useKernelMode -Value $false

Verification & Acceptance Criteria

The site returns 200 OK and klist on the client shows a Kerberos ticket for HTTP/app.corp.local. A 200 with no HTTP ticket in the cache means the request succeeded over NTLM, which is still a failure for Kerberos SSO.

klist get HTTP/app.corp.local
Invoke-WebRequest http://app.corp.local -UseDefaultCredentials | Select StatusCode
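The two commands above have to be read together, and a stale ticket from before the fix can make klist look healthy. The function below, added as an example and not part of the original article, purges the ticket cache, makes the same request a browser would, and then decides from the cache contents and the server's WWW-Authenticate challenge whether Kerberos was really used or the client fell back to NTLM. The URL is hypothetical; it is written for Windows PowerShell 5.1 on a domain-joined client, because the WebException handling differs on PowerShell 7.

```powershell
# Added example, not code from the original article: confirm the client actually
# obtained a Kerberos ticket for the site rather than silently falling back to NTLM.
# Assumptions: run as a domain user on a domain-joined client under Windows PowerShell 5.1
# (the WebException handling below is 5.1-specific); the URL is hypothetical.
function Test-KerberosSso {
    param([Parameter(Mandatory)][string] $Url)

    $spn = "HTTP/$(([uri]$Url).Host)"

    # Start from an empty cache so a stale ticket or an old NTLM session cannot mask the result.
    & klist.exe purge | Out-Null

    try {
        $resp   = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
    } catch [System.Net.WebException] {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }

    # A service ticket for the site's SPN appears in the cache only when Kerberos was used.
    $ticket = @(& klist.exe | Where-Object { $_ -match [regex]::Escape($spn) }).Count -gt 0

    # Read the server's challenge without credentials; Negotiate must be offered, and
    # listed before NTLM, or the browser never attempts Kerberos.
    $challenge = @()
    try { Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop | Out-Null }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $challenge = @($_.Exception.Response.Headers.GetValues('WWW-Authenticate'))
        }
    }

    $verdict = if ($status -eq 200 -and $ticket) { 'Kerberos SSO OK' }
               elseif ($status -eq 200)          { 'Authenticated, but no Kerberos ticket: NTLM fallback' }
               else                               { "Failed with HTTP $status" }

    [pscustomobject]@{
        Url            = $Url
        StatusCode     = $status
        KerberosTicket = $ticket
        Challenge      = ($challenge -join ', ')
        Verdict        = $verdict
    }
}

Test-KerberosSso -Url 'http://app.corp.local/' | Format-List
```

Run it from a client, not from the IIS server itself: a request to the local machine takes a different path through LSA and will not reproduce what users see. If the verdict reports NTLM fallback while the challenge shows Negotiate first, the problem is on the SPN or decryptor side (go back to the diagnosis step); if Negotiate is missing from the challenge, the providers list on the site has been changed.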

Rollback Plan

Restore the previous SPN and authentication settings if downstream apps regress. Removing the SPN and resetting useAppPoolCredentials returns the site to the pre-change state.

setspn -D HTTP/app.corp.local CORP\svc-iis
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value $false

Prevention & Hardening

Run app pools under a group Managed Service Account (gMSA) so the account that owns the SPN has an AD-managed password that is never typed into IIS, document which account owns each SPN, and monitor 4625 in the security log. The second command lists every pool with the identity it runs as, which is the inventory you need to keep SPN ownership current.

Import-Module ActiveDirectory
Install-ADServiceAccount svc-iis
Get-ChildItem IIS:\AppPools | Select-Object Name, @{n='IdentityType';e={$_.processModel.identityType}}, @{n='UserName';e={$_.processModel.userName}} | Format-List
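Installing the account on the host is only the middle step. The script below, added as an example and not code from the original article, carries the whole move through: it creates the gMSA with the SPNs it will own and the host allowed to retrieve its password, installs and tests it on the web server, points the app pool at it, and sets useAppPoolCredentials so kernel-mode auth decrypts with the gMSA. Domain CORP.LOCAL, host IIS01, account svc-iis and site/pool IISApp are all hypothetical; it assumes the KDS root key already exists and that any HTTP/app.corp.local SPN still on the old account has been removed first (the same SPN on two accounts stops the KDC issuing tickets).

```powershell
# Added example, not code from the original article: move the app pool to a gMSA so
# the SPN lives on an account whose password is managed by AD and never typed into IIS.
# Assumptions (all hypothetical): domain CORP.LOCAL, account svc-iis, web server IIS01,
# site and pool 'IISApp'; the KDS root key exists; the old account no longer holds the SPN.
# Run step 1 on a machine with RSAT, steps 2-4 on the web server.
Import-Module ActiveDirectory

# 1. Create the gMSA with the SPNs it owns and the host allowed to fetch its password.
New-ADServiceAccount -Name 'svc-iis' `
    -DNSHostName 'svc-iis.corp.local' `
    -ServicePrincipalNames 'HTTP/app.corp.local', 'HTTP/app' `
    -PrincipalsAllowedToRetrieveManagedPassword 'IIS01$'

# 2. Install the account on the web server and prove the host can actually use it.
Install-ADServiceAccount -Identity 'svc-iis'
if (-not (Test-ADServiceAccount -Identity 'svc-iis')) {
    throw 'gMSA svc-iis is not usable on this host; check PrincipalsAllowedToRetrieveManagedPassword.'
}

# 3. Point the app pool at the gMSA: SpecificUser, trailing $ on the name, empty password.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\IISApp' -Name processModel `
    -Value @{ identityType = 'SpecificUser'; userName = 'CORP\svc-iis$'; password = '' }

# 4. Kernel-mode auth must decrypt with the gMSA rather than the machine account.
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -PSPath 'IIS:\Sites\IISApp' -Name useAppPoolCredentials -Value $true
Restart-WebAppPool -Name 'IISApp'
```

Because the SPNs are attributes of the gMSA, ownership is documented in AD itself rather than in a wiki: setspn -L CORP\svc-iis$ always shows the current list, and no password rotation can break the binding between the pool identity and its SPN.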

Related Errors & Cross-Refs

Linked with Kerberos SPN duplication and NTLM fallback issues.


References & Further Reading

Microsoft Learn: IIS Windows Authentication and Kerberos configuration.
