I was looking through the web SSPR deployment guide and the recommended SPN configuration is to use the machine identity rather than the app pool identity. Is there a reason this option is preferred? I switched to using the app pool identity so I could load balance multiple registration and reset servers and everything works fine - but the question of which option is better in a single server environment has me curious.. Frank C. Drewes III - Architect - Oxford Computer Group

I think using the machine identity is advised as that's the option which requires the least amount of configuration work. Knowing that this Kerberos/SPN is still causing a lot of issues it might be a good idea to keep things as simple as possible for the majority out there. However, once you master the Kerberos/SPN/application pool stuff I would _always_ use a custom identity. It makes more sense and allows for (possible future) scale out over multiple servers. But for non load balanced scenario's using the machine identity is technically as good as a user account I think. http://setspn.blogspot.com