SharePoint 2010: Configuring Kerberos Authentication

Follow the steps below to be absolutely sure which account runs the site that will support Kerberos authentication. If SharePoint has already been configured, verify that your application pool account is in fact the identity of the IIS application pool that serves the website where Kerberos is enabled.

1. Open the web application that will support Kerberos and make a note of the application pool that supports this web application. Note that you may have more than one web application for the same content (for example HTTP and HTTPS), so take care to determine the exact web application.

2. Make a note of the account that is the identity of this application pool; later this account must be trusted for "Delegation".

   * If the application pool identity is "Network Service" then Kerberos cannot be configured; the application pool account configured through Central Administration must be a domain account.

3. Get the exact machine names of the servers that will host the sites that will support Kerberos authentication: right-click Computer Management and click Properties.

4. Make a note of the machine's actual name (you will not be using the alias).

5. Open Active Directory Users and Computers.

6. Open the application pool account in Active Directory Users and Computers (ADUC) and note that there is no "Delegation" tab yet.

7. Locate the server(s) in Active Directory Users and Computers as well and repeat the step above for the computer account. The Delegation tab will typically not be visible until the SETSPN tool is run (that comes later). In the article's screenshot the Delegation tab is visible because the server is an all-in-one machine that is also a domain controller.

Enable Kerberos for SharePoint Web Application

First things first: Kerberos can be enabled for an existing SharePoint web application even if it was not specified during the initial installation wizard. Follow the steps below to enable Kerberos authentication for a SharePoint web application.

1. Open Central Administration; note that the port may be different (I typically use 8080 for Central Administration). *** NOTE: IF YOU CANNOT OPEN CENTRAL ADMINISTRATION, DO NOT HAVE RIGHTS, OR DO NOT KNOW HOW, THEN STOP; YOU SHOULD NOT BE DOING THIS ***

2. Click on Manage Web Applications.

3. In the dialog that opens, click on the zone (typically Default, although you may choose Intranet).

4. In the Edit Authentication dialog that opens, scroll down to IIS Authentication Settings and choose "Negotiate (Kerberos)". A JavaScript alert will appear warning you of the manual steps you will have to complete; these manual steps are detailed later in this article.

5. Click Save and close the remaining dialogs.

Run SETSPN command line tool for the SharePoint Application Pool Account

To enable Kerberos authentication, a domain administrator will need to run the following commands from the command line on each SharePoint server. These commands use the SETSPN tool, which is delivered by default on all Windows Server 2008 machines; if the tool is missing it is readily available for download from Microsoft.com.

1. Open a command prompt as administrator.

2. First run the SETSPN command for the application pool account. Correct the names below (servername and corp\spapppool) to match the names in your environment. Also note that "http" is not followed by "://".

   setspn -A http/servername corp\spapppool

3. Run a similar command for each server (the results shown in the article are atypical since the machine used is already a domain controller; however, the command is still correct):

   setspn -A http/spapp10 spapp10

Open Active Directory Users and Computers and Trust the Application Pool for Delegation

Once the SETSPN command has been run, the Delegation tab will appear in Active Directory Users and Computers (ADUC) for the application pool account.

On the Delegation tab of the SharePoint application pool account's Properties window, select "Trust this user for delegation to any service (Kerberos only)".

Open Active Directory Users and Computers and Trust the Server(s) for Delegation

Once the SETSPN command has been run, the Delegation tab will appear in Active Directory Users and Computers (ADUC) for the servers registered using the SETSPN tool.

On the Delegation tab, check the box "Trust this computer for delegation to any service (Kerberos only)".

Verifying Service Principal Names (SPNs) using SETSPN

The setspn tool supports the -L (list) switch, which allows administrators to display the SPNs registered for a particular computer or user account.

Run setspn for the service account:

   setspn -L corp\spapppool

Run setspn for the server:

   setspn -L spapp10
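As an added example that is not part of the original article, the PowerShell script below performs the SETSPN registration from the previous section and the verification from this one in a single pass, and goes beyond the article by also registering the FQDN form of the SPN and checking the forest for duplicate SPNs. It assumes the setspn.exe shipped with Windows Server 2008 R2 or later (for the -S and -X switches), the RSAT ActiveDirectory module, and that corp\spapppool, spapp10 and corp.example.com are placeholders for your own names.

```powershell
# Added example, not part of the original article. Registers the HTTP SPNs for the
# SharePoint application pool account and then verifies them.
# Assumptions: run as a domain admin on the SharePoint server; setspn.exe from
# Windows Server 2008 R2 or later (adds the -S and -X switches); the RSAT
# ActiveDirectory module is installed; all names below are placeholders.
$AppPoolAccount = 'corp\spapppool'     # identity of the web application's app pool
$Servers        = @('spapp10')         # actual machine names, not aliases
$DnsSuffix      = 'corp.example.com'   # placeholder DNS suffix of the domain

foreach ($srv in $Servers) {
    # The browser asks the KDC for a ticket to whatever host name is in the URL,
    # so register both the short name and the FQDN on the same account.
    # -S refuses to add an SPN that already exists in the forest, unlike -A.
    setspn -S "http/$srv" $AppPoolAccount
    setspn -S "http/$srv.$DnsSuffix" $AppPoolAccount
}

# Verification, as in the article: list what is registered on the service account.
setspn -L $AppPoolAccount

# The same SPN on two accounts leaves the KDC unable to choose a key, so ticket
# requests for that service fail; -X searches the whole forest for duplicates.
setspn -X

# Confirm the delegation setting made on the ADUC Delegation tab actually took.
$sam = $AppPoolAccount.Split('\')[-1]
Get-ADUser -Identity $sam -Properties TrustedForDelegation, ServicePrincipalNames |
    Select-Object SamAccountName, TrustedForDelegation, ServicePrincipalNames
foreach ($srv in $Servers) {
    Get-ADComputer -Identity $srv -Properties TrustedForDelegation |
        Select-Object Name, TrustedForDelegation
}
```

If the article's third SETSPN command also placed http/spapp10 on the computer account, setspn -X will report it as a duplicate; resolve that before testing logons. "Trust ... for delegation to any service" is unconstrained delegation; the Delegation tab's "specified services only" option (constrained delegation) limits where the account can forward user credentials and is the tighter choice when the farm only needs to reach known back-end services.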



Reference: SharePointassist.com
Comments
  • Great article!
  • Good one. Keep going
  • I think this article is severely lacking