Configuring SharePoint 2010 with Kerberos Authentication


Determine the application pool account that will be responsible for authenticating users.

Follow the steps below to be absolutely sure which account runs the site that will support Kerberos authentication. If SharePoint has already been configured, verify that your application pool account is, in fact, the identity of the IIS application pool that serves the website where Kerberos will be enabled.

image

Open the web application that will support Kerberos and make a note of the application pool that serves it. Note that you may have more than one web application for the same content (for example one for http and one for https), so take care to identify the exact web application.

image

Make a note of the account that is the identity of this application pool; later this account must be trusted for “Delegation”.

* If the application pool identity is “Network Service” then Kerberos cannot be configured this way; the application pool account configured through Central Administration must be a domain account.

image

Get the exact machine names of the servers that will host the sites that will support Kerberos authentication

Right-click Computer Management and click Properties

image

Make a note of the machine’s actual name (you will not be using the alias)

image

Open Active Directory Users and Computers

image

Open the application pool account in Active Directory Users and Computers (ADUC) and note that there is no “Delegation” tab yet

image

Locate the server(s) in Active Directory Users and Computers as well

Repeat the step above for the computer account. The Delegation tab will typically not be visible until the SETSPN tool has been run (that comes later). In the screenshot below the Delegation tab is already visible because the server is an all-in-one machine that is also a domain controller.

image

Enable Kerberos for SharePoint Web Application

First things first: Kerberos can be enabled for an existing SharePoint web application even if it was not selected during the initial installation wizard. Follow the steps below to enable Kerberos authentication for a SharePoint web application.

Open Central Administration; note that the port may be different (I typically use 8080 for Central Administration). *** NOTE: IF YOU CANNOT OPEN CENTRAL ADMINISTRATION, DO NOT HAVE RIGHTS, OR DO NOT KNOW HOW, THEN STOP. YOU SHOULD NOT BE DOING THIS ***

image

Click on Manage Web Applications

image

image

In the dialog that opens, click on the zone (which is typically default although you may choose intranet)

image

In the Edit Authentication dialog that opens, scroll down to IIS Authentication Settings and choose “Negotiate (Kerberos)”. A JavaScript alert will appear warning you of the manual steps you will have to complete; those manual steps are detailed later in this article.

image

Click save and close the remaining dialogs.

Run SETSPN command line tool for the SharePoint Application Pool Account

To enable Kerberos authentication, a domain administrator will need to run the following commands from the command line on each SharePoint server. These commands use the SETSPN tool, which is included by default on all Windows Server 2008 machines; if the tool is missing it is readily available for download from Microsoft.com.

Open a command prompt as administrator

image

First run the SETSPN command for the application pool account.

Correct the names below to match the names in your environment. Also note that the “http” in the SPN does not have a “://”.

setspn -A http/servername corp\spapppool

image

Run a similar command for each server (the results below are atypical because the machine used is already a domain controller; however, the command is still correct).

setspn -A http/spapp10 spapp10

image

Open Active Directory Users and Computers and Trust the Application Pool for Delegation

Once the SETSPN command has been run, the delegation tab will appear in Active Directory Users and Computers (ADUC) for the application pool account.

image

On the Delegation tab of the SharePoint application pool account’s properties window, select “Trust this user for delegation to any service (Kerberos only)”.

image

Open Active Directory Users and Computers and Trust the Server(s) for Delegation

Once the SETSPN command has been run, the Delegation tab will appear in Active Directory Users and Computers (ADUC) for the servers registered using the SETSPN tool.

image

On the Delegation tab check the box “Trust this computer for delegation to any service (Kerberos only)”

image

Verifying Service Principal Names (SPNs) using SETSPN

The setspn tool supports the -L (list) switch, which allows administrators to display the SPNs registered for a particular computer or user account.

Run setspn for the service account

setspn -L corp\spapppool

image

Run setspn for the server

setspn -L spapp10

image
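The two setspn -L checks above can be scripted. The following is an added example (not from the original post) that reads the SPNs and delegation flag of the application pool account from Active Directory and also reports any HTTP SPN that is registered on more than one account, since the KDC cannot issue a ticket for a duplicated SPN. It assumes a domain-joined server with the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT); the account and server names are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module
# and that it runs as a domain admin; names below are placeholders for your environment.
Import-Module ActiveDirectory

$appPoolAccount = 'spapppool'                 # sAMAccountName of the IIS application pool identity
$servers        = @('spapp10')                # real hostnames from the Computer Name tab, no aliases
$expectedSpns   = $servers | ForEach-Object { "http/$_" }

# 1. Read the SPNs currently registered on the application pool account
#    (the same data "setspn -L corp\spapppool" prints).
$user = Get-ADUser -Identity $appPoolAccount -Properties servicePrincipalName, TrustedForDelegation
$registered = @($user.servicePrincipalName)

foreach ($spn in $expectedSpns) {
    if ($registered -contains $spn) {
        Write-Host "OK        $spn is registered on $appPoolAccount"
    } else {
        Write-Host "MISSING   $spn - run: setspn -A $spn corp\$appPoolAccount"
    }
}

# 2. Report the delegation state set on the Delegation tab in ADUC.
if ($user.TrustedForDelegation) {
    Write-Host "OK        $appPoolAccount is trusted for delegation (Kerberos only)"
} else {
    Write-Host "WARN      $appPoolAccount is not trusted for delegation"
}

# 3. Look for the same HTTP SPN on more than one account. An SPN must belong to
#    exactly one account; when it is duplicated the KDC cannot choose a key, so
#    browsers silently fall back to NTLM or users get logon prompts.
foreach ($spn in $expectedSpns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                 Select-Object -ExpandProperty DistinguishedName)
    if ($holders.Count -gt 1) {
        Write-Host "DUPLICATE $spn is registered on: $($holders -join '; ')"
    }
}
```

The TrustedForDelegation flag reported in step 2 is the unconstrained setting the post selects; the "specified services only" option, which limits where the pool account may forward user tickets, is not covered by this check. The built-in `setspn -X` switch performs the same duplicate search across the whole domain.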

Testing Kerberos

There are tools available for testing Kerberos but it’s quite easy to determine if it is running properly.

When it’s enabled but not working, the following symptoms may be present:

  1. Login prompts may appear where they previously did not under NTLM authentication
  2. Logon errors appear in the Windows Security event log, typically stating that Kerberos authentication failed
  3. Users are prompted to log in from Office applications even though their machines are domain members and the logged-in user should have rights.

When Kerberos is first configured for the application pool account, a message will appear in the Windows Security log stating that a ticket was requested.

image

Open SharePoint in a browser using the URL where Kerberos is now configured and then refresh the Security log. If Kerberos is running properly, messages similar to the one below will appear in the log on a regular basis.

For individual logged-in users, events similar to the one below will appear

image

In addition, many messages similar to the one below will appear in the event log.

image
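Rather than reading the Security log event by event, the check described above can be summarised. The following is an added example (not from the original post) that counts recent network logons on the SharePoint server by authentication package, so a working Kerberos setup shows up as a growing Kerberos count while NTLM fallback or failed logons are flagged. It assumes it is run as administrator on the SharePoint web front end (Windows Server 2008 or later with PowerShell 2.0) with logon auditing enabled, which is the default.

```powershell
# Added example, not part of the original post. Runs on the SharePoint web server;
# the one-hour window is an arbitrary choice for the demonstration.
$since = (Get-Date).AddHours(-1)

# Event 4624 = successful logon. Pull the authentication package (Kerberos or NTLM)
# out of the event text for every network logon (logon type 3 = browser/Office client).
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$summary = @{}
foreach ($event in $logons) {
    $text = $event.Message
    if ($text -match 'Logon Type:\s+3' -and $text -match 'Authentication Package:\s+(\S+)') {
        $package = $matches[1]
        if (-not $summary.ContainsKey($package)) { $summary[$package] = 0 }
        $summary[$package]++
    }
}

Write-Host "Network logons to this server since $since"
foreach ($package in $summary.Keys) {
    Write-Host ("  {0,-10} {1,6}" -f $package, $summary[$package])
}

# Kerberos is working when the Kerberos count climbs as users open the site. A growing
# NTLM count for domain users means clients are falling back, usually because the SPN
# matching the URL the browser uses (http/servername) is missing or duplicated.
if (-not $summary.ContainsKey('Kerberos')) {
    Write-Host 'No Kerberos logons seen - check the SPNs with setspn -L and the URL in use.'
}

# Event 4625 = failed logon. Show the most recent few so failures are not missed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host ("  FAILED {0} : {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0]) }
```

The ticket-request events the post mentions (a Kerberos TGT or service ticket being issued) are written on the domain controller, not on the web server, so this script only shows what the SharePoint server itself accepted.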

About thangletoan

Hallo Aloha

Posted on 16/05/2012, in Active Directory AD, AD developer, Technology and Education, IT Policy, KDC, Kerberos, Living and loving science, Service Principal Names, SPN.
