Setting Up Kerberos Authentication for SharePoint

From WSSWiki


Setting up Kerberos can be a difficult task for anybody that has never done it before. This article will hopefully assist you in configuring your SharePoint environment to use Kerberos as opposed to NTLM.


Sample Scenario

The sections that follow use the server names, URLs and account names listed here; substitute your own values when you carry out the steps.

Server Direct

Server Name: Server01
SharePoint URL: http://Server01
Application Pool Account: DOMAIN\spsadmin

Using Host Headers

Server Name: Server01
SharePoint URL: http://portal.company.com
Application Pool Account: DOMAIN\spsadmin

Creating Service Principal Names (SPNs)

The following outlines how to create the SPNs that Kerberos requires; without them, clients cannot obtain a service ticket for the web application and Kerberos will not function.

You can download SETSPN.EXE from http://support.microsoft.com/kb/892777/.

Execute the following commands (substitute the URLs and account names with your own):

Server Direct:

  setspn -a http/Server01 DOMAIN\spsadmin

Using Host Headers:

  setspn -a http/portal.company.com DOMAIN\spsadmin
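The two commands above register one SPN each by hand. The PowerShell script below is an added example, not part of the original wiki page: it derives the HTTP SPN from each SharePoint URL in the sample scenario, searches the domain for an existing registration before adding it (a duplicate SPN, the same name on two accounts, is the most common reason Kerberos silently falls back to NTLM or fails), and only then runs the page's setspn command. It assumes a domain-joined host, a session with rights to modify the DOMAIN\spsadmin account, setspn.exe in the PATH, and the URLs and account name from the sample scenario; the function names are the example's own.

```powershell
# Added example (not from the WSSWiki page): check for duplicate SPNs before
# registering HTTP/<host> on the application-pool account.
# Assumptions: domain-joined host, setspn.exe in PATH, rights to edit the account.
$AppPoolAccount = 'DOMAIN\spsadmin'                       # from the sample scenario
$Urls = @('http://Server01', 'http://portal.company.com')   # from the sample scenario

function Get-SharePointSpn {
    param([string]$Url)
    # The SPN a browser requests for a web application is HTTP/<host part of the URL>.
    $hostName = ([System.Uri]$Url).Host
    "HTTP/$hostName"
}

function Find-AdObjectDn {
    param([string]$LdapFilter)
    # Searches the current domain (default naming context) and returns matching DNs.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $LdapFilter
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['distinguishedname'][0]
    }
}

# Resolve the application-pool account once so we can tell "already registered
# on the right account" apart from "registered on some other account".
$sam = $AppPoolAccount.Split('\')[-1]
$accountDn = @(Find-AdObjectDn -LdapFilter "(&(objectCategory=person)(sAMAccountName=$sam))")
if ($accountDn.Count -ne 1) { throw "Account $AppPoolAccount not found (or not unique) in the domain" }

foreach ($url in $Urls) {
    $spn = Get-SharePointSpn -Url $url
    $owners = @(Find-AdObjectDn -LdapFilter "(servicePrincipalName=$spn)")

    if ($owners.Count -eq 0) {
        Write-Host "Registering $spn on $AppPoolAccount"
        & setspn -a $spn $AppPoolAccount      # the page's command, unchanged
    }
    elseif ($owners.Count -eq 1 -and $owners[0] -eq $accountDn[0]) {
        Write-Host "$spn is already registered on $AppPoolAccount; nothing to do"
    }
    else {
        # Do not add a second copy: the KDC cannot pick a key when an SPN is
        # ambiguous, and authentication fails for every client of that URL.
        Write-Warning "$spn is already held by: $($owners -join '; '). Remove the stray registration before adding it to $AppPoolAccount."
    }
}

# Final state of the account, for the change record.
& setspn -l $AppPoolAccount
```

Running the script a second time is safe: SPNs already on DOMAIN\spsadmin are reported and skipped rather than added twice. If the web application is also reached by its fully qualified name (for example http://Server01.domain.local, which the page does not list), add that URL to $Urls so the matching SPN is registered as well.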

Trusted for Delegation

The account running the application pool must be trusted for delegation in order for Kerberos to work. Register the SPNs first: the Delegation tab is only shown for an account that already has at least one SPN. To do this, follow these steps:

  1. On the domain controller, open Active Directory Users and Computers.
  2. Locate the account, DOMAIN\spsadmin, that is running your application pool.
  3. Right-click on the account and click Properties.
  4. Click the Delegation tab and then ensure Trust this user/computer for delegation to any service is checked.
  5. Click OK.
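The checkbox in step 4 sets the TRUSTED_FOR_DELEGATION bit in the account's userAccountControl attribute, which grants unconstrained delegation. The following PowerShell check is an added example, not from the original page: it reads the DOMAIN\spsadmin object directly from Active Directory and reports whether the account is trusted for delegation to any service, whether a constrained list (msDS-AllowedToDelegateTo) is set instead, and which SPNs it carries, so the result of the GUI steps can be verified and recorded. It assumes a domain-joined host and an account able to read the user object (any domain user by default); the function name is the example's own.

```powershell
# Added example (not from the WSSWiki page): verify the delegation setting made
# in Active Directory Users and Computers for the application-pool account.
# Assumption: run on a domain-joined host as a user that can read the account.
$AppPoolAccount = 'DOMAIN\spsadmin'    # from the sample scenario

# userAccountControl flag written by "Trust this user/computer for delegation
# to any service" (unconstrained delegation).
$ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationStatus {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
    foreach ($attr in 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName') {
        $searcher.PropertiesToLoad.Add($attr) | Out-Null
    }
    $user = $searcher.FindOne()
    if (-not $user) { throw "Account $Account not found in the domain" }

    $uac = [int]$user.Properties['useraccountcontrol'][0]
    # Attributes that are not set come back empty; filter out nulls so Count is honest.
    $constrained = @($user.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })
    $spns        = @($user.Properties['serviceprincipalname']     | Where-Object { $_ })

    New-Object PSObject -Property @{
        Account               = $Account
        UnconstrainedDelegate = [bool]($uac -band $ADS_UF_TRUSTED_FOR_DELEGATION)
        ConstrainedTo         = $constrained
        SPNs                  = $spns
    }
}

$status = Get-DelegationStatus -Account $AppPoolAccount
$status | Format-List Account, UnconstrainedDelegate, ConstrainedTo, SPNs

if ($status.SPNs.Count -eq 0) {
    Write-Warning "No SPNs on $AppPoolAccount; register them first, or the Delegation tab will not appear."
}
if ($status.UnconstrainedDelegate) {
    # This is what the page's step 4 configures. It lets the account present any
    # authenticated user's identity to any service, so once Kerberos works,
    # narrowing it to the specific back-end services SharePoint needs
    # (constrained delegation) is the least-privilege setting to aim for.
    Write-Host "$AppPoolAccount is trusted for delegation to any service (unconstrained)."
}
elseif ($status.ConstrainedTo.Count -gt 0) {
    Write-Host "$AppPoolAccount uses constrained delegation to: $($status.ConstrainedTo -join ', ')"
}
else {
    Write-Warning "$AppPoolAccount is not trusted for delegation; Kerberos delegation will fail."
}
```

Because the check reads the raw attributes rather than the GUI, it is also a convenient thing to run from a scheduled audit job: a change in UnconstrainedDelegate or in the SPN list on a service account is worth an alert.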

Configure Central Administration

To configure Kerberos authentication on a web application, follow these steps:

  1. Start SharePoint 3.0 Central Administration.
  2. Click the Application Management tab and select Authentication Providers.
  3. Select the web application you want to change (http://server01 or http://portal.company.com) from the Web Application list.
  4. Click the Zone that you want.
  5. Select Kerberos in the Edit Authentication page.
  6. Click OK to apply the changes.

Enable Kerberos for Shared Service Provider (SSP)

  1. Open a command prompt and navigate to your 12 Hive folder.
  2. Run:

       STSADM -o SetSharedWebServiceAuthn -negotiate

Troubleshooting

  1. Troubleshooting Kerberos Errors

External Links

  1. How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication
  2. A Marvellous Point / Configuring Kerberos for SharePoint 2007: Part 1
  3. Liam Cleary (MVP SharePoint) / MOSS2007 – Configuration process for Kerberos Authentication