Step 1: Set up the SPN for the user accounts

You have to set the Service Principal Name (SPN) for the farm account on the computer that is running SharePoint Server 2007. To do this, you must have the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D

After you download and install the Windows Support Tools, follow these steps:

1. Set the SPN for the server farm account. At a command prompt, type the following to set the SPN for the server farm account, and then press ENTER:

setspn.exe -A HTTP/ SharePoint_server . domain .com domain \ SharePoint_Server_farm_acct

For example, type the following command at the command prompt, and then press ENTER:

setspn.exe -A HTTP/mossserver.contoso.com contoso\ SharePoint_Server_farm_acct

2. Set the SPN for the SharePoint WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:

setspn.exe -A HTTP/ SharePoint_WebApplication:port domain \ application_pool_account

setspn.exe -A HTTP/ FQDN_of_the_WebApplication:port domain \ application_pool_account

For example, type the following commands, and press ENTER after each one:

setspn.exe -A HTTP/mossserver:80 contoso\ application_pool_account

setspn.exe -A HTTP/mossserver.contoso.com:80 contoso\ application_pool_account

3. Set the SPN for the SharePoint Shared Services WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:

setspn.exe -A HTTP/ SharedServices_WebApplication:port domain \ SharedServices_application_pool_account

setspn.exe -A HTTP/ FQDN_of_the_SharedServices_WebApplication:port domain \ SharedServices_application_pool_account

For example, assume that My Shared Services Web Application is hosted on port 8001. In this case, type the following commands, and press ENTER after each one:

setspn.exe -A HTTP/mossserver:8001 contoso\ application_pool_account

setspn.exe -A HTTP/mossserver.contoso.com:8001 contoso\ application_pool_account

4. After you set the SPN, verify that the SPN is set correctly on the server. To do this, type the following commands at a command prompt, and press ENTER after each one:

setspn –L Domain\ User_account_UsedtosetSPN

For example, type one of the following commands, and then press ENTER:

setspn -L contoso\ SharePoint_Server_farm_acct

setspn -L contoso\ application_pool_account

setspn -L contoso\ SharedServices_application_pool_account

If the SPN is configured correctly, the account URL address and the port number will be displayed. At the command prompt, you would see the SPN set for the user account:

HTTP/mossserver.contoso.com

HTTP/mossserver:80

HTTP/mossserver.contoso.com:80

HTTP/mossserver:8001

HTTP/mossserver.contoso.com:8001

Note Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed.

For more information, see the "Configure Kerberos authentication (Office SharePoint Server)" topic on the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/cc263449.aspx

Step 2: Trust for delegation on the user accounts and on the computer accounts

Make sure that the following user accounts are in a trust relationship on all servers that will participate in Kerberos authentication:

1. Microsoft Office SharePoint Server 2007 Servers, computer account

2. Microsoft SQL Server/Analysis server, computer account

3. Microsoft Office SharePoint Server 2007 farm, user account

4. Web Application Pool, user account

To configure a computer account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the navigation pane, click Computers.

3. Right-click the computer that you want to configure, and then click Properties.

4. Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.

To configure a user account so that it is trusted for delegation, follow these steps:

1. Click Start , click Control Panel , double-click Administrative Tools , and then double-click Active Directory Users and Computers .

2. In the navigation pane, click Users .

3. Right-click the user who you want to configure, and then click Properties .

4. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only) , and then click OK .

Step 3: Configure the SharePoint Server 2007 Web site for Kerberos authentication

Configure the SharePoint Server 2007 Web site to use Kerberos authentication. To do this, follow these steps:

1. Click Start , click Control Panel , double-click Administrative Tools , and then double-click SharePoint Central Administration .

2. Click the Application Management tab, and then click Authentication Providers .

3. In the Web Application list, select the Web application that you have to update.

4. Click the zone that you want.

5. On the Edit Authentication page for IIS Authentication Settings , click Negotiate (Kerberos) . When you are prompted for confirmation, click OK .

6. Click Integrated Windows authentication , click Negotiate (Kerberos) , and then click OK .

7. To apply the change, click Save .

For more information about how to configure Kerberos authentication on the SharePoint Server 2007 Web site, click the following article number to view the article in the Microsoft Knowledge Base:

832769 How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication

Additionally, if you run Internet Information Services 7.0 on a server that is running SharePoint Server 2007, you must also set the useAppPoolCredentials attribute value to true in the ApplicationHost.config file. This file is located in the following folder:

C:\Windows\System32\Inetsrv\Config

After you make the change in the ApplicationHost.config file, the useAppPoolCredentials attribute value should resemble the following:

<system.webServer> <security> <authentication> <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" /> </authentication> </security> </system.webServer>

Step 4: Configure Component Services on Windows Server 2003 or Windows Server 2008

1. On the server that is running SharePoint Server 2007, click Start , click Run , type dcomcnfg in the Open box, and then click OK .

2. Expand Component Services , expand Computers , right-click My Computer , and then click Properties .

3. Do one of the following:

• For Windows Server 2003, click the Default Properties tab, click Delegate in the Default Impersonation Level box, and then click OK .

• For Windows Server 2008, click the Default Properties tab, click Identify in the Default Impersonation Level box, and then click OK .

For more information about how to set an impersonation level, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms681722.aspx

4. Expand Component Services , expand Computers , and then double-click My Computer .

5. Double-click the DCOM Config folder, and then right-click IIS WAMREG admin Service .

6. Click Properties , click the Security tab, and then under Launch and Activate Permissions , click Edit .

7. In the Launch Permission dialog box, click Add .

8. In the Select Users, Computers, or Groups dialog box, type the user account that you specified as the SharePoint Server 2007 application pool account, click Check Names , and then click OK .

9. In the Permissions for UserName list, click to select the Allow check box that is next to Local Activation , and then click OK .

10. If you have more than one application pool account, repeat steps 7 to 9 for each one.

11. Click OK .

Step 5: Enable the Kerberos protocol on the SSP

You must enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, follow the steps in the "Configure your SSP infrastructure for Kerberos authentication" topic. On the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/cc263449.aspx#section14

Make sure to set the SPN for all the servers, for example

clip_image002[1]

Then, use the STSADM command to enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, at a command prompt, type the following, and then press ENTER:

STSADM -o SetSharedWebServiceAuthn -negotiate