Thanks to ajjose for this posting.

  Provisioning PWA Using Kerberos Authentication

Step 1:

Create web application with Kerberos Auth.


Step 2:

Download Windows 2003 Support tools (http://support.microsoft.com/kb/892777)

Step 3:

Create SPNs for the web application(s).

Syntax (include the port in the SPN when the web application does not listen on port 80):

Setspn.exe -A HTTP/%SHAREPOINTSERVERFQDN% %SERVERFARMACCOUNT%

Example: Setspn.exe -A HTTP/Servername.domain.com:20266 domain\account

Step 4:

In addition to setting the SPNs for each of your service accounts, you also need to trust each of the computer accounts and some of the service accounts for delegation. Trusting for delegation means that the account is allowed to act on a user's behalf when it calls other services.

To trust an account for delegation, open Active Directory Users and Computers as a user with domain administration rights and follow these instructions:

  • Locate the account and click 'properties'
  • Navigate to the 'Delegation' tab
  • Choose 'Trust this user/computer for delegation to any service (Kerberos)'


Note: if you do not see the Delegation tab, make sure you have raised the domain functional level to Windows Server 2003 (open Active Directory Users and Computers -> right-click the domain name -> select Raise Domain Functional Level -> select Windows Server 2003 -> click Apply).

Step 6:

Log in to the MOSS server and configure Component Services to allow Kerberos delegation.

Open Component Services on the MOSS server

> Navigate to Component Services > Computers > My Computer

  • Right-click My Computer -> Properties -> Default Properties -> Default Impersonation Level = Delegate (see http://support.microsoft.com/kb/917409)


> Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service

> Open Properties (for IIS WAMREG Admin Service) and go to the Security tab

> Edit Launch and Activation Permissions

> Grant all three of your application pool accounts 'Local Activation' permission


Step 7:

Create a new SSP using the new web application

Change SSP to Kerberos ('STSADM.exe -o SetSharedWebServiceAuthn -negotiate')

Enable Kerberos on IIS

    cscript adsutil.vbs set w3svc/NTAuthenticationProviders "Negotiate,NTLM"

Provision PWA on new SSP
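As an added check (not part of the original post), the following PowerShell script verifies the settings from Steps 3, 4 and 6 after the fact: the SPN exists exactly once and on the farm account, the farm account and this server's computer account are trusted for delegation, and the DCOM default impersonation level is Delegate. The FQDN, port and account name at the top are constructed placeholders; it assumes it runs on the MOSS server as a domain user who can read Active Directory.

```powershell
# Added verification script, not part of the original post. Placeholder values below
# (FQDN, port, account) are constructed: replace them with the values from your Setspn command.
param(
    [string]$ServerFqdn     = 'servername.domain.com',   # placeholder
    [int]   $Port           = 20266,                     # placeholder, the port from the post's example
    [string]$FarmAccountSam = 'farmaccount'              # placeholder sAMAccountName, no DOMAIN\ prefix
)

function Find-AdObjects([string]$Filter, [string[]]$Props) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # searches the current domain
    $searcher.Filter = $Filter
    foreach ($p in $Props) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

# 1. Step 3: the SPN must exist exactly once, on the farm account. A duplicate on any other
#    account makes the KDC encrypt tickets with the wrong key, so Kerberos fails or falls back.
$spn = "HTTP/$ServerFqdn`:$Port"
$owners = @(Find-AdObjects "(servicePrincipalName=$spn)" @('sAMAccountName') |
            ForEach-Object { $_.Properties['samaccountname'][0] })
if ($owners.Count -eq 0)                { "FAIL: $spn is not registered on any account" }
elseif ($owners.Count -gt 1)            { "FAIL: $spn is duplicated on: $($owners -join ', ')" }
elseif ($owners[0] -ne $FarmAccountSam) { "FAIL: $spn is on $($owners[0]), expected $FarmAccountSam" }
else                                    { "OK:   $spn is registered once, on $FarmAccountSam" }

# 2. Step 4: the farm account and this server's computer account must carry the
#    TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl.
$TRUSTED_FOR_DELEGATION = 0x80000
foreach ($sam in @($FarmAccountSam, "$env:COMPUTERNAME`$")) {
    $hits = @(Find-AdObjects "(sAMAccountName=$sam)" @('userAccountControl'))
    if ($hits.Count -eq 0) { "FAIL: account $sam not found in AD"; continue }
    $uac = [int]$hits[0].Properties['useraccountcontrol'][0]
    if ($uac -band $TRUSTED_FOR_DELEGATION) { "OK:   $sam is trusted for delegation" }
    else                                    { "FAIL: $sam is not trusted for delegation" }
}

# 3. Step 6: the DCOM default impersonation level. The Component Services GUI stores it in
#    HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel (4 = Delegate); when the value is
#    absent, DCOM uses its default of Identify (2).
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$level = 2
if ($ole -and $ole.LegacyImpersonationLevel) { $level = [int]$ole.LegacyImpersonationLevel }
if ($level -eq 4) { "OK:   DCOM default impersonation level is Delegate" }
else              { "FAIL: DCOM default impersonation level is $level, expected 4 (Delegate)" }
```

Run it after completing Step 6 and before creating the SSP; any FAIL line points back at the step whose setting did not take.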

Additional Links

http://technet.microsoft.com/en-us/library/cc263449.aspx

http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx