If you have ever tried to programmatically create a Web Application using Kerberos as the authentication provider, you have noticed that the Authentication Provider resets to NTLM. The cmdlet to create a new Web Application is New-SPWebApplication (or New-SPWebApplicationExtension to extend an existing one), which comes with a toggle parameter to disable Kerberos authentication (DisableKerberosAuthentication). It happens, though, that by default DisableKerberosAuthentication is set to True and, as it is a toggle type, it does not allow the use of “DisableKerberosAuthentication $true”.

Making a few tests to help respond to a forum question, I found out that we can circumvent this behavior in two ways:

 

Mode 1 - Set the Authentication Provider’s DisableKerberos property to false after creating an instance, then pass this instance to New-SPWeb*. See the example below:

 

> $ap = (New-SPAuthenticationProvider)
> $ap | fl

DisplayName                        : Windows Authentication
ClaimProviderName                  : AD
AllowAnonymous                     : False
UseBasicAuthentication             : False
DisableKerberos                    : True          <<<< Note that Kerberos is disabled by default
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl       : /_windows/default.aspx
UpgradedPersistedProperties        :

> $ap.DisableKerberos = $false

> $ap | fl *

DisplayName                        : Windows Authentication
ClaimProviderName                  : AD
AllowAnonymous                     : False
UseBasicAuthentication             : False
DisableKerberos                    : False   <<< Now I made sure that Kerberos is enabled
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl       : /_windows/default.aspx
UpgradedPersistedProperties        : {}

> New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url http://www.contoso.com -AuthenticationProvider $ap

 

Mode 2 - Forcing the property DisableKerberos to be false during instantiation using a hack (thanks to Dan Holme):

 

> $ap = New-SPAuthenticationProvider -DisableKerberos:$false

> New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url http://www.contoso.com -AuthenticationProvider $ap

 

Or all in one single line:

> New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url http://www.contoso.com -AuthenticationProvider (New-SPAuthenticationProvider -DisableKerberos:$false)
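
To confirm that the setting actually stuck, and to find web applications that were created with the default and silently fell back to NTLM, the following added example (not part of the original post) lists every web application zone with its DisableKerberos value. It assumes the SharePoint snap-in is available; the function name Get-KerberosAuditReport and the report column names are illustrative.

```powershell
# Added example: report, per web application zone, whether Kerberos is still disabled.
# Run in the SharePoint Management Shell (or load the snap-in as below).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-KerberosAuditReport {   # hypothetical helper name
    foreach ($wa in Get-SPWebApplication) {
        # IisSettings is keyed by zone, so only zones that exist are checked
        foreach ($zone in @($wa.IisSettings.Keys)) {
            try {
                $providers = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone -ErrorAction Stop)
            } catch {
                # Assumption: zones without claims providers (e.g. classic mode) land here
                Write-Warning "$($wa.Url) [$zone]: $($_.Exception.Message)"
                continue
            }
            foreach ($p in $providers) {
                # Only the Windows provider exposes DisableKerberos; skip other provider types
                if (-not $p.PSObject.Properties['DisableKerberos']) { continue }
                New-Object PSObject -Property @{
                    WebApplication  = $wa.Url
                    Zone            = $zone
                    Provider        = $p.DisplayName
                    DisableKerberos = $p.DisableKerberos
                }
            }
        }
    }
}

$report = @(Get-KerberosAuditReport)
$report | Select-Object WebApplication, Zone, Provider, DisableKerberos | Format-Table -AutoSize

# Zones created with the default, which therefore fell back to NTLM
$ntlmOnly = @($report | Where-Object { $_.DisableKerberos })
if ($ntlmOnly.Count -gt 0) {
    Write-Warning "$($ntlmOnly.Count) zone(s) still have DisableKerberos = True"
}
```

A zone reporting DisableKerberos = False only offers Negotiate; clients still end up on NTLM if no SPN is registered for the application pool account.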

 

*** SECOND WORKAROUND CREDIT ***

Binging around before posting this I found a post where Dan Holme suggests the second workaround:

http://www.windowsitpro.com/article/sharepoint/Power-Trip-PowerShell-Bug-and-Claims.aspx