SharePoint Brew
The official blog of Russ Maxwell, Microsoft SharePoint Premier Field Engineer

Configuring Kerberos Authentication in SharePoint 2010


Configure Kerberos Authentication in SharePoint 2010 

When configuring Kerberos with SharePoint 2010 you will be using IIS 7.0.

In IIS 7.0, Integrated Windows authentication is handled in kernel mode and is enabled by default.  This was done primarily for ease of use and for performance, since authentication no longer happens in user mode.  The problem is that kernel mode authentication is not supported in SharePoint 2010.  SharePoint 2010 disables kernel mode authentication by default on its web sites, so it is not covered in further detail here.

The basic steps for enabling Kerberos in a SharePoint web farm are to specify the application pool identity for the associated web application and then create an SPN for that identity using the setspn tool.

Farm scenario task:

Enable Kerberos for the following:

  • SharePoint Web Application “SharePoint – 80”
  • Site is named contoso.com
  • Web Application is using the domain account ”contoso\farmadmin” as the application pool identity.


Step 1: Set useAppPoolCredentials to true in the applicationHost.config file.

The first step is setting the useAppPoolCredentials attribute to true in the applicationHost.config file for the associated web site.

In this example, I want to set this attribute on my “SharePoint – 80” web application:

Locate the applicationHost.config file in the following directory:

c:\windows\system32\inetsrv\config\

When you open applicationHost.config with Notepad you will see something like this for the web site “WebApplicationName”:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>

A.) Run appcmd and set the useAppPoolCredentials attribute to true for the associated web site:

appcmd set config "SharePoint - 80" /section:windowsAuthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

Checking applicationHost.config again, you should now see the following for the associated web site:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>


Step 2: Set SPN

An SPN is required to map the service/host name to the application pool identity.

A.) Install the setspn tool from the following location:

http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en

B.) From a command prompt, run the following command:

setspn.exe -a http/contoso.com contoso\farmadmin

Note:  Run setspn from a member server, not a domain controller.  :)


Step 3: Trust the service account for delegation

A.) Launch Active Directory Users and Computers

B.) Locate account running as the application pool identity

C.) Go to properties on the account, select delegation tab

D.) Select “Trust this user for delegation to any service (Kerberos only)” and click OK


Step 4: Enable Kerberos on the Web Application

A.) Launch Central Admin and select Application Management

B.) Select Manage Web Application and choose the appropriate web application

C.) From the ribbon, select Authentication Providers

D.) Select the associated zone and enable Negotiate (Kerberos) and save


Step 5: Verify that Kerberos authentication is working

A.) Go to the security log on the WFE

B.) Filter on Event ID 4624

[Screenshot: Security log Event ID 4624 showing a logon authenticated with Kerberos]

In the above event you can see that the logon used Kerberos.  If you scroll further up in the event, you can also see the source computer and the user account that logged on.  On a high-traffic server it is easier to filter this event on the logon account to confirm.
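The following script is an added example (not part of the original post) that scripts the five steps above for one web application: it reports each setting and, only when run with -Apply, makes the same changes the post makes by hand. The site name "SharePoint - 80", host name contoso.com and account contoso\farmadmin are the post's scenario values and are assumptions you would replace; it also assumes an elevated PowerShell on the WFE with the ActiveDirectory module (RSAT), setspn.exe and, for the Step 4 check, the SharePoint 2010 Management Shell snap-in.

```powershell
# Added example, not from the original post: verify (and with -Apply, configure)
# Kerberos for a SharePoint 2010 web application. Assumed scenario values below.
param(
    [string]$SiteName       = 'SharePoint - 80',      # IIS web site name (assumption)
    [string]$HostName       = 'contoso.com',          # host name users browse to (assumption)
    [string]$AppPoolAccount = 'contoso\farmadmin',    # application pool identity (assumption)
    [switch]$Apply                                    # without -Apply nothing is changed
)
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$section = 'windowsAuthentication'
$spn     = "HTTP/$HostName"
$sam     = $AppPoolAccount.Split('\')[-1]             # sAMAccountName part of DOMAIN\user
$report  = @{}

function Get-WinAuthAttribute([string]$Name) {
    # appcmd /text:<attr> prints just the attribute value for the site's windowsAuthentication section
    ((& $appcmd list config $SiteName /section:$section /text:$Name) -join '').Trim()
}

# Step 1: useAppPoolCredentials=true so IIS decrypts the service ticket with the app pool
# account's key. useKernelMode must be false, since kernel mode auth is unsupported in SP2010.
if ($Apply) {
    & $appcmd set config $SiteName /section:$section /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST | Out-Null
}
$report['1_useAppPoolCredentials'] = (Get-WinAuthAttribute 'useAppPoolCredentials') -eq 'true'
$report['1_kernelModeDisabled']    = (Get-WinAuthAttribute 'useKernelMode') -eq 'false'

# Step 2: the HTTP SPN for the host name must be registered on the app pool account.
# setspn -S is used instead of the post's -a: it refuses to register a duplicate SPN,
# and a duplicate SPN is the classic reason Kerberos silently falls back to NTLM.
if ($Apply) { & setspn.exe -S $spn $AppPoolAccount | Out-Null }
$report['2_spnRegistered'] = ((& setspn.exe -Q $spn) -join ' ') -match 'Existing SPN found'

# Step 3: "Trust this user for delegation to any service (Kerberos only)" is the
# TrustedForDelegation flag on the account; the tab only appears once an SPN exists.
Import-Module ActiveDirectory
if ($Apply) { Set-ADUser -Identity $sam -TrustedForDelegation $true }
$report['3_trustedForDelegation'] = [bool](Get-ADUser -Identity $sam -Properties TrustedForDelegation).TrustedForDelegation

# Step 4: Negotiate (Kerberos) enabled on the default zone (read-only check; the post
# changes this through Central Admin > Authentication Providers).
try {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    $wa   = Get-SPWebApplication | Where-Object { $_.DisplayName -eq $SiteName }
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $report['4_negotiateEnabled'] = -not $wa.IisSettings[$zone].DisableKerberos
} catch {
    $report['4_negotiateEnabled'] = 'unknown (SharePoint snap-in not available)'
}

# Step 5: recent 4624 network logons (LogonType 3) whose authentication package is Kerberos.
# NTLM logons show AuthenticationPackageName=NTLM, so this is the scripted form of the
# event log filter in the post.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$kerberosLogons = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.AuthenticationPackageName -eq 'Kerberos' -and $data.LogonType -eq '3') {
        New-Object PSObject -Property @{
            Time   = $e.TimeCreated
            User   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source = $data.IpAddress
        }
    }
}
$report['5_kerberosLogonsLastHour'] = @($kerberosLogons).Count

$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
$kerberosLogons | Sort-Object Time -Descending | Select-Object -First 10 Time, User, Source | Format-Table -AutoSize
```

Run it without -Apply first: every line of the report should already be true (or a non-zero logon count) on a farm where the five steps were completed, and a false on line 1 or 2 is the usual reason the 4624 events keep showing NTLM. The step order matters as the comments below note: the SPN (Step 2) has to exist before the Delegation tab, and therefore the TrustedForDelegation flag, is available (Step 3).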

  • Hi Russmax,

    Great post.

    Also, will SharePoint Foundation use FBA the same way wss v3.0 used FBA?

    Thanks,

    John

  • Great post!  I found that you need to set the spn first.  Otherwise, the Delegation tab will not be present.

  • Any plans for Part II?????

  • Hi!

    Worked well after getting it right :). When specifying the SPN I could not use the short machine name (moss) for the site, but it worked when I used the full machine name (moss.corp.ab.com).

    Thanx, Albert

  • So does this mean we don't need to set the mssp\servername:32843 SPN like we did in 2007 (using 56xxx?) to get all of the web services (especially Excel and PPS) to run in Kerberos?

    Thanks!

  • Hi,

    Could you explain this: MACHINE/WEBROOT/APPHOST?  I cannot find Application.config, only ApplicationHost.config: is it the same?

    Kind Regards

  • Thank you so much, it worked perfectly.

    I've been trying to configure Kerberos on my web app for two days now - the TechNet guides are not very accurate.

  • Thanks,

    Step 3 must be done before Step 2 can be done though.  The Delegation tab will not appear on the account properties until the SPN has been set.

  • Timm, you are correct!  Good catch and will fix now...

  • Thanks! Solved our kerberos problem on MOSS 2007 and Performance Point Server. Never would've thought this was IIS issue :)

  • Thanks for this guide,

    Just to be sure, can we configure Kerberos on web applications that have already been created using NTLM? We are in a production environment and hope we don't have to change the app pool identities or recreate the web apps.

    Looking forward to your response.

    amir.khan@productivitypartners.nl

  • The Microsoft whitepaper "Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products" states that SharePoint 2010 does not support kernel mode in IIS. Quote:

    Verify Kernel Mode Authentication is disabled

    Kernel mode authentication is not supported in SharePoint Server 2010. By default all SharePoint Web Applications should have Kernel Mode Authentication disabled by default on their corresponding IIS web sites. Even in situations where the web application was configured on an existing IIS web site, SharePoint will disable kernel mode authentication as it provisions a new web application on the existing IIS site.

    See

    www.microsoft.com/.../details.aspx

  • Very nice. It works only when I am logged in on my machine as me.

    If I try to sign in as different users on my machine (while logged in as me), the site does not respond.

  • Any response to Mark N's comment about kernel mode not being supported in 2010 Sharepoint?

  • Hello Dre and Marc_N,

    I agree 100% with the authors/contributors of the whitepaper.  Kernel mode auth is not supported, so I will update this blog to reflect this.

    Thanks for bringing this to my attention.  

    Russ Maxwell, MSFT
