How to configure Microsoft Office SharePoint Server 2007 site for Kerberos authentication
Step 1: Set up the Service Principal Name for the user accounts
You have to set the Service Principal Name (SPN) for the farm account and for the application pool account. To do this, you need the Setspn.exe tool from the Windows Server 2003 Service Pack 1 32-bit Support Tools, installed on any computer in the domain, and you must run it as an account that is allowed to write the servicePrincipalName attribute of the target accounts (a domain administrator, by default). To obtain the Windows Support Tools, download them from the Microsoft Download Center:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D
After you have downloaded and installed the Windows Support Tools, follow these steps:
1. Set the SPN for the server farm account:

   setspn.exe -A HTTP/SharePoint_serverName.domain.com Domain\SharePoint_Server_farm_acct

   Example:

   setspn.exe -A HTTP/mossserver.contoso.com contoso\SharePoint_Server_farm_acct

2. Set the SPNs for the Microsoft Office SharePoint Server 2007 Web site, with and without the domain suffix, on the application pool account:

   setspn.exe -A HTTP/SharePoint_serverName:portnumber Domain\application_pool_account
   setspn.exe -A HTTP/SharePoint_serverName.domain.com:portnumber Domain\application_pool_account

   Example:

   setspn.exe -A HTTP/mossserver:80 contoso\application_pool_account
   setspn.exe -A HTTP/mossserver.contoso.com:80 contoso\application_pool_account

3. After you set the SPNs, run the following commands to verify that each account holds exactly the SPNs you registered. An SPN must exist on only one account in the domain: if the same SPN is present on two accounts, the KDC may encrypt the service ticket with the wrong account's key and Kerberos authentication to the site fails, so remove any stray entry with setspn.exe -D before continuing.

   setspn.exe -L Domain\SharePoint_Server_farm_acct

   Example:

   setspn.exe -L contoso\SharePoint_Server_farm_acct
   HTTP/mossserver.contoso.com

   setspn.exe -L Domain\application_pool_account

   Example:

   setspn.exe -L contoso\application_pool_account
   HTTP/mossserver.contoso.com:80
   HTTP/mossserver:80
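The three registrations and the verification from Step 1 as one script. This is an added example, not part of the original article: it wraps setspn.exe, looks the SPN up in Active Directory before each -A (the Support Tools version of setspn -A does not refuse an SPN that another account already holds), and then lists the result. The domain, host name and account names are the article's placeholders (contoso, mossserver, SharePoint_Server_farm_acct, application_pool_account) and are assumptions; replace them with your own before running.

```powershell
# Added example (not from the original article): register the Step 1 SPNs with setspn.exe,
# refusing to add one that already belongs to another account, then verify with setspn -L.
# Run on a domain-joined machine with the Support Tools installed, as an account allowed to
# write servicePrincipalName. All names below are assumptions taken from the article's examples.

$domain         = 'contoso'
$farmAccount    = 'SharePoint_Server_farm_acct'   # assumed farm account (sAMAccountName)
$appPoolAccount = 'application_pool_account'      # assumed application pool account
$hostName       = 'mossserver'                    # assumed NetBIOS host name
$fqdn           = 'mossserver.contoso.com'        # assumed fully qualified host name
$port           = 80

# The SPN-to-account mapping exactly as the article prescribes it.
$plan = @(
    @{ Spn = "HTTP/$fqdn";             Account = $farmAccount },
    @{ Spn = "HTTP/${hostName}:$port"; Account = $appPoolAccount },
    @{ Spn = "HTTP/${fqdn}:$port";     Account = $appPoolAccount }
)

# Returns the sAMAccountName of every object in the domain that already carries $Spn.
# DirectorySearcher with no SearchRoot searches the root of the current domain.
function Get-SpnOwner {
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

foreach ($item in $plan) {
    $owners = @(Get-SpnOwner $item.Spn)
    if ($owners.Count -eq 0) {
        Write-Host "Registering $($item.Spn) on $domain\$($item.Account)"
        & setspn.exe -A $item.Spn "$domain\$($item.Account)"
    }
    elseif ($owners.Count -eq 1 -and $owners[0] -ieq $item.Account) {
        Write-Host "$($item.Spn) is already registered on $($item.Account)"
    }
    else {
        # Duplicate or wrongly placed SPN: the KDC may issue tickets for the wrong key,
        # so stop here and remove the stray entry (setspn.exe -D) before continuing.
        Write-Warning ("{0} is held by: {1}. Fix this before continuing." -f $item.Spn, [string]::Join(', ', $owners))
    }
}

# Step 1, item 3: list what each account now holds.
& setspn.exe -L "$domain\$farmAccount"
& setspn.exe -L "$domain\$appPoolAccount"
```

The lookup is done with an LDAP search rather than setspn -L because -L shows only what one account holds; the point is to find the same SPN on a different account, which is the case that breaks Kerberos and that the article's verification step cannot reveal.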
Step 2: Trust for delegation on the user accounts and computer accounts
Make sure that the following accounts are trusted for delegation on every server that will participate in Kerberos authentication:

• The computer account of each Microsoft Office SharePoint Server 2007 server.

• The computer account of the SQL Server / Analysis Services server.

• The Microsoft Office SharePoint Server 2007 farm user account.

• The Web application pool user account.
To configure a computer account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the navigation pane, click Computers.

3. Right-click the computer that you want to configure, and then click Properties.

4. Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.

"Any service" is unconstrained delegation: once it is set, the server can present any user who authenticates to it to any Kerberos service in the forest. If the domain is at the Windows Server 2003 functional level, the same tab also offers Trust this computer for delegation to specified services only, which limits delegation to the SPNs you list (for example, the SQL Server or Analysis Services SPN); prefer that option when it meets the farm's needs.
To configure a user account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the navigation pane, click Users.

3. Right-click the user who you want to configure, and then click Properties.

4. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.

The Delegation tab is shown for a user account only after at least one SPN has been registered on it, which is why Step 1 must be completed first. The same choice between delegation to any service and delegation to specified services only applies to user accounts as to computer accounts.
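The Delegation tab option above sets one bit, ADS_UF_TRUSTED_FOR_DELEGATION (0x80000), in the account's userAccountControl attribute. The script below, an added example that is not part of the original article, sets that bit on each account listed in Step 2 and then reports the state of every account, so that a missed account shows up before you test the site. The computer account names MOSSSERVER$ and SQLSERVER$ are assumptions; the two user account names are the article's placeholders. It needs a domain account permitted to modify userAccountControl on those objects (Domain Admins by default).

```powershell
# Added example (not from the original article): set the same flag that the Delegation tab's
# "Trust this ... for delegation to any service (Kerberos only)" option sets, for every
# account listed in Step 2, then report the result. Account names are assumptions.

$TRUSTED_FOR_DELEGATION = 0x80000    # ADS_UF_TRUSTED_FOR_DELEGATION bit of userAccountControl

# Computer accounts carry a trailing '$' in sAMAccountName.
$accounts = @(
    'MOSSSERVER$',                   # assumed SharePoint server computer account
    'SQLSERVER$',                    # assumed SQL Server / Analysis Services computer account
    'SharePoint_Server_farm_acct',   # farm account from the article
    'application_pool_account'       # application pool account from the article
)

# Finds the object by sAMAccountName in the current domain and returns a writable DirectoryEntry.
function Get-AdObject {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "No account named $SamAccountName in this domain" }
    $result.GetDirectoryEntry()
}

# True when the account is trusted for (unconstrained) delegation.
function Test-TrustedForDelegation {
    param([string]$SamAccountName)
    $uac = [int]((Get-AdObject $SamAccountName).Properties['userAccountControl'].Value)
    return (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
}

# Sets the bit if it is not already set; other userAccountControl bits are preserved.
function Enable-TrustedForDelegation {
    param([string]$SamAccountName)
    $entry = Get-AdObject $SamAccountName
    $uac = [int]($entry.Properties['userAccountControl'].Value)
    if (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0) { return }
    $entry.Properties['userAccountControl'].Value = ($uac -bor $TRUSTED_FOR_DELEGATION)
    $entry.CommitChanges()
}

foreach ($name in $accounts) {
    Enable-TrustedForDelegation $name
    "{0,-32} trusted for delegation: {1}" -f $name, (Test-TrustedForDelegation $name)
}
```

Test-TrustedForDelegation reports only the "any service" flag. If you chose Trust this computer for delegation to specified services only instead, the flag stays clear and the permitted targets are stored in the msDS-AllowedToDelegateTo attribute, so check that attribute rather than this bit.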
Step 3: Configure the SharePoint Server 2007 Web site for Kerberos authentication

1. Click Start, point to Administrative Tools, and then click SharePoint Central Administration.

2. Click the Application Management tab, and then click Authentication Providers.

3. In the Web Application list, select the Web application that you have to update.

4. Click the zone that you want.

5. On the Edit Authentication page, under IIS Authentication Settings, Integrated Windows authentication, click Negotiate (Kerberos). When you are prompted for confirmation, click OK.

6. To apply the change, click Save.
Step 4: Enable Kerberos on the Shared Services Provider (SSP)
You must enable Kerberos on the Shared Services Provider (SSP). At a command prompt, type the following and then press ENTER:
STSADM -o SetSharedWebServiceAuthn -negotiate
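Selecting Negotiate (Kerberos) in Step 3 does not by itself prove that Kerberos is used: when the SPN or delegation setup is wrong, Negotiate falls back to NTLM and the site keeps working, so the only reliable signal is the authentication package recorded with each network logon in the server's Security log. The script below, an added example that is not part of the original article, runs on the SharePoint server and counts recent network logons by package, naming the accounts that still arrive over NTLM. It assumes "Audit logon events" (success) is enabled and that you run it from an elevated prompt; event 540 is the Windows Server 2003 successful network logon event and 4624 its Windows Server 2008 and later equivalent.

```powershell
# Added example (not from the original article): after Steps 3 and 4, confirm on the
# SharePoint server that clients authenticate with Kerberos rather than falling back to NTLM.
# Reads the local Security log; requires logon auditing (success) and an elevated prompt.

function Get-NetworkLogonSummary {
    param([int]$Newest = 1000)   # how many recent Security events to examine
    $summary   = @{ Kerberos = 0; NTLM = 0; Other = 0 }
    $ntlmUsers = @{}
    # 540 = successful network logon (Windows Server 2003), 4624 = logon (Windows Server 2008+)
    $events = Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 540 -or $_.EventID -eq 4624 }
    foreach ($e in $events) {
        $text = $e.Message
        # Logon type 3 is a network logon, which is what an IIS request produces.
        if ($text -notmatch 'Logon Type:\s+3\b') { continue }
        $package = 'Other'
        if ($text -match 'Authentication Package:\s+(\S+)') { $package = $matches[1] }
        switch ($package) {
            'Kerberos' { $summary.Kerberos++ }
            'NTLM'     {
                $summary.NTLM++
                # 540 labels the user "User Name:"; 4624 has two "Account Name:" fields and the
                # subject one is "-" for network logons, so keep the last name that is not "-".
                $user = 'unknown'
                foreach ($m in [regex]::Matches($text, '(?:User Name|Account Name):\s+(\S+)')) {
                    if ($m.Groups[1].Value -ne '-') { $user = $m.Groups[1].Value }
                }
                $ntlmUsers[$user] = $true
            }
            default    { $summary.Other++ }
        }
    }
    $summary.NtlmUsers = @($ntlmUsers.Keys)
    return $summary
}

$result = Get-NetworkLogonSummary
"Kerberos: {0}   NTLM: {1}   Other: {2}" -f $result.Kerberos, $result.NTLM, $result.Other
if ($result.NTLM -gt 0) {
    Write-Warning ("Accounts still using NTLM (check SPNs and the host name clients use): " +
                   [string]::Join(', ', $result.NtlmUsers))
}
```

A mix of Kerberos and NTLM usually means some clients reach the site by a name that has no SPN (for example, by IP address or an alias not registered in Step 1); all-NTLM after the change usually means a duplicate or missing SPN, or a client that is not domain-joined.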
For known issues, see:
http://technet.microsoft.com/en-us/library/cc263449.aspx