How to configure Excel Services for Kerberos Authentication
05 October 09 07:57 AM | cmmahesh | 0 Comments   

After you have configured SharePoint Server 2007 for Kerberos authentication, you can now configure Excel Services for Kerberos authentication. Follow these steps in the order in which they are presented to configure Excel Services for Kerberos authentication.

Step 1: Configure user permissions in SQL Server 2005 Analysis Services

1. Start SQL Server Management Studio, and then connect to the instance of SQL Server 2005 Analysis Services.

2. Right-click the Analysis Services folder, and then click Properties.

3. Click Security in the navigation pane.

4. Under NT Users and Groups, click Add, and then add each user to whom you want to grant access to Excel Services. If you want to grant access to all users, add Authenticated users.

5. Close Analysis Services Properties.

Step 2: Configure SQL Server 2005 Analysis Services to use Kerberos authentication

For more information about how to configure SQL Server 2005 Analysis Services to use Kerberos authentication, click the following article number to view the article in the Microsoft Knowledge Base:

917409 How to configure SQL Server 2005 Analysis Services to use Kerberos authentication

Step 3: Configure Excel Services for delegation

To configure Excel Services for delegation, follow these steps:
1. At a command prompt, type the following, and then press ENTER:

STSADM -o set-ecssecurity -ssp <Shared Services Provider Name> -accessmodel delegation

2. Type the following, and then press ENTER:

STSADM -o execadmsvcjobs

Using VSTS 2008 for load testing SharePoint Site for starters.
04 September 09 02:22 PM | cmmahesh | 0 Comments   

Prerequisites:
Visual Studio Team System 2008

Access to the site that you want to performance test.

Setup:
There are two steps to create a load test:

  1. Create a "Web Test". This records all the links we follow while browsing the site, as a typical end user would.
  2. Create a "Load Test". Here we set the kind of load to apply to the Web Test: number of users, type of users, different client browsers and different networks.

The first step is to create a Test project.

We now create a Web Test.

When creating Web Tests we can separate them by the kind of user accessing the site, such as read-only users and contributors. Readers are users who only access the site, whereas contributors modify and add data to the SharePoint site.

To create a Web Test, right-click the Project Name --> ADD --> New Item (select "Web Test" and name it "Reader.webtest"). This brings up a browser with a "Web Test Recorder" inside it. Browse to the SharePoint site and navigate around it. When you are done, click Stop to finish the recording.
You have now created a Web Test based on reader users.


We can now create another Web Test in which the users modify and add data to the site. Right-click the Project Name --> ADD --> New Item (select "Web Test" and name it "Contributors.webtest").

Now browse to the site and make changes to it. I would modify list items or add some items to a list.

Note: While adding anything to the site, avoid creating a list or document library. When you run the test, it would try to create a list with the same name and the test would error out. The same holds for uploading a document: each time you upload a document, VSTS would not know where to pick up the document for the upload and would error out. However, we could create a folder within the project that holds all the documents and refer to it in the upload parameter.

We have now created two Web Tests, Reader.webtest and Contributors.webtest.

Next, create a Load Test for the Web application.

To create a Load Test, right-click the Project Name --> ADD --> Load Test. This brings up an easy-to-follow wizard.

Make sure to select the Web Tests that we created earlier, Reader.webtest and Contributors.webtest.

The next step gives you an option to select the types of browser and the distribution of the load across the browsers.

The next step would give you an option to select the type of Network and the distribution of the load across the network.


Finish the wizard and also make sure to select the duration of this load test to run.

Now all you need to do is run the Load Test you created and watch Perfmon counters such as the ASP.NET "Requests Current" counter on the WFE to check the load on the site.

Install & Configure ISA server 2006 for MOSS 2007 Environment: “SharePoint Publishing Rule”
10 June 09 06:58 AM | cmmahesh | 2 Comments   

Note: I have used this setup for internal testing purposes. This configuration might be different in a production environment.

Step1: Prerequisite for Installing ISA server 2006:

We need to have 2 Network Adapters configured.

Rename one of the network adapters to Internal and the other to External, just for identification.

The key point to note is that no default gateway or DNS server is specified for the External adapter. ISA Server needs this configuration to route packets correctly.

Step2: Now that we have the network Adapter setup, we can now install ISA server 2006

We can have the ISA server within the MOSS domain or within a workgroup, but we need to make sure the internal NIC can reach the MOSS server through an IP address or server name.

While installing ISA Server we need to install both the Server Services and the Configuration Storage Server.

Use the default configuration settings provided by the setup and continue.

Setup then gives you the option to select the Internal Network. Make sure to select the Internal network.

Click on ADD --> Add Adapter --> select the Internal network adapter.

Use the default configuration settings provided by the setup and continue to finish the installation.

Step3: Now that we have the ISA server installed we need to configure a few Firewall rules

Firewall Rule to allow all protocol communication:

We need to create an Access rule to allow RDP and Ping. So usually I would allow all protocols to communicate from the ISA server to the outside world.

We need to select both the External and the Internal network for communication. This applies to both the traffic sources and the traffic destinations.

Now we configure the SharePoint Publishing firewall rule. We are not using SSL termination.

Internal Site Name: the MOSS site address only, without the port number. For example, if we have a MOSS site http://lc1-6a06:8080, the Internal Site Address would be only http://lc1-6a06 without the port number. We bridge the port number later in the wizard.

The Computer Name: is the MOSS Servers IP or the customer name. I would prefer giving the IP if the ISA server is not part of the MOSS domain.

Accept requests for should be set to "This domain name".

The Public name is the external URL of the MOSS site, which clients use to access the MOSS site.

We need to configure a Listener for the SharePoint Publishing Rule:


Click on New to create a listener.



Click on Next and finish the listener creation.

Now we continue creating the publishing rule.


My AAM looks like:

Internal URL                              Zone      Public URL for Zone
http://lc1-6a06:8080                      Default   http://www.externalurl.domain.com
http://www.externalurl.domain.com:8080    Default   http://www.externalurl.domain.com
http://www.externalurl.domain.com         Default   http://www.externalurl.domain.com

We use All Users to allow any user to connect to the ISA server for any request.

Click next and finish the Publishing rule.

Once we have created the Publishing rule we need to change a few settings:

Changing the bridging info

We need to make sure the HTTP port is set to 8080, since our site runs on port 8080 on the MOSS server. The ISA server then bridges port 80 externally to port 8080 internally.

We need to change the publishing rule to allow

Go to the Properties of the Publishing Rule --> Listener --> Properties --> Authentication --> Advanced.

Make sure "Allow client authentication over HTTP" is checked.

This completes the configuration of ISA Server 2006 with the Publishing Rule.

Now try to access the SharePoint site from the client. If you get prompted for credentials then the publishing rule is working.

How to configure Microsoft Office SharePoint Server 2007 site for Kerberos authentication
18 June 08 07:59 AM | cmmahesh | 1 Comments   

Step 1: Set up the SPN for the user accounts

You have to set the Service Principal Name (SPN) for the farm account on the computer that is running SharePoint Server 2007. To do this, you must have the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D

After you download and install the Windows Support Tools, follow these steps:

1. Set the SPN for the server farm account. At a command prompt, type the following to set the SPN for the server farm account, and then press ENTER:

setspn.exe -A HTTP/SharePoint_server.domain.com domain\SharePoint_Server_farm_acct

For example, type the following command at the command prompt, and then press ENTER:

setspn.exe -A HTTP/mossserver.contoso.com contoso\SharePoint_Server_farm_acct

2. Set the SPN for the SharePoint WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:

setspn.exe -A HTTP/SharePoint_WebApplication:port domain\application_pool_account

setspn.exe -A HTTP/FQDN_of_the_WebApplication:port domain\application_pool_account

For example, type the following commands, and press ENTER after each one:

setspn.exe -A HTTP/mossserver:80 contoso\application_pool_account

setspn.exe -A HTTP/mossserver.contoso.com:80 contoso\application_pool_account

3. Set the SPN for the SharePoint Shared Services WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:

setspn.exe -A HTTP/SharedServices_WebApplication:port domain\SharedServices_application_pool_account

setspn.exe -A HTTP/FQDN_of_the_SharedServices_WebApplication:port domain\SharedServices_application_pool_account

For example, assume that My Shared Services Web Application is hosted on port 8001. In this case, type the following commands, and press ENTER after each one:

setspn.exe -A HTTP/mossserver:8001 contoso\application_pool_account

setspn.exe -A HTTP/mossserver.contoso.com:8001 contoso\application_pool_account

4. After you set the SPN, verify that the SPN is set correctly on the server. To do this, type the following commands at a command prompt, and press ENTER after each one:

setspn -L Domain\User_account_UsedtosetSPN

For example, type one of the following commands, and then press ENTER:

setspn -L contoso\SharePoint_Server_farm_acct

setspn -L contoso\application_pool_account

setspn -L contoso\SharedServices_application_pool_account

If the SPN is configured correctly, the account URL address and the port number will be displayed. At the command prompt, you would see the SPN set for the user account:

HTTP/mossserver.contoso.com

HTTP/mossserver:80

HTTP/mossserver.contoso.com:80

HTTP/mossserver:8001

HTTP/mossserver.contoso.com:8001
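
An added example (not part of the original post): a Python check over `setspn -L` output that reports any SPN registered on more than one account, which makes Kerberos authentication for that service fail, and any host:port SPN whose short-name or FQDN counterpart is missing. The sample output is constructed from the accounts used above; old_pool_account and its entry are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of concatenated `setspn -L` output (old_pool_account is hypothetical).
SAMPLE = """\
Registered ServicePrincipalNames for CN=SharePoint_Server_farm_acct,CN=Users,DC=contoso,DC=com:
    HTTP/mossserver.contoso.com
Registered ServicePrincipalNames for CN=application_pool_account,CN=Users,DC=contoso,DC=com:
    HTTP/mossserver:80
    HTTP/mossserver.contoso.com:80
Registered ServicePrincipalNames for CN=old_pool_account,CN=Users,DC=contoso,DC=com:
    HTTP/MOSSSERVER:80
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),", re.I)

def parse_setspn(text):
    """Return {account: [spn, ...]} from `setspn -L` output."""
    spns, account = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        match = HEADER.match(line)
        if match:
            account = match.group(1)
        elif line and account:
            spns[account].append(line)
    return dict(spns)

def duplicate_spns(spns):
    """SPNs held by more than one account; SPN comparison is case-insensitive."""
    owners = defaultdict(set)
    for account, names in spns.items():
        for name in names:
            owners[name.lower()].add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

def missing_pairs(spns, domain):
    """(account, spn) for each host:port SPN whose short/FQDN twin is absent."""
    suffix, missing = "." + domain.lower(), []
    for account, names in spns.items():
        have = {n.lower() for n in names}
        for spn in sorted(have):
            service, _, target = spn.partition("/")
            host, colon, port = target.partition(":")
            if not colon:
                continue  # port-less SPN (the farm account): no twin expected
            twin_host = host[:-len(suffix)] if host.endswith(suffix) else host + suffix
            twin = f"{service}/{twin_host}:{port}"
            if twin not in have:
                missing.append((account, twin))
    return sorted(missing)

if __name__ == "__main__":
    parsed = parse_setspn(SAMPLE)
    print(duplicate_spns(parsed), missing_pairs(parsed, "contoso.com"))
```
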

Note: Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed.

For more information, see the "Configure Kerberos authentication (Office SharePoint Server)" topic on the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/cc263449.aspx

Step 2: Trust for delegation on the user accounts and on the computer accounts

Make sure that the following user accounts are in a trust relationship on all servers that will participate in Kerberos authentication:

1. Microsoft Office SharePoint Server 2007 Servers, computer account

2. Microsoft SQL Server/Analysis server, computer account

3. Microsoft Office SharePoint Server 2007 farm, user account

4. Web Application Pool, user account

To configure a computer account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the navigation pane, click Computers.

3. Right-click the computer that you want to configure, and then click Properties.

4. Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.

To configure a user account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the navigation pane, click Users.

3. Right-click the user who you want to configure, and then click Properties.

4. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.
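
An added example (not from the original post): "Trust ... for delegation to any service" is unconstrained delegation, so after this step it is worth confirming that the four accounts listed above carry it and that no other account does. This Python check reads a constructed CSV export of DN, sAMAccountName and userAccountControl (for instance from csvde); the names MOSSSERVER$, SQLSERVER$, helpdesk_svc, jdoe and DC01$ are hypothetical.

```python
import csv
import io

TRUSTED_FOR_DELEGATION = 0x80000  # "Trust ... for delegation to any service"
SERVER_TRUST_ACCOUNT = 0x2000     # domain controllers carry the flag by default

# The four accounts Step 2 lists; the computer names are hypothetical stand-ins.
EXPECTED = {"mossserver$", "sqlserver$",
            "sharepoint_server_farm_acct", "application_pool_account"}

# Constructed CSV export of three directory attributes (all rows are sample data).
SAMPLE_CSV = '''DN,sAMAccountName,userAccountControl
"CN=MOSSSERVER,CN=Computers,DC=contoso,DC=com",MOSSSERVER$,528384
"CN=SQLSERVER,CN=Computers,DC=contoso,DC=com",SQLSERVER$,4096
"CN=SharePoint_Server_farm_acct,CN=Users,DC=contoso,DC=com",SharePoint_Server_farm_acct,524800
"CN=application_pool_account,CN=Users,DC=contoso,DC=com",application_pool_account,524800
"CN=helpdesk_svc,CN=Users,DC=contoso,DC=com",helpdesk_svc,524800
"CN=jdoe,CN=Users,DC=contoso,DC=com",jdoe,512
"CN=DC01,OU=Domain Controllers,DC=contoso,DC=com",DC01$,532480
'''

def unconstrained(csv_text):
    """Accounts with unconstrained delegation, domain controllers excluded."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            flagged.append(row["sAMAccountName"])
    return sorted(flagged, key=str.lower)

def review(csv_text, expected=EXPECTED):
    """Report accounts that hold the flag unexpectedly and expected ones that lack it."""
    flagged = {name.lower() for name in unconstrained(csv_text)}
    return {"unexpected": sorted(flagged - expected),
            "not_yet_trusted": sorted(expected - flagged)}

if __name__ == "__main__":
    print(review(SAMPLE_CSV))
```
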

Step 3: Configure the SharePoint Server 2007 Web site for Kerberos authentication

Configure the SharePoint Server 2007 Web site to use Kerberos authentication. To do this, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click SharePoint Central Administration.

2. Click the Application Management tab, and then click Authentication Providers.

3. In the Web Application list, select the Web application that you have to update.

4. Click the zone that you want.

5. On the Edit Authentication page for IIS Authentication Settings, click Negotiate (Kerberos). When you are prompted for confirmation, click OK.

6. Click Integrated Windows authentication, click Negotiate (Kerberos), and then click OK.

7. To apply the change, click Save.

For more information about how to configure Kerberos authentication on the SharePoint Server 2007 Web site, click the following article number to view the article in the Microsoft Knowledge Base:

832769 How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication

Additionally, if you run Internet Information Services 7.0 on a server that is running SharePoint Server 2007, you must also set the useAppPoolCredentials attribute value to true in the ApplicationHost.config file. This file is located in the following folder:

C:\Windows\System32\Inetsrv\Config

After you make the change in the ApplicationHost.config file, the useAppPoolCredentials attribute value should resemble the following:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>

Step 4: Configure Component Services on Windows Server 2003 or Windows Server 2008

1. On the server that is running SharePoint Server 2007, click Start, click Run, type dcomcnfg in the Open box, and then click OK.

2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.

3. Do one of the following:

• For Windows Server 2003, click the Default Properties tab, click Delegate in the Default Impersonation Level box, and then click OK.

• For Windows Server 2008, click the Default Properties tab, click Identify in the Default Impersonation Level box, and then click OK.

For more information about how to set an impersonation level, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms681722.aspx

4. Expand Component Services, expand Computers, and then double-click My Computer.

5. Double-click the DCOM Config folder, and then right-click IIS WAMREG admin Service.

6. Click Properties, click the Security tab, and then under Launch and Activate Permissions, click Edit.

7. In the Launch Permission dialog box, click Add.

8. In the Select Users, Computers, or Groups dialog box, type the user account that you specified as the SharePoint Server 2007 application pool account, click Check Names, and then click OK.

9. In the Permissions for UserName list, click to select the Allow check box that is next to Local Activation, and then click OK.

10. If you have more than one application pool account, repeat steps 7 to 9 for each one.

11. Click OK.

Step 5: Enable the Kerberos protocol on the SSP

You must enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, follow the steps in the "Configure your SSP infrastructure for Kerberos authentication" topic on the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/cc263449.aspx#section14

Make sure to set the SPN for all the servers.

Then, use the STSADM command to enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, at a command prompt, type the following, and then press ENTER:

STSADM -o SetSharedWebServiceAuthn -negotiate

The User name and Account name fields are not synchronized (Sync) in MOSS when the user account information is changed in Active Directory (AD).
11 June 08 10:39 AM | cmmahesh | 6 Comments   

To change the user account, you can use the STSADM migrateuser option and change the user name in the MySettings pages for that user.

stsadm.exe -o migrateuser -oldlogin <Domain name\Old user name> -newlogin <Domain name\New user name> -ignoresidhistory

 

 
