Essential Tips On Kerberos for SharePoint Deployers

A Marvellous Point : Configuring Kerberos for SharePoint 2007: Part 1 - Base Configuration for SharePoint

Mon, 20 Aug 2007 18:22:17 GMT

PingBack from http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx

Link Listing - August 20, 2007

Christopher Steen — Tue, 21 Aug 2007 07:02:38 GMT

Link Listing - August 20, 2007

More Kerberos: The lifetime of the a Kerberos ticket

James World — Tue, 21 Aug 2007 09:46:46 GMT

I had a great follow-up question from my last post on Kerberos in SharePoint : "We are using Kerberos

re: Essential Tips On Kerberos for SharePoint Deployers

halomez — Fri, 24 Aug 2007 20:12:47 GMT

Under what circumstances would you want to trust the computer accounts for delegation? What are the risks if you do?

re: Essential Tips On Kerberos for SharePoint Deployers

James World — Sat, 25 Aug 2007 04:26:44 GMT

A computer account is a principal that acts very much like a user account. When you are running a service as "System" or "Network Service" the computer presents itself as this principal to other machines on the network, including the KDC.

If you want a service running under these special accounts to be able to impersonate a client on another machine, then you must trust the computer account for delegation.

This carries a risk that if the computer is compromised by a malicious agent, that agent can use client credentials on the machine to access other systems as the owner of those credentials.

Since typically there are many services that run under the "System" and "Network Service" accounts that do not require to have delegation rights, this approach violates the principal of least-privilege, which is why it is recommended that you use a dedicated service account instead.

In Windows 2000, delegation was a rather powerful "on/off" switch since once turned on, you could delegate to any other service on the network. Under Windows 2003, constrained delegation (only available running at the Native domain functional level) allows you to specify precisely to which services, identified by SPNs, you will allow an account to delegate. This mitigates a lot of the risk and is advisable when you feel compelled to run a service that requires delegation under the computer account.

Despite this, I rarely come across situations where use of the computer account to delegate credentials is required.

re: Essential Tips On Kerberos for SharePoint Deployers

Peter Chow — Mon, 22 Oct 2007 01:08:46 GMT

Great article James. I have one question.

Is it required to have the Security policy

"Impersonate a client after authentication"

in order for Kerberos Contrained Delegation

to work? Or is it only required in the

Protocol Transition case, which I believe

also requires "Act as part of Operating

System".

Strong Reminder

cgjerdingen — Fri, 14 Dec 2007 04:50:36 GMT

You provide a pretty strong reminder when you say "So remember: you can not have two identical SPNs registed to different accounts in your forest. If you do this, neither will work."

Could you provide to pair of setspn.exe command line inputs that would create these two identical SPNs. I'm not quite following and an example would be helpful. Thanks for the follow up to Martin's posts.

re: Essential Tips On Kerberos for SharePoint Deployers

James World — Fri, 14 Dec 2007 06:18:11 GMT

Sure thing:

setspn -a HTTP/portal.mydomain.com DOMAIN\ServiceA

setspn -a HTTP/portal.mydomain.com DOMAIN\ServiceB

These commands add two identical SPNs to the principals ServiceA and ServiceB. Because of this, the key distribution center will not be able to provide a Kerberos ticket for requests to portal.mydomain.com because it can't uniquely resolve the SPN to a single principal. So, after setting up the SPNs like this, you'll never get kerberos authentication.

Unfortunately, some texts have given examples that imply configuring SPNs for SharePoint in just this manner - they'll never work.

Configuring Kerberos Autentication on MOSS 2007

SharePoint From Scratch — Mon, 11 Feb 2008 22:04:14 GMT

If you've been through the install, you're probably ready to get Kerberos authentication. Now

Configuring Kerberos Autentication on MOSS 2007

SHAREPOINTBlogs.com Mirror — Mon, 11 Feb 2008 22:40:51 GMT

If you've been through the install, you're probably ready to get Kerberos authentication. Now

re: Essential Tips On Kerberos for SharePoint Deployers

daneedwards1 — Thu, 20 Mar 2008 15:48:03 GMT

hi in regards to setting a the SPN with 2 different accounts.. is there any way around this?

or DR farm uses different service accounts but the same URLS for the sites.

any ideas?

re: Essential Tips On Kerberos for SharePoint Deployers

mattaniah — Fri, 25 Apr 2008 15:57:59 GMT

I ran the query against sqlserver and did not see Kerberos. Do I need to change something about MSSLQSvc account?

re: Essential Tips On Kerberos for SharePoint Deployers

YoelHor — Fri, 30 May 2008 13:18:52 GMT

It's truly great article James

I have a question what about Publishing web site?

I know that Kerberos doesn't work over the internet but what about the communication between the MOSS, SQL and active directory servers? Can I use it in order to improve performance (and not for delegation)?

re: Essential Tips On Kerberos for SharePoint Deployers

James World — Mon, 02 Jun 2008 15:41:24 GMT

The short answer is yes. The medium answer follows, the long answer would require a book :) .

A point to remember is the SharePoint itself does no authentication of users - it relies on the ASP.NET provider model to do this, and by default uses Windows authentication (NTLM or Kerberos). In web based scenarios Forms based authentication is more common and you can easily roll your own as well.

None of this has any effect on how SharePoint is configured for authenticating it's various service accounts to its own and other services or applications.

So, for example, its perfectly fine to combine forms based user authentication with a SharePoint installation configured to use Kerberos internally.

If you use Kerberos rather than NTLM then there is a performance boost - without getting into to much complexity this is because the Kerberos protocol takes a more efficient approach that uses better credential caching and reduces the number of server-side hops involved in authentication. How noticeable this is depends on too many factors to get into here - here are some articles you might want to look at - I warn you that you are opening pandora's box!

I will say that my guess would be that the performance gain is less noticeable than when your users are authenticating kerberos as well, and that in either case unless you are dealing with a fairly complex and sizeable AD forest a doubt any performance gain would be significant. It's worth mentioning that Kerberos is also more secure than NTLM although there haven't been any significant demonstrations of NTLM hacking since Microsoft closed the door on the l0phtcrack style SAM hacks of several years back.

A general landing page on the Microsoft site:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerberos/default.mspx

http://www.isi.edu/~brian/security/kerberos.html

http://support.microsoft.com/kb/319723/

This one is quite important to be aware of when considering performance-related issues:

http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx

http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

Hope that helps,

James

re: Essential Tips On Kerberos for SharePoint Deployers

James World — Wed, 11 Jun 2008 23:04:57 GMT

This is a reply to mattaniah's question - the domain account you are using for the MSSQL service may not have write permission on its servicePrincipalName attribute. You can check this with adsiedit.msc (in the windows 2003 support tools).

Once you have launched adsiedit.msc, locate the sqlserver account, right-click it and select Properties. Go to the Security tab highlight SELF and click Advanced. The Advanced Security Setings dialog opens. On the Permissions tab click Add..., enter SELF as the object name and hit OK. Then go to the Properties tab and tick Read servicePrincipalName and Write servicePrincipalName permissions. Then OK yourself out of all the dialogs.

If you now restart the MSSQL service on the database server and check the servicePrincipalName attribute value in adsiedit.msc, you should see that it has created an SPN.

Hope that helps, James.

Kerberos anyone?

chrisg — Mon, 16 Jun 2008 20:25:14 GMT

I sent out a collection of links that I have book marked on Kerberos and thought I would share them with

Configuring Kerberos for SharePoint 2007

Microsoft Business Intelligence Blog — Tue, 01 Jul 2008 17:30:33 GMT

If you want your credentials to pass throughout all your servers for PPS to work correctly, you really

Kerberos przyjacielem mym

.neting in the free world — Fri, 11 Jul 2008 15:49:37 GMT

Coraz częściej w pracy stykam się z koniecznością ustawienia autentykacji poprzez protokół Kerberos ,

Kerberos przyjacielem twym

.neting in the free world — Fri, 11 Jul 2008 16:21:24 GMT

Coraz częściej w pracy stykam się z koniecznością ustawienia autentykacji poprzez protokół Kerberos ,

re: Essential Tips On Kerberos for SharePoint Deployers

blueflake — Tue, 29 Jul 2008 17:53:02 GMT

Thanks for a good article about a complex subject!

I have a question. :) I know that the RSS viewer webpart in MOSS requires Kerberos authentication to display feeds from other internal MOSS sites. I'm running a single virtual machine with MOSS 2007 & SQL Server 2005 on it, and my cross-site RSS feeds work as expected when I enable Kerberos.

What I _don't_ understand is how Kerberos can work on a single workgroup server? (And I don't think it actually is in use on my server, because I can't find any mention of Kerberos in my security Event Log.) I thought that Kerberos needed a KDC (a Windows DC) and an AD infra structure.

Thanks for any insights!

Configuración de Excel Services y Autenticación con Kerberos

Luis Du Solier G. - SharePoint en Español — Thu, 04 Dec 2008 01:41:11 GMT

Kerberos The basics of using Kerberos in a Sharepoint environment. http://www.windowsecurity.com/articles