
MOSS and Kerberos Deployment

During a recent POC, I was reminded (again) that the double-hop problem is a thorn in the side. For those living on another planet or a big rock and haven't heard of or experienced the double-hop, basically this occurs when our SharePoint page (or Web parts on the page) attempts to access resources on a server different from the SharePoint Web server. In our scenario, we were utilizing Excel Services to present data contained inside a SQL Analysis Services cube. In order to do everything we needed to do, we had to configure Kerberos for the MOSS installation. Although it's not rocket science, it can be painful the first time through. I had done this a couple of times and had surprisingly written down some notes... go figure...

Today I was browsing some blog posts and came across this 2-part description and thought I would share it.

Configuring Kerberos for SharePoint 2007: Part 1 - Base Configuration for SharePoint

Configuring Kerberos for SharePoint 2007: Part 2 - Excel Services and SQL Analysis Services 

</steve>

Published Thursday, June 07, 2007 8:59 PM by gcarava@microsoft.com

Comments

# re: MOSS and Kerberos Deployment

Friday, June 08, 2007 9:53 AM by jcm.net

I have followed all steps precisely in Martin Kearn's Kerberos part 1 post. Still no luck, can't load anything on server except CA. I have enabled kerb debugging. Do I need to create an SPN for the search users? I have 2 MOSS servers, 64-bit, 1 for CA/web and the other for search/index. I have SPNs set up correctly for CA/Web, but what about Search/Index box? Thanks for any help you can provide.

# Link Listing - June 10, 2007

Sunday, June 10, 2007 11:13 PM by Christopher Steen

Give it a REST! [Via: Anil John ] GWT a Year Later: Was it the correct level of abstraction? [Via: Dietrich...

# re: MOSS and Kerberos Deployment

Thursday, June 14, 2007 1:40 PM by Jereme Watts

Yes, all of your accounts must have SPNs. In my case I did it this way:

Use the Setspn.exe tool to add an SPN for the domain account. To do so, type the following line at the command prompt, and then press ENTER:

setspn -A HTTP/[ServerName].Microsoft.com microsoft\SRV_OSS_DEV_Farm

setspn -A HTTP/[ServerName].Microsoft.com microsoft\SRV_OSS_DEV_App001

setspn -A HTTP/[ServerName] microsoft\SRV_OSS_DEV_App001

setspn -A HTTP/[ServerName].Microsoft.com microsoft\SRV_OSS_DEV__SSPROC

setspn -A HTTP/[ServerName] microsoft\SRV_OSS_DEV__SSPROC

setspn -A HTTP/[ServerName].Microsoft.com microsoft\SRV_OSS_DEV_App002

setspn -A HTTP/[ServerName] microsoft\SRV_OSS_DEV_App002

Second Step

To configure the IIS server to be trusted for delegation using a domain account, follow these steps:

1. Start Active Directory Users and Computers.

2. In the left pane, click Computers.

3. In the right pane, right-click the name for each of these IIS servers, and then click Properties.

4. Click the General tab, click to select the Trust computer for delegation check box, and then click OK.

a. microsoftportaldev02

b. microsoftportaldev03

c. microsoftindexdev01

5. Quit Active Directory Users and Computers.
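A pre-flight check for a batch of setspn commands like the one in the comment above, added here as an example (it is not from the post or its commenters). It flags an SPN that would be registered to more than one account, which leaves the KDC unable to map the SPN to a single account and breaks Kerberos for that service, and it flags hosts registered in only one of the short-name and FQDN forms. The host names, domain and account names are constructed stand-ins for the [ServerName] placeholder.

```python
import re
from collections import defaultdict

# Constructed batch; "web01"/"app02" stand in for the comment's [ServerName]
# placeholder, and EXAMPLE\svc_* are made-up account names.
PLANNED = r"""
setspn -A HTTP/web01.example.com EXAMPLE\svc_farm
setspn -A HTTP/web01.example.com EXAMPLE\svc_app001
setspn -A HTTP/web01 EXAMPLE\svc_app001
setspn -A HTTP/app02.example.com EXAMPLE\svc_app002
setspn -A HTTP/APP02 example\SVC_app002
"""

CMD = re.compile(r"^\s*setspn(?:\.exe)?\s+-[as]\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse(text):
    """Return (spn, account) pairs, lower-cased because neither is case-sensitive."""
    pairs = []
    for line in text.splitlines():
        m = CMD.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower()))
    return pairs


def duplicate_spns(pairs):
    """Map each SPN that would land on more than one account to those accounts."""
    owners = defaultdict(set)
    for spn, account in pairs:
        owners[spn].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def single_form_hosts(pairs):
    """List (account, service, host) where only the short name or only the FQDN is registered."""
    forms = defaultdict(set)
    for spn, account in pairs:
        service, _, host = spn.partition("/")
        host = host.split(":")[0]              # drop an optional :port
        label = host.split(".")[0]             # first DNS label identifies the host
        forms[(account, service, label)].add("fqdn" if "." in host else "short")
    return sorted(key for key, seen in forms.items() if len(seen) == 1)


if __name__ == "__main__":
    batch = parse(PLANNED)
    for spn, accts in duplicate_spns(batch).items():
        print(f"DUPLICATE {spn}: {', '.join(accts)}")
    for account, service, label in single_form_hosts(batch):
        print(f"ONE FORM ONLY {service}/{label} on {account}")
```

On a live domain, newer versions of setspn can do the duplicate check themselves: `setspn -X` searches for existing duplicates and `setspn -S` refuses to add an SPN that is already registered.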

# SharePoint and Kerberos...

What about Kerberos in SharePoint 2007... From Steve Carvajal's Blog, some links to Martin Kearn's
