Configuring Kerberos Authentication for SharePoint

When you install SharePoint you can choose between NTLM and Kerberos authentication. There are pros and cons to each, and I'm not going to get into them here; let's just go through the steps for configuring Kerberos on a SharePoint site running on port 80.

Prerequisites

  • Download and install the Windows Server 2003 Service Pack 2 32-bit Support Tools. Note that they will still run on a 64-bit machine.
  • Install the Windows 2003 Admin Pack (AdminPak.msi), located in your server's %\windows\system32 or %\Windows\SysWOW64 directory.
  • Locate the app pool account that runs the web application for which you would like to use Kerberos. If there is more than one account, you will need to run through the steps below for each account.

Configuration

1) Log in to SharePoint's Central Administration console and enable Kerberos for your app pool account and SharePoint server. Remember to complete the steps below for each SharePoint server.

2) Open Active Directory Users and Computers and locate your application pool user.

Right-click the app pool user, choose Properties, and note that the Delegation tab is NOT visible yet.


3) On a domain controller, register the SPN for your app pool account by typing the command below. Note that this uses the setspn command installed by the Windows 2003 Support Tools. (You may want to run setspn for every URL the web application answers on.)

*** Watch out, it’s “http/” not “http://” ***

setspn -A http/spapp1 domain\spapppool


Run the command again with -L to list the SPNs now registered on the account:

setspn -L domain\spapppool


After you run the setspn command above, the Delegation tab appears in Active Directory Users and Computers for the app pool account.


5) Modify DCOM Launch Permissions for the IISWamReg Admin Service

  • Open the Component Services MMC from the Run dialog, or open Component Services from Administrative Tools.


Locate the IIS WAMREG admin Service, right-click it and choose Properties.


Edit the Launch and Activation Permissions


Grant the app pool account the Local Activation permission.


6) Change the server’s default impersonation level to Delegate

  • Within the Component Services MMC, modify the server's default impersonation level.


7) Test – Open the web application for which you enabled Kerberos and monitor the server's Security log in Event Viewer for errors. Remember, if Kerberos doesn't function properly the server silently falls back to NTLM, so a working login alone does not prove Kerberos is in use.
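Before testing in the browser, it helps to verify what setspn actually registered. The script below is an added example, not part of the original post: it reads the app pool account straight from Active Directory via ADSI, flags the "http://" mistake warned about above, checks that an http/ SPN exists for each host, looks for the same SPN registered on a second account (a common reason Kerberos fails and the site falls back to NTLM), and reports what the Delegation tab is set to. It assumes PowerShell 2.0 or later on a domain-joined machine; the account name spapppool and host spapp1 are the placeholder names used in the post.

```powershell
# Added example (not from the original post): audit a SharePoint app pool
# account's SPNs and delegation settings with plain ADSI, no extra modules.
# Assumes PowerShell 2.0+ on a domain-joined machine; names are placeholders.
param(
    [string]$AccountSam = 'spapppool',        # app pool account (sAMAccountName)
    [string[]]$ExpectedHosts = @('spapp1')    # every host name the web app answers on
)

function Find-AdAccount([string]$Sam) {
    # DirectorySearcher with no SearchRoot queries the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$Sam)"
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('servicePrincipalName', 'userAccountControl',
                    'msDS-AllowedToDelegateTo', 'distinguishedName'))
    $searcher.FindOne()
}

$acct = Find-AdAccount $AccountSam
if (-not $acct) { throw "Account $AccountSam not found in the current domain." }

$spns = @($acct.Properties['serviceprincipalname'])
Write-Host "SPNs registered on $($acct.Properties['distinguishedname'][0]):"
$spns | ForEach-Object { Write-Host "  $_" }

# Pitfall from the post: the SPN must read 'http/host', never 'http://host'.
$bad = $spns | Where-Object { $_ -match '://' }
if ($bad) { Write-Warning "Malformed SPN(s) containing '://': $($bad -join ', ')" }

# Each host the site answers on needs its own http/ SPN on this account.
foreach ($h in $ExpectedHosts) {
    if (-not ($spns -contains "http/$h")) { Write-Warning "Missing SPN http/$h" }
}

# The same SPN on two accounts breaks Kerberos and clients fall back to NTLM.
foreach ($spn in $spns) {
    $dup = New-Object System.DirectoryServices.DirectorySearcher
    $dup.Filter = "(servicePrincipalName=$spn)"
    $owners = @($dup.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
    if ($owners.Count -gt 1) { Write-Warning "SPN $spn is on several accounts: $($owners -join '; ')" }
}

# Delegation tab: userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION) means
# "trust for delegation to any service"; msDS-AllowedToDelegateTo means constrained.
$uac = [int]$acct.Properties['useraccountcontrol'][0]
$constrained = @($acct.Properties['msds-allowedtodelegateto'])
if ($uac -band 0x80000)     { Write-Host 'Delegation: any service (unconstrained)' }
elseif ($constrained.Count) { Write-Host "Delegation: constrained to $($constrained -join ', ')" }
else                        { Write-Host 'Delegation: not enabled' }
```

Run it as a domain user from any domain-joined machine; the duplicate-SPN and delegation checks are the two results worth keeping an eye on after every setspn change.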


2 Responses to “Configuring Kerberos Authentication for SharePoint”

  • When running SharePoint on Windows Server 2008, please do not change the impersonation level. http://stsadm.blogspot.com/2008/09/windows-server-2008-default.html
