When you install SharePoint you have a choice between NTLM and Kerberos authentication. There are pros and cons for each and I'm not going to get into that here; let's just go through the steps for configuring Kerberos on a SharePoint site running on port 80.
Install the Windows 2003 Admin Pack (AdminPak.msi) located in your server's %\windows\system32 or %\Windows\SysWOW64 directory.
Locate the app pool account that runs the web application for which you want to use Kerberos. If there is more than one account, you'll need to run through the steps below for each account.
1) Log in to SharePoint's central administration console and enable Kerberos for your App Pool account and SharePoint server. Remember to complete the steps below for each SharePoint server.
2) Open Active Directory Users and Computers and locate your Application Pool user.
Right-click the app pool user, choose Properties, and note that the Delegation tab is NOT visible.
3) On a domain controller, grant delegation to your app pool account by typing the command below. Note that you will use the setspn command installed by the Windows 2003 Support Tools. (You might want to run setspn for every URL clients use to reach the site.)
Run the command again with -L to view the existing SPNs:
setspn -L domain\spapppool
After you run the setspn command above you will see the Delegation tab in Active Directory Users and Computers for the app pool account.
5) Modify DCOM Launch Permissions for the IIS WAMREG admin Service.
Open the Component Services MMC by typing the run command below or by visiting Component Services in Administrative Tools.
Locate the IIS WAMREG admin Service and select Properties.
Edit the Launch and Activation Permissions.
Grant the App Pool account Local Activation permission.
6) Change the server's default impersonation level to Delegate.
Within the Component Services MMC, modify the server's impersonation level.
7) Test: open the web application for which you enabled Kerberos and monitor the server's Security log in Event Viewer for errors. Remember, if Kerberos doesn't function properly the server falls back to NTLM.
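As an added example (not part of the original post), the following PowerShell script automates the two checks above: it reads the SPNs registered on the app pool account with setspn -L and flags any site hostname that lacks an HTTP/ SPN, then groups recent network logons on the SharePoint server by authentication package so you can see whether clients really got Kerberos or fell back to NTLM. The account name, hostnames and the use of event ID 4624 (Windows Server 2008 or later) are assumptions.

```powershell
# Added example, not the original post's code. Placeholder values are assumptions.
param(
    [string]$AppPoolAccount = 'DOMAIN\spapppool',                      # placeholder account
    [string[]]$SiteHosts    = @('intranet', 'intranet.corp.example')   # placeholder hostnames
)

# 1. Read the SPNs registered on the account (same data as "setspn -L domain\spapppool").
#    Keep only lines that look like service/host, dropping the header line.
$registered = (& setspn.exe -L $AppPoolAccount) |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z]+/' }

# Kerberos is only negotiated when an HTTP/<host> SPN exists for the exact name the
# browser uses; a missing SPN silently degrades that name to NTLM.
foreach ($h in $SiteHosts) {
    $spn = "HTTP/$h"
    if ($registered -contains $spn) {
        Write-Host "OK       $spn"
    } else {
        Write-Warning "MISSING  $spn  (clients using this name will fall back to NTLM)"
    }
}

# 2. On the SharePoint server, summarise the last 30 minutes of network logons (type 3)
#    by authentication package. Assumes event 4624 (Windows Server 2008+); on Windows
#    Server 2003 the equivalent is event 540 in the Security log.
$since = (Get-Date).AddMinutes(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Package   = $d['AuthenticationPackageName']   # "Kerberos" or "NTLM"
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object Package |
    Select-Object Name, Count
```

A healthy configuration shows a "Kerberos" row; an "NTLM" row for SharePoint users points back to a missing SPN, a hostname not covered by one, or a client that cannot reach the KDC.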
Ulysses Ludwig is a SharePoint architect with over 16 years in the IT and computer industry. Ulysses' primary focus is SharePoint but he dabbles in the latest web technologies and likes to develop software in his spare time.