Ulysses Ludwig’Blog

Determine the application pool account that will be responsible for authenticating users. 

Follow the steps below to be absolutely sure of the account responsible for running the site that will support kerberos authentication.  If SharePoint has already been configured verify your application pool account is, in fact, running the IIS application pool that supports the website where Kerberos is enabled

Open the web application that will support Kerberos and make a note of the application pool that supports this web application (note that you may have more than one web application for the same data for such cases as http and https so take care to determine the exact web application)

Make a note of the account that is the identity of this application pool, later this account must be trusted for “Delegation”. 

* If the application pool is “Network Service” then Kerberos cannot be configured, the application pool account configured through Central Administration must be a domain account.

Get the exact machine names that will host the sites that will support kerberos authentication

Right mouse key on Computer Management and click properties

Make a note of the machine’s actual name (you will not be using the alias)

Open Active Directory Users and Computers

Open the Application Pool account in Active Directory Users and Computers (ADUC) and note that there is no tab “Delegation”

Locate the servers(s) in Active Directory Users and Computers as well

Repeat the step above for the computer, the Delegation tab will typically not be visible until the SETSPN tool is run (that will come later).  In the screenshot below, the Delegation tab is visible because the server is an all in one with a domain controller.

Enable Kerberos for SharePoint Web Application

First things first, Kerberos can be enabled for an existing SharePoint web application if it was not specified during the initial installation wizard.  Follow the steps below to enable kerberos authentication for a SharePoint web application.

Open central administration, note that the port may be different (I typically use 8080 for central administration)  *** NOTE, IF YOU CAN NOT OPEN CENTRAL ADMINISTRATION, DO NOT HAVE RIGHTS, OR DO NOT KNOW HOW THEN STOP, YOU SHOULD NOT BE DOING THIS ***

Click on Manage Web Applications

In the dialog that opens, click on the zone (which is typically default although you may choose intranet)

In the Edit Authentication dialog that opens, scroll down to IIS Authentication Settings and choose “Negotiate (Kerberos)”.  A JavaScript alert will appear warning you of the manual steps you will have to complete, these manual steps are detailed later in this article)

Click save and close the remaining dialogs.

Run SETSPN command line tool for the SharePoint Application Pool Account

The enable kerberos authentication a domain administrator will need to run the following commands via command line on each SharePoint Server.  These commands use the SETSPN tool which is delivered by default in all Windows Server 2008 machines, if the tool is missing it is readily available for download from Microsoft.com.

Open a command prompt as administrator

First run the SETSPN command for the application pool account. 

Correct the names in bold below to match the names in your environment.  Also note that the “http“does not have a “://”.

setspn –A http/servername  corp\spapppool

Run a similar command for each server (the results below are atypical since the machine used is already a domain controller, however, the command is still correct

setspn –A http/spapp10  spapp10

Open Active Directory Users and Computers and Trust the Application Pool for Delegation

Once the SETSPN command has been run, the delegation tab will appear in Active Directory Users and Computers (ADUC) for the application pool account.

On the delegation tab of the SharePoint Application Pool’s properties window “Trust this user for delegation to any service (Kerberos only)”

Open Active Directory Users and Computers and Trust the Server(s) for Delegation

Once the SETSPN command has been run, the delegation tab will appear in Active Directory Users and Computers (ADUC) for the servers registered using the SETSPN tool

On the Delegation tab check the box “Trust this computer for delegation to any service (Kerberos only)”

Verifying Service Principal Names (SPNs) using SETSPN

The setspn tool does support the –L or list switch that allows administrators to display the SPNs for a particular computer or user account.

Run setspn for the service account

setspn –L corp\spapppool

Run setspn for the server

setspn –L spapp10

Testing Kerberos

There are tools available for testing Kerberos but it’s quite easy to determine if it is running properly. 

When it’s enabled but not working the following symptoms may be present

1. Login prompts may appear when the previously did not under NTLM Authentication
2. Login Errors appear in the Windows Security Event Log typically stating that Kerberos authentication failed
3. Users are required to login using Office applications when their machines are domain members and the logged in user should have rights.

When Kerberos is first configured for the application pool account a message will appear in the Windows Security Logs stating that a ticket was requested.

Open SharePoint in a browser using the URL where Kerberos is now configured and then refresh the security log.  If Kerberos is running properly messages similar to the one below will appear in the logs on a regular basis. 

For particular users logged in, events will appear similar to the one below

In addition, many messages similar to the one below will appear in the event log.

Configuring SharePoint 2010 with Kerberos Authentication, 9.2 out of 10 based on 19 ratings