Determine the application pool account that will be responsible for authenticating users.
Follow the steps below to be absolutely sure of the account responsible for running the site that will support kerberos authentication. If SharePoint has already been configured verify your application pool account is, in fact, running the IIS application pool that supports the website where Kerberos is enabled
Open the web application that will support Kerberos and make a note of the application pool that supports this web application (note that you may have more than one web application for the same data for such cases as http and https so take care to determine the exact web application)
Make a note of the account that is the identity of this application pool, later this account must be trusted for “Delegation”.
* If the application pool is “Network Service” then Kerberos cannot be configured, the application pool account configured through Central Administration must be a domain account.
Get the exact machine names that will host the sites that will support kerberos authentication
Right mouse key on Computer Management and click properties
Make a note of the machine’s actual name (you will not be using the alias)
Open Active Directory Users and Computers
Open the Application Pool account in Active Directory Users and Computers (ADUC) and note that there is no tab “Delegation”
Locate the servers(s) in Active Directory Users and Computers as well
Repeat the step above for the computer, the Delegation tab will typically not be visible until the SETSPN tool is run (that will come later). In the screenshot below, the Delegation tab is visible because the server is an all in one with a domain controller.
Enable Kerberos for SharePoint Web Application
First things first, Kerberos can be enabled for an existing SharePoint web application if it was not specified during the initial installation wizard. Follow the steps below to enable kerberos authentication for a SharePoint web application.
Open central administration, note that the port may be different (I typically use 8080 for central administration) *** NOTE, IF YOU CAN NOT OPEN CENTRAL ADMINISTRATION, DO NOT HAVE RIGHTS, OR DO NOT KNOW HOW THEN STOP, YOU SHOULD NOT BE DOING THIS ***
Click on Manage Web Applications
In the dialog that opens, click on the zone (which is typically default although you may choose intranet)
Click save and close the remaining dialogs.
Run SETSPN command line tool for the SharePoint Application Pool Account
The enable kerberos authentication a domain administrator will need to run the following commands via command line on each SharePoint Server. These commands use the SETSPN tool which is delivered by default in all Windows Server 2008 machines, if the tool is missing it is readily available for download from Microsoft.com.
Open a command prompt as administrator
First run the SETSPN command for the application pool account.
Correct the names in bold below to match the names in your environment. Also note that the “http“does not have a “://”.
setspn –A http/servernamecorp\spapppool
Run a similar command for each server (the results below are atypical since the machine used is already a domain controller, however, the command is still correct
setspn –A http/spapp10 spapp10
Open Active Directory Users and Computers and Trust the Application Pool for Delegation
Once the SETSPN command has been run, the delegation tab will appear in Active Directory Users and Computers (ADUC) for the application pool account.
On the delegation tab of the SharePoint Application Pool’s properties window “Trust this user for delegation to any service (Kerberos only)”
Open Active Directory Users and Computers and Trust the Server(s) for Delegation
Once the SETSPN command has been run, the delegation tab will appear in Active Directory Users and Computers (ADUC) for the servers registered using the SETSPN tool
On the Delegation tab check the box “Trust this computer for delegation to any service (Kerberos only)”
Verifying Service Principal Names (SPNs) using SETSPN
The setspn tool does support the –L or list switch that allows administrators to display the SPNs for a particular computer or user account.
Run setspn for the service account
setspn –L corp\spapppool
Run setspn for the server
setspn –L spapp10
There are tools available for testing Kerberos but it’s quite easy to determine if it is running properly.
When it’s enabled but not working the following symptoms may be present
Login prompts may appear when the previously did not under NTLM Authentication
Login Errors appear in the Windows Security Event Log typically stating that Kerberos authentication failed
Users are required to login using Office applications when their machines are domain members and the logged in user should have rights.
When Kerberos is first configured for the application pool account a message will appear in the Windows Security Logs stating that a ticket was requested.
Open SharePoint in a browser using the URL where Kerberos is now configured and then refresh the security log. If Kerberos is running properly messages similar to the one below will appear in the logs on a regular basis.
For particular users logged in, events will appear similar to the one below
In addition, many messages similar to the one below will appear in the event log.
Rating: 9.3/10 (29 votes cast)
Rating: +11 (from 13 votes)
Configuring SharePoint 2010 with Kerberos Authentication, 9.3 out of 10 based on 29 ratings
Ulysses Ludwig is a SharePoint architect with over 16 years in the IT and computer industry. Ulysses' primary focus is SharePoint but he dabbles in the latest web technologies and likes to develop software in his spare time.
11 Comments for Configuring SharePoint 2010 with Kerberos Authentication