Configuring Kerberos Authentication for SharePoint

When you install SharePoint you have a choice between NTLM and Kerberos authentication. There are pros and cons to each and I'm not going to get into them here; let's just go through the steps for configuring Kerberos on a SharePoint site running on port 80.

Prerequisites

  • Download and install the Windows Server 2003 Service Pack 2 32-bit Support Tools. Note that they will still run on a 64-bit machine.
  • Install the Windows 2003 Admin Pack (AdminPak.msi) located in your server's %\windows\system32 or %\Windows\SysWOW64 directory.
  • Locate the app pool account that runs the web application on which you would like to use Kerberos. If there is more than one account, you'll need to run through the steps below for each account.

Configuration

1) Log in to SharePoint's Central Administration console and enable Kerberos authentication for your App Pool account and SharePoint server. Remember to complete the steps below for each SharePoint server.

2) Open Active Directory Users and Computers and locate your Application Pool user.

Right-click the app pool user, choose Properties, and note that the Delegation tab is NOT visible yet.

3) On a domain controller, grant delegation to your app pool account by typing the command below. Note that you will use the setspn command installed by the Windows 2003 Support Tools. (You might want to run setspn for every URL users will use to reach the site.)

*** Watch out, it’s “http/” not “http://” ***

setspn -A http/spapp1 domain\spapppool

Run the command again with -L to view the SPNs now registered on the account:

setspn -L domain\spapppool

After you run the setspn command above, the Delegation tab appears in Active Directory Users and Computers for the app pool account.

5) Modify DCOM Launch Permissions for the IIS WAMREG Admin Service

  • Open the Component Services MMC by typing the Run command below or by opening Component Services in Administrative Tools.

Locate the IIS WAMREG Admin service and select Properties.

Edit the Launch and Activation Permissions.

Grant the App Pool account the Local Activation permission.

6) Change the server's default impersonation level to Delegate

  • Within the Component Services MMC, modify the server's default impersonation level.

7) Test – Open the web application for which you enabled Kerberos and monitor the server's Security log in Event Viewer for errors. Remember, if Kerberos doesn't function properly the server silently falls back to NTLM, so a working site is not proof that Kerberos is in use.
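The following PowerShell script is an added example that is not part of the original post. It covers step 3 (registering the http/ SPNs for the app pool account, for both the short and fully qualified host names) and step 7 (checking whether clients actually authenticated with Kerberos or fell back to NTLM). It assumes Windows Server 2008 or later, where setspn supports -S and -X and Get-WinEvent is available; on Windows Server 2003 with the Support Tools, use setspn -A as in the post and read the Security log by hand. The account and host names are placeholders.

```powershell
# Added example (not from the original post): register the http/ SPNs for a
# SharePoint app pool account, then check the Security log to see whether
# clients authenticated with Kerberos or fell back to NTLM.
# Assumptions: Windows Server 2008 or later (setspn -S / -X and Get-WinEvent
# exist), run from an elevated PowerShell prompt by a domain admin.
# $AppPoolAccount and $SiteNames are placeholders; substitute your own.

$AppPoolAccount = 'domain\spapppool'                       # app pool identity
$SiteNames      = @('spapp1', 'spapp1.corp.example.com')   # every host name users type

foreach ($name in $SiteNames) {
    # The service class is "http/" (Kerberos SPN syntax), NOT "http://" as in a URL.
    # No port is needed because the site runs on port 80 (the default for http/).
    # -S refuses to add the SPN if it already exists on another account: a
    # duplicate SPN breaks Kerberos for both accounts and causes NTLM fallback.
    setspn -S "http/$name" $AppPoolAccount
}

# Show what is now registered on the account (same as the post's -L step).
setspn -L $AppPoolAccount

# Report any duplicate SPNs anywhere in the forest.
setspn -X

# Step 7: summarise successful logons on this server by authentication package.
# Event 4624 carries "Authentication Package: Kerberos" or "NTLM" in its message;
# a NTLM-only result after enabling Kerberos means the fallback described in step 7.
function Get-LogonPackageSummary {
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Authentication Package:\s+(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Select-Object Name, Count
}

Get-LogonPackageSummary -Hours 1
```

Run it once before enabling Kerberos and once after: the summary should shift from NTLM to Kerberos for the browsers hitting the site. If it does not, the usual causes are an SPN registered with the wrong syntax or on the wrong account, or a duplicate reported by setspn -X.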

2 Responses to “Configuring Kerberos Authentication for SharePoint”

Configuring Kerberos Authentication for SharePoint | Ulysses …
  • When running SharePoint on Windows Server 2008 please do not change the impersonation level. http://stsadm.blogspot.com/2008/09/windows-server-2008-default.html
