Jesper M. Christensen

SharePoint and Security

Notes on configuring Sharepoint to use Kerberos


Update: After this blog entry I had an article published that gives an overview of Kerberos in a SharePoint environment.

Having trouble getting Kerberos set up on your Microsoft Office SharePoint Server? Kerberos is the preferred authentication type for SharePoint Server 2007 because it is faster and more secure than NTLM and reduces the number of username and password errors you get. If your web parts interact with other servers or services such as SQL Reporting Services, Excel Calculation Services and Data Connections, you will run into the double-hop authentication issue (read more in this article). So why isn't Kerberos the default authentication type in SharePoint if it is so good? Well, it isn't always easy to set up if you are new to Kerberos. Knowing what to set up and how it is done can be overwhelming for some IT administrators, including myself, but we are all learning as we ride the IT wave through time.

So, some functions in MOSS 2007 require Single Sign-On and Kerberos to be set up, and in the beginning you can soon enough hit the wall with the generic error screens built into SharePoint Server. What they really mean is: look through the log files of your IIS, SharePoint, SQL Reporting Services etc. until you find the problem. That is how I found my problem with Kerberos authentication between servers, and when you think about it, how should the SharePoint web server know what error occurred in a submodule on a completely different SQL Reporting Server? I tested the SPN configuration on the domain controller with the SetSPN command and found out that I had missed a server in this configuration.

If you have been following the guidelines to enable Kerberos you should be okay, but it can be tricky to implement, e.g. on a SharePoint farm after the initial installation. Microsoft has published an article that I recommend you check out (http://support.microsoft.com/kb/832769), and Martin Kearn has a great article named Configuring Kerberos for SharePoint 2007 with some good step-by-step instructions for configuring Kerberos, so go and read it.

I also have some guidelines for you, with a few command lines:

  • Check the event log in Windows, SharePoint and any other servers you cannot get to work properly
  • Make sure your clients and Web Front End(s) can reach your KDC (Kerberos Key Distribution Center, i.e. the domain controller).
  • Make sure you have configured delegation for all servers that need to use Kerberos and for your SharePoint accounts in Active Directory Users and Computers
  • Make sure your web application and SSP have been configured to use Kerberos in the Central Administration site
  • Check your configured SPNs with the command setspn -L <DOMAIN>\<WebApp Identity account>

    Sample Output:
    C:\>setspn -L domain\spcontentpool
    Registered ServicePrincipalNames for CN=SPContentPool,OU=Sharepoint,DC=domain,DC=local:
        http/wss1.domain.local
        http/wss2.domain.local
        http/intranet.domain.local
        http/wss2
        http/wss1

    Reconfigure the SPNs on your Web Front End Server if needed with:
    setspn.exe -A HTTP/<Web frontend NETBIOS Servername> <DOMAIN>\<WebApp Identity account>
    setspn.exe -A HTTP/<Web frontend FQDN> <DOMAIN>\<WebApp Identity account>

  • (Note: SetSPN.exe is a tool from the Server Resource Kit and from the Windows Server 2003 Support Tools on the CD. You can also download it from Microsoft here: for Windows 2000 Server and for Windows Server 2003 SP2 32-bit.)

  • Check if Kerberos is configured for your IIS website with the command lines:
    c:
    cd c:\inetpub\adminscripts
    cscript adsutil.vbs get w3svc/<id of your website>/root/NTAuthenticationProviders
    (you will find the id of your website in IIS Manager under Identifier)

    The result should look like this: NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
    If you see NTAuthenticationProviders : (STRING) "NTLM", then you need to configure the website for Kerberos on every Web Front End Server. Remember that the identifiers are the same on every server in the farm, so you can make a script for an easier process:
    c:
    cd c:\inetpub\adminscripts
    cscript adsutil.vbs set w3svc/<id of your website>/root/NTAuthenticationProviders "Negotiate,NTLM"
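The SPN check and the IIS NTAuthenticationProviders check above are the two things that most often go wrong after adding a server to the farm, so here is a script that does both in one pass for every Web Front End. This is an added example written for this page, not code from the original post or from Microsoft. It assumes PowerShell 2.0 or later, setspn.exe on the PATH, the IIS 6 ADSI provider available on the machine you run it from, and permission to read the metabase of each Web Front End remotely; the domain, account, server names, host header and site identifier in the parameters are placeholders you must replace with your own. It only prints the setspn -A commands for missing SPNs rather than running them, so you can review them first.

```powershell
# Added example (not from the original post). All default parameter values
# are placeholders taken from the sample output above; replace them.
# Assumes PowerShell 2.0+, setspn.exe on the PATH, the IIS 6 ADSI provider,
# and rights to read the IIS metabase on each Web Front End (WFE).
param(
    [string]   $Domain      = "domain",                   # placeholder
    [string]   $PoolAccount = "spcontentpool",            # placeholder web app identity
    [string[]] $FrontEnds   = @("wss1", "wss2"),          # placeholder WFE NETBIOS names
    [string]   $DnsSuffix   = "domain.local",             # placeholder DNS suffix
    [string[]] $HostHeaders = @("intranet.domain.local"), # placeholder host header name(s)
    [string]   $SiteId      = "1"                         # IIS website identifier
)

# 1. The SPNs that must be registered on the application pool account:
#    HTTP/<netbios> and HTTP/<fqdn> for every WFE, plus HTTP/<host header>
#    for each name that users actually type into the browser.
$expected = @()
foreach ($fe in $FrontEnds) {
    $expected += "HTTP/$fe"
    $expected += "HTTP/$fe.$DnsSuffix"
}
foreach ($h in $HostHeaders) { $expected += "HTTP/$h" }

# 2. What is actually registered: setspn -L prints a header line followed by
#    one indented SPN per line, so keep only the indented <class>/<host> lines.
$registered = @(& setspn.exe -L "$Domain\$PoolAccount" |
    Where-Object { $_ -match '^\s+\S+/\S+' } |
    ForEach-Object { $_.Trim() })

# -notcontains compares case-insensitively, so http/wss1 matches HTTP/wss1.
$missing = @($expected | Where-Object { $registered -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Output "SPNs missing on $Domain\$PoolAccount - commands to add them:"
    foreach ($spn in $missing) {
        Write-Output "  setspn.exe -A $spn $Domain\$PoolAccount"
    }
} else {
    Write-Output "All expected SPNs are registered on $Domain\$PoolAccount."
}

# 3. Per WFE, read the same metabase value adsutil.vbs shows. The website
#    identifier is the same on every WFE in the farm, so one id serves all.
foreach ($fe in $FrontEnds) {
    $path = "IIS://$fe/W3SVC/$SiteId/Root"
    try {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
            Write-Output "${fe}: cannot bind to $path (check the site id and the IIS ADSI provider)"
            continue
        }
        $root      = [ADSI]$path
        $providers = [string]$root.Properties["NTAuthenticationProviders"].Value
        if ([string]::IsNullOrEmpty($providers)) {
            # Not set at this node: the value is inherited from W3SVC/<id> or W3SVC.
            Write-Output "${fe}: NTAuthenticationProviders is not set at $path; check the parent nodes"
        } elseif ($providers -match 'Negotiate') {
            Write-Output "${fe}: NTAuthenticationProviders = '$providers' (Kerberos is offered)"
        } else {
            Write-Output "${fe}: NTAuthenticationProviders = '$providers' -> set it to 'Negotiate,NTLM' on this server"
        }
    } catch {
        Write-Output "${fe}: could not read the IIS metabase ($($_.Exception.Message))"
    }
}
```

Run it from a management workstation or one of the Web Front Ends as an account that can read the metabase on all of them. A server listed as missing an SPN, or one whose providers value lacks Negotiate, will silently fall back to NTLM, which is exactly the case where the double-hop to Reporting Services or Excel Calculation Services fails with one of the generic SharePoint error screens described above.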

You can troubleshoot the Kerberos errors from your system event log with Microsoft's Troubleshooting Kerberos Errors, or read my blog post about Troubleshooting the KRB_AP_ERR_MODIFIED error.
