Configure Kerberos Authentication in SharePoint 2010
When configuring Kerberos with SharePoint 2010 you will be using IIS 7.0.
Integrated windows authentication is now handled in kernel mode and enabled by default. This technically was primarily for ease of use and performance boosts since auth is no longer happening in user mode. The problem is that Kernel mode authentication is not supported in SharePoint 2010. Kernel mode authentication is disabled by default in SharePoint 2010 so will not go into further detail.
The basic steps for enabling Kerberos in a web “SharePoint” farm is to specify the application pool identity for the associated web application. Then you need to create an SPN using setspn tool.
Farm scenario task:
Enable Kerberos for the following:
· SharePoint Web Application “Sharepoint – 80”
· Site is named contoso.com
· Web Application is using domain account, ”contoso\farmadmin”, as application pool identity.
Step 1: Setting useAppPoolCredentials to true in applicationHost.config file.
The first step is setting the useAppPool Credentials to true in applicationHost.config file for the associated web site.
In this example, I want to set this attribute on my “SharePoint – 80” web application:
Locate the applicationHost.config file in the following dir:
When you open applicationHost.config file with notepad you will see something like this for web application “WebApplicationName”:
<system.webServer> <security> <authentication> <windowsAuthentication enabled=”true” </authentication> </security> </system.webServer>
A.) Run appcmd and set useAppPoolCredentials attribute to true for the associated web application.
Appcmd set config “SharePoint – 80” /section:windowsauthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST
Now checking application.host config file you should see the following for the associated web application:
<system.webServer> <security> <authentication> <windowsAuthentication enabled=”true” useAppPoolCredentials=”true” /> </authentication> </security> </system.webServer>
Step 2: Set SPN
SPN is required to map the service/host name to the Application Pool identity.
A.) Install SPN from the following location:
B.) From cmd prompt, run the following cmd:
Setspn.exe –a http/contoso.com contoso\farmadmin
Note: Run setspn from a member server and not a domain controller 🙂
Step 3: Trust the service account for delegation
A.) Launch Active Directory Users and Computers
B.) Locate account running as the application pool identity
C.) Go to properties on the account, select delegation tab
D.) Select “Trust this user for delegation to any service (Kerberos only)
Step 4: Enable Kerberos on the Web Application
A.) Launch Central Admin and select Application Management
B.) Select Manage Web Application and choose the appropriate web application
C.) From the ribbon, select Auth Providers
D.) Select the associated zone and enable Negotiate (Kerberos) and save
Step 5: Verify that Kerberos authentication is working
A.) Go to the security log on the WFE
B.) Filter on all Event ID’s 4624’s
In the above event, you can see the logon process is using Kerberos. If you scroll up on the event further, you can also get the source computer as well as user account used to log in. It’s easier to filter on this event with the logon account to confirm on a high traffic server.