Configuring Kerberos Authentication in SharePoint 2010


When configuring Kerberos with SharePoint 2010 you will be using IIS 7.0.

In IIS 7.0, Integrated Windows authentication is handled in kernel mode, and this is enabled by default. The change was made primarily for ease of use and performance, since authentication no longer happens in user mode. The problem is that kernel-mode authentication is not supported in SharePoint 2010. It is disabled by default in SharePoint 2010, so I will not go into further detail.

The basic steps for enabling Kerberos in a SharePoint web farm are to specify the application pool identity for the associated web application and then create an SPN using the setspn tool.


Farm scenario task:

Enable Kerberos for the following:

· SharePoint web application “SharePoint – 80”

· Site is named

· The web application uses the domain account “contoso\farmadmin” as its application pool identity.



Step 1: Setting useAppPoolCredentials to true in applicationHost.config file.

The first step is setting the useAppPoolCredentials attribute to true in the applicationHost.config file for the associated web site.

In this example, I want to set this attribute on my “SharePoint – 80” web application:

Locate the applicationHost.config file in the following dir:


When you open applicationHost.config file with notepad you will see something like this for web application “WebApplicationName”:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>

A.) Run appcmd and set the useAppPoolCredentials attribute to true for the associated web application. appcmd.exe is located in %windir%\System32\inetsrv, which is not on the PATH by default, so run it from that directory.

appcmd set config "SharePoint - 80" /section:windowsauthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

When you check the config file again, you should see the following for the associated web application:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    </authentication>
  </security>
</system.webServer>



Step 2: Set SPN

SPN is required to map the service/host name to the Application Pool identity. 

A.) Install the setspn tool from the following location:

B.) From cmd prompt, run the following cmd:

Setspn.exe -a http/ contoso\farmadmin



Note:  Run setspn from a member server and not a domain controller  🙂 


Step 3: Trust the service account for delegation

A.) Launch Active Directory Users and Computers

B.) Locate account running as the application pool identity

C.) Go to properties on the account, select delegation tab

D.) Select “Trust this user for delegation to any service (Kerberos only)”




Step 4: Enable Kerberos on the Web Application

A.) Launch Central Admin and select Application Management

B.) Select Manage Web Application and choose the appropriate web application

C.) From the ribbon, select Auth Providers

D.) Select the associated zone and enable Negotiate (Kerberos) and save




Step 5: Verify that Kerberos authentication is working

A.) Go to the security log on the WFE

B.) Filter on Event ID 4624


In the above event, you can see the logon process is using Kerberos. If you scroll up further in the event, you can also see the source computer and the user account used to log in. On a high-traffic server, it is easier to confirm this by filtering on this event together with the logon account.
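Step 5's check as a script, added here as an example and not part of the original post: it pulls 4624 network logons for one account from the Security log and counts them by authentication package, so a fallback to NTLM stands out. The account name and time window are placeholders, and reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the original post): summarise recent 4624 logons on
# the WFE by authentication package for one account.
# ASSUMPTIONS: $Account and $Hours are placeholders; run from an elevated prompt.
param(
    [string]$Account = 'testuser',   # hypothetical sAMAccountName of the test user
    [int]$Hours = 1                  # how far back to look
)

# Filter server-side: 4624 (successful logon), logon type 3 (network logon, as
# produced by IIS), restricted to the account and the time window.
$ms = $Hours * 3600000
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $ms]]" +
         " and EventData[Data[@Name='LogonType']='3']" +
         " and EventData[Data[@Name='TargetUserName']='$Account']]"

$events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No 4624 network logons for '$Account' in the last $Hours hour(s)."
    return
}

# Flatten the named <Data> fields of each event into one row.
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Process = "$($d['LogonProcessName'])".Trim()
        Package = $d['AuthenticationPackageName']
        Source  = $d['IpAddress']
    }
}

# Kerberos vs NTLM counts: NTLM rows mean Negotiate fell back from Kerberos.
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# Show the most recent non-Kerberos logons with their source address.
$rows | Where-Object { $_.Package -ne 'Kerberos' } |
    Sort-Object Time -Descending |
    Select-Object -First 10 Time, User, Process, Package, Source |
    Format-Table -AutoSize
```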


Comments (24)

  1. John says:

    Hi Russmax,

    Great post.

    Also, will SharePoint Foundation use FBA the same way wss v3.0 used FBA?



  2. johnwpowell says:

    Great post!  I found that you need to set the spn first.  Otherwise, the Delegation tab will not be present.

  3. Golfrocker says:

    Any plans for Part II?????

  4. Albert says:


    Worked well after getting it right :). When setting the SPN I could not use the short machine name (moss) for the site, but it worked when I used the full machine name though (

    Thanx, Albert

  5. mcodyw says:

    So does this mean we don't need to set the msspservername:32843 SPN like we did in 2007 (using 56xxx?) to get all of the web services (especially Excel and PPS) to run in Kerberos?


  6. Fabio says:


    Could you explain this: MACHINE/WEBROOT/APPHOST? I cannot find Application.config but only applicationHost.config: is it the same?

    Kind Regards

  7. Daniel Sanders says:

    Thank you so much, it worked perfectly.

    I've been trying to configure Kerberos on my web app for two days now – the technet guides are not very accurate.

  8. Timm says:


    Step 3 must be done before Step 2 can be done though.  The Delegation tab will not appear on the account properties until the SPN has been set.

  9. Russ Maxwell says:

    Timm, you are correct!  Good catch and will fix now…

  10. jpalo says:

    Thanks! Solved our kerberos problem on MOSS 2007 and Performance Point Server. Never would've thought this was IIS issue 🙂

  11. Amir says:

    Thanks for this guide,

    Just to be sure, can we configure Kerberos on web applications that have already been created using NTLM? We are in a production environment and we hope we don't have to change the app pool identities or recreate the web apps.

    Looking forward to your response.

  12. Mark_N says:

    The Microsoft whitepaper "Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products" states that SharePoint 2010 does not support kernel mode in IIS. Quote:

    Verify Kernel Mode Authentication is disabled

    Kernel mode authentication is not supported in SharePoint Server 2010. By default all SharePoint Web Applications should have Kernel Mode Authentication disabled by default on their corresponding IIS web sites. Even in situations where the web application was configured on an existing IIS web site, SharePoint will disable kernel mode authentication as it provisions a new web application on the existing IIS site.


  13. Umar says:

    Very nice. It works only when I am logged in on my machine as me.

    If I try to sign in as a different user on my machine (while logged in as me), the site does not respond.

  14. Dre says:

    Any response to Mark N's comment about kernel mode not being supported in 2010 Sharepoint?

  15. Russ Maxwell says:

    Hello Dre and Mark_N,

    I agree 100% with the authors/contributors of the whitepaper.  Kernel mode auth is not supported so will update this blog to reflect this.

    Thanks for bringing this to my attention.  

    Russ Maxwell, MSFT

  16. Andy says:


    I have the same question as Fabio, and I tried to run appcmd at the cmd prompt and it doesn't exist.

    Any suggestions?

  17. Nitin says:

    I did the steps that you mentioned in this blog (also used the 'Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products' document), but when I open the corresponding web application it prompts for username and password repeatedly. I'm giving the correct user name and password but the web page still fails to load. Please help me.

  18. rojomisin says:

    Step 1 didn't work for me, you must use the following command:

    C:\Windows\System32\inetsrv>appcmd.exe set config "IIS site name" /section:windowsauthentication /useAppPoolCredentials:true /commit:apphost /debug

    where "IIS Site name" is the name of the site you want to apply to.  To get a list you can issue the command:

    C:\Windows\System32\inetsrv>appcmd.exe list site

  19. Nitin says:

    I followed the steps said by rojomisin also. But still it is not working….

  20. Reginald Richardson says:


    I notice that you are enabling Kerberos for the WEB APPLICATION.  I am currently working with my team to install SharePoint 2010 on our servers.  There will be three instances of the environment on 3 virtual servers.  We have created 9 service accounts, 3 of which I have been told need to have SPNs created.  Why do we need SPNs for the service accounts when we don't even have a web application created yet?  We are just installing!!

  21. BlueSky2010 says:

    Very concise and neat how-to guide. Thanks Mark!!

    Regarding your Step 1: I find setting useAppPoolCredentials through IIS Configuration manager easy to remember (below is a ref. – for your readers) 🙂…/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx

  22. BlueSky2010 says:

    I mean Russ NOT Mark (who is Mark?) 🙂

  23. Richard Pettigrew says:

    Hi folks,

    So far so good, I have SP 2010 foundation installed and working on Server 2012 R2. I've completed the installation of my single server farm and created my first web app. All done without seeing any errors!

    I wish to implement Kerberos auth rather than NTLM auth for the site.

    I came across this article:…/configuring-kerberos-authentication-in-sharepoint-2010-part-1.aspx

    The part I am stuck with is the "application.config" file. I cannot find it in c:\windows\system32\inetsrv\config on Server 2012 R2. Is this something to do with the IIS version being 8 on 2012 R2 and not IIS 7 as described in the blog article?

    In IIS 8 it seems the closest match is "applicationHost.config" and the innards of the file are a different structure.

    Is anybody able to advise on this aspect of the configuration?

    Many thanks….

  24. BlueSky2010 says:

    Million thanks Russ – easy and simple guide to follow.
    As for the Step 1 – I used the GUI version as explained here:
    Hope this helps someone out there.