MOSS and Kerberos Deployment


During a recent POC, I was reminded (again) that the double-hop problem is a thorn in the side. For those living on another planet or under a big rock who haven't heard of or experienced the double-hop: it occurs when our SharePoint page (or Web Parts on the page) attempts to access resources on a server different from the SharePoint Web server. In our scenario, we were utilizing Excel Services to present data contained inside a SQL Analysis Services cube. In order to do everything we needed to do, we had to configure Kerberos for the MOSS installation. Although it's not rocket science, it can be painful the first time through. I had done this a couple of times and had surprisingly written down some notes... go figure...


Today I was browsing some blog posts and came across this 2-part description and thought I would share it.


Configuring Kerberos for SharePoint 2007: Part 1 - Base Configuration for SharePoint


Configuring Kerberos for SharePoint 2007: Part 2 - Excel Services and SQL Analysis Services 


</steve>

Comments (4)

  1. jcm.net says:

    I have followed all steps precisely in Martin Kearn’s Kerberos part 1 post. Still no luck, can’t load anything on server except CA. I have enabled Kerberos debugging. Do I need to create an SPN for the search users? I have 2 MOSS servers, 64-bit, 1 for CA/web and the other for search/index. I have SPNs set up correctly for CA/Web, but what about the Search/Index box? Thanks for any help you can provide.

  2. Give it a REST! [Via: Anil John ] GWT a Year Later: Was it the correct level of abstraction? [Via: Dietrich…

  3. JeremeW says:

    Yes, all of your accounts must have SPNs. In my case I did it this way:

    Use the Setspn.exe tool to add an SPN for the domain account. To do so, type the following line at the command prompt, and then press ENTER:

    setspn -A HTTP/[ServerName].Microsoft.com microsoftSRV_OSS_DEV_Farm

    setspn -A HTTP/[ServerName].Microsoft.com microsoftSRV_OSS_DEV_App001

    setspn -A HTTP/[ServerName] microsoftSRV_OSS_DEV_App001

    setspn -A HTTP/[ServerName].Microsoft.com microsoftSRV_OSS_DEV__SSPROC

    setspn -A HTTP/[ServerName] microsoftSRV_OSS_DEV__SSPROC

    setspn -A HTTP/[ServerName].Microsoft.com microsoftSRV_OSS_DEV_App002

    setspn -A HTTP/[ServerName] microsoftSRV_OSS_DEV_App002

    Second Step

    To configure the IIS server to be trusted for delegation using a domain account, follow these steps:

    1. Start Active Directory Users and Computers.

    2. In the left pane, click Computers.

    3. In the right pane, right-click the name for each of these IIS servers, and then click Properties.

    4. Click the General tab, click to select the Trust computer for delegation check box, and then click OK.

    a. microsoftportaldev02

    b. microsoftportaldev03

    c. microsoftindexdev01

    5. Quit Active Directory Users and Computers.

  4. What about Kerberos in SharePoint 2007… From Steve Carvajal's Blog, some links to Martin Kearn's
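A check for the kind of SPN registrations listed in JeremeW's comment, as an added example that is not code from the post or its commenters: it flags an SPN held by more than one account, which makes Kerberos authentication to that name fail, and accounts that hold only the FQDN or only the short form of a host. The function name `Find-SpnProblem` and every account, domain and host name in the sample are constructed for illustration.

```powershell
# Constructed sample of (account, SPN) registrations. The domain, host and
# account names are placeholders and do not come from the post.
$sample = @(
    [pscustomobject]@{ Account = 'CONTOSO\svc_farm';   Spn = 'HTTP/portal01.contoso.example' }
    [pscustomobject]@{ Account = 'CONTOSO\svc_app001'; Spn = 'HTTP/portal01.contoso.example' }
    [pscustomobject]@{ Account = 'CONTOSO\svc_app001'; Spn = 'HTTP/portal01' }
    [pscustomobject]@{ Account = 'CONTOSO\svc_app002'; Spn = 'HTTP/portal02.contoso.example' }
)

# Find-SpnProblem is a hypothetical helper name. It assumes SPNs of the form
# class/host with no port or instance suffix.
function Find-SpnProblem {
    param([Parameter(Mandatory = $true)] [object[]] $Registration)

    # Check 1: one SPN on several accounts. The KDC cannot tell which
    # account's key to use, so Kerberos authentication to that name fails.
    foreach ($g in ($Registration | Group-Object Spn)) {
        $owners = @($g.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Issue = 'DuplicateSpn'; Spn = $g.Name; Accounts = $owners -join ', ' }
        }
    }

    # Check 2: an account that holds only the FQDN form or only the short
    # form of a host. Clients request the form that appears in the URL.
    foreach ($g in ($Registration | Group-Object Account)) {
        $spns = @($g.Group | ForEach-Object { $_.Spn })
        foreach ($spn in $spns) {
            $class, $hostPart = $spn -split '/', 2
            $short = ($hostPart -split '\.')[0]
            if ($hostPart -like '*.*') {
                $paired = $spns -contains "$class/$short"
            } else {
                $paired = @($spns | Where-Object { $_ -like "$class/$short.*" }).Count -gt 0
            }
            if (-not $paired) {
                [pscustomobject]@{ Issue = 'UnpairedHostForm'; Spn = $spn; Accounts = $g.Name }
            }
        }
    }
}

Find-SpnProblem -Registration $sample | Format-Table -AutoSize
```

Against a live domain, `setspn -X` (Windows Server 2008 and later) reports duplicate SPNs directly.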
