Mastering SharePoint

Kerberos

Latest post Thu, Oct 30 2008 10:25 PM by ianbagnald. 11 replies.
  • Sat, Jun 21 2008 5:44 PM

    • cgeier
    • Top 25 Contributor
    • Joined on Thu, Jun 12 2008
    • Posts 5

    Kerberos

    I am curious how many people are using Kerberos on their MOSS sites vs NTLM?  If you are using Kerberos how hard was it to get working? 

  • Tue, Aug 5 2008 9:51 AM In reply to

    Re: Kerberos

I had a difficult time setting up Kerberos for our site and decided to postpone it for a later time.  I will be trying again next week and see if I can get past the HTTP 401.1 error that I kept getting when I tried accessing the SSP admin site.  The best documentation I have seen out on the web is by Martin Kearns - it's a 2 part series on Kerberos and he really details it out very well.  I will post my experience when I tackle this again next week.


  • Fri, Aug 8 2008 12:20 PM In reply to

    Re: Kerberos

    Hi Irina,

    I prefer Kerberos for many reasons; greater security and it helps reduce the "double-hop" issues found with NTLM.

  • Fri, Aug 8 2008 5:06 PM In reply to

    • benmcmann
    • Top 10 Contributor
      Male
    • Joined on Tue, Jun 10 2008
    • Dallas, TX
    • Posts 16

    Re: Kerberos

    We have had a lot of experience in configuring Kerberos for our clients - as it should be the default choice for SharePoint implementations.

    Here's the process to go through:

    Step 1: Ensure MOSS servers are configured correctly.

    Your MOSS server must be running:

    • Windows Server 2003 SP2
    • Internet Explorer 7
    • MOSS (either with or without SP1)

    Step 2: Set SPNs

    The first thing you need to do in order to enable Kerberos for SharePoint is configure Service Principal Names (SPNs) for your SharePoint service accounts in Active Directory.

    SPNs are used by Kerberos to ensure that only certain accounts have permission to delegate a specific service on a user's behalf. An SPN needs to be configured for each necessary service and port. SPNs are configured by using SetSPN.exe, which is a command line tool provided as part of the Windows 2003 Resource Kit.

    You will need to configure SPNs for the user account(s) necessary for:

    • SQL Server communication from the MOSS farm
    • Your MOSS portal
    • SharePoint Central Administration (OPTIONAL)

    Microsoft indicates that you can also configure SPNs for the user account running your Shared Service Provider. We do not recommend this practice because of unusual issues we have experienced. Also note that the Office SharePoint Server Web Services do not work under Kerberos.

    THE FOLLOWING COMMANDS MUST BE RUN BY A DOMAIN ADMINISTRATOR!

    Create a batch file with these two lines for each of your servers:

    <path>\setspn.exe -A http/netbiosname domain\serviceaccount
    <path>\setspn.exe -A http/fqdn domain\serviceaccount
    <path>\setspn.exe -A MSSQLSvc/sqlserver:1433 domain\serviceaccount
    <path>\setspn.exe -A MSSQLSvc/sqlserver.domain.com:1433 domain\serviceaccount

    Step 3: Enable Kerberos on your web applications

    Kerberos is a protocol which can be set on an IIS web application. Remember that in MOSS you have many different web applications:

    • Your portal is a web application
    • So is Central Administration
    • My Site, if you choose to make it a separate web application
    • The Office Server Web Services run under a web application
    • And, finally, your Shared Service Provider

    The only web application which you must place under Kerberos is the portal web application, since this is probably why you are configuring Kerberos in the first place. You must not place the Office Server Web Services under Kerberos, since this is not supported. If you choose to enable Kerberos in your environment I would avoid running anything associated with Shared Services using any account you have placed under Kerberos.

    In MOSS 2007, the switch between Kerberos and NTLM is very simple and is undertaken via Central Administration.

    If you are creating your farm from scratch, be sure to set Central Administration itself to use Kerberos which you can set as part of the 'SharePoint Products and Technologies Configuration Wizard', however if the farm is pre-created you can easily enable Kerberos by following these steps:

    • Open Central Administration
    • Navigate to Application Management > Authentication Providers
    • Choose the web application you wish to configure from the drop-down in the top right corner (this includes the Central Administration web application)
    • Click on 'Default'
    • Set the authentication to Negotiate (Kerberos)
    • IISRESET

    How do you know it has worked?

    The easiest way to check is to look at your security log in the event log for a successful authentication for a user and open it up. If it has entries that look like this:

    Logon Process: Kerberos

    Authentication Package: Kerberos

    It's working fine. If they look like this:

    Logon Process: NtLmSsp

    Authentication Package: NTLM

    Then you have missed something.

    Some other things you can check:

    • Do your web applications work from a client computer? If they do, then this is a good sign
    • Make sure all the servers in the loop (MOSS, SQL and Domain Controllers) have the same time set. Inconsistent time settings are one of the primary causes of Kerberos related issues.

    Hope this helps with your install of Kerberos.

    Ben McMann
    Tribridge
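One way to script Ben's SPN step and his event-log check, as an added example that is not code from this thread or from Tribridge; the account names, host names, the setspn.exe path and the constructed farm plan are assumptions:

```powershell
# Added example, not from the thread. Constructed farm plan: HTTP SPNs for the
# portal and Central Administration hosts (NetBIOS and FQDN) and MSSQLSvc SPNs
# for the SQL instance, mirroring Ben's batch file. Run as a domain admin.
$SetSpn = "$env:windir\system32\setspn.exe"   # assumed path; on 2003 point at the Resource Kit copy

$Farm = @{
    'CONTOSO\svc-portal' = @('HTTP/portal', 'HTTP/portal.contoso.com')
    'CONTOSO\svc-ca'     = @('HTTP/moss01', 'HTTP/moss01.contoso.com')
    'CONTOSO\svc-sql'    = @('MSSQLSvc/sql01:1433', 'MSSQLSvc/sql01.contoso.com:1433')
}

function Get-RegisteredSpn([string]$Account) {
    # "setspn -L" prints a header line, then one indented SPN per line.
    & $SetSpn -L $Account 2>$null |
        Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }
}

function Register-FarmSpn([hashtable]$Plan, [switch]$DryRun) {
    foreach ($account in $Plan.Keys) {
        $existing = @(Get-RegisteredSpn $account)
        foreach ($spn in $Plan[$account]) {
            if ($existing -contains $spn) {
                Write-Host "present  $spn -> $account"
                continue
            }
            Write-Host "adding   $spn -> $account"
            # -A does not check other accounts; a duplicate SPN breaks Kerberos.
            # Where your setspn supports -S, use it instead: it refuses duplicates.
            if (-not $DryRun) { & $SetSpn -A $spn $account | Out-Null }
        }
    }
}

function Get-LogonProcessSummary([int]$Newest = 500) {
    # Ben's check, automated: count recent Security-log logons by "Logon Process".
    # "Kerberos" is what you want; "NtLmSsp" means the client fell back to NTLM.
    Get-EventLog -LogName Security -Newest $Newest |
        ForEach-Object {
            if ($_.Message -match 'Logon Process:\s*(\S+)') { $matches[1] }
        } |
        Group-Object | Select-Object Name, Count
}

Register-FarmSpn $Farm -DryRun      # drop -DryRun to actually register
Get-LogonProcessSummary
```

Run the summary on the MOSS server after IISRESET and a fresh browser logon; a count under NtLmSsp that keeps growing means one of the SPNs, the Negotiate setting or the clock skew Ben mentions is still wrong.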


  • Tue, Aug 12 2008 4:50 PM In reply to

    Re: Kerberos

    Great information Ben.  I couldn't agree with you more; Kerberos should be the default for every MOSS implementation.


  • Wed, Aug 13 2008 5:37 PM In reply to

    Re: Kerberos

    Thanks Ben and Bob - We successfully switched to Kerberos configuration.  Thanks Ben for the tip on how to check the security log - it went so smoothly that I couldn't tell otherwise after I switched from NTLM.

  • Mon, Aug 25 2008 8:31 AM In reply to

    • Robot
    • Top 50 Contributor
    • Joined on Wed, Jul 2 2008
    • Posts 3

    Re: Kerberos

    Is there not an issue trying to poke the port numbers into the SPN?

    Is that why you are prescribing IE7?

    This is the first time I've seen anyone define a need to set an SPN for the MSSQLSvc. Is that really necessary? 

    I've tried a number of times to outline the requirements and they always seem to end up as:

    Set SPNs (the http kind) for all your hosts and the service accounts that support their app pools.  i.e.:

    Hosts = {CA, SSP, MySites, SiteCollection01, SiteCollection02, .. SiteCollectionn}

    Hosts are the URL defined for the web application's host header; for CA it's the machine name AND the machine fully-qualified name.  That's two SPNs.  For the others, it's the host header like "portal" AND the fully qualified host header like "portal.MyFirm.com"

    App Pool IDs = {DBAppPool, SSPAppPool, MySitesAppPool, SiteCollection01AppPool, SiteCollection02AppPool, .. SiteCollectionnAppPool}

    The DBAppPool ID is the one used to create the CA website in the Configuration Wizard.  The others are the app pools used when the associated web application is created in CA.

    When we have a single site collection, that makes eight SPNs.

    The second thing that needs to be done is to set the Trust for Delegation in Active Directory.  In this process, you find the delegation tab in the properties for each of the AppPool IDs AND the machines and check the "Trust for Delegation" option.

    Is that really all there is to it?

    -robot


  • Mon, Aug 25 2008 10:14 AM In reply to

    • benmcmann
    • Top 10 Contributor
      Male
    • Joined on Tue, Jun 10 2008
    • Dallas, TX
    • Posts 16

    Re: Kerberos

    For more information concerning Kerberos, you can read these two posts:

    http://blogs.technet.com/tothesharepoint/archive/2008/08/21/3107508.aspx

    http://technet.microsoft.com/en-us/library/cc263449.aspx

    Thanks,

    Ben


  • Mon, Aug 25 2008 5:19 PM In reply to

    • Robot
    • Top 50 Contributor
    • Joined on Wed, Jul 2 2008
    • Posts 3

    Re: Kerberos

    Thanks, Ben, for the links.

    I am currently in the middle of a challenging install with Kerberos where nothing seems to work.

    If I could just "see" CA, I would feel like I'm making progress.

    How do we resolve the fact that Kerberos will not accept port numbers when CA is on a non-standard port?

    -robot


  • Thu, Aug 28 2008 10:05 AM In reply to

    • NDH
    • Top 75 Contributor
    • Joined on Thu, Aug 28 2008
    • Posts 2

    Re: Kerberos

    If you end up in a BI project, you have to implement Kerberos or Single sign-on. My experience is that I do prefer Kerberos in these situations. Easier to get the Kerberos ticket down to the actual db or cube you're connecting to.

    Still if you have to publish via ISA server there are some major issues when working with MOSS and Reporting services when using Kerberos. Don't know if this is a bug or if it's just poorly documented how to do it.

    So, go Kerberos go!

  • Wed, Sep 24 2008 8:32 PM In reply to

    • ianbagnald
    • Top 25 Contributor
      Male
    • Joined on Thu, Jul 31 2008
    • Halifax
    • Posts 6

    Re: Kerberos

    Hey folks just thought I'd add this

    I was having trouble getting Kerberos authentication working for MOSS and WSS under IIS7 on Server 2008. One of the enhancements for IIS7 is moving kerberos authentication to kernel mode.

    Apparently MOSS doesn't like this and I had to disable kernel mode Kerberos authentication for each web application I was using Kerberos for.

    Now I'd really like to see kernel mode authentication for Kerberos work with MOSS because this is a big improvement! So if anyone knows what needs to be done to make MOSS and kernel mode Kerberos authentication play nice together please post a reply!


  • Thu, Oct 30 2008 10:25 PM In reply to

    • ianbagnald
    • Top 25 Contributor
      Male
    • Joined on Thu, Jul 31 2008
    • Halifax
    • Posts 6

    Re: Kerberos

    Well I've found a couple of notes about IIS7, Kerberos and MOSS on the web.

    It should be possible to enable kernel mode Kerberos authentication in IIS7 for MOSS; you need to edit the ApplicationHost.config file which is in the %windir%\system32\inetsrv\config folder.

    The property that needs to be set is useAppPoolCredentials="true"; otherwise the AppPoolIdentity is not used for Kerberos authentication, and the authentication actually occurs under the credentials of the local system since the authentication is happening in kernel mode (makes sense!).

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

    Here's some references...

    http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx

    http://www.objectsharp.com/cs/blogs/max/
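An added check for the setting ianbagnald describes, not code from this thread or from the linked posts: it reads ApplicationHost.config and flags each site where windowsAuthentication runs in kernel mode without useAppPoolCredentials, so the ticket would be decrypted with the machine account rather than the app pool identity that holds the HTTP SPN. The site names and the sample XML are constructed.

```powershell
# Added example, not from the thread. Audits the windowsAuthentication element
# of every <location> in an applicationHost.config document.
function Get-WinAuthAudit([xml]$Config) {
    foreach ($loc in $Config.SelectNodes('//location[.//windowsAuthentication]')) {
        $wa = $loc.SelectSingleNode('.//windowsAuthentication')
        # IIS 7 defaults when the attribute is absent:
        # useKernelMode = true, useAppPoolCredentials = false
        $kernel    = if ($wa.HasAttribute('useKernelMode')) { [bool]::Parse($wa.useKernelMode) } else { $true }
        $poolCreds = if ($wa.HasAttribute('useAppPoolCredentials')) { [bool]::Parse($wa.useAppPoolCredentials) } else { $false }
        New-Object PSObject -Property @{
            Site               = $loc.path
            Enabled            = ($wa.enabled -eq 'true')
            KernelMode         = $kernel
            AppPoolCredentials = $poolCreds
            # kernel-mode Kerberos with the machine's credentials: the SPN on
            # the app pool account will not match, and clients fall back to NTLM
            NeedsFix           = ($wa.enabled -eq 'true' -and $kernel -and -not $poolCreds)
        }
    }
}

# Constructed sample: one site misconfigured, Central Administration correct.
$sample = [xml]@'
<configuration>
  <location path="SharePoint - portal80">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="SharePoint Central Administration v3">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

Get-WinAuthAudit $sample | Format-Table Site, Enabled, KernelMode, AppPoolCredentials, NeedsFix -AutoSize

# On a live server, audit the real file (path from the post above):
#   Get-WinAuthAudit ([xml](Get-Content "$env:windir\system32\inetsrv\config\applicationHost.config"))
# Fix a flagged site with IIS 7's appcmd, then IISRESET:
#   appcmd set config "SharePoint - portal80" /section:windowsAuthentication /useAppPoolCredentials:true /commit:apphost
```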


Copyright (c) 2008 Mixon Consulting, Inc.