Thursday, April 5, 2012

SharePoint 2010 and Kerberos

A short cheat sheet for enabling Kerberos on an existing SharePoint 2010 web application that is configured in Classic Mode (Windows authentication) and currently uses NTLM.


Scenario: the web application's host name is xyz.company.com and it is served over http on port 80 (so no port is needed in the SPN). The application pool account is domain\poolacnt.


Steps: 
1. Check whether the SPN HTTP/xyz.company.com already exists anywhere in the forest. The service class for an IIS site is HTTP, written with a forward slash, whether the site is served over http or https. If that SPN is already registered on an account other than domain\poolacnt, registering it again for the pool account creates a duplicate SPN, and the KDC will not issue a service ticket for an SPN that maps to two accounts. So either the existing SPN has to be removed from the other account, or a different host name has to be chosen for the web application.


On Windows Server 2008 query it with: setspn -Q HTTP/xyz.company.com
A forest-wide search for duplicate SPNs is: setspn -X


2. Register the SPN for the pool account with setspn -S HTTP/xyz.company.com domain\poolacnt. The -S switch checks the forest for an existing entry before adding; -A adds blindly, which is how duplicates get created. If users also open the site by its short host name, register HTTP/xyz the same way.


3. In Central Administration go to Application Management > Manage web applications, select the web application, click Authentication Providers, open the Default zone and set Integrated Windows authentication to Negotiate (Kerberos). Saving this updates the Windows authentication settings of the IIS site.


4. In IIS 7 select the SharePoint site > Authentication > Windows Authentication > Providers and make sure Negotiate is listed before NTLM; IIS offers the providers to the client in list order. For testing, remove everything from the list and add only Negotiate:Kerberos. That disables the NTLM fallback, so a Kerberos problem shows up as a hard 401 instead of being masked by a silent NTLM logon. Add NTLM back afterwards if clients that cannot do Kerberos still need access. One IIS 7 caveat: if kernel-mode authentication is enabled on the site, IIS decrypts the Kerberos ticket with the machine account rather than the pool account unless useAppPoolCredentials is set to true, so the SPN registered on domain\poolacnt would not be the one that matters.


5. Verify that Kerberos, not NTLM, is actually in use. In Fiddler, look at the Authorization: Negotiate request header: a blob starting with TlRMTVNT is raw NTLMSSP (base64 of "NTLMSSP"), while a large blob starting with YII is a GSS-API/SPNEGO token, normally carrying a Kerberos AP-REQ. On the client, KerbTray (or klist on Windows 7 / Server 2008 R2) should list a service ticket for HTTP/xyz.company.com after the first page load. On the web front end, the Security event log logon events (4624) for the users should show Authentication Package Kerberos rather than NTLM.
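The five steps above as one script, added here as an example and not taken from the original post. It is meant to be run from an elevated PowerShell prompt on a web front end that has setspn.exe (from the AD DS tools) and the SharePoint snap-in. Host name and pool account are the scenario's; the IIS site name "SharePoint - xyz.company.com", the use of the short name xyz, and the SPIisSettings.DisableKerberos route for step 3 (instead of the Central Administration dialog) are assumptions of this example.

```powershell
# Added example (not from the original post): Kerberos cut-over for an existing
# SP2010 classic-mode web application, run on a web front end as a farm admin.
$hostName  = 'xyz.company.com'
$shortName = 'xyz'                            # assumption: users also browse to the short name
$poolAcct  = 'domain\poolacnt'
$siteName  = 'SharePoint - xyz.company.com'   # assumption: name of the IIS site SharePoint provisioned
$appcmd    = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$samName   = $poolAcct.Split('\')[1]

# Steps 1 and 2: query each SPN before registering it. "setspn -Q" prints
# "Existing SPN found!" followed by the DN of the owning object; "-S" refuses
# to add a duplicate, unlike "-A".
foreach ($spn in "HTTP/$hostName", "HTTP/$shortName") {
    $result = (setspn -Q $spn 2>&1) -join "`n"
    if ($result -match 'Existing SPN found') {
        # Heuristic: the DN printed by setspn contains the owner's CN, which for a
        # service account is usually its sAMAccountName. Anything else is a duplicate.
        if ($result -notmatch "CN=$([regex]::Escape($samName)),") {
            throw ("$spn is already registered on another account:`n$result`n" +
                   "Remove it there (setspn -D $spn <otheraccount>) or change the host name.")
        }
        Write-Host "$spn is already registered on $poolAcct"
    } else {
        setspn -S $spn $poolAcct
    }
}
# Forest-wide sweep; any "found N group of duplicate SPNs" line needs cleaning up first.
setspn -X

# Step 3: the Central Administration change (Authentication Providers > Default
# zone > Negotiate (Kerberos)) done through the SharePoint object model instead.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa   = Get-SPWebApplication "http://$hostName"
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa.IisSettings[$zone].DisableKerberos = $false
$wa.Update()
$wa.ProvisionGlobally()

# Step 4: provider list in IIS. For the test window leave only Negotiate:Kerberos
# so a Kerberos failure cannot hide behind an NTLM fallback; add NTLM back later
# if non-Kerberos clients must still get in. With kernel-mode authentication on,
# IIS would decrypt tickets with the machine account unless useAppPoolCredentials
# is true, so check that setting in the same section.
$section = 'system.webServer/security/authentication/windowsAuthentication'
& $appcmd set config "$siteName" "/section:$section" /enabled:true /commit:apphost
& $appcmd set config "$siteName" "/section:$section" "/-providers.[value='NTLM']" /commit:apphost
& $appcmd set config "$siteName" "/section:$section" "/-providers.[value='Negotiate']" /commit:apphost
& $appcmd set config "$siteName" "/section:$section" "/+providers.[value='Negotiate:Kerberos']" /commit:apphost
& $appcmd list config "$siteName" "/section:$section"

# Step 5 (server side): logon events 4624 record the authentication package.
# Network logons (type 3) for domain users should now say Kerberos, not NTLM.
# Needs "Audit logon events" enabled on the web front end.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Logon Type:\s+3' } |
    ForEach-Object {
        $pkg  = if ($_.Message -match 'Authentication Package:\s+(\S+)') { $matches[1] } else { '?' }
        $user = if ($_.Message -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $matches[1] } else { '?' }
        '{0:u}  {1,-10}  {2}' -f $_.TimeCreated, $pkg, $user
    }
# Step 5 (client side), on Windows 7 / Server 2008 R2 (KerbTray on older clients):
#   klist tickets      -> expect a line "Server: HTTP/xyz.company.com @ <REALM>"
```

The SPN checks throw rather than warn on purpose: registering the SPN a second time is exactly what produces the duplicate that the rest of the post describes, so the script stops before step 2 if the name is already owned by someone else.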


Issues faced: due to a duplicate SPN registered with another service account in AD, the behavior I experienced was that the web site repeatedly prompted for user credentials although the credentials were right, and eventually returned HTTP 401. Once we removed the duplicate and waited for replication to complete, this issue was resolved.
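When a site loops on credential prompts like this, the first thing to settle is whether the browser ever sent Kerberos or whether it had already fallen back to NTLM. The function below, an added example that is not part of the original post, does that from the Authorization: Negotiate header value copied out of Fiddler: it decodes the base64 blob and looks at whether it is a raw NTLMSSP message, a bare GSS-API Kerberos token, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanism is listed first (that is the one whose token is attached). The two sample headers are constructed inside the script, with a placeholder where a real AP-REQ would sit; they are not captures from the farm in the post. The New-DerTlv helper exists only to build those samples.

```powershell
# Added example (not from the original post): classify a captured
# "Authorization: Negotiate <base64>" header as Kerberos or NTLM.
function Find-Bytes([byte[]]$Haystack, [byte[]]$Needle, [int]$Start = 0) {
    for ($i = $Start; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

# DER-encoded mechanism OIDs that Windows clients put in SPNEGO tokens.
$oidSpnego  = [byte[]](0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02)                     # 1.3.6.1.5.5.2
$oidKrb5    = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)      # 1.2.840.113554.1.2.2
$oidMsKrb5  = [byte[]](0x06,0x09,0x2A,0x86,0x48,0x82,0xF7,0x12,0x01,0x02,0x02)      # 1.2.840.48018.1.2.2
$oidNtlmssp = [byte[]](0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0A) # 1.3.6.1.4.1.311.2.2.10

function Get-NegotiateTokenKind([string]$AuthorizationHeader) {
    if ($AuthorizationHeader -notmatch '^(Negotiate|NTLM)\s+([A-Za-z0-9+/=]+)\s*$') {
        return 'not Windows authentication'
    }
    $scheme = $matches[1]
    $blob   = [Convert]::FromBase64String($matches[2])
    # Raw NTLMSSP message: the client never obtained a Kerberos ticket.
    if ($blob.Length -ge 8 -and [Text.Encoding]::ASCII.GetString($blob, 0, 7) -eq 'NTLMSSP') {
        return "$scheme / NTLM (raw NTLMSSP, no Kerberos ticket was obtained)"
    }
    if ($blob[0] -ne 0x60) { return "$scheme / unrecognised token" }   # 0x60 = GSS-API InitialContextToken
    $start = Find-Bytes $blob $oidSpnego
    if ($start -lt 0) {
        if ((Find-Bytes $blob $oidKrb5) -ge 0) { return "$scheme / Kerberos (bare GSS-API Kerberos token)" }
        return "$scheme / unrecognised GSS-API mechanism"
    }
    # NegTokenInit lists mechTypes before mechToken, and the first OID listed is the
    # mechanism whose token is attached, so the lowest offset after the SPNEGO OID wins.
    $found = @{}
    foreach ($pair in @(@('Kerberos', $oidKrb5), @('Kerberos', $oidMsKrb5), @('NTLM', $oidNtlmssp))) {
        $pos = Find-Bytes $blob $pair[1] ($start + $oidSpnego.Length)
        if ($pos -ge 0 -and -not $found.ContainsKey($pos)) { $found[$pos] = $pair[0] }
    }
    if ($found.Count -eq 0) { return "$scheme / SPNEGO with no known mechanism" }
    $first = ($found.Keys | Sort-Object)[0]
    return "$scheme / SPNEGO, optimistic mechanism = $($found[$first])"
}

# Helper used only to build the constructed samples: tag + DER length + content.
function New-DerTlv([byte]$Tag, [byte[]]$Content) {
    $len = $Content.Length
    if ($len -lt 0x80)      { $hdr = [byte[]]($Tag, $len) }
    elseif ($len -lt 0x100) { $hdr = [byte[]]($Tag, 0x81, $len) }
    else                    { $hdr = [byte[]]($Tag, 0x82, [int][math]::Floor($len / 256), ($len -band 0xFF)) }
    return [byte[]]($hdr + $Content)
}

# Constructed sample 1: an NTLMSSP NEGOTIATE message, what an NTLM fallback looks like.
$ntlmType1 = [byte[]]([Text.Encoding]::ASCII.GetBytes('NTLMSSP') + @(0, 1,0,0,0, 0x07,0x82,0x08,0xA2) + (@(0) * 16))
$hdrNtlm   = 'Negotiate ' + [Convert]::ToBase64String($ntlmType1)

# Constructed sample 2: SPNEGO NegTokenInit with mechTypes [MS-KRB5, KRB5, NTLMSSP] and a
# 300-byte placeholder instead of the real AP-REQ (a real one is larger, hence "YII...").
$mechTypes    = New-DerTlv 0x30 ([byte[]]($oidMsKrb5 + $oidKrb5 + $oidNtlmssp))
$mechToken    = New-DerTlv 0x04 ([Text.Encoding]::ASCII.GetBytes('X' * 300))
$negTokenInit = New-DerTlv 0xA0 (New-DerTlv 0x30 ([byte[]]((New-DerTlv 0xA0 $mechTypes) + (New-DerTlv 0xA2 $mechToken))))
$hdrKrb       = 'Negotiate ' + [Convert]::ToBase64String((New-DerTlv 0x60 ([byte[]]($oidSpnego + $negTokenInit))))

Get-NegotiateTokenKind $hdrNtlm
Get-NegotiateTokenKind $hdrKrb
```

If the client is sending a SPNEGO token with Kerberos first and the server still answers 401, the problem is on the server side of the ticket (the SPN owner, as in the duplicate case above, or the account IIS decrypts with); if it is sending raw NTLMSSP, the client never got a ticket and the place to look is the SPN lookup and the client's klist output.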

References:
http://technet.microsoft.com/en-us/library/cc961976.aspx
http://technet.microsoft.com/en-us/magazine/ee914605.aspx
http://technet.microsoft.com/en-us/library/cc738207(v=ws.10).aspx
