We installed SharePoint 2010 on a small web farm (2 servers) without
following the setup instructions. We are facing the double-hop issue. The
setup guide says that we should configure Kerberos before installing
SharePoint, but we can't go back right now. Can we configure Kerberos after
installing SharePoint 2010 on a web farm?
You can easily configure Kerberos after installing SharePoint as well.
Kerberos would basically require the following:
- The web application in question should be running on an application pool
which uses a domain account. So if you have used local accounts to install
and configure SharePoint, then you would need to change the account through
Central Administration (not through IIS). Since there are two servers in
the farm, I assume you might have used domain accounts.
- A Service Principal Name (SPN) has to be registered in the Domain
Controller being used. This is mandatory for the application account you are
using for the web app.
- Kernel Mode Authentication has to be disabled in order to use the App Pool
account for getting the ticket from the KDC.
- Two objects, both the SharePoint server and the service account, should be
delegated in the Domain Controller.
Be aware there are some known issues with Crawl when the site is
running on non-default ports (HTTP: 80 and HTTPS: 443) and configured for
Kerberos authentication. My sincere suggestion would be to use host headers
for all your sites and keep them on default ports to avoid any issues in
getting tickets.
For Kerberos authentication to work correctly, you must create SPNs in AD
DS. If the services to which these SPNs correspond are listening on
non-default ports, the SPNs should include port numbers. This is to ensure
that the SPNs are meaningful. It is also required to prevent the creation
of duplicate SPNs.
When a client attempts to access a resource using Kerberos authentication,
the client must construct an SPN to be used as part of the Kerberos
authentication process. If the client does not construct an SPN that
matches the SPN that is configured in AD DS, Kerberos authentication will
fail, usually with an "Access denied" error.
There are versions of Internet Explorer that do not construct SPNs with
port numbers. If you are using SharePoint Server 2010 Web applications that
are bound to non-default port numbers in IIS, you might have to direct
Internet Explorer to include port numbers in the SPNs that it constructs.
In a farm running SharePoint Server 2010, the Central Administration Web
application is hosted, by default, in an IIS virtual server that is bound
to a non-default port. Therefore, this article addresses both IIS Web sites
that are port-bound and IIS Web sites that are bound to host-headers.
By default, in a farm running SharePoint Server 2010, the .NET Framework
does not construct SPNs that contain port numbers. This is the reason why
Search cannot crawl Web applications using Kerberos authentication if those
Web applications are hosted on IIS virtual servers that are bound to
non-default ports.
We can check on the WFE whether the site is using Kerberos or NTLM
authentication in the Security audit logs. Look for event ID 540 with the
client IP address and package as Negotiate.
Configure Kerberos authentication (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ee806870.aspx
Let me know if you need more details.
Sunil [MSFT]
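The following PowerShell script is an added example, not code from this thread or from Microsoft. It checks, on one SharePoint 2010 web front end, the four prerequisites listed in the answer above (domain app pool account, HTTP SPN on that account with no duplicates, kernel-mode authentication off with Negotiate offered, delegation on both the computer and service account objects) and then reports which authentication package recent logons actually used. It assumes Windows Server 2008 R2 with the ActiveDirectory and WebAdministration modules and the SharePoint 2010 snap-in available; the web application URL and account name are placeholders. Because the server is 2008 R2, the logon event it reads is 4624, the successor of event 540 on Server 2003.

```powershell
# Added example, not code from the thread or from Microsoft: checks the
# Kerberos prerequisites from the answer above on one SharePoint 2010 WFE.
# Assumes Windows Server 2008 R2, the ActiveDirectory and WebAdministration
# modules (RSAT / IIS 7.5) and the SharePoint 2010 snap-in. The URL and
# account names below are placeholders.
function Test-SPKerberosPrereqs {
    param(
        [string]$WebAppUrl   = "http://intranet.contoso.com",   # assumed web app (default zone)
        [string]$AppPoolUser = "CONTOSO\svc_spcontent"          # assumed app pool domain account
    )
    Import-Module ActiveDirectory
    Import-Module WebAdministration
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

    $problems = @()

    # 1. App pool identity, read through SharePoint (the farm's view), not IIS.
    $webApp   = Get-SPWebApplication $WebAppUrl
    $poolAcct = $webApp.ApplicationPool.Username
    if ($poolAcct -notmatch '^[^\\]+\\[^\\]+$' -or
        $poolAcct -match "^($env:COMPUTERNAME|NT AUTHORITY|IIS APPPOOL)\\") {
        $problems += "App pool runs as '$poolAcct', which is not a domain account"
    }

    # 2. The HTTP SPN the client will build: host from the URL, port only if non-default.
    $uri = [Uri]$WebAppUrl
    $spn = "HTTP/$($uri.Host)"
    if (-not $uri.IsDefaultPort) { $spn += ":$($uri.Port)" }
    $sam  = $AppPoolUser.Split('\')[1]
    $acct = Get-ADUser -Identity $sam -Properties ServicePrincipalNames, TrustedForDelegation, msDS-AllowedToDelegateTo
    if ($acct.ServicePrincipalNames -notcontains $spn) {
        $problems += "SPN '$spn' is not on $AppPoolUser; register it with: setspn -S $spn $AppPoolUser"
    }
    # A duplicate SPN (same name on two objects) makes the KDC refuse the ticket request.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        $problems += "SPN '$spn' is registered on more than one object: $($owners.Name -join ', ')"
    }

    # 3. Kernel-mode auth off and Negotiate offered, on the IIS site of the default zone.
    $zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $siteName = $webApp.IisSettings[$zone].ServerComment
    $winAuth  = "system.webServer/security/authentication/windowsAuthentication"
    $site     = "IIS:\Sites\$siteName"
    $kernel   = Get-WebConfigurationProperty -PSPath $site -Filter $winAuth -Name useKernelMode
    if ($kernel.Value) {
        $problems += "Kernel-mode authentication is still enabled on IIS site '$siteName'"
    }
    $providers = (Get-WebConfigurationProperty -PSPath $site -Filter $winAuth -Name providers).Collection |
                 ForEach-Object { $_.value }
    if ($providers -notcontains "Negotiate") {
        $problems += "IIS site '$siteName' does not offer Negotiate, so clients can only fall back to NTLM"
    }

    # 4. Delegation on both objects: this server's computer account and the service account.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties TrustedForDelegation, msDS-AllowedToDelegateTo
    foreach ($obj in @($computer, $acct)) {
        $unconstrained = $obj.TrustedForDelegation
        $constrained   = @($obj.'msDS-AllowedToDelegateTo').Count -gt 0
        if (-not ($unconstrained -or $constrained)) {
            $problems += "$($obj.Name) is not trusted for delegation"
        }
    }
    return $problems
}

# Which package authenticated recent logons on this WFE. On Server 2008 R2 the
# logon event is 4624 (540 is the Server 2003 ID); AuthenticationPackageName is
# 'Kerberos' or 'NTLM' even when the client negotiated through Negotiate.
function Get-SPLogonPackages {
    param([int]$Last = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Last |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'AuthenticationPackageName' }).'#text'
        } | Group-Object | Select-Object Name, Count
}

$issues = @(Test-SPKerberosPrereqs)
if ($issues.Count -eq 0) { "All Kerberos prerequisites look satisfied on $env:COMPUTERNAME" }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
Get-SPLogonPackages
```

Run it as a farm administrator on each WFE after changing the app pool account in Central Administration. The SPN check builds the same `HTTP/host[:port]` string a client would, so a web application on a non-default port shows up immediately as a missing or mismatched SPN. The delegation check accepts either setting, but constrained delegation (listing only the back-end SPNs the WFE needs to reach) is the safer choice: with "any service (Kerberos only)" the server can present any user's ticket to any service in the domain.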
I followed the guide provided by Microsoft, "SP2010 Kerberos Guide", but when I tried to log in to the site, the User Credential window popped up as I logged in as local administrator, and when I entered the credentials correctly it did not accept them, asked three times, and a blank page came up. The scenario is the same even when I log in as the domain user who is also an administrator for the site. Please let me know where I have gone wrong.
> On Monday, May 17, 2010 10:24 AM LemonWithMint wrote:
>> On Wednesday, May 19, 2010 4:53 AM sunil wrote:
I had the same problem. I was able to log in from any domain except for the one my SharePoint server was on.
I had to log into my Active Directory, go to the Computers section, right-click on my SharePoint server name and go to Properties. Go to the Delegation tab and select "Trust this user for delegation to any service (Kerberos only)".