Sharepoint 2010 Forum


Can we configure Kerberos after installing SharePoint 2010 on web

  Asked By: Karissa    Date: Mar 07    Category: Sharepoint 2010    Views: 3897

We installed SharePoint 2010 on a small web farm (2 servers) without
following the setup instructions. We are facing the double hop issue. The
setup guide says that we should configure Kerberos before installing
SharePoint, but we can't go back right now. Can we configure Kerberos after
installing SharePoint 2010 on a web farm?

1 Answer Found

Answer #1    Answered By: Sharonda Mcfarland     Answered On: Mar 07

You can easily configure Kerberos after installing SharePoint as well.

Kerberos would basically require the following:

- The web application in question should be running on an application pool
which uses a Domain Account. So if you have used local accounts to install
and configure SharePoint then you would need to change the account through
Central Administration (not through IIS). Since there are two Servers in
the farm, I assume you might have used Domain Accounts.

- A Service Principal Name (SPN) has to be registered in the Domain Controller
being used. This is mandatory for the application account you are using for web

- Kernel Mode Authentication has to be disabled in order to use App Pool
Account for getting the Ticket from KDC.

- Two objects, both the SharePoint Server and the Service Account, should be
delegated in the Domain Controller.

Be aware there are some known issues with Crawl when the site is
running on non-default ports (HTTP: 80 and HTTPS: 443) and configured for
Kerberos authentication. My sincere suggestion would be to use host headers
for all your sites and keep them on default ports to avoid any issues in
getting tickets.

For Kerberos authentication to work correctly, you must create SPNs in AD
DS. If the services to which these SPNs correspond are listening on
non-default ports, the SPNs should include port numbers. This is to ensure
that the SPNs are meaningful. It is also required to prevent the creation
of duplicate SPNs.

When a client attempts to access a resource using Kerberos authentication,
the client must construct an SPN to be used as part of the Kerberos
authentication process. If the client does not construct an SPN that
matches the SPN that is configured in AD DS, Kerberos authentication will
fail, usually with an "Access denied" error.

There are versions of Internet Explorer that do not construct SPNs with
port numbers. If you are using SharePoint Server 2010 Web applications that
are bound to non-default port numbers in IIS, you might have to direct
Internet Explorer to include port numbers in the SPNs that it constructs.
In a farm running SharePoint Server 2010, the Central Administration Web
application is hosted, by default, in an IIS virtual server that is bound
to a non-default port. Therefore, this article addresses both IIS Web sites
that are port-bound and IIS Web sites that are bound to host-headers.

By default, in a farm running SharePoint Server 2010, the .NET Framework
does not construct SPNs that contain port numbers. This is the reason why
Search cannot crawl Web applications using Kerberos authentication if those
Web applications are hosted on IIS virtual servers that are bound to
non-default ports.

We can check on the WFE whether the site is using Kerberos or NTLM authentication
in the Security Audit logs. Look for event ID 540 with the client IP address and
package as Negotiate.

Configure Kerberos authentication (SharePoint Server 2010)
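The SPN point in the answer above (HTTP/host, plus HTTP/host:port for sites on non-default ports, and no duplicates) can be verified from a domain-joined server. This is an added example, not code from the thread or from Microsoft; the URL `intranet.contoso.local:8080` and account `svc_spweb` are hypothetical placeholders.

```powershell
# Added example: checks that the SPNs a Kerberos client would build for a
# SharePoint web application exist in AD and belong to the app pool account.
# Assumes a domain-joined machine; the URL and account below are made up.

function Get-ExpectedSpn {
    param([Parameter(Mandatory)][uri]$Url)
    # Clients build HTTP/<host>; on a non-default port the SPN must also
    # carry the port, otherwise the KDC cannot find a matching principal.
    $isDefault = ($Url.Scheme -eq 'http'  -and $Url.Port -eq 80) -or
                 ($Url.Scheme -eq 'https' -and $Url.Port -eq 443)
    $spns = @("HTTP/$($Url.Host)")
    if (-not $isDefault) { $spns += "HTTP/$($Url.Host):$($Url.Port)" }
    return $spns
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Returns the sAMAccountName of every AD object that carries this SPN.
    # More than one owner means a duplicate SPN, which breaks ticket issuance.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

function Test-SharePointSpn {
    param(
        [Parameter(Mandatory)][uri]$Url,
        [Parameter(Mandatory)][string]$AppPoolAccount   # sAMAccountName of the domain app pool account
    )
    foreach ($spn in Get-ExpectedSpn -Url $Url) {
        $owners = @(Find-SpnOwner -Spn $spn)
        $state = if ($owners.Count -eq 0) { 'MISSING' }
                 elseif ($owners.Count -gt 1) { 'DUPLICATE' }
                 elseif ($owners[0] -ieq $AppPoolAccount) { 'OK' }
                 else { 'WRONG ACCOUNT' }
        [pscustomobject]@{ SPN = $spn; State = $state; Owners = ($owners -join ',') }
    }
}

# Hypothetical farm values; replace with your web application URL and account.
Test-SharePointSpn -Url 'http://intranet.contoso.local:8080' -AppPoolAccount 'svc_spweb' |
    Format-Table -AutoSize
```

Any row other than OK needs fixing before Kerberos will work for that site: MISSING means the SPN was never registered, DUPLICATE means two accounts claim it, and WRONG ACCOUNT means it is registered to something other than the app pool identity set in Central Administration.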