Sharepoint Forum


Kerberos Configuration

  Asked By: Lucas    Date: Jul 17    Category: Sharepoint    Views: 1117

I have to deploy a server farm (2 WFEs, 1 Index, 1 SQL) using Kerberos. I've
done a lot of research but cannot come to a consensus of what is best practice.
Here are my questions:

1. Is it better to deploy the server farm using NTLM, make sure
everything works and then enable Kerberos afterwards?
2. Do you have to configure Kerberos for communication with SQL? If you do, is
this account not the same as the Farm Service Account that you grant access as
dbcreator and securityadmin in SQL?
3. I plan on using only 4 accounts: Farm Service, App Pool Service (for all web
apps), Search Service, and Content Access Service. Is this sufficient?
4. What does this statement mean: "Only register the SPN to a single account, or
you will get duplicate SPN registrations"?
5. Based on the accounts I will be using in #4 above, I will have to create 6
SPNs: Farm Service (NetBIOS, FQDN), App Pool Service for My Site (NetBIOS,
FQDN), and App Pool Service for SSP (NetBIOS, FQDN), is this correct?



3 Answers Found

Answer #1    Answered By: Hema Pasupuleti     Answered On: Jul 17

My personal opinion is to set up Kerberos from the get-go. Start with getting SQL
prepped. Install SQL Management Studio on a workstation, and connect to the
database. Run a simple SQL query to make sure you see KERBEROS in the return:
select auth_scheme from sys.dm_exec_connections where session_id=@@spid. Make
sure your computer accounts are trusted for delegation, and make sure your service
accounts do not have the same SPNs registered to multiple accounts. If you're
using Server 2008, you can use setspn -X to find duplicates in AD. There are other
ways to get it from 2003...

Download DelegConfig from
(blogs.iis.net/brian-murphy-booth/default.aspx). Put it into the _layouts
directory, and make it an application. Specify the AppPool you're using for your
web application, and this will also give you some good pointers / areas to
troubleshoot. Read through the documentation on this tool. It's short/sweet
...and will save you headaches!

Answer #2    Answered By: Candis Kinney     Answered On: Jul 17

1. Yes
2. Yes. App Pool too, not just Farm.
3. You decide. Good enough for many. Excess for some.
4. Do not register the same service-host-port to different principals at the
same time. Otherwise, Kerberos will be unable to resolve which identity to
use when verifying the SPN. E.g. do not register HTTP/server:port for both the
machine and the app pool account.
5. ...
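
A pre-deployment check for items 4 and 5 of the question, covering the duplicate-SPN warning in Answer #2 and the setspn -X and auth_scheme checks in Answer #1. This is an added PowerShell example, not code from any post; it assumes the RSAT ActiveDirectory and SqlServer modules are installed, and the account and host names are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and the SqlServer module; account and host names below are constructed
# placeholders for a farm like the one in the question.
Import-Module ActiveDirectory

# Planned SPNs: NetBIOS and FQDN for each HTTP identity (question item 5),
# plus MSSQLSvc on the SQL Server service account (Answer #3).
$planned = @(
    @{ Sam = 'svc-apppool-mysite'; Spns = 'HTTP/mysite', 'HTTP/mysite.contoso.local' },
    @{ Sam = 'svc-apppool-ssp';    Spns = 'HTTP/ssp',    'HTTP/ssp.contoso.local' },
    @{ Sam = 'svc-sql';            Spns = 'MSSQLSvc/sql01.contoso.local:1433' }
)

# Answer #2: one service/host[:port] may live on exactly one principal.
# For each planned SPN, find every object in the domain that already holds it.
$conflicts = foreach ($entry in $planned) {
    foreach ($spn in $entry.Spns) {
        $holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                                -Properties sAMAccountName
        foreach ($holder in $holders) {
            if ($holder.sAMAccountName -ne $entry.Sam) {
                # The same SPN on another account (e.g. the machine account)
                # leaves the KDC unable to pick an identity for the ticket.
                [pscustomobject]@{ Spn = $spn; Planned = $entry.Sam; Held = $holder.sAMAccountName }
            }
        }
    }
}

if ($conflicts) {
    $conflicts | Format-Table -AutoSize
    Write-Warning 'Remove the stray registrations (setspn -D) before registering the planned ones.'
} else {
    # setspn -S refuses to add an SPN that already exists anywhere in the forest.
    foreach ($entry in $planned) {
        foreach ($spn in $entry.Spns) { setspn -S $spn $entry.Sam }
    }
}

# Answer #1: forest-wide duplicate scan (Server 2008+ setspn), then confirm the
# SQL connection actually negotiated Kerberos rather than falling back to NTLM.
setspn -X
Invoke-Sqlcmd -ServerInstance 'sql01.contoso.local' `
    -Query 'select auth_scheme from sys.dm_exec_connections where session_id = @@spid'
```

Run the SQL check from a workstation, not from the SQL host itself, since a local connection can report a scheme that does not reflect what the web front ends will negotiate.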

Answer #3    Answered By: Cora Bradshaw     Answered On: Jul 17

You don't have to enable Kerberos for SQL Server, but it is recommended. The
account you need to set the SPN on is the SQL service account, not the farm account. If you
have registered the same SPN for more than one account in the whole domain, Kerberos will
fail for either one.
