Sharepoint Forum


Kerberos Troubles

  Asked By: Mital    Date: Apr 02    Category: Sharepoint    Views: 1003

I was hoping to get some advice on what might be going on with our
environment and Kerberos.

2 WFE (located in DMZ)
1 App Server (not in DMZ) runs SSP and Excel Services
DB Cluster (not in DMZ)

We have ports punched for 88, 369.

We are having difficulty getting the authentication to work from the
client to the WFE. What is the typical method used for authentication
from the client to the WFE over the internet (i.e. the user is not
connected to the network)? NTLM works but not Kerberos? Is it even
possible to use Kerberos when not connected to the domain? What are we

We need Kerberos for passing credentials to the app server; we are
missing something here. This is our first time setting up Kerberos in
this large of an environment, so I apologize if this is a simple
question. NTLM will authenticate us to the WFE, but then we can't pass
credentials over to the App server.



10 Answers Found

Answer #1    Answered By: Irene Moss     Answered On: Apr 02

Correct - the clients must be in a trusted domain to use Kerberos - see
technet.microsoft.com/en-us/library/cc263449.aspx . Specifically:

About Kerberos authentication

Kerberos is a secure protocol that supports ticketing authentication. A
Kerberos authentication server grants a ticket in response to a client
computer authentication request, if the request contains valid user
credentials and a valid Service Principal Name (SPN). The client
computer then uses the ticket to access network resources. To enable
Kerberos authentication, the client and server computers must have a
trusted connection to the domain Key Distribution Center (KDC). The KDC
distributes shared secret keys to enable encryption. The client and
server computers must also be able to access Active Directory directory
services. For Active Directory, the forest root domain is the center of
Kerberos authentication referrals.

Answer #2    Answered By: John Scott     Answered On: Apr 02

Just to clarify, for Kerberos to work the clients must be connected
to the domain, either on the LAN or VPN? Proper domain credentials
through a browser are not enough?

If this is the case, and you needed access just via the browser with
an AD login, you would have to use NTLM or basic, and all services
must be hosted on the same server, since you would not have Kerberos
to pass credentials to other app servers?

We want to have our intranet over SSL with an AD login that can be
accessed from any computer with a browser. This worked before just
fine when we only had one FE server and everything ran on it. Now we
are tripling in size and need more hardware.

Answer #3    Answered By: Donald Torres     Answered On: Apr 02

Yes to your first paragraph. Could you clarify what you mean by "and
all services must be hosted on the same server, since you would not have
Kerberos to pass credentials to other app servers"? If these are all
MOSS/WSS servers you're talking about, then no, you don't need to use
Kerberos. If you have non-SharePoint apps on other non-SharePoint
servers then yes, you'd need to use Kerberos (or one of the other
options) to do pass-through authentication. The other options would be
MOSS Single Sign-On, or using cached credentials (generally discouraged
for security reasons).

Answer #4    Answered By: Courtney Scott     Answered On: Apr 02

Sorry, by all services I mean all SharePoint Services. We want to
have Excel Services and the SSP hosted on the App server, which is a
member of the farm, but I am told that we need Kerberos in place for
this to work since we are passing from the WFE to the App server.
That is my concern.

Answer #5    Answered By: Jagdeep Hor     Answered On: Apr 02

You were probably misinformed - Kerberos is not needed for communication
within a SharePoint farm as that communication is done using system
accounts, not user accounts. However, Kerberos might be needed if you
are using Excel Services to do passthrough authentication to another
data source (e.g. you have a Data Source defined in an Excel workbook being
consumed by Excel Services).

Answer #6    Answered By: Aja Howe     Answered On: Apr 02

We appear to have search working fine but Excel services
doesn't unless it is running on the WFE. Any thoughts?

Answer #7    Answered By: Cecil Mckenzie     Answered On: Apr 02

Can you be a bit more specific about what is failing in Excel Services?
The service itself, loading a workbook in a web part, accessing a data
source within a workbook, etc?

Answer #8    Answered By: Jaclyn Gordon     Answered On: Apr 02

We would like to run the SSP and Excel services on the application
server. I am told that we need Kerberos to achieve this to pass
credentials from the WFE.

Answer #9    Answered By: Bhupendra Bajpai     Answered On: Apr 02

I don't know the answer to whether the client must be connected to the domain for
them to authenticate with Kerberos, but step #1 is that you must have the
app pool that is running your SharePoint site running under an account that
has an SPN created (using the fully qualified domain name to access the site)
and has the "Account is trusted for delegation" flag flipped on in AD.

There are quite a few blog entries out there related to SharePoint and
Kerberos, take a look at [1].

It's worth reading up on Kerberos and understanding how it works before you
start altering your Active Directory config.
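
The app pool account setup from Answer #9 as a repeatable check-and-fix script, added here as an example and not code from the thread. It assumes 'svc_spwebapp' as the SharePoint app pool identity and 'intranet.contoso.com' as the web application FQDN; it needs the ActiveDirectory RSAT module and rights to edit that account.

```powershell
# Added example (not from this thread). Assumed names: 'svc_spwebapp' is the
# app pool identity and 'intranet.contoso.com' is the web application FQDN.
Import-Module ActiveDirectory

$Account  = 'svc_spwebapp'          # assumed app pool identity (sAMAccountName)
$SiteFqdn = 'intranet.contoso.com'  # assumed FQDN users type into the browser
$Spns     = @("HTTP/$SiteFqdn", "HTTP/$($SiteFqdn.Split('.')[0])")

$user = Get-ADUser -Identity $Account -Properties ServicePrincipalNames, TrustedForDelegation

foreach ($spn in $Spns) {
    # The KDC can only issue a service ticket for an SPN that exists on exactly
    # one account; a duplicate (e.g. left behind on a computer object) makes the
    # ticket request fail and the browser quietly falls back to NTLM.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others = @($owners | Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
    if ($others.Count -gt 0) {
        throw "SPN $spn is already registered on: $($others.DistinguishedName -join ', ')"
    }
    if ($user.ServicePrincipalNames -notcontains $spn) {
        Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $spn}
        Write-Host "Registered $spn on $Account"
    }
}

# "Account is trusted for delegation" (Answers #9 and #10). This flag is
# unconstrained delegation: the account may impersonate users to any service.
# Constrained delegation (msDS-AllowedToDelegateTo) limits that to named SPNs
# and is the narrower choice when only specific back ends need it.
if (-not $user.TrustedForDelegation) {
    Set-ADAccountControl -Identity $Account -TrustedForDelegation $true
}

# Verify the result. After an IIS reset, a domain-joined client that browses
# the site should show an HTTP/<fqdn> ticket in 'klist'; an Internet client
# with no path to the KDC on port 88 never will and stays on NTLM.
Get-ADUser -Identity $Account -Properties ServicePrincipalNames, TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, ServicePrincipalNames
```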

Answer #10    Answered By: Marianne Vance     Answered On: Apr 02

Try setting the "Trust this account for delegation" setting in AD.
