Sharepoint Forum


Any reason to not use Kerberos?

  Asked By: Salvador    Date: Nov 01    Category: Sharepoint    Views: 1503

I have SPS 2003 SP2 and WSSV2 SP2 installed on two separate web
farms. I'm using NTLM Authentication now. However, someone in our
organization wants me to switch to Kerberos. He needs Kerberos to
crawl our sites with a Google search device and not have the users get
authentication prompts on the search results.

It doesn't make a lot of sense to me. I'm just wondering if using
Kerberos will cause any problems.



3 Answers Found

Answer #1    Answered By: Elisabeth Walsh     Answered On: Nov 01

I haven't tried to set it up yet because my past experience with Kerberos
was frustrating. But in reading MS architecting docs and chatting with
people at a conference, I gather it's actually the preferred administrative
authentication. I'm interested in your comment about the Google search
appliance since we have one too. I've also read here that using Kerberos
allows the RSS reader webpart to consume the SharePoint authenticated RSS
feeds. So there's a number of reasons now to seriously consider it.

I'd be interested in any other features made easier/possible when using
Kerberos. Time to start a list!

Answer #2    Answered By: Bhavesh Doshi     Answered On: Nov 01

Kerberos basically is a means of authentication that gives you a token that
you can then hand to SharePoint each time that you're looking to access a
resource. SharePoint looks at the token and lets you pass, instead of in
the NTLM world requesting a password (whether it be in the background or
through a prompt). If you're using Kerberos it opens up doors such as the
one you mention with regard to the GSA (Google Search Appliance) as well as
the RSS feeds, in addition to any web part that may require a double hop --
think UNC based file share web parts, they'll only work if you have Kerberos

Kerberos can definitely be a *insert favorite expletive here* depending if
you know what you're doing and how much sleep you've gotten the past few
nights. Overall though, it's quicker, as it hits the Key Distribution
Center less frequently (Active Directory) since the token is good for a
specified period of time and more secure since your hashed password isn't
traversing your network as much.

Give it a try on a single web application if you're interested to see the
effects. Though I guess in a WSS v2 / SPS 03 world you don't have that
option quite as freely available to you. Definitely something that you'll
enjoy once you have it working properly though.
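
When a virtual server is switched from NTLM to Negotiate, a client that cannot obtain a Kerberos ticket falls back to NTLM without any visible error, so it is worth checking which mechanism a test request really carried. The following is an added example, not part of the original thread: it classifies the first-leg `Authorization` header value of a captured request. The sample header values are constructed and contain no real tickets or hashes.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside a SPNEGO token.
SPNEGO = bytes.fromhex("06062b0601050502")               # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")           # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")        # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP: "ntlm"}

def classify_authorization(value):
    """Classify the first-leg token of an HTTP Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):      # raw NTLM, also sent under Negotiate
        return "ntlm"
    if scheme.lower() == "ntlm" or token[:1] != b"\x60":
        return "unknown"
    # 0x60 = GSS-API initial token. The first mechanism OID listed is the one
    # the client actually attempted; later OIDs are only offered alternatives.
    hits = [(token.find(oid), name) for oid, name in MECHS.items() if oid in token]
    return min(hits)[1] if hits else "unknown"

def _der(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length, fine for samples

def _spnego(mech_oids, mech_token):
    inner = _der(0xA0, _der(0x30, mech_oids)) + _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, SPNEGO + _der(0xA0, _der(0x30, inner)))

def sample_headers():
    """Constructed header values (no real tickets or hashes)."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    ntlm_type1 = b"NTLMSSP\x00\x01\x00\x00\x00"
    return {
        "kerberos": "Negotiate " + b64(_spnego(MS_KRB5 + KRB5 + NTLMSSP, b"constructed-ticket")),
        "ntlm_fallback": "Negotiate " + b64(ntlm_type1),
        "ntlm_in_spnego": "Negotiate " + b64(_spnego(NTLMSSP, ntlm_type1)),
        "ntlm_only": "NTLM " + b64(ntlm_type1),
        "basic": "Basic dXNlcjpwYXNz",
    }

if __name__ == "__main__":
    for name, header in sample_headers().items():
        print(f"{name:15} -> {classify_authorization(header)}")
```

A result of `ntlm` for a `Negotiate` request means the client fell back, and the double-hop scenarios mentioned above will not work for that client.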

Answer #3    Answered By: Elisa Santos     Answered On: Nov 01

One caveat is that your Active Directory has to allow delegation and implement
Kerberos across the forest.
