Step by Step Kerberos Authentication for SharePoint 2010

By: Christian Holslin

Introduction

Kerberos authentication, created at MIT and named after Hades’ three-headed guard dog Cerberus (according to Wikipedia), has been around for decades.  The latest version 5, implemented currently by Active Directory, was released in 1993.  The protocol is designed to provide rapid, secure authentication to users on a multi-system network, or “farm” as we like to call them.

Advantages over Traditional Windows Authentication

The main advantage of Kerberos over NTLM or forms-based authentication is the ability for a user’s identity to securely traverse multiple servers without requiring a re-key of the user’s credentials.  This concept is referred to as single sign-on: login once to access everything.

A secondary advantage is speed.  Authenticating connections with Kerberos tokens is considerably faster than other methods.

Platform Uniformity

Another advantage is platform uniformity.  Any application that uses Windows Authentication, whether you wrote it, Microsoft wrote it, or anyone else wrote it, can automatically use Kerberos.  It’s built into Windows and Active Directory.  It doesn’t require custom code like a forms-based or claims-aware provider.  Enabling it is as simple as telling the web.config to use it.

Necessity

Many farm scenarios do not warrant Kerberos authentication.  How can you tell if yours does?  There is a simple test: the double-hop.  Draw a quick diagram of your farm topology.  If you have any servers which are more than two degrees of separation away from your client, you will need Kerberos authentication only if you need to delegate access to those resources.  The figure below shows the double-hop scenario.

Figure 1: The Double-Hop

Each connection, or “hop,” must be authenticated.  Thus, the SharePoint server must establish a secure, authenticated connection to SQL in order to return data for the user.  If the data connections above need to impersonate the user, the connections must use delegation.  Kerberos authentication allows SharePoint and SQL Server to implement delegation.

Real-World Examples

The most common example of Kerberos in practice involves Reporting Services.  A user browses to a SharePoint document library to run a Report with data in a SQL Server database.  SharePoint and SQL Server both implement Kerberos authentication to allow the user to view the Report using the user’s own credentials.  No login prompts, no proxy accounts, no stored credentials.

Setup

Setting up Kerberos authentication for SharePoint and SQL Server takes only a few minutes.  Follow the steps below to get it running in your farm.  We will assume that SharePoint requires classic mode authentication for the Web Application.  (Obviously, you will need to change CONTOSO to your Domain name and use your actual service accounts.)

1. Configure SQL Server

Configuring SQL Server to use Kerberos is easy.  Create a Service Principal Name for your SQL Server by running the setspn.exe utility from the command-line.  NOTE: you will need to be a Domain Administrator to do this:

Figure 2: setspn.exe Syntax

Service Principal Names

You will need to become familiar with Service Principal Names to set up Kerberos.  They are composed of the following pieces, shown here for the SQL Server SPN MSSQLSvc/DB-SRV-01:1433 CONTOSO\SqlServer:

Service
  Service Class: MSSQLSvc
    This is the unique class name of the service. It differs between different types of services.
  Endpoint: DB-SRV-01
    This is the DNS address where the service is accessed. In this case, it’s the server name, but it can also be the fully-qualified domain name like db-srv-01.contoso.local, or an alias like database.contoso.local.
  Port: 1433
    The port is needed if it is not a standard port for the Service Class.
Principal
  Domain: CONTOSO
    This is the NetBIOS domain name of the Active Directory where the service account resides.
  User: SqlServer
    This is the login name for the service account itself.

As far as I know, the Service Class is case-sensitive.

For good measure, Microsoft recommends creating multiple Service Principal Names.  The reason why: the client application builds the Service Principal Name it requests a ticket for when it connects to the server.  Whether the client application chooses to include the port number or not, you should be ready.  The solution: create all of the following SPNs for SQL Server:

  - MSSQLSvc/DB-SRV-01 CONTOSO\SqlServer
  - MSSQLSvc/DB-SRV-01:1433 CONTOSO\SqlServer
  - MSSQLSvc/DB-SRV-01.contoso.local CONTOSO\SqlServer
  - MSSQLSvc/DB-SRV-01.contoso.local:1433 CONTOSO\SqlServer

Note the variation in the Endpoint and Port.  We do this to ensure that we cover all the possible combinations that a client application could throw at SQL Server.  This is the best practice.
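The SPN registration above from the command line, as an added PowerShell example that is not part of the original post: it checks the forest for duplicate SPNs first, registers the four MSSQLSvc SPNs from the list against CONTOSO\SqlServer with setspn.exe, and lists what ended up on the account. The host, domain and account names are the article's placeholders; the same three commands cover the HTTP SPN for the SharePoint Web Application Extension later in the article.

```powershell
# Added example (not from the original post). Run as a Domain Administrator on a
# domain-joined machine with setspn.exe (Windows Server 2008 or later).
# DB-SRV-01, contoso.local and CONTOSO\SqlServer are the article's placeholders.

$SqlAccount = 'CONTOSO\SqlServer'
$SqlSpns = @(
    'MSSQLSvc/DB-SRV-01',
    'MSSQLSvc/DB-SRV-01:1433',
    'MSSQLSvc/DB-SRV-01.contoso.local',
    'MSSQLSvc/DB-SRV-01.contoso.local:1433'
)

# 1. A duplicate SPN (the same name on two accounts) breaks Kerberos for that
#    service: the KDC can encrypt the service ticket with the wrong account's key,
#    and clients fall back to NTLM or fail. setspn -X reports duplicates forest-wide;
#    anything other than "Found 0 group of duplicate SPNs." must be cleaned up first.
setspn -X

# 2. Register each SPN. -S (unlike the older -A) refuses to add an SPN that is
#    already registered to another account, so it cannot create a duplicate.
foreach ($spn in $SqlSpns) {
    setspn -S $spn $SqlAccount
}

# 3. Verify: list the SPNs now on the service account, and query one of them
#    to see exactly which account the KDC will map it to.
setspn -L $SqlAccount
setspn -Q 'MSSQLSvc/DB-SRV-01.contoso.local:1433'
```

If setspn -S reports "Duplicate SPN found, aborting operation!", the name is already on another account (commonly a computer account from an earlier installation); remove it there with setspn -D before retrying, rather than forcing the add with -A.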

2. Create a Web Application

Create a new Web Application in SharePoint 2010 to use with Kerberos authentication.  Pick Classic Mode Authentication and make sure NTLM is used.  This Web Application will be created as the Default Zone.  We want to put this on a non-standard port and use NTLM authentication to ensure that we can always access it from the SharePoint server itself.

Note: you must use a Domain Account for the application pool identity.

Figure 3: New Web Application

3. Extend the Web Application to use Kerberos Authentication

Extend the Web Application you just created.  Set the Zone to Intranet and put the site on Port 80.  Use the host header intranet.contoso.local:

Figure 4: Web Application Extension

When you click OK you will get a warning about Kerberos.  Don’t worry: the Service Principal Name can be created before or after the Web Application Extension.
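Steps 2 and 3 from the SharePoint 2010 Management Shell instead of Central Administration, as an added example that is not part of the original post. The web application name, database name and the port 8080 for the Default zone are assumptions; the host header and the CONTOSO\SP_WebApp application pool account are the article's placeholders, and the account must already be registered as a managed account.

```powershell
# Added example (not from the original post). Run in the SharePoint 2010
# Management Shell on a farm server, as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$PoolAccount = Get-SPManagedAccount 'CONTOSO\SP_WebApp'   # domain account, as step 2 requires
$WebAppName  = 'SharePoint - Kerberos'                      # assumed name
$DefaultPort = 8080                                          # assumed non-standard port

# Step 2: Default zone, classic mode, NTLM, on a non-standard port so the farm
# can always reach the site locally even if the Kerberos zone is misconfigured.
$webApp = New-SPWebApplication -Name $WebAppName `
    -ApplicationPool $WebAppName `
    -ApplicationPoolAccount $PoolAccount `
    -Port $DefaultPort `
    -AuthenticationMethod NTLM `
    -DatabaseName 'WSS_Content_Kerberos'                     # assumed database name

# Step 3: extend into the Intranet zone on port 80. The host header must match
# the Endpoint of the HTTP SPN (HTTP/intranet.contoso.local) registered later,
# otherwise browsers request a ticket for a name no account holds.
New-SPWebApplicationExtension -Identity $webApp `
    -Name 'SharePoint - intranet80' `
    -Zone Intranet `
    -Port 80 `
    -HostHeader 'intranet.contoso.local' `
    -Url 'http://intranet.contoso.local' `
    -AuthenticationMethod Kerberos

# Verify: both zones and their public URLs are now listed.
Get-SPAlternateURL -WebApplication $webApp
```

The warning about Kerberos that Central Administration shows at this point is not raised by the cmdlet; the SPN can still be created before or after the extension.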

6. Create the DNS Record

Your server needs a static IP address and a DNS record to be accessed by users.  When Kerberos is involved, you must be sure that you create an A (for address) record and not a CNAME (canonical name, or alias) record for the SharePoint Web Application Extension:

Figure 5: New DNS Record

Enter the IP address of the SharePoint server and hostname of the Web Application Extension into the box and click Add Host to save the new DNS record.  The automatically generated FQDN should read intranet.contoso.local.
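The DNS step from the command line, as an added example that is not part of the original post: dnscmd.exe adds the A record, and the nslookup answer is then checked for a CNAME, because a browser that resolves an alias builds its ticket request from the canonical host name rather than from intranet.contoso.local, so the HTTP SPN would not match. The DNS server name DC-01 and the address 192.0.2.10 are constructed placeholders.

```powershell
# Added example (not from the original post). Requires the DNS Server tools
# (dnscmd.exe) and rights to edit the zone.
$DnsServer = 'DC-01'            # assumed DNS server / domain controller
$Zone      = 'contoso.local'
$HostName  = 'intranet'         # hostname of the Web Application Extension
$SpAddress = '192.0.2.10'       # constructed SharePoint server IP address

# Create an A record, never a CNAME, for the Kerberos-enabled zone.
dnscmd $DnsServer /RecordAdd $Zone $HostName A $SpAddress

# Verify the record type the clients will actually see. An answer containing
# "canonical name" means the name is still an alias and must be replaced.
$answer = nslookup -type=A "$HostName.$Zone" $DnsServer 2>$null
if ($answer -match 'canonical name') {
    Write-Warning "$HostName.$Zone resolves through a CNAME; replace it with an A record."
} else {
    $answer
}
```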

4. Create a Service Principal Name

Just like we did for SQL Server, create a Service Principal Name for the SharePoint Web Application Extension:

Figure 6: SharePoint SPN

The SharePoint Service Principal Name breakdown, for HTTP/intranet.contoso.local CONTOSO\SP_WebApp, is as follows:

Service
  Service Class: HTTP
    HTTP works for http and https connections.
  Endpoint: intranet.contoso.local
    This is the DNS address where SharePoint is accessed. In this case, it’s the URL of the Web Application Extension.
  Port: (none)
    80 is a standard port, therefore we don’t need to include it.
Principal
  Domain: CONTOSO
    This is the NetBIOS domain name of the Active Directory where the service account resides.
  User: SP_WebApp
    This is the login name for the SharePoint Application Pool account.

5. Enable Constrained Delegation

If this were SharePoint 2007, we’d be done.  But SharePoint 2010 requires Constrained Delegation.  In order to enable constrained delegation you have to connect to the Domain Controller and enable Delegation on the account used to host the SharePoint Web Application Pool.

Remote Desktop into the Domain Controller, open Active Directory Users and Computers, then locate the SharePoint Web Application Pool account.  Double-click on the account and locate the Delegation tab:

Figure 7: Delegation

Pick Trust this user for delegation to any service and click OK.  SharePoint will now authenticate clients using Kerberos authentication to http://intranet.contoso.local
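The delegation setting via the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The option named above, Trust this user for delegation to any service, is unconstrained delegation: the account can obtain a ticket to any service in the forest on behalf of any user who has authenticated to it, so a compromise of the application pool account exposes every service. The constrained form the section heading calls for (and which the comment from Rune Mariboe below describes) limits the account to the SPNs listed in its msDS-AllowedToDelegateTo attribute, here the SQL Server SPNs from step 1. SP_WebApp and the SQL SPNs are the article's placeholders; the module needs Windows Server 2008 R2 RSAT or later.

```powershell
# Added example (not from the original post). Run as a Domain Administrator.
Import-Module ActiveDirectory

$SpAccount = 'SP_WebApp'   # sAMAccountName of the app pool identity (article placeholder)
$SqlSpns = @(              # the SQL Server SPNs registered in step 1
    'MSSQLSvc/DB-SRV-01',
    'MSSQLSvc/DB-SRV-01:1433',
    'MSSQLSvc/DB-SRV-01.contoso.local',
    'MSSQLSvc/DB-SRV-01.contoso.local:1433'
)

# Constrained delegation: the account may request service tickets on a user's
# behalf only for the SPNs in msDS-AllowedToDelegateTo.
Set-ADUser -Identity $SpAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $SqlSpns }

# Protocol transition ("Use any authentication protocol" on the Delegation tab):
# needed when users reach SharePoint with something other than Kerberos and the
# Claims to Windows Token Service obtains a Windows token for them.
Set-ADAccountControl -Identity $SpAccount -TrustedToAuthForDelegation $true

# Make sure the unconstrained flag ("Trust this user for delegation to any
# service") is off; it is a separate bit that grants delegation to every service.
Set-ADAccountControl -Identity $SpAccount -TrustedForDelegation $false

# Verify by reading the raw userAccountControl bits and the target list.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
$u = Get-ADUser -Identity $SpAccount -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
New-Object PSObject -Property @{
    Account             = $u.SamAccountName
    Unconstrained       = [bool]($u.userAccountControl -band $TRUSTED_FOR_DELEGATION)
    ProtocolTransition  = [bool]($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedToDelegateTo = ($u.'msDS-AllowedToDelegateTo' -join ', ')
}
```

The expected result is Unconstrained = False, ProtocolTransition = True and the four SQL SPNs in AllowedToDelegateTo; on the Delegation tab this shows as Trust this user for delegation to specified services only with the SQL Server entries listed.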

Workarounds

A common work-around to the Real-World Scenario above, when Kerberos authentication is not involved, is a proxy account: hard-code the Report Server credentials into the Report itself.  When the user accesses the Report, SharePoint connects to SQL using the stored credentials.  This is also what the Secure Store service does.  This is also a form of delegation, but it does not pass the user’s actual credentials to the data store: it uses a proxy account.  Thus, all users get the same rights on the data store and the password is saved in clear-text in the Report’s connection string.  If this doesn’t meet your requirements, you need to call in Kerberos to handle the connection.

Looking Ahead

Even though Kerberos is not always needed, or even possible (as with extranets), the introduction of External Content Types in SharePoint 2010 as a reporting tool will greatly increase the need for it.  With the increased maturity and new features in PerformancePoint, PowerPivot, and Reporting Services in SharePoint mode, if your data is not on the SharePoint server itself you will need to use delegation.  The best choice, which provides the lowest maintenance overhead, the highest level of security, and the lowest processor overhead, is Kerberos authentication.  Try it out in a VM farm on your local computer.  It’s a great tool to have in your SharePoint architect’s toolbox.

By: Christian Holslin, Solutions Architect, Gig Werks
        

Comments

jwill

Is extending web app required to make kerberos work?
at 6/3/2011 6:06 AM

Karthick

Will this help in avoiding credentials prompt with MAC clients?
at 8/9/2011 3:57 AM

Greg

Thanks for this very clear explanation!
at 8/30/2011 6:35 PM

Susan Hight

Hi, thanks for the clear instructions. 
I have followed these however I am having trouble registering my url - the extended web application host header.
The application pool account is a domain service account.
I am getting an error saying the url is not recognised.
The web site is working fine and so DNS A Host name has been created fine etc.
I have also given the application pool account full access to the web app in the user policy.
Any ideas?
Thank you
Susan
at 10/28/2011 12:44 PM

Sal

Is it really necessary to set up an SPN for SQL Server? I thought you only needed to set it up for web applications. Please advise.
at 12/16/2011 9:50 AM

Ali Salih

Hey there, 2 things.

1- I believe you also need port 1434 while setting up the SQL Service Principal name.
2- Don't you have to also setup "<windowsAuthentication enabled="true" useAppPoolCredentials="true">" in the applicationhost.config file for IIS? If not, why ? I've seen couple resources saying this should be done.

Regards,

Ali
at 12/16/2011 4:58 PM

Randy o

Port 1434 is used for the SQL Browser service, not the SQL DB service. The second is for Server 2008 / 2008 R2 and can be done through the GUI as well; when you use classic mode you have to disable kernel mode auth.
at 1/13/2012 12:35 AM

Theresa Luby

Thank you for this post.  It spoke well to me, as I am a beginner.  I did all of this, but cannot get to my site now that Kerberos is set up.  I am getting the HTTP Error 401 error.  I can get to the HTTP site and can get to the HTTPS site using the IP, but not the address using the host name. Any suggestions?
at 9/12/2012 7:33 AM

Rune Mariboe

Actually, following this guide, you are not configuring constrained delegation - that would be "Trust this user for delegation to specified services only", which constrains delegation to only the specified services.

After this, you must select the services to which the service running in the account's security context may delegate.

Constrained delegation allows for protocol transitioning, which is required by the Claims to Windows Token service used by SharePoint.
at 11/14/2012 11:40 AM

©2009 Gig Werks. All rights reserved.