Roland Serman’s Blog

Just another WordPress.com weblog

Configure Kerberos for SharePoint 2010


Below I’ve outlined the minimum required to set up Kerberos authentication for SharePoint 2010. Replace everything surrounded by <> with the appropriate value (see the Key at the end). With any luck I didn’t miss anything.

CORE

  1. Configure DNS for each Load Balanced Web Application
  2. Configure each Web Application to run under a unique Application Pool Identity.
  3. Set the appropriate SPNs on the service accounts as follows:
    1. SetSPN -S HTTP/<NSN>:<Port> <Domain\FSA>
    2. SetSPN -S HTTP/<NSN>:<Port> <DOMAIN\FSA>
    3. SetSPN -S HTTP/<URL1NBN> <DOMAIN\AppPl1A>
    4. SetSPN -S HTTP/<URL1> <DOMAIN\AppPl1A>
    5. SetSPN -S HTTP/<URL1>:<Port> <DOMAIN\AppPl1A>
    6. SetSPN -S HTTP/<URL2NBN> <DOMAIN\AppPl2A>
    7. SetSPN -S HTTP/<URL2> <DOMAIN\AppPl2A>
    8. SetSPN -S HTTP/<URL2>:<Port> <DOMAIN\AppPl2A>

SQL Server (DB)

  1. SetSPN -S MSSQLSVC/<SQLSrvNBN>:<Port> <DOMAIN\SQLSvc>
  2. SetSPN -S MSSQLSVC/<SQLSrv>:<Port> <DOMAIN\SQLSvc>

SQL Analysis Services

  1. SetSPN -S MSOLAPSvc.3/<SQLSrvNBN> <DOMAIN\SQLASSvc>
  2. SetSPN -S MSOLAPSvc.3/<SQLSrv> <DOMAIN\SQLASSvc>

SQL Reporting Services

  1. SetSPN -S HTTP/<SQLRptSrvNBN> <DOMAIN\SQLRSSvc>
  2. SetSPN -S HTTP/<SQLRptSrv> <DOMAIN\SQLRSSvc>
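The SPN lists above, as an added example that is not part of the original post: one script that holds the mapping in one place and checks each SPN before registering it, because an SPN that already exists on a different account is a duplicate, and a duplicate SPN breaks Kerberos for that service (the KDC logs event ID 11 and cannot issue a usable ticket). Every host, port and account name below is a placeholder I've made up for the example.

```powershell
# Added example (not from the post): register the post's SPNs from one place and
# refuse to create a duplicate. All host, port and account names are placeholders.
$Domain    = 'CONTOSO'                                              # <DOMAIN>
$Port      = 443                                                    # <Port>
$Nsn       = 'SPWFE01'                                              # <NSN>
$Fsa       = 'svc-spfarm'                                           # <FSA>
$Url1Nbn   = 'portal';   $Url1      = 'portal.contoso.local'        # <URL1NBN>, <URL1>
$AppPl1A   = 'svc-sppool1'                                          # <AppPl1A>
$Url2Nbn   = 'mysites';  $Url2      = 'mysites.contoso.local'       # <URL2NBN>, <URL2>
$AppPl2A   = 'svc-sppool2'                                          # <AppPl2A>
$SqlSrvNbn = 'SQL01';    $SqlSrv    = 'sql01.contoso.local';  $SqlPort = 1433
$SqlSvc    = 'svc-sql';  $SqlASSvc  = 'svc-sqlas';  $SqlRSSvc = 'svc-sqlrs'
$SqlRptNbn = 'SSRS01';   $SqlRptSrv = 'ssrs01.contoso.local'

# The same SPN -> account mapping the post lists, as data.
$SpnPlan = @(
    @{ Spn = "HTTP/${Nsn}:${Port}";              Account = $Fsa }
    @{ Spn = "HTTP/$Url1Nbn";                    Account = $AppPl1A }
    @{ Spn = "HTTP/$Url1";                       Account = $AppPl1A }
    @{ Spn = "HTTP/${Url1}:${Port}";             Account = $AppPl1A }
    @{ Spn = "HTTP/$Url2Nbn";                    Account = $AppPl2A }
    @{ Spn = "HTTP/$Url2";                       Account = $AppPl2A }
    @{ Spn = "HTTP/${Url2}:${Port}";             Account = $AppPl2A }
    @{ Spn = "MSSQLSVC/${SqlSrvNbn}:${SqlPort}"; Account = $SqlSvc }
    @{ Spn = "MSSQLSVC/${SqlSrv}:${SqlPort}";    Account = $SqlSvc }
    @{ Spn = "MSOLAPSvc.3/$SqlSrvNbn";           Account = $SqlASSvc }
    @{ Spn = "MSOLAPSvc.3/$SqlSrv";              Account = $SqlASSvc }
    @{ Spn = "HTTP/$SqlRptNbn";                  Account = $SqlRSSvc }
    @{ Spn = "HTTP/$SqlRptSrv";                  Account = $SqlRSSvc }
)

function Get-RegisteredSpn {
    # SPNs already on an account: the indented lines of "setspn -L" output.
    param([string]$Account)
    (setspn -L $Account) | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

function Register-FarmSpn {
    param([hashtable[]]$Plan, [string]$Domain, [switch]$WhatIf)
    foreach ($entry in $Plan) {
        $spn  = $entry.Spn
        $acct = "$Domain\$($entry.Account)"
        if ((Get-RegisteredSpn $acct) -contains $spn) {
            Write-Host "ok     $spn already on $acct"
            continue
        }
        # "setspn -Q" searches the forest; a hit here means the SPN sits on some
        # other account, so adding it again would create a duplicate.
        $found = setspn -Q $spn
        if ($found -match 'Existing SPN found') {
            Write-Warning "SKIP   $spn is already registered elsewhere:`n$($found -join "`n")"
            continue
        }
        if ($WhatIf) { Write-Host "would  setspn -S $spn $acct" }
        else {
            setspn -S $spn $acct | Out-Null   # -S itself refuses duplicates as a second guard
            Write-Host "added  $spn -> $acct"
        }
    }
}

Register-FarmSpn -Plan $SpnPlan -Domain $Domain -WhatIf   # drop -WhatIf to apply
setspn -X   # forest-wide duplicate search as a final check; expect 0 groups of duplicates
```

Run it once with -WhatIf to see what would change, then without. The final setspn -X is the check worth keeping in a runbook: a duplicate created later by someone else (a second farm, a renamed server) shows up there long before users start reporting logon failures.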

Trust for Delegation

Configure Trust for Delegation for the service accounts and computer objects of all servers, and for the service accounts you’ve set service principal names for.
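One way to apply the delegation setting above with the ActiveDirectory module, as an added example that is not from the post. The "Trust this user for delegation to any service" checkbox the post's wording maps to is Set-ADAccountControl -TrustedForDelegation $true (unconstrained delegation); that lets the account obtain tickets to any service as any user who has authenticated to it, so the example instead grants constrained, Kerberos-only delegation to just the back-end SPNs from the lists above. All account, server and SPN names are placeholders I've made up.

```powershell
# Added example (not from the post): constrained, Kerberos-only delegation for the
# SharePoint front-end identities. Names and SPNs are placeholders; run as a domain admin.
Import-Module ActiveDirectory

# Back-end services the front end must reach as the end user (SQL, SSAS, SSRS).
$BackEndSpns = @(
    'MSSQLSVC/sql01.contoso.local:1433',   # SQL DB engine
    'MSOLAPSvc.3/sql01.contoso.local',     # Analysis Services
    'HTTP/ssrs01.contoso.local'            # Reporting Services
)

function Set-ConstrainedDelegation {
    # Restricts an account (or computer object) to delegating only to $TargetSpn:
    # the "delegation to specified services only / use Kerberos only" setting.
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $TargetSpn,
        [switch] $Computer
    )
    $attr = @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    if ($Computer) {
        Set-ADComputer -Identity $Identity -Replace $attr
        $sam = "$Identity`$"                       # computer SAM names end in $
    } else {
        Set-ADUser -Identity $Identity -Replace $attr
        $sam = $Identity
    }
    # Kerberos only: no protocol transition, and not the unconstrained flag.
    Set-ADAccountControl -Identity $sam -TrustedToAuthForDelegation $false -TrustedForDelegation $false
}

# Application pool accounts and the web servers' computer objects.
'svc-sppool1', 'svc-sppool2' | ForEach-Object { Set-ConstrainedDelegation -Identity $_ -TargetSpn $BackEndSpns }
'SPWFE01', 'SPWFE02'         | ForEach-Object { Set-ConstrainedDelegation -Identity $_ -TargetSpn $BackEndSpns -Computer }

# Show what each identity may now delegate to.
foreach ($u in 'svc-sppool1', 'svc-sppool2') {
    Get-ADUser $u -Properties msDS-AllowedToDelegateTo |
        Select-Object SamAccountName, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}
```

The list in msDS-AllowedToDelegateTo must contain the exact SPNs registered on the back-end accounts (host, and port where the SPN has one), which is why keeping the SPN plan and the delegation list in the same script pays off.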

IIS Config (Borrowed from Saurabh Sing)

In IIS 7/7.5 you also have to modify applicationhost.config (found in %systemroot%\system32\inetsrv\config\) to enable kernel-mode authentication and to make it use the application pool’s identity, by adding useKernelMode="true" useAppPoolCredentials="true" to the windowsAuthentication element in the security section, as so:

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>

Configure SRS to answer via SSL

Modify rsreportserver.config with the following:

<Add Key="SecureConnectionLevel" Value="2"/>
<UrlRoot>https://<FQDNofReportServerCertificate>/ReportServer</UrlRoot>
<ReportServerUrl>https://<FQDNofReportServer>/ReportServer</ReportServerUrl>

http://blogs.msdn.com/b/mariae/archive/2007/12/12/ssl-configuration-and-reporting-services.aspx

Configure SRS to use Kerberos

Ensure the following exists in the rsreportserver.config file:

<Authentication>
  <AuthenticationTypes>
    <RSWindowsNegotiate />
    <RSWindowsKerberos />
    <RSWindowsNTLM />
  </AuthenticationTypes>
  <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>

http://msdn.microsoft.com/en-us/library/cc281253.aspx

SharePoint: Trusting non Public Certificate Authority

I had to do the following to get SharePoint to connect to SQL Reporting Services via SSL when using an untrusted Certificate Authority.  Keep in mind, just because the server trusts the authority, SharePoint DOES NOT!

Add-PSSnapin Microsoft.SharePoint.PowerShell

# Load the CA's root certificate from disk and register it as a trusted root in the farm
$rootca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("d:\Admins\Certs\CACertClass3.cer")
New-SPTrustedRootAuthority -Name "CACert Class 3 Root" -Certificate $rootca

http://blogs.technet.com/b/blairb/archive/2010/08/18/using-ssl-with-sharepoint-2010-send-to-connections.aspx

Key

<NSN> = NetBIOS Server Name
<Port> = TCP port used for the service
<URL1NBN> = NetBIOS name for the first Web Application
<URL1> = FQDN for the first Web Application
<URL2NBN> = NetBIOS name for the second Web Application (such as My Sites)
<URL2> = FQDN for the second Web Application (such as My Sites)
<FSA> = Farm Service Account
<AppPl1A> = Application Pool account for Web Application 1
<AppPl2A> = Application Pool account for Web Application 2
<SQLSvc> = SQL DB Engine Service Account
<SQLASSvc> = SQL Analysis Service Account
<SQLRSSvc> = SQL Reporting Service Account
<SQLSrv> = SQL Server FQDN
<SQLSrvNBN> = SQL Server NetBIOS Name
<SQLRptSrv> = SQL Reporting Server FQDN
<SQLRptSrvNBN> = SQL Reporting Server NetBIOS Name
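Once the steps above are in place, a way to confirm that a web application really is authenticating with Kerberos rather than silently falling back to NTLM, as an added example that is not part of the original post. It reads the two applicationhost.config attributes from the IIS Config section for a site, then summarises recent network logons (Security event 4624) on the web front end by authentication package. The site name and server name are placeholders I've made up.

```powershell
# Added example (not from the post): verify Kerberos is in use for a SharePoint web
# application. Site and server names are placeholders; run on the web front end.
Import-Module WebAdministration

function Test-SiteKerberosConfig {
    # Reads the attributes the post adds to applicationhost.config for one site.
    param([Parameter(Mandatory)] [string]$SiteName)
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $cfg = @{}
    foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
        $cfg[$name] = [bool](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                              -Location $SiteName -Filter $filter -Name $name).Value
    }
    # Kernel mode without app-pool credentials decrypts tickets with the machine
    # account key, so tickets issued for the app pool account's SPN cannot be read.
    [pscustomobject]@{
        Site         = $SiteName
        Enabled      = $cfg.enabled
        KernelMode   = $cfg.useKernelMode
        AppPoolCreds = $cfg.useAppPoolCredentials
        Ok           = ($cfg.enabled -and $cfg.useKernelMode -and $cfg.useAppPoolCredentials)
    }
}

function Get-NetworkLogonPackages {
    # Counts recent 4624 network logons (LogonType 3) per user and authentication
    # package. Kerberos is what we want to see; NTLM rows are the fallbacks.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 1000)
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
                -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.LogonType -eq '3') {
            [pscustomobject]@{
                User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Package = $data.AuthenticationPackageName
                Client  = $data.IpAddress
            }
        }
    }
    $rows | Group-Object User, Package | Sort-Object Count -Descending |
        Select-Object @{ n = 'User';    e = { $_.Group[0].User } },
                      @{ n = 'Package'; e = { $_.Group[0].Package } },
                      Count
}

Test-SiteKerberosConfig -SiteName 'SharePoint - portal'   # expect Ok = True
Get-NetworkLogonPackages | Format-Table -AutoSize
```

From a client, the matching check is klist purge, browse to the site, then klist: the cache should now hold a ticket for HTTP/<URL1>. Users who still appear with Package = NTLM in the summary are the ones to look at first; if particular users instead get an HTTP 400 after Kerberos is enabled, a common cause is a Kerberos ticket large enough (many group memberships) to exceed the HTTP.sys request header limits (MaxFieldLength and MaxRequestBytes).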


2 responses to “Configure Kerberos for SharePoint 2010”

  1. Søren Nielsen January 19, 2011 at 12:53 am

    Looks complete to me.

    How do you propose to test/verify Kerberos functionality on a site?

    I’ve been having a lot of problems with some users being unable to login after enabling it – as far as I can see everything should work, but for some selected users it just does not. The error is 400 bad request upon querying the login page.
