Kerberos Authentication Setup at Small SharePoint Farm
Kerberos setup is really easy. Once you know what is happening in every step,
you can set up Kerberos authentication without any problem. Here I am using a
small SharePoint environment with 1 APP server, 1 WEB server and 1 SQL server.
SharePoint Farm Topology:
1 APP Server: eg: app.domain.com
1 WEB Server: eg: web.domain.com
1 SQL Server: eg: sql.domain.com
SQL service is running as: domain\sqlservice
1 Central Admin:
http://app.domain.com:8888
1 Web application (host header):
http://testapp.domain.com
http://testapp.domain.com runs in an application pool that uses the domain
account: domain\apppool
*Here no service is running under a computer account, so we don't need
computer account delegation.
End Result:
Set up Kerberos authentication only for the web application (not for Central
Admin; in some scenarios that is required, but I am not covering it here).
Major Steps:
1. Create an SPN for the app pool account.
2. Create an SPN for the SQL Server service account.
3. Trust the app pool account for delegation.
4. In Central Admin, go to the web application's properties and, per zone, set Negotiate
authentication for the web application.
Create SPN for app pool account:
The application (http://testapp.domain.com) is running as domain\apppool, so
we have to create an SPN for the application pool account. Syntax as below:
App Pool Account: domain\apppool
Application: http://testapp.domain.com
SPN:
You can use PowerShell, ADSI Edit or the Command Prompt (setspn) to create these SPNs.
HTTP/testapp.domain.com domain\apppool
(*If the application listens on a non-default port, include the port in the SPN:
HTTP/servername.domain.com:portno domain\apppool, e.g. HTTP/webapp1:4444
domain\webapppool1 and HTTP/webapp1.domain.com:4444 domain\webapppool1. It is
best practice to create both SPNs, one with the short server name and one with
the fully qualified name.)
Create SPN for SQL Server service account:
Check which account the SQL service is running as; in my example it is
domain\sqlservice.
SPNs:
setspn -S MSSQLSvc/sql.domain.com domain\sqlservice
setspn -S MSSQLSvc/sql.domain.com:1433 domain\sqlservice
(*The default SQL Server port is 1433; if you use a different port, change it
accordingly.)
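The two SPN steps above, as one added PowerShell example that is not part of the original post. It assumes the names used in this post (testapp.domain.com, sql.domain.com, domain\apppool, domain\sqlservice), a domain-joined machine with the RSAT ActiveDirectory module installed, and an account permitted to write servicePrincipalName. It first checks Active Directory for an existing registration of each SPN, because a duplicate SPN on a second account stops the KDC from choosing a key and silently breaks Kerberos for that service, then registers with setspn -S, which refuses duplicates (setspn -A does not), and finishes with a forest-wide duplicate check.

```powershell
# Added example (not from the original post). Assumed names: testapp.domain.com,
# sql.domain.com, domain\apppool (sAMAccountName apppool), domain\sqlservice.
Import-Module ActiveDirectory

$spns = @(
    @{ Spn = 'HTTP/testapp.domain.com';      Account = 'domain\apppool'    },
    @{ Spn = 'MSSQLSvc/sql.domain.com';      Account = 'domain\sqlservice' },
    @{ Spn = 'MSSQLSvc/sql.domain.com:1433'; Account = 'domain\sqlservice' }
)

foreach ($entry in $spns) {
    # Look up any object that already owns this SPN. Registering it on a second
    # account would leave the KDC unable to pick a key (KRB_AP_ERR_MODIFIED on the client).
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$($entry.Spn))" -Properties servicePrincipalName
    if ($owner) {
        Write-Warning "SPN $($entry.Spn) is already registered on $($owner.DistinguishedName); skipping"
        continue
    }
    # -S adds the SPN only after its own duplicate check; -A would add it unconditionally.
    & setspn.exe -S $entry.Spn $entry.Account
}

# Show what is now registered on each service account.
& setspn.exe -L 'domain\apppool'
& setspn.exe -L 'domain\sqlservice'

# Forest-wide duplicate report. Any SPN listed here must be resolved before testing,
# because the duplicate, not the missing SPN, is the usual cause of NTLM fallback.
& setspn.exe -X
```

Run it once from an elevated PowerShell prompt on any domain-joined server; if setspn -X prints anything, remove the stray registration with setspn -D before going on to the delegation step.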
Trust for delegation of app pool account:
Once you create an SPN for an account, the Delegation tab appears in the
account's properties.
Trust delegation for app pool account domain\apppool:
Go to Active Directory Users and Computers and make the following change for
the domain\apppool account.
Under the Delegation tab:
Select Trust this user for delegation to any service (Kerberos only)
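The delegation setting above, as an added PowerShell example rather than anything from the original post. It assumes the RSAT ActiveDirectory module and the sample account domain\apppool (sAMAccountName apppool). It reproduces the post's choice, "Trust this user for delegation to any service (Kerberos only)", which sets the TRUSTED_FOR_DELEGATION flag on the account (unconstrained delegation), and also shows the narrower alternative from the same tab, "Trust this user for delegation to specified services only" with "Use Kerberos only", which writes the SQL SPNs into msDS-AllowedToDelegateTo so the app pool can only request tickets to those services on a user's behalf. The function name and its -Mode parameter are this example's own.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory and the
# sample account 'apppool' from the post; Set-AppPoolDelegation is this example's own helper.
Import-Module ActiveDirectory

function Set-AppPoolDelegation {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [ValidateSet('Unconstrained', 'Constrained')] [string] $Mode = 'Constrained',
        # Only used in Constrained mode: the SPNs the app pool may delegate to (the SQL SPNs here).
        [string[]] $AllowedServices = @('MSSQLSvc/sql.domain.com', 'MSSQLSvc/sql.domain.com:1433')
    )

    $acct = Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'

    # The Delegation tab only exists once the account owns at least one SPN; the same
    # precondition applies when setting the attributes directly.
    if (-not $acct.servicePrincipalName) {
        throw "No SPN registered on $SamAccountName; register HTTP/testapp.domain.com first."
    }

    if ($Mode -eq 'Unconstrained') {
        # "Trust this user for delegation to any service (Kerberos only)": the post's setting.
        Set-ADAccountControl -Identity $acct -TrustedForDelegation $true
        # Clear any leftover constrained list so the two modes are never mixed.
        if ($acct.'msDS-AllowedToDelegateTo') {
            Set-ADUser -Identity $acct -Clear 'msDS-AllowedToDelegateTo'
        }
    }
    else {
        # "Trust this user for delegation to specified services only" + "Use Kerberos only":
        # no TRUSTED_FOR_DELEGATION flag, no protocol transition, just an explicit target list.
        Set-ADAccountControl -Identity $acct -TrustedForDelegation $false -TrustedToAuthForDelegation $false
        Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedServices }
    }

    # Return the resulting state so the change can be reviewed in the pipeline.
    Get-ADUser -Identity $SamAccountName -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}

# What the post selects:
Set-AppPoolDelegation -SamAccountName 'apppool' -Mode 'Unconstrained'
# The constrained variant for the same topology (app pool -> SQL only):
# Set-AppPoolDelegation -SamAccountName 'apppool' -Mode 'Constrained'
```

Either mode satisfies this farm, since the only back-end hop is the app pool to SQL; the constrained variant is the one to prefer when the account's compromise would otherwise let it impersonate users to every Kerberos service in the domain. In both cases the "Kerberos only" choice means the front end must itself receive a Kerberos ticket from the browser, which is why the SPN and Negotiate steps have to be correct first.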
In Central Admin, go to the web application's properties and, per zone, set
Negotiate authentication for the web application:
Log in to Central Admin.
Go to the web application's properties and set Negotiate authentication for
the web application (http://testapp.domain.com).
Kerberos setup is done.
Testing:
You can use Fiddler or another Kerberos test tool, but the simplest way is to
open Event Viewer (eventvwr) on the web server: under the Security log, the
logon events for the user will show Kerberos as the authentication package.
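The Event Viewer check above, as an added PowerShell example that is not from the original post. Run on the WEB server (web.domain.com) after a user has browsed to http://testapp.domain.com; it assumes logon auditing for the Security log is enabled (it is by default on Windows Server). It reads the 4624 logon events of the last half hour, keeps the network logons that IIS generates for browser requests, and groups them by authentication package: rows under Kerberos are the successful Negotiate handshakes, rows under NTLM are fallbacks that point at a missing or duplicate SPN, or a client that could not reach a KDC. The function name and the -Minutes parameter are this example's own.

```powershell
# Added example (not from the original post). Run on the web server; assumes Security
# log auditing of logon events. Get-RecentLogonAuthPackages is this example's own helper.
function Get-RecentLogonAuthPackages {
    param([int] $Minutes = 30)

    $filter = @{
        LogName   = 'Security'
        Id        = 4624                              # "An account was successfully logged on"
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType   = $data.LogonType
                AuthPackage = $data.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
                Source      = $data.IpAddress
            }
        } |
        Where-Object { $_.LogonType -eq '3' }   # logon type 3 = network, i.e. the browser's request to IIS
}

$logons = Get-RecentLogonAuthPackages -Minutes 30

# Summary: expect the web application's users under 'Kerberos' once the setup is right.
$logons | Group-Object AuthPackage | Select-Object Name, Count

# Detail for anything that fell back to NTLM, so the offending client or SPN can be found.
$logons | Where-Object AuthPackage -eq 'NTLM' | Format-Table Time, User, Source -AutoSize
```

On the client side the matching check is `klist` after loading the site: a ticket for HTTP/testapp.domain.com in the list confirms the browser obtained a service ticket for the SPN registered earlier, and its absence narrows the problem to the SPN or the site's Negotiate setting rather than to delegation.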