Kerberos Authentication Setup at Small SharePoint Farm
Kerberos setup is really easy. Once you know what is happening in every step, you can set up Kerberos authentication without any problem. Here I am taking a small SharePoint environment with 1 APP server, 1 WEB server and 1 SQL server.
SharePoint Farm Topology:
1 APP Server: eg: app.domain.com
1 WEB Server: eg: web.domain.com
1 SQL Server: eg: sql.domain.com
SQL service is running as: domain\sqlservice
1 Central Admin: http://app.domain.com:8888
1 Web application (host header): http://testapp.domain.com
http://testapp.domain.com is running in an app pool with the domain account domain\apppool
*Here no service is running with a computer account, so we don't need computer account delegation.
Set up Kerberos authentication only for the web application (not for Central Admin; in some scenarios that is required, but I am not covering it here).
1. Create the SPN for the app pool account.
2. Create the SPN for the SQL Server service account.
3. Trust the app pool account for delegation.
4. In Central Admin, go to the web application properties and set Negotiate authentication for the web application per zone.
Create the SPN for the app pool account.
The application (http://testapp.domain.com) is running as the domain\apppool account, so we have to create the SPN for the application pool account. The syntax is as below:
App Pool Account: domain\apppool
You can use PowerShell, ADSI Edit or Command Prompt to create these SPNs.
(*If you are using a port number, then use the syntax HTTP/servername.domain.com:portno domain\apppool, e.g. HTTP/webapp1:4444 domain\webapppool1 and HTTP/webapp1.domain.com:4444 domain\webapppool1. It is best practice to create both SPNs, one with the server name and one with the fully qualified name.)
Create the SPN for the SQL Server service account:
Check which account the SQL service is running as; in my example it is domain\sqlservice.
Setspn -S MSSQLSvc/sql.domain.com domain\sqlservice
Setspn -S MSSQLSvc/sql.domain.com:1433 domain\sqlservice
(*The default SQL port is 1433; if you use a different port number, modify it accordingly.)
Trust the app pool account for delegation:
Once you create an SPN for an account, the Delegation tab becomes available in the account properties:
Trust delegation for the app pool account domain\apppool
Go to Active Directory and make the following change for the domain\apppool account.
Under the Delegation tab:
Select "Trust this user for delegation to any service (Kerberos only)"
In Central Admin, go to the web application properties and set Negotiate authentication for the web application per zone:
Log in to Central Admin.
Go to the web application properties and set Negotiate authentication for the web application (http://testapp.domain.com).
Kerberos setup is done.
You can use Fiddler or another Kerberos tester tool, but the best way is to log in to Event Viewer on the web server: under the Security log you will see Kerberos listed as the authentication package for user logons.
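As an added example that is not part of the original post, the following PowerShell script runs the SPN and delegation steps above for the sample farm and then checks the web server's Security log for Kerberos logons. It assumes the ActiveDirectory module is installed, that you run it with rights to edit the two accounts, and the hostnames and accounts used on this page; the Central Admin step is done in the browser and is not scripted.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and the sample names from the page; change them to match your farm.
Import-Module ActiveDirectory

$appPool = 'domain\apppool'
$sqlSvc  = 'domain\sqlservice'

# Step 1: HTTP SPNs for the web application, short name and fully qualified name.
# -S checks for an existing duplicate before adding.
setspn -S HTTP/testapp            $appPool
setspn -S HTTP/testapp.domain.com $appPool

# Step 2: SQL SPNs for the SQL service account (1433 is the default port).
setspn -S MSSQLSvc/sql.domain.com      $sqlSvc
setspn -S MSSQLSvc/sql.domain.com:1433 $sqlSvc

# Check: a duplicate SPN anywhere in the forest makes the KDC fail the ticket
# request and clients silently fall back to NTLM. -X lists duplicates.
setspn -X

# Step 3: the "Trust this user for delegation to any service (Kerberos only)"
# option from the post, set on the app pool account.
Set-ADUser -Identity 'apppool' -TrustedForDelegation $true

# Least-privilege alternative (assumed, not from the post): instead of the line
# above, constrain delegation to the SQL SPN only.
# Set-ADUser -Identity 'apppool' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql.domain.com:1433' }

# Verification, run on the web server: network logons (type 3) whose
# authentication package is Kerberos rather than NTLM.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
      Time      = $_.TimeCreated
      User      = $data.TargetUserName
      Package   = $data.AuthenticationPackageName
      LogonType = $data.LogonType
    }
  } |
  Where-Object { $_.LogonType -eq 3 } |
  Format-Table -AutoSize
```

If the Package column shows NTLM for the test user after browsing to http://testapp.domain.com, re-check the SPNs with setspn -L domain\apppool and the duplicate scan before looking at the zone setting.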