Professional Documents
Culture Documents
Configure Kerberos For SharePoint 2013
Configure Kerberos For SharePoint 2013
Configure Kerberos For SharePoint 2013
blog.blksthl.com
1 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
(almost).
I came upon a few ‘snags’ that took me a while to figure out, but
part from that, all is similar to how it is in SharePoint 2010. So,
good for me, I only have to update Everything, not re-learn the
whole thing!
As help in the task of writing this post, I had nothing…its still pretty
empty for SharePoint 2013 on the topic of Kerberos and
authentication (a few references added at the bottom section of this
post), no doubt that will change as we get closer to launch but
today, it was a void waiting to be filled. So, take it as is, this is built
solely upon the preview bits. Use the 2010: The Whitepaper (242
pages) as reference, most of it is still valid.
Ok, enough talk, lets get down to business:
This time, I will try and get back later and add a scenario involving
Windows Server 2012 and SQL Server 2012. Not that the SQL
2 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
server will make much or any difference here, but the server
environment will. Perhaps I’ll even have a brand new AD to work
with based on 2012.
Scenario 1 – Basic
Checklist:
Step Summary
3 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Step 1
4 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Name Resolution
There are two ways to do this, one excellent and one less excellent,
the lesser of the two is really only ‘allowed’ for developing or testing
purposes, but it exists and should be taken into consideration.
Testing is also something that you will want to do here, and the less
modifications you must do that requires a service down or a
(Service Management) change order at an early stage, the better.
Use Hosts for testing, then DNS in production.
DNS
Make sure that the URL of the Web Application has a A-Record in
DNS, if not, you need to create it.
5 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
1.3 Right click on the zone (domain name) and click on new host (A
or AAAA).
1.4 Type in the name of the record, this is the URL of the Web
Application (minus the domain part in a FQDN) and type in the IP
address of the SharePoint 2013 Web Server
6 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
1.8 Verify that the record has been created in the right pane.
7 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
1.10 You are now done with step 1, Name Resolution. Move on to
step 2. Service Principal Name(SPN).
Note: A known issue exists with some clients (IE7 and IE8
included) that causes kerberos authentication to fail with the use of
DNS alias instead of an A-Record.
Hosts (not recommended method)
1.x1 Locate the hosts file on your client or server if this is what you
are using as client. It is located in the following path: C:\Windows
\System32\Drivers\etc\hosts. Use Notepad to open it(open notepad
using right click and ‘Run as Administrator’ and you will be allowed
to save the changes)
1.x2 At the bottom of the file, add a row with the following:
IP-Address<tab>hostname/FQDN <enter>
– Example:
192.168.1.104 sharepoint2013
8 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
192.168.1.104 sharepoint2013.corp.balkestahl.se
Note: Always end the last line with a Linefeed/Enter, else you may
experience issues using the hosts file.
1.x3 Example of how the file could look above…Save the file using
the same filename(hosts only, no extension)
You are now done with step 1, Name Resolution. Move on to step
2. Service Principal Name(SPN).
Back to main menu
Step 2
9 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
2.2 Next, list all SPN already in Place for the Service Account, type:
10 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Most likely, you get back nothing. This is ok. If you do get some
registered SPN’s back, just make sure that they are not the same
as the ones you are about to add, if they aren’t they you can leave
them be.
2.3 Next, we create our own SPN’s for the service account paired
with the Web Application and SPN type, to create this SPN type:
2.5 Now we also have to add an SPN for the FQDN, type:
11 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
2.6 Listing the SPN’s now should list one additional SPN, type:
If Everything has gone well and you had no previous SPN’s created
from this service account, then the result from the command will be:
HTTP/mywebappurl
HTTP/mywebappurl.domain.com
The necessary SPN’s have now been created successfully and the
service will be able to request tickets in your name.
12 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Step 3
(added 2012-12-08)
Note: Step 3 can be skipped if you only want to authenticate your
users. Delegation is only needed if you are planning to access
external or ‘second hand’ datasources, such as an RSS feed,
Reporting Services or any other service external to the SharePoint
server, that would require the users authentication to be delegated.
Configuring delegation together with Kerberos will allow for ‘double
hop’ scenarios.
(Thanks Spencer Harbar for pointing this out)
Change this setting in Active Directory using the following:
13 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
3.4 On the Delegation tab, click ‘Trust this computer for delegation
to any service (Kerberos only)’.
14 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
You are now done with step 3. Trust for delegation. Move on to
step 4. Authentication Provider.
Back to main menu
Step 4
Authentication Provider
15 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
16 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
4.2 Select the Web Application you want to configure, and click on
Authentication providers in the top ribbon.
17 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
4.5 Scroll down the dialog to ‘Save’ / ‘Close’. Press Save and
wait…you will not see any progress…
4.6 Sit here until you feel that you have waited long enough and
that the save MUST be done.
18 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
4.9 Select the Web Application and in the middle pane under the
heading ‘IIS’, locate ‘Authentication’
4.10 Select the ‘Authentication’ Icon and in the right ‘Actions’ pane,
clikc on ‘Open Feature’.
19 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
4.13 Verify that ‘Negotiate’ and ‘NTLM’ are the only ones listed and
that they are listed in that order, ‘Negotiate’ at the top.
4.14 Click Cancel and then again in the right ‘Actions’ pane click on
‘Advanced Settings’.
20 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
4.17 IIS will warn you that this is disabled, but SharePoint disables
this setting because of a ‘feature’ in IE8 that may prevent them from
connecting. Do not follow their advice this time…
21 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
22 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Step 5
Verification of functionality
Klist (Client)
23 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Klist
24 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
5.4 Now, we want to clean up this list so that we can see if a new
ticket is granted to our user when logging on to SharePoint.
Ticket(s) purged!
25 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
This time the list should be empty. (if not, then some service has
managed to connect again during the time from that you purged
until you ran Klist again)
5.7 When authenticated and logged into the site, all loaded ok
Now, with Kerberos working, you will see two tickets, the most
important one is the second ticket(#1) that contains:
26 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Client: username@domain.com
Server: HTTP/mywebappurl
If you see this ticket, things are working! Now, all we have to do is
verify that it looks good on the Web Server as well.
Close down the Command Prompt and move on to the next task in
this guide, the security log.
27 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Note: Before checking for events in the eventlog, you may want to
verify that your server is logging authentication success, else you
will not see the event ID 4624 in the Security Log of your Web
servers.
You will find the Group Policy at ‘Computer Configuration /
Windows Settings / Security Settings / Local Policies / Audit Policy
> [Audit logon events], make sure this is set to ‘Success’.
(Thanks to Alvar Kresh for sharing this important note)
Verify that the Web Server Authenticates the user using Kerberos
using the following:
5.10 Expand the ‘Windows Logs’ container and locate the ‘Security’
Log.
5.11 In the Security log, locate a recent event with the ID of 4624.
This event should be a successfull logon, and hold the security ID
and accountname of the user that accessed the SharePoint Web
Application using Internet Explorer on the client, and it should also
state:
28 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
If you can verify that you do have this event, then you are done,
Kerberos works!
29 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
This means that if you have successfully completed all steps in this
guide, you have managed to configure Kerberos for SharePoint
2013.
Related links:
Problems with Kerberos authentication when a user belongs to
many groups
http://support.microsoft.com/kb/327825
“HTTP 400 – Bad Request (Request Header too long)” error in
Internet Information Services (IIS)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2020943
Users who are members of more than 1,015 groups may fail
logon authentication
http://support.microsoft.com/kb/328889/
Group Policy may not be applied to users belonging to many
groups
http://support.microsoft.com/kb/263693/
CONGRATULATIONS!
Back to main menu
30 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Herakles – Unknown
References
31 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
Trust for delegation (Windows Server 2003 but this still goes)
http://technet.microsoft.com/en-us/library/cc739764(v=ws.10).aspx
Microsoft Kerberos
http://msdn.microsoft.com/en-us/library/aa378747(VS.85).aspx
_________________________________________________________
Enjoy!
Regards
32 de 33 08/09/2016 04:44 PM
The first Kerberos guide for SharePoint 2013 technicians about:reader?url=https://blog.blksthl.com/2012/09/26/the-first-kerbero...
33 de 33 08/09/2016 04:44 PM