Thursday 15 March 2012

Setting up Kerberos Authentication for SharePoint



To understand the basics, read the articles at the end of this how-to. In short, you permit your web application service account to connect, on behalf of the browsing user, from a specified URL to a specific SQL Server running under a specific SQL service account.



For the SQL Service account

A : Manual Process For SQL
Open a cmd prompt with Run as (run as the domain admin account), or add the SPNs with ADSI Edit as in B below.
Enter the following in the cmd prompt
setspn -A MSSQLSvc/servername.mydomain.tld:1443 mydomain\SQLserviceaccount
press enter

if successful enter the following
setspn -A MSSQLSvc/servername:1443 mydomain\SQLserviceaccount
press enter


B : Else, open ADSI edit
Browse to the SQL Server Service account used (mydomain\SQLserviceaccount)
right click > properties.
In the Attribute section, select servicePrincipalName > click Edit
Add the following :
MSSQLSvc/servername:1443
MSSQLSvc/servername
MSSQLSvc/servername.mydomain.tld:1443
MSSQLSvc/servername.mydomain.tld


For the Web application Account

A : Manual Process
Open a cmd prompt with Run as (run as the domain admin account), or add the SPNs with ADSI Edit as in B below.
Enter the following in the cmd prompt
setspn -A HTTP/myURL.mydomain.tld mydomain\webappserviceaccount


B : Else, open ADSI edit
Browse to the Web Application Service account used (mydomain\webappserviceaccount)
right click > properties.
In the Attribute section, select servicePrincipalName > click Edit
Add the following :
HTTP/myURL
HTTP/myURL.mydomain.tld

Note : the service class is always HTTP, even if your site is HTTPS





Enable Constrained Delegation for the Web Application account

Browse to the web application Active Directory service account (mydomain\webappserviceaccount)
Edit the Object > Select the Delegation Tab > Trust this user for Delegation to any service (Kerberos only)
Click Ok



Test the Kerberos Setup

1. Setup a new site in Central Admin
Central Admin > Manage Web Applications > New
Select Claims Based Auth
Create a new IIS Site
Port : 80
HostHeader : enter name of site users will browse to
Edit Path to D:\etc...
Allow Anonymous : Yes
Enable Windows Auth : checked
Integrated Windows Auth : checked and Negotiate (Kerberos) set
Create new Application pool : enter pool name or leave as default.
Select the Web application Service account : (mydomain\webappserviceaccount)
Amend your DB name if required.
Select OK to create the new web application

2. Create a site collection
Any site will do, use the same name as the host header and enter a site collection admin.
Click ok

3. Open DNS Manager > Create an A record for the Site name pointing to the IP i.e. MyURL
FQDN should be myURL.mydomain.tld

4. Open the Server's Event Viewer > Select the Security log > Filter the log to event ID 4624


5. Access the site from your PC browser : http://myURL
Check the Server's Event Viewer for 4624 events; Logon Process and Authentication Package should both read Kerberos.
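As a check of the whole setup, here is an added PowerShell script (not from the original post) that verifies the SPNs from the setspn / ADSI Edit sections sit on the right accounts with no duplicates, reports the web application account's delegation setting, and summarises the 4624 logons from step 5 by authentication package. It assumes the post's placeholder names (mydomain.tld, servername, myURL, SQLserviceaccount, webappserviceaccount) and runs as an administrator on the SharePoint server.

```powershell
# Added verification script, not part of the original post. The names are the
# post's own placeholders; replace them with your domain, hosts and accounts.
$Domain     = 'mydomain.tld'
$SqlHost    = 'servername'
$SiteHost   = 'myURL'
$SqlAccount = 'SQLserviceaccount'
$WebAccount = 'webappserviceaccount'

# SPNs each account should hold after the setspn / ADSI Edit steps above.
$Expected = @{
    $SqlAccount = @("MSSQLSvc/${SqlHost}.${Domain}:1443", "MSSQLSvc/${SqlHost}:1443")
    $WebAccount = @("HTTP/${SiteHost}.${Domain}", "HTTP/${SiteHost}")
}
# Directory lookup via the built-in ADSI searcher (no AD module needed).
function Get-AdAccount([string]$Sam) {
    ([adsisearcher]"(sAMAccountName=$Sam)").FindOne()
}

# 1. Each SPN must sit on its account and on no other account; a duplicate
#    SPN stops the KDC issuing a ticket and the browser falls back to NTLM.
foreach ($acct in $Expected.Keys) {
    $have = @((Get-AdAccount $acct).Properties['serviceprincipalname'])
    foreach ($spn in $Expected[$acct]) {
        $holders = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll())
        $status = 'MISSING'
        if ($have -contains $spn) { $status = 'OK' }
        if ($holders.Count -gt 1) { $status = "DUPLICATE on $($holders.Count) accounts" }
        '{0,-45} {1,-22} {2}' -f $spn, $acct, $status
    }
}

# 2. Delegation on the web application account: userAccountControl bit 0x80000
#    is "any service"; msDS-AllowedToDelegateTo lists the services when it is
#    constrained instead (for this setup, the MSSQLSvc SPNs above).
$web = Get-AdAccount $WebAccount
$uac = [int]$web.Properties['useraccountcontrol'][0]
$anyService = ($uac -band 0x80000) -ne 0
$onlyTo     = @($web.Properties['msds-allowedtodelegateto'])
"Delegation: any service = $anyService; constrained to: $($onlyTo -join ', ')"

# 3. Successful logons (4624) on this server grouped by authentication package;
#    user logons should all say Kerberos. Computer accounts (name ends in $) are dropped.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
  ForEach-Object {
    $d = ([xml]$_.ToXml()).Event.EventData.Data
    New-Object PSObject -Property @{
        User    = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        Package = ($d | Where-Object { $_.Name -eq 'AuthenticationPackageName' }).'#text'
    }
  } | Where-Object { $_.User -notlike '*$' } | Group-Object Package | Select-Object Name, Count
```

If the last table shows NTLM for your test user, recheck the host header, the DNS A record and the HTTP SPN, since any mismatch between them makes the browser skip Kerberos.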


This is a really good site for further info : http://technet.microsoft.com/en-us/magazine/ee914605.aspx

These websites contain good explanations
http://www.thesharepointblog.net/Lists/Posts/Post.aspx?List=815f255a%2Dd0ef%2D4258%2Dbe2a%2D28487dc9975c&ID=43
http://blogs.msdn.com/b/russmax/archive/2009/10/20/configuring-kerberos-authentication-in-sharepoint-2010-part-1.aspx

The first was pretty clear to me and was used to create this page.
