Showing posts with label Active Directory. Show all posts
Thursday, 15 March 2012
Setting up Kerberos Authentication for Sharepoint
To understand the basics, read the articles at the end of this how-to. In short, you permit your web application service account to connect from a specified URL to a specific server with a specific SQL service account.
For the SQL Service account
A : Manual Process For SQL
Open a cmd prompt with Run as (run as the domain admin account), or add the following with ADSI Edit.
Enter the following in the cmd prompt:
setspn -A MSSQLSvc/servername.mydomain.tld:1443 mydomain\SQLserviceaccount
Press Enter.
If successful, enter the following:
setspn -A MSSQLSvc/servername:1443 mydomain\SQLserviceaccount
Press Enter.
B : Else, open ADSI edit
Browse to the SQL Server Service account used (mydomain\SQLserviceaccount)
Right click > Properties.
In the Attribute section, select servicePrincipalName > click Edit
Add the following :
MSSQLSvc/servername:1443
MSSQLSvc/servername
MSSQLSvc/servername.mydomain.tld:1443
MSSQLSvc/servername.mydomain.tld
For the Web application Account
A : Manual Process
Open a cmd prompt with Run as (run as the domain admin account), or add the following with ADSI Edit.
Enter the following in the cmd prompt:
setspn -A HTTP/myURL.mydomain.tld mydomain\webappserviceaccount
B : Else, open ADSI edit
Browse to the Web Application Service account used (mydomain\webappserviceaccount)
Right click > Properties.
In the Attribute section, select servicePrincipalName > click Edit
Add the following :
HTTP/myURL
HTTP/myURL.mydomain.tld
Note : it's always HTTP even if your site is HTTPS
Enable Constrained Delegation for the Web Application account
Browse to the web application Active Directory service account (mydomain\webappserviceaccount)
Edit the object > select the Delegation tab > Trust this user for delegation to any service (Kerberos only)
Click OK
Note : "any service" is unconstrained delegation. The constrained option on the same tab is "Trust this user for delegation to specified services only" with "Use Kerberos only", where you add the MSSQLSvc SPNs registered above; that limits the web application account to delegating to SQL Server and nothing else.
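The SPN and delegation steps above as an added PowerShell example (not from the original post), using the ActiveDirectory module; account and host names are the post's placeholders. It looks up each SPN's current owner before registering it, since a duplicate SPN breaks Kerberos for both accounts, and then sets the constrained, Kerberos-only form of the delegation limited to the SQL SPNs rather than the "any service" option.

```powershell
# Added example (not from the post): register the post's SPNs with the ActiveDirectory
# module after checking for duplicates, then set constrained delegation to the SQL SPNs.
Import-Module ActiveDirectory

$sqlAccount = 'SQLserviceaccount'       # sAMAccountName of the SQL Server service account
$webAccount = 'webappserviceaccount'    # sAMAccountName of the web application pool account
$sqlSpns = @(
    'MSSQLSvc/servername:1443',
    'MSSQLSvc/servername',
    'MSSQLSvc/servername.mydomain.tld:1443',
    'MSSQLSvc/servername.mydomain.tld'
)
$webSpns = @('HTTP/myURL', 'HTTP/myURL.mydomain.tld')  # always HTTP, even for an HTTPS site

function Add-SpnChecked {
    param([string]$Account, [string[]]$Spns)
    foreach ($spn in $Spns) {
        # The same SPN on two accounts breaks Kerberos for both (the KDC cannot pick a key),
        # so find the current owner before adding anything.
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                 Select-Object -First 1
        if ($owner -and $owner.sAMAccountName -ne $Account) {
            Write-Warning "$spn already belongs to $($owner.sAMAccountName); not adding it to $Account"
            continue
        }
        if ($owner) { Write-Host "$spn already set on $Account"; continue }
        Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $spn}
        Write-Host "Added $spn to $Account"
    }
}

Add-SpnChecked -Account $sqlAccount -Spns $sqlSpns
Add-SpnChecked -Account $webAccount -Spns $webSpns

# Constrained delegation, Kerberos only: the web application account may delegate
# only to the SQL SPNs ("specified services only" on the Delegation tab), not to any service.
Set-ADUser -Identity $webAccount -Add @{'msDS-AllowedToDelegateTo' = $sqlSpns}

# Confirm the result and run the forest-wide duplicate check
setspn -L $sqlAccount
setspn -L $webAccount
setspn -X
```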
Test the Kerberos Setup
1. Setup a new site in Central Admin
Central Admin > Manage Web Applications > New
Select Claims Based Auth
Create a new IIS Site
Port : 80
HostHeader : enter name of site users will browse to
Edit Path to D:\etc...
Allow Anonymous : Yes
Enable Windows Auth : checked
Integrated Windows Auth : checked and Negotiate (Kerberos) set
Create new Application pool : enter pool name or leave as default.
Select the Web application Service account : (mydomain\webappserviceaccount)
Amend your DB name if required.
Select OK to create the new web application
2. Create a site collection
Any site will do; use the same name as the host header and enter a site collection administrator.
Click ok
3. Open DNS Manager > Create an A record for the site name (i.e. MyURL) pointing to the server's IP. Use an A record rather than a CNAME; with a CNAME the browser requests a ticket for the canonical host name instead of HTTP/myURL.
FQDN should be myURL.mydomain.tld
4. Open the server's Event Viewer > Select the Security log > Filter the log to event ID 4624
5. Access the site from your PC browser : http://myURL
Check the server's Event Viewer for 4624 events; Logon Process and Authentication Package should both read : Kerberos
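Steps 4 and 5 above as an added PowerShell script (not part of the original post) that pulls recent 4624 events from the Security log on the web front end and shows whether each network logon used Kerberos or fell back to NTLM. The user name and time window are assumed parameters.

```powershell
# Added example (not from the post): check recent 4624 logons for Kerberos vs NTLM.
# Run on the SharePoint server after browsing to http://myURL (the post's placeholder).
param(
    [string]$User = $env:USERNAME,   # assumed: the account you browsed with
    [int]$Minutes = 15               # assumed: how far back to look
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddMinutes(-$Minutes)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # The fields shown in the Event Viewer details pane live in the event's XML <EventData>
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        Domain      = $d['TargetDomainName']
        LogonType   = $d['LogonType']            # 3 = Network, which an IIS request produces
        LogonProc   = $d['LogonProcessName']     # "Kerberos" on success, "NtLmSsp" on fallback
        AuthPackage = $d['AuthenticationPackageName']  # "Kerberos" or "NTLM"
        SourceIp    = $d['IpAddress']
    }
}

# Only the network logons for the test user matter here
$mine = $logons | Where-Object { $_.Account -eq $User -and $_.LogonType -eq '3' }
$mine | Sort-Object Time -Descending |
    Format-Table Time, Account, LogonProc, AuthPackage, SourceIp -AutoSize

# NTLM here means the SPN, the DNS record or the browser's Negotiate setting is still wrong
$ntlm = $mine | Where-Object { $_.AuthPackage -eq 'NTLM' }
if ($ntlm) { Write-Warning "$($ntlm.Count) NTLM fallback logon(s) for $User in the last $Minutes minutes" }
```

On the client, `klist` should at the same time show a service ticket for HTTP/myURL.mydomain.tld.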
This is a really good site for further info : http://technet.microsoft.com/en-us/magazine/ee914605.aspx
These websites contain good explanations:
http://www.thesharepointblog.net/Lists/Posts/Post.aspx?List=815f255a%2Dd0ef%2D4258%2Dbe2a%2D28487dc9975c&ID=43
http://blogs.msdn.com/b/russmax/archive/2009/10/20/configuring-kerberos-authentication-in-sharepoint-2010-part-1.aspx
The first was pretty clear to me and was used to create this page.
Sunday, 11 March 2012
AD Permissions on SharePoint Administrative accounts.
A common mistake produces the errors below during installation or when adding service accounts to SharePoint.
Solution :
"Authenticated Users" should have "Read" permissions on all service accounts you add to SharePoint.
From the AD console > edit the AD service account object > Security tab > select "Authenticated Users" > ensure "Read" permissions are enabled.
Error on SP installation :
Failed to create the configuration database.
An exception of type System.Collections.Generic.KeyNotFoundException was thrown. Additional exception information: The given key was not present in the dictionary.
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.ThrowHelper.ThrowKeyNotFoundException()
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
Error on adding AD account as managed SharePoint account :
The given key was not present in the dictionary.