Kerberos and SharePoint 2007



If you want to use Kerberos authentication and not NTLM with SharePoint then there are some extra tasks that you need to get someone with Domain Admin privileges to perform. For EVERY dns / port combination a SPN needs to be added to Active Directory to tell it that it  is allowed to use Kerberos to authenticate a specific account or server to that URL. In a production environment with a farm of multiple server you will need to use the account option.

The account option lets you create an Active Directory account called..say… svc_Sharepoint and add a bunch of SPN’s to it. This account then needs to be used to run the application you are trying to connect to. So if it is an IIS website then the AppPool needs to run under that account. if it is SQL Server then the services need to run under that account.

You need to add an SPN for each protocol URL and port combination:

setspn -a admin.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a admin.ep-dev.[domain].biz:8080 [domain]svc_sharepoint
setspn -a bi.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a nrcdashboard.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a ep-dev.[domain].biz     [domain]svc_sharepoint
setspn -a team.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a search.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a my.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a technet.ep-dev.[domain].biz [domain]svc_sharepoint
setspn -a tfs01.ep-dev.[domain].biz [domain]svc_tfsservices
setspn -a tfs01.ep-dev.[domain].biz:8080 [domain]svc_tfsservices
setspn -a TFS.ep-dev.[domain].biz [domain]svc_tfsservices

These SPN’s will allow authentication to work on these domains, but it does require Domain Admin to run them. And these are only my initial FQDN for this environment. We will be having a production environment soon and most likely a UAT environment before we start any development work on our Enterprise Portal.


Technorati Tags:      

Create a conversation around this article

Share on Facebook
Share on Twitter
Share on Linkdin

We dont have any dates for public classes right now. sign-up to be the first to know, or contact us for discounts or private training.

Read more
Martin Hinshelwood
As we progress deeper into the dynamic landscape of the 21st century, our long-established organisations, born of the Industrial Age and infused with a DNA of strict command and control, stand on shaky ground. These organisations strut with command-and-control bravado, erecting clear hierarchies in their stable inert markets where bureaucracy …
Martin Hinshelwood
In organizational development and team dynamics, Agile (as the Agile Manifesto delineates) and Scrum (as the Scrum Guide outlines) guide teams not by solving their problems but by illuminating the issues that demand attention. These frameworks aim to identify and spotlight the challenges within a team or organization’s processes, effectively …
Martin Hinshelwood
This week, I participated in a Webinar hosted by Sabrina Love ( Product Owner) as well as my colleagues, Joanna Płaskonka, Ph.D. and Alex Ballarin to discuss the state of learning and how immersive learning is the future of training. You can watch the video below to hear what …
Martin Hinshelwood
For a long time now I have been searching for that perfect domain that epitomised the vision, the why, of what I am trying to achieve with my customers and the industry at large. Now I have found it in