Thursday 28 June 2012

SharePoint 2010 Kerberos

SharePoint 2010 Kerberos


Business objective for us was to resolve the authentication prompt in Safari browser for MAC users. We have got more than 100 users on MAC it’s a challenge for them and kind of annoying to see the prompt for login credentials in MAC from a user experience perspective. And, also due to some security concerns we wanted to use Kerberos. Single Sign on was the call of the day for MAC users. It’s imperative to understand your business objective before thinking of implementing Kerberos.

Though there is keychain in MAC which stores the password but that doesn’t always work when accessing /editing MS Office documents from SharePoint in Safari. There are ways to configure config file in Mozilla on MAC but it’s daunting to manage this with new releases etc. And, again IT Policies may prohibit users from using Mozilla or something else as supported on MAC is Safari with limitations.

We don’t use PerformancePoint, Power Pivot, SSRS, Excel; services i.e. BI components in SharePoint. It was a straight forward process to implement Kerberos integration with SharePoint 2010.

Initially Idea was to test this and have a proof of concept to move this to the next stage.  Below are the steps to test this:

1)       Understand what service accounts are required.

Service Accounts:

Contoso\spkerberos for the web application
Contoso\sqladmin for the SQL Server
Contoso\spc2wts for Claims to windows service account

2)      In our case I wanted to test this by creating a test service application in test environment

Created a staging web application with claims based authentication: NTLM
http://staging.portal. contoso.com

3)      In DNS, created a host entry called staging.portal pointing to the WFE Server IP address

Note: Recommendation was don’t use CNAME that will cause serious issues as I learnt from the TechNet documentation, it’s a must read and helps a lot to plan for Kerberos.


Spencer Harbar has a fantastic article on SharePoint 2010 and Kerberos, must read would say


4)      Created the following script to create the SPNs for the service accounts from the SharePoint WFE server and SQL Server

Run this to create service principal names for the service account for web app, claims to windows, sql server

SETSPN -S HTTP/staging.portal Contoso\spkerberos
SETSPN -S HTTP/staging.portal.contoso.com Contoso\spkerberos
ECHO ---------------------------------------------------------------
ECHO Setting Service Principal Name on SQLDB Service Account
ECHO ---------------------------------------------------------------
SetSPN -S MSSQLSVC/databseserver01 Contoso\sqladmin
SetSPN -S MSSQLSVC/databaseserver01.contoso.com Contoso\sqladmin
ECHO ---------------------------------------------------------------
ECHO Setting Service Principal Name on C2W Token Service Account
ECHO ---------------------------------------------------------------
SetSPN -S  SP/C2WTS Contoso\spc2wts


5)      Check the SPNS in the attribute editor of the service Accounts in Active Directory
6)      Change web application authentication from ntlm to negotiate Kerberos
7)      Start claims to windows service
8)      Go to AD and look for delegation properties for all service accounts and delegate trust
9)      Look for event ids 4744 for Kerberos authentication
10)   Use fiddler to track whether it’s using negotiate (Kerberos) or ntlm

Once changes done initially will prompt the login credentials on three of four occasions

Voila now on MAC’S, when accessing SharePoint goes through with ease and without login prompts Nice!

There are other blogs which contains screenshot I just wanted to capture this for a high level understanding of what is required.

No comments:

Post a Comment