We have been using Kerberos for almost five years, since SharePoint 2007. However, every time we set up a new development SharePoint box and try to integrate it with a third-party application that requires Kerberos, like the QlikView web part, developers forget to configure Kerberos correctly. Most developers are not able to give the AD team or infrastructure team the information needed to request the Kerberos configuration. In this blog, I would like to summarize how to verify Kerberos settings from a developer's point of view and what needs to be requested from the AD and infrastructure teams. It is not intended to teach you how to set up Kerberos, but rather to show you how to verify the settings so you can debug the issue.
There are several ways to check whether Kerberos is configured correctly for the web app. The most direct way is to verify from Fiddler 2: the login should display “Negotiate”, not “NTLM”, as in the screenshot. You can also get similar information from Wireshark.
The second way is from the SharePoint server event logs. Open the Security log and filter for “Event ID: 4624”. You will see that the “Logon Process” is Kerberos.
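The event-log check above can be scripted instead of filtering by hand in Event Viewer. The following PowerShell is an added example and is not code from the original post: it pulls the last 24 hours of Event ID 4624 (successful logon) from the Security log on the web front end, keeps only network logons (the logon type IIS uses for browser users), and counts them by authentication package. A Kerberos-enabled site should show mostly “Kerberos”; a large “NTLM” share means Negotiate is falling back. The 24-hour window and the 5000-event cap are assumptions; adjust them to your server's traffic.

```powershell
# Added example (not part of the original post). Run in an elevated PowerShell
# on the SharePoint web front end. Read-only: it only queries the Security log.

$since = (Get-Date).AddHours(-24)   # assumed window; widen or narrow as needed

# Event ID 4624 = "An account was successfully logged on".
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Each 4624 event carries its fields as <Data Name="..."> elements in the XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon Type 3 = Network, which is how IIS authenticates browser users.
    if ($data['LogonType'] -ne '3') { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        User          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonProcess  = $data['LogonProcessName']          # 'Kerberos' or 'NtLmSsp'
        AuthPackage   = $data['AuthenticationPackageName'] # 'Kerberos' or 'NTLM'
        ClientAddress = $data['IpAddress']
    }
}

# Per-package counts: the quick answer to "is this box actually doing Kerberos?"
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# List the most recent NTLM fall-backs so you can see which clients and accounts
# are affected (often a missing SPN or a browser zone that does not send tickets).
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it once with the site warmed up by a few browser logins; if every row shows “NtLmSsp”/“NTLM”, Negotiate is not producing Kerberos tickets and the procedure below applies.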
If you cannot see that the site is Kerberos-enabled from either of these two ways, you will need to debug the SharePoint server. Here is the procedure you can follow to work with the AD and infrastructure teams.
1. The first thing to verify is whether Kerberos is enabled for the web app. Open IIS Manager -> select the site -> click Authentication -> right-click Windows Authentication -> click Providers... You should see “Negotiate” in the list.
Then, in IIS Manager -> select the site -> click Authentication -> right-click Windows Authentication -> click Advanced Settings. You should see “Enable Kernel-mode authentication” selected.
You can also verify the web app's "Authentication provider" setting from Central Administration (CA).
2. The second part is to verify whether the SPN is set up correctly, using the command
setspn -l domain\installer account
You should see the HTTP SPNs registered for the sandbox server sbx18:
C:\Users\harrycx>setspn -l na\pdssbx
http/sbx18.na.qualcomm.com
http/sbx18
http/sbx18
3. The third part is to verify that every web app has its entries configured in the C:\Windows\System32\inetsrv\config\applicationHost.config file. The windowsAuthentication element below, with useKernelMode and useAppPoolCredentials set to true and “Negotiate” in its providers list, is what you should see if Kerberos is configured for the web app.
<location path="MySite - 300">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
                <anonymousAuthentication enabled="false" />
                <digestAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
        <urlCompression doStaticCompression="true" doDynamicCompression="true" />
        <httpErrors existingResponse="PassThrough" />
        <httpProtocol>
            <customHeaders>
                <clear />
                <add name="X-Powered-By" value="ASP.NET" />
                <add name="MicrosoftSharePointTeamServices" value="14.0.0.6117" />
            </customHeaders>
        </httpProtocol>
        <handlers accessPolicy="Read, Execute, Script" />
    </system.webServer>
</location>
Please note that each web app must be configured, and if you have a load balancer in front of multiple IIS servers, you can refer to the blog for more details.
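Steps 1 through 3 above are each a manual inspection of one thing: the IIS authentication settings, the SPNs on the account, and the applicationHost.config entries. The following PowerShell script is an added example, not from the original post, that performs the same three read-only checks on the web front end in one pass. It parses applicationHost.config directly (the path is the one named in step 3), reports each site's Windows authentication settings and whether Negotiate is listed first, runs setspn -L for each application-pool account found in the file, and derives the HTTP SPN each site's host header implies so the two lists can be compared. The assumption that the app pool runs as a specific domain account (identityType SpecificUser) and that Kerberos clients will ask for HTTP/<host header> are mine, not statements from the post.

```powershell
# Added example (not part of the original post). Read-only: inspects
# applicationHost.config and lists SPNs; it changes nothing on the server.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

[xml]$cfg = Get-Content -Path $ConfigPath -Raw

# --- 1. Windows authentication settings per <location> (step 1 and step 3) -------
$findings = foreach ($loc in $cfg.configuration.location) {
    $auth = $loc.'system.webServer'.security.authentication
    if (-not $auth) { continue }                      # location without its own auth block
    $win       = $auth.windowsAuthentication
    $providers = @($win.providers.add | ForEach-Object { $_.value })

    [pscustomobject]@{
        Site               = $loc.path
        WindowsAuthEnabled = $win.enabled -eq 'true'
        KernelMode         = $win.useKernelMode -eq 'true'
        AppPoolCredentials = $win.useAppPoolCredentials -eq 'true'
        Providers          = ($providers -join ', ')
        # Negotiate must be present and ahead of NTLM; otherwise browsers never
        # offer a Kerberos ticket to this site.
        NegotiateFirst     = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
        AnonymousDisabled  = $auth.anonymousAuthentication.enabled -eq 'false'
    }
}
$findings | Format-Table -AutoSize

# --- 2. SPNs on each application-pool identity (step 2) --------------------------
# Assumption: SharePoint app pools run as a specific domain account, which is the
# account that must carry the HTTP SPNs when useAppPoolCredentials="true".
$poolIdentities = @{}
foreach ($pool in $cfg.configuration.'system.applicationHost'.applicationPools.add) {
    $pm = $pool.processModel
    if ($pm -and $pm.identityType -eq 'SpecificUser') { $poolIdentities[$pool.name] = $pm.userName }
}

foreach ($acct in ($poolIdentities.Values | Sort-Object -Unique)) {
    Write-Host "`nSPNs registered for $acct :"
    # setspn.exe ships with Windows; -L lists the SPNs on the account, output shown as-is.
    & setspn.exe -L $acct
}

# --- 3. SPNs each site's host header implies ------------------------------------
# Assumption: a Kerberos client requests HTTP/<host header> for the site it browses.
# Any name printed here that is missing from the setspn output above is what you
# need to ask the AD team to register.
foreach ($site in $cfg.configuration.'system.applicationHost'.sites.site) {
    foreach ($b in $site.bindings.binding) {
        if ($b.protocol -ne 'http' -and $b.protocol -ne 'https') { continue }
        $hostHeader = ($b.bindingInformation -split ':')[2]   # format is ip:port:host
        if ($hostHeader) { "{0,-40} expects SPN  HTTP/{1}" -f $site.name, $hostHeader }
    }
}
```

Run it in an elevated PowerShell on each IIS server behind the load balancer; the first table tells you which sites are missing Negotiate, kernel mode or app-pool credentials, and the last section gives you the exact SPN names to put in the request to the AD team.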