We have been using Kerberos for almost five years, since SharePoint 2007. However, every time a new development SharePoint box is set up and we try to integrate it with a third-party application that requires Kerberos, such as the QlikView webpart, developers forget to configure Kerberos correctly. Most developers are not able to provide the information needed to request Kerberos configuration from the AD team or the infrastructure team. In this blog, I would like to summarize how to verify Kerberos settings from a developer's view and what needs to be requested from the AD and infrastructure teams. It is not intended to teach you how to set up Kerberos but rather to show you how to verify the settings so you can debug the issue.
There are several ways to check whether Kerberos is configured correctly for the webapp. The most direct way is to verify from Fiddler 2. The login should display “Negotiate”, not “NTLM”, as in the screenshot. You could also get similar information from Wireshark.
The second way is from the SharePoint server event logs. Open the Security log and filter for “Event ID: 4624”. You will see that the “Logon Process” is Kerberos.
If neither of these two ways shows that the site is Kerberos enabled, you will need to debug the SharePoint server. Here is the procedure you could follow to work with the AD and infrastructure teams.
1. The first thing to verify is whether Kerberos is enabled for the webapp.
Open IIS Manager -> Select the site -> Click Authentication -> Right click Windows Authentication -> Click Providers. You should see “Negotiate” in the setting.
Open IIS Manager -> Select the site -> Click Authentication -> Right click Windows Authentication -> Click Advanced Settings. You should see that “Enable Kernel-mode authentication” is selected.
You could also verify the webapp "Authentication provider" setting from CA.
2. The second part is to verify whether the SPN is set up correctly, using the command
setspn -l domain\installer account
You should see that the server SPN is configured for sandbox sbx18.
C:\Users\harrycx>setspn -l na\pdssbx
http/sbx18.na.qualcomm.com
http/sbx18
http/sbx18
3. The third part is to verify whether all webapp entries are configured in the
C:\Windows\System32\inetsrv\config\applicationHost.config file. You should see the highlighted entries in red if Kerberos is configured for the webapp.
<location path="MySite - 300">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                    <providers>
                        <clear />
                        <add value="Negotiate" />
                        <add value="NTLM" />
                    </providers>
                </windowsAuthentication>
                <anonymousAuthentication enabled="false" />
                <digestAuthentication enabled="false" />
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
        <urlCompression doStaticCompression="true" doDynamicCompression="true" />
        <httpErrors existingResponse="PassThrough" />
        <httpProtocol>
            <customHeaders>
                <clear />
                <add name="X-Powered-By" value="ASP.NET" />
                <add name="MicrosoftSharePointTeamServices" value="14.0.0.6117" />
            </customHeaders>
        </httpProtocol>
        <handlers accessPolicy="Read, Execute, Script" />
    </system.webServer>
</location>
Please note that each webapp must be configured, and if you have a load balancer in front of multiple IIS servers, you can refer to the blog for more details.
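Since every webapp needs its own entry, the check in step 3 can be scripted. The following is an added example, not part of the original post: it compares each <location> entry against the settings shown in the entry above. The function name and the second site name ("Portal - 80") are made up for illustration, and attributes inherited from a parent level are not resolved, so a missing attribute is reported as not set at that location.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of applicationHost.config; "Portal - 80" is a made-up site.
SAMPLE_CONFIG = """<configuration>
  <location path="MySite - 300">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
        <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Portal - 80">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><clear /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def audit_kerberos(config_xml):
    """Return {location path: [problems]} for every <location> that has windowsAuthentication."""
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        wa = loc.find("./system.webServer/security/authentication/windowsAuthentication")
        if wa is None:
            continue  # this location does not override Windows authentication
        problems = []
        if wa.get("enabled", "").lower() != "true":
            problems.append("windowsAuthentication is not enabled")
        # The post's entry lists Negotiate before NTLM.
        providers = [add.get("value") for add in wa.findall("./providers/add")]
        if "Negotiate" not in providers:
            problems.append("Negotiate provider missing")
        elif "NTLM" in providers and providers.index("NTLM") < providers.index("Negotiate"):
            problems.append("NTLM is listed before Negotiate")
        for attr in ("useKernelMode", "useAppPoolCredentials"):
            if wa.get(attr, "").lower() != "true":
                problems.append(attr + " is not set to true at this location")
        findings[loc.get("path")] = problems
    return findings

if __name__ == "__main__":
    for path, problems in audit_kerberos(SAMPLE_CONFIG).items():
        print(path, "->", "; ".join(problems) if problems else "OK")
```

To run it against a server, pass the contents of a copy of applicationHost.config (read in binary mode) to audit_kerberos instead of SAMPLE_CONFIG.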