harbar.net component based software & platform hygiene

London SUGUK meeting: Kerberos and what not

Posted on Friday, February 29, 2008 11:25 AM

Many thanks to all those who attended the SUGUK meeting in London on Wednesday evening. Another excellent SUGUK event thanks to the great work by Nick Swan and Steve Smith. It's fantastic to see a consistently high turnout and this is a great sign that SharePoint continues on its rightful path to world domination.

Ben Robb's talk on managing deployment was superb and must-see material for those working on medium and large scale development projects.

My talk wasn't as good - but it was on a boring infrastructure topic - so I have an excuse (kind of!). Apologies for overrunning which meant the demo section suffered and I didn't have time to cover some pieces. I will try and make up for that here with more details in the near future.

I do hope the talk provided a good 101 on Kerberos and SharePoint and welcome any feedback you may have. I am considering a "two part" thing for the future with a second session on large farm issues, more examples on things like Excel Services and Reporting Services and diving into more of the devil around Shared Services and Kerberos.

In the meantime, you can grab the slide deck here. The slide animations don't work in PDF but it should still make sense. I did make an XPS of the deck, but damn it's a bit big and my upload speed at present really sucks!

I did do a quick show and tell on the Kerberos/Delegation Configuration Reporting Tool which isn't referenced in the deck - you can find this over on IIS.NET. The dude who put it together, the very clever Brian Murphy Booth, has a blog entry on it here. Like I said in the talk, don't be slapping this bad boy on your SharePoint web apps in production :) and you'll need to tweak the CAS policy for it to work with SharePoint.

Ken Schaefer's blog is over here. You can see the trend right? If you want to find out about Kerberos, don't go looking at SharePoint people's blogs!! Go check out the IIS stuff, because that's where it's at (at present).

Before you ask, no I can't provide a timeline for the white paper or the SharePoint Kerberos Config Wizard. They'll be done when they're done and to the right level of quality - and I don't know when that will be. :)

One question that came up in the pub afterwards was on DCOM configuration required - this is sometimes not a requirement and it could also be argued this is not a Kerberos issue. I will be following up with an article here on this topic in the next few weeks. In the meantime, the pesky 10016 issue is not a Kerberos thing, it's a least privilege thing. The delegation issue is an altogether separate conversation.

I briefly mentioned IIS7 and Kerberos AuthN improvements in the kernel - this came up in the pub also, and W2K8 does introduce some differences in configuration - these will be covered in the white paper as well.

If you would like to see more on this topic, please leave comments here.