harbar.net component based software & platform hygiene

Using Kerberos with SharePoint on Windows Server 2008

posted on Sunday, May 18, 2008 12:02 PM

[UPDATE] Please note that SharePoint 2010 does not support Kernel Mode Authentication, and disables this by default when Web Applications are created. Please see this post for more details.


As I demonstrated during the Kerberos session at the Manchester SUGUK meeting last month, there is an extra step required to enable Kerberos Authentication for SharePoint when using Windows Server 2008.

One of the security changes in IIS 7.0 is that Windows Authentication is performed by default in the kernel. This is a good thing! It eases the configuration required for Kerberos and improves performance significantly.

Because HTTP.sys is handling the authentication, it is by default done under the LocalSystem account regardless of the application pool identity. This means that the creation of an SPN is unnecessary because default SPNs are created when the server is joined to the domain. You can of course change the app pool identity without having to register an SPN, and the app pool account doesn't need to be a domain account. All in all this is a *great* feature!

However, this trips up SharePoint: even on a single server, SharePoint is currently considered a web farm (and so should use a domain account). Therefore you need to use the application pool identity for authentication.

There are two ways around this:

  • Configure the useAppPoolCredentials attribute in the system.webServer/security/authentication/windowsAuthentication configuration section to true. For example:

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

    I recommend doing this on a Web Application basis (obviously!). There is no ability to edit this value using the IIS Manager. Don't ask me why, I cannae tell ya!
  • Disable Kernel Mode Authentication for the web site, under the Windows Authentication Advanced Settings option:

    [Screenshot kerb2k8: the Windows Authentication Advanced Settings dialog with Kernel-mode authentication unchecked]

Please note: the first option above is by far the best approach. This way you can continue to use Kernel mode authN, but of course it involves editing applicationHost.config and I know how some of you admins out there are allergic to XML. Think of disabling Kernel mode authN as a quick way around the problem! But not a real solution. :)
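The following PowerShell script is an added example and is not code from the original post. It applies the first option (useAppPoolCredentials="true" with kernel mode left on) to a single IIS site using appcmd.exe, which ships with IIS 7.0, so nobody has to hand-edit applicationHost.config; it then reads the effective setting back to confirm it took, and lists the SPNs held by the app pool account. The site name "SharePoint - 80" and the account "CONTOSO\sp_apppool" are placeholders, not values from the post.

```powershell
# Added example, not code from the original post. Applies the first option
# above (useAppPoolCredentials="true", kernel mode still on) to one IIS site
# with appcmd.exe instead of hand-editing applicationHost.config, reads the
# setting back, and lists the SPNs held by the app pool account.
# Assumptions: IIS 7.0 on Windows Server 2008, elevated PowerShell prompt.
# $SiteName and $AppPoolAccount are placeholders; replace with your own values.
param(
    [string]$SiteName       = "SharePoint - 80",     # placeholder IIS site name
    [string]$AppPoolAccount = "CONTOSO\sp_apppool"   # placeholder app pool identity
)

$appcmd  = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
$section = "system.webServer/security/authentication/windowsAuthentication"

# 1. Set the attributes for this site only. /commit:apphost writes the change
#    into applicationHost.config (inside a <location path="..."> element), so
#    it survives an iisreset and is not pushed into the web application's
#    web.config. To take the second option from the post instead (kernel mode
#    off), change /useKernelMode:true to /useKernelMode:false.
$setArgs = @(
    "set", "config", $SiteName,
    "/section:$section",
    "/enabled:true",
    "/useKernelMode:true",
    "/useAppPoolCredentials:true",
    "/commit:apphost"
)
& $appcmd $setArgs
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed (exit code $LASTEXITCODE)" }

# 2. Read the effective configuration for the site back and check all three
#    attributes are present, so a typo or a wrong site name is caught here
#    rather than showing up later as users silently falling back to NTLM.
$listArgs  = @("list", "config", $SiteName, "/section:$section")
$effective = (& $appcmd $listArgs) -join "`n"
foreach ($attr in 'enabled="true"', 'useKernelMode="true"', 'useAppPoolCredentials="true"') {
    if ($effective -notmatch [regex]::Escape($attr)) {
        throw "Expected $attr in windowsAuthentication for site '$SiteName' but did not find it"
    }
}
Write-Host "windowsAuthentication for '$SiteName' now uses the app pool identity in kernel mode."

# 3. With useAppPoolCredentials on, the HTTP/<host> SPN must be registered on
#    the app pool account rather than the machine account; list what it holds
#    so the ticket target can be compared against the site's host name.
Write-Host "SPNs registered for ${AppPoolAccount}:"
& setspn -L $AppPoolAccount
```

Run it once per SharePoint web application, passing the IIS site name for that web application; because the change is committed to applicationHost.config rather than to the site's web.config, it is not overwritten when SharePoint rewrites web.config and it persists across an iisreset.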

More in depth articles on Kerberos coming soon. First up will be the how to measure authentication performance paper.

Feedback

# re: Using Kerberos with SharePoint on Windows Server 2008

Thanks Spence... was having difficulties with this early on and never followed back on it.... thanks for pointing this out.

5/18/2008 2:54 PM | Bob Fox

# re: Using Kerberos with SharePoint on Windows Server 2008

If you want to make the change apply to all of your application pools and survive an iisreset, make the change above to:

C:\Windows\System32\inetsrv\config\applicationHost.config

instead of to

c:\inetpub\temp\appPools\<myAppPoolName>.config

5/22/2008 4:52 PM | Rob

# re: Using Kerberos with SharePoint on Windows Server 2008

Rob,

I'm not suggesting editing the web.config - it's the applicationHost.config file I'm talking about within the system.Web section for a given application.

5/22/2008 5:53 PM | Spence

# re: Using Kerberos with SharePoint on Windows Server 2008

Do you know specifically what within SharePoint creates the farm-like scenario in a single server environment, that requires disabling Kernel Mode auth or setting UseAppPoolCredentials?

6/25/2008 7:47 PM | richard

# re: Using Kerberos with SharePoint on Windows Server 2008

Richard:

Yup, this is due to a key architectural concept of SharePoint and is related also to how it handles host name mapping. SharePoint effectively operates as a 'farm' even when there is just a single server as this enables it to easily scale out horizontally to many "web front ends". Doing this obviously requires a domain account, hence the current requirement to disable this under IIS7. You can expect this to go away in the future.

7/18/2008 12:22 AM | Spence

# re: Using Kerberos with SharePoint on Windows Server 2008

Thank you so much for this little explanation. Saved my day :)
I have a MOSS 2007 test setup where SQL 2008 and MOSS 2007 are on one Windows Server 2008 based server and Kerberos works. At least if the portal name matches the server name.
I had a problem in a production environment which is set up on 5 different servers with 2 WFE servers set up on NLB. The Kerberos ticket request was for HTTP/portal.domain.net but the reply was just either wfe1$ or wfe2$. And this was really giving me a headache as all the articles about Windows Server 2003 NLB and a lot of articles on SharePoint setup with Kerberos didn't work for me. Until I found this explanation. Thanks again.

1/13/2009 8:03 AM | Darius

# re: Using Kerberos with SharePoint on Windows Server 2008

Thank you for the information.
But I tried this and it doesn't seem to be working. I still have the same issue with Kerberos authentication and it's reverting back to NTLM.
I have set up SPNs for the service account both with and without the port number, i.e. 80.

Please suggest if I am missing something.

2/4/2009 6:55 AM | Chandra Ojha

# re: Using Kerberos with SharePoint on Windows Server 2008

And of course do not forget to apply the MS patch http://support.microsoft.com/kb/962943 to IIS 7 in case you use the first option, to avoid BSOD 0x7e.

11/2/2009 4:31 PM | Mario

# re: Using Kerberos with SharePoint on Windows Server 2008

So no SPN registration is required now to set up Kerberos for SharePoint? Just make this change and the kernel registers all the needed SPNs for you?

11/10/2009 3:30 AM | Jamin

# re: Using Kerberos with SharePoint on Windows Server 2008

Is this relevant for SP2010?

10/6/2010 10:41 AM | B@rney

# re: Using Kerberos with SharePoint on Windows Server 2008

B@rney:

Kernel Mode AuthN is not supported with SP2010, please see

www.harbar.net/.../...point-2010-and-kerberos.aspx

10/6/2010 12:56 PM | harbars
