harbar.net component based software & platform hygiene

More on the Infrastructure Updates: Kerberos and SSP Web Services

Posted on Wednesday, July 16, 2008 1:20 PM

What's the best thing about the recently released Infrastructure Updates for SharePoint 2007? The super cool new search functionality? Content Deployment fixes? Improvements in performance and security?

Nope, none of those me ole china, it's the new support for Kerberos Authentication for the SSP Web Services. This was previously only possible with a heinous hack that I promised I would never detail publicly due to its nastiness.

The problem was that the SSP Web Services run under an IIS Virtual Web Site with a high port. Its client (the .NET Framework) along with SharePoint were unable to construct the correct request to match the SPNs configured (if you configured them correctly, and not many did). So setting setsharedwebserviceauthn to negotiate using STSADM would make your SSP Web Services nice and secure, but break your farm. Try doing this and then click Manage Search Service within Application Management and you'll see! (Everything is OK on a single server, but erm, who runs them in production!!).

The Infrastructure Updates address this, and it's now possible to configure the SSP Web Services to use Kerberos. This is a pretty big deal for enterprises who are serious about their farm build and configuration. It's not all great news, as there is an extra step (a reg key). This is something that I will be adding to the SharePoint Kerberos Configuration utility, which as it happens I've been delaying until these updates were shipped.

In addition to the updates, the IT Pro UA folk have done a great job of updating the Kerberos Configuration Guide on TechNet. The section relevant specifically to this change is at:

http://technet.microsoft.com/en-us/library/cc263449(TechNet.10).aspx#section14