harbar.net component based software & platform hygiene

SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions

posted on Thursday, January 08, 2009 1:17 PM

As previously detailed, we have been busy working on a public (version 2) release of the SharePoint Kerberos Configuration Utility, which has been used successfully on a number of customer engagements. We are aiming for a release in the first week of February at the SharePoint Best Practices Conference.

Configuring a SharePoint Farm for Kerberos is very easy; however, there are a large number of variables which depend upon the farm characteristics and, more importantly, the business requirements. In addition there is a staggering amount of misinformation (such as needing delegation for simple authentication scenarios!!!) out there on blogs and so forth. Kerberos remains a topic surrounded by myths, and customers have found it difficult to implement.

The idea of the utility is to automate the vast majority of Kerberos related configuration for a MOSS deployment.

This article walks through the User Interface of the utility in order to get feedback and suggestions for the version 2 release. Please note that the UI is very rough and ready: the focus has been on the functionality and robust exception handling, and we will tart up the UI once we have everything else baked. Essentially the UI is just a shim for all the scripts and PowerShell which make up version 1.

Please leave comments here if you have feedback and/or suggestions.


The utility must be run on a member of the SharePoint Farm (we use the SharePoint APIs) and as an AD domain administrator (we create SPNs and configure delegation).


1. SQL Server (trusted subsystem authentication)


This tab allows you to create SPNs for the SQL Server Instances used in your farm to host Config and Content Databases. This simply allows you to use Kerberos for the intra-farm trusted subsystem. It does not relate to Reporting Services or Analysis Services. All instances which host SharePoint related databases are listed; you select them and click Create SPNs. A dialog will pop up providing a preview of the SPNs to be created, from which you can back out if there are errors, or proceed and create them.


2. Web Application Authentication


This tab lists all the Web Apps in the farm and their URLs. There will be multiple entries for Applications which have more than one URL (Alternate Access Mappings, AAMs). The current authentication scheme is also displayed.

By selecting Web Apps and clicking Create SPNs, a dialog will show the SPNs to be created, allowing you to back out or go ahead and create them.

The Use NTLM and Use Kerberos buttons allow you to toggle the Authentication Scheme used for a given URL.
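The SQL Server and Web Application tabs above both follow the same pattern: build the SPN list, preview it, and only then write it to Active Directory. The following PowerShell is an added example written for this article, not the utility's own code or scripts, showing that flow for both tabs. It assumes the Windows Server 2008 version of setspn.exe (whose -S switch refuses to create a duplicate; older versions only have -A), PowerShell 2.0, and a domain admin caller as the post requires. Every host, domain, instance and account name in it is a constructed sample value.

```powershell
# Added example, not the utility's code: build, preview and register the SQL
# Server (MSSQLSvc) and web application (HTTP) SPNs described above.
# Assumes setspn.exe from Windows Server 2008, PowerShell 2.0 and domain admin rights.
# All names used at the bottom are constructed sample values.

function Get-SqlSpns {
    param(
        [string]$Server,          # host name used in the connection string, e.g. sql01
        [string]$Domain,          # DNS suffix, e.g. contoso.local
        [string]$Instance = "",   # empty for the default instance
        [int]$Port = 1433         # a named instance needs a fixed port set in SQL Configuration Manager
    )
    $spns = @()
    # Clients may connect by NetBIOS name or FQDN, so register both forms.
    foreach ($name in @($Server, ("{0}.{1}" -f $Server, $Domain))) {
        $spns += ("MSSQLSvc/{0}:{1}" -f $name, $Port)
        if ($Instance -ne "") { $spns += ("MSSQLSvc/{0}:{1}" -f $name, $Instance) }
    }
    return $spns
}

function Get-HttpSpns {
    param([string[]]$Urls)        # every URL (AAM) of the web application
    $spns = @()
    foreach ($url in $Urls) {
        $u = [Uri]$url
        # Browsers derive the SPN from the host name only; the port is not part of it.
        $spns += ("HTTP/{0}" -f $u.Host)
    }
    return @($spns | Select-Object -Unique)
}

function Find-SpnOwner {
    # Returns the sAMAccountName of every account already carrying this SPN.
    # A duplicate SPN breaks Kerberos for both services, so this is checked before creating.
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    return @($searcher.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] })
}

function Register-Spns {
    param(
        [string[]]$Spns,
        [string]$Account,         # DOMAIN\service-account that runs the service
        [switch]$Preview          # show what would happen without touching AD
    )
    foreach ($spn in $Spns) {
        $owners = Find-SpnOwner $spn
        if ($owners.Count -gt 0) {
            Write-Warning ("{0} is already registered on {1}; skipping" -f $spn, ($owners -join ", "))
            continue
        }
        if ($Preview) {
            "setspn -S $spn $Account"
        } else {
            & setspn.exe -S $spn $Account
        }
    }
}

# Preview first (the dialog the post describes), then drop -Preview to apply.
$sqlSpns = Get-SqlSpns -Server "sql01" -Domain "contoso.local" -Instance "MOSS" -Port 1433
$webSpns = Get-HttpSpns -Urls @("http://portal", "http://portal.contoso.local")
Register-Spns -Spns $sqlSpns -Account "CONTOSO\svc-sql" -Preview
Register-Spns -Spns $webSpns -Account "CONTOSO\svc-portalpool" -Preview
```

The duplicate check matters more than the registration itself: setspn -A will happily create a second copy of an SPN on another account, after which the KDC cannot pick a key and clients fall back to NTLM or fail outright, which is one of the commonest reasons a "correctly configured" farm still does not do Kerberos.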


3. Shared Services


This section lists the SSPs in the farm and the Servers in the Farm. When you select an SSP you can create the SPNs for the Office Web Server application (the correct VDir is picked up). Again there is a dialog offering the chance to back out.

We require the farm to be running the Infrastructure Updates or later; if it isn't, a warning will be displayed and the functionality is disabled. We have been “persuaded” by a vendor not to ship the hacks for making Shared Web Services work with Kerberos without the new SPN type. That’s a good thing; it didn’t take much persuading!

The Use Negotiate for Shared Web Services button simply turns on Negotiate for the selected SSP.


4. Excel Calculation Services


This one simply turns on Negotiate for ECS. We are toying with the idea of adding ECS specific settings here, but there’s really only one of relevance and it’s probably not a good idea.


5. Delegation


This is the tricky one, as we have no idea what you want to delegate to. We use Constrained Delegation only at present. We are interested in feedback on that. Things like the RSS Viewer are easy, but remote services like Reporting Services, OLAP or even (shudder) a UNIX app server are impossible for us to determine for you!

So we have the SharePoint related App pools and Servers listed. When you select one you can pick some common services and also free-type others. Then you click Create SPNs to again see the dialog with a chance to back out or apply the changes.
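What the Delegation tab does for an application pool account, expressed as an added PowerShell example (written for this article, not the utility's own code): constrained delegation is just the msDS-AllowedToDelegateTo attribute on the account, so it can be previewed and appended through ADSI with the same back-out step as the other tabs, and the account's posture read back to confirm it is constrained rather than unconstrained. It assumes PowerShell 2.0, a domain at Windows Server 2003 functional level or later (constrained delegation does not exist below that) and domain admin rights as the post requires. The account name and target SPNs are constructed samples standing in for the RSS Viewer and Reporting Services cases mentioned above.

```powershell
# Added example, not the utility's code: constrained delegation for a SharePoint
# app pool account via ADSI, preview-then-apply, plus a read-back of its posture.
# Assumes PowerShell 2.0, Windows Server 2003 domain functional level or later,
# and domain admin rights. Account and SPN values are constructed samples.

$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl: unconstrained, delegates to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition ("use any protocol")

function Get-AdAccount {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found in the domain" }
    return $result.GetDirectoryEntry()
}

function Add-ConstrainedDelegation {
    param(
        [string]$SamAccountName,  # app pool identity, e.g. svc-portalpool
        [string[]]$TargetSpns,    # back-end SPNs; each must already be registered on that service's account
        [switch]$Preview
    )
    $entry = Get-AdAccount $SamAccountName
    $existing = @($entry.Properties["msDS-AllowedToDelegateTo"])
    $toAdd = @($TargetSpns | Where-Object { $existing -notcontains $_ })
    if ($toAdd.Count -eq 0) { "Nothing to add for $SamAccountName"; return }
    "Would allow $SamAccountName to delegate to: $($toAdd -join ', ')"
    if ($Preview) { return }
    foreach ($spn in $toAdd) { [void]$entry.Properties["msDS-AllowedToDelegateTo"].Add($spn) }
    $entry.CommitChanges()
}

function Get-DelegationPosture {
    # Reports whether the account is unconstrained (the setting to avoid), uses
    # protocol transition, and which targets it is constrained to.
    param([string]$SamAccountName)
    $entry = Get-AdAccount $SamAccountName
    $uac = [int]$entry.Properties["userAccountControl"][0]
    return New-Object PSObject -Property @{
        Account            = $SamAccountName
        Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        AllowedTargets     = @($entry.Properties["msDS-AllowedToDelegateTo"])
    }
}

# RSS Viewer to a remote feed host, and a Reporting Services database (constructed SPNs).
$targets = @("HTTP/feeds.contoso.local", "MSSQLSvc/rsdb01.contoso.local:1433")
Add-ConstrainedDelegation -SamAccountName "svc-portalpool" -TargetSpns $targets -Preview
Get-DelegationPosture -SamAccountName "svc-portalpool" | Format-List
```

Two caveats that the tab's free-type field cannot check for you: the target SPN string must match, character for character, an SPN actually registered on the back-end service's account, or the ticket request for it fails; and with plain constrained delegation (no protocol transition) the front-end web application itself has to be authenticating users with Kerberos, which is what the Web Application tab's Use Kerberos button is for.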


There is also a separate verification utility which lists and tests the current configuration. We are considering adding that functionality to this utility if there is enough feedback on it.