harbar.net component based software & platform hygiene

TechNet Misinformation: How NOT to use Kerberos for SharePoint Authentication

posted on Tuesday, January 12, 2010 10:29 AM

I’m somewhat aggrieved this morning, as I found a new article from TechNet entitled “Using Kerberos for SharePoint Authentication”. Now, while this article is not supposed to be the be all and end all, it is very depressing that still now, in 2010, such inaccurate and in some cases 100% wrong information is being put out there by the vendor. This is especially true given the work I have done in this space over the last 18 months.

So what’s wrong with it?

Well, one of the reasons people find this area difficult is that nobody seems willing to really understand it in order to explain it in a nutshell, and in addition they skim over fundamentally important aspects. Moreover, these bogus articles usually never describe a topology – mainly because the test rig is usually a single MOSS server! This article is no exception, with no clear scenario or requirements. Whilst it does a decent job of covering the core concepts, it then goes on to detail incorrect configuration steps and completely misses some!

  • Kerberos AuthN for SQL is not required unless you want the back-end SQL connections to use Kerberos or to make use of additional delegation scenarios.
  • There is zero requirement for an SPN for a computer host name unless you are running a SharePoint Web Application using one (which you shouldn’t be).
  • There is no information about how to configure Kerberos for the Shared Service Provider(s) other than a link to more info elsewhere on TechNet.
  • There is never a requirement to set computer account delegation unless you are implementing “advanced delegation” scenarios such as Analysis Services.
  • There is no requirement to set user account delegation unless you require delegation. It is not required for Authentication only.
  • You never have to touch Component Services Impersonation Level unless you are implementing delegation for Analysis Services.
  • DCOM activation has absolutely nothing whatsoever to do with Kerberos for SharePoint AuthN.
  • IIS7 configuration should be applied on a per Web Application basis.
  • KMA (Kernel Mode Authentication) will not work in single MOSS server scenarios.
  • SharePoint 2007 in Integrated Mode? Are you kidding me?!!!
  • Network Service is not the same as a Computer Account!!!
  • It even recommends “trust this user for delegation to any service”!!!!
  • Kerberos doesn’t actually make SharePoint faster. Performance can be a reason to deploy, but is heavily scenario specific.
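To turn the points above into something you can verify on your own farm, here is an added audit script (my example, not code from the TechNet article or from this post): it reads the web application’s app pool account from Active Directory and reports whether the HTTP SPN for the host header is registered, whether the account has been set to “trust this user for delegation to any service”, and whether the same SPN has also been stamped on a computer object. The account name and host header are hypothetical placeholders; it assumes a domain-joined machine and a user who can read AD.

```powershell
# Added example: audit Kerberos settings for a SharePoint web application.
# $AppPoolAccount and $WebAppHostHeader are hypothetical placeholders, not values from the post.
param(
    [string]$AppPoolAccount   = 'CONTOSO\sp_apppool',     # app pool identity (placeholder)
    [string]$WebAppHostHeader = 'portal.contoso.local'    # web app host header (placeholder)
)

$sam = $AppPoolAccount.Split('\')[-1]
$searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$sam))"
$searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$sam' not found in Active Directory" }

$spns               = @($result.Properties['serviceprincipalname'])
$uac                = [int]$result.Properties['useraccountcontrol'][0]
$constrainedTargets = @($result.Properties['msds-allowedtodelegateto'])

# 1. The HTTP SPN for the web application's host header belongs on the app pool account,
#    not on a computer host name.
$expectedSpn = "HTTP/$WebAppHostHeader"
if ($spns -contains $expectedSpn) {
    "OK:   $expectedSpn is registered on $sam"
} else {
    "WARN: $expectedSpn is missing from $sam; Kerberos AuthN for this web app will not work"
}

# 2. Delegation is not needed for authentication only. TRUSTED_FOR_DELEGATION (0x80000)
#    is the "trust this user for delegation to any service" setting the post objects to.
if ($uac -band 0x80000) {
    "WARN: $sam is trusted for delegation to ANY service (unconstrained delegation)"
} elseif ($constrainedTargets.Count -gt 0) {
    "INFO: $sam has constrained delegation to: $($constrainedTargets -join ', ')"
} else {
    "OK:   $sam has no delegation configured (correct for authentication only)"
}

# 3. The same SPN registered on a computer object as well is a duplicate SPN, which
#    prevents the KDC from issuing a ticket for that service.
$dupes = ([ADSISearcher]"(&(objectCategory=computer)(servicePrincipalName=$expectedSpn))").FindAll()
if ($dupes.Count -gt 0) {
    "WARN: $expectedSpn is also registered on $($dupes.Count) computer object(s); duplicate SPNs break Kerberos"
} else {
    "OK:   $expectedSpn is not duplicated on any computer object"
}
```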

So there you have it. Not good. It appears this article cobbles together misinfo already out there. Regular readers will notice some of the myths above are those I spend a great deal of time explaining. A great shame, seeing as the real deal has been delivered for so long. This article just proves how ridiculous it is to attempt to distil Kerberos for SharePoint into 3,000 words. Let’s hope that TechNet do the right thing in the future.

[UPDATE: Following discussions with TechNet Magazine, the article will be updated in the near future. Sweet :)]