Hello LemonwithMint,
You can easily configure Kerberos after installing SharePoint as well.
Kerberos would basically require the following:
- Web application in question should be running on application pool which
uses a Domain Account. So if you have used local accounts to install and
configure SharePoint then you would need to change the account through
Central Administration (not through IIS). Since there are two Servers in
the farm, I assume you might have used Domain Accounts.
- Service Principal Name (SPN) has to be registered in the Domain Controller
being used. This is mandatory for the application account you are using for the web
app.
- Kernel Mode Authentication has to be disabled in order to use App Pool
Account for getting the Ticket from KDC.
- Two Objects, Both SharePoint Server and Service Account should be
delegated in Domain Controller.
Be aware there are some known issues with Crawl when the site is
running on non default ports (HTTP: 80 and HTTPS: 443) and configured for
Kerberos authentication. My sincere suggestion would be to use HostHeader
for all your sites and keep them on default ports to avoid any issues in
getting tickets.
For Kerberos authentication to work correctly, you must create SPNs in AD
DS. If the services to which these SPNs correspond are listening on
non-default ports, the SPNs should include port numbers. This is to ensure
that the SPNs are meaningful. It is also required to prevent the creation
of duplicate SPNs.
When a client attempts to access a resource using Kerberos authentication,
the client must construct an SPN to be used as part of the Kerberos
authentication process. If the client does not construct an SPN that
matches the SPN that is configured in AD DS, Kerberos authentication will
fail, usually with an "Access denied" error.
There are versions of Internet Explorer that do not construct SPNs with
port numbers. If you are using SharePoint Server 2010 Web applications that
are bound to non-default port numbers in IIS, you might have to direct
Internet Explorer to include port numbers in the SPNs that it constructs.
In a farm running SharePoint Server 2010, the Central Administration Web
application is hosted, by default, in an IIS virtual server that is bound
to a non-default port. Therefore, this article addresses both IIS Web sites
that are port-bound and IIS Web sites that are bound to host-headers.
By default, in a farm running SharePoint Server 2010, the .NET Framework
does not construct SPNs that contain port numbers. This is the reason why
Search cannot crawl Web applications using Kerberos authentication if those
Web applications are hosted on IIS virtual servers that are bound to
non-default ports.
We can check in WFE if site is using Kerberos or NTLM authentication in
Security Audit logs. Look for event ID 540 with client IP address and
package as Negotiate.
Configure Kerberos authentication (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ee806870.aspx
Let me know if you need more details.
Sunil [MSFT]
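A script that checks the points listed above, added here as an example and not part of the original post: it derives the SPNs a web application on a given URL needs (host-based, plus a port-qualified one when the port is non-default), compares them with what setspn -L reports for the app pool account, looks for duplicate SPNs, and pulls the successful-logon events for one client IP so the authentication package can be read. The URL, account name and client IP are constructed placeholders; setspn.exe is assumed to be on PATH and the script is assumed to run on the WFE.

```powershell
# Added example (not from the original post). Values below are constructed placeholders.
param(
    [uri]$WebAppUrl = 'http://intranet.contoso.local:8080',
    [string]$AppPoolAccount = 'CONTOSO\svc-sp-web',
    [string]$ClientIp = '10.0.0.25',
    [int]$LogonEventId = 540   # ID named in the post; Windows Server 2008 and later log it as 4624
)

# SPNs the client will look for: HTTP/host always, and HTTP/host:port when the
# site is bound to a non-default port (the crawl problem described in the post).
function Get-ExpectedSpn([uri]$Url) {
    $spns = @("HTTP/$($Url.Host)")
    if (-not $Url.IsDefaultPort) { $spns += "HTTP/$($Url.Host):$($Url.Port)" }
    return $spns
}

# SPNs already registered on the account, parsed from "setspn -L" output.
function Get-RegisteredSpn([string]$Account) {
    $lines = & setspn.exe -L $Account 2>&1
    return $lines | ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/\S+$' }
}

$expected   = Get-ExpectedSpn $WebAppUrl
$registered = Get-RegisteredSpn $AppPoolAccount
foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Host "OK      $spn is registered on $AppPoolAccount"
    } else {
        # Report only; registering the SPN is a change-controlled step for the domain admin.
        Write-Warning "MISSING $spn  (register with: setspn -S $spn $AppPoolAccount)"
    }
}
if (-not $WebAppUrl.IsDefaultPort) {
    Write-Warning "Port $($WebAppUrl.Port) is non-default: .NET-based crawl builds SPNs without the port; prefer a host header on 80/443."
}

# Duplicate SPNs make ticket requests fail; setspn -X searches the forest for them.
& setspn.exe -X 2>&1 | Where-Object { $_ -match 'HTTP/' }

# Confirm the WFE actually negotiated Kerberos (not NTLM) for this client.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $LogonEventId } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ClientIp) } |
    ForEach-Object {
        $pkg = if ($_.Message -match 'Authentication Package:\s*(\S+)') { $Matches[1] } else { '?' }
        '{0}  client={1}  package={2}' -f $_.TimeCreated, $ClientIp, $pkg
    }
```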