Can we configure Kerberos after installing SharePoint 2010 on a web farm?

Hi

We installed SharePoint 2010 on a small web farm (2 servers) without 
following the setup instructions. We are facing the double-hop issue. The 
setup guide says that we should configure Kerberos before installing 
SharePoint, but we can't go back right now. Can we configure Kerberos after 
installing SharePoint 2010 on a web farm?
Utf
5/17/2010 2:24:02 PM
sharepoint.setup-administratio


Hello LemonwithMint,

You can easily configure Kerberos after installing SharePoint as well.

Kerberos would basically require the following:

- The web application in question should be running on an application pool 
which uses a Domain Account. So if you have used local accounts to install 
and configure SharePoint then you would need to change the account through 
Central Administration (not through IIS). Since there are two servers in 
the farm, I assume you might have used Domain Accounts.

- A Service Principal Name (SPN) has to be registered in the Domain 
Controller being used. This is mandatory for the application account you 
are using for the web app.

- Kernel Mode Authentication has to be disabled in order to use the App 
Pool Account for getting the Ticket from the KDC.

- Two objects, both the SharePoint Server and the Service Account, should 
be delegated in the Domain Controller.

Be aware there are some known issues with Crawl when the site is 
running on non-default ports (HTTP: 80 and HTTPS: 443) and configured for 
Kerberos authentication. My sincere suggestion would be to use HostHeader 
for all your sites and keep them on default ports to avoid any issues in 
getting tickets.

For Kerberos authentication to work correctly, you must create SPNs in AD 
DS. If the services to which these SPNs correspond are listening on 
non-default ports, the SPNs should include port numbers. This is to ensure 
that the SPNs are meaningful. It is also required to prevent the creation 
of duplicate SPNs.

When a client attempts to access a resource using Kerberos authentication, 
the client must construct an SPN to be used as part of the Kerberos 
authentication process. If the client does not construct an SPN that 
matches the SPN that is configured in AD DS, Kerberos authentication will 
fail, usually with an "Access denied" error.

There are versions of Internet Explorer that do not construct SPNs with 
port numbers. If you are using SharePoint Server 2010 Web applications that 
are bound to non-default port numbers in IIS, you might have to direct 
Internet Explorer to include port numbers in the SPNs that it constructs. 
In a farm running SharePoint Server 2010, the Central Administration Web 
application is hosted, by default, in an IIS virtual server that is bound 
to a non-default port. Therefore, this article addresses both IIS Web sites 
that are port-bound and IIS Web sites that are bound to host-headers.

By default, in a farm running SharePoint Server 2010, the .NET Framework 
does not construct SPNs that contain port numbers. This is the reason why 
Search cannot crawl Web applications using Kerberos authentication if those 
Web applications are hosted on IIS virtual servers that are bound to 
non-default ports.

We can check on the WFE whether the site is using Kerberos or NTLM 
authentication in the Security Audit logs. Look for event ID 540 with the 
client IP address and package as Negotiate.


Configure Kerberos authentication (SharePoint Server 2010)
http://technet.microsoft.com/en-us/library/ee806870.aspx

Let me know if you need more details.

Sunil [MSFT]

sunily
5/19/2010 4:53:49 AM
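The prerequisites in the reply above (domain app pool account, kernel-mode authentication off, an HTTP SPN per host header and, for non-default ports, a second SPN that carries the port) can be audited from the WFE itself. The script below is an added example, not code from the thread or from Microsoft; it assumes IIS 7.x with the WebAdministration module and setspn.exe, as found on Windows Server 2008 R2, and that app pool identities are stored as DOMAIN\user or user@domain.

```powershell
# Added example: audit SharePoint 2010 Kerberos prerequisites on one WFE.
# Assumes Windows Server 2008 R2 (WebAdministration module, setspn.exe).
Import-Module WebAdministration

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

foreach ($site in Get-Website) {
    $pool     = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $identity = $pool.processModel.identityType
    $account  = $pool.processModel.userName

    # 1. The app pool must run as a domain account, not a built-in or local one.
    if ($identity -ne 'SpecificUser' -or $account -notmatch '\\|@') {
        Write-Warning "$($site.name): app pool '$($site.applicationPool)' is not a domain account ($identity $account)"
        continue
    }

    # 2. Kernel-mode authentication must be off, otherwise the ticket is
    #    decrypted with the machine account instead of the app pool account.
    $kernel = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.name)" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name useKernelMode
    if ($kernel.Value) { Write-Warning "$($site.name): useKernelMode is enabled" }

    # 3. SPNs a client constructs from each binding: HTTP/<host> always, plus
    #    HTTP/<host>:<port> when the site is not on 80/443 (bindingInformation
    #    is ip:port:hostheader; an empty host header means the server FQDN).
    $expected = @()
    foreach ($b in $site.bindings.Collection) {
        $parts    = $b.bindingInformation.Split(':')
        $port     = $parts[1]
        $hostName = if ($parts[2]) { $parts[2] } else { $fqdn }
        $expected += "HTTP/$hostName"
        if ($port -ne '80' -and $port -ne '443') { $expected += "HTTP/${hostName}:$port" }
    }

    # 4. Compare with the SPNs registered on the account; setspn -L prints
    #    one SPN per indented line under a header.
    $registered = & setspn -L $account |
        Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
    foreach ($spn in ($expected | Select-Object -Unique)) {
        if ($registered -notcontains $spn) {
            Write-Warning "$($site.name): SPN $spn is NOT registered on $account"
        } else {
            Write-Host "$($site.name): SPN $spn registered on $account"
        }
    }
}

# A duplicate SPN anywhere in the forest stops the KDC issuing tickets for it.
& setspn -X
```

Delegation (the reply's fourth item) is set on the account and computer objects in Active Directory Users and Computers and is not covered by this script; fix any warning it prints before testing from a client.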
