sharepoint kerberos authentication

Hello all,

I have little knowledge of Kerberos authentication. Could you please answer the
questions below? It would be very helpful for me...

1. WHAT ARE THE SPN'S REQUIRED ON THE DOMAIN FOR THE FOLLOWING SHAREPOINT 
SERVICES: 
EXCEL SERVICES
REPORTING SERVICES
PERFORMANCE POINT
 
2. BRIEFLY DESCRIBE THE PROCESS OF ENABLING KERBEROS AND APPLYING THESE SPN'S
 
3. HOW WOULD YOU TEST TO ENSURE ALL THE ABOVE SERVICES ARE WORKING
0
Utf
1/4/2010 5:35:02 PM

Hello Yakub,

Please find answers to your questions inline.

1. WHAT ARE THE SPN'S REQUIRED ON THE DOMAIN FOR THE FOLLOWING SHAREPOINT 
SERVICES: 
EXCEL SERVICES: 
How to configure SharePoint Server 2007 and Excel Services for Kerberos 
authentication
http://support.microsoft.com/kb/953130

Plan Excel Services security
http://technet.microsoft.com/en-us/library/cc263086.aspx  

The concept of Kerberos remains the same for any service based on the HTTP service type:

Configure Kerberos authentication (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263449.aspx

 
2. BRIEFLY DESCRIBE THE PROCESS OF ENABLING KERBEROS AND APPLYING THESE 
SPN'S
	A. First of all, make a list of all the SPNs you need (URLs or services that you browse).
	For SharePoint-related sites you can use a good tool to collect that information: http://spsfarmreport.codeplex.com
	B. Make a list of all the service accounts you are using and also all the servers involved in the farm.
	C. On the domain controller, log on with Domain Admin rights:
	Service Accounts > Properties > Delegation > Trust this computer for delegation for any service (Kerberos only)
	D. Download Support Tools for Windows Server: http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en
	E. Register all SPNs for all your URLs and services, such as:
		C:\Program Files\Support Tools> Setspn -A HTTP/testsite.com yourdomain\AppPoolAccount    (for SharePoint site)
		C:\Program Files\Support Tools> Setspn -A MSSQLSvc/SQLServername:1433 yourdomain\SQLServiceAccount    (for SharePoint site)
		
	F. Once SPNs are registered, you will see a new tab for that account in dsa.msc > User Account > Properties > Delegation > Trust this computer for delegation for any service (Kerberos only)
	G. Central Administration > Application Management > Authentication Providers > (Select your Web app) Edit Authentication > Negotiate (Kerberos)

3. HOW WOULD YOU TEST TO ENSURE ALL THE ABOVE SERVICES ARE WORKING

	Check the Security event log on the server which is hosting the site/service and find Event ID 540 with the client IP address, as follows:
	Logon Type: 3 means the request was initiated from the network.
	Logon Process: Kerberos
	Authentication Package: Kerberos
	These denote that the authentication type was Kerberos.
	
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/1/2007
Time: 2:22:20 PM
User: MYDOMAIN\pscexec
Computer: MOSSADMIN
Description:
	An example of a successful network logon is depicted in the following table.
User Name: pscexec
Domain: MYDOMAIN
Logon ID: (0x0,0x1D339D3)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Caller User Name:
Caller Domain:
Caller Logon ID:
Caller Process ID:
Transited Services:
Source Network Address: 192.168.100.100
Source Port: 2505

For a detailed understanding, go through:
Configure Kerberos authentication (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263449.aspx

Cheers!

Sunil [MSFT]

0
sunily
1/6/2010 5:18:31 PM
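The Event ID 540 check described in the reply above, written as a script. This is an added example, not part of the original post: it parses the event fields quoted there and reports why a logon does not count as a Kerberos network logon from the test client. The function names, the label list and the NTLM sample event are assumptions made for illustration.

```python
# Field labels of an Event ID 540 record, as they appear in the post.
LABELS = [
    "Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
    "User", "Computer", "Description", "User Name", "Domain", "Logon ID",
    "Logon Type", "Logon Process", "Authentication Package", "Workstation Name",
    "Logon GUID", "Caller User Name", "Caller Domain", "Caller Logon ID",
    "Caller Process ID", "Transited Services", "Source Network Address", "Source Port",
]

# Fields copied from the event in the post; empty values stay empty.
KERBEROS_EVENT = r"""
Event ID 540
User MYDOMAIN\pscexec
User Name
pscexec
Logon Type 3
Logon Process Kerberos
Authentication Package Kerberos
Workstation Name

Logon GUID
{fad7cb69-21f8-171b-851b-3e0dbf1bdc79}
Source Network Address 192.168.100.100
"""

# Constructed sample (not from the post): same client, NTLM fallback.
NTLM_EVENT = r"""
Event ID: 540
User Name: pscexec
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Source Network Address: 192.168.100.100
"""


def parse_event(text):
    """Map each label to its value; a value may sit on the following line."""
    by_length = sorted(LABELS, key=len, reverse=True)  # "User Name" before "User"
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label = next((l for l in by_length
                      if line == l or line.startswith((l + " ", l + ":"))), None)
        if label:
            fields[label] = line[len(label):].lstrip(" :\t")
            pending = None if fields[label] else label
        elif pending:  # value wrapped onto its own line
            fields[pending], pending = line, None
    return fields


def check_kerberos_logon(text, expected_client_ip=None):
    """Return a list of reasons the event is NOT a Kerberos network logon."""
    f = parse_event(text)
    problems = []
    if f.get("Event ID") != "540":
        problems.append("not Event ID 540")
    if f.get("Logon Type") != "3":
        problems.append("Logon Type is not 3 (network)")
    for key in ("Logon Process", "Authentication Package"):
        if f.get(key, "").lower() != "kerberos":
            problems.append(f"{key} is {f.get(key)!r}, expected Kerberos")
    if expected_client_ip and f.get("Source Network Address") != expected_client_ip:
        problems.append("Source Network Address does not match the test client")
    return problems
```

An empty list from `check_kerberos_logon` means the event matches all the criteria in the reply; an NTLM fallback shows up as a mismatch in both Logon Process and Authentication Package.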