Kerberos setup for SharePoint 2013

-
If using Kerberos then the following needs configuring (this is similar to how it is done for SP2010).

Note: The authentication method for Web Applications must be Claims (the default) if you want to support all SharePoint App scenarios. Classic Windows authentication is not supported (in SharePoint 2013 the only way to create this type of Web Application is using PowerShell).

  1. Create SPNs

    In a PowerShell window create the SPN’s for each web application for both the short name and FQDN, e.g.
    setSPN –S HTTP/PORTAL DOMAIN\PortalAppPool
    setSPN –S HTTP/PORTAL.DOMAIN.COM DOMAIN\PortalAppPool


  2. Allow ‘Trust for delegation’

    1. Open Active Directory Users and Computers applet

    2. View the Properties for your SharePoint server

    3. On the Delegation tab select Trust this computer for delegation to any service

    4. Click Ok

    5. Repeat steps a-d for any other servers that will need to delegate authentication, e.g. all WFE’s, CA, App server, etc.

  3. Configure SharePoint Web Application to use Kerberos authentication

    1. Creating a new Web Application

      1. In Central Administration navigate to Manage Web Applications

      2. From the ribbon, click New

      3. In the Claims Authentication Types section ensure Integrated Windows authentication is selected with Kerberos selected from the drop down


    2. Configuring an existing Web Application

      1. In Central Administration navigate to Manage Web Applications

      2. Select the Web Application to configure

      3. From the ribbon click Authentication Providers

      4. Click Default

      5. In the Claims Authentication Types section ensure Integrated Windows authentication is selected with Kerberos selected from the drop down

  4. Ensure IIS settings are correct

    1. Open IIS Manager

    2. Select the Web Site that relates to the Web Application in SharePoint

    3. In the Features View double-click Authentication

    4. Ensure Forms Authentication and Windows Authentication are both enabled (ignore the warning that they cannot be used simultaneously)

    5. Select Windows Authentication and click Providers in the right-hand Actions pane

    6. Ensure Negotiate and NTLM are enabled, with Negotiate being at the top

  5. KRB_AP_ERR_MODIFIED error

    We also need to enable IIS to participate in Kerberos exchanges using the app pool identity (a domain account) rather than the local system account otherwise Kerberos authentication will fail with a KRB_AP_ERR_MODIFIED error. There are 2 ways of doing this:

    1. Machine wide for all IIS Web Sites. (Ideal for a dev machine)

      1. Edit c:\windows\system32\inetsrv\config\applicationHost.config

      2. Find the system.webserver/security/authentication/windowsAuthentication element

      3. Ensure the attribute useAppPoolCredentials=”true” is present

      4. Save the file and restart IIS

    2. Individually per web site in IIS. This option is better for targeting implementation at specific web sites. Also SP2010 required this approach as it did not support this value switched on, however SP2013 does seems to support this now.

      1. In IIS Manager

      2. Select the Web Site that relates to the Web Application in SharePoint

      3. In the Features View double-click Authentication

      4. Select Windows Authentication and click Advanced Settings in the right-hand Actions pane

      5. Ensure Enable Kernel-mode authentication is unchecked

Credit to David Gent who gathered most of the information above and by trial and error

Comments

  1. kosmetyki kolagenowe13 February 2013 at 16:40

    Its like you read my mind! You appear to know
    so much about this, like you wrote the book in it or something.
    I think that you can do with a few pics to
    drive the message home a bit, but instead of that, this
    is fantastic blog. A great read. I will definitely be back.

    ReplyDelete
  2. Manoj2 December 2013 at 18:51

    hi,

    don't we need to configure SPNs for sql server?

    Say, if I have a SQL Server named instance on a static port. clustered or non-clustered?

    ReplyDelete
  3. KTS28 March 2014 at 06:28

    Hi. If i use kerberos. what should i selecte APP account?
    (NetworkService or LocalSystem or Localserver or myDomainaccount)
    please teach me

    ReplyDelete
  4. Someshwar Janjirala3 July 2014 at 14:19

    Step 5 really helped me to resolve the issue as I am struggling from 20 days. Microsoft should release SharePoint 2013 Kerberos Guide asap.

    ReplyDelete
  5. Claudio27 January 2015 at 17:53

    Trusting the computer for delegation for ANY Kerberos service creates a HUGE Security risk. The delegation should be allowed only for the Application Pool service account that is used for the web application.

    ReplyDelete
  6. Chintan16 July 2015 at 10:19

    Great article! Do we need kerberos for SQL Server 2012 also?

    ReplyDelete
  7. Uwe22 February 2016 at 14:49

    Additionally, this is not correct, because this Trust setting will have no effect. This setting has to be applied to the service accounts, where you added the SPNs

    ReplyDelete
  8. Ahmed10 February 2017 at 14:12

    thanks a lot for your work, worked with me

    ReplyDelete

Post a Comment

Popular posts from this blog

Claims with NTLM and authentication prompts

-
Investigating an ongoing problem where a Web Application configured with Claims Authentication (with NTLM) occasionally causes users to re-enter credentials through a pop up dialog. We have been looking into this issue for a long time with no clear-cut answer as to why it is happening, and more confusingly it only happened in our Live environment and not on our development or test servers. So we decided to set up a new environment (1 APP + 1 WFE) and configure it to run the same site collection, but this time configured to use Claims with Kerberos as the authentication method. After carefully configuring everything (including SPNs), everything seemed to be running smoothly until it was unleashed on our tester. Within the first hour he was presented with a login prompt, so I had a close look at the ULS logs and found a few unexpected error entries corresponding to Claims Authentication: 09/20/2011 15:11:25.20 w3wp.exe (0x03E0) 0x1ABC SharePoint Foundation Claims Authentication bz7l Medi...
Read more