Kerberos Configuration Troubleshooting

I wanted to post about one of the best tools I’ve found for getting Kerberos properly configured and in the process getting some great HOWTO information on Kerberos, how it works, etc.

When working with SharePoint, if the plan is to have your site run under Kerberos, I recommend using this tool before actually provisioning the Web App.  You can do it later, but you'd have to "stop" the WSS-provisioned Web App before using this tool.  Why?  Because the IIS site you use for testing must use the DNS name of the Web App, and that is ultimately the key to Kerberos: getting all the SPNs (servicePrincipalName values) set for the right AD principals.

Basically, before actually creating or extending your web app in SharePoint (which would provision the Web App in IIS), you set up a standard ASP.NET virtual host in IIS using the same DNS name as the eventual SharePoint Web App, and set its App Pool identity to the principal that is going to run the App Pool for the Web App. Then put the DelegConfig files in the IIS site and hit the default page; it gives fantastic diagnostic information on whether Kerberos is set up correctly.  I'd suggest this as a first step...

http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434
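
As an added example (not part of the original post and not DelegConfig's own code), this Python sketch checks the SPN precondition described above: every HTTP/<DNS name> SPN for the web app must be registered to the App Pool account. It goes slightly beyond the post by also flagging an SPN that is registered on a second account, which causes Kerberos authentication to fail. The input is a constructed sample in the layout printed by `setspn -L`; the account names and contoso.com hosts are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: concatenated `setspn -L <account>` output for two accounts.
# All account and host names are hypothetical.
SAMPLE = (
    "Registered ServicePrincipalNames for CN=svc-spapppool,OU=Service Accounts,DC=contoso,DC=com:\n"
    "\tHTTP/portal.contoso.com\n"
    "\tHTTP/portal\n"
    "Registered ServicePrincipalNames for CN=WEB01,OU=Servers,DC=contoso,DC=com:\n"
    "\tHOST/WEB01\n"
    "\thttp/PORTAL.contoso.com\n"
)

HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),.*:\s*$")

def parse_setspn(text):
    """Map each SPN (lower-cased, SPNs are case-insensitive) to the accounts holding it."""
    owners = defaultdict(set)
    account = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            account = match.group(1).lower()
        elif line.strip() and account:
            owners[line.strip().lower()].add(account)
    return owners

def check_web_app(owners, dns_names, app_pool_account):
    """Classify the HTTP/<name> SPN for every DNS name the web app will answer on."""
    wanted = app_pool_account.lower()
    findings = []
    for name in dns_names:
        spn = f"http/{name}".lower()
        accounts = owners.get(spn, set())
        if not accounts:
            status = "missing"          # no principal holds the SPN
        elif accounts == {wanted}:
            status = "ok"               # held by the App Pool account only
        elif wanted in accounts:
            status = "duplicate"        # also registered on another principal
        else:
            status = "wrong-account"    # held, but not by the App Pool account
        findings.append((spn, status))
    return findings

if __name__ == "__main__":
    names = ["portal.contoso.com", "portal", "intranet.contoso.com"]
    for spn, status in check_web_app(parse_setspn(SAMPLE), names, "svc-spapppool"):
        print(f"{spn:32} {status}")
```
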


Posted on Thursday, February 26, 2009 8:17 AM

Comments on this post

# re: Kerberos Configuration Troubleshooting

Good Article. As I was preparing for a client meeting this afternoon, I was refreshing my information on Kerberos and came across this site.

Since most SharePoint admins are not your normal Directory Services people (past experiences support this statement), and Kerberos is really a Directory Services configuration, there ends up being a big disconnect on how (and even who) fixes the problem.

I also found this article (http://blogs.technet.com/askds/archive/2008/05/14/troubleshooting-kerberos-authentication-problems-name-resolution-issues.aspx) that went through step by step to help troubleshoot Kerberos auth issues.

That tool is great and I use it all the time, but it should not be used blindly and you need to have your Directory Services group involved. So my first step (if Kerberos auth is needed) is to sit down with the AD group. It is amazing how many SharePoint installations are put in without including all the players.

Just my two cents worth.
Thanks,
Eric VanRoy
Left by Eric VanRoy on May 20, 2009 11:47 AM