Kerberos Authentication for SharePoint 2010 on Windows Server 2008 R2 with IIS7

SharePoint 2010 by default allows Kerberos authentication when you select NTLM/Negotiate in the authentication scheme. However, there are some additional steps you can take to force Kerberos authentication to be used. This has both performance and security advantages, and is particularly useful in intranet scenarios.

The requirements for enabling this are:

– Kerberos is enabled in your domain (Windows Server 2003 and up generally support this automatically)

– You have application pools that use Domain accounts, instead of Local accounts

In this configuration, Kerberos uses the application pool identity to decrypt Kerberos tickets.

Viewing Logon Sessions in Event Viewer

You can check what authentication is being used by viewing the logon sessions in the Security event log. You should see entries logged with Event ID 4624 and a Task category of Logon. If NTLM is being used, in the details you will see an entry like:

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V1
	Key Length:		0

Whereas if Kerberos is being used, the entry will be similar to:

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
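As an added example (not part of the original post), the following PowerShell script tallies the 4624 logons in the Security log by authentication package, so you can see at a glance whether the site is receiving Kerberos or still falling back to NTLM. Run it on the web server as an administrator; $Hours and $UserFilter are assumed parameters, and it uses only PowerShell 2.0 syntax so it works on Server 2008 R2 as shipped.

```powershell
# Added example: summarise Event ID 4624 logons by authentication package.
param(
    [int]$Hours = 1,            # how far back to look (assumed parameter)
    [string]$UserFilter = '*'   # e.g. 'gavin.mckay' to watch a single account
)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The EventData fields are only reliable via the XML view; the names below are fixed for 4624.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -notlike $UserFilter) { continue }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        LogonType = $d['LogonType']                  # 3 = network logon, which is what IIS produces
        Process   = $d['LogonProcessName']           # NtLmSsp vs Kerberos, as in the entries above
        Package   = $d['AuthenticationPackageName']  # NTLM vs Kerberos
        Client    = $d['IpAddress']
    }
}

# Summary: any count left under NTLM means some clients are not getting Kerberos tickets.
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# The most recent NTLM logons, to identify which users or clients are still falling back.
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Sort-Object Time -Descending | Select-Object -First 20 Time, User, LogonType, Client |
    Format-Table -AutoSize
```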

Viewing Kerberos Tickets

When a session is created to a Kerberos-enabled application, the client receives a Kerberos ticket that is used to authenticate the user’s account. In Windows 7 and Windows Server 2008, you can use the KLIST application to view Kerberos tickets from the command line. A typical output would be something like:

Current LogonId is 0:0x2510zzz

Cached Tickets: (2)

#0>     Client: gavin.mckay @ YOUR.DOMAIN.LOCAL
        Server: krbtgt/YOUR.DOMAIN.LOCAL @ YOUR.DOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 11/4/2011 8:02:36 (local)
        End Time:   11/4/2011 18:02:36 (local)
        Renew Time: 11/11/2011 8:02:36 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: gavin.mckay @ YOUR.DOMAIN.LOCAL
        Server: ldap/SERVER1.YOUR.DOMAIN.LOCAL/YOUR.DOMAIN.LOCAL @ YOUR.DOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a40000 -> forwardable renewable pre_authent ok_as_delegate
        Start Time: 11/4/2011 8:02:36 (local)
        End Time:   11/4/2011 18:02:36 (local)
        Renew Time: 11/11/2011 8:02:36 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

As Kerberos tickets are cached, you may need to use the command:

KLIST purge

to remove any current tickets and force new ones to be generated.
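As an added example (not part of the original post), this PowerShell script parses the KLIST output shown above and reports whether the client actually holds a service ticket for the SharePoint SPN, and which encryption type it carries. $Spn is an assumed parameter; the ticket layout assumed is the one printed by KLIST on Windows 7 / Server 2008.

```powershell
# Added example: find the service ticket for the SharePoint SPN in the KLIST cache.
param([string]$Spn = 'HTTP/your.intranet.local')   # assumed SPN placeholder

# Each ticket starts with "#n> Client: ..." followed by "Label: value" lines;
# the "Current LogonId" and "Cached Tickets" header lines are ignored.
function Parse-KlistOutput([string[]]$Lines) {
    $tickets = @(); $t = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s*Client:\s*(.+)$') {
            $t = New-Object PSObject -Property @{
                Client = $matches[1].Trim(); Server = ''; Encryption = ''; Flags = ''; EndTime = '' }
            $tickets += $t
        }
        elseif ($t -and $line -match '^\s*Server:\s*(.+)$')                     { $t.Server     = $matches[1].Trim() }
        elseif ($t -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') { $t.Encryption = $matches[1].Trim() }
        elseif ($t -and $line -match '^\s*Ticket Flags\s+\S+\s*->\s*(.+)$')     { $t.Flags      = $matches[1].Trim() }
        elseif ($t -and $line -match '^\s*End Time:\s*(.+)$')                   { $t.EndTime    = $matches[1].Trim() }
    }
    return $tickets
}

$tickets = Parse-KlistOutput (& klist)
$svc = $tickets | Where-Object { $_.Server -like "$Spn*" }
if (-not $svc) {
    # No service ticket: the SPN is missing or duplicated, or the browser fell back to NTLM.
    # Run "klist purge", browse to the site again, and re-run this script to get a fresh answer.
    Write-Warning "No ticket for $Spn in the cache; check the SPN and the 4624 events on the server."
} else {
    $svc | Select-Object Server, Encryption, Flags, EndTime | Format-List
    if ($svc.Encryption -match 'RC4') {
        # RC4-HMAC is the weaker, older type; AES tickets require the service account to support AES.
        Write-Warning "Ticket for $Spn uses RC4-HMAC rather than AES."
    }
}
```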

Create Service Principal Names (SPNs)

NOTE: In the commands below, the HTTP refers to the service type, NOT the protocol type. So if you have https://your.intranet.local, the entry below would be HTTP/your.intranet.local:443. The HTTPS is not included in the service name, but the port number is.

1. Use the command (the account is specified as DOMAINNAME\AccountName, with a backslash):

(Windows Server 2008)

setspn -S HTTP/your.intranet.local DOMAINNAME\AccountName

(Windows Server 2003)

setspn -A HTTP/your.intranet.local DOMAINNAME\AccountName

Enable Kernel Mode Authentication in IIS 7

From the IIS Manager description:

By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity. As a best practice, do not disable this setting if Kerberos authentication is used in your environment and the application pool is configured to use a custom identity.

1. Open IIS Manager
2. Select the website you want to enable Kernel Mode authentication for
3. In the IIS group, select Authentication
4. Select Windows Authentication
5. In the Actions area, select Advanced Settings
6. Ensure “Enable Kernel-mode authentication” is ticked
7. Click OK

Update the Authentication in applicationHost.config

1. Using Notepad, open the applicationHost.config (by default this is in C:\Windows\System32\inetsrv\config)

2. Find your website entry, generally this should be similar to:

<location path="your.sharepoint.url">

i.e. if you access your site via http://your.sharepoint.url, look for the location path as above

3. Update the tag <windowsAuthentication…> to:

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

4. Save the file
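The SPN registration and the applicationHost.config change above, scripted in PowerShell as an added example (not from the original post). It reads the application pool identity from IIS so the SPN lands on the account that will decrypt the tickets, refuses to continue if that account is not a domain account, and sets the same three attributes the manual edit sets. $SiteName (the IIS site whose <location path="..."> you would edit), $AppPoolName and $HostHeader are assumed placeholders.

```powershell
# Added example: register the HTTP SPN on the app pool identity and enable
# kernel-mode authentication with app pool credentials for the site.
param(
    [string]$SiteName    = 'your.sharepoint.url',   # assumed: IIS site / <location path="..."> name
    [string]$AppPoolName = 'SharePoint - 80',       # assumed: application pool serving the site
    [string]$HostHeader  = 'your.intranet.local'    # host name users browse to
)
Import-Module WebAdministration

# 1. The SPN must belong to the account running the application pool,
#    because that identity is what decrypts the Kerberos service ticket.
$identity = (Get-Item "IIS:\AppPools\$AppPoolName").processModel.userName
if ([string]::IsNullOrEmpty($identity) -or $identity -notmatch '\\') {
    throw "App pool '$AppPoolName' does not run as a DOMAIN\Account; Kerberos needs a domain account."
}
$spn = "HTTP/$HostHeader"

# 2. setspn -Q reports whether the SPN is already registered anywhere in the forest.
#    A duplicate on another account breaks Kerberos and clients fall back to NTLM.
$existing = & setspn -Q $spn
if ($existing -match [regex]::Escape($spn)) {
    Write-Host "SPN $spn is already registered:`n$($existing -join "`n")"
} else {
    # -S (Server 2008+) checks for duplicates before adding; -A on Server 2003 does not.
    & setspn -S $spn $identity
}

# 3. Equivalent of editing the site's <location> entry in applicationHost.config to
#    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
$filter = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter $filter -Name $name -Value $true
}

# 4. Read the settings back to confirm the location tag was updated.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName -Filter $filter |
    Select-Object enabled, useKernelMode, useAppPoolCredentials
```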

Additional Troubleshooting

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Kerberos Delegation Configuration Reporting Tool (ASP.NET web app)
