Monday, February 4, 2013

How to verify Kerberos configuration in SharePoint

We have been using Kerberos for almost five years, since SharePoint 2007. However, every time a new development SharePoint box is set up and we try to integrate it with a third-party application that requires Kerberos, such as the QlikView web part, developers forget to configure Kerberos correctly. Most developers are not able to give the AD or infrastructure team the information needed to request the Kerberos configuration. In this post I would like to summarize how to verify the Kerberos settings from a developer's point of view and what needs to be requested from the AD and infrastructure teams. It is not intended to teach you how to set up Kerberos, but rather to show you how to verify the settings so you can debug the issue.
 
There are several ways to check whether Kerberos is configured correctly for the web app. The most direct way is to verify it with Fiddler 2: the login should show "Negotiate", not "NTLM", as in the screenshot. You can also get similar information from Wireshark.

The second way is from the SharePoint server event logs. Open the Security log and filter for Event ID 4624. You will see that the "Logon Process" is Kerberos.



If you cannot confirm that the site is Kerberos enabled by either of these two ways, you will need to debug the SharePoint server. Here is the procedure you can follow to work with the AD and infrastructure teams.

1. The first thing to verify is whether Kerberos is enabled for the web app.

Check whether the web app has been configured for Kerberos. Open IIS Manager -> select the site -> click Authentication -> right-click Windows Authentication -> click Providers. You should see "Negotiate" in the list.

Open IIS Manager -> select the site -> click Authentication -> right-click Windows Authentication -> click Advanced Settings. "Enable Kernel-mode authentication" should be selected.


You can also verify the web app's "Authentication provider" setting from Central Administration (CA).


2. The second part is to verify whether the SPN is set up correctly, using the command

setspn -l domain\<installer account>

You should see the HTTP SPNs registered for the sandbox server sbx18, as in this output:

 C:\Users\harrycx>setspn -l na\pdssbx
    http/sbx18.na.qualcomm.com
    http/sbx18

3. The third part is to verify that all web app entries are configured in C:\Windows\System32\inetsrv\config\applicationHost.config. If Kerberos is configured for the web app, you should see entries like the ones below; the key lines (highlighted in red in the original post) are the windowsAuthentication element with useKernelMode="true" and a providers list that includes "Negotiate".


<location path="MySite - 300">
        <system.webServer>
            <security>
                <authentication>
                    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
                        <providers>
                            <clear />
                            <add value="Negotiate" />
                            <add value="NTLM" />
                        </providers>
                    </windowsAuthentication>
                    <anonymousAuthentication enabled="false" />
                    <digestAuthentication enabled="false" />
                    <basicAuthentication enabled="false" />
                </authentication>
            </security>
            <urlCompression doStaticCompression="true" doDynamicCompression="true" />
            <httpErrors existingResponse="PassThrough" />
            <httpProtocol>
                <customHeaders>
                    <clear />
                    <add name="X-Powered-By" value="ASP.NET" />
                    <add name="MicrosoftSharePointTeamServices" value="14.0.0.6117" />
                </customHeaders>
            </httpProtocol>
            <handlers accessPolicy="Read, Execute, Script" />
        </system.webServer>
</location>


Please note that each web app must be configured separately, and if you have a load balancer in front of multiple IIS servers, refer to the blog for more details.
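As an added example (not code from the original post), this Python script automates checks 2 and 3 above offline: it parses an applicationHost.config fragment modelled on the one shown and the output of setspn -l, and reports whether Negotiate is offered first, kernel-mode authentication is on, and HTTP SPNs exist for both the short host name and the FQDN. The site names, service account and host names in the inputs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; the second site is deliberately misconfigured.
APPHOST_XML = """<configuration>
<location path="MySite - 300">
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
      <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
    </windowsAuthentication>
  </authentication></security></system.webServer>
</location>
<location path="Intranet - 80">
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false">
      <providers><clear /><add value="NTLM" /></providers>
    </windowsAuthentication>
  </authentication></security></system.webServer>
</location>
</configuration>"""

# Constructed 'setspn -l' output; account and host names are placeholders.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=svc-sp,OU=Service,DC=example,DC=com:
    http/sbx18.example.com
    http/sbx18
"""

def check_webapp(apphost_xml, site_name):
    """Findings for one <location path=...> entry, as a dict of booleans."""
    root = ET.fromstring(apphost_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == site_name), None)
    if loc is None:
        return {"found": False}
    wa = loc.find("./system.webServer/security/authentication/windowsAuthentication")
    if wa is None:
        return {"found": True, "windows_auth": False}
    flag = lambda name: wa.get(name, "false").lower() == "true"
    providers = [a.get("value", "").lower() for a in wa.findall("./providers/add")]
    return {
        "found": True,
        "windows_auth": flag("enabled"),
        "kernel_mode": flag("useKernelMode"),
        # With kernel mode and a domain app-pool identity, IIS decrypts tickets with the machine account unless this is set.
        "app_pool_creds": flag("useAppPoolCredentials"),
        # IIS offers providers in list order, so Negotiate must come before NTLM.
        "negotiate_first": bool(providers) and providers[0] == "negotiate",
    }

def check_spns(setspn_output, host, fqdn):
    """Confirm HTTP SPNs for both the short name and the FQDN appear in setspn -l output."""
    spns = {ln.strip().lower() for ln in setspn_output.splitlines() if ln.startswith(" ")}
    return {"short": f"http/{host.lower()}" in spns, "fqdn": f"http/{fqdn.lower()}" in spns}
```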

