In this session, we will now configure Kerberos on our farms so that we can build closer to the completion of the series. If you are unsure where to start in the process, please refer back to one of the previous posts:

To follow these directions, you will need to create a web application and extend it. Please refer back to ‘Creating Your Web Application’ for more details. Navigate over to your MCM-SPS1 image and launch the Internet Information Services (IIS) Manager. Click on ‘Sites’ in the left pane so that it displays a list of the sites in IIS. Make note of the site ID for ‘SharePoint – http://www.mcm.lab.internal443’. The one in this diagram is ‘1062790893’.


  You will need to download a copy of SelfSSL and execute it on MCM-SPS1.

     
 

Notice the syntax: SelfSSL.exe /S:1062790893. The value after /S: is the IIS ID for the web site.


     
 

You will see a question asking, “Do you want to replace the SSL setting for site 1062790893 (Y/N)?”. Type “Y”. You should see a success message. We will now open Internet Information Services (IIS) Manager and highlight ‘MCM-SPS1’ in the left node, and then select ‘Server Certificates’ in the center pane.


     
 


  We now need to export the certificate. We will have a few certificates along the way, so I like to create a centralized location to keep them in one place. I will create a ‘Certificates’ folder on the C drive of MCM-SPS. The next couple of articles will use this same location.


     
 


     
 

Click “Start” and in the search box, type “MMC” and press Enter. From here, click on ‘File’ and select ‘Add/Remove Snap-in…’. This will launch the wizard to select the Certificates snap-in. We will be referring back to this several times throughout the process. Follow the images below to complete this task.


     
 




To import the certificate, make sure you click on the ‘Trusted Root Certification Authorities’ folder. You will then be able to right-click, select ‘All Tasks’ and then ‘Import…’.




Now that we have completed the certificates for this section, we will bounce back to the Internet Information Services (IIS) Manager. Click on ‘Application Pools’. This will help us identify the application pool we are using for your application. It should be similar to the one I have here: SharePoint – int.mcm.lab.internal80.

Launch a command prompt. Here we will set the SPN. Note that even though our site is using HTTPS, we will still use http as the service class. Your syntax should look something like Setspn -A http/{site} {app pool account}:

    Setspn -A http/www.mcm.lab.internal mcm\spAppPool

At this point, Kerberos is officially set up. All we really need is the SPN set up. We will now set up delegation which will enable us to pass our credentials forward. This may be needed for advanced configurations.

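  After we set the SPN, we now need to bring up our domain controller. For the sake of this demo, we will refer to it as MCM-DC. We will now modify the user account that we use for our SharePoint application pool: spAppPool. Click on properties, find the ‘Delegation’ tab, and select ‘Trust this user for delegation to any service (Kerberos only)’. This option is unconstrained delegation: the account can forward a user's credentials to any service, so where the target services are known, ‘Trust this user for delegation to specified services only’ on the same tab is the narrower setting.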


 
 

 

  You can now test Kerberos. Type in your HTTPS address. If you get a certificate error similar to the one below, you have made a mistake in the process. Here I typed HTTPS instead of HTTP when I set my SPN.


  When done correctly, everything should appear normal.


  We have one final test we need to verify. Open up the event properties and verify that the Authentication Package is set to Kerberos instead of NTLM. If not, you will need to review the previous steps and look for typos.
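The same check can be run over many logon events at once instead of opening them one by one. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later and that the events in question are Security event ID 4624 on MCM-SPS1. The function names, sample users and IP address are constructed for illustration.

```powershell
# Added example (not from the original post).
# Assumption: the logon records are Security event ID 4624 (successful logon).

function ConvertFrom-LogonEventXml {
    # Turns the XML of one 4624 event into an object with the fields worth checking.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Xml)
    process {
        $data = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
        [pscustomobject]@{
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
            Package   = $data['AuthenticationPackageName']
            Source    = $data['IpAddress']
        }
    }
}

function Get-NonKerberosLogon {
    # Passes through network logons (type 3) that did not use Kerberos.
    param([Parameter(ValueFromPipeline = $true)]$Logon)
    process {
        if ($Logon.LogonType -eq '3' -and $Logon.Package -ne 'Kerberos') { $Logon }
    }
}

# Constructed sample events: hypothetical users and a documentation IP address.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>' +
    '<Data Name="TargetUserName">{0}</Data><Data Name="TargetDomainName">MCM</Data>' +
    '<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">{1}</Data>' +
    '<Data Name="IpAddress">192.0.2.10</Data></EventData></Event>'
$sample = ($template -f 'testuser1', 'Kerberos'), ($template -f 'testuser2', 'NTLM')

$logons   = @($sample | ConvertFrom-LogonEventXml)
$fallback = @($logons | Get-NonKerberosLogon)

$logons | Format-Table -AutoSize
'{0} of {1} network logons did not use Kerberos' -f $fallback.Count, $logons.Count

# Live use on MCM-SPS1 from an elevated prompt, after browsing to the site:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624;
#                                  StartTime = (Get-Date).AddMinutes(-15) } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml | Get-NonKerberosLogon
```

Any account the live query returns authenticated with NTLM during the test window, which points back to the SPN step.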
