We’re currently building some integration components for a client, and one of the pieces of functionality we need to work with is Kerberos, my favourite three-headed dog.
Windows Server 2008 runs IIS 7, which has a great feature that (by default) means you don’t have to set up SPNs for Kerberos-based sites – it uses Kernel-mode authentication (which means “things just work”).
Bad news bears for SharePoint 2007 though – because it runs as a “farm” – even in single-server configurations – you have to run the site and authentication under the app pool account… AND still set up your SPNs. Bugger, eh! So… how do you make it work?
Go to the server hosting the site and change the following setting in the C:\Windows\System32\inetsrv\config\applicationHost.config file (which will affect all sites on the server):
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
    <providers>
        <add value="Negotiate" />
        <add value="NTLM" />
    </providers>
</windowsAuthentication>
OR do it on the site only: under the Authentication icon, in the Windows Authentication Advanced Settings, deselect the “Enable Kernel-mode authentication” option…
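If you would rather script either option than edit the config file by hand, here is an added example (mine, not from the original post) that applies them with appcmd.exe, the IIS 7 command-line tool, and registers the SPNs on the app pool account. The site name, account name and host names are placeholders you will need to change.

```powershell
# Added example, not part of the original post. Placeholder values; adjust for your farm.
$SiteName    = 'SharePoint - 80'                           # IIS site name (placeholder)
$AppPoolAcct = 'CONTOSO\svc-sp-apppool'                    # app pool identity (placeholder)
$HostNames   = @('sharepoint', 'sharepoint.contoso.local') # names users browse to (placeholders)
$appcmd      = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section     = 'system.webServer/security/authentication/windowsAuthentication'

# Option 1 (server-wide, written to applicationHost.config): keep kernel-mode
# authentication on, but make it use the app pool account's credentials so the
# Kerberos ticket is decrypted with that account's key instead of the machine's.
& $appcmd set config /section:$section /useKernelMode:true /useAppPoolCredentials:true /commit:apphost

# Option 2 (one site only): switch kernel-mode authentication off for that site.
# Pick Option 1 OR Option 2, not both; Option 2 is left commented out here.
# & $appcmd set config $SiteName /section:$section /useKernelMode:false /commit:apphost

# Show the effective setting for the site so the change can be checked.
& $appcmd list config $SiteName /section:$section

# SharePoint 2007 still needs HTTP SPNs, and they must sit on the app pool account,
# not the machine account. setspn -S checks for duplicates before adding, because a
# duplicate SPN silently breaks Kerberos and you end up falling back to NTLM.
foreach ($h in $HostNames) {
    setspn -S "HTTP/$h" $AppPoolAcct
}
setspn -L $AppPoolAcct   # list what is now registered on the account
```

Run it in an elevated prompt on the web front end; setspn needs rights to write to the service account object in AD.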
Cheers! Note that this is not an issue with SharePoint 2010 – in fact, you cannot use Kernel-mode authentication with it, because it does not support SPNEGOv2, the authentication mechanism in SP2010.