SharePoint 2007 + Kerberos on Windows 2008 Server (IIS 7)

We’re currently building a client some integration components and one of the pieces of functionality we need to work with is Kerberos, my favourite 3-headed dog.

Windows 2008 Server runs IIS 7, which has a great feature that (by default) means you don’t have to set up SPNs for Kerberos-based sites – it uses kernel-mode authentication (which means “things just work”).

Bad news bears for SharePoint 2007 though – because it runs as a “farm”, even in single-server configurations, you have to run the site and authentication under the app pool account… AND still set up your SPNs. Bugger, eh! So… how do you make it work?

On the server hosting the site, change the following setting in the C:\Windows\System32\inetsrv\config\applicationHost.config file (this will affect all sites on the server):


<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>


OR do it on the individual site: under the site’s Authentication icon, open the Advanced Settings for Windows Authentication and deselect the “Enable Kernel-mode Authentication” option.



Cheers! Note that this is not an issue with SharePoint 2010 – in fact, you cannot use kernel-mode authentication with it, because it does not support SPNEGOv2, the authentication mechanism in SP2010.
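To check which scopes in a copy of applicationHost.config will still decrypt Kerberos tickets with the machine account, the following audit script reads the useKernelMode and useAppPoolCredentials attributes discussed above. It is an added example, not code from the original post; the sample config, the site names "SharePoint - 80" and "Legacy", and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# IIS 7 schema defaults for <windowsAuthentication>
DEFAULTS = {"enabled": False, "useKernelMode": True, "useAppPoolCredentials": False}
WA = "system.webServer/security/authentication/windowsAuthentication"
# Constructed sample (site names are made up), not taken from a real server
SAMPLE = """<configuration>
 <system.webServer><security><authentication><windowsAuthentication enabled="true">
  <providers><add value="Negotiate" /><add value="NTLM" /></providers>
 </windowsAuthentication></authentication></security></system.webServer>
 <location path="SharePoint - 80"><system.webServer><security><authentication>
  <windowsAuthentication useAppPoolCredentials="true" />
 </authentication></security></system.webServer></location>
 <location path="Legacy"><system.webServer><security><authentication><windowsAuthentication>
  <providers><remove value="Negotiate" /></providers>
 </windowsAuthentication></authentication></security></system.webServer></location>
</configuration>"""

def providers(node, inherited):
    out = list(inherited)
    for child in node.findall("providers/*"):   # apply edits in document order
        if child.tag == "clear":
            out = []
        elif child.tag == "add":
            out.append(child.get("value"))
        elif child.tag == "remove":
            out = [v for v in out if v != child.get("value")]
    return out

def verdict(s, provs):
    if not s["enabled"]:
        return "disabled"
    if "Negotiate" not in provs:
        return "ntlm-only"         # Kerberos is never offered
    if s["useKernelMode"] and not s["useAppPoolCredentials"]:
        return "machine-account"   # a ticket for an SPN on the app pool account fails
    return "app-pool-account"      # the SPN must be registered to the pool identity

def audit(xml_text):
    """Return {scope: verdict} for the server level and each <location> override."""
    root = ET.fromstring(xml_text)
    scopes = [("(server)", root)] + [(loc.get("path"), loc) for loc in root.findall("location")]
    base, base_provs, report = dict(DEFAULTS), [], {}
    for name, node in ((n, scope.find(WA)) for n, scope in scopes):
        if node is not None:
            s = {**base, **{k: v.lower() == "true" for k, v in node.attrib.items() if k in DEFAULTS}}
            p = providers(node, base_provs)
            if name == "(server)":
                base, base_provs = s, p   # locations inherit from the server level
            report[name] = verdict(s, p)
    return report
```

Run `audit()` on the text of the config file; any SharePoint 2007 scope reported as `machine-account` still needs one of the two changes described above.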


About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.