harbar.net component based software & platform hygiene

Using Kerberos with SharePoint on Windows Server 2008

Posted on Sunday, May 18, 2008 12:02 PM

[UPDATE] Please note that SharePoint 2010 does not support Kernel Mode Authentication, and disables this by default when Web Applications are created. Please see this post for more details.


As I demonstrated during the Kerberos session at the Manchester SUGUK meeting last month, there is an extra step required to enable Kerberos Authentication for SharePoint when using Windows Server 2008.

One of the security changes in IIS 7.0 is that Windows Authentication is performed by default in the kernel. This is a good thing! It eases the configuration required for Kerberos and improves performance significantly.

Because HTTP.sys is handling the authentication, it is by default done under the LocalSystem account regardless of the application pool identity. This means that the creation of an SPN is unnecessary, because the default HOST SPNs for the machine account are created when the server is joined to the domain. You can of course change the app pool identity without having to register an SPN, and the app pool account doesn't need to be a domain account. All in all this is a *great* feature!

However, it trips up SharePoint: even on a single server, SharePoint is currently considered a web farm, and a farm should run its application pools under a domain account. Therefore you need to use the application pool identity, rather than the machine account, for authentication.

There are two ways around this:

  • Configure the useAppPoolCredentials attribute in the system.webServer/security/authentication/windowsAuthentication configuration section to true. For example:

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

    I recommend doing this on a Web Application basis (obviously!). There is no ability to edit this value using the IIS Manager. Don't ask me why, I cannae tell ya!
  • Disable Kernel Mode Authentication for the web site, under the Windows Authentication Advanced Settings option:

    [Screenshot: the Windows Authentication Advanced Settings dialog, with "Enable Kernel-mode authentication" cleared]

Please note: the first option above is by far the best approach. This way you can continue to use Kernel mode authN, but of course it involves editing applicationHost.config and I know how some of you admins out there are allergic to XML. Think of disabling Kernel mode authN as a quick way around the problem! But not a real solution. :)
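For those who would rather not hand-edit applicationHost.config, the first option can be scripted with appcmd.exe. This is an added example, not part of the original post; it assumes a Web Application site named "SharePoint - 80" and is run from an elevated PowerShell prompt on the web front end.

```powershell
# Added example (not from the original post): enable useAppPoolCredentials for one
# SharePoint web application via appcmd.exe, keeping Kernel Mode Authentication on.
# Assumed site name; change it to match your Web Application.
$siteName = "SharePoint - 80"
$appcmd   = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$section  = "system.webServer/security/authentication/windowsAuthentication"

# Which application pool, and which identity, does the site's root application use?
$pool     = & $appcmd list app "$siteName/" /text:applicationPool
$idType   = & $appcmd list apppool $pool /text:processModel.identityType
$userName = & $appcmd list apppool $pool /text:processModel.userName
Write-Host "Site '$siteName' -> pool '$pool' ($idType $userName)"

# Once useAppPoolCredentials is true, the HTTP/<host> SPN must be registered on this
# account rather than on the machine account, so stop if it is not a domain account
# (NetworkService/LocalSystem have an empty userName; domain accounts contain '\' or '@').
if ($idType -ne "SpecificUser" -or $userName -notmatch '[\\@]') {
    throw "App pool '$pool' does not run as a domain account; SharePoint needs one for Kerberos."
}

# Show the effective section before the change.
& $appcmd list config $siteName /section:$section

# Write the value as a <location path="$siteName"> override in applicationHost.config.
# /commit:apphost is required: windowsAuthentication is locked at the apphost level by
# default, so committing into the site's web.config would fail with a lock violation.
& $appcmd set config $siteName /section:$section /useAppPoolCredentials:true /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd set config failed with exit code $LASTEXITCODE" }

# Verify: expect enabled="true" useKernelMode="true" useAppPoolCredentials="true".
& $appcmd list config $siteName /section:$section
```

No IIS reset is needed; IIS picks up the applicationHost.config change automatically.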

More in-depth articles on Kerberos are coming soon. First up will be the paper on how to measure authentication performance.