Kerberos for SharePoint 2010

There are some prerequisites for Kerberos, most notably that your Active Directory domain must be Kerberized. Also check out this location for the full documentation on setting it up and other requirements such as operating system: http://www.microsoft.com/en-us/download/details.aspx?id=23176

For this demonstration I am assuming the web application(s) you want to use Kerberos on are currently using Classic authentication with NTLM. For claims-based authentication you will need to read up on constrained and unconstrained delegation in Kerberos.

1. Set the web application to use Kerberos. Do this in Central Administration by clicking on the web application, selecting Authentication Providers in the ribbon, choosing the zone you wish to configure (usually Default), and then changing NTLM to Kerberos.

2. SetSPN. You must register the Service Principal Names (SPNs) for each web application pool account. Log in to a computer on the domain with a domain administrator account (it does not have to be the server hosting the web application). Open a command prompt and run the setspn commands individually, or open PowerShell and run this script:

# Change these variables to suit the web application you are enabling for Kerberos:
$AppPoolAccount = "domain\app.pool.account"   # identity the web application pool runs as
$Hostname       = "hostname"                  # NetBIOS name of the SharePoint server
$Domain         = "domain.com"                # DNS domain, used to build the FQDN SPN
$Port           = "443"                       # port the zone listens on
$WebURL         = "my.sharepoint.com"         # host header users browse to
$WebURLShort    = "my"                        # short (non-FQDN) form of that host header

# Do Not Change These:
# Each SPN is HTTP/<name the browser connects to>, registered with and without the port
# so that a ticket can be issued whichever form of the name the client requests.
$HN      = "HTTP/" + $Hostname
$HNFQDN  = "HTTP/" + $Hostname + "." + $Domain
$WShort  = "HTTP/" + $WebURLShort
$W       = "HTTP/" + $WebURL
$WPShort = "HTTP/" + $WebURLShort + ":" + $Port
$WP      = "HTTP/" + $WebURL + ":" + $Port

# setspn -S checks the forest for an existing copy of the SPN before adding it,
# so a name already registered to another account is reported rather than duplicated.
setspn -S $HN $AppPoolAccount
setspn -S $HNFQDN $AppPoolAccount
setspn -S $WShort $AppPoolAccount
setspn -S $W $AppPoolAccount
setspn -S $WPShort $AppPoolAccount
setspn -S $WP $AppPoolAccount
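To confirm the registration took and that users are really being issued Kerberos tickets rather than silently falling back to NTLM, here is an added verification script (not part of the original post) that reuses the variable names above. It assumes it is run on the SharePoint web front end under the same domain administrator account, after the setspn commands have completed.

```powershell
# Added verification script; same variables as the registration script above.
$AppPoolAccount = "domain\app.pool.account"
$Hostname       = "hostname"
$Domain         = "domain.com"
$WebURL         = "my.sharepoint.com"

# 1. Every SPN we rely on must be listed for the app pool account.
$expected   = @("HTTP/$Hostname", ("HTTP/" + $Hostname + "." + $Domain), "HTTP/$WebURL")
$registered = setspn -L $AppPoolAccount | ForEach-Object { $_.Trim() }
foreach ($spn in $expected) {
    if ($registered -contains $spn) { Write-Host "OK       $spn" }
    else { Write-Warning "MISSING  $spn  (clients will fall back to NTLM or fail)" }
}

# 2. A duplicate SPN anywhere in the forest breaks Kerberos for that name;
#    setspn -X scans for duplicates and prints a "found 0 group(s)" line when clean.
$dupes = setspn -X
if ($dupes -match 'found 0 groups? of duplicate') { Write-Host "No duplicate SPNs found" }
else { Write-Warning "Duplicate SPNs reported by setspn -X:"; $dupes }

# 3. End-to-end check: network logons (type 3) in the Security log should now show
#    the Kerberos authentication package for browser sessions, not NTLM.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        User      = $d.TargetUserName
        LogonType = $d.LogonType
        Package   = $d.AuthenticationPackageName
    }
  } |
  Where-Object { $_.LogonType -eq 3 } |
  Group-Object Package |
  Select-Object Name, Count
```

If step 3 still shows mostly NTLM after browsing the site, the usual causes are a missing SPN for the exact host name in the browser URL or a duplicate SPN reported in step 2.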
