How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication (832769)



The information in this article applies to:

  • Microsoft Windows SharePoint Services

INTRODUCTION

This article contains information about how to configure a Microsoft Windows SharePoint Services virtual server to use Kerberos authentication. Additionally, this article contains information about how to switch from Kerberos authentication back to NTLM authentication.

MORE INFORMATION

Starting with Microsoft Windows SharePoint Services Service Pack 2 (SP2), you can create the SharePoint Central Administration virtual server or extend a content virtual server to use either Kerberos authentication or NTLM authentication. You no longer have to modify the IIS metabase directly.

Microsoft Windows Integrated Authentication supports the following two protocols that provide challenge/response authentication:
  • NTLM

    The NTLM protocol is a secure protocol that is based on encrypting user names and passwords before sending the user names and passwords over the network. NTLM authentication is required in networks where the server receives requests from clients that do not support Kerberos authentication.
  • Kerberos

    The Kerberos protocol is based on ticketing. In this scheme, a user must first provide a valid user name and password to an authentication server. Then, the authentication server grants the user a ticket. The ticket can be used on the network to request other network resources. To use this scheme, both the client and server must have a trusted connection to the domain Key Distribution Center (KDC). Additionally, both the client and server must be compatible with the Active Directory directory service.
Note Most of the time, you should choose NTLM authentication. If you do not have a specific need for Kerberos authentication or if you cannot configure the service principal name (SPN), choose NTLM authentication. If you choose Kerberos authentication and cannot configure the SPN, only server administrators will be able to authenticate to the SharePoint site.

Configure Windows SharePoint Services to use Kerberos authentication or NTLM authentication

Starting with Windows SharePoint Services Service Pack 2 (SP2), you can use the SharePoint user interface or commands at a command prompt to configure the SharePoint Central Administration virtual server and content virtual servers. You configure the SharePoint Central Administration virtual server when you create the SharePoint Central Administration, and you configure the content virtual servers when you extend the content virtual server. When you create the SharePoint Central Administration virtual server or extend a new virtual server, there is a new Security Configuration section where you can specify whether you want to use NTLM authentication or Kerberos authentication. To review all the administrative settings for configuring the authentication settings, see the Windows SharePoint Services Administrator's Guide. To see the Windows SharePoint Services Administrator's Guide, visit the following Microsoft Web site:

If you are running SharePoint virtual servers that were extended or created in a version of Windows SharePoint Services earlier than SP2, and you have to configure those virtual servers for Kerberos authentication, you must configure Kerberos authentication for each virtual server manually.

To use a script to enable Kerberos authentication on the virtual server, follow these steps:
  1. On the server that is running IIS, click Start, click Run, type cmd in the Open box, and then click OK.
  2. Change to the Inetpub\Adminscripts folder.
  3. Type the following command, and then press ENTER:

    cd Drive:\inetpub\adminscripts

    Note In this command, Drive is the drive where Microsoft Windows is installed.
  4. Type the following command, and then press ENTER:

    cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders

    Note In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1.
  5. To enable Kerberos authentication on the virtual server, type the following command, and then press ENTER:

    cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "Negotiate,NTLM"

    Note In this command, ## is the virtual server ID number.
  6. Restart IIS. To do this, follow these steps:
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At the command prompt, type iisreset, and then press ENTER.
    3. Type exit, and then press ENTER to close the Command Prompt window.
If you chose Kerberos authentication when you created the SharePoint Central Administration or content virtual servers, but you have to switch back to NTLM authentication, you can use a script to enable NTLM authentication on the virtual server.

To use a script to enable NTLM authentication on the virtual server, follow these steps:
  1. On the server that is running IIS, click Start, click Run, type cmd in the Open box, and then click OK.
  2. Change to the Inetpub\Adminscripts folder.
  3. Type the following command, and then press ENTER:

    cd Drive:\inetpub\adminscripts

    Note In this command, Drive is the drive where Windows is installed.
  4. Type the following command, and then press ENTER:

    cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders

    Note In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1.
  5. To enable NTLM authentication on the virtual server, type the following command, and then press ENTER:

    cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "NTLM"

    Note In this command, ## is the virtual server ID number.
  6. Restart IIS. To do this, follow these steps:
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At the command prompt, type iisreset, and then press ENTER.
    3. Type exit, and then press ENTER to close the Command Prompt window.

Configure a service principal name for the domain user account

If the application pool identity for the Windows SharePoint Services site is configured to use a built-in security principal (such as NT Authority\Network Service or NT Authority\Local System), you do not have to perform this step. The built-in accounts are automatically configured to work with Kerberos authentication.

If you use a remote Microsoft SQL Server 2000 server and you want to use NT Authority\Network Service as the domain account, you have to add the Domain\ComputerName$ entry and configure it with Database Creators and Security Administrators permissions. By doing so, Windows SharePoint Services can connect to the remote SQL Server computer to create the configuration and content databases.

If the application pool identity is a domain user account, you must configure an SPN for that account. To configure an SPN for the domain user account, follow these steps:
  1. Download and install the Setspn.exe command-line tool. To do this, visit the following Microsoft Web site:
  2. Use the Setspn.exe tool to add an SPN for the domain account. To do this, type the following line at the command prompt, and then press ENTER, where ServerName is the fully qualified domain name (FQDN) of the server, Domain is the name of the domain, and UserName is the name of the domain user account:

    setspn -A HTTP/ServerName Domain\UserName
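
The following Python check is an added example, not part of this article or of Windows SharePoint Services. It parses the output of the adsutil.vbs get command from the previous section and of setspn -L for the application pool account, and flags the case the note at the start of this article warns about: Negotiate is enabled on the virtual server but no HTTP/ServerName SPN is registered for the account. The domain, account, server name and both output samples are constructed.

```python
import re

# Constructed samples (not captured from a real server) in the format printed by
# "cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders" for the two settings
# the article uses: "Negotiate,NTLM" (Kerberos) and "NTLM" (NTLM only).
ADSUTIL_KERBEROS = 'NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"'
ADSUTIL_NTLM = 'NTAuthenticationProviders       : (STRING) "NTLM"'
# Constructed sample of "setspn -L CONTOSO\svc-sharepoint" output; CONTOSO, svc-sharepoint
# and web01.contoso.com are hypothetical names.
SETSPN_LIST = """Registered ServicePrincipalNames for CN=svc-sharepoint,CN=Users,DC=contoso,DC=com:
    HTTP/web01.contoso.com
    HTTP/web01
"""

def parse_providers(adsutil_output):
    """Return the NTAuthenticationProviders list from adsutil.vbs 'get' output."""
    match = re.search(r'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"', adsutil_output)
    if match is None:
        raise ValueError("NTAuthenticationProviders not present in adsutil output")
    return [p.strip() for p in match.group(1).split(",") if p.strip()]

def parse_spns(setspn_output):
    """Return the SPNs listed by 'setspn -L', lower-cased (SPN comparison is case-insensitive)."""
    spns = set()
    for line in setspn_output.splitlines():
        line = line.strip()
        if line and not line.endswith(":"):  # skip the "Registered ServicePrincipalNames for ...:" header
            spns.add(line.lower())
    return spns

def kerberos_readiness(adsutil_output, setspn_output, server_fqdn, app_pool_is_builtin=False):
    """Classify a virtual server as 'ntlm', 'kerberos' or 'kerberos-missing-spn'.

    'kerberos-missing-spn' is the state the article warns about: Negotiate is enabled in IIS,
    the application pool runs as a domain user account, but no HTTP/ServerName SPN is registered
    for that account, so only server administrators can authenticate to the site."""
    providers = [p.lower() for p in parse_providers(adsutil_output)]
    if "negotiate" not in providers:
        return "ntlm"
    if app_pool_is_builtin:  # Network Service / Local System need no manually registered SPN
        return "kerberos"
    if ("http/" + server_fqdn).lower() in parse_spns(setspn_output):
        return "kerberos"
    return "kerberos-missing-spn"
```

Run the two commands on the IIS server, paste their output into the two constants, and call kerberos_readiness with the FQDN you used in the setspn -A command.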

Configure trust for delegation for Web parts to access remote resources

If you are developing Web parts for SharePoint that have to access remote resources, you must follow the steps that are listed in the "Configure a service principal name for the domain user account" section and configure both the computer and the application pool account to be trusted for delegation by using the following steps.

Note You do not have to follow these extra steps if you do not have Web parts that are accessing remote resources.

To configure the IIS server to be trusted for delegation, follow these steps:
  1. Start Active Directory Users and Computers.
  2. In the left pane, click Computers.
  3. In the right pane, right-click the name of the IIS server, and then click Properties.
  4. Click the General tab, click to select the Trust computer for delegation check box, and then click OK.
  5. Quit Active Directory Users and Computers.
If the application pool identity is configured to use a domain user account, the user account must be trusted for delegation before you can use Kerberos authentication. To configure the domain account to be trusted for delegation, follow these steps:
  1. On the domain controller, start Active Directory Users and Computers.
  2. In the left pane, click Users.
  3. In the right pane, right-click the name of the user account, and then click Properties.
  4. Click the Account tab, under Account Options, click to select the Account is trusted for delegation check box, and then click OK.
  5. Quit Active Directory Users and Computers.
If the application pool identity is a domain user account, you must configure an SPN for that account. To configure an SPN for the domain user account, follow these steps:
  1. Download and install the Setspn.exe command-line tool. To do so, visit the following Microsoft Web site:
  2. Use the Setspn.exe tool to add an SPN for the domain account. To do so, type the following line at the command prompt, and then press ENTER, where ServerName is the fully qualified domain name (FQDN) of the server, Domain is the name of the domain, and UserName is the name of the domain user account:

    setspn -A HTTP/ServerName Domain\UserName

REFERENCES

For more information about Windows SharePoint Services, visit the following Microsoft Web site:

Modification Type: Major    Last Reviewed: 7/31/2006
Keywords:kbaccounts kbWebServices kbAuthentication kbConfig kbhowto KB832769 kbAudITPRO