Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks




Article ID: 953130 - Last Review: January 26, 2010 - Revision: 6.0

How to configure SharePoint Server 2007 and Excel Services for Kerberos authentication


INTRODUCTION

This article describes how to configure a server that is running Windows Server 2003, Microsoft Office SharePoint Server 2007, and Excel Services for Kerberos authentication.

MORE INFORMATION

Follow these steps in the order in which they are presented to configure the Kerberos protocol on SharePoint Server 2007 and on Excel Services.

Configure SharePoint Server 2007 for Kerberos authentication

Step 1: Set up the SPN for the user accounts

You have to set the Service Principal Name (SPN) for the farm account on the computer that is running SharePoint Server 2007. To do this, you must have the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. For more information about how to obtain the latest version of the setspn.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:
970536  (http://kbalertz.com/Feedback.aspx?kbNumber=970536/ ) Setspn.exe support tool update for Windows Server 2003
After you download and install the Windows Support Tools, follow these steps:
  1. Set the SPN for the server farm account. At a command prompt, type the following to set the SPN for the server farm account, and then press ENTER:
    setspn.exe -S HTTP/SharePoint_server.domain.com domain\SharePoint_Server_farm_acct
    For example, type the following command at the command prompt, and then press ENTER:
    setspn.exe -S HTTP/mossserver.contoso.com contoso\SharePoint_Server_farm_acct
  2. Set the SPN for the SharePoint WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:
    setspn.exe -S HTTP/SharePoint_WebApplication:port domain\application_pool_account

    setspn.exe -S HTTP/FQDN_of_the_WebApplication:port domain\application_pool_account
    For example, type the following commands, and press ENTER after each one:
    setspn.exe -S HTTP/mossserver:80 contoso\application_pool_account

    setspn.exe -S HTTP/mossserver.contoso.com:80 contoso\application_pool_account
  3. Set the SPN for the SharePoint Shared Services WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:
    setspn.exe -S HTTP/SharedServices_WebApplication:port domain\SharedServices_application_pool_account

    setspn.exe -S HTTP/FQDN_of_the_SharedServices_WebApplication:port domain\SharedServices_application_pool_account
    For example, assume that My Shared Services Web Application is hosted on port 8001. In this case, type the following commands, and press ENTER after each one:
    setspn.exe -S HTTP/mossserver:8001 contoso\application_pool_account

    setspn.exe -S HTTP/mossserver.contoso.com:8001 contoso\application_pool_account
  4. After you set the SPN, verify that the SPN is set correctly on the server. To do this, type the following commands at a command prompt, and press ENTER after each one:
    setspn -L Domain\User_account_UsedtosetSPN
    For example, type one of the following commands, and then press ENTER:
    setspn -L contoso\SharePoint_Server_farm_acct

    setspn -L contoso\application_pool_account

    setspn -L contoso\SharedServices_application_pool_account
    If the SPN is configured correctly, the account URL address and the port number will be displayed. At the command prompt, you would see the SPN set for the user account:
    HTTP/mossserver.contoso.com
    HTTP/mossserver:80
    HTTP/mossserver.contoso.com:80
    HTTP/mossserver:8001
    HTTP/mossserver.contoso.com:8001
Note Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed.

For more information, see the "Configure Kerberos authentication (Office SharePoint Server)" topic on the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc263449.aspx
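
Added example (not part of the Microsoft article): a Python check run over saved `setspn -L` output that reports any SPN registered on more than one account, which causes Kerberos authentication to that service to fail, and any short-name or FQDN SPN still missing for a Web application. The sample listing is constructed from the article's example names, with one deliberate duplicate on port 8001; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L` output for the three example accounts,
# concatenated. The last account carries a deliberate duplicate SPN.
SAMPLE = """\
Registered ServicePrincipalNames for CN=SharePoint_Server_farm_acct,CN=Users,DC=contoso,DC=com:
        HTTP/mossserver.contoso.com
Registered ServicePrincipalNames for CN=application_pool_account,CN=Users,DC=contoso,DC=com:
        HTTP/mossserver:80
        HTTP/mossserver.contoso.com:80
        HTTP/mossserver:8001
        HTTP/mossserver.contoso.com:8001
Registered ServicePrincipalNames for CN=SharedServices_application_pool_account,CN=Users,DC=contoso,DC=com:
        http/MOSSSERVER.contoso.com:8001
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn_listing(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts.setdefault(current, [])
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts

def duplicate_spns(accounts):
    """SPNs registered on more than one account (SPNs are case-insensitive)."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def missing_spns(accounts, account_dn, host, fqdn, port):
    """Expected short-name and FQDN SPNs for a Web application that are absent."""
    have = {s.lower() for s in accounts.get(account_dn, [])}
    wanted = [f"HTTP/{host}:{port}", f"HTTP/{fqdn}:{port}"]
    return [w for w in wanted if w.lower() not in have]
```
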

Step 2: Trust for delegation on the user accounts and on the computer accounts

Make sure that the following user accounts are in a trust relationship on all servers that will participate in Kerberos authentication:
  • Microsoft Office SharePoint Server 2007 Servers, computer account
  • Microsoft SQL Server/Analysis server, computer account
  • Microsoft Office SharePoint Server 2007 farm, user account
  • Web Application Pool, user account
To configure a computer account so that it is trusted for delegation, follow these steps:
  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. In the navigation pane, click Computers.
  3. Right-click the computer that you want to configure, and then click Properties.
  4. Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.
To configure a user account so that it is trusted for delegation, follow these steps:
  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. In the navigation pane, click Users.
  3. Right-click the user who you want to configure, and then click Properties.
  4. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.
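
Added example (not part of the Microsoft article): the "Trust ... for delegation to any service (Kerberos only)" option sets the TRUSTED_FOR_DELEGATION bit (0x80000) in the account's userAccountControl attribute, that is, unconstrained delegation, so it is worth confirming that only the accounts listed above carry it. The Python below decodes that bit from a constructed LDIF-style export; DC01, helpdesk_svc and the function names are assumptions of the example.

```python
# Constructed LDIF-style export of three attributes per account (sample data).
SAMPLE_LDIF = """\
dn: CN=SharePoint_Server_farm_acct,CN=Users,DC=contoso,DC=com
sAMAccountName: SharePoint_Server_farm_acct
userAccountControl: 590336

dn: CN=application_pool_account,CN=Users,DC=contoso,DC=com
sAMAccountName: application_pool_account
userAccountControl: 66048

dn: CN=MOSSSERVER,CN=Computers,DC=contoso,DC=com
sAMAccountName: MOSSSERVER$
userAccountControl: 528384

dn: CN=DC01,OU=Domain Controllers,DC=contoso,DC=com
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=helpdesk_svc,CN=Users,DC=contoso,DC=com
sAMAccountName: helpdesk_svc
userAccountControl: 524800
"""

TRUSTED_FOR_DELEGATION = 0x80000  # "Trust ... for delegation to any service"
SERVER_TRUST_ACCOUNT = 0x2000     # domain controller computer account

def parse_records(ldif):
    """Split on blank lines and return one {attribute: value} dict per entry."""
    records = []
    for block in ldif.strip().split("\n\n"):
        records.append(dict(line.split(": ", 1) for line in block.splitlines()))
    return records

def audit_delegation(ldif, expected):
    """Compare accounts holding the flag against the documented set."""
    expected = {e.lower() for e in expected}
    trusted = set()
    for rec in parse_records(ldif):
        uac = int(rec["userAccountControl"])
        # Domain controllers carry the flag by default, so they are skipped.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            trusted.add(rec["sAMAccountName"].lower())
    return {
        "unexpected": sorted(trusted - expected),    # trusted, not in the plan
        "not_yet_set": sorted(expected - trusted),   # planned, flag still missing
    }
```
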

Step 3: Configure the SharePoint Server 2007 Web site for Kerberos authentication

Configure the SharePoint Server 2007 Web site to use Kerberos authentication. To do this, follow these steps:
  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click SharePoint Central Administration.
  2. Click the Application Management tab, and then click Authentication Providers.
  3. In the Web Application list, select the Web application that you have to update.
  4. Click the zone that you want.
  5. On the Edit Authentication page for IIS Authentication Settings, click Negotiate (Kerberos). When you are prompted for confirmation, click OK.
  6. Click Integrated Windows authentication, click Negotiate (Kerberos), and then click OK.
  7. To apply the change, click Save.
For more information about how to configure Kerberos authentication on the SharePoint Server 2007 Web site, click the following article number to view the article in the Microsoft Knowledge Base:
832769  (http://kbalertz.com/Feedback.aspx?kbNumber=832769/ ) How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication
Additionally, if you run Internet Information Services 7.0 on a server that is running SharePoint Server 2007, you must also set the useAppPoolCredentials attribute value to true in the ApplicationHost.config file. This file is located in the following folder:
C:\Windows\System32\Inetsrv\Config
After you make the change in the ApplicationHost.config file, the useAppPoolCredentials attribute value should resemble the following:
<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
        </authentication>
    </security>
</system.webServer>

Step 4: Configure Component Services on Windows Server 2003 or Windows Server 2008

  1. On the server that is running SharePoint Server 2007, click Start, click Run, type dcomcnfg in the Open box, and then click OK.
  2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
  3. Do one of the following:
    • For Windows Server 2003, click the Default Properties tab, click Delegate in the Default Impersonation Level box, and then click OK.
    • For Windows Server 2008, click the Default Properties tab, click Identify in the Default Impersonation Level box, and then click OK.
    For more information about how to set an impersonation level, visit the following Microsoft Web site:
    http://msdn2.microsoft.com/en-us/library/ms681722.aspx
  4. Expand Component Services, expand Computers, and then double-click My Computer.
  5. Double-click the DCOM Config folder, and then right-click IIS WAMREG admin Service.
  6. Click Properties, click the Security tab, and then under Launch and Activate Permissions, click Edit.
  7. In the Launch Permission dialog box, click Add.
  8. In the Select Users, Computers, or Groups dialog box, type the user account that you specified as the SharePoint Server 2007 application pool account, click Check Names, and then click OK.
  9. In the Permissions for UserName list, click to select the Allow check box that is next to Local Activation, and then click OK.
  10. If you have more than one application pool account, repeat steps 7 to 9 for each one.
  11. Click OK.

Step 5: Enable the Kerberos protocol on the SSP

You must enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, follow the steps in the "Configure your SSP infrastructure for Kerberos authentication" topic on the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc263449.aspx#section14
Then, use the STSADM command to enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, at a command prompt, type the following, and then press ENTER:
STSADM -o SetSharedWebServiceAuthn -negotiate

Configure Excel Services for Kerberos authentication

After you have configured SharePoint Server 2007 for Kerberos authentication, you can now configure Excel Services for Kerberos authentication. Follow these steps in the order in which they are presented to configure Excel Services for Kerberos authentication.

Step 1: Configure user permissions in SQL Server 2005 Analysis Services

  1. Start SQL Server Management Studio, and then connect to the instance of SQL Server 2005 Analysis Services.
  2. Right-click the Analysis Services folder, and then click Properties.
  3. Click Security in the navigation pane.
  4. Under NT Users and Groups, click Add, and then add each user who you want to grant access to Excel services. If you want to grant access to all users, add Authenticated users.
  5. Close Analysis Services Properties.

Step 2: Configure SQL Server 2005 Analysis Services to use Kerberos authentication

For more information about how to configure SQL Server 2005 Analysis Services to use Kerberos authentication, click the following article number to view the article in the Microsoft Knowledge Base:
917409  (http://kbalertz.com/Feedback.aspx?kbNumber=917409/ ) How to configure SQL Server 2005 Analysis Services to use Kerberos authentication

Step 3: Configure Excel Services for delegation

To configure Excel Services for delegation, follow these steps:
  1. At a command prompt, type the following, and then press ENTER:
    STSADM -o set-ecssecurity -ssp "Shared Services Provider Name" -accessmodel delegation
  2. Type the following, and then press ENTER:
    STSADM -o execadmsvcjobs

APPLIES TO
  • Microsoft Office SharePoint Server 2007
Keywords: 
kbkerberos kbexpertiseadvanced kbhowto kbinfo KB953130