
Article ID: 832769


INTRODUCTION

This article contains information about how to configure a Microsoft Windows SharePoint Services virtual server to use Kerberos authentication. Additionally, this article contains information about how to switch from Kerberos authentication back to NTLM authentication.

Note Windows SharePoint Services 3.0 (the version that ships with the 2007 Microsoft Office system) uses NTLM authentication by default. Kerberos is still supported.

More information

In Microsoft Windows SharePoint Services 2.0 Service Pack 2 (SP2) and later versions, you can configure a SharePoint Central Administration virtual server or content virtual server to use Kerberos authentication or NTLM authentication. To do this, you can use SharePoint Central Administration or the Stsadm.exe command line tool.

Note You no longer have to directly change the IIS metabase.

Microsoft Windows Integrated Authentication

Microsoft Windows Integrated Authentication supports the following protocols:

Note Neither protocol sends the user's password across the network. NTLM is a challenge/response protocol; Kerberos is ticket-based:  
  • NTLM

    In NTLM, the server sends the client a challenge, and the client proves that it knows the user's password by returning a response that is computed from a hash of the password. The password itself is never transmitted. NTLM does not authenticate the server to the client and cannot forward (delegate) the user's identity to a back-end server, so on a domain it is the fallback protocol rather than the preferred one.

    Note NTLM authentication is required if client computers do not support Kerberos authentication or cannot reach a domain controller, for example, clients that are not members of the domain.
  • Kerberos

    Kerberos is based on tickets. The client authenticates once to the Key Distribution Center (KDC), which in an Active Directory domain runs on every domain controller, and receives a ticket-granting ticket. For each service that it contacts, the client presents that ticket to the KDC and receives a service ticket for the service's service principal name (SPN), for example HTTP/<server FQDN>; the service ticket is what the client sends to the Web server. Because the ticket is issued for a specific SPN, that SPN must be registered on the account that runs the service. This is why the SPN steps later in this article are required when the application pool runs as a domain user account.

    Note To use Kerberos authentication, both the client and the server must be able to reach the domain's Key Distribution Center (KDC). Additionally, both the client and the server must be members of (or trust) an Active Directory domain.
Typically, you should use NTLM authentication if you do not have a specific need for Kerberos authentication, such as delegating the user's identity to a back-end server. You should also use NTLM authentication if you cannot register the service principal name (SPN). If you use Kerberos authentication and the SPN is not registered, clients cannot obtain a service ticket for the site, and only server administrators will be able to access the SharePoint site.

Both Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 contain built-in functionality to switch back to NTLM. To configure NTLM authentication on the Web application, use one of the following methods: 

Method 1: Configure NTLM authentication on the Web application from SharePoint 3.0 Central Administration

To configure NTLM authentication on the Web application from SharePoint 3.0 Central Administration, follow these steps:
  1. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
  2. Click the Application Management tab, and then click Authentication Providers.
  3. In the Web Application list, select the Web application that you have to update.
  4. Click the zone that you want to change.
  5. On the Edit Authentication page, under IIS Authentication Settings, under Integrated Windows authentication, click NTLM.
  6. To apply the change, click OK.
Method 2: Configure NTLM authentication on the Web application from the Stsadm.exe command line utility

To configure NTLM authentication on the Web application from the Stsadm.exe command line utility, follow these steps:
  1. At a command prompt, change the directory to the following:

    <system drive>:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN
  2. At a command prompt, type the following command and then press Enter:

    stsadm -o authentication -url http://url_of_the_web_application -type windows -exclusivelyusentlm

    Note Omit -exclusivelyusentlm to offer Negotiate (Kerberos) again. To see other options for the operation, run the following command:

    stsadm -help authentication

Configure Windows SharePoint Services 2.0 to use Kerberos authentication or NTLM authentication

In Windows SharePoint Services 2.0 Service Pack 2 (SP2) and later versions, you can use the SharePoint user interface or commands at a command prompt to configure the SharePoint Central Administration virtual server and content virtual servers.

When you create the SharePoint Central Administration virtual server or extend a new virtual server, there is a new Security Configuration section. In the Security Configuration section, you can specify whether you want to use NTLM authentication or Kerberos authentication.

Note If you are running SharePoint virtual servers that were extended or created in versions of Windows SharePoint Services 2.0 or Windows SharePoint Services 2.0 Service Pack 1 (SP1), you must manually configure Kerberos authentication for the virtual server if it is required.

To use a script to enable Kerberos authentication on the virtual server, follow these steps:
  1. On the server that is running IIS, click Start, click Run, type cmd in the Open box, and then click OK.
  2. Change to the Inetpub\Adminscripts folder. To do this, type the following command, and then press ENTER:
    cd Drive:\inetpub\adminscripts
    Note In this command, Drive is the drive where Microsoft Windows is installed.
  3. To display the current setting, type the following command, and then press ENTER:
    cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders
    Note In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1.
  4. To enable Kerberos authentication on the virtual server, type the following command, and then press ENTER:
    cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "Negotiate,NTLM"
    Note In this command, ## is the virtual server ID number. With this value, clients that can obtain a Kerberos ticket use Kerberos, and other clients fall back to NTLM.
  5. Restart IIS. To do this, follow these steps:
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At the command prompt, type iisreset, and then press ENTER.
    3. Type exit, and then press ENTER to close the Command Prompt window.
If you chose Kerberos authentication when you created the SharePoint Central Administration or content virtual servers, but you have to switch back to NTLM authentication, you can use a script to enable NTLM authentication on the virtual server.

To use a script to enable NTLM authentication on the virtual server, follow these steps:
  1. On the server that is running IIS, click Start, click Run, type cmd in the Open box, and then click OK.
  2. Change to the Inetpub\Adminscripts folder. To do this, type the following command, and then press ENTER:
    cd Drive:\inetpub\adminscripts
    Note In this command, Drive is the drive where Windows is installed.
  3. To display the current setting, type the following command, and then press ENTER:
    cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders
    Note In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1.
  4. To enable NTLM authentication on the virtual server, type the following command, and then press ENTER:
    cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "NTLM"
    Note In this command, ## is the virtual server ID number. With this value, Kerberos is no longer offered, and all clients use NTLM.
  5. Restart IIS. To do this, follow these steps:
    1. Click Start, click Run, type cmd in the Open box, and then click OK.
    2. At the command prompt, type iisreset, and then press ENTER.
    3. Type exit, and then press ENTER to close the Command Prompt window.
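The two adsutil.vbs procedures above, as an added PowerShell example that is not part of KB 832769. It reads and writes the same metabase property (NTAuthenticationProviders on w3svc/<site ID>/root) through the IIS ADSI provider that adsutil.vbs wraps, reads the value back before restarting IIS so that a failed write is not masked by the restart, and then restarts IIS. Assumptions: it runs on the IIS 6 server as a local administrator with PowerShell installed; site ID 1 is the Default Web Site; the function names are this example's own. Windows SharePoint Services 3.0 stores its Negotiate/NTLM choice in the same IIS property, so Get-SiteAuthProviders can also be used to confirm the result of Method 1 or Method 2 earlier in this article.

```powershell
# Added example, not part of KB 832769. Assumes an IIS 6 server, PowerShell,
# and a local administrator session (see the text above).

# The two values the article uses: "Negotiate,NTLM" offers Kerberos and falls
# back to NTLM; "NTLM" removes Kerberos from the site entirely.
$ProviderValue = @{
    Kerberos = 'Negotiate,NTLM'
    NTLM     = 'NTLM'
}

function Get-SiteAuthProviders {
    # Equivalent of: cscript adsutil.vbs get w3svc/<SiteId>/root/NTAuthenticationProviders
    param([int]$SiteId = 1)
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    # Get returns the effective value, including one inherited from the W3SVC
    # level when the site has no value of its own.
    return [string]$root.Get('NTAuthenticationProviders')
}

function Set-SiteAuthProviders {
    # Equivalent of: cscript adsutil.vbs set w3svc/<SiteId>/root/NTAuthenticationProviders "<value>"
    param(
        [int]$SiteId = 1,
        [ValidateSet('Kerberos', 'NTLM')] [string]$Mode
    )
    $wanted = $ProviderValue[$Mode]
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    $root.Put('NTAuthenticationProviders', $wanted)
    $root.SetInfo()

    # Read the value back before restarting: a write that silently did not take
    # leaves the site with its old behaviour, which is easy to miss.
    $actual = Get-SiteAuthProviders -SiteId $SiteId
    if ($actual -ne $wanted) {
        throw "w3svc/$SiteId/root/NTAuthenticationProviders is '$actual', expected '$wanted'"
    }

    # Step 5 of the article: worker processes only pick the value up after a restart.
    & iisreset
    if ($LASTEXITCODE -ne 0) { throw "iisreset failed with exit code $LASTEXITCODE" }
}

# Usage (site 1 = Default Web Site, as in the article):
Write-Host ("Before: " + (Get-SiteAuthProviders -SiteId 1))
Set-SiteAuthProviders -SiteId 1 -Mode Kerberos    # switch back with -Mode NTLM
Write-Host ("After:  " + (Get-SiteAuthProviders -SiteId 1))
```

Run the script once per virtual server; Web sites other than the Default Web Site have their own ID under W3SVC, which the article's ## placeholder stands for.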

Configure a service principal name for the domain user account

Note You do not have to perform these steps if the application pool identity for the Windows SharePoint Services 2.0 site uses a built-in security principal. For example, you do not have to perform these steps if the application pool identity uses NT Authority\Network Service or NT Authority\Local System. These accounts present the computer account on the network, and the HOST/ SPNs that are registered automatically on every computer account also cover HTTP, so Kerberos works without an additional SPN.

Note If the application pool identity is NT Authority\Network Service and the databases are on a remote server that is running Microsoft SQL Server 2000, Windows SharePoint Services 2.0 connects to SQL Server as the computer account, Domain\Computer_Name$. Add that account as a SQL Server login and grant it the Database Creators and Security Administrators server roles so that Windows SharePoint Services 2.0 can create the configuration and content databases.

If the application pool identity is a domain user account, you must configure an SPN for that account. To configure an SPN for the domain user account, follow these steps:
  1. Download and install the Setspn.exe command-line tool. To do this, visit one of the following Microsoft Web sites.

    For Microsoft Windows 2000 Server:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en
    For Microsoft Windows Server 2003:
    970536 Setspn.exe support tool update for Windows Server 2003
    Note Setspn.exe is included in Windows Server 2008. Setspn.exe is available when you add the "Active Directory Domain Services" role by using Server Manager.

    Note You must run Setspn.exe from an elevated command prompt. To elevate the command prompt, right-click the Command Prompt icon, and then click "Run as administrator". Writing an SPN to another account also requires the Write servicePrincipalName permission on that account, which domain administrators have by default.
  2. Use the Setspn.exe tool to add an SPN for the domain account. Register the name exactly as users type it in the URL: if the site is reached through a host header or a DNS alias, register an HTTP/ SPN for that name as well. To do this, follow these steps:
    1. Type the following line at the command prompt, and then press ENTER:
      Setspn -A HTTP/ServerName Domain\UserName
      Note In this command, ServerName is the fully qualified domain name (FQDN) of the server, Domain is the name of the domain, and UserName is the name of the domain user account.
    2. Type the following line at the command prompt, and then press ENTER:
      Setspn -A HTTP/ServerName Domain\UserName
      Note In this command, ServerName is the NETBIOS name of the server, Domain is the name of the domain, and UserName is the name of the domain user account.
    3. To confirm that the SPNs are registered on the account, type the following line, and then press ENTER:
      Setspn -L Domain\UserName

Configure trust for delegation for Web parts

Delegation is required only when Web parts must connect to a back-end server (for example, SQL Server or another Web service) as the user who is browsing the site. Kerberos authentication to the SharePoint site itself does not require it.

To configure the IIS server to be trusted for delegation, follow these steps:
  1. Start Active Directory Users and Computers.
  2. In the left pane, click Computers.
  3. In the right pane, right-click the name of the IIS server, and then click Properties.
  4. Click the General tab, click to select the Trust computer for delegation check box, and then click OK.
  5. Quit Active Directory Users and Computers.
Note In a domain at the Windows Server 2003 functional level, the check box is replaced by a Delegation tab. Trust this computer for delegation to any service (Kerberos only) is the equivalent of the check box (unconstrained delegation). Trust this computer for delegation to specified services only (constrained delegation) lets you list the back-end SPNs that the server may delegate to and limits what a compromised server can do with users' credentials, so use it where the domain supports it.
If the application pool identity is configured to use a domain user account, that user account, rather than the computer account, must be trusted for delegation before Web parts can pass the user's identity on to a back-end server. To configure the domain account to be trusted for delegation, follow these steps:
  1. On the domain controller, start Active Directory Users and Computers.
  2. In the left pane, click Users.
  3. In the right pane, right-click the name of the user account, and then click Properties.
  4. Click the Account tab, under Account Options, click to select the Account is trusted for delegation check box, and then click OK.
  5. Quit Active Directory Users and Computers.
Note In a domain at the Windows Server 2003 functional level, the user account shows a Delegation tab instead of the check box. The tab appears only after an SPN is registered on the account, so register the SPN first.
The domain account also needs the HTTP/ SPNs that are described in "Configure a service principal name for the domain user account" earlier in this article. Without them, clients cannot obtain a Kerberos ticket for the site, and there is no Kerberos identity to delegate.
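The SPN registration and delegation steps above, as an added PowerShell example that is not part of KB 832769. It goes slightly beyond the article in two ways: the SPN list covers every host name a browser may put in the URL (a host header such as a portal alias as well as the server's FQDN and NETBIOS name), because the client derives the SPN from the URL's host name rather than from the machine name, and each SPN is queried before it is added so that it is never registered on a second account (a duplicate SPN breaks Kerberos for that name until one copy is removed). Assumptions: it runs on a domain-joined computer as a domain administrator; the Setspn.exe from the KB 970536 update or Windows Server 2008 is on the PATH (its -Q switch is used, and its English "Existing SPN found" output text is matched); the account CONTOSO\svc_wss_apppool and the host names are placeholders; the function names are this example's own.

```powershell
# Added example, not part of KB 832769. Assumes the KB 970536 / Windows Server 2008
# Setspn.exe, a domain administrator session, and English Windows (see the text above).

function Get-HttpSpnList {
    # One HTTP/<name> SPN per host name a browser may use: the FQDN, the NETBIOS
    # name, and every host header or DNS alias that the Web application answers on.
    param([string[]]$HostNames)
    $spns = @()
    foreach ($name in $HostNames) { $spns += "HTTP/$name" }
    return $spns
}

function Test-SpnRegistered {
    # Wraps 'setspn -Q <spn>'. Returns $true when any account in the forest
    # already holds the SPN (output text is the English Setspn.exe message).
    param([string]$Spn)
    $output = & setspn -Q $Spn 2>&1 | Out-String
    return ($output -match 'Existing SPN found')
}

function Register-HttpSpn {
    # Step 2 of the article, setspn -A HTTP/<name> DOMAIN\user, but it refuses to
    # create a duplicate: an SPN held by two accounts leaves the KDC unable to
    # choose a key, and Kerberos for that name fails until 'setspn -D' removes one.
    param([string]$Spn, [string]$Account)
    if (Test-SpnRegistered -Spn $Spn) {
        Write-Warning "$Spn is already registered; run 'setspn -Q $Spn' to see on which account"
        return
    }
    & setspn -A $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $Spn $Account failed (exit code $LASTEXITCODE)" }
}

function Set-AccountTrustedForDelegation {
    # The "trusted for delegation" check box: sets TRUSTED_FOR_DELEGATION (0x80000)
    # in userAccountControl. Pass 'svc_wss_apppool' for a user account or
    # 'WSSWEB01$' for the IIS server's computer account. This is unconstrained
    # delegation (the account may use a user's ticket against any service);
    # where the domain supports it, constrained delegation on the Delegation tab
    # limits that exposure and is the better choice.
    param([string]$SamAccountName)
    $TRUSTED_FOR_DELEGATION = 0x80000
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account $SamAccountName was not found in the domain" }
    $entry = $result.GetDirectoryEntry()
    $uac = [int]$entry.Properties['userAccountControl'].Value
    if (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0) { return }   # already set
    $entry.Properties['userAccountControl'].Value = ($uac -bor $TRUSTED_FOR_DELEGATION)
    $entry.CommitChanges()
}

# Usage with placeholder values (application pool identity and the names users type):
$account   = 'CONTOSO\svc_wss_apppool'
$hostNames = @('wssweb01.contoso.com', 'wssweb01', 'portal.contoso.com')
foreach ($spn in Get-HttpSpnList -HostNames $hostNames) {
    Register-HttpSpn -Spn $spn -Account $account
}
Set-AccountTrustedForDelegation -SamAccountName 'svc_wss_apppool'
& setspn -L $account    # list what the account now holds, as in the article's check
```

After the SPNs are in place, users who already had a logon session must obtain fresh tickets (log off and on again, or run klist purge where it is available) before they get a service ticket for the new SPN.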

References

For more information about Windows SharePoint Services, visit the following Microsoft Web site:

http://technet.microsoft.com/windowsserver/sharepoint/default.aspx

For more information about how to configure Windows SharePoint Services 2.0 authentication settings, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a637eff6-8224-4b19-a6a4-3e33fa13d230&DisplayLang=en


Properties

Article ID: 832769 - Last Review: July 12, 2013 - Revision: 13.1
Applies to
  • Microsoft Windows SharePoint Services 3.0
  • Microsoft Windows SharePoint Services 2.0
Keywords: 
kbaccounts kbwebservices kbauthentication kbconfig kbhowto KB832769