This article describes how to configure a server that is running Windows Server 2003, Microsoft Office SharePoint Server 2007, and Excel Services for Kerberos authentication.

Back to the top

Follow these steps in the order in which they are presented to configure the Kerberos protocol on SharePoint Server 2007 and on Excel Services.

Back to the top

Configure SharePoint Server 2007 for Kerberos authentication

Step 1: Set up the SPN for the user accounts

You have to set the Service Principal Name (SPN) for the farm account on the computer that is running SharePoint Server 2007. To do this, you must have the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site: After you download and install the Windows Support Tools, follow these steps:

1.	Set the SPN for the server farm account. At a command prompt, type the following to set the SPN for the server farm account, and then press ENTER: setspn.exe -A HTTP/SharePoint_server .domain.com domain\SharePoint_Server_farm_acct For example, type the following at the command prompt: setspn.exe -A HTTP/mossserver.contoso.com contoso\SharePoint_Server_farm_acct
2.	Set the SPN for the SharePoint Server 2007 application pool accounts. To do this, type the following, and then press ENTER after each one: • setspn.exe -A HTTP/SharePoint_server domain\application_pool_account For example, type the following, and then press ENTER: setspn.exe -A HTTP/mossserver:80 contoso\application_pool_account • setspn.exe -A HTTP/SharePoint_server.domain.com domain\app_pool_acct For example, type the following, and then press ENTER: setspn.exe -A HTTP/mossserver:80 contoso\application_pool_account
3.	After you set the SPN, verify that the SPN is set correctly on the server. To do this, follow these steps: a. At a command prompt, type the following, and then press ENTER: Setspn –L Domain\SharePoint_Server_farm_acct For example, type the following, and then press ENTER: setspn -L contoso\SharePoint_Server_farm_acct b. If the SPN for the SharePoint Server farm account is configured correctly, the SharePoint Server URL address will be displayed. For example, type the following, and then press ENTER: setspn -L contoso\SharePoint_Server_farm_acct At the command prompt, the following is displayed: HTTP/mossserver.domain.com c. At a command prompt, type the following, and then press ENTER: Setspn –L DomainName\application_Pool_Account For example, type the following, and then press ENTER: setspn -L contoso\application_pool_account d. If the SPN for the SharePoint Server 2007 application pool accounts is configured correctly, the pool account URL address and the port number will be displayed. For example, type the following, and then press ENTER: setspn -L contoso\application_pool_account At the command prompt, the following is displayed: HTTP/mossserver.domain.com:80 HTTP/mossserver:80

Step 2: Trust for delegation on the user accounts and on the computer accounts

Make sure that the following user accounts are in a trust relationship on all servers that will participate in Kerberos authentication:

•	Microsoft Office SharePoint Server 2007 Servers, computer account
•	Microsoft SQL Server/Analysis server, computer account
•	Microsoft Office SharePoint Server 2007 farm, user account
•	Web Application Pool, user account

To configure a computer account so that it is trusted for delegation, follow these steps:

1.	Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2.	In the navigation pane, click Computers.
3.	Right-click the computer that you want to configure, and then click Properties.
4.	Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.

To configure a user account so that it is trusted for delegation, follow these steps:

1.	Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2.	In the navigation pane, click Users.
3.	Right-click the user who you want to configure, and then click Properties.
4.	Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.

Step 3: Configure the SharePoint Server 2007 Web site for Kerberos authentication

Configure the SharePoint Server 2007 Web site to use Kerberos authentication. To do this, follow these steps:

1.	Click Start, click Control Panel, double-click Administrative Tools, and then double-click SharePoint Central Administration.
2.	Click the Application Management tab, and then click Authentication Providers.
3.	In the Web Application list, select the Web application that you have to update.
4.	Click the zone that you want.
5.	On the Edit Authentication page for IIS Authentication Settings, click Negotiate (Kerberos). When you are prompted for confirmation, click OK.
6.	Click Integrated Windows authentication, click Negotiate (Kerberos), and then click OK.
7.	To apply the change, click Save.

For more information about how to configure Kerberos authentication on the SharePoint Server 2007 Web site, click the following article number to view the article in the Microsoft Knowledge Base:

Step 4: Configure Component Services on Windows Server 2003

1.	On the server that is running SharePoint Server 2007, click Start, click Run, type dcomcnfg in the Open box, and then click OK.
2.	Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
3.	Click the Default Properties tab, click Delegate in the Default Impersonation Level box, and then click OK. For more information about how to set an impersonation level, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/library/ms681722.aspx (http://msdn2.microsoft.com/en-us/library/ms681722.aspx)
4.	Expand Component Services, expand Computers, and then double-click My Computer.
5.	Double-click the DCOM Config folder, and then right-click IIS WAMREG admin Service.
6.	Click Properties, click the Security tab, and then under Launch and Activate Permissions, click Edit.
7.	In the Launch Permission dialog box, click Add.
8.	In the Select Users, Computers, or Groups dialog box, type the user account that you specified as the SharePoint Server 2007 application pool account, click Check Names, and then click OK.
9.	In the Permissions for UserName list, click to select the Allow check box that is next to Local Activation, and then click OK.
10.	If you have more than one application pool account, repeat steps 7 to 9 for each one.
11.	Click OK.

Step 5: Enable the Kerberos protocol on the SSP

You must enable the Kerberos protocol on the Shared Services Provider (SSP). At a command prompt, type the following, and then press ENTER:

Back to the top

Configure Excel Services for Kerberos authentication

After you have configured SharePoint Server 2007 for Kerberos authentication, you can now configure Excel Services for Kerberos authentication. Follow these steps in the order in which they are presented to configure Excel Services for Kerberos authentication.

Step 1: Configure user permissions in SQL Server 2005 Analysis Services

1.	Start SQL Server Management Studio, and then connect to the instance of SQL Server 2005 Analysis Services.
2.	Right-click the Analysis Services folder, and then click Properties.
3.	Click Security in the navigation pane.
4.	Under NT Users and Groups, click Add, and then add each user who you want to grant access to Excel services. If you want to grant access to all users, add Authenticated users.
5.	Close Analysis Services Properties.

Step 2: Configure SQL Server 2005 Analysis Services to use Kerberos authentication

For more information about how to configure SQL Server 2005 Analysis Services to use Kerberos authentication, click the following article number to view the article in the Microsoft Knowledge Base:

Step 3: Configure Excel Services for delegation

To configure Excel Services for delegation, follow these steps:

1.	At a command prompt, type the following, and then press ENTER: STSADM -o set-ecssecurity -ssp Shared Services Provider Name -accessmodel delegation
2.	Type the following, and then press ENTER: STSADM -o execadmsvcjobs

Back to the top