Kerberos Authentication in SharePoint

09 Jun

We’re currently using Kerberos in our environment but I have to say it was a little more difficult to get working than I had originally hoped. There is a lot of documentation out there explaining Kerberos authentication and the process in which it should be done but what I had trouble finding were specifics on the account changes that need to be made. Here are the notes I took down from this process. These are specific to our setup but will hopefully be of some help.

Before you even use SharePoint with the intention of authenticating with Kerberos you need to apply the Infrastructure updates to your MOSS installation. There are separate updates for WSS and MOSS so be sure to install both. WSS first then the MOSS update. Kerberos authentication cannot be configured to work with the Shared Services Provider infrastructure otherwise.

You also need to have your server and service accounts set to “Trust this computer for delegation to any service (Kerberos only)” in their Active Directory properties. If you have to have the services trusted for delegation specified like in our case then here are the services you want to trust:









Once you have the Infrastructure updates applied and your server(s) trusted, you need to have your SharePoint accounts created. Whether you’re using one or multiple accounts they need to be in place beforehand. You must register your Service Principal Names (SPN) before authentication can work. Here are the specific SPN’s  you need registered along with the command line to use. This command will have to be run on the MOSS server itself using adsutil.exe (Administration Script Utility). This is also assuming you already have a domain controller to authenticate to.

This will vary depending on your account set up but I’ll try to generalize them:

(You do not need the “” in this commandline, they are simply to separate items)

For your SQL Service account:

setspn -A mssqlsvc/”servername“:1433 (default SQL service port)

setspn -A mssqlsvc/”servername“.”domainname“:1433 (ex. myserver.mydomain:1433)

For your Application Pool account:

setspn -A http/”mysite URL” “application pool account name

setspn -A http/”site collection URL” “application pool account name

setspn -A http/”servername

setspn -A http/”servername“.”domainname

For your SharePoint admin account:

setspn -A http/”servername

setspn -A http/”servername“.”domainname

For your Shared Services Provider (SSP) account:

setspn -A mssp/”servername“:56737/”SSP name

setspn -A mssp/”servername“:56738/”SSP name” (56737 and 56738 being the standard IIS ports for SSP)

For your SharePoint Search account:

setspn -A http/”servername

setspn -A http/”servername“.”domainname

Anything in bold you will obviously have to put in your own info and if you’re using less accounts then some of these will be combined. You can see the ones that are redundant and go from there. If you’re setting up Kerberos for

Here is a really good article on this if you want to know the specifics of how Kerberos and SharePoint work together.

If you have any questions feel free to ask.

Leave a comment

Posted by on June 9, 2009 in SharePoint Tips


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: