SharePoint 2013 and Kerberos

-
Kerberos protocol supports an authentication method that uses tickets that a trusted source provides. 
 The Kerberos protocol defines how users interact with a network service to gain access to network resources, it provides a fast and a secure method for users and service accounts on a multi-server farm.

It saves users time when moving from one hop to another and removing the need to re authenticate with each hop.

In this article I have collected some information about Kerberos from several resources and based on my personal experience


The reasons why you should consider Kerberos authentication are as follows:

  • The Kerberos protocol is the strongest Integrated Windows authentication protocol, and supports advanced security features including Advanced Encryption Standard (AES) encryption and mutual authentication of clients and servers.
  • The Kerberos protocol allows for delegation of client credentials.
  • Of the available secure authentication methods, Kerberos requires the least amount of network traffic to AD DS domain controllers. Kerberos can reduce page latency in certain scenarios, or increase the number of pages that a front-end web server can serve in certain scenarios. Kerberos can also reduce the load on domain controllers.
  • The Kerberos protocol is an open protocol that is supported by many platforms and vendors.

The reasons why Kerberos authentication might not be appropriate are as follows:

  • In contrast to other authentication methods, Kerberos authentication requires additional infrastructure and environment configuration to function correctly. In many cases, domain administrator permission is required to configure Kerberos authentication which can be difficult to set up and manage. Misconfiguring Kerberos can prevent successful authentication to your sites.
  • Kerberos authentication requires client computer connectivity to a KDC and to an AD DS domain controller. In a Windows and SharePoint deployment, the KDC is an AD DS domain controller. While this is a common network configuration on an organization intranet, Internet-facing deployments are typically not configured in this manner.


What is the Service Principal Name?
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. 


Configurations for Kerberos for specific site/web application will be done on 4 parts:

DNS: to add A record to the site.

-Open DNS and navigate to the forward lookup zone and right click on the zone and Click on new host (A or AAA).

-Type the Name of the web application without putting the domain and enter the IP to the server address (if you have load balancer so that will be  the VIP), click add host then click done.


Active Directory (Trust for Delegation): you need to be member of Domain admins or the Enterprise Admins in Active directory.

-Open Active Directory Users and Computers.

-Navigate in the tree where your SharePoint servers exists.

-Right click on the server name and click on properties, on the delegation tab
Click ‘Trust this computer for delegation to any service (Kerberos only)'  then click Ok.
(repeat this step for all SharePoint servers)

Set SPN from Commands using command window: you need to be member of Domain admins or the Enterprise Admins in Active directory.

-Open command prompt as admin.

-Create SPN for the service account which is the application pool account for the Web Application where the site is hosted using this command:
setspn -S HTTP/siteURL domain\serviceaccount
Other helpful command:
setSPN -L domain\serviceaccount  (to list all SPNs for this account).


SharePoint:

 -In the Central Administration, go to Application Management then press Manage Web Applications.

-Select the Web Application you want to configure, and click on Authentication providers in the top ribbon.

-In the Authentication Providers pop up window, click on the authentication provider you want to change.

-Make sure to select Integrated windows authentication and Negotiate (Kerberos).

-Press Ok and then Save.

By this Kerberos is configured to test that it works:

  • From the client machine command prompt you can flush DNS (ipconfig /flushdns).
  • Clean tickets lists use this command (klist purge). 
  • Navigate to the SharePoint site.
  • Then from the command prompt type klist and press enter you now be able to see the ticket information.

References:

Comments

Post a Comment

Popular posts from this blog

Adjust the Search SharePoint Performance level

-
-Set-SPEnterpriseSearchService -PerformanceLevel PartlyReduced On all search app servers -Open NodeRunner process configuration file below in Notepad C:\Program Files\Microsoft Office Servers\15.0\Search\Runtime\1.0\noderunner.exe.config. Update  <nodeRunnerSettings memoryLimitMegabytes=”0 ″ /> . This is the configuration to limit NodeRunner process memory usage, replace  0  to 500 or 1000 -Restart  SharePoint Search Host Controller  service
Read more

SharePoint 2013 User Profile synchronization versus import

-
Reference is : 2013 advanced Training User Profile Service administrators in SharePoint 2013 can use profile synchronization to manage and synchronize the user and group profile data stored in the SharePoint 2013 profile store with profile data stored in directory services and BDC systems. There are two distinct forms of profile import and synchronization available in SharePoint 2013: ·          One-way profile import. This is a new implementation of a simple import process that was first provided in SharePoint Server 2007. It uses the SharePoint Active Directory Import option to import user profile data from Active Directory Domain Services (AD DS). Note: One-way profile import only works with Active Directory and does not support other directory services. ·          Two-way profile synchronization. This uses the SharePoint Server 2013 profile synchronization method that was first introduced in SharePoint Server 2010. It uses Microsoft Forefront Identity Manager (FIM)
Read more

Usage and Popularity Trends Report not showing correct numbers

-
Recently came into issue that popularity trends showing zero while users are accessing documents so I have that there is a parameter called TailTrimming as mentioned in this reference blog   https://blogs.technet.microsoft.com/tothesharepoint/2014/01/23/view-and-configure-usage-analytics-reports-in-sharepoint-server-2013/ For example, for the Views usage event the TailTrimming parameter is by default set to 3. This means that the usage analytics reports will be updated for an item when the item has been viewed a minimum three times within the last 24 hours. For example, if the item Fabrikam Laptop16 M6000 has been viewed twice within the last 24 hours, these two views won’t show up in the usage analytics reports. If within the next 24 hours the Fabrikam Laptop16 M6000 item is viewed 4 times, the usage analytics report will be updated with 4 views. to adjust it needs to run the following commands $SSP = Get-SPEnterpriseSearchServiceApplicationProxy $tenantConfig = $SSP.GetAn
Read more