Configuring Kerberos Authentication on a SharePoint 2013 - 2016 Web Application

Introduction

My team recently configured Kerberos authentication for a SharePoint 2013 web application, and we captured the process step by step. This article is for SharePoint administrators who want to configure Kerberos authentication on their SharePoint 2013 or 2016 web applications. The host name used for the web application must agree at every layer (public URL, DNS record, Service Principal Name, IIS binding and alternate access mapping), so decide on it before you start.

Creating new web application with Kerberos Authentication

  1. Open your Central Administrator site.
  2. Click on "Manage web application" in "Application Management" section.

  3. Click on "New" in the top menu.

  4. Create new web application in the dialog box.
  5. Specify the name for the web application in the IIS Web Site section; this becomes the IIS site name.
  6. In the Claims Authentication Types section, select Enable Windows Authentication and Integrated Windows authentication, and set the drop-down to "Negotiate (Kerberos)".

  7. Set the public URL to the URL users will type. The host part of this URL is the name you will register in DNS and in the SPN, so it must match exactly in all three places.

    Note - You can keep the default name and port number that SharePoint proposes. If you do, that port number must also appear in the SPNs you register in the Service Principal Name section below.

  8. Click OK to create the new web application with Kerberos authentication.
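The same web application can be created from the SharePoint Management Shell. The following is an added example, not part of the original article: the managed account, host header, site and database names are assumptions, chosen to match the names used in the rest of these notes.

```powershell
# Added example (not from the original article). Assumed values:
#   managed account  CONTOSO\sp_webapp  (already registered with New-SPManagedAccount)
#   public URL       http://sharepoint.contoso.local  (host header on port 80)
# Run in the SharePoint Management Shell as a farm administrator.
$AccountName = 'CONTOSO\sp_webapp'
$HostHeader  = 'sharepoint.contoso.local'
$PublicUrl   = "http://$HostHeader"

$managed = Get-SPManagedAccount -Identity $AccountName

# Claims-based Windows authentication. Omitting -DisableKerberos selects
# Negotiate (Kerberos); adding that switch would restrict the zone to NTLM.
$provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$wa = New-SPWebApplication -Name 'SharePoint - sharepoint80' `
        -ApplicationPool 'SharePoint - sharepoint80' `
        -ApplicationPoolAccount $managed `
        -HostHeader $HostHeader -Port 80 -Url $PublicUrl `
        -AuthenticationProvider $provider `
        -DatabaseName 'WSS_Content_sharepoint'

# Show what must later agree with DNS, the SPN and the IIS binding
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
[pscustomobject]@{
    PublicUrl      = $wa.GetResponseUri($zone).AbsoluteUri
    AppPoolAccount = $wa.ApplicationPool.Username   # the account the HTTP/ SPNs go on
}
```

The application pool account printed at the end is the account the HTTP/ SPNs must be registered on in the Service Principal Name section; registering them on the machine account or another user is the most common cause of a silent NTLM fallback.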

Name Resolution

DNS

Note: This section should be carried out by the Windows Server (Active Directory) administrator, on the DNS server that hosts the domain's zone.

  1. Open DNS Management in Administrative Tools on a DNS Server.

  2. Expand "Forward Lookup Zones" container.

  3. Right click on your domain and click on "New Host (A or AAAA)".

  4. The New Host dialog opens.
  5. Enter the Host Name, which is the host part of the web application's URL (the FQDN minus the domain suffix, i.e. the name before the first dot), and the IP address of the WFE server.

    Note

    If you have two WFE servers in the same farm, create two A records with the same host name, one per WFE, each with that WFE's IP address; DNS then alternates between them (round robin). Because the SPN is tied to the application pool account, both WFEs must run the web application's application pool under the same domain account, which is the case for a farm-managed application pool. Use A records rather than a CNAME: some clients build the SPN from the canonical name behind a CNAME, which would not match the SPN you register.

  6. Click on "Add Host".
  7. Click on "Done".
  8. You will see the confirmation dialog box. Click OK to close the dialog box.

  9. Verify that the A Record is created in the right pane with correct Host name and IP address.
  10. (Optional) Flush the DNS cache: ipconfig /flushdns

  11. (Optional) From a command prompt, ping the web application's host name and FQDN and check that both resolve to a WFE address. If they do not, re-check the A record before resorting to a hosts file entry on the client.
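The same records can be created and checked from PowerShell on the DNS server. This is an added example, not part of the original article; the zone name, host name and WFE addresses are assumptions.

```powershell
# Added example (not from the original article). Assumed values:
#   zone   contoso.local          (the AD-integrated DNS zone)
#   host   sharepoint             (host part of http://sharepoint.contoso.local)
#   WFEs   10.0.1.11, 10.0.1.12   (two WFE servers in the same farm)
# Run on the DNS server (or a machine with the DnsServer RSAT module) as an
# account allowed to edit the zone.
$ZoneName     = 'contoso.local'
$HostName     = 'sharepoint'
$WfeAddresses = @('10.0.1.11', '10.0.1.12')

foreach ($ip in $WfeAddresses) {
    # One A record per WFE under the same name; DNS round-robins the answers.
    # A CNAME is avoided because some clients build the SPN from the CNAME
    # target (the server's own name), which would not match HTTP/sharepoint.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostName -IPv4Address $ip
}

# Show what is now registered in the zone
Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }

# Verify resolution from this machine, bypassing the local resolver cache
Clear-DnsClientCache
Resolve-DnsName -Name "$HostName.$ZoneName" -Type A -DnsOnly |
    Where-Object { $_.QueryType -eq 'A' } |
    Select-Object Name, IPAddress
```

Run the last two commands again from a client machine; both WFE addresses should appear, and the name returned must be the one you are about to put in the SPN.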

Service Principal Name (SPN)

Note

Run setspn against the web application's application pool service account, written as DomainName\AccountName. The account running setspn must be allowed to write the servicePrincipalName attribute (members of Domain Admins have this right by default). The application pool service account itself needs no administrative membership; do not add it to Domain Admins or Enterprise Admins for this.

Run these commands on a domain controller, or on any domain-joined machine with the Active Directory tools installed.

  1. Open a command prompt with "Run as administrator".
  2. (Optional) Check whether any SPN is already registered for the application pool service account.

    setspn -L DomainName\AppPoolAccount

  3. (Important) Register the SPN for the host name on the application pool service account.

    setspn -S HTTP/hostname DomainName\AppPoolAccount

    Note: The service class is case insensitive; HTTP and http are the same SPN. Do not register service principal names with "https", even if the web application uses SSL: the service class is HTTP in both cases. Use -S rather than -A; -S checks the domain for an existing SPN before adding and refuses to create a duplicate, and a duplicate SPN (the same SPN on two accounts) stops the KDC from issuing service tickets for it. If the web application listens on a non-default port (for example 1234), register the SPN with the port appended to the host name (HTTP/hostname:1234) in addition to the one without the port; most browsers build the SPN without the port, so both forms are needed. setspn accepts a missing or wrong SPN without complaint, but no service ticket is issued until the SPN the client asks for exists on the application pool account.

  4. (Important) Register the SPN for the fully qualified domain name (FQDN) as well.

    setspn -S HTTP/hostname.domain.com DomainName\AppPoolAccount

    Note
    If the web application uses a non-default port, also register the FQDN form with the port appended (HTTP/hostname.domain.com:1234), for the same reason as above.

  5. (Optional) List the SPNs now registered for the application pool service account.

    The -L option lists all of them.

    setspn -L DomainName\AppPoolAccount

    If the command succeeds, you will see the HTTP SPNs registered above. setspn -X lists any duplicate SPNs in the domain; it should report none.

  6. (Important) For the database server, register an MSSQLSvc SPN on the SQL Server service account instead of an HTTP one, in the form MSSQLSvc/sqlhost.domain.com:1433 for a default instance or MSSQLSvc/sqlhost.domain.com:InstanceName for a named instance. SQL Server registers this itself at start-up if its service account is allowed to write SPNs; otherwise register it by hand.
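Steps 2 to 6 above, scripted with a duplicate check before each registration. This is an added example, not part of the original article; the account names, host names, port and SQL host are assumptions.

```powershell
# Added example (not from the original article). Assumed names:
#   app pool account  CONTOSO\sp_webapp   (runs the web application's app pool)
#   web application   sharepoint / sharepoint.contoso.local on port 1234
#   SQL Server        service account CONTOSO\sp_sql on sql01.contoso.local, port 1433
# Run on a domain-joined machine as a user allowed to write servicePrincipalName
# (Domain Admins by default). The app pool account itself needs no admin rights.
$AppPoolAccount = 'CONTOSO\sp_webapp'
$Port           = 1234
$Names          = @('sharepoint', 'sharepoint.contoso.local')

# Both forms for each name: most browsers ask for HTTP/name without a port,
# some clients append the non-default port.
$spns = foreach ($n in $Names) {
    "HTTP/$n"
    "HTTP/${n}:$Port"
}

foreach ($spn in $spns) {
    # -Q asks the domain whether this SPN already exists on any account.
    # A copy on another account would silently stop ticket issuance.
    $existing = setspn -Q $spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($existing -join "`n")"
        continue
    }
    # -S (not -A) refuses to add a duplicate, so it is the safer form.
    setspn -S $spn $AppPoolAccount
}

# The SQL Server service account gets MSSQLSvc SPNs instead of HTTP.
# Named instance would be MSSQLSvc/sql01.contoso.local:INSTANCENAME.
setspn -S 'MSSQLSvc/sql01.contoso.local:1433' 'CONTOSO\sp_sql'
setspn -S 'MSSQLSvc/sql01.contoso.local'      'CONTOSO\sp_sql'

# Review the result and confirm there are no duplicate SPNs in the domain
setspn -L $AppPoolAccount
setspn -X
```

If setspn -X reports a duplicate, remove the copy that is on the wrong account with setspn -D before testing; Kerberos fails for every client while the duplicate exists.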

Allow Trust for delegation

Note
The logged-on user must be a member of Domain Admins or Enterprise Admins (or have been delegated the right to edit delegation settings) to carry out the steps below. Delegation is needed only when SharePoint must forward the user's identity to a back-end service (for example SQL Server Reporting Services, Excel Services or Business Connectivity Services); browser-to-SharePoint Kerberos sign-in works without it.

  1. Go to Start -> Administrative Tools.

  2. Open Active Directory Users and Computers.

  3. Expand your domain in the left panel and click the Computers container. If your server is not listed there, right-click the domain, click Find and search for the computer name.

  4. Right-click the computer account of the server that needs to delegate (the WFE).

  5. Click on Properties.

  6. On the Delegation tab, select "Trust this computer for delegation to any service (Kerberos only)".

    Note: This is unconstrained delegation. Every visiting user's forwardable TGT is cached on the WFE, so a compromised WFE can act as any of those users against every service in the domain. Where the back-end services are known, prefer "Trust this computer for delegation to specified services only" with "Use Kerberos only" and add just the back-end SPNs (for example the MSSQLSvc SPN registered above); this is constrained delegation. For a claims-based web application the identity that delegates is the service account (the application pool account or the Claims to Windows Token Service account), so the same setting is made on that user account's Delegation tab instead of the computer's.
  7. Click OK
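The same delegation settings, read and set from PowerShell, showing the unconstrained option the GUI step configures next to the constrained alternative. This is an added example, not part of the original article; the computer name, service account and back-end SPNs are assumptions.

```powershell
# Added example (not from the original article). Assumed names: WFE computer
# account SPWFE01, back-end SQL SPNs on sql01.contoso.local, and for a claims-based
# web application the delegating service account sp_c2wts (Claims to Windows Token Service).
# Needs the ActiveDirectory RSAT module and rights to edit delegation settings.
Import-Module ActiveDirectory
$Computer    = 'SPWFE01'
$ServiceUser = 'sp_c2wts'
$BackEndSpns = @('MSSQLSvc/sql01.contoso.local:1433', 'MSSQLSvc/sql01.contoso.local')
$DelegProps  = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$Show        = @('Name') + $DelegProps

# Current state before changing anything
Get-ADComputer $Computer -Properties $DelegProps | Select-Object $Show

# What the GUI step sets: unconstrained delegation (TRUSTED_FOR_DELEGATION).
# Left commented out on purpose; use only if constrained delegation is not possible.
# Set-ADComputer $Computer -TrustedForDelegation $true

# Preferred: constrained delegation, Kerberos only, limited to the back-end SPNs.
# TrustedForDelegation stays $false; the allowed targets go in msDS-AllowedToDelegateTo.
Set-ADComputer $Computer -TrustedForDelegation $false
Set-ADComputer $Computer -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpns }

# Claims-based web application: the delegating identity is the service account.
# C2WTS starts from a claims identity with no user ticket to forward, so it also
# needs protocol transition ("Use any authentication protocol").
Set-ADUser $ServiceUser -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpns }
Set-ADAccountControl $ServiceUser -TrustedToAuthForDelegation $true

# Verify both objects
Get-ADComputer $Computer -Properties $DelegProps | Select-Object $Show
Get-ADUser $ServiceUser -Properties $DelegProps   | Select-Object $Show
```

TrustedForDelegation should read False on both objects afterwards; if it reads True, unconstrained delegation is still in effect regardless of what msDS-AllowedToDelegateTo contains.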

Authentication Provider

Note - 
To perform these steps, you must be a member of the SharePoint Farm Administrators group.

  1. In the Central Administration, go to Application Management –> Manage Web Applications.

  2. Select the web application you want to configure, and click Authentication Providers in the WEB APPLICATIONS tab on the ribbon.

  3. In the Authentication Providers dialog, click on the zone you want to alter. Usually, it's Default zone.

  4. In the Edit Authentication dialog, verify under Claims Authentication Types that "Enable Windows Authentication" and "Integrated Windows authentication" are selected and that the drop-down shows Negotiate (Kerberos). If it shows NTLM, change it here; SharePoint pushes the corresponding IIS setting to every WFE.

  5. Click OK to save & close the screen.

Configure Kerberos in IIS

To verify the IIS Web Site Authentication settings, follow the below steps in IIS.

  1. Click Start -> Administrative Tools -> Internet Information Services (IIS) Manager.

  2. Click the server name in the left panel.

  3. Expand Sites folder and locate the web application.

  4. Select the web application's site, and in the middle pane double-click Authentication under the IIS section.

  5. In the Authentication dialog, select Windows Authentication.

  6. Click on Providers in the right actions pane.

  7. Verify that Negotiate and NTLM are listed, with Negotiate at the top. IIS offers the providers in the order listed; a client that is offered NTLM first never attempts Kerberos.

  8. Click Cancel and then again in the right actions pane, click on Advanced Settings.

  9. In the Advanced Settings dialog, verify that Extended Protection is Off and that "Enable Kernel-mode authentication" is unchecked. Kernel-mode authentication decrypts service tickets with the machine account, but the SPNs were registered on the application pool account, so it must stay off (the alternative, useAppPoolCredentials in applicationHost.config, is not what SharePoint provisions). Leave Extended Protection at the Off value SharePoint provisions.

  10. Click Cancel.

  11. Ignore any warning IIS shows about the authentication configuration at this point.

  12. Update the site bindings with the host name on the default port 80. If the web application was created on a non-default port, either change the binding to port 80 here or keep the port and register the SPNs with the port number as described in steps 3 and 4 of the Service Principal Name section. Whichever you choose, the port in the binding, the public URL and the SPN must agree.

    • Open IIS Manager.
    • Click on your web application.
    • Click on Bindings… on right most panel.
    • Site Binding dialog box will open.
    • Select the binding for your web application's host name and click Edit.
    • Change the port from the non-default port to port 80.
    • Click OK.
    • Add a second http binding with the FQDN as host name.

  13. Add a binding for SSL as well.

    • Open IIS Manager.
    • Click your web application.
    • Click Bindings… in the right-hand panel.
    • In the Site Bindings dialog, click Add.
    • Set Type to "https".
    • Enter the host name (the FQDN users will type).
    • Select the SSL certificate that matches that name (a wildcard certificate for the domain, *.domain, covers every host in it).
    • Click OK.

    Note: The SPN stays HTTP/hostname for the https binding; the Kerberos service class does not change with the URL scheme, and browsers do not put port 443 in the SPN.

  14. The final bindings are: http on port 80 for the host name, http on port 80 for the FQDN, and https on port 443 for the FQDN.

  15. Open a command prompt with administrator rights.
  16. Run iisreset.
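The checks in this section and the previous one, scripted so they can be repeated on every WFE after each iisreset. This is an added example, not part of the original article; the site name and web application URL are assumptions.

```powershell
# Added example (not from the original article): the SharePoint and IIS settings
# the preceding sections verify by hand, checked on one WFE. Assumed: IIS site
# "SharePoint - sharepoint80" serving http://sharepoint.contoso.local.
# Run in the SharePoint Management Shell, elevated, as a farm administrator.
Import-Module WebAdministration
$SiteName  = 'SharePoint - sharepoint80'
$WebAppUrl = 'http://sharepoint.contoso.local'
$SitePath  = "IIS:\Sites\$SiteName"
$Filter    = 'system.webServer/security/authentication/windowsAuthentication'

$zone  = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa    = Get-SPWebApplication $WebAppUrl
$wauth = Get-WebConfiguration -PSPath $SitePath -Filter $Filter
$providers = @($wauth.providers.Collection | ForEach-Object { $_.value })
$epa = $wauth.extendedProtection.tokenChecking
$disableKerberos = $wa.IisSettings[$zone].DisableKerberos

$checks = @(
    # SharePoint side: the zone must not have Kerberos disabled
    [pscustomobject]@{ Check = 'SharePoint DisableKerberos is False'; Value = $disableKerberos; Ok = (-not $disableKerberos) }
    [pscustomobject]@{ Check = 'Windows authentication enabled';      Value = $wauth.enabled;  Ok = [bool]$wauth.enabled }
    # IIS offers providers in list order; Negotiate must precede NTLM
    [pscustomobject]@{ Check = 'Negotiate listed first';              Value = ($providers -join ', '); Ok = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate') }
    # Kernel mode decrypts tickets with the machine account, but the SPNs are on
    # the app pool account, so it must be off
    [pscustomobject]@{ Check = 'Kernel-mode authentication off';      Value = $wauth.useKernelMode; Ok = (-not $wauth.useKernelMode) }
    # "Off" in the IIS dialog is tokenChecking = None
    [pscustomobject]@{ Check = 'Extended Protection off';             Value = $epa; Ok = ($epa -eq 'None') }
)
$checks | Format-Table -AutoSize

# Bindings: bindingInformation is "ip:port:hostheader"
Get-WebBinding -Name $SiteName | ForEach-Object {
    $parts = $_.bindingInformation -split ':'
    [pscustomobject]@{ Protocol = $_.protocol; Port = $parts[1]; HostHeader = $parts[2] }
} | Format-Table -AutoSize
```

Every row in the first table should show Ok = True, and every host header in the second table must be a name that has an HTTP/ SPN on the application pool account and an A record in DNS.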

Verify or Assign access to Service Account on SQL Server

  1. Open SQL Server instance on your DB Server .
  2. Server Name -> Security -> Logins
  3. Verify if account exists, if not create it.
  4. After creating user. Right click on user account and click on Properties
  5. Assign Server Roles as below:-

    1. public
    2. sysadmin

Configure Alternate Access Mapping

  1. Open Central Administration.
  2. Go to Application Management -> Web Applications -> Configure Alternate Access Mappings.
  3. Select the web application and add the alternate access mappings: the https URL from the SSL binding as an internal URL of the Default zone, and any other URL users will type.
  4. Every host name that appears here must also have an HTTP/ SPN on the application pool account and an A record in DNS; a URL that resolves but has no SPN falls back to NTLM without any error.
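The mapping added from PowerShell, followed by the cross-check that each mapped host name has an SPN. This is an added example, not part of the original article; the URLs are assumptions.

```powershell
# Added example (not from the original article). Assumed: web application
# http://sharepoint.contoso.local with the https URL added to its Default zone.
# Run in the SharePoint Management Shell on a domain-joined server.
$WebAppUrl = 'http://sharepoint.contoso.local'
$wa   = Get-SPWebApplication $WebAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Add the https URL from the SSL binding as an internal URL of the same zone
New-SPAlternateURL -Url 'https://sharepoint.contoso.local' -WebApplication $wa -Zone $zone -Internal

# Every host name in the mappings needs an HTTP/ SPN on the app pool account;
# a name without one is reachable but authenticates with NTLM instead.
Get-SPAlternateURL -WebApplication $wa | ForEach-Object {
    $name = ([uri]$_.IncomingUrl).Host
    $q = setspn -Q "HTTP/$name"          # -Q reports "Existing SPN found!" or "No such SPN found."
    [pscustomobject]@{
        Zone     = $_.Zone
        Url      = $_.IncomingUrl
        SpnFound = [bool]($q -match 'Existing SPN found')
    }
} | Format-Table -AutoSize
```

Any row with SpnFound = False needs a setspn -S for that host name on the application pool account, as in the Service Principal Name section.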

Verification of functionality

  1. klist is a built-in tool on Windows Server 2008 / Windows 7 and later that lists, purges and requests Kerberos tickets (the TGT and service tickets). Use it to verify that Kerberos is actually in use rather than NTLM.

    Note
    Close all Internet Explorer windows and follow the steps below on a client machine.

  2. On the client, start command prompt as administrator.

  3. On command prompt, flush the DNS cache.

    ipconfig /flushdns

  4. List all tickets on the system.

    klist

    Note - 
    This does not affect any other functionality on the Client or Server.

  5. Clear this list so that you can see whether a new ticket is granted to your user when signing in to the SharePoint site.
  6. To clear the list, type:

      klist purge

    Note -
    This removes cached tickets only; they are requested again on demand, and nothing else on the client or server is affected.

  7. In the prompt, you will see

    Deleting all tickets
    Ticket(s) purged!

  8. Try again listing all tickets, type: klist in command prompt.

    This time the list should be empty.

  9. With an empty ticket cache, open a new Internet Explorer session and browse to the URL of the web application.

    Note

    Do not start the browser as a different user ("Run as"): tickets obtained in another logon session are not visible to klist in the logged-on user's session.

  10. Open the web application URL in Internet Explorer and refresh it.
  11. Enter valid credentials if a login window appears (on a domain-joined client with the site in the Local intranet zone, no prompt should appear once Kerberos works).
  12. Switch back to the command prompt and type

    klist

    or request the service ticket directly:

    klist get HTTP/hostname

  13. With Kerberos working, the list shows a service ticket whose Server is HTTP/hostname alongside the krbtgt ticket. If only the krbtgt ticket is present, the browser fell back to NTLM; re-check DNS, the SPNs and the provider order in IIS. If klist get fails, the KDC found no account holding that SPN.
  14. Follow below steps to validate Kerberos authentication. This is good.
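The walk-through above can be automated. The following is an added example, not part of the original article: it performs the client-side check with Invoke-WebRequest instead of Internet Explorer, and adds the server-side check a practitioner wants, namely whether the WFE's logon events show Kerberos or an NTLM fallback. The web application URL is an assumption.

```powershell
# Added example (not from the original article). Assumed: web application URL
# http://sharepoint.contoso.local; logon auditing enabled on the WFE (Security log, 4624).
# Client part: run as the logged-on domain user (not "Run as"). -UseDefaultCredentials
# makes Invoke-WebRequest negotiate with the user's Kerberos tickets like IE does.
$WebAppUrl = 'http://sharepoint.contoso.local'
$SpnHost   = ([uri]$WebAppUrl).Host

# --- client side ---
ipconfig /flushdns | Out-Null
klist purge        | Out-Null

# The response itself does not matter; what matters is which ticket was acquired
try { $null = Invoke-WebRequest -Uri $WebAppUrl -UseDefaultCredentials -UseBasicParsing }
catch { Write-Warning "Request failed: $($_.Exception.Message)" }

$tickets    = klist
$httpTicket = $tickets | Where-Object { $_ -match "Server:\s+HTTP/$([regex]::Escape($SpnHost))" }
if ($httpTicket) {
    "Kerberos service ticket present: $(($httpTicket | Select-Object -First 1).Trim())"
} else {
    Write-Warning "No HTTP/$SpnHost ticket in the cache; the request fell back to NTLM or failed."
    # Ask the KDC directly; an error here means no account holds that SPN
    klist get "HTTP/$SpnHost"
}

# --- server side (run on the WFE, elevated) ---
# Count recent network logons (type 3) by authentication package. Rows under
# "NTLM" are users whose browsers did not use Kerberos for this or another site.
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Package   = $d.AuthenticationPackageName
            Source    = $d.IpAddress
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object Package |
    Select-Object Name, Count
```

After a successful Kerberos sign-in the client half prints the HTTP/ ticket and the server half shows the test user's network logon under the Kerberos package; a logon for that user listed under NTLM at the same time is the fallback the klist check above cannot see once the browser has cached the response.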