Sharepoint 2007 Kerberos Authentication

587 Views
Last Modified: 2012-05-11
I have Sharepoint 2007 SP2 on a Server 2008 domain. I have set up moss with a Shared Service Provider, MySite & another app to use as a live portal, everything is working fine with no errors in the logs.

When I use NTLM authentication it works fine but I really need to get Kerberos working. It was working yesterday but I had to reinstall MOSS & I set it up in exactly the same way but now when I turn on Kerberos (& set the app pool to network service) I get the standard Access Denied SharePoint screen for any account I try.

We were getting an error in the event logs about the Network Service accounts permissions but have fixed that issue, the error has gone away in the event log but still I get the access denied message when I try to get in to sharepoint. If I switch it back to NTLM it works fine again.

Any help would be much appreciated

Hi Trevor

I will try to help - I too have had lots of issues with SharePoint and Kerberos!

I would recommend a domain account rather than using the Network Service account.

When you set the App Pool to use the Network Service account, did you do it through the IIS admin interface or did you use STSADM?

Have you run setspn to set up an SPN for your SharePoint Server on your PDC?

Is your database on the same server as SharePoint or a separate server?

What errors are you getting in your SharePoint ULS log and what errors appear in your System Event Log?


Author

Commented:
Hello,
Thanks for that.
I use the network service account as that's what central admin suggests when I turn on Kerberos, would the domain account need any specific permissions or can it just be a standard one?

I set the App Pool as network service through the IIS interface, is this a bad way to do it?

SQL 2008 is on a separate server with the databases themselves stored on a network storage array.

There are no errors in the system event log & I can't find anything specific in the ULS logs either.

Thanks for your help
Forgot to mention in case it is not obvious that the account you create

should not have log in permission on the system
should only have log in as service permission
should not have any lockout/expiration settings

Author

Commented:
Hairbrush,
Thanks for your help, my server admin people have now had a look & Kerberos seems to be working except for one problem. When I turn Kerberos on I no longer have the link to MySite. I have set MySites to be Kerberos too & still have that issue, if I set everything back to NTLM it works. I do get the MySite link on the central admin page but I just get a page saying "An unexpected error occurred" & it fails to pick up the username etc for the URL. There isn't anything in the logs about it.
Did you encounter this problem?
Hi Trevor

Sorry for the delay in replying.  This sounds like a Kerberos problem too.  Can you switch back to Kerberos and reproduce the problem, and double-check your Windows security log, system log and application log looking for any Kerberos related errors.  It is also worth installing a ULS Viewer and looking at the ULS log in real-time to see if anything appears there.

Failing that, check and double check your SPNs for your mysite URLs and that the relevant account is trusted for delegation.
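The two checks suggested above (SPNs present for every URL the web applications answer on, and the app-pool account trusted for delegation) can be scripted. The following is an added example, not from this thread or from Microsoft; the account name, host headers and domain are placeholders, and it assumes setspn.exe (Windows Server 2008+) and, for the last step, klist.exe on the client.

```powershell
# Added example: register and verify HTTP SPNs for a SharePoint portal and its
# MySite host against a domain app-pool account, then check delegation.
# All names below are assumptions for illustration.
$ServiceAccount = 'CONTOSO\svc-spapppool'                         # assumed domain account
$SamAccount     = 'svc-spapppool'                                 # assumed sAMAccountName
$HostHeaders    = @('portal.contoso.local', 'mysite.contoso.local') # assumed URLs

foreach ($h in $HostHeaders) {
    $spn = "HTTP/$h"
    # A duplicate SPN (same SPN on two accounts) makes Kerberos fail silently,
    # so query before registering. setspn -Q prints "Existing SPN found!" on a hit.
    $query = setspn -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered somewhere:`n$($query -join "`n")"
        continue
    }
    # -S registers only if no duplicate exists (safer than -A).
    setspn -S $spn $ServiceAccount
}

# Show every SPN now attached to the account (expect one HTTP/ entry per host header).
setspn -L $ServiceAccount

# Check the "Trusted for delegation" flag without the AD module, via ADSI.
# userAccountControl bit 0x80000 is ADS_UF_TRUSTED_FOR_DELEGATION.
$user = ([adsisearcher]"(sAMAccountName=$SamAccount)").FindOne()
$uac  = [int]$user.Properties['useraccountcontrol'][0]
if ($uac -band 0x80000) {
    Write-Host "$SamAccount is trusted for delegation"
} else {
    Write-Warning "$SamAccount is NOT trusted for delegation (userAccountControl=$uac)"
}

# On a client that has just browsed the site: a Kerberos service ticket for the
# HTTP/ SPN proves Kerberos (not an NTLM fallback) was actually used.
klist | Select-String 'HTTP/'
```

If the MySite link breaks only under Kerberos, run this with the MySite host header included: a missing or duplicate HTTP/ SPN for that URL is the usual cause, and the absence of an HTTP/ ticket in the klist output on the client confirms the ticket was never issued.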

Author

Commented:
My server people have been playing & fixed the SPNs, good timing too as we go live on Friday! Thanks for your help
Great to hear it is sorted, glad to have been of assistance.

Hairbrush