trevor1940 asked:

SharePoint 2007 Kerberos Authentication

I have SharePoint 2007 SP2 on a Server 2008 domain. I have set up MOSS with a Shared Service Provider, MySite & another app to use as a live portal; everything is working fine with no errors in the logs.

When I use NTLM authentication it works fine, but I really need to get Kerberos working. It was working yesterday, but I had to reinstall MOSS & I set it up in exactly the same way, but now when I turn on Kerberos (& set the app pool to Network Service) I get the standard Access Denied SharePoint screen for any account I try.

We were getting an error in the event logs about the Network Service account's permissions but have fixed that issue; the error has gone away in the event log, but I still get the access denied message when I try to get in to SharePoint. If I switch it back to NTLM it works fine again.

Any help would be much appreciated.
Microsoft SharePoint, Windows Server 2008


8/22/2022 - Mon
Hairbrush

Hi Trevor

I will try to help - I too have had lots of issues with SharePoint and Kerberos!

I would recommend a domain account rather than using the Network Service account.

When you set the App Pool to use the Network Service account, did you do it through the IIS admin interface or did you use STSADM?

Have you run setspn to set up an SPN for your SharePoint Server on your PDC?

Is your database on the same server as SharePoint or a separate server?

What errors are you getting in your SharePoint ULS log and what errors appear in your System Event Log?


trevor1940

ASKER
Hello,

Thanks for that.
I use the Network Service account as that's what Central Admin suggests when I turn on Kerberos. Would the domain account need any specific permissions, or can it just be a standard one?

I set the App Pool as network service through the IIS interface, is this a bad way to do it?

SQL 2008 is on a separate server with the databases themselves stored on a network storage array.

There are no errors in the system event log & I can find anything specific in the ULS logs either.

Thanks for your help
ASKER CERTIFIED SOLUTION
Hairbrush

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Hairbrush

Forgot to mention, in case it is not obvious, that the account you create:

- should not have log in permission on the system
- should only have log in as service permission
- should not have any lockout/expiration settings
trevor1940

ASKER
Hairbrush,

Thanks for your help. My server admin people have now had a look & Kerberos seems to be working except for one problem. When I turn Kerberos on I no longer have the link to MySite. I have set MySites to be Kerberos too & still have that issue; if I set everything back to NTLM it works. I do get the MySite link on the Central Admin page, but I just get a page saying "An unexpected error occurred" & it fails to pick up the username etc. for the URL. There isn't anything in the logs about it.
Did you encounter this problem?
Hairbrush

Hi Trevor

Sorry for the delay in replying. This sounds like a Kerberos problem too. Can you switch back to Kerberos and reproduce the problem, and double-check your Windows security log, system log and application log, looking for any Kerberos-related errors? It is also worth installing a ULS Viewer and looking at the ULS log in real time to see if anything appears there.

Failing that, check and double check your SPNs for your mysite URLs and that the relevant account is trusted for delegation.
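
The SPN and delegation check suggested in the post above, as an added PowerShell example that is not part of the original thread. The host names and service account names are constructed placeholders; it assumes a domain-joined machine and a user who can read Active Directory.

```powershell
# Constructed placeholders: web application host name -> app pool account
$expected = @{
    'portal.example.local' = 'svc-sp-portal'
    'mysite.example.local' = 'svc-sp-mysite'
}
# userAccountControl flag for unconstrained delegation. Constrained delegation
# is recorded in msDS-AllowedToDelegateTo instead and is not checked here.
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-SpnOwner {
    param([string]$Spn)
    # Find every AD account that has this exact SPN registered
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('useraccountcontrol')
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        New-Object PSObject -Property @{
            Account   = [string]$r.Properties['samaccountname'][0]
            Delegates = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        }
    }
}

function Get-SpnStatus {
    param([string]$ExpectedAccount, [object[]]$Owners)
    # No owner: clients cannot get a service ticket for this host name
    if (-not $Owners) { return 'MISSING: no account holds this SPN' }
    # More than one owner: the KDC cannot resolve the SPN to a single account
    if ($Owners.Count -gt 1) {
        $names = ($Owners | ForEach-Object { $_.Account }) -join ', '
        return "DUPLICATE: registered on $names"
    }
    # The SPN must sit on the account the application pool runs as
    if ($Owners[0].Account -ne $ExpectedAccount) {
        return "WRONG ACCOUNT: held by $($Owners[0].Account)"
    }
    if (-not $Owners[0].Delegates) { return 'OK, but TRUSTED_FOR_DELEGATION not set' }
    return 'OK'
}

foreach ($hostName in $expected.Keys) {
    $spn = "HTTP/$hostName"
    $owners = @(Get-SpnOwner -Spn $spn)
    '{0,-30} {1}' -f $spn, (Get-SpnStatus $expected[$hostName] $owners)
}
```

The built-in `setspn -L <account>` lists the same registrations per account, and `setspn -X` searches for duplicates.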
trevor1940

ASKER
My server people have been playing & fixed the SPNs, good timing too as we go live on Friday! Thanks for your help
Hairbrush

Great to hear it is sorted, glad to have been of assistance.

Hairbrush