asked on
Sharepoint 2007 Kerberos Authentication
I have Sharepoint 2007 SP2 on a Server 2008 domain. I have set up moss with a Shared Service Provider, MySite & another app to use as a live portal, everything is working fine with no errors in the logs.
When I use NTLM authenticaion it works fine but I really need to get Kerberos working. It was working yesterday but I had to reinstall MOSS & I set it up in exactly the same way but now when I turn on Kerberos (& set the app pool to network service) I get the standard Access Denied sharepoint screen for any account I try.
We were getting an error in the event logs about the Network Service accounts permissions but have fixed that issue, the error has gone away in the event log but still I get the access denied message when I try to get in to sharepoint. If I switch it back to NTLM it works fine again.
Any help would be much appreciated
When I use NTLM authenticaion it works fine but I really need to get Kerberos working. It was working yesterday but I had to reinstall MOSS & I set it up in exactly the same way but now when I turn on Kerberos (& set the app pool to network service) I get the standard Access Denied sharepoint screen for any account I try.
We were getting an error in the event logs about the Network Service accounts permissions but have fixed that issue, the error has gone away in the event log but still I get the access denied message when I try to get in to sharepoint. If I switch it back to NTLM it works fine again.
Any help would be much appreciated
Microsoft SharePointWindows Server 2008
Last Comment
Hairbrush
ASKER
Hello,
Thanks for that.
I use the network service abccount as that's what central admin suggests when I turn on kerberos, would the domain account need any specific permsiisons or can it just be a standard one?
I set the App Pool as network service through the IIS interface, is this a bad way to do it?
SQL 2008 is on a seperate server with the databases themselves stored on a network storage array.
There are no errors in the system event log & I can find anything specific in the ULS logs either.
Thnaks for your help
Thanks for that.
I use the network service abccount as that's what central admin suggests when I turn on kerberos, would the domain account need any specific permsiisons or can it just be a standard one?
I set the App Pool as network service through the IIS interface, is this a bad way to do it?
SQL 2008 is on a seperate server with the databases themselves stored on a network storage array.
There are no errors in the system event log & I can find anything specific in the ULS logs either.
Thnaks for your help
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Forgot to mention in case it is not obvious that the account you create
should not have log in permission on the system
should only have log in as service permission
should not have any lockout/expiration settings
should not have log in permission on the system
should only have log in as service permission
should not have any lockout/expiration settings
ASKER
Hairbrush,
Thanks for your help, my server admin people have now had a look & kerberos seems to be working except for one problem. When I turn Kerberos on I no longer have the link to MySite. I have set MySites to be kerberos too & still have that issue, if I set everything back to NTLM it works. I do get the MySite link on the central admin page but I just get a page saying "An unexpected error occured" & it fails to pick up the username etc for the URL. There isnt anything in the logs about it.
Did you encounter this problem?
Thanks for your help, my server admin people have now had a look & kerberos seems to be working except for one problem. When I turn Kerberos on I no longer have the link to MySite. I have set MySites to be kerberos too & still have that issue, if I set everything back to NTLM it works. I do get the MySite link on the central admin page but I just get a page saying "An unexpected error occured" & it fails to pick up the username etc for the URL. There isnt anything in the logs about it.
Did you encounter this problem?
Hi Trevor
Sorry for the delay in replying. This sounds like a Kerberos problem too. Can you switch back to Kerberos and reproduce the problem, and double-check your Windows security log, system log and application log looking for any Kerberos related errors. It is also worth installing a ULS Viewer and looking at the ULS log in real-time to see if anything appears there.
Failing that, check and double check your SPNs for your mysite URLs and that the relevant account is trusted for delegation.
Sorry for the delay in replying. This sounds like a Kerberos problem too. Can you switch back to Kerberos and reproduce the problem, and double-check your Windows security log, system log and application log looking for any Kerberos related errors. It is also worth installing a ULS Viewer and looking at the ULS log in real-time to see if anything appears there.
Failing that, check and double check your SPNs for your mysite URLs and that the relevant account is trusted for delegation.
ASKER
My server people have been playing & fixed the SPN's, good timing too as we go live on friday! Thanks for your help
Great to hear it is sorted, glad to have been of assistance.
Hairbrush
Hairbrush
I will try to help - I too have had lots of issues with SharePoint and Kerberos!