Kerberos setup and config problem when using SharePoint 2010

Posted on 2013-01-02
Medium Priority
Last Modified: 2013-01-02


I am using SharePoint 2010 and attempting to setup Kerberos authentication, but I get continue getting prompted when logging into site.  I am converting our SharePoint portal over to Kerberos from NTLM.  Here are the steps I have taken so far:
Determined the app pool to be used


Identified the service application used for the app pool


Allowed delegation in AD for the service account


Enabled Kerberos in SharePoint 2010 under the "Authentication Providers" for the Application Pool


Run SETSPN command "setspn -a http/abcdev domain\service account"


Under "Users and Computers" in AD selected the radio buttons for Delegation "Trust this user for delegation to specified services only" and then also "Use any authentication protocol".


Verified the Service Principal Name using SETSPN "setspn -L domain\app pool"

When attempting to log onto the development server I continue to receive the authentication prompt. I then went to the server to view the event log and found under the "Security" events:


Audit Success - Event ID (4624) - Logon - stating logon process used Kerberos and "this event is generated when a logon session is created."


Audit Success - Event ID (4634) - Logoff - "this event is generated when a logon session is destroyed"

I don't know if I am reading this correctly, but it looks as if Kerberos is authenticating or logging on successfully, but then immediately logging off. The time stamp is exactly the same time: 1/2/2013 10:43:59 AM.

Also, under the "Application" events:
•Critical - Event ID (3760) - Database - SQL Database "abc" on SQL Server Instance "1234" not found. Cannot open database requested by login for the farm account.

I presume these three events are related, however, I need help determining that. Has anyone else had issues like this with Kerberos setup and configuration using SharePoint 2010? Our network is already setup to use Kerberos.
Question by:vpit
LVL 14

Expert Comment

ID: 38737205
is the sharepoint site url in the trusted sites of the browser on the client?

Author Comment

ID: 38737211
yes, it is.
LVL 14

Expert Comment

ID: 38737219
and afetr providing the credentials all is fine?
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

LVL 14

Accepted Solution

theruck earned 2000 total points
ID: 38737223
LVL 13

Expert Comment

by:Yagya Shree
ID: 38737238
Please have a look into below post

The final Kerberos guide for SharePoint technicians
LVL 38

Expert Comment

by:Justin Smith
ID: 38737241
You need to create an SPN for the web app pool account using both the FQDN and just the host name of the URL:


Also, adding to the Trusted Sites in Internet Explorer doesn't help unless Trusted Sites is set to auto-login with the current credentials (by default it is not, but the Intranet zone is).

Author Closing Comment

ID: 38737292
The error was that the DNS for our portal was using a "CNAME record" and as this link http://sharepoint.stackexchange.com/questions/37287/why-does-kerberos-authentication-fail points out it requires an "A record". Once this was changed and the DNS cache was flushed, it worked like a charm.
LVL 14

Expert Comment

ID: 38737303
glad it helped

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Are you looking to start a business? Do you own and operate a small company? If so, here are some courses you need to take before you hire a full-time IT staff.
A discussion about Penetration Testing and the Tools used to help achieve this important task.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question