Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Kerberos setup and config problem when using SharePoint 2010

Posted on 2013-01-02
8
Medium Priority
?
495 Views
Last Modified: 2013-01-02

1.

I am using SharePoint 2010 and attempting to setup Kerberos authentication, but I get continue getting prompted when logging into site.  I am converting our SharePoint portal over to Kerberos from NTLM.  Here are the steps I have taken so far:
Determined the app pool to be used

2.

Identified the service application used for the app pool

3.

Allowed delegation in AD for the service account

4.

Enabled Kerberos in SharePoint 2010 under the "Authentication Providers" for the Application Pool

5.

Run SETSPN command "setspn -a http/abcdev domain\service account"

6.

Under "Users and Computers" in AD selected the radio buttons for Delegation "Trust this user for delegation to specified services only" and then also "Use any authentication protocol".

7.

Verified the Service Principal Name using SETSPN "setspn -L domain\app pool"

When attempting to log onto the development server I continue to receive the authentication prompt. I then went to the server to view the event log and found under the "Security" events:

1.

Audit Success - Event ID (4624) - Logon - stating logon process used Kerberos and "this event is generated when a logon session is created."

2.

Audit Success - Event ID (4634) - Logoff - "this event is generated when a logon session is destroyed"

I don't know if I am reading this correctly, but it looks as if Kerberos is authenticating or logging on successfully, but then immediately logging off. The time stamp is exactly the same time: 1/2/2013 10:43:59 AM.

Also, under the "Application" events:
•Critical - Event ID (3760) - Database - SQL Database "abc" on SQL Server Instance "1234" not found. Cannot open database requested by login for the farm account.

I presume these three events are related, however, I need help determining that. Has anyone else had issues like this with Kerberos setup and configuration using SharePoint 2010? Our network is already setup to use Kerberos.
0
Comment
Question by:vpit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 14

Expert Comment

by:theruck
ID: 38737205
is the sharepoint site url in the trusted sites of the browser on the client?
0
 

Author Comment

by:vpit
ID: 38737211
yes, it is.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737219
and afetr providing the credentials all is fine?
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 14

Accepted Solution

by:
theruck earned 2000 total points
ID: 38737223
0
 
LVL 13

Expert Comment

by:Yagya Shree
ID: 38737238
Please have a look into below post

The final Kerberos guide for SharePoint technicians
http://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 38737241
You need to create an SPN for the web app pool account using both the FQDN and just the host name of the URL:

            HTTP/abcdev
            HTTP/abcdev.domain.com


Also, adding to the Trusted Sites in Internet Explorer doesn't help unless Trusted Sites is set to auto-login with the current credentials (by default it is not, but the Intranet zone is).
0
 

Author Closing Comment

by:vpit
ID: 38737292
The error was that the DNS for our portal was using a "CNAME record" and as this link http://sharepoint.stackexchange.com/questions/37287/why-does-kerberos-authentication-fail points out it requires an "A record". Once this was changed and the DNS cache was flushed, it worked like a charm.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737303
glad it helped
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Check out what's been happening in the Experts Exchange community.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question