Solved

Kerberos setup and config problem when using SharePoint 2010

Posted on 2013-01-02
8
483 Views
Last Modified: 2013-01-02

1.

I am using SharePoint 2010 and attempting to setup Kerberos authentication, but I get continue getting prompted when logging into site.  I am converting our SharePoint portal over to Kerberos from NTLM.  Here are the steps I have taken so far:
Determined the app pool to be used

2.

Identified the service application used for the app pool

3.

Allowed delegation in AD for the service account

4.

Enabled Kerberos in SharePoint 2010 under the "Authentication Providers" for the Application Pool

5.

Run SETSPN command "setspn -a http/abcdev domain\service account"

6.

Under "Users and Computers" in AD selected the radio buttons for Delegation "Trust this user for delegation to specified services only" and then also "Use any authentication protocol".

7.

Verified the Service Principal Name using SETSPN "setspn -L domain\app pool"

When attempting to log onto the development server I continue to receive the authentication prompt. I then went to the server to view the event log and found under the "Security" events:

1.

Audit Success - Event ID (4624) - Logon - stating logon process used Kerberos and "this event is generated when a logon session is created."

2.

Audit Success - Event ID (4634) - Logoff - "this event is generated when a logon session is destroyed"

I don't know if I am reading this correctly, but it looks as if Kerberos is authenticating or logging on successfully, but then immediately logging off. The time stamp is exactly the same time: 1/2/2013 10:43:59 AM.

Also, under the "Application" events:
•Critical - Event ID (3760) - Database - SQL Database "abc" on SQL Server Instance "1234" not found. Cannot open database requested by login for the farm account.

I presume these three events are related, however, I need help determining that. Has anyone else had issues like this with Kerberos setup and configuration using SharePoint 2010? Our network is already setup to use Kerberos.
0
Comment
Question by:vpit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 14

Expert Comment

by:theruck
ID: 38737205
is the sharepoint site url in the trusted sites of the browser on the client?
0
 

Author Comment

by:vpit
ID: 38737211
yes, it is.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737219
and afetr providing the credentials all is fine?
0
Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

 
LVL 14

Accepted Solution

by:
theruck earned 500 total points
ID: 38737223
0
 
LVL 13

Expert Comment

by:Yagya Shree
ID: 38737238
Please have a look into below post

The final Kerberos guide for SharePoint technicians
http://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 38737241
You need to create an SPN for the web app pool account using both the FQDN and just the host name of the URL:

            HTTP/abcdev
            HTTP/abcdev.domain.com


Also, adding to the Trusted Sites in Internet Explorer doesn't help unless Trusted Sites is set to auto-login with the current credentials (by default it is not, but the Intranet zone is).
0
 

Author Closing Comment

by:vpit
ID: 38737292
The error was that the DNS for our portal was using a "CNAME record" and as this link http://sharepoint.stackexchange.com/questions/37287/why-does-kerberos-authentication-fail points out it requires an "A record". Once this was changed and the DNS cache was flushed, it worked like a charm.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737303
glad it helped
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question