Solved

Kerberos setup and config problem when using SharePoint 2010

Posted on 2013-01-02
8
488 Views
Last Modified: 2013-01-02

1.

I am using SharePoint 2010 and attempting to setup Kerberos authentication, but I get continue getting prompted when logging into site.  I am converting our SharePoint portal over to Kerberos from NTLM.  Here are the steps I have taken so far:
Determined the app pool to be used

2.

Identified the service application used for the app pool

3.

Allowed delegation in AD for the service account

4.

Enabled Kerberos in SharePoint 2010 under the "Authentication Providers" for the Application Pool

5.

Run SETSPN command "setspn -a http/abcdev domain\service account"

6.

Under "Users and Computers" in AD selected the radio buttons for Delegation "Trust this user for delegation to specified services only" and then also "Use any authentication protocol".

7.

Verified the Service Principal Name using SETSPN "setspn -L domain\app pool"

When attempting to log onto the development server I continue to receive the authentication prompt. I then went to the server to view the event log and found under the "Security" events:

1.

Audit Success - Event ID (4624) - Logon - stating logon process used Kerberos and "this event is generated when a logon session is created."

2.

Audit Success - Event ID (4634) - Logoff - "this event is generated when a logon session is destroyed"

I don't know if I am reading this correctly, but it looks as if Kerberos is authenticating or logging on successfully, but then immediately logging off. The time stamp is exactly the same time: 1/2/2013 10:43:59 AM.

Also, under the "Application" events:
•Critical - Event ID (3760) - Database - SQL Database "abc" on SQL Server Instance "1234" not found. Cannot open database requested by login for the farm account.

I presume these three events are related, however, I need help determining that. Has anyone else had issues like this with Kerberos setup and configuration using SharePoint 2010? Our network is already setup to use Kerberos.
0
Comment
Question by:vpit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 14

Expert Comment

by:theruck
ID: 38737205
is the sharepoint site url in the trusted sites of the browser on the client?
0
 

Author Comment

by:vpit
ID: 38737211
yes, it is.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737219
and afetr providing the credentials all is fine?
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 14

Accepted Solution

by:
theruck earned 500 total points
ID: 38737223
0
 
LVL 13

Expert Comment

by:Yagya Shree
ID: 38737238
Please have a look into below post

The final Kerberos guide for SharePoint technicians
http://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 38737241
You need to create an SPN for the web app pool account using both the FQDN and just the host name of the URL:

            HTTP/abcdev
            HTTP/abcdev.domain.com


Also, adding to the Trusted Sites in Internet Explorer doesn't help unless Trusted Sites is set to auto-login with the current credentials (by default it is not, but the Intranet zone is).
0
 

Author Closing Comment

by:vpit
ID: 38737292
The error was that the DNS for our portal was using a "CNAME record" and as this link http://sharepoint.stackexchange.com/questions/37287/why-does-kerberos-authentication-fail points out it requires an "A record". Once this was changed and the DNS cache was flushed, it worked like a charm.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737303
glad it helped
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question