Solved

Kerberos setup and config problem when using SharePoint 2010

Posted on 2013-01-02
8
443 Views
Last Modified: 2013-01-02

1.

I am using SharePoint 2010 and attempting to setup Kerberos authentication, but I get continue getting prompted when logging into site.  I am converting our SharePoint portal over to Kerberos from NTLM.  Here are the steps I have taken so far:
Determined the app pool to be used

2.

Identified the service application used for the app pool

3.

Allowed delegation in AD for the service account

4.

Enabled Kerberos in SharePoint 2010 under the "Authentication Providers" for the Application Pool

5.

Run SETSPN command "setspn -a http/abcdev domain\service account"

6.

Under "Users and Computers" in AD selected the radio buttons for Delegation "Trust this user for delegation to specified services only" and then also "Use any authentication protocol".

7.

Verified the Service Principal Name using SETSPN "setspn -L domain\app pool"

When attempting to log onto the development server I continue to receive the authentication prompt. I then went to the server to view the event log and found under the "Security" events:

1.

Audit Success - Event ID (4624) - Logon - stating logon process used Kerberos and "this event is generated when a logon session is created."

2.

Audit Success - Event ID (4634) - Logoff - "this event is generated when a logon session is destroyed"

I don't know if I am reading this correctly, but it looks as if Kerberos is authenticating or logging on successfully, but then immediately logging off. The time stamp is exactly the same time: 1/2/2013 10:43:59 AM.

Also, under the "Application" events:
•Critical - Event ID (3760) - Database - SQL Database "abc" on SQL Server Instance "1234" not found. Cannot open database requested by login for the farm account.

I presume these three events are related, however, I need help determining that. Has anyone else had issues like this with Kerberos setup and configuration using SharePoint 2010? Our network is already setup to use Kerberos.
0
Comment
Question by:vpit
8 Comments
 
LVL 14

Expert Comment

by:theruck
Comment Utility
is the sharepoint site url in the trusted sites of the browser on the client?
0
 

Author Comment

by:vpit
Comment Utility
yes, it is.
0
 
LVL 14

Expert Comment

by:theruck
Comment Utility
and afetr providing the credentials all is fine?
0
 
LVL 14

Accepted Solution

by:
theruck earned 500 total points
Comment Utility
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 13

Expert Comment

by:Yagya Shree
Comment Utility
Please have a look into below post

The final Kerberos guide for SharePoint technicians
http://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/
0
 
LVL 38

Expert Comment

by:Justin Smith
Comment Utility
You need to create an SPN for the web app pool account using both the FQDN and just the host name of the URL:

            HTTP/abcdev
            HTTP/abcdev.domain.com


Also, adding to the Trusted Sites in Internet Explorer doesn't help unless Trusted Sites is set to auto-login with the current credentials (by default it is not, but the Intranet zone is).
0
 

Author Closing Comment

by:vpit
Comment Utility
The error was that the DNS for our portal was using a "CNAME record" and as this link http://sharepoint.stackexchange.com/questions/37287/why-does-kerberos-authentication-fail points out it requires an "A record". Once this was changed and the DNS cache was flushed, it worked like a charm.
0
 
LVL 14

Expert Comment

by:theruck
Comment Utility
glad it helped
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now