Solved

Kerberos setup and config problem when using SharePoint 2010

Posted on 2013-01-02
8
473 Views
Last Modified: 2013-01-02

1.

I am using SharePoint 2010 and attempting to setup Kerberos authentication, but I get continue getting prompted when logging into site.  I am converting our SharePoint portal over to Kerberos from NTLM.  Here are the steps I have taken so far:
Determined the app pool to be used

2.

Identified the service application used for the app pool

3.

Allowed delegation in AD for the service account

4.

Enabled Kerberos in SharePoint 2010 under the "Authentication Providers" for the Application Pool

5.

Run SETSPN command "setspn -a http/abcdev domain\service account"

6.

Under "Users and Computers" in AD selected the radio buttons for Delegation "Trust this user for delegation to specified services only" and then also "Use any authentication protocol".

7.

Verified the Service Principal Name using SETSPN "setspn -L domain\app pool"

When attempting to log onto the development server I continue to receive the authentication prompt. I then went to the server to view the event log and found under the "Security" events:

1.

Audit Success - Event ID (4624) - Logon - stating logon process used Kerberos and "this event is generated when a logon session is created."

2.

Audit Success - Event ID (4634) - Logoff - "this event is generated when a logon session is destroyed"

I don't know if I am reading this correctly, but it looks as if Kerberos is authenticating or logging on successfully, but then immediately logging off. The time stamp is exactly the same time: 1/2/2013 10:43:59 AM.

Also, under the "Application" events:
•Critical - Event ID (3760) - Database - SQL Database "abc" on SQL Server Instance "1234" not found. Cannot open database requested by login for the farm account.

I presume these three events are related, however, I need help determining that. Has anyone else had issues like this with Kerberos setup and configuration using SharePoint 2010? Our network is already setup to use Kerberos.
0
Comment
Question by:vpit
8 Comments
 
LVL 14

Expert Comment

by:theruck
ID: 38737205
is the sharepoint site url in the trusted sites of the browser on the client?
0
 

Author Comment

by:vpit
ID: 38737211
yes, it is.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737219
and afetr providing the credentials all is fine?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 14

Accepted Solution

by:
theruck earned 500 total points
ID: 38737223
0
 
LVL 13

Expert Comment

by:Yagya Shree
ID: 38737238
Please have a look into below post

The final Kerberos guide for SharePoint technicians
http://blog.blksthl.com/2012/09/26/the-final-kerberos-guide-for-sharepoint-technicians/
0
 
LVL 38

Expert Comment

by:Justin Smith
ID: 38737241
You need to create an SPN for the web app pool account using both the FQDN and just the host name of the URL:

            HTTP/abcdev
            HTTP/abcdev.domain.com


Also, adding to the Trusted Sites in Internet Explorer doesn't help unless Trusted Sites is set to auto-login with the current credentials (by default it is not, but the Intranet zone is).
0
 

Author Closing Comment

by:vpit
ID: 38737292
The error was that the DNS for our portal was using a "CNAME record" and as this link http://sharepoint.stackexchange.com/questions/37287/why-does-kerberos-authentication-fail points out it requires an "A record". Once this was changed and the DNS cache was flushed, it worked like a charm.
0
 
LVL 14

Expert Comment

by:theruck
ID: 38737303
glad it helped
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
New firewall implementation guidance 12 90
ticket bloat 3 53
Admin account lockout 10 52
exchange, activesync 2 46
If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question