Running SharePoint or WSS with Kerberos authentication can be tricky to get right at the best of times. The following steps help with diagnosing the cause of Kerberos-related problems.
1. Check that IIS is configured to handle Kerberos Authentication
Ensure that your ‘web application’ is set to run using Kerberos authentication. To do this open up the SharePoint ‘Central Administration’ tool. Select the ‘Application Management’ tab and then from underneath the ‘Application Security’ heading click ‘Authentication providers’.
Select the ‘Web Application’ whose settings you want to check and then click the relevant zone, e.g. ‘Default’. On the right-hand side of the window you will see the following options:
Make sure that ‘Enable anonymous access’ is unchecked, as Kerberos does not work with anonymous access. ‘Authentication Type’ should be set to ‘Windows’, the ‘Integrated Windows authentication’ box checked and ‘Negotiate (Kerberos)’ selected.
It pays to double-check that the Kerberos authentication settings made in the ‘Central Administration’ tool have flowed through correctly to IIS.
To do this we will use a script called adsutil.vbs. This script is installed by default with IIS 6 and can be found in the Inetpub\AdminScripts directory. If for some reason you can’t find it there, it can be found in the W2K3 source files, inside i386\IIS6.CAB. If you are unsure how to extract a CAB, an easy option is to use a utility such as WinRar.
Once you are ready to run adsutil.vbs, open a command prompt and enter the following:
The ‘SiteID’ is the ID IIS allocates to your virtual directory. The ‘Default’ web site that is configured when you first install IIS is always numbered ‘1’. Now you’d think that the next site you create would be number ‘2’ and so on. But no, that would be too easy. Now there is probably a good technical reason why unique sequential numbers aren’t used but I don’t know the reason for this.
There are two easy methods of finding a web site’s ID. Both are via the Internet Information Services (IIS) Manager.
The first way is by clicking on the ‘Web Sites’ folder and looking at the ‘Identifier’ column in the right-hand pane.
The second is by selecting the properties of a particular site, selecting the ‘Web Site’ tab and clicking the ‘Properties’ button at the bottom of the screen. In the next window that opens, look at the ‘Log file Name’ at the bottom. You will see a long name containing a mixture of letters and numbers. The numbers after the first set of letters are the ‘SiteId’.
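The site ID lookup and the provider check can also be done in one pass against the same IIS metabase that adsutil.vbs reads. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell is installed on the IIS 6 server and that it is run there as a local administrator.

```powershell
# Added example: list every IIS 6 web site with its numeric site ID and the
# NTAuthenticationProviders value in effect for the site root.
# Assumption: run locally on the IIS 6 server as an administrator.

$w3svc = [ADSI]'IIS://localhost/W3SVC'

$report = foreach ($site in $w3svc.psbase.Children) {
    # W3SVC also contains non-site nodes (filters, app pools); keep sites only.
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }

    $siteId = $site.psbase.Name          # the 'SiteID' used in metabase paths
    $root   = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT"

    # Comma-separated string such as "Negotiate,NTLM"; empty when not set.
    $providers = [string]$root.psbase.Properties['NTAuthenticationProviders'].Value
    $first     = ($providers -split ',')[0].Trim()

    if (-not $providers) {
        # Microsoft documents Negotiate,NTLM as the IIS 6 default when unset.
        $status = 'Not set (IIS default applies)'
    } elseif ($first -eq 'Negotiate') {
        $status = 'OK: Negotiate offered first'
    } elseif ($providers -match 'Negotiate') {
        $status = 'Check: Negotiate present but not first'
    } else {
        $status = 'Problem: Negotiate missing, Kerberos will not be attempted'
    }

    New-Object PSObject -Property @{
        SiteId      = $siteId
        Description = [string]$site.psbase.Properties['ServerComment'].Value
        Providers   = $providers
        Status      = $status
    }
}

$report |
    Select-Object SiteId, Description, Providers, Status |
    Format-Table -AutoSize
```

A site that shows only NTLM here, despite ‘Negotiate (Kerberos)’ being selected in Central Administration, is one where the setting has not flowed through to IIS.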
2. Ensure that the SPNs and Delegation are set correctly
3. Useful Links:
Martin Kearn’s blog article on SharePoint and Kerberos is widely referenced and held as being one of the main sources of information on this subject.
James World has some great tips and outlines many of the gotchas associated with configuring Kerberos.
A Microsoft article on configuring Kerberos authentication for SharePoint.
Sonoma Partners have a really good article regarding Kerberos. Although it has a very slight slant towards MS CRM the information it contains regarding Kerberos still applies.
Here’s another Microsoft article that this time is about ‘Troubleshooting Kerberos Delegation’.
Tudor’s Weblog has some information on advanced Reporting Services deployment options which includes Kerberos.