Want to authenticate with Kerberos? (on your MOSS site)

When you create a new web application on your MOSS 2007 server, you have to make a choice: NTLM or Kerberos. Kerberos is the one you want: the KDC issues a ticket for the service, so the server is authenticated as well, and Kerberos is a prerequisite for delegating the user's identity to back-end services later on. The user sees no difference, but we have to make a few settings before Kerberos actually works.

The easy settings are done with the Central Admin of MOSS:
Just switch the Authentication Provider of the desired Web Application from NTLM to Negotiate (Kerberos).

That was the easy one.

Another thing we have to do is to set a Service Principal Name (SPN). An SPN is needed because a user who wants to authenticate with Kerberos asks the Kerberos Key Distribution Center (KDC) for a ticket for the service he is talking to, and the KDC can only issue that ticket if it knows which account the service is running under. For a web application that is the account of the Application Pool (the Application Pool identity): the ticket is encrypted with that account's key, so the SPN must point at exactly that account.
Naturally, we publish this mapping in a directory service. You have three guesses which directory service we will use.

The tool for registering SPNs is called SETSPN. On Windows Server 2003 it is installed with the Windows Support Tools; on Windows Server 2008 and later it is part of the operating system.

Here is an example:

Application Pool identity:
The application pool identity in my example is the user MOSSSERVICE in the domain TEST.LOCAL (NetBIOS name TEST), so TEST\MOSSSERVICE.

URL (Hostheader) of the application:
This is what your users enter into the address bar of their browser, in the example testapp.local. The browser builds the SPN from exactly this name, so if your users also reach the site by a short name or an alias, each of those names needs its own SPN.

So we have:

Application Pool identity: TEST\MOSSSERVICE
Hostheader: testapp.local

That gives us this SETSPN command:
setspn -A HTTP/testapp.local TEST\MOSSSERVICE
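The command above, as an added example that is not part of the original post, wrapped in a small PowerShell script that registers the SPN for every host name users type, and first checks in Active Directory that no other account already holds that SPN. The account and host names are the post's example values; the second host header (testapp) and the helper name Get-SpnOwner are assumptions for illustration. Only setspn -A, -D and -L are used, so it also works with the Windows Server 2003 Support Tools version of the tool.

```powershell
# Added example (not the original post's code): register the HTTP SPNs for a MOSS
# web application on its application pool account and verify them.
# Run on a domain-joined machine as a user allowed to write servicePrincipalName.

$AppPoolAccount = 'TEST\MOSSSERVICE'             # domain\user running the app pool (from the post)
$HostHeaders    = @('testapp.local', 'testapp')  # every name users type in the browser (assumed list)

# Returns the sAMAccountName of every account in the current domain that holds $Spn.
# Uses a plain LDAP search via ADSI; no extra module required.
function Get-SpnOwner {
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(servicePrincipalName=$Spn)")
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

$wanted = ($AppPoolAccount -split '\\')[-1]      # 'MOSSSERVICE'

foreach ($h in $HostHeaders) {
    $spn    = "HTTP/$h"
    $owners = @(Get-SpnOwner $spn)

    if ($owners.Count -eq 0) {
        # Nobody has it yet: register it on the app pool account.
        & setspn.exe -A $spn $AppPoolAccount
    }
    elseif ($owners.Count -eq 1 -and $owners -contains $wanted) {
        Write-Host "$spn is already registered on $wanted, nothing to do."
    }
    else {
        # Held by another account, or by more than one: the KDC would encrypt the
        # ticket with the wrong key and the browser silently falls back to NTLM.
        Write-Warning "$spn is held by: $($owners -join ', '). Remove the wrong entries with 'setspn -D $spn <account>' before continuing."
    }
}

# Final picture: everything registered on the service account.
& setspn.exe -L $AppPoolAccount
```

On Windows Server 2008 and later you can let the tool do the duplicate check itself: setspn -S adds an SPN only if no other account has it, and setspn -X lists every duplicate SPN in the domain.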

That's it.

Yes, really, it is that easy! Two things can still spoil it: the same SPN registered on a second account (the KDC then hands out a ticket the web server cannot decrypt and the browser quietly falls back to NTLM), and a host name users type for which no SPN exists. Check both with setspn -L before you call it done.

In my next post I will show you how to test if the authentication is made with Kerberos or falls back to NTLM.
