To enable Kerberos authentication for SharePoint, the first step is to register an SPN for each of the different service accounts.
1. SQL service account. The SPN should be in one of the following formats, depending on whether the SQL instance is the default instance (use the TCP port) or a named instance (use the instance name):
setspn -A MSSQLSvc/mySqlhost.myCompany.com:1433 accountname
or
setspn -A MSSQLSvc/mySqlhost.myCompany.com:MOSSInstance accountname
You can list what is already registered for the account with setspn -L accountname. After that you can verify Kerberos by running the following query:
select auth_scheme from sys.dm_exec_connections where session_id=@@spid
Note: you have to connect to your SQL Server remotely. If you run SQL Server Management Studio on the SQL Server itself, as I normally did, the above query always returns NTLM, because a local connection goes over shared memory and never negotiates Kerberos, whatever SPNs are registered.
2. Web application pool account. Assuming you have two web applications, one on port 80 and the other on port 8888, the best practice is to register SPNs in the following format:
HTTP/NetbiosName.domain
HTTP/NetbiosName
HTTP/NetbiosName.domain:8888
HTTP/NetbiosName:8888
If an FQDN (host header) is used in place of the NetBIOS name, make sure the FQDN is an A record in DNS, not a CNAME. A CNAME is resolved to a different FQDN, and the SPN the client asks for can end up built from that canonical name rather than the name in the URL. To find the record type:
nslookup
> set type=A (or CNAME)
> your FQDN
Note: do NOT append the default port 80. It breaks when the browser strips off port 80, and the bonus is that it makes IE6, which does not append the port number, work without a hotfix.
For example, if a request to http://mySharePoint.myCompany.com:8888/ is made from IE 6.0, IE6 composes the SPN as HTTP/mySharePoint.myCompany.com, which happens to match the one registered. It would fail if HTTP/mySharePoint.myCompany.com:80 were registered instead. If the same request is made from IE7, the SPN will be HTTP/mySharePoint.myCompany.com:8888, and that is why we need the second, port-qualified format.
Be aware, though, that after registering HTTP/NetBiosName on the app pool account, it takes precedence over the computer account's HOST/NetBiosName SPN (HOST covers HTTP only as long as no more specific HTTP/ SPN exists). Any other web site on that server still running as Network Service or Local System can then no longer decrypt the ticket and returns HTTP 401.1, as described in this
post.
3. SSP service account. Don't even bother to register an SPN in the HTTP/ format; it won't work. You have to install the Infrastructure Update, or a CU that includes it, and then use the new custom format, assuming the SSP name is mySSP and the SSP web services listen on ports 56737 and 56738:
MSSP/mySharePoint.myCompany.com:56737/mySSP
MSSP/mySharePoint.myCompany.com:56738/mySSP
Read more here.
4. Farm Admin (Central Administration) and My Site service accounts. You can distinguish them by host header or by port number to avoid duplicate SPNs. It really should not matter which, but normally people use the port for Farm Admin and a host header for My Site. Remember that the port-less HTTP/name SPN (the one IE6 needs) can only live on one account, so two app pool accounts must not share a host name.
Note: if any service account is a built-in account (Network Service, Local Service or Local System), you don't have to set an SPN for it, since the computer account already has a HOST/netbiosname SPN by default, and HOST covers HTTP.
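As an added example (not part of the original post), the following PowerShell script turns sections 1 to 4 into one registration pass: it composes the HTTP SPN set by the rules above (short and FQDN form, never :80, a port-qualified pair only for non-default ports), warns when a host header is a CNAME, refuses to register an SPN that another account already owns, and only then calls setspn. Every host name, port, account name and the SSP name are placeholders for your own farm; run it as a domain admin, since setspn writes to the accounts' servicePrincipalName attribute.

```powershell
# Added example, not from the original post. Builds and registers the SPN set
# described in sections 1-4. All names, ports and accounts below are placeholders.

function Test-IsCname {
    # Section 2: a host header that is a CNAME makes the client build its SPN
    # from the canonical name, so warn and let the admin use an A record.
    param([string]$Name)
    $out = & nslookup -type=CNAME $Name 2>$null | Out-String
    return ($out -match 'canonical name')
}

function New-HttpSpnSet {
    # Section 2 rule: HTTP/short and HTTP/fqdn always, never ":80", and a
    # port-qualified pair only for non-default ports (IE6 omits the port, IE7 appends it).
    param([string]$HostHeader, [int]$Port)
    if (Test-IsCname $HostHeader) {
        Write-Warning "$HostHeader is a CNAME; register an A record or use the canonical name"
    }
    $short = $HostHeader.Split('.')[0]
    $spns = @("HTTP/$short", "HTTP/$HostHeader")
    if ($Port -ne 80) {
        $spns += "HTTP/${short}:$Port"
        $spns += "HTTP/${HostHeader}:$Port"
    }
    return $spns
}

function Find-SpnOwner {
    # Returns the sAMAccountName of whatever AD object already carries $Spn, or $null.
    param([string]$Spn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $hit = $searcher.FindOne()
    if ($hit -ne $null) { return [string]$hit.Properties['samaccountname'][0] }
    return $null
}

# Plan: service account -> SPNs (placeholders). Each app pool account gets its
# own host name, so the port-less HTTP/name SPN never has to sit on two accounts.
$plan = @{
    'MYCOMPANY\svcSql'    = @('MSSQLSvc/mySqlhost.myCompany.com:1433')                 # section 1
    'MYCOMPANY\svcPortal' = @(New-HttpSpnSet 'mySharePoint.myCompany.com' 80) +
                            @(New-HttpSpnSet 'mySharePoint.myCompany.com' 8888)        # section 2
    'MYCOMPANY\svcSsp'    = @('MSSP/mySharePoint.myCompany.com:56737/mySSP',
                              'MSSP/mySharePoint.myCompany.com:56738/mySSP')           # section 3
    'MYCOMPANY\svcAdmin'  = @(New-HttpSpnSet 'spwfe01.myCompany.com' 10000)            # section 4: Central Admin by port
    'MYCOMPANY\svcMySite' = @(New-HttpSpnSet 'mysite.myCompany.com' 80)                # section 4: My Site by host header
}

$seen = @{}   # SPN -> account, to catch duplicates inside the plan before touching AD
foreach ($account in $plan.Keys) {
    if ($account -like 'NT AUTHORITY\*') { continue }   # built-in accounts: HOST/ already covers them
    $sam = $account.Split('\')[-1]
    foreach ($spn in $plan[$account]) {
        if ($seen.ContainsKey($spn)) {
            if ($seen[$spn] -eq $account) { continue }   # portal 80 and 8888 share the port-less SPNs; harmless
            throw "DUPLICATE in plan: $spn wanted by both $($seen[$spn]) and $account"
        }
        $seen[$spn] = $account
        $owner = Find-SpnOwner $spn
        if ($owner -eq $null) {
            Write-Host "setspn -A $spn $account"
            & setspn -A $spn $account
        }
        elseif ($owner -ieq $sam) {
            Write-Host "already registered: $spn on $account"
        }
        else {
            throw "DUPLICATE in AD: $spn is already on $owner; Kerberos would fail for both. Fix before continuing."
        }
    }
}

# Final listing per account, as setspn sees it.
foreach ($account in $plan.Keys) { & setspn -L $account }
```

The duplicate check is the part worth keeping even if you register by hand: a duplicate SPN is the most common reason a farm silently falls back to NTLM, and setspn -A on its own will happily create one.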
With SPN registration done, you can verify Kerberos authentication from the event logs: the successful logon events in the Security log of the web front end should show Kerberos as the authentication package. I will cover delegation in another post.
This post is based on IIS 6.0; for IIS 7 please read here.
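As an added example (not from the original post), this PowerShell script does the SQL-side verification from section 1 the way the note there requires: it connects from a remote client with integrated security and reports the auth scheme not only of its own session but of every TCP session, so you can also see whether the SharePoint front ends' connections (the farm account's sessions) got Kerberos. Shared-memory rows are excluded because local connections never negotiate Kerberos. The server name and the farm account are placeholders.

```powershell
# Added example, not from the original post. Run it from a machine other than
# the SQL Server (e.g. a web front end) under a domain account.
# $SqlServer and $FarmAccount are placeholders for your own farm.
param(
    [string]$SqlServer   = 'mySqlhost.myCompany.com,1433',   # or 'mySqlhost.myCompany.com\MOSSInstance'
    [string]$FarmAccount = 'MYCOMPANY\svcPortal'
)

# Every user session with its auth scheme. 'Shared memory' rows are local
# connections and always show NTLM regardless of the SPN, so they are dropped.
$query = @"
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.auth_scheme, c.net_transport
FROM   sys.dm_exec_sessions s
JOIN   sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE  s.is_user_process = 1
  AND  c.net_transport <> 'Shared memory';
"@

function Get-SqlAuthSchemes {
    param([string]$Server, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Integrated Security=SSPI: the client requests a ticket for MSSQLSvc/<host>:<port>
    # (or MSSQLSvc/<host>:<instance>); if that SPN is on the SQL service account,
    # auth_scheme comes back as KERBEROS, otherwise SSPI falls back to NTLM.
    $conn.ConnectionString = "Server=$Server;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table
    }
    finally { $conn.Close() }
}

$rows = @(Get-SqlAuthSchemes -Server $SqlServer -Sql $query)
$rows | Format-Table session_id, login_name, host_name, program_name, auth_scheme, net_transport -AutoSize

# Your own session is the direct test of the MSSQLSvc SPN; the farm account's
# sessions show whether the SharePoint front ends themselves got Kerberos.
$mine = @($rows | Where-Object { $_.host_name -eq $env:COMPUTERNAME -and $_.login_name -eq "$env:USERDOMAIN\$env:USERNAME" })
$farm = @($rows | Where-Object { $_.login_name -eq $FarmAccount })

foreach ($set in @(@{ Name = 'this client'; Rows = $mine }, @{ Name = $FarmAccount; Rows = $farm })) {
    $ntlm = @($set.Rows | Where-Object { $_.auth_scheme -ne 'KERBEROS' })
    if ($set.Rows.Count -eq 0) {
        Write-Host "$($set.Name): no TCP sessions found"
    }
    elseif ($ntlm.Count -eq 0) {
        Write-Host "$($set.Name): all $($set.Rows.Count) session(s) use KERBEROS"
    }
    else {
        Write-Warning "$($set.Name): $($ntlm.Count) session(s) fell back to $($ntlm[0].auth_scheme); check the MSSQLSvc SPN for $SqlServer with setspn -L"
    }
}
```

If your own session shows KERBEROS but the farm account's sessions show NTLM, the SPN is fine and the problem is on the front end (typically the app pool account's own SPNs or delegation), which is where the event log check above comes in.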