Mar 21, 2009

SharePoint Kerberos: How to register SPN

To enable Kerberos authentication for sharepoint, the first step is to register SPN for differernt serveice accout.

1. SQl service account

it should be in the following format:

setspn -A MSSQLSvc/ accountname
setspn -A MSSQLSvc/ accountname

After that you can verify the kerberos by running the following query:

select auth_scheme from sys.dm_exec_connections where session_id=@@spid

note: you have to remotely connect to your SQL server, otherwise if you run SQL Studio inside the SQL server as I normally did, the above query always returns NTLM

2 web application pool account:
Assuming you have 2 web applications, one is at 80 and the other is at 8888.The best practice is to register in the format of:


if a FQDN is used in place of Netbios, make sure FQDN is a A record in DNS, not a CNAME. CNAME will be translated into a different FQDN. How to find the type?

>Set type=A (or CNAME)
> your FQDN

note: do NOT append append default 80, it will break if browser strips off 80, and also the bonus is it can make IE6 which doesn't append port number work without hotfix.
for eaxmple, if a request is made from IE 6.0, IE 6 will compose SPN as http/ which happens to match the one registered. It can fail if HTTP/ is registered instead. If the same request is made from IE7, the SPN will be http/, and that is why we need the second format.

Beaware though, after registering Http\NetBiosName, it will overtake Host\NetBiosName which can cause Http 401.1 error as described in this post.

3. SSP service account
Don't even bother to register SPN in the format of HTTP/. It won't work. You have to install Infrastructure Update or CU which includes IP,and then use the new custom format:

Assuming SSP name is mySSP. read more here

4. Farm Admin and My Site serveice accounts
You can register them either using header or port number to avoid duplicates. It really should not matter, but normally people use port for Farm Admin, and use header for MySite.

Note: if any service account is using newbiosname account(Network Service, Local Service and Local System), you don't have to set SPN for them, since they already have a SPN (HOST/netbioname) by default.

with SPN registration done, you can verify kerberos authentication from the event logs. I will cover delegation in another post.

This post is based on IIS 6.0 for ISS 7 please read here.