Jun 24, 2009

SharePoint Kerberos, really?

When you change the authentication type to Negotiate (Kerberos) in SharePoint Central Admin, all SharePoint does is change the NTAuthenticationProviders value of the SharePoint site in IIS from "NTLM" to "Negotiate, NTLM". (How do you find the NTAuthenticationProviders value? See this post. If there are multiple WFEs in your farm, check each of them, because I have seen the SharePoint Central Admin UI fail to set this IIS metadata.)

What does that mean? Is Kerberos guaranteed? Not really. Kerberos will be selected only if the client supports Kerberos (for example, "Integrated Windows Authentication" is checked in IE), and an SPN is registered (which makes sure Kerberos is selected) and registered correctly (which makes sure authentication will not fail).

But how do you know for sure that Kerberos is functioning? I usually open Event Viewer on the server and look in the Security log for event ID 540. If the event has Logon Type = 3 and Authentication Package = Kerberos, you are good to go.
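
The same check can be scripted so that clients still falling back to NTLM stand out. This is an added example, not code from the original post: the function names, the sample accounts and the field labels (taken as the Windows Server 2003 event 540 description layout) are assumptions, and it needs PowerShell 2.0 or later.

```powershell
# Parse one event 540 description into the fields the check relies on.
function Get-LogonAuthInfo {
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # "Label:<whitespace>value" lines; the value may be empty.
        if ($line -match '^\s*([^:]+):\s*(.*?)\s*$') {
            $fields[$Matches[1].Trim()] = $Matches[2]
        }
    }
    New-Object PSObject -Property @{
        User        = '{0}\{1}' -f $fields['Domain'], $fields['User Name']
        LogonType   = $fields['Logon Type']
        AuthPackage = $fields['Authentication Package']
        Workstation = $fields['Workstation Name']
    }
}

# Count network logons (Logon Type 3) per user and authentication package.
function Get-NetworkLogonSummary {
    param([string[]]$Messages)
    $Messages | ForEach-Object { Get-LogonAuthInfo $_ } |
        Where-Object { $_.LogonType -eq '3' } |
        Group-Object User, AuthPackage |
        Sort-Object Name |
        Select-Object Count, Name
}

# Constructed sample descriptions (not real log data).
$sample = @(
@'
Successful Network Logon:
    User Name:  alice
    Domain:     CONTOSO
    Logon Type: 3
    Logon Process:  Kerberos
    Authentication Package: Kerberos
    Workstation Name:
'@,
@'
Successful Network Logon:
    User Name:  bob
    Domain:     CONTOSO
    Logon Type: 3
    Logon Process:  NtLmSsp
    Authentication Package: NTLM
    Workstation Name:   PC042
'@
)
Get-NetworkLogonSummary $sample
# Live use on a WFE:
# Get-NetworkLogonSummary (Get-EventLog Security | Where-Object { $_.EventID -eq 540 } | ForEach-Object { $_.Message })
```

Any row whose name ends in NTLM is a logon that did not use Kerberos, which points back at the client setting or the SPN registration described above.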