How to configure SharePoint Server 2007 and Excel Services for Kerberos authentication


Article ID : 953130
Last Review : July 2, 2008
Revision : 1.0

INTRODUCTION

This article describes how to configure a server that is running Windows Server 2003, Microsoft Office SharePoint Server 2007, and Excel Services for Kerberos authentication.


MORE INFORMATION

Follow these steps in the order in which they are presented to configure the Kerberos protocol on SharePoint Server 2007 and on Excel Services.


Configure SharePoint Server 2007 for Kerberos authentication

Step 1: Set up the SPN for the user accounts

You have to set the Service Principal Name (SPN) for the farm account on the computer that is running SharePoint Server 2007. To do this, you must have the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D

After you download and install the Windows Support Tools, follow these steps:

1. Set the SPN for the server farm account. At a command prompt, type the following, and then press ENTER:

setspn.exe -A HTTP/SharePoint_server.domain.com domain\SharePoint_Server_farm_acct

For example, type the following at the command prompt:

setspn.exe -A HTTP/mossserver.contoso.com contoso\SharePoint_Server_farm_acct
2. Set the SPN for the SharePoint Server 2007 application pool accounts. To do this, type the following, and then press ENTER after each one:

• setspn.exe -A HTTP/SharePoint_server domain\application_pool_account

For example, type the following, and then press ENTER:

setspn.exe -A HTTP/mossserver:80 contoso\application_pool_account
• setspn.exe -A HTTP/SharePoint_server.domain.com domain\app_pool_acct

For example, type the following, and then press ENTER:

setspn.exe -A HTTP/mossserver.contoso.com:80 contoso\application_pool_account
3. After you set the SPN, verify that the SPN is set correctly on the server. To do this, follow these steps:

a. At a command prompt, type the following, and then press ENTER:

setspn -L Domain\SharePoint_Server_farm_acct

For example, type the following, and then press ENTER:

setspn -L contoso\SharePoint_Server_farm_acct
b. If the SPN for the SharePoint Server farm account is configured correctly, the SharePoint Server URL address will be displayed. For example, type the following, and then press ENTER:

setspn -L contoso\SharePoint_Server_farm_acct

At the command prompt, the following is displayed:

HTTP/mossserver.domain.com
c. At a command prompt, type the following, and then press ENTER:

setspn -L DomainName\application_Pool_Account

For example, type the following, and then press ENTER:

setspn -L contoso\application_pool_account
d. If the SPN for the SharePoint Server 2007 application pool accounts is configured correctly, the pool account URL address and the port number will be displayed. For example, type the following, and then press ENTER:

setspn -L contoso\application_pool_account

At the command prompt, the following is displayed:

HTTP/mossserver.domain.com:80
HTTP/mossserver:80

Step 2: Trust for delegation on the user accounts and on the computer accounts

Make sure that the following accounts are trusted for delegation on all servers that will participate in Kerberos authentication:

• Microsoft Office SharePoint Server 2007 Servers, computer account
• Microsoft SQL Server/Analysis server, computer account
• Microsoft Office SharePoint Server 2007 farm, user account
• Web Application Pool, user account

To configure a computer account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the navigation pane, click Computers.
3. Right-click the computer that you want to configure, and then click Properties.
4. Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.

To configure a user account so that it is trusted for delegation, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the navigation pane, click Users.
3. Right-click the user account that you want to configure, and then click Properties.
4. Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.
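
A check for Steps 1 and 2, added here as an example and not part of the Microsoft article: it confirms that each HTTP SPN is registered on exactly one account (a missing or duplicate SPN stops Kerberos tickets from being issued for the site) and that only the accounts Step 2 names are trusted for delegation to any service. It assumes PowerShell 2.0 or later on a domain-joined computer; the SPN and account names are the article's samples, and SQLSERVER$ is a placeholder.

```powershell
# Added example, not from the KB article. Names reuse the article's samples;
# SQLSERVER$ is a constructed placeholder for the SQL Server/Analysis server.
$expectedSpns = @(
    'HTTP/mossserver.contoso.com',       # farm account (Step 1, item 1)
    'HTTP/mossserver:80',                # application pool account (Step 1, item 2)
    'HTTP/mossserver.contoso.com:80'
)
$intendedDelegates = @('MOSSSERVER$', 'SQLSERVER$',
                       'SharePoint_Server_farm_acct', 'application_pool_account')

function Find-AccountName {
    param([Parameter(Mandatory = $true)][string]$LdapFilter)
    # Return the sAMAccountName of every object in the current domain
    # that matches the LDAP filter.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $LdapFilter
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($hit in $searcher.FindAll()) { $hit.Properties['samaccountname'][0] }
}

# Step 1 check: each SPN must be registered on exactly one account.
foreach ($spn in $expectedSpns) {
    $owners = @(Find-AccountName -LdapFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -eq 0) {
        Write-Warning "$spn is not registered on any account."
    } elseif ($owners.Count -gt 1) {
        Write-Warning "$spn is registered on more than one account: $($owners -join ', ')"
    } else {
        Write-Output "$spn is registered on $($owners[0])"
    }
}

# Step 2 check: userAccountControl bit 0x80000 (524288) is TRUSTED_FOR_DELEGATION.
# Bit 0x2000 (8192) marks domain controllers, which carry the flag by default.
$filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
$trusted = @(Find-AccountName -LdapFilter $filter)
foreach ($name in $intendedDelegates) {
    if ($trusted -notcontains $name) { Write-Warning "$name is not trusted for delegation." }
}
foreach ($name in $trusted) {
    if ($intendedDelegates -notcontains $name) {
        Write-Warning "$name is trusted for delegation but is not listed in Step 2."
    }
}
```

The search covers only the domain of the computer that runs it; in a multi-domain forest, repeat it in each domain that holds one of the accounts.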

Step 3: Configure the SharePoint Server 2007 Web site for Kerberos authentication

Configure the SharePoint Server 2007 Web site to use Kerberos authentication. To do this, follow these steps:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click SharePoint Central Administration.
2. Click the Application Management tab, and then click Authentication Providers.
3. In the Web Application list, select the Web application that you have to update.
4. Click the zone that you want.
5. On the Edit Authentication page for IIS Authentication Settings, click Negotiate (Kerberos). When you are prompted for confirmation, click OK.
6. Click Integrated Windows authentication, click Negotiate (Kerberos), and then click OK.
7. To apply the change, click Save.

For more information about how to configure Kerberos authentication on the SharePoint Server 2007 Web site, click the following article number to view the article in the Microsoft Knowledge Base:

832769 How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication

Step 4: Configure Component Services on Windows Server 2003

1. On the server that is running SharePoint Server 2007, click Start, click Run, type dcomcnfg in the Open box, and then click OK.
2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
3. Click the Default Properties tab, click Delegate in the Default Impersonation Level box, and then click OK. For more information about how to set an impersonation level, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms681722.aspx
4. Expand Component Services, expand Computers, and then double-click My Computer.
5. Double-click the DCOM Config folder, and then right-click IIS WAMREG admin Service.
6. Click Properties, click the Security tab, and then under Launch and Activate Permissions, click Edit.
7. In the Launch Permission dialog box, click Add.
8. In the Select Users, Computers, or Groups dialog box, type the user account that you specified as the SharePoint Server 2007 application pool account, click Check Names, and then click OK.
9. In the Permissions for UserName list, click to select the Allow check box that is next to Local Activation, and then click OK.
10. If you have more than one application pool account, repeat steps 7 to 9 for each one.
11. Click OK.

Step 5: Enable the Kerberos protocol on the SSP

You must enable the Kerberos protocol on the Shared Services Provider (SSP). At a command prompt, type the following, and then press ENTER:

STSADM -o SetSharedWebServiceAuthn -negotiate


Configure Excel Services for Kerberos authentication

After you have configured SharePoint Server 2007 for Kerberos authentication, you can configure Excel Services for Kerberos authentication. Follow these steps in the order in which they are presented.

Step 1: Configure user permissions in SQL Server 2005 Analysis Services

1. Start SQL Server Management Studio, and then connect to the instance of SQL Server 2005 Analysis Services.
2. Right-click the Analysis Services folder, and then click Properties.
3. Click Security in the navigation pane.
4. Under NT Users and Groups, click Add, and then add each user to whom you want to grant access to Excel Services. If you want to grant access to all users, add Authenticated Users.
5. Close Analysis Services Properties.

Step 2: Configure SQL Server 2005 Analysis Services to use Kerberos authentication

For more information about how to configure SQL Server 2005 Analysis Services to use Kerberos authentication, click the following article number to view the article in the Microsoft Knowledge Base:

917409 How to configure SQL Server 2005 Analysis Services to use Kerberos authentication

Step 3: Configure Excel Services for delegation

To configure Excel Services for delegation, follow these steps:

1. At a command prompt, type the following, and then press ENTER:

STSADM -o set-ecssecurity -ssp "Shared Services Provider Name" -accessmodel delegation
2. Type the following, and then press ENTER:

STSADM -o execadmsvcjobs



APPLIES TO
• Microsoft Office SharePoint Server 2007



Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

