How does client browser know which KDC to send request to get ticket?
Hi,

Environment: SharePoint & Kerberos

Can someone explain how the client browser knows which KDC to send the request to in order to get a ticket in step 3 below:

1. The user types in a URL in Internet Explorer (e.g. http://intranet.domain.local ).
2. The client browser constructs the SPN, which contains the name of the host and the service type (SPN: http/intranet.domain.local; service type: HTTP; name: intranet.domain.local).
3. The client sends a request to the KDC to get a ticket for this SPN.

Thanks in advance,
Frank
July 1st, 2010 7:34pm

Explain your terms, please. KDC = ? SPN = ? Also, which SharePoint?

2010 Books: SPF 2010; SPS 2010; SPD 2010; InfoPath 2010; Workflow etc.
2007 Books: WSS 3.0; MOSS 2007; SPD 2007; InfoPath 2007; PerformancePoint; SSRS; Workflow
Both lists also include books in French, German and Spanish, with even more languages in the 2007 list.
July 1st, 2010 8:48pm

Frank,

The lookup of the KDC is a function of Windows. Once you receive your TGT from the KDC, the client will normally just continue to use the same KDC to have other Kerberos service tickets issued. However, to find a KDC for the first time, or when a KDC becomes unavailable, Windows uses DNS to find a KDC server.

JD Wade, MCITP SharePoint Consultant, Horizons Consulting, Inc.
Blog: http://wadingthrough.com
Twitter: http://twitter.com/jdwade
July 1st, 2010 11:54pm
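The DNS-based lookup described in the reply above can be checked from the client itself. The following PowerShell commands are an added example and are not part of the original thread or of any Microsoft documentation; the domain name `domain.local` is taken from the question and is an assumption you should replace with your own AD DNS domain. Step 1 shows the Kerberos SRV records the Windows DC locator reads from DNS, step 2 asks the locator which KDC it actually picked for this client, and step 3 shows which KDC issued the cached tickets after you have browsed to the SharePoint site.

```powershell
# Added example (not from the thread): verify how a Windows client locates its KDC.
$Domain = 'domain.local'   # assumption: the AD DNS domain used in the question

# 1. The DC locator queries DNS for Kerberos SRV records. The _msdcs form lists the
#    domain controllers (KDCs) of the domain; lower Priority wins, Weight breaks ties.
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Priority, Weight, Port

# 2. Ask the locator itself which KDC it selected (this honours AD site affinity,
#    which a raw DNS query does not show).
nltest /dsgetdc:$Domain /kdc

# 3. After opening http://intranet.<domain> in the browser, list the cached tickets:
#    the HTTP/ service ticket for the SharePoint SPN should appear, and "Kdc Called"
#    names the domain controller that issued it.
klist | Select-String -Pattern 'Server:|Kdc Called:'
```

If step 1 returns no SRV records, the client will fall back to other discovery methods or fail to obtain a TGT, which is the usual cause of browsers silently dropping back to NTLM against a SharePoint site configured for Kerberos.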

I'll explain this in the context of a Windows environment where the KDC (Key Distribution Center) has been installed as part of a domain controller and the client is on the local network, a common scenario for SharePoint intranet environments.

These steps are taken from http://technet.microsoft.com/en-us/magazine/ee914605.aspx :

1. A client browser makes an HTTP GET request as anonymous using a host name (FQDN or alias).
2. A front-end SharePoint server responds with a 401.2 error and the WWW-Authenticate: Negotiate header and/or the WWW-Authenticate: Kerberos header, which indicates that it supports Kerberos authentication.
3. The client contacts the KDC on the domain controller and requests a ticket for the SPN based on what the browser client sent as the hostname.

I believe the third point is probably the most helpful in answering your question. Basically, the client will contact the KDC that is part of whichever domain controller is serving the logon request.

So in answer to your question, the client browser will send a request to the KDC that is part of whichever domain controller it has authenticated with, and that is determined by your network (DNS, DHCP) settings.

Benjamin Athawes
Twitter
SharePoint Blog
July 2nd, 2010 12:21am
