MOSS, Kerberos, and IIS7
Hi All, Done a ton of research and am still confused as to whether or not setspn needs to be run, and what it needs to be run for (machine name vs service account for app pool). We have 1 WFE, MOSS 2007 SP2 on a Windows 2K8 server with a separate SQL 2K8 back-end. We do not run the application pools under the network service. We do use IPs and custom host names for the sites themselves. Can someone point me to a good article that kind of goes step by step for 2K8? I found a Microsoft one, but that was a little confusing as it had BOTH 2K3 and 2K8 directions all mixed up. Even our network admin was scratching his head over that one. Thanks! Veronica
April 20th, 2010 4:24pm

Veronica, the holy grail documentation for configuring Kerberos authentication is provided by Microsoft. Follow it to a T and read everything carefully. I have myself followed it step by step and made sure I understood it all before continuing. Now, if you're still having problems, there are a few other articles you can review: HIGHLY RECOMMENDED: Configuring Kerberos authentication. DelegConfig v2 beta - a tool to help resolve Kerberos authentication and delegation issues. Check out how to use DelegConfig. Using Kerberos with SharePoint on Windows Server 2008 - SharePoint MVP Spence Harbar also has a great article on disabling "Kernel Mode Authorization" in IIS 7 so it will support the AppPool ID (as defined in SharePoint) instead of the machine name when using Kerberos! In case the HIGHLY RECOMMENDED Configuring Kerberos authentication article is confusing (read it again), you might want to read how to configure SharePoint for Kerberos Authentication OR Implementing Kerberos for SharePoint running on Windows Server 2008 and IIS7, as it provides all the steps. However, I do recommend you understand the Microsoft article and read that one carefully. Kanwal SharePoint Buzz
April 20th, 2010 5:32pm

Thank you, Kanwal, but I have found that article already and it's the one that's so jumbled up with server 2K3 that it becomes more confusing than helpful. Our 2K3 environment works just fine. Is there actually a document that goes over JUST server 2K8 and Kerberos? Thanks! Veronica
April 20th, 2010 5:42pm

Completely understand. Maybe I should have provided a bit more information: Windows 2008 Server runs IIS 7, which has a great feature that (by default) means you don't have to set up SPNs for Kerberos-based sites - it uses Kernel-mode authentication (which means "things just work"). For this reason, you should check out SharePoint MVP Spence Harbar's post on Using Kerberos with SharePoint on Windows Server 2008 - it shows you how to disable "Kernel Mode Authorization" in IIS 7 so it will support the AppPool ID (as defined in SharePoint) instead of the machine name when using Kerberos! Kanwal SharePoint Buzz
April 20th, 2010 5:52pm
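Added example, not part of any post in this thread: a PowerShell sketch of the checks the discussion above turns on, namely which account holds the site's HTTP SPN and whether IIS 7 kernel-mode authentication is enabled for the site. The site name, host name and service account are placeholder assumptions; nothing changes unless `$Apply` is set to `$true`.

```powershell
# Added example. The three values below are placeholders, not taken from the thread.
$SiteName       = 'SharePoint - portal.example.local80'  # IIS site name (assumed)
$HostName       = 'portal.example.local'                 # host name users browse to (assumed)
$AppPoolAccount = 'EXAMPLE\svc-moss-portal'              # app pool identity (assumed)
$Apply          = $false                                 # $true = make the changes below

$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section = '-section:system.webServer/security/authentication/windowsAuthentication'

# 1. Which account, if any, currently holds the HTTP SPN for the host name.
#    A Kerberos ticket for this SPN is encrypted to that account's key.
setspn -Q "HTTP/$HostName"

# 2. Duplicate SPNs (same SPN on two accounts) break Kerberos for that name.
setspn -X

# 3. SPNs already registered on the app pool's service account.
setspn -L $AppPoolAccount

# 4. Current Windows authentication settings for the site, including
#    useKernelMode. With kernel mode on, the ticket is decrypted with the
#    machine account rather than the app pool identity.
& $appcmd list config $SiteName $section

if ($Apply) {
    # Snapshot the IIS configuration first so the change can be rolled back.
    & $appcmd add backup ('pre-kerberos-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

    # -S refuses to add the SPN if another account already holds it.
    setspn -S "HTTP/$HostName" $AppPoolAccount

    # Let the worker process (app pool identity) handle authentication.
    & $appcmd set config $SiteName $section '/useKernelMode:false' '/commit:apphost'

    # Confirm the new setting.
    & $appcmd list config $SiteName $section
}
```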

Not sure, Mukesh. All links work for me. Kanwal SharePoint Buzz
April 20th, 2010 6:24pm

My understanding of your issue is that you cannot open your SSP Admin site (something like http://SharePointServer:SSPAdminPort/SSP/Admin); however, you can open other site collections created in the same web application (http://SharePointServer:SSPAdminPort/). Since both site collections are in the same web application, the authentication process should be the same. So, does the user have appropriate permissions in the SSP Admin site collection? You can log in to Central Administration as the Farm Administrator, grant the user site collection administrator for the SSP Admin site collection, and test again (http://technet.microsoft.com/en-us/library/cc262153.aspx).
May 4th, 2010 8:36am

In fact, we created the sites with named host headers through the CA UI, and then went into IIS afterwards and changed the bindings to add the IP and remove the host header.

This is the recommended operation in http://blogs.msdn.com/joelo/archive/2007/01/02/relationship-between-the-iis-metabase-and-sharepoint-configuration-database.aspx :

What is the recommended way to configure IP bound Virtual Servers or SSL certificates in both a single server and those with more than 1 WFE? In both cases, it's best first to have SharePoint extend the web application with a host header binding, then go into IIS Manager to remove the host header binding and then add the IP binding and/or SSL certificate to the IIS Web site, back up the metabase, restart the WSS Web Application Service, and restore the IIS metabase. Then follow the same steps on all other servers as they are added to the farm.

However, you did not mention backing up and restoring the IIS configuration (the IIS metabase referred to before) when the SharePoint Web Application service is restarted. If you are using IIS 7, you can back up and restore the IIS configuration with AppCmd.exe (http://blogs.iis.net/bills/archive/2008/03/24/how-to-backup-restore-iis7-configuration.aspx).

Update: Sorry, you don't need to restore the IIS configuration when IIS or the computer is restarted. You only have to do this when the Windows SharePoint Services Web Application (in Central Administration->Operation->Services on Server) is stopped and restarted, since it will delete and recreate IIS sites based on information in the configuration database. Thanks for reminding me of this mistake. Gu Yuming TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
May 6th, 2010 5:41am

I have unmarked the answers as we have not yet verified that they ARE the correct answer. If and when we do, I will mark them as answers. As of yet, we have not found a solution.
May 13th, 2010 9:11pm

Disable kernel mode? Really? I've read that this is NOT the recommended best practice. Yes, it will work (I'm struggling through Kerberos myself and tried this just as a test and it works), but not recommended. Sorry for the late reply, but we're just making the move this month. Was this really your final fix? /bac
November 15th, 2010 3:43pm

It was, and it was what Microsoft suggested we do.
November 15th, 2010 4:02pm

Okay, thanks for letting me know. I will let you know if I hear anything else regarding disabling kernel mode. So, I did a little more digging and here's what I found... Here is the MSFT explanation for disabling kernel-mode: http://blogs.msdn.com/b/chunliu/archive/2010/03/24/why-sharepoint-2010-not-use-kernel-mode-authentication-in-iis7.aspx I guess kernel-mode is not an issue! /bac
November 16th, 2010 2:59am

Very interesting, thanks for posting that!
November 16th, 2010 9:02am

Veronica, since you had a support case open on this topic, I wonder if you could get additional feedback from MSFT as to whether this approach is to be considered "Best Practice"? I can open a new case, but you already have an "in"... Thanks. /bac
November 16th, 2010 3:12pm

This topic is archived. No further replies will be accepted.
