SharePoint Kerberos Authentication wtih IIS 7+

When Microsoft designed IIS 7 they decided to add in a new feature that automaticaly uses the LocalSystem account for Windows Authentication by the kernel.  The problem with this is that is causes problems when a domain account is being used for the SharePoint applicaiton pools and Kerberos is enabled.  Because the authenication is happening as LocalSystem the application pool account is desregarded when it comes to kerberos.

Symptom(s):
When I had kerberos enabled and the kernel-mode authentication was enabledI would get prompted for user credentials until finally receiving a 401 error in the browser.

Fix(s):

There are two ways to fix this issue.  You can fix it for all websites or for a specific website.  The first solution is to apply to all websites.

Apply to all sites:
Right click on Notepad and choose "Run as administrator"

Navigate to and open: C:\Windows\System32\inetsrv\config\applicationHost.config

Under the system.webServer/security/authentication/windowsAuthentication section ensure the following.

<windowsauthentication enabled="true" useapppoolcredentials="true" usekernelmode="true">

Apply to individual site:
The second way will allow you to apply this change to a specific website.

Open the IIS Manager and click on the website you would like to change.  Then double click on the Authentication icon in the center pane.


Click on the Windows Authentication option in the center pane and then click Advanced Settings... in the right hand pane.


Finally un-check the Enable Kernel-mode authentication box.


Supporting Post(s):
http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx



Comments

Post a Comment

Popular posts from this blog

Add User As Local Administrator On Domain Controller

I recently was settting up a new Microsoft SharePoint 2010 machine and had promoted the machine to a domain controller before creating my SharePoint admin accounts.  I needed to add several of my accounts to the local Administrators group.  Unfortunately after you promote a server to a domain controller you can no longer access the GUI for Local Users and Groups.  Instead I had to use the command line to add the users. Open a command promt using the "Run as administrator" function and then run the following command. net localgroup Administrators /add {domain}\{user} Note: do not include the {} brackets.
Read more

Calling Dataverse Web API in PowerShell using Client Credentials

Image
Connecting to Dataverse using PowerShell can be very helpful for data migrations and use within Azure DevOps. Connecting to an instance in a non-interactive way can be tricky though. This article will provide you the links you need for creation and App registration and adding the app user to your environment. You can then utilize the script provided to call Web API requests including ones you define using the new Custom API functionality now available. The script was written so that it is not dependent on any outside libraries such as the Microsoft.Xrm.Tooling connector. This is helpful in situation where involving an outside library will slow down your deployment time by having to be approved in a change control board. If utilizing an outside code library is not a concern you can create a connection to Dataverse utilizing the Microsoft.Xrm.Tooling connector Get-CrmConnection cmdlet. Create App Registration The first thing to do is create an App Registration within Azure AD for
Read more

Windows Server 2008R2 VMs Shut Down After 1 to 2 Hours

Image
When created a lab environment to test ADFS 2.0 I utilized the Windows 2008R2 VM baselines distributed by Microsoft.  After a few days I was told that I had to activate.  The VMs included a 180 day license for use but I didn't feel like adding another network adapter into Hyper-V to connect them to the internet.  I started having issues though where the servers would shut down every hour or so.  I though that maybe there was a memory issue and Hyper-V was shutting them down in order to free up RAM.  Turns out that if Server 2008R2 is not activated it automatically shuts down after a period of time.  After connecting the server to the internet and activating them the problem went away. Finally the madness of the unknown shut downs has ended :)
Read more