Thursday, July 1, 2010

SharePoint Kerberos Authentication wtih IIS 7+

When Microsoft designed IIS 7 they decided to add in a new feature that automaticaly uses the LocalSystem account for Windows Authentication by the kernel.  The problem with this is that is causes problems when a domain account is being used for the SharePoint applicaiton pools and Kerberos is enabled.  Because the authenication is happening as LocalSystem the application pool account is desregarded when it comes to kerberos.

Symptom(s):
When I had kerberos enabled and the kernel-mode authentication was enabledI would get prompted for user credentials until finally receiving a 401 error in the browser.

Fix(s):

There are two ways to fix this issue.  You can fix it for all websites or for a specific website.  The first solution is to apply to all websites.

Apply to all sites:
Right click on Notepad and choose "Run as administrator"

Navigate to and open: C:\Windows\System32\inetsrv\config\applicationHost.config

Under the system.webServer/security/authentication/windowsAuthentication section ensure the following.

<windowsauthentication enabled="true" useapppoolcredentials="true" usekernelmode="true">

Apply to individual site:
The second way will allow you to apply this change to a specific website.

Open the IIS Manager and click on the website you would like to change.  Then double click on the Authentication icon in the center pane.


Click on the Windows Authentication option in the center pane and then click Advanced Settings... in the right hand pane.


Finally un-check the Enable Kernel-mode authentication box.


Supporting Post(s):



No comments: