This blog post will show you how to configure Kerberos & KCD (Kerberos Constrained Delegation) from start to finish for MOSS 2010 and UAG 2010.
A powerful feature of UAG is its ability to support KCD internally between UAG and the SharePoint 2010 server. This feature helps reduce traffic between the servers because NTLM is considered very network chatty. Also, KCD allows for a truly seamless SSO experience for smartcard users.
Configuring Kerberos Authentication Internally – SharePoint Side
You can’t have KCD support if you don’t have Kerberos working internally! I will show you an easy way to set up Kerberos authentication for SharePoint 2010.
1) Go to the SharePoint Central Administration >> Manage Web Application >> then click on your SharePoint Site >> Authentication Providers
2) A MOSS 2010 configuration window will come out displaying a link labeled “default”. Click it and scroll down until you find “IIS Authentication Settings”.
3) Under “IIS Authentication Settings” check the box that says “Negotiate (Kerberos),” & click “Save”.
“Negotiate” means the client tries Kerberos first and falls back to NTLM if Kerberos doesn’t work.
4) Restart IIS!!! Start >> run >> “CMD” >> type in “iisreset”
Configuring Kerberos Authentication Internally – Active Directory
Forget the SetSPN application; many administrators find it difficult to use. I will show you the manual way to configure SPNs, which is pretty much foolproof. If you are using Server 2003, then you may need to download the ADSI Editor MMC. The ADSI editor comes built-in with Server 2008. Do NOT enter multiple SPNs.
1) Open the ADSI editor >> find the service account used to run the IIS application pool for your SharePoint server or SharePoint farm. In the case of a farm, it should still be the same account across all servers.
2) Click Properties and scroll down until you find “servicePrincipalName”. Click Add and enter your SharePoint site name in SPN form, such as: http/sharepoint.domain.com
3) Run “Active Directory Users and Computers” >> Find the account we just added the SPN to >> click “Delegation”.
A nice thing to note is that the “Delegation” tab is not available until you configure the SPN.
4) Check the box that says “Trust this user for delegation to any service (Kerberos Only)”. Click OK and allow enough time for your changes to replicate.
Verifying that Kerberos works
It is very important to verify that Kerberos is working internally before proceeding to configure UAG.
1) Open up the event viewer on your SharePoint Server and click “Security”
2) Filter by event ID “4624” so you only see the logon/logoff events.
3) Look for a user logging in, scroll down, and make sure the Logon Process field shows Kerberos (not NTLM).
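The same check scripted, as an added example that is not part of the original post: it reads recent 4624 events on the SharePoint server and groups them by authentication package, so an NTLM fallback shows up immediately instead of having to scroll through events one by one. The one-hour window is an assumption.

```powershell
# Added example, not from the original post: summarise recent 4624 logons on the
# SharePoint web front end by authentication package so you can see whether
# clients really arrive with Kerberos or are falling back to NTLM.
# Run in an elevated PowerShell on the SharePoint server. $Hours is an assumption.
$Hours = 1

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Logon type 3 = network logon, which is what browser requests to IIS produce;
    # skip interactive/service logons and computer accounts (names ending in $).
    if ($d.LogonType -ne '3' -or $d.TargetUserName.EndsWith('$')) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Process = $d.LogonProcessName           # 'Kerberos' vs 'NtLmSsp'
        Package = $d.AuthenticationPackageName  # 'Kerberos' vs 'NTLM'
        Client  = $d.IpAddress
    }
}

'--- network logons by authentication package (last {0}h) ---' -f $Hours
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

'--- most recent network logons ---'
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If browser users keep appearing under NTLM after the Negotiate setting and SPN are in place, the SPN is the usual suspect.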
Publishing SharePoint 2010 – UAG 2010 Side
There are many ways to publish SharePoint 2010 through UAG, and the method used should reflect how you want SharePoint and UAG configured. The steps below describe a typical deployment where your internal and external SharePoint URLs are different.
1) Click “Add” and Select “Web Application” >> Enter in an Application Name >> Single server.
2) Under Addresses, make sure to enter in the server name used for the SPN.
3) Select the proper authentication server, which should be AD-based. At this time you cannot select KCD.
Keep clicking next and configure SharePoint the way you want it. Typically, I will click the boxes that allow you to bypass trunk authentication.
4) Go into the application properties for the application created above >> Authentication >> check the box that says “Use Kerberos constrained delegation for single sign-on”.
5) Enter in the SPN name accordingly, as shown below:
Configuring Delegation in AD
In the official Microsoft documentation, the articles teach you how to use the LDIF file. In doing so, you get a nasty warning saying existing data will get deleted. Don’t worry! You won’t replace all your AD data; however, you will replace the existing delegation data inside your UAG computer object. Let me explain: let’s say you configured delegation in UAG before for MOSS 2007; well, MOSS 2007 is gone now and you have MOSS 2010. If you didn’t clean up AD, then a delegation rule under UAG for MOSS 2007 should still be there. Your LDIF import will clean up that rule.
Next, I will show you how to manually configure delegation in AD.
1) Run “Active Directory Users and Computers” and search for your UAG Server computer object.
2) Click the “Delegation” tab >> check the box that says “Trust this computer for delegation to specified services only” and click “ADD”.
3) Type in the name of your SharePoint server exactly as it appears in AD. Scroll down in the list until you find HTTP and select it.
4) Click Apply and you are done!!! Rinse and repeat the above steps if you have multiple UAG servers or Celestix WSA Appliances.
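To read back what the Active Directory steps above produce (the SPN on the SharePoint service account, the delegation flag on that account, and the constrained-delegation list on the UAG computer object), here is an added example using the ActiveDirectory PowerShell module; it is not from the original post. The account name, computer name and SPN are assumptions to replace with your own.

```powershell
# Added example, not from the original post: read back the Kerberos/KCD settings
# created in the AD steps above, using the ActiveDirectory module (RSAT).
# The three values below are assumptions; replace them with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-sharepoint'             # SharePoint app pool account (assumed)
$UagComputer    = 'UAG01'                      # UAG server computer object (assumed)
$Spn            = 'http/sharepoint.domain.com' # SPN entered in ADSI Edit (assumed)

# 1) The service account must carry the SPN and be trusted for delegation
#    (the "Delegation" tab only appears once the SPN exists).
$svc = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, TrustedForDelegation
"Service account SPN present : $($svc.servicePrincipalName -contains $Spn)"
"Service account delegation  : $($svc.TrustedForDelegation)"

# 2) The same SPN registered on more than one object breaks Kerberos for that
#    service (clients quietly fall back to NTLM), so check for duplicates.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
            Select-Object -ExpandProperty DistinguishedName)
"Objects holding this SPN    : $($owners.Count)"
$owners | ForEach-Object { "    $_" }

# 3) The UAG computer object must list the SharePoint HTTP service in
#    msDS-AllowedToDelegateTo, which is what the "specified services only"
#    delegation tab (or the LDIF import) writes.
$uag = Get-ADComputer -Identity $UagComputer -Properties 'msDS-AllowedToDelegateTo'
$allowed = @($uag.'msDS-AllowedToDelegateTo')
"UAG may delegate to         : $($allowed -join ', ')"
"UAG delegation target OK    : $($allowed -contains $Spn)"
```

Run it from any domain-joined box with RSAT; if the SPN count is anything other than 1, fix that before touching UAG.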
If you would like to import the LDIF file, then that’s OK, too. After you have finished the SharePoint wizard and changed authentication to KCD, do the following.
1) Admin >> Export KCD Settings to Active Directory >> click “Export Settings to an LDIF file”.
2) Copy the LDIF file from your UAG server to your Domain Controller.
3) Open a command prompt and type in the following:
LDIFDE -i -f c:\pathhere\filenamehere.ldif
You are all set!!! Remember to log into UAG and then check your SharePoint logs to make sure you are truly using KCD. You will also need to configure Alternate Access Mappings (AAM) in SharePoint for the external URL.
Note that setting up Kerberos on the inside doesn’t mean you will get a truly seamless SSO experience internally. You may need to add the SharePoint URL to your browser’s Trusted Zone.
If you are publishing SharePoint 2010 without Kerberos, then go through my article and set it up. Trust me, in an environment of 500+ users the savings in bandwidth are well worth it.
Thank you for reading my post!