Configuring Kerberos for SharePoint. A Couple of Tips …

I’ve been back in the Kerberos Configuration Groove lately. Yes that, multi-step process which foxes so many people.   If you have to engage in this process then I recommend a few things:

If you’re not already aware of it I strongly recommend that you download  a copy of the “Configure Kerberos Authentication for SharePoint 2010 Products” from Microsoft from here and keep it close.

Try to get to understand the process of what is happening rather than just follow by rote.  You’ll find you fix errors much easier.  The document I just mentioned really helps.

Bear in mind that a few things in the document are a bit of overkill IMHO … two in particular are:

Having a domain account running the Claims to Windows Token Service.  I personally would just let this run as  “Local Service”.  Before you security guru’s start jumping all over me on that one, I’ll refer you to the document which says that the account which runs the C2WTS has to be a Local Administrator, Act as Part of the Operating System, Log On As A Service and Impersonate a Client After Authentication.  Also the C2WTS has no remote access capability, as you have to run it on every server which runs Excel Services or PerformancePoint Services.   If this is the case  why on earth have a domain account?  Surely it’s more secure to have one less domain account to worry about, and if you have your LocalSystem account hacked I think you have bigger fish to fry …

On the Reporting Services Configuration the document recommends using Constrained Delegation to Any Authentication Protocol.  This is not necessary if you are connecting to SQL Server and to Analysis Services as the document example is doing.  You only need Constrained Delegation for Kerberos.  Trust me, try it, it works fine.  Using any authentication protocol is less secure than Kerberos Only and SSAS and SQL Server don’t understand things like claims at the moment, so it’s totally pointless.

Other than that the document whilst a weighty tome at over 200+pages, is a very good reference.  I only hope as we move forward that Microsoft manage to simplify the process so that some pages can be removed …


Dave Mc

About davemcmahon81
Software Developer & Architect, User Group Leader, Speaker, Writer, Blogger, Occasional Guitarist, Man-made Global Warming Sceptic, Climate Change Believer, General Optimist but most of all proud Husband and Dad ...

One Response to Configuring Kerberos for SharePoint. A Couple of Tips …

  1. Pingback: Configuring Kerberos for SharePoint. A Couple of Tips … « Dave … | Mastering Sharepoint

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: