Sharepoint Server Farm and Kerberos Authentication

  • Wednesday, July 30, 2008 6:19 PM LiluPat

    Hi All,

    We are deploying a MOSS Intranet Portal using a typical 5-server farm configuration (2 WFE, 1 Application Server and 2 SQL clustered servers). We will be using AD user authentication. I would like to know whether I should configure this for NTLM or Kerberos authentication, and what advantage I will get if I go for Kerberos authentication.

    Thanks in advance,
    LiluPat

All Replies

  • Wednesday, July 30, 2008 7:14 PM Francesco Sodano (Answer)


    Key Points of Kerberos:

    - More secure than NTLM
    - More scalable than NTLM
    - Provides user delegation (RSS Viewer, for example!)
    - Supports constrained delegation
    - Reduces load on Active Directory
    - Kerberos is integrated into Active Directory; a service only needs to be configured to utilize the protocol


    Regards,

    Francesco


    www.sharepointinside.it
  • Wednesday, July 30, 2008 8:27 PM Veronica Harris

    I agree with Francesco.

    We have very successfully deployed 3 separate farms with Kerberos authentication and it works very well. Now, there *are* some "gotchas" with Kerberos, but if you know about them and make sure to always perform all the steps that need to be done with each new addition to a farm, you will be just fine.
  • Thursday, July 31, 2008 5:04 AM LiluPat

    Hi Francesco,

    Thanks for replying!

    Does it mean that even if I do not use user delegation for the RSS viewer, or a WebPart that accesses a DB server not hosted on the SharePoint server, I can still go for Kerberos authentication because it provides other benefits like being more secure and scalable?

    Regards,
    LiluPat
  • Thursday, July 31, 2008 8:42 AM Francesco Sodano

    Yes!

    Kerberos is a great authentication protocol!

    Live for Tickets! :)

    Francesco.


    www.sharepointinside.it
  • Thursday, July 31, 2008 9:17 AM lanfear

    I have questions on the same topic:

    1. If you look at it the other way, what are the reasons for not using Kerberos? Are there any?

    2. I've heard someone say that web traffic requires new tickets more often than traffic over other protocols, therefore negating the quoted advantage (for SharePoint purposes) that Kerberos creates less authentication traffic than NTLM. Is that true?

    3. Also, in the case of the RSS viewer web part that requires Kerberos: can anyone explain what the security implications are of using a 3rd-party reader like Smiling Goat, which doesn't require Kerberos for viewing authenticated MOSS feeds?

    Thanks for any insights, I'm trying to do my research thoroughly. :) And maybe a Kerberos FAQ should be a sticky thread?

    Best regards,

    lf
    • Edited by lanfear, Thursday, July 31, 2008 9:19 AM: Cosmetic improvement!
  • Thursday, July 31, 2008 9:38 AM Francesco Sodano (Answer)

    1. Kerberos is more difficult to configure and troubleshoot (in my opinion).
    2. The tickets are requested once; after the first request the authentication traffic is less than with NTLM.
    3. I don't know Smiling Goat, but I think it is an implementation for those who don't have Kerberos, or don't want Kerberos, in their infrastructure.
    4. The link I suggest is this: http://technet.microsoft.com/en-us/library/cc263449.aspx, so you can see what configuring Kerberos on a Medium/Large Farm means.

    Regards,

    Francesco.


    www.sharepointinside.it
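Francesco's point 1 and the TechNet checklist he links, together with Veronica's warning above about repeating every step for each addition to the farm, come down mostly to one requirement: every web application's HTTP/ SPNs must exist exactly once, on the account that runs its application pool, otherwise the browser's Negotiate handshake silently falls back to NTLM or the ticket fails to decrypt. The PowerShell audit below is an added example, not code from this thread or from Microsoft's guidance. The farm URLs, the CONTOSO domain, the DNS suffix and the svc_portal_pool account are placeholders to edit, and it assumes setspn.exe as shipped with Windows Server 2008 (the -S switch, which refuses to create a duplicate), run by a user allowed to read and write servicePrincipalName in AD.

```powershell
# Added example (not from the thread). Farm values below are assumed; edit before use.
# For a load-balanced pair of WFEs, both application pools must run as the SAME domain
# account and the SPN is registered on that account, never on a machine account.
$farm = @(
    @{ Url = 'http://portal.contoso.com';     AppPoolAccount = 'CONTOSO\svc_portal_pool' },
    @{ Url = 'http://mysite.contoso.com';     AppPoolAccount = 'CONTOSO\svc_portal_pool' },
    @{ Url = 'http://intranet:8080';          AppPoolAccount = 'CONTOSO\svc_portal_pool' }   # short name + non-default port
)
$dnsSuffix = 'contoso.com'   # assumed; used to add the FQDN form of short host names

function Get-RequiredSpns {
    # Returns the HTTP/ SPNs a browser will ask the KDC for when it opens $Url.
    param([string]$Url)
    $uri      = [Uri]$Url
    $hostName = $uri.Host
    # A non-default port is part of the SPN (HTTP/host:8080); without it the client
    # asks for a ticket nobody holds and Negotiate falls back to NTLM.
    $port = if ($uri.IsDefaultPort) { '' } else { ":$($uri.Port)" }
    $spns = @("HTTP/$hostName$port")
    if ($hostName -notlike '*.*') { $spns += "HTTP/$hostName.$dnsSuffix$port" }
    $spns
}

function Find-SpnOwner {
    # Returns the DN of every account currently holding $Spn (setspn -Q prints one
    # "CN=..." line per owner above the matching SPNs).
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    $out | Where-Object { "$_" -match '^CN=' } | ForEach-Object { "$_" }
}

function Test-FarmSpns {
    foreach ($webApp in $farm) {
        foreach ($spn in Get-RequiredSpns $webApp.Url) {
            $owners = @(Find-SpnOwner $spn)
            switch ($owners.Count) {
                0       { Write-Host    "MISSING   $spn -> run: setspn -S $spn $($webApp.AppPoolAccount)" }
                1       {
                    if ($owners[0] -like "CN=$($webApp.AppPoolAccount.Split('\')[1]),*") {
                        Write-Host    "OK        $spn on $($owners[0])"
                    } else {
                        Write-Warning "WRONG ACCOUNT $spn is on $($owners[0]), app pool runs as $($webApp.AppPoolAccount)"
                    }
                }
                default { Write-Warning "DUPLICATE $spn is held by $($owners.Count) accounts; the KDC encrypts the ticket for one of them and IIS logs KRB_AP_ERR_MODIFIED. Run 'setspn -X' and remove the extra with 'setspn -D'." }
            }
        }
    }
}

Test-FarmSpns
```

The script only reports and prints the exact setspn -S command to run, so it can be executed on any new host name or port before the change is made, which is the "perform all steps with each new addition" habit Veronica describes. The MSSQLSvc SPN on the SQL Server service account, which the TechNet article also covers, is only needed when something in the farm delegates the user's identity on to SQL; it is not required for browser-to-WFE Kerberos.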
  • Thursday, July 31, 2008 4:24 PM LiluPat

    Hi Francesco,

    Thanks for clarifying this.

    I have one more query. We will have some hyperlinks from the current portal. These links will point to some ASP.NET applications which are hosted on a different IIS web server than the current portal, but both the SharePoint portal and the ASP.NET applications will use the same AD server for user authentication. The portal is configured for Kerberos authentication.

    1. In the above case, after the user is authenticated for the SharePoint portal, will he be able to access the ASP.NET application without entering his/her user ID/password a second time?

    2. Do I have to configure SSO in the above case?

    3. Is Kerberos authentication used as an alternative to SSO?

    Thanks in advance!

    Regards,
    LiluPat
  • Thursday, July 31, 2008 7:19 PM MULTISY (Answer)

    Kerberos will be used if using Windows Authentication; and if accessing a different server inside the same domain, it is likely the same Kerberos ticket will be used. Kerberos tickets get cached on the client and server, so each of them can communicate securely without always asking the Domain Controller (as with NTLM).

    SSO uses a persisted cookie to identify the user, and is used by the Office products when opening documents to avoid the double sign-on; if you are not using Windows authentication, your ASP.NET application can use SSO SDK objects to identify the user, but more commonly SSO is used to access other systems from within SharePoint by looking up the current user's sign-on information for that specific system. SSO must be configured for each system and user information.

    Kerberos is not SSO. Be sure the ASP.NET application is also configured to use Kerberos and all should be good.
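Whether the portal and the separate ASP.NET server are both really authenticating with Kerberos, rather than one of them quietly falling back to NTLM, can be checked from both ends: the ticket cache on the client and the logon events on the IIS server. This is an added example, not from the thread. portal.contoso.com and hrapps.contoso.com are placeholder hosts; klist.exe is assumed to be the copy that ships with Vista and Windows Server 2008, and the server-side half assumes PowerShell 2.0 (Get-WinEvent) run from an elevated prompt on the IIS server so the Security log is readable. One TGT covers every host in the domain, but each HTTP/host SPN gets its own service ticket, which is what the cache listing shows.

```powershell
# Added example (not from the thread). Host names are assumed; adjust to your farm.
$sites = 'portal.contoso.com', 'hrapps.contoso.com'   # SharePoint portal and the separate ASP.NET IIS server

# --- Client side: after opening each site once, the cache should hold one
# HTTP/<host> service ticket per site, all obtained with the single TGT (krbtgt).
# A site with no HTTP/ ticket after a successful page load was authenticated with
# NTLM instead (usually a missing SPN, a non-default port left out of the SPN, or the
# site not in the browser's Local intranet zone, where Negotiate is only attempted by
# default for sites in that zone).
function Get-CachedHttpTickets {
    $lines = & klist.exe tickets 2>&1
    $lines | ForEach-Object {
        if ("$_" -match '^\s*Server:\s+HTTP/([^\s@]+)') { $Matches[1].ToLower() }
    }
}

function Test-ClientTickets {
    $cached = @(Get-CachedHttpTickets)
    foreach ($site in $sites) {
        if ($cached -contains $site) {
            Write-Host    "KERBEROS  $site (service ticket cached)"
        } else {
            Write-Warning "NO TICKET $site - this site is almost certainly being served over NTLM"
        }
    }
}

# --- Server side (run on a WFE or on the ASP.NET server): Security event 4624 with
# logon type 3 (network) records the package that actually authenticated the request.
# A farm "configured for Kerberos" that still logs NTLM here is not getting the
# reduced-DC-traffic benefit described above; each NTLM logon is a pass-through to a DC.
function Get-NetworkLogonPackages {
    param([int]$Minutes = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $msg = $_.Message
        if ($msg -match 'Logon Type:\s+3' -and $msg -match 'Authentication Package:\s+(\S+)') {
            $Matches[1]   # "Kerberos" or "NTLM"
        }
    } | Group-Object | Select-Object Name, Count
}

Test-ClientTickets
Get-NetworkLogonPackages -Minutes 30 | Format-Table -AutoSize
```

Run the client half from a workstation after browsing both sites; run the server half on each IIS host. If the portal shows Kerberos but the ASP.NET server shows NTLM, the ASP.NET site's HTTP/ SPN is missing from its own application pool account, which is the configuration step the answer above refers to. Clearing the cache with klist purge and reloading a page is the quickest way to re-test after an SPN change.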