Kerberos with Central Administration in SharePoint 2007

  • Question

  • I have a SharePoint 2007 development farm configured correctly in Kerberos, except I get errors with Central Administration.  This is for SharePoint 2007, Windows Server 2008, SQL Server 2008, and IIS 7.  Central Administration was originally set up in NTLM, and I was asked to switch it to Kerberos.  I had two SPNs created for its application pool account:  http/server:5555 and http/server.company.com:5555.  In the authentication section of Central Administration, I added useKernelMode="true" and useAppPoolCredentials="true".  I switched Central Administration to Kerberos in the authentication providers section of Central Administration.  server:5555 was also added to the BackConnectionHostNames registry key.

    Central Administration renders from the server but not from the client (Windows 7 and IE 8).  From the client, I get "Not Authorized.  HTTP Error 401. The requested resource requires user authentication" after three attempts.  Fiddler does show it is using Kerberos.  If I use the IP address (100.100.100.100:5555) from the client, Central Administration renders, but Fiddler shows it is falling back to NTLM.

    Wireshark just shows KRB5KDC_ERR_PREAUTH_REQUIRED.  Event Viewer shows:

          Audit Failure Event ID 4625.  Unknown user name or bad password.  Status 0xc000006d and sub status 0xc000006a.

    This would seem to indicate that the user name is correct but the password is wrong.  But I'm sure the password is fine because it works on other SharePoint sites.  I also checked whether I had any duplicate SPNs.

    Monday, September 26, 2011 4:57 PM

Answers

  • Hi,

    What is your Internet Explorer’s version on your client?

    If it were Internet Explorer 6, 7 or 8, please apply this fix to resolve your issue.

    Furthermore, if a single web server is configured to use Kernel Mode authentication, Kerberos will work without any additional configuration or additional SPNs because the server will automatically register a HOST SPN when it is added to the domain. If multiple web servers are load balanced, the default Kernel Mode Authentication configuration will not work, or at least will intermittently fail, because the client has no way of ensuring the service ticket it received in the TGS request will work with the server authenticating the request.

    To work around this issue you can do the following:

    · Turn off Kernel Mode Authentication
    · Configure HTTP.sys to use the IIS application pool’s identity when decrypting service tickets. See Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings.
    · You may also need a hotfix when configuring HTTP.sys to use the application pool’s credentials: FIX: You receive a Stop 0x0000007e error message on a blue screen when the AppPoolCredentials attribute is set to true and you use a domain account as the application pool identity in IIS 7.0

    Thanks,

    Rock Wang

    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Regards, Rock Wang Microsoft Online Community Support
    • Marked as answer by djsablosky Wednesday, September 28, 2011 2:15 PM
    Tuesday, September 27, 2011 2:57 AM
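The answer's point is that the service ticket must be decryptable by whichever identity actually handles authentication: the machine account (HOST SPN) under kernel-mode authentication, or the application pool account once useAppPoolCredentials is on or kernel mode is off. The following diagnostic is added here and is not code from the thread or from Microsoft; it assumes the IIS WebAdministration module (a snap-in on Server 2008 RTM), setspn.exe, elevated rights on the web server, and the IIS site name SharePoint 2007 gives Central Administration. It goes one step beyond the thread by checking each HTTP SPN both with and without the port, because browsers do not always include a non-default port such as 5555 in the SPN they request.

```powershell
# Added diagnostic, not from the thread: finds the account that will decrypt Kerberos service
# tickets for an IIS site (machine account under kernel-mode auth without app pool credentials,
# otherwise the app pool identity) and checks that this account owns the site's HTTP SPNs, with
# and without the port, since browsers do not always include a non-default port in the SPN.
Import-Module WebAdministration   # assumed available (a snap-in on Server 2008 RTM)

function Get-RegisteredSpns([string]$Account) {
    # setspn -L prints a header line, then one indented SPN per line
    & setspn.exe -L $Account 2>$null |
        Where-Object { $_ -match '^\s+\S+/' } |
        ForEach-Object { $_.Trim().ToLowerInvariant() }
}

function Test-KerberosSpnAlignment([string]$SiteName) {
    $sitePath = "IIS:\Sites\$SiteName"
    $filter   = 'system.webServer/security/authentication/windowsAuthentication'
    $kernel   = [bool](Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name useKernelMode).Value
    $poolCred = [bool](Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name useAppPoolCredentials).Value
    $pool     = Get-Item ("IIS:\AppPools\" + (Get-Item $sitePath).applicationPool)

    # Kernel mode without useAppPoolCredentials decrypts with the machine account (HOST SPN);
    # in every other case the ticket must have been issued for the app pool identity.
    $decryptor = "$env:COMPUTERNAME`$"
    if (-not ($kernel -and -not $poolCred) -and $pool.processModel.identityType -eq 'SpecificUser') {
        $decryptor = $pool.processModel.userName
    }
    $owned = @(Get-RegisteredSpns $decryptor)
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    foreach ($b in Get-WebBinding -Name $SiteName -Protocol http) {
        $ip, $port, $hostHeader = $b.bindingInformation.Split(':')   # ip:port:hostheader
        $hosts = if ($hostHeader) { @($hostHeader) } else { @($env:COMPUTERNAME, $fqdn) }
        foreach ($h in $hosts) {
            $candidates = @("http/$h")
            if ($port -ne '80') { $candidates += "http/${h}:$port" }
            foreach ($spn in $candidates) {
                New-Object PSObject -Property @{
                    Site = $SiteName; Spn = $spn; Decryptor = $decryptor
                    KernelMode = $kernel; AppPoolCredentials = $poolCred
                    OwnedByDecryptor = ($owned -contains $spn.ToLowerInvariant())
                }
            }
        }
    }
}

# Usage for the thread's site (IIS site name SharePoint 2007 gives Central Administration, assumed):
Test-KerberosSpnAlignment 'SharePoint Central Administration v3' | Format-Table -AutoSize
```

A row with OwnedByDecryptor set to False for an SPN the client requests means the KDC issues a ticket the server cannot decrypt, which surfaces exactly as the 401 and the 4625 "bad password" event in the question; fix it by registering the SPN on the decrypting account (or changing which account decrypts), never by duplicating the SPN across accounts.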

All replies

  • Hi,

    Did you have any questions? If anything is unclear, feel free to let me know.

    Thanks,

    Rock Wang

    Forum Support

    Wednesday, September 28, 2011 8:34 AM
  • Rock:

    Thank you for the explanation.  The index server had Internet Explorer 7, where no Kerberos was working.  The client had Internet Explorer 8, where Kerberos was working for the main portal and MySites (on default ports), but not for Central Administration.  (I have not had the hotfix installed yet or changed the registry.)  Other web sites had said to set useAppPoolCredentials to true but leave Kernel Mode Authentication on (there is a warning in IIS 7 when this is disabled), but now I disabled it for Central Administration.  If multiple web servers are load balanced, are the SPNs for Central Administration still required?

    Wednesday, September 28, 2011 12:48 PM