Kerberos implementation; Where do I start?

  • Question

  • I want to implement Kerberos authentication across the whole network.

    Can anyone please give me a step-by-step guide or let me know what actions are required for this?

    Building SP2010 Reporting Services is the main objective, and winning over the double-hop matter will be another milestone.

    I have a Domain Controller on Server 2008 R2, member domain controllers on Server 2003, SharePoint 2010, Exchange 2007, BlackBerry Enterprise Server, SQL 2008, and XP PCs.

    So, where do I have to start?  Do I need a separate server for the KDC, or should it be on the Domain Controller where the PDC emulator is?

    Wednesday, February 9, 2011 11:43 PM

Answers

  • Your Domain Controller is the KDC, therefore you don't need a separate KDC.

    You don't implement Kerberos on your Domain Controller, but you do it on the services, like Exchange OWA, SharePoint Reporting Services, Excel Services etc.

    Kerberos implementation is not very easy, I found. If your Kerberos implementation is not correct, many services (for example, Kerberos in SQL) will try to use Kerberos authentication first; when they fail to use Kerberos, they will automatically try NTLM.

    In some situations it may be required to configure constrained delegation to allow service applications (such as Excel Services, Performance Point Service, InfoPath Form Services and Visio Services)

    In terms of Kerberos implementation on SharePoint, you may read this fantastic Microsoft Step-By-Step guide.  http://technet.microsoft.com/en-us/library/ee806870.aspx

     

    Good luck everyone.

     

    • Marked as answer by mkhan100 Monday, February 28, 2011 12:15 AM
    Monday, February 28, 2011 12:15 AM
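
The silent fallback to NTLM described in this answer can be spotted on HTTP services (SharePoint, OWA) by decoding the first token a client sends in its Authorization header. This is an added example, not part of the original answer or of the Microsoft guide; the function names are hypothetical and the sample header values are constructed.

```python
import base64
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature at the start of every NTLM message
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft form)
)
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2

def classify_authorization(value):
    """Classify one Authorization header value (the client's first token)."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return "invalid"
    scheme, blob = parts[0].lower(), parts[1].strip()
    if scheme not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    if NTLMSSP_SIG in token:  # raw NTLM, or NTLM carried inside a SPNEGO wrapper
        return "ntlm"
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"  # GSS-API token naming a Kerberos mechanism
    return "other"

def summarize(values):
    """Count how many header values fall into each class."""
    return Counter(classify_authorization(v) for v in values)

def _der(tag, body):
    """Short-form DER TLV, enough for the constructed sample below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed samples: a SPNEGO token with a placeholder Kerberos AP-REQ, two NTLM
# negotiate messages (one sent under the Negotiate scheme), and two non-matches.
_krb = _der(0x60, KRB5_OIDS[0] + b"\x01\x00" + _der(0x6E, b"constructed-ap-req"))
_spnego = _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30,
    _der(0xA0, _der(0x30, KRB5_OIDS[0])) + _der(0xA2, _der(0x04, _krb)))))
_ntlm1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(4)
SAMPLES = ["Negotiate " + _b64(_spnego), "NTLM " + _b64(_ntlm1),
           "Negotiate " + _b64(_ntlm1), "Bearer constructed", "Negotiate !!!"]
```

A `Negotiate` header whose token classifies as `ntlm` is the fallback case: the client was offered Kerberos but could not get a service ticket, which usually points at a missing or duplicate SPN.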

All replies

  • Hi,

     

    Thanks for posting here.

     

    I do not quite understand what is meant by "across the whole network".

    Do you want to deploy SharePoint Reporting Services in another location and authenticate with Active Directory?

     

    If this is the case, you should at least create a logical link between the two sites first and deploy an additional domain controller at the remote site.

    For more information please refer to the link below:

     

    Adding Domain Controllers in Remote Sites

    http://technet.microsoft.com/en-us/library/cc778771(WS.10).aspx

     

    It would be appreciated if you could discuss your purpose in detail.

     

    Thanks.

     

    Tiger Li


    Thursday, February 10, 2011 8:40 AM
  • Hi,

    I am not sure what makes you think that I want to add a Domain Controller in Remote Sites. I am not sure I have indicated anything like that. I clearly indicated my primary intention there.

    I wanted to know about Kerberos authentication and have some questions, like:

    -       Do I need a separate server for the KDC?

    -       If default domain authentication is not set to Kerberos, what steps are involved to change the authentication method?

    -       If both authentication methods can co-exist, then how do I make sure that Kerberos will take precedence over NTLM?

    -       Is there any step-by-step guide for relevant topics?

    Thanks

    Friday, February 11, 2011 3:44 AM