SharePoint 2010 Kerberos with Safari Browser

  • Question

  • Hi all, I planned to set up SharePoint 2010 with Kerberos and would like to know if there is any issue with users who are using Mac Safari to browse the SharePoint website, and what version of Safari works with SharePoint 2010 Kerberos?

    Thanks

    T

    • Moved by Mike Walsh FIN Wednesday, April 20, 2011 4:57 PM "I planned to setup sharepoint 2010 with Kerberos". More a general question than Admin and certainly not a pre-SP 2010 question (From:SharePoint - Setup, Upgrade, Administration and Operation (pre-SharePoint 2010))
    Wednesday, April 20, 2011 4:26 PM

All replies

  • I don't think Safari supports Kerberos, so they will negotiate down to NTLM. Safari can't run the datasheet view; that's probably the largest limitation of non-IE browsers. Firefox can do Kerberos, so if Kerberos is a requirement then tell Mac users to use Firefox.

    Wednesday, April 20, 2011 5:11 PM
  • Thanks Todd, so if Safari does not support Kerberos, is a SharePoint user still able to browse a SharePoint 2010 site and use other features except datasheet view?

    T

    Wednesday, April 20, 2011 5:16 PM
  • Yes, it will browse everything but datasheet view. Some other subtle things won't work either (unless you enable claims), like RSS web parts whose feeds are other SharePoint lists, or any content where a "double hop" occurs.
    Wednesday, April 20, 2011 7:05 PM
  • Thanks Todd, what will happen to the users from a different domain? For example, the current domain has read access as "ACME\domain users" and I also assign read access to a different domain, "GUN\domain users". Are GUN domain users able to browse the SharePoint website if I use Kerberos?

    T

    Thursday, April 21, 2011 5:02 PM
  • How are you actually getting users from multiple domains onto your SharePoint site? If it's Windows authentication through a domain trust then it depends on if it's a one-way trust or a two-way trust. I believe Kerberos doesn't work with one-way trusts, only two-way trusts. So if the App Pool account is ACME\AppPool, only ACME users will Kerberos in a one-way trust; GUN users will revert to NTLM, which is normally not a problem. I'm not an AD guy, but AD guys tell me you can have a two-way trust be as secure as a one-way trust, and then you'd have Kerberos for both ACME and GUN.

    Thursday, April 21, 2011 5:13 PM
  • Thanks Todd, what will happen to the users from a different domain? For example, the current domain has read access as "ACME\domain users" and I also assign read access to a different domain, "GUN\domain users". Are GUN domain users able to browse the SharePoint website if I use Kerberos?

    T

    Mr. T1, that multi-domain question is not related to Kerberos.  That's a different topic, so please post it in a new thread.  We prefer not to string along threads with question after question once the original question is answered.  Thanks!

    Also, Todd and I have the Firefox w/Kerberos thing working (thanks to Todd), but it requires configuration on each client and is not widely known, I don't think, so this is definitely a serious topic that you need to be aware of before deploying.


    SharePoint Architect || Microsoft MVP || My Blog
    Planet Technologies || SharePoint Task Force
    Monday, May 2, 2011 4:32 AM
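
Added example, not part of the original thread: the replies above say a browser that cannot do Kerberos will negotiate down to NTLM. One way to check which mechanism a client actually sent is to inspect the token in a captured `Authorization` header; the function names and sample header values below are constructed for illustration, and the check is a byte-signature heuristic, not a full SPNEGO parser.

```python
import base64
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"                                   # NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),               # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),               # 1.2.840.48018.1.2.2 (MS legacy)
)

def classify_authorization(header_value):
    """Return 'NTLM', 'Kerberos' or 'unknown' for one Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                                     # bad base64 or padding
        return "unknown"
    if token.startswith(NTLMSSP):                          # raw NTLM, no SPNEGO wrapper
        return "NTLM"
    if token[:1] == b"\x60":                               # GSS-API initial token
        if NTLMSSP in token:                               # NTLM carried inside SPNEGO
            return "NTLM"
        if any(oid in token for oid in KRB5_OIDS):
            return "Kerberos"
    return "unknown"

def summarize(headers):
    """Count mechanisms over an iterable of Authorization header values."""
    return Counter(classify_authorization(h) for h in headers)

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed samples: token prefixes only, not complete valid tokens.
SAMPLES = {
    "raw_ntlm": _hdr(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "spnego_krb": _hdr(b"\x60\x82\x05\x00" + SPNEGO_OID + b"\xa0\x30"
                       + KRB5_OIDS[0] + b"<constructed ticket bytes>"),
    "spnego_ntlm": _hdr(b"\x60\x40" + SPNEGO_OID + b"\xa0\x36"
                        + NTLMSSP + b"\x01\x00\x00\x00"),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
    print(dict(summarize(SAMPLES.values())))
```
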