Implementing Kerberos from Win 7 to Win 2008R2, using RSADSI instead of AES256


  • Hi there,

    I have implemented Kerberos on a Win2008R2 machine hosting SharePoint. I have created an account MYDOMAIN\SharePointAppSvcAcct.

    I have ensured that Kerberos is being used by setting up the service account, logging into SQL Server 2008 R2 (which is on a different machine) and running the Kerberos verification query, SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid, which returns KERBEROS.

    I have set up SharePoint to use Kerberos for its main site. I have run both klist and kerbtray to get information about Kerberos tickets. I am on the SQL machine and I call to the Win2008R2 machine to access SharePoint 2010, which will access the databases on the SQL machine. I figure that Kerberos will use NTLM if I do everything on the local machine.

    I have done a setspn to register the service principal name of the web site hosting SharePoint.

    setspn -S http/sharepoint SharePointAppSvcAcct


    setspn -S http/sharepoint.mydomain.local SharePointSvcAcct

    Next I ran a klist purge.

    Then I opened the SharePoint site using http://sharepoint

    It successfully opens.

    I run klist, and it is completely empty, which makes me wonder if Kerberos is being used.

    So I run kerbtray, and it shows


    but it is using RSADSI RC4 HMAC as its encryption type. This confuses me also, as both the environment I am on (Win 7) and the environment that SharePoint is on (Win2008R2) support AES256.

    Why would it be using RSADSI instead of AES256, and also if klist is not showing anything, have I configured it properly - what am I doing wrong?

    • Edited by Tony Wright, Wednesday, June 20, 2012 05:45
    Wednesday, June 20, 2012 05:40
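
The klist check described in the post, as an added example that is not part of the original post: it parses klist output and reports whether a service ticket for a registered SPN is cached in the logon session and which encryption type it carries. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `klist` output (not taken from the post);
# the field labels follow the layout klist prints for cached tickets.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: tester @ MYDOMAIN.LOCAL
        Server: krbtgt/MYDOMAIN.LOCAL @ MYDOMAIN.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent

#1>     Client: tester @ MYDOMAIN.LOCAL
        Server: HTTP/sharepoint @ MYDOMAIN.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
"""

TICKET_START = re.compile(r"^#(\d+)>\s*(.*)$")   # "#1>     Client: ..."
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")      # "Label: value"

def parse_klist(text):
    """Return one dict per cached ticket, keyed by the klist field labels."""
    tickets, current = [], None
    for line in text.splitlines():
        start = TICKET_START.match(line)
        if start:
            current = {"index": int(start.group(1))}
            tickets.append(current)
            line = start.group(2)      # rest of the line holds the Client field
        if current is None:
            continue                   # header lines before the first ticket
        field = FIELD.match(line)
        if field:
            current[field.group(1).strip()] = field.group(2).strip()
    return tickets

def check_service_ticket(tickets, spn):
    """Report whether a ticket for `spn` is cached and how it is encrypted."""
    for t in tickets:
        service = t.get("Server", "").split("@")[0].strip()
        if service.lower() == spn.lower():
            etype = t.get("KerbTicket Encryption Type", "unknown")
            return {"kerberos_ticket": True, "etype": etype,
                    "rc4": "RC4" in etype.upper(), "aes256": "AES-256" in etype.upper()}
    # No service ticket for this SPN is cached in this logon session.
    return {"kerberos_ticket": False, "etype": None, "rc4": False, "aes256": False}
```
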


All Replies