First published by Simin Maleki on 1 Sep 2014 10:18 PM. Last revision by Richard Mueller (MVP, Microsoft Community Contributor) on 31 Mar 2015 9:45 AM. Revisions: 5. Comments: 5.
How to activate Negotiate(Kerberos) authentication in SharePoint 2013
Selecting Negotiate (Kerberos) for SharePoint authentication is not as simple as changing the authentication type in SharePoint Central Administration. Several steps must be completed first, and you will need the help of an Active Directory administrator.
To enable Kerberos authentication on the application server (the one on which IIS is running), follow these steps:
1- Run the SharePoint PowerShell console as administrator.
2- Go to the path "<windows drive>:\inetpub\adminscripts".
3- Type the following command and press ENTER:
cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "Negotiate,NTLM"
Here "1" is the virtual server ID number, which is "1" by default.
4- Run IISReset.
5- If, in IIS, the application pool runs under one of the system accounts, such as the network account, you can skip this step. If the application pool identity is configured to use a domain user account, you have to define an SPN for that account. Download and install the Setspn.exe command-line tool, then type the following command in the SharePoint PowerShell console and press ENTER:
Setspn -A HTTP/<FQDN ServerName> <Domain>\<UserName>
Example:
Setspn -a http/tochal34.tamco.eng tamco.eng\spfarm
6- Type the following command and press ENTER again:
Setspn -A HTTP/<NETBIOS ServerName> <Domain>\<UserName>
Example:
Setspn -a http/tochal34 tamco.eng\spfarm
Important: to run the commands in steps #5 and #6, the domain user who is connected remotely to the application server must be an AD administrator.
7- Now the application (IIS) server must be trusted for delegation in Active Directory. To do that, the Active Directory administrator should perform the following steps:
7-1- Open Active Directory Users and Computers.
7-2- Search for the application server name in Computers.
7-3- Right-click the server name and open its properties.
7-4- On the General tab, select the Trust computer for delegation check box, and then click OK.
8- Also, if the application pool identity is configured to use a domain user account, that user should be trusted for delegation too. So, repeat step #7 for that domain user.
9- Go to SP Central Administration.
10- Click Manage Web applications.
11- Choose the web application you want to change.
12- Go to Authentication Providers.
13- Click Default.
14- Change the claims authentication type to Negotiate.
15- Use the following command if you want to allow only NTLM authentication:
cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "NTLM"
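To confirm that steps 3 to 8 took effect before switching the web application to Negotiate, the following check script can be run from an elevated console. It is an added example, not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, reuses the article's example names (tochal34.tamco.eng, spfarm), and assumes the Windows drive is the system drive.

```powershell
# Added example: verify the Kerberos prerequisites from the steps above.
# Assumptions: host/account names are the article's examples; the
# ActiveDirectory module (RSAT) is installed; run in an elevated console.
Import-Module ActiveDirectory

$Fqdn     = 'tochal34.tamco.eng'   # application server FQDN (article example)
$NetBios  = 'tochal34'             # application server NetBIOS name
$PoolUser = 'spfarm'               # application pool identity (sAMAccountName)
$SiteId   = 1                      # IIS virtual server ID used in step 3

# 1. Both HTTP SPNs (steps 5 and 6) must be on the application pool account.
$user     = Get-ADUser $PoolUser -Properties ServicePrincipalName, TrustedForDelegation
$expected = "HTTP/$Fqdn", "HTTP/$NetBios"
foreach ($spn in $expected) {
    # -contains compares strings case-insensitively, as AD does for SPNs
    $ok = $user.ServicePrincipalName -contains $spn
    '{0,-32} on {1}: {2}' -f $spn, $PoolUser, $(if ($ok) {'registered'} else {'MISSING'})
}

# 2. Each SPN must exist on exactly one account. With a duplicate the KDC
#    cannot issue a service ticket and clients fall back to NTLM.
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        "DUPLICATE $spn on: " + ($owners.Name -join ', ')
    }
}

# 3. Delegation flags set in steps 7 and 8. TrustedForDelegation is the
#    "Trust ... for delegation" check box, i.e. unconstrained delegation.
$computer = Get-ADComputer $NetBios -Properties TrustedForDelegation
"Computer $NetBios trusted for delegation: $($computer.TrustedForDelegation)"
"User $PoolUser trusted for delegation: $($user.TrustedForDelegation)"

# 4. IIS metabase value set in step 3; expect "Negotiate,NTLM".
cscript //nologo "$env:SystemDrive\inetpub\adminscripts\adsutil.vbs" get "w3svc/$SiteId/root/NTAuthenticationProviders"
```

After a client browses to the site, running klist on that client and finding an HTTP/tochal34 ticket confirms that Kerberos, not the NTLM fallback, was used.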