In this part I will talk about configuring your SSP to use Kerberos.
The next step (if required in your environment) is to configure Kerberos for the Shared Services Provider. This includes root and virtual directory level Shared Services. A prerequisite for this step is the SharePoint Infrastructure Update (which was released post SP1).
Configuring the SSP Web Application is very similar to a normal Web Application, so we'll keep it brief. Assume we have the SSP's Web Application running on port 1234 not using a host header. Then, the commands to map the SPNs are as follows:
setspn –A HTTP/servername:1234 yourdomain\UserRunningAppPool
setspn –A HTTP/servername.yourdomain.com:1234 yourdomain\UserRunningAppPool
Turn on Kerberos authentication for the SSP Web Application as described for the content Web Application (previous post) and perform the same test, ensuring you see a successful Kerberos logon event in the Security log on the server hosting the SSP.
In order to fully configure Kerberos for the SSP and Excel Calculation Services, further SPNs must be set using a new, custom format. There are also STSADM commands to run and a change to be made to the registry of each server.
Map the SPNs with the following commands:
setspn –A MSSP/servername:56737/SSPName yourdomain\SSPServiceAccount
setspn –A MSSP/servername:56738/SSPName yourdomain\SSPServiceAccount
SSPName is simply the name you gave your SSP. It cannot contain extended characters so be sure to name your SSP with care at install time! You must also generate a pair of SPNs for each server in your farm. I.e. in a standard medium server farm (2 WFEs and 1 App server), you will set 6 SPNs, 2 for each server name.
Now run the necessary STSADM commands on a server in the farm:
stsadm –o setsharedwebserviceauthn –negotiate
stsadm –o set-ecssecurity –accessmodel delegation –ssp
stsadm –o execadmsvcjobs
In order, this sets the Shared Services Web Service to use Kerberos, Excel Calculation Services to use delegation and then forces the timer jobs to run immediately.
Lastly, each SharePoint Server will need a registry key adding to allow it to use the new custom format SPNs.
- Run regedit
- Go to the registry path HKLM\Software\Microsoft\Office Server\12.0 and right click 12.0 >> New >> DWORD Value
- For Name type in KerberosSpnFormat and change the value from 0 (default) to 1.
After this step, you must reboot your server.
There is some additional configuration required within Component Services. In order to prevent the occurrence of DCOM errors, all of your Application Pool service accounts should have Local Launch and Local Activation permissions on the IIS WAMREG Admin Service object, most easily achieved by giving the permissions to the local groups: WSS_WPG and WSS_ADMIN_WPG (this ensures that newly created Application Pool service accounts are granted the permissions, since SharePoint adds them to this group). This is well documented elsewhere.
However, there's also a modification to be made to the servers in the farm within Component Services. Click on Start > Administrative Tools > Component Services. Expand Component Services > Computers, right click on My Computer and select Properties. On the Default Properties tab, change the Default Impersonation Level to Delegate and click on OK.
My Computer Properties
References
There are a huge number of references for configuring Kerberos. Here is a useful selection:
That concludes my guide to Kerberos for SharePoint. I hope you have found it useful and if you have any queries, please send them to me.
