Monday, February 21, 2011

SharePoint 2010 on Windows Server 2008 R2 with Kerberos Troubleshooting

Re-posted again with additional resource links at the bottom.

Wow. Going through some massive headaches getting Kerberos set up in SharePoint 2010 on Windows Server 2008 R2. I was following my old guide from SharePoint 2007 (http://www.bryansgeekspeak.com/2010/01/enabling-kerberos-in-windows-domain-for.html) until I realized all the IIS 7.5 settings are completely different...

The first thing Google turned up for me was a blog post that explains a lot of Windows 2008 R2 specific gotchas for SharePoint 2010. It goes into detail about how to turn off kernel mode authentication and how to enable IIS delegation using the application pool account credentials.

http://www.harbar.net/archive/2010/03/31/sharepoint-2010-and-kerberos.aspx

With those changes and some SETSPN commands I was able to get successful Kerberos logon events to the SharePoint 2010 web front end. A good start. On to the double hop delegation from a SharePoint 2010 web part to Teamworks 6...

When I hit the Teamworks web part in SharePoint 2010, I got the usual authentication error that tells me Kerberos is not working. The Teamworks server is already working in a SharePoint 2007 farm though, so I know the Teamworks piece is good - but I can see with Wireshark that only NTLM2 requests are being sent from the SharePoint 2010 WFE to the JBoss server - no Kerberos traffic at all.
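Added example (not part of the original post): a small Python check that classifies `Authorization` header values copied out of a packet capture as NTLM or Kerberos, which is the distinction the Wireshark observation above turns on. The function names and sample tokens are constructed for illustration, and the classification is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"                                  # NTLM message signature
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10


def classify_auth_header(value: str) -> str:
    """Classify one HTTP Authorization header value (heuristic, no full ASN.1 parse)."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if not token:
        return "malformed"
    # NTLM shows up raw or wrapped in SPNEGO; either way the signature is present.
    pos = token.find(NTLMSSP)
    if pos != -1:
        msg_type = int.from_bytes(token[pos + 8:pos + 12], "little")
        return f"ntlm-type{msg_type}"       # 1=negotiate, 3=authenticate (client side)
    # 0x60 = GSS-API initial context token; a Kerberos OID without NTLMSSP
    # means the mechToken is a Kerberos AP-REQ.
    if token[0] == 0x60 and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "spnego-other" if token[0] in (0x60, 0xA1) else "unknown"


def summarize(headers):
    """Count classifications across the header values pulled from a capture."""
    return Counter(classify_auth_header(h) for h in headers)


# Constructed samples: skeleton tokens, not real captures (lengths are not valid DER).
_ntlm = NTLMSSP + (1).to_bytes(4, "little") + bytes.fromhex("078208a2")
_krb = (b"\x60\x40" + OID_SPNEGO + b"\xa0\x36\x30\x34\xa0\x24\x30\x22"
        + OID_MS_KRB5 + OID_KRB5 + OID_NTLM + b"\xa2\x0c\x04\x0a" + bytes(10))
SAMPLE_NTLM = "Negotiate " + base64.b64encode(_ntlm).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(_krb).decode()

if __name__ == "__main__":
    print(summarize([SAMPLE_NTLM, SAMPLE_NTLM, SAMPLE_KRB]))
```

A capture in which every outbound request from the web front end classifies as `ntlm-type1` or `ntlm-type3` matches the symptom described above: the client side never obtained a service ticket for the back-end server.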

Dec 22, 2010 Update! Limited Success!
In one of my isolated SharePoint 2010 dev farms (an 8 server farm, isolated in its own domain), I was able to get Kerberos working with Teamworks after working around the kinit/Kerberos encryption issue (see the kinit link in the resources section). I have not had any success in larger, more complex domains. I'm now exploring the MS whitepaper on implementing Kerberos (see link in resources section) hoping a solution will leap out at me *crosses fingers!*

LINKS TO KERBEROS RESOURCES
