This is a live-blogging post from the International SharePoint Conference London 2012, so don't expect well-written prose here.
Session by Spencer Harbar & Todd Carter
Configuring
- configure an SPN for SQL Server and restart the SQL services
- switching the webapp to Kerberos makes SharePoint change applicationHost.config (the IIS metabase)
- create an SPN for the webapp and do an iisreset
- don't try to force Kerberos; Negotiate is just fine, so fallback to NTLM is possible
- use kerbtray to check if everything is working
Delegation (simple)
- the Delegation tab is only available in AD once you have created an SPN
- for the simple scenario, only configure delegation on the service account running the webapp
- try to use constrained delegation only
- do an iisreset after you set delegation
- stay out of the DCOM settings in Windows Server 2008, no matter what some blog posts say!
Common issues
- fat-fingered SPNs: use the correct one
- duplicate SPNs: setspn -x to check
- clock skew: ensure time sync
- PAC validation: disable it
- host name issues: never use CNAMEs
- load balancing interferes: set up the webapp correctly
- authentication prompts: disable kernel-mode authentication
- authentication fails: configure MaxTokenSize
- IE6 clients use NTLM: don't use CNAMEs
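
The first two common issues (fat-fingered and duplicate SPNs) can be checked offline against an export of each service account's SPNs. The sketch below is an added example, not from the session; the account names, hosts and the SAMPLE data are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# serviceclass/host[:port-or-instance][/servicename], with no whitespace anywhere
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+(:[A-Za-z0-9$_-]+)?(/[^\s/]+)?$")

def lint_spn(spn):
    """Return the problems found in one SPN string (empty list = looks fine)."""
    if "://" in spn:
        return ["URL used instead of class/host form"]
    problems = []
    if spn != spn.strip():
        problems.append("leading/trailing whitespace")
    if not SPN_RE.match(spn.strip()):
        problems.append("not in serviceclass/host[:port] form")
    return problems

def find_duplicates(accounts):
    """Map each SPN registered on more than one account to its owners.
    SPNs are compared case-insensitively, as Active Directory does."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.strip().lower()].add(account)
    return {s: sorted(a) for s, a in owners.items() if len(a) > 1}

def audit(accounts):
    """Combine both checks into one report."""
    malformed = {}
    for account, spns in accounts.items():
        for spn in spns:
            problems = lint_spn(spn)
            if problems:
                malformed[(account, spn)] = problems
    return {"duplicates": find_duplicates(accounts), "malformed": malformed}

# Constructed sample: account -> servicePrincipalName values
SAMPLE = {
    r"CONTOSO\svc-spweb": ["HTTP/intranet.contoso.example", "HTTP/intranet"],
    r"CONTOSO\svc-spweb-old": ["http/INTRANET.contoso.example"],
    r"CONTOSO\svc-sql": ["MSSQLSvc/sql01.contoso.example :1433"],
    r"CONTOSO\svc-portal": ["http://portal.contoso.example"],
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for spn, accts in report["duplicates"].items():
        print("DUPLICATE", spn, "on", ", ".join(accts))
    for (account, spn), problems in report["malformed"].items():
        print("MALFORMED", repr(spn), "on", account, "->", "; ".join(problems))
```

On a live domain, setspn -x performs the duplicate check directly; the value of the offline version is that it also catches malformed entries before they are registered.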