Implementing Kerberos and using claims based Web Applications Part 2

This is a live blogging post from the International SharePoint Conference London 2012, so don’t expect well-written prose here.

Session by Spencer Harbar & Todd Carter


  • configure an SPN for SQL Server (on the SQL service account) and restart the SQL services
  • by switching the web application to Kerberos you will have SharePoint changing applicationHost.config (the IIS 7 successor to the metabase)
  • create an SPN (HTTP/hostname) for the web application’s app pool account and do an iisreset
  • don’t try to force Kerberos; Negotiate is just fine, so fallback to NTLM stays possible
  • use Kerbtray (or klist) to check that a service ticket for the web application is actually being issued

Delegation (simple)

  • the Delegation tab in AD Users and Computers only appears on an account once it has an SPN
  • for the simple scenario, only configure delegation on the service account running the web application
  • try to use constrained delegation only
  • do an iisreset after you set delegation
  • stay out of the DCOM settings on W2K8, no matter what some blog posts say!

Common issues

  • fat-fingered SPNs: use the correct one (service class, FQDN, and port where needed)
  • duplicate SPNs: run setspn -X to check
  • clock skew: ensure time sync (Kerberos tolerates 5 minutes by default)
  • PAC validation: disable it on the web servers
  • host name issues: never use CNAMEs
  • load balancing interferes: set up the web application correctly
  • authentication prompts: disable kernel-mode authentication
  • authentication fails: configure MaxTokenSize
  • IE6 clients fall back to NTLM: don’t use CNAMEs
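
The setup steps and the fixes from the two lists above, as one PowerShell run on a SharePoint web front end. This is an added example and not code from the session or the speakers. Every name in it is an assumption: domain CONTOSO / contoso.com, web application host sp.contoso.com, app pool account svc_spweb, SQL host sqlsrv.contoso.com with service account svc_sql, IIS site "SharePoint - 80", and domain controller dc01.contoso.com. It also assumes the RSAT ActiveDirectory module is installed and the account running it may write SPNs and delegation settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not the session's code). All host and account names are assumptions.
Import-Module ActiveDirectory

$Domain     = 'CONTOSO'
$WebHost    = 'sp.contoso.com'       # must resolve through an A record, never a CNAME
$WebAccount = 'svc_spweb'            # app pool account of the web application
$SqlHost    = 'sqlsrv.contoso.com'
$SqlAccount = 'svc_sql'              # SQL Server service account
$SiteName   = 'SharePoint - 80'      # IIS site SharePoint created for the web application
$Dc         = 'dc01.contoso.com'
$appcmd     = "$env:windir\system32\inetsrv\appcmd.exe"

# 1. SPNs. setspn -S refuses to add an SPN another account already holds, which catches a
#    fat-fingered or duplicate entry before it turns into a debugging session.
function Add-Spn([string]$Spn, [string]$Account) {
    Write-Host "Registering $Spn on $Domain\$Account"
    setspn -S $Spn "$Domain\$Account"
}
Add-Spn "MSSQLSvc/${SqlHost}:1433" $SqlAccount   # default instance on TCP 1433
Add-Spn "MSSQLSvc/$SqlHost"        $SqlAccount
Add-Spn "HTTP/$WebHost"            $WebAccount   # HTTP/ covers https too; no port for 80/443
# then restart the SQL service on the SQL host (Restart-Service MSSQLSERVER over there)

# sweep the domain for duplicate SPNs
setspn -X

# 2. Delegation, simple scenario: constrained, Kerberos only, on the web app account only.
#    Writing msDS-AllowedToDelegateTo is exactly what the "Use Kerberos only" option does;
#    "use any authentication protocol" would additionally set TRUSTED_TO_AUTH_FOR_DELEGATION.
Set-ADUser -Identity $WebAccount -Replace @{
    'msDS-AllowedToDelegateTo' = @("MSSQLSvc/${SqlHost}:1433", "MSSQLSvc/$SqlHost")
}
Get-ADUser $WebAccount -Properties 'msDS-AllowedToDelegateTo', servicePrincipalName |
    Select-Object Name, 'msDS-AllowedToDelegateTo', servicePrincipalName | Format-List

# 3. IIS: leave the Negotiate provider in place (Kerberos with NTLM fallback) and turn kernel-mode
#    authentication off, otherwise the ticket is decrypted with the machine account's key rather
#    than the app pool account's, and users get authentication prompts.
& $appcmd set config $SiteName -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"False" /commit:apphost
& $appcmd list config $SiteName -section:system.webServer/security/authentication/windowsAuthentication

# 4. Registry knobs on the web server. MaxTokenSize: raise it for users in many groups
#    (48000 is the Windows 8 / Server 2012 default; stay below 65535). ValidateKdcPacSignature=0
#    stops the server calling a DC to validate the PAC on each logon (KB 906736). Trade-off: with
#    validation off, a forged PAC in a ticket encrypted with the app pool account's key is accepted,
#    so that account's password needs to be treated as a credential worth protecting.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
Set-ItemProperty -Path $kerbParams -Name MaxTokenSize            -Value 48000 -Type DWord
Set-ItemProperty -Path $kerbParams -Name ValidateKdcPacSignature -Value 0     -Type DWord

# 5. Clock skew: tickets are rejected if client and KDC differ by more than 5 minutes (default).
w32tm /stripchart "/computer:$Dc" /samples:3 /dataonly

# 6. DNS: behind a CNAME, IE asks for a ticket for the CNAME target instead of HTTP/sp.contoso.com.
$entry = [System.Net.Dns]::GetHostEntry($WebHost)
if ($entry.HostName -ne $WebHost) {
    Write-Warning "$WebHost is an alias for $($entry.HostName); use an A record instead"
}

iisreset /noforce

# 7. Verify from a domain-joined client (not on the server itself): purge tickets, hit the site,
#    and look for a service ticket for HTTP/sp.contoso.com. Kerbtray shows the same thing graphically.
klist purge | Out-Null
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
$null = $wc.DownloadString("http://$WebHost/")
klist | Select-String "HTTP/$WebHost"
```

Steps 1 to 6 run on the web front end with rights to write SPNs; step 7 belongs on a client, because a ticket obtained on the server itself does not prove that browsers elsewhere get one. If `klist` shows no HTTP/ ticket after the request, the usual suspects are the ones in the list above: a duplicate or wrong SPN (`setspn -X`, `setspn -L CONTOSO\svc_spweb`), a CNAME in front of the site, or a clock that is off by more than five minutes.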