Implementing Kerberos and using claims based Web Applications Part 3

This is a live blogging post from the International SharePoint Conference London 2012. So don’t expect well-written proza here.

by Spencer Harbar & Todd Carter

Troubleshooting

• Fiddler
• Eventlog
• Kerberos debug view (advanced)
• Netmon (filter capture for authn)

Advanced Delegation with the c2wts

• claims delegation is ok inside SharePoint, but most external services don’t yet support it
• bridge the gap with the claims to windows token service (c2wts)
• to use the c2wts you only need to configure delegation on 2 accounts: the service app pool account & the account running c2wts
• the user can even logon to sp with ntlm in this scenario! that’s a really powerful scenario, that’s the protocol transition part (ntlm>kerberos)
• only possible with windows claims, not saml claims (SharePoint constraint, WIF can do it) debatable workaround found here
• kerberos constrained delegation with protocol transition is needed
• downsize to protocol transition: you can’t cross domain boundaries, so the user/resource domain scenario is not possible
• c2wts must be running on the app server only
• change the c2wts from using localsystem to a named service account
• the user that runs the c2wts must be a local admin on the app server and have the “act as part of the os” and “impersonate a client after authn” local security policies
• configure delegation for the c2wts service account in AD, you might need to create a dummy spn in order to have the tab available
• delegation should use the “use any authn protocol” setting, what means: use protocol transition
• don’t forget to perform the exact same steps on the service app pool account
• restart the c2wts and iis on the app server to get it working
• never configure the spn for the sql alias used in sharepoint