Wednesday, June 19, 2013

Kerberos Implementation in SharePoint 2010

Hi,

Below is the procedure which we followed to implement Kerberos Authentication in SharePoint 2010

Ø  Change the Web Application authentication to Kerberos:

Browse to Central Administration and navigate to Manage Web Applications in the Application Management section. In the toolbar, select your web application. Ensure that the following is configured:
·         Select Classic Mode Authentication.
·         Configure the port and host header for each web application.
·         Select Negotiate as the Authentication Provider.

When you create a new web application you also create a new zone, the default zone, configured to use the Windows authentication provider. You can see the provider and its settings for the zone in web application management by first selecting the web application, then clicking Authentication Providers in the toolbar. The authentication providers dialog box lists all the zones for the selected web application along with the authentication provider for each zone. By selecting a zone, you will see the authentication options for that zone.

If you misconfigured the Windows settings and selected NTLM when the web application was created, you can use the edit authentication dialog for the zone to switch the zone from NTLM to Negotiate. If classic mode was not selected as the authentication mode, you must either create a new zone by extending the web application to a new IIS web site or delete and recreate the web application.

Create alternate access mappings

The portal web application will be configured to use HTTPS as well as HTTP to demonstrate how delegation works with SSL protected services. To configure SSL, the portal web application will need a second SharePoint Server alternate access mapping (AAM) for the HTTPS endpoint.
Ø  To configure alternate access mappings
1.    In Central Administration, click Application Management.
2.    Under Web Applications click configure alternate access mappings.
3.    In the Select Alternate Access Mapping Collection dropdown, select the Change Alternate Access Mapping Collection.
4.    Select the portal web application.
5.    Click Edit Public Urls in the top toolbar.
6.    In a free zone, add the https URL for the web application. This URL will be the name on the SSL certificate you will create in the next steps.
7.    Click Save.
You should now see the HTTPS URL in the zone list for the web application.


IIS configuration on all WFE servers:

Ø  Install SSL certificates

You will need to configure an SSL certificate on each SharePoint Server hosting the web application service for each web application that uses SSL. Again, the topic of how to configure an SSL certificate and certificate trust is out of scope for this document. See the SSL Configuration section in this document for references to material about configuring SSL certificates in IIS.

Verify that Kerberos authentication is enabled

Ø  To verify that Kerberos authentication is enabled on the web site
1.    Open IIS manager.
2.    Select the IIS web site to verify.
3.    In Features View, under IIS, double click Authentication.
4.    Select Windows, Anonymous and Forms Authentication, which should be enabled.
5.    On the right hand side under Actions, select Providers. Verify Negotiate is at the top of the list.

Verify that Kernel mode authentication is disabled

Kernel mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server Web Applications should have Kernel Mode Authentication disabled by default on their corresponding IIS web sites. Even in situations where the web application was configured on an existing IIS web site, SharePoint Server disables kernel mode authentication as it provisions a new web application on the existing IIS site.
Ø  To verify that kernel mode authentication is enabled for all web applications that use Kerberos
1.    Open IIS manager.
2.    Select the IIS web site to verify.
3.    In Features View, under IIS, double click Authentication.
4.    Select Windows Authentication, which should be enabled.
5.    Click Advanced Settings.
6.    Verify that both EAP and Kernel Mode Authentication are enabled.



Ø  Apply the performance settings from the following articles:

1.    You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 7.0

To resolve this problem, set the value of the authPersistNonNTLM property to True at the server level in IIS 7.0. To do this, follow these steps:

·         Click Start, click Run, type cmd, and then click OK.
·         At the command prompt, type the following commands, and then press ENTER:
cd %SystemRoot%\System32\inetsrv
appcmd set config /section:windowsAuthentication /authPersistNonNTLM:true

Execute these commands on all application servers, web front end servers and database servers.

2.    Apply the settings for application servers and web front end servers described in the article below.
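Reading these settings with PowerShell instead of clicking through IIS Manager on every front end makes the two IIS checks above and the authPersistNonNTLM setting from step 1 repeatable. This is an added example, not code from the original post; it assumes IIS 7.x with the WebAdministration module, an elevated prompt, and IIS sites named with SharePoint's default "SharePoint - " prefix.

```powershell
# Added example (not from the original post): read the IIS Windows Authentication settings
# that the procedures above check by hand, for every SharePoint site on this front end.
Import-Module WebAdministration

function Get-KerberosSiteSettings {
    param([Parameter(Mandatory=$true)][string]$SiteName)

    $sitePath = "IIS:\Sites\$SiteName"
    $auth     = 'system.webServer/security/authentication'

    $win   = Get-WebConfiguration -Filter "$auth/windowsAuthentication"   -PSPath $sitePath
    $anon  = Get-WebConfiguration -Filter "$auth/anonymousAuthentication" -PSPath $sitePath
    $forms = Get-WebConfiguration -Filter 'system.web/authentication'     -PSPath $sitePath

    # Providers in the order IIS offers them in WWW-Authenticate. Negotiate must come first;
    # if NTLM is listed first the browser uses NTLM even though Kerberos would have worked.
    $providers = @(Get-WebConfiguration -Filter "$auth/windowsAuthentication/providers/add" -PSPath $sitePath |
                   ForEach-Object { $_.value })

    New-Object PSObject -Property @{
        Site               = $SiteName
        WindowsAuth        = [bool]$win.enabled
        AnonymousAuth      = [bool]$anon.enabled
        FormsAuth          = ($forms.mode -eq 'Forms')
        Providers          = ($providers -join ', ')
        NegotiateFirst     = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
        KernelMode         = [bool]$win.useKernelMode          # compare with the policy chosen above
        UseAppPoolCreds    = [bool]$win.useAppPoolCredentials  # only matters when KernelMode is true
        AuthPersistNonNTLM = [bool]$win.authPersistNonNTLM     # the performance setting from step 1
    }
}

# Report every SharePoint web site (assumed naming) and flag any that would still fall back to NTLM.
$report = Get-Website | Where-Object { $_.Name -like 'SharePoint*' } |
          ForEach-Object { Get-KerberosSiteSettings -SiteName $_.Name }
$report | Format-Table Site, WindowsAuth, NegotiateFirst, KernelMode, AuthPersistNonNTLM, Providers -AutoSize
$report | Where-Object { -not ($_.WindowsAuth -and $_.NegotiateFirst) } |
          ForEach-Object { Write-Warning "$($_.Site): Windows Authentication is off or Negotiate is not the first provider" }
```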
     

Ø  Test browser authentication

After configuring Active Directory, DNS and SharePoint Server you can now test whether Kerberos authentication is configured correctly by browsing to your web applications. When testing in the browser, ensure the following conditions are met:
1.    The test user is logged into a Windows XP, Vista, or Windows 7 computer joined to the domain that SharePoint Server is installed in, or is logged into a domain trusted by the SharePoint Server domain.
2.    The test user is using Internet Explorer 7.0 or later (Internet Explorer 6.0 is no longer supported in SharePoint Server 2010; see Plan browser support (SharePoint Server 2010)).
3.    Integrated Windows authentication is enabled in the browser. Under Internet Options, on the Advanced tab, make sure Enable Integrated Windows Authentication* is enabled in the Security section.
4.    Local intranet is configured to automatically log on clients. Under Internet Options, on the Security tab, select Local intranet and click the Custom level button. Scroll down and make sure that “Automatic logon only in Intranet zone” is selected.
Note:
It is possible to configure automatic logon in other zones, but IE security zone best practices are outside the scope of this paper. For this demonstration the intranet zone will be used for all tests.
5.    Ensure that Automatically detect intranet network is selected in Internet options->Security->Intranet Zone->Sites.
6.    If you are using fully qualified domain names to access the SharePoint Server web applications, ensure that the FQDNs are included in the intranet zone, either explicitly or by wildcard inclusion (for example, “*.vmlab.local”).
The easiest way to determine if Kerberos authentication is being used is by logging into a test workstation and navigating to the web site in question. If the user isn’t prompted for credentials and the site is rendered correctly, you can assume Integrated Windows authentication is working. The next step is to determine if the negotiate protocol was used to negotiate Kerberos authentication as the authentication provider for the request. This can be done in the following ways:

Front-end Web security logs

If Kerberos authentication is working correctly you will see Logon events with event ID 4624 in the Security event log on the front-end web servers.
In the general information for these events you should see the security ID of the account being logged on to the computer and the Logon Process used, which should be Kerberos.
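Scanning the Security log for those 4624 events and grouping them by authentication package shows at a glance which accounts are using Kerberos and which are still arriving over NTLM. This is an added example, not code from the original post; it reads the named EventData fields of each event and assumes you have rights to read the Security log on the front-end web.

```powershell
# Added example (not from the original post): summarise 4624 logon events on a front-end
# web by authentication package, so Kerberos logons and any remaining NTLM logons show
# up side by side.
function Get-WebLogonSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a front-end web; defaults to this server
        [int]$Hours = 1
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Use the named EventData fields rather than positional Properties[] indexes.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Logon type 3 (Network) is what IIS records for browser authentication; skip the rest.
        if ($data['LogonType'] -ne '3') { continue }
        New-Object PSObject -Property @{
            Time         = $e.TimeCreated
            Account      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonProcess = $data['LogonProcessName']          # 'Kerberos' when a ticket was used
            Package      = $data['AuthenticationPackageName'] # 'Kerberos' or 'NTLM'
            Client       = $data['IpAddress']
        }
    }
}

# Count logons per account and package. An account that keeps appearing with 'NTLM' after
# the change is still falling back; re-check that client's intranet zone and FQDN settings
# from the browser checklist above.
Get-WebLogonSummary -Hours 24 |
    Group-Object Account, Package |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize
```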

 

Ø  KList

KList is a command line utility included in the default installation of Windows Server 2008 and Windows Server 2008 R2 that can be used to list and purge Kerberos tickets on a given computer. To run KList, open a command prompt in Windows Server 2008 and type klist.
If you want to purge the ticket cache, run klist with the optional purge parameter: klist purge

KerbTray

KerbTray is a free utility included with the Windows 2000 Resource Kit Tools that can be installed on your client computer to view the Kerberos ticket cache. Download and install it from Windows 2000 Resource Kit Tool: Kerbtray.exe. Once you have it installed, perform the following actions:
1.    Navigate to the web sites that use Kerberos Authentication.
2.    Run KerbTray.exe.
3.    View the Kerberos Ticket cache by right clicking on the kerb tray icon in the system tray and selecting List Tickets.
4.    Validate that the service tickets for the web applications you authenticated to are in the list of cached tickets. In our example we navigated to the following web sites, which have the following SPNs registered:

SPN
HTTP/Portal.vmlab.local
HTTP/Teams.vmlab.local


Ø  Fiddler

Fiddler is a free HTTP traffic analyzer that can be downloaded from the following location: http://www.fiddlertool.com/. In fiddler you will see the client and server negotiate Kerberos authentication and you will be able to see the client send the Kerberos Service Tickets to the server in the HTTP headers of each request. To validate that Kerberos authentication is working correctly using fiddler perform the following actions:
1.    Download and install Fiddler (www.fiddlertool.com) on the client computer.
2.    Log out of the desktop and log back in to flush any cached connections to the web server and force the browser to negotiate Kerberos authentication and perform the authentication handshake.
3.    Start Fiddler.
4.    Open Internet Explorer and browse to the web application (http://portal in our example).
You should see the requests and responses to the SharePoint Server front-end web in Fiddler.
The first request is the browser's GET without any authentication.
In response, the server sends back an "HTTP 401 – unauthorized" and in this response indicates which authentication methods it supports.
In the next request, the client resends the previous request, but this time it sends the service ticket for the web application in the headers of the request.
If you select the “Auth” view within the Fiddler inspector window you will also see the Kerberos ticket in the request and the Kerberos response.
If authentication succeeds, the server sends back the requested resource.
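The header value shown in Fiddler does not by itself prove Kerberos was used: both the Negotiate and NTLM schemes can carry an NTLM message, and a Negotiate (SPNEGO) token can wrap NTLM when the browser fell back. The following added example (not code from the original post) decodes a captured header value and looks for the NTLMSSP signature and the Kerberos OID inside it; the sample header values are constructed, not captured traffic.

```powershell
# Added example (not from the original post): classify an Authorization or WWW-Authenticate
# header value from Fiddler as a Kerberos token, an NTLM message, or an SPNEGO wrapper
# that fell back to NTLM, by inspecting the decoded token rather than the scheme name.

# True when the byte pattern (hex, no spaces) occurs at a byte boundary in $Bytes.
function Test-BytePattern([byte[]]$Bytes, [string]$HexPattern) {
    $hex = -join ($Bytes | ForEach-Object { $_.ToString('X2') })
    $i = $hex.IndexOf($HexPattern)
    while ($i -ge 0 -and ($i % 2) -ne 0) { $i = $hex.IndexOf($HexPattern, $i + 1) }
    return ($i -ge 0)
}

function Get-NegotiateTokenKind([string]$HeaderValue) {
    $parts = $HeaderValue.Trim() -split '\s+', 2
    if ($parts.Count -lt 2) { return 'challenge' }               # bare "Negotiate" in the 401 response
    $bytes   = [Convert]::FromBase64String($parts[1])
    $isGss   = ($bytes.Length -gt 0 -and $bytes[0] -eq 0x60)     # ASN.1 [APPLICATION 0]: GSS-API token
    $hasNtlm = Test-BytePattern $bytes '4E544C4D53535000'        # "NTLMSSP\0" signature
    $hasKrb  = Test-BytePattern $bytes '06092A864886F712010202'  # OID 1.2.840.113554.1.2.2 (Kerberos 5)
    if ($hasNtlm -and -not $isGss) { return 'ntlm' }
    if ($hasNtlm)                  { return 'spnego-ntlm' }      # SPNEGO wrapper, but the browser fell back to NTLM
    if ($isGss -and $hasKrb)       { return 'kerberos' }
    return 'unknown'
}

# Constructed samples, not captured traffic: a minimal NTLM NEGOTIATE message, and a SPNEGO
# NegTokenInit (OID 1.3.6.1.5.5.2) whose mechTypes list holds only the Kerberos 5 OID.
$ntlmBytes = [byte[]]([Text.Encoding]::ASCII.GetBytes("NTLMSSP`0") + @(1,0,0,0,0x07,0x82,0x08,0xA2))
$krbBytes  = [byte[]](0x60,0x1B,0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,0xA0,0x11,0x30,0x0F,0xA0,0x0D,
                      0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)
$samples = @(
    'Negotiate',
    ('Negotiate ' + [Convert]::ToBase64String($krbBytes)),
    ('NTLM '      + [Convert]::ToBase64String($ntlmBytes)),
    ('Negotiate ' + [Convert]::ToBase64String($ntlmBytes))     # NTLM message under the Negotiate scheme
)
foreach ($h in $samples) { '{0,-12} {1}' -f (Get-NegotiateTokenKind $h), $h }
```

Paste the value of the Authorization header from the second request in Fiddler into Get-NegotiateTokenKind; a result of kerberos confirms the service ticket was sent, while ntlm or spnego-ntlm means the client never obtained a ticket for that SPN.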
