Insufficient data from Andrew Fryer

The place where I page to when my brain is full up of stuff about the Microsoft platform

Hopping Mad with Kerberos

Like Heracles, many an IT Pro has had to wrestle with Kerberos, and for those that don’t have rippling biceps I thought it would be good to give you some tips on doing battle with this many headed beast that is used to protect many a server.

In IT Land Kerberos is a necessary evil to enable users credentials to be passed from server to server without them needing to sign on to each box in turn.  As a Business Intelligence sort of chap I need this so that users can be authenticated on a portal and then be directed from a scorecard to a report which can come from several sources all of which reside on different servers.

I have literally been up all night trying to get Kerberos working and failed because of some certificate issues which I still don’t completely understand.  Kerberos is part of AD and the product guys there all understand and so does any MCSE type IT Pro.  However the people that are affected by it are web admin guys, exchange gurus, SharePoint experts,  DBA’s and so on, and none of the products these guys look after (IIS, SQL Server Exchange etc.) have any tools to manage Kerberos never mind third party applications.

Hercules doesn’t work for Microsoft, but Brian Murphy-Booth does and he has done two things to help you vanquish the beast:

  • He has developed DelegConfig, which runs from a client trying to get to a server and checks for all the common pitfalls. Brian tells me V2 is coming along wiht support for IIS7 and the latest features in Sharepoint.
  • He blogs here.

Hopefully this will appear in a product one day or be on Codeplex, but either way thankyou Brian!