Enabling Kerberos authentication for an Office SharePoint Server 2007 farm deployment

To enable Kerberos authentication for services in Office SharePoint Server 2007, you must create and register Service Principal Names (SPNs) in Active Directory. To create SPNs in an Active Directory domain, you must have domain administrative-level permissions.

Authentication clients

Clients use these registered SPNs to identify each instance of a service. A Web browser, such as Microsoft Internet Explorer, is the client when you attempt to render a Web page from an Office SharePoint Server 2007 Web application. The Microsoft .NET Framework is the client when Office SharePoint Server 2007 crawls local content sources or makes a call to the Shared Services Provider (SSP) infrastructure. An SSP is a logical grouping of a common set of services and service data that can be provided to Web applications and their associated Web sites. An SSP infrastructure enables the sharing of services across:

  • Server farms
  • Web applications
  • Site collections

The Office Server Web Services Web site is the SSP infrastructure for Office SharePoint Server 2007. The SSP infrastructure exists on any server running Office SharePoint Server 2007 that is deployed using the Complete installation option. Kerberos authentication does not work with the Office Server Web Services Web site unless the Infrastructure Update for Microsoft Office Servers is installed. For information about downloading and installing the Infrastructure Update, see the Updates Resource Center for SharePoint Products and Technologies.

Farm deployment

To deploy an Office SharePoint Server 2007 server farm using Kerberos authentication, you must install and configure a variety of applications on your computers to support the following functionality:

  • Communication between Office SharePoint Server 2007 and Microsoft SQL Server database software.
  • Access to the SharePoint Central Administration Web application.
  • Access to other Web applications, including a portal site Web application, a My Site Web application, and an SSP Administration site Web application.
  • Access to shared services for the Office SharePoint Server 2007 Web applications in the SSP infrastructure.

When a client (Internet Explorer or the .NET Framework) attempts to access a resource using Kerberos authentication, the client must construct an SPN to be used as part of the Kerberos authentication process. If the client does not construct an SPN that matches the SPN that is registered in Active Directory, Kerberos authentication will fail, usually with an “access denied” error.

There are versions of Internet Explorer that do not construct SPNs with port numbers. If you are using Office SharePoint Server 2007 Web applications that are bound to non-default port numbers in IIS, you might have to direct Internet Explorer to include port numbers in the SPNs that it constructs. In a farm running Office SharePoint Server 2007, the Central Administration Web application is hosted, by default, in an IIS virtual server that is bound to a non-default port.

In a farm running Office SharePoint Server 2007, by default, the .NET Framework does not construct SPNs that contain port numbers. This is why Search cannot crawl Web applications using Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to non-default ports. It is also the reason why Kerberos authentication cannot be correctly configured and made to work for the SSP infrastructure unless the Infrastructure Update for Microsoft Office Servers is installed.

New, custom-format SPN

The Infrastructure Update for Microsoft Office Servers includes a new, custom-format SPN for Kerberos authentication for the SSP infrastructure. This custom-format SPN introduces a new Service Class: MSSP. The custom-format SPN uses the following format: MSSP/<host:port>/<SSP name>. The Infrastructure Update sets a .NET Framework property that directs the .NET Framework to use this specific SPN for a given URI, instead of the port-less SPN it would otherwise construct. The .NET Framework is used to make inter-server calls to the Office SharePoint Server 2007 SSP infrastructure Web services.

The SSP infrastructure includes a Search shared service at both the root level and the virtual directory level in IIS. There is also an Excel Calculation Services shared service at the virtual directory level in IIS. After the SSP infrastructure is configured for Kerberos authentication, Kerberos will be used for accessing shared services at both the root level and the virtual directory level. You do not need to register SPNs for root-level Web services; you only need to register SPNs for virtual-directory-level Web services. This is because when a computer is joined to a domain, a HOST-class SPN is automatically registered for the computer account in the domain, and that SPN will work for the root-level Web service. However, you do need to register SPNs corresponding to the virtual directories that actually correspond to the SSPs in your farm.
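The two points above, that a client-constructed SPN must match a registered one (including the port for sites bound to non-default ports) and that the SSP infrastructure uses the custom MSSP/<host:port>/<SSP name> format, can be checked before rolling out a farm. The following is an added Python example, not part of the original article and not Microsoft's code: it parses SPN strings, builds the SPN a client would construct for a Web application URL with or without the port, builds the MSSP SPN for an SSP, and reports which requests the registered set covers. The host names, ports, SSP name and registered SPN list are constructed for illustration, and the port rule in client_spn is a simplified model of the behaviour the article describes (a client that omits ports always builds HTTP/<host>; a client told to include ports appends it only when the site is bound to a non-default port).

```python
"""Check whether registered SPNs cover the SPNs Kerberos clients will construct
for a set of SharePoint URLs, and build the custom MSSP SPN for an SSP.

Constructed example for this article, not Microsoft's code. All host names,
ports, SSP names and registered SPNs below are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Spn:
    service_class: str                  # HTTP, HOST, or the custom MSSP class
    host: str
    port: Optional[int]                 # None when the SPN carries no port
    service_name: Optional[str] = None  # third component, e.g. the SSP name

    @classmethod
    def parse(cls, text: str) -> "Spn":
        """Parse '<class>/<host>[:port][/<name>]' into its components."""
        parts = text.split("/")
        if len(parts) not in (2, 3) or not all(parts):
            raise ValueError(f"malformed SPN: {text!r}")
        host, _, port = parts[1].partition(":")
        if port and not port.isdigit():
            raise ValueError(f"bad port in SPN: {text!r}")
        # Class and host are compared case-insensitively; the name is kept as given.
        return cls(parts[0].upper(), host.lower(), int(port) if port else None,
                   parts[2] if len(parts) == 3 else None)

    def __str__(self) -> str:
        hostport = f"{self.host}:{self.port}" if self.port is not None else self.host
        parts = [self.service_class, hostport]
        if self.service_name:
            parts.append(self.service_name)
        return "/".join(parts)


def client_spn(url: str, include_port: bool) -> Spn:
    """SPN a browser or the .NET Framework would build for a Web application URL.

    Simplified model (an assumption of this example): with include_port=False the
    client always builds HTTP/<host>; with include_port=True it appends the port
    only when the site is bound to a non-default port.
    """
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]
    non_default = port != DEFAULT_PORTS[u.scheme]
    return Spn("HTTP", u.hostname.lower(), port if include_port and non_default else None)


def ssp_spn(host: str, port: int, ssp_name: str) -> Spn:
    """Custom-format SPN from the Infrastructure Update: MSSP/<host:port>/<SSP name>."""
    return Spn("MSSP", host.lower(), port, ssp_name)


def coverage_report(registered_spns: List[str],
                    requests: List[Tuple[str, bool]]) -> List[Tuple[str, bool, str, bool]]:
    """For each (url, include_port) request, return (url, include_port,
    constructed SPN text, whether an identical SPN is registered)."""
    registered = {Spn.parse(s) for s in registered_spns}
    report = []
    for url, include_port in requests:
        wanted = client_spn(url, include_port)
        report.append((url, include_port, str(wanted), wanted in registered))
    return report


# Constructed sample data: a portal on the default port, Central Administration
# on a non-default port, and one SSP named "SharedServices1".
REGISTERED = [
    "HTTP/portal.corp.example",
    "HTTP/moss01.corp.example:12345",                  # Central Administration
    "MSSP/moss01.corp.example:50000/SharedServices1",  # SSP virtual directory
]
REQUESTS = [
    ("http://portal.corp.example/", False),        # browser, default port: matches
    ("http://moss01.corp.example:12345/", True),   # browser told to include the port
    ("http://moss01.corp.example:12345/", False),  # crawler drops the port: no match
]

if __name__ == "__main__":
    for url, include_port, spn, ok in coverage_report(REGISTERED, REQUESTS):
        print(f"{'OK  ' if ok else 'FAIL'} {url:40} port={include_port!s:5} -> {spn}")
    print(ssp_spn("moss01.corp.example", 50000, "SharedServices1"))
```

A FAIL row in the report is the "access denied" case the article describes: the ticket the client requests is for an SPN that nobody holds, so the mismatch shows up before any server-side troubleshooting. Registering the MSSP SPN for each SSP virtual directory is what lets the .NET Framework's inter-server calls succeed once the Infrastructure Update is installed.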

For more information about Kerberos authentication for Office SharePoint Server 2007, see Configure Kerberos authentication (Office SharePoint Server).

Douglas Goodwin, Writer
SharePoint Server UA team