I gave a presentation last night to the Tulsa SharePoint User Group on SharePoint and Kerberos. Here are the highlights:
1. Use an A record in your DNS for any SharePoint site you are going to use Kerberos with. When the site name is a CNAME, IE submits the underlying record the CNAME points at, not the hostname in the URL, to Kerberos for authentication, which will not work. Example: you have a CNAME for test.bob.lan that points at moss.bob.lan. IE will request a ticket for moss.bob.lan, and if your SPNs are set up correctly for test.bob.lan (see below), your Kerberos authentication will fail.
2. Use the domain you are in; in other words, if your local domain is bob.lan, use test.bob.lan for your A record, not test.bob.com. This is because IE will not automatically submit your credentials to any site that is not in the Intranet zone. (You would be prompted to enter your username/password. That works fine for people, but web service calls made by other programs might fail.)
3. Use the default ports, as IE does not include a non-default port in the SPN it submits to Kerberos for checking.
4. Set your SPNs up like this (BOB\mossgod being the account the SharePoint application pool runs as): SETSPN -A HTTP/test.bob.lan BOB\mossgod & SETSPN -A HTTP/test BOB\mossgod
5. The computer(s) MOSS/WSS is running on must be trusted for delegation, in addition to the SPNs above being registered.
As for debugging Kerberos errors:
—HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel (DWORD) = 1 turns on Kerberos event logging.
—Also HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize (DWORD) = 1. This makes Kerberos use TCP instead of UDP.
—WFETCH.exe allows you to see the HTTP authentication token sent in the request.
—Ldifde (LDIF Directory Exchange) exports every SPN in the domain to a text file:
ldifde -f c:\allspn.txt -d "DC=envoy,DC=lan" -l serviceprincipalname -r "(serviceprincipalname=*/*)" -p subtree
—With Server 2008, SETSPN -X searches for duplicate/colliding SPNs.
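On a Windows 2003 domain there is no SETSPN -X, but the ldifde export above already contains everything needed to find colliding SPNs and to confirm the HTTP SPNs from item 4. The script below is an added example, not code from the presentation: it parses the LDIF file ldifde writes (including folded and base64-encoded values), reports any SPN registered on more than one account, and checks that a given account holds HTTP/<fqdn> and HTTP/<short name> for a site. The sample LDIF, the bob.lan domain, the mossgod/oldsvc accounts and the function names are all constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape ldifde writes with "-l serviceprincipalname".
# The third entry deliberately re-registers HTTP/test.bob.lan on a second account,
# and the base64 ("::") value decodes to HTTP/test, as ldifde emits for values it
# does not print verbatim.
SAMPLE_LDIF = """\
dn: CN=mossgod,CN=Users,DC=bob,DC=lan
changetype: add
servicePrincipalName: HTTP/test.bob.lan
servicePrincipalName:: SFRUUC90ZXN0

dn: CN=MOSS,CN=Computers,DC=bob,DC=lan
changetype: add
servicePrincipalName: HOST/moss.bob.lan
servicePrincipalName: HOST/MOSS

dn: CN=oldsvc,CN=Users,DC=bob,DC=lan
changetype: add
servicePrincipalName: HTTP/test.bob.lan
"""


def parse_ldif_spns(text):
    """Return {dn: [spn, ...]} from an ldifde export.

    Handles LDIF line folding (a continuation line starts with one space)
    and base64 values written as 'attribute:: value'.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    result = {}
    dn = None
    for line in unfolded:
        if not line.strip():
            dn = None  # blank line ends the current entry
            continue
        if ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            dn = value
            result.setdefault(dn, [])
        elif attr == "serviceprincipalname" and dn is not None:
            result[dn].append(value)
    return result


def find_duplicate_spns(spns_by_dn):
    """Map each SPN registered on more than one account to those accounts.

    SPNs are compared case-insensitively; a collision means the KDC cannot
    tell which account should decrypt the service ticket, so Kerberos fails.
    """
    owners = defaultdict(set)
    for dn, spns in spns_by_dn.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def missing_http_spns(spns_by_dn, account_dn, site_host):
    """Return the HTTP SPNs (HTTP/<fqdn> and HTTP/<short>) the account lacks."""
    have = {s.lower() for s in spns_by_dn.get(account_dn, [])}
    short = site_host.split(".")[0]
    wanted = [f"HTTP/{site_host}", f"HTTP/{short}"]
    return [w for w in wanted if w.lower() not in have]


if __name__ == "__main__":
    spns = parse_ldif_spns(SAMPLE_LDIF)
    for spn, dns in find_duplicate_spns(spns).items():
        print(f"DUPLICATE {spn}: {', '.join(dns)}")
    app_pool = "CN=mossgod,CN=Users,DC=bob,DC=lan"
    print("missing on app pool account:", missing_http_spns(spns, app_pool, "test.bob.lan"))
```

To run it against a real export, read c:\allspn.txt into a string in place of SAMPLE_LDIF; the duplicate report is what SETSPN -X would have told you, and an empty "missing" list confirms item 4 for that account.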
—Wireshark, with the display filter dns || kerberos || ip.addr==<IP address of target machine>
—Klist & KerbTray (Win2k3 Resource Kit) show the tickets cached on the client.
—Net time: since Kerberos uses the system time when encrypting the TGT, all machines must have well-synchronized clocks.
—adsutil GET w3svc/1801x/root/NTAuthenticationProviders. For Windows 2003, this is the way to confirm that NTAuthenticationProviders on a web site is set correctly; replace 1801x with the numeric ID of the web site in question.