Configuring a Web Application to Use Kerberos

Kerberos is considered to be a more secure authentication mechanism than NT LAN Manager (NTLM) because Kerberos supports mutual authentication, which means that both the client and server must provide credentials, eliminating the possibility for a man-in-the-middle (MITM) attack. For clients to use Kerberos to authenticate to a service such as Microsoft Office SharePoint Server (MOSS) 2007, the service must have registered a Service Principal Name (SPN). However, if your Web application pools run in the context of Network Service accounts, you don’t need to register an SPN.

You can register an SPN by using setspn.exe, which you can download from http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46. The command syntax is

SETSPN -A http/f.q.d.n
    domainnameusername

where f.q.d.n is the Fully Qualified Domain Name (FQDN) of the server MOSS 2007 is running on and domainnameusername is the name of the user account the Web application pool runs as. You’ll need to run this command on every server in your Web farm. If you have multiple Web application pools running under different user accounts, you’ll need to run the command on each of them.

After you’ve registered the SPN, you need to enable the user accounts used by Web application pools for delegation. To do so, you can use the Microsoft Management Console (MMC) Active Directory Users and Computer snap-in to modify the user accounts in Active Directory (AD). Select a user account, right-click, select Properties from the context-sensitive menu, and click the Delegation tab. Then, select the Trust this user for delegation to any service (Kerberos only) option (shown in Figure A), click Apply, and click OK.

After you've enabled the user accounts, you need to restart Microsoft IIS on each server running MOSS 2007. You can do so by running the command

IISRESET /NOFORCE

on each server.