[SDP 5][D0509B21-17E4-4DF2-95FC-BFDFD8E2A8FF] The SharePoint 2010 Kerberos Configuration Troubleshooter

Article ID: 2732019

Summary

The Microsoft SharePoint 2010 Kerberos Configuration Troubleshooter manifest detects common Kerberos configurations on an instance of Microsoft SharePoint Server 2010.

In this release, the troubleshooter detects common Kerberos configurations when the SharePoint Service Application Kerberos delegation pattern is being used.

Important: Problematic conditions are checked only on the server on which this manifest is executed. To make sure that you have maximum coverage, we recommend that you run this package on each computer in the SharePoint farm. This article describes how this manifest file operates.

More Information

This article describes the information that may be collected from a computer when you run this package.   

Information that is collected

Manifest results

File name: {GUID}_kerberos_O14SP_Failures_mm_dd_yyyy_hhmm_[AM|PM].csv
Description: This file contains a clean version of the failure and warning conditions that are detected during the execution of the SharePoint 2010 Kerberos Configuration Troubleshooter manifest. The information that is included is as follows:

  • MachineName: Name of the computer for which the information is being collected. (This can be changed to help protect privacy prior to uploading to Microsoft.)
  • Timestamp: Date and time that the data was collected.
  • RuleID: A GUID value that indicates which SETH rule was triggered. (See the rules section later in this table for more information.)
  • InstanceID: A GUID that is used to identify a particular instance of a RuleID that was triggered. (You can have a rule applied multiple times on a computer and have only certain instances trigger a warning. This value will help you isolate that instance.)

File name: ResultReport.xml
Description: The actual results of the SharePoint Kerberos manifest. This is what is displayed to the user to indicate the status of each rule that is executed.

File name: Results.xml
Description: This is an internal file that is generated as a byproduct of the execution of the manifest. This file contains no customer data.

File name: Results.xsl
Description: This is an XSLT transform that formats the results in the ResultReport.xml file. This transform contains no customer data.

File name: Kerberos.O.debugreport.xml
Description: This file contains debug information that may be generated during the execution of the manifest. It also contains timings for all rules that are run. It may contain customer data. However, every attempt was made to minimize customer data.

File name: Stdout.log
Description: This file contains additional debug information for the manifest execution. It may contain customer data. However, every attempt was made to minimize customer data.

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_ExcelServicesInformation.txt
Description: This file contains the configuration information about the instances of Microsoft Excel Services in the farm. Information that is captured includes the following:

  • Excel Services instances
  • Excel Services application
  • Excel Services application pool
  • Excel Services application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for Excel Services application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_PerformancePointServicesInformation.txt
Description: This file contains the configuration information about instances of PerformancePoint Services in the farm. Information that is captured includes the following:

  • PerformancePoint Services instances
  • PerformancePoint Services application
  • PerformancePoint Services application pool
  • PerformancePoint Services application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for PerformancePoint Services application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_ReportingServices2012Information.txt
Description: This file contains the configuration information about instances of Microsoft SQL Server Reporting Services 2012 in the farm. Information that is captured includes the following:

  • SQL Server Reporting Services 2012 instances
  • SQL Server Reporting Services 2012 application
  • SQL Server Reporting Services 2012 application pool
  • SQL Server Reporting Services 2012 application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for SQL Server Reporting Services 2012 application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_VisioGraphicsServicesInformation.txt
Description: This file contains the configuration information about instances of Microsoft Visio Graphics Services in the farm. Information that is captured includes the following:

  • Visio Graphics Services instances
  • Visio Graphics Services application
  • Visio Graphics Services application pool
  • Visio Graphics Services application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for Visio Graphics Services application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_uls_%LANG%_O14SP_ULSLogs
Description: This file captures the ULS logs for the computer.

 

Authentication

| Rule ID | Title | Description |
| --- | --- | --- |
| 55E11AFB-33E1-C0DE-DE05-ABB7E799F8AE | Check for KB969083 | http://support.microsoft.com/kb/969083 |
| 6A0085C3-4673-C0DE-DE05-4C8BC15F9F90 | Checking time difference between current server and the SQL server | http://technet.microsoft.com/en-us/library/jj852172(v-ws.10).aspx |

 

Claims to Windows Token Services (C2WTS) 

| Rule ID | Title | Description |
| --- | --- | --- |
| 338C6FF8-6078-4D79-839C-E8F14E2AEAA1 | Checking whether claims to Windows Token Service (C2WTS) is installed | http://msdn.microsoft.com/en-us/library/hh231678.aspx |
| E04B911F-6384-4F4A-93E8-237E0F52E245 | Checking whether claims to Windows Token Service (C2WTS) is started | http://msdn.microsoft.com/en-us/library/hh231678.aspx |
| 111DA65B-E401-4DF1-8ECC-B51437979008 | Checking whether the dependency of C2WTS service on Cryptsvc is present | http://support.microsoft.com/kb/2722087 |
| E1590F5B-7384-496C-98A2-FFAE0CD1A248 | Checking whether WSS_WPG group is present in the list of allowed callers of c2wtshost.exe.config file | http://msdn.microsoft.com/en-us/library/hh231678.aspx |
| F97FD65F-A968-4452-B2C4-8B70E29BF423 | Local computer account could not access C2WTS | http://support.microsoft.com/kb/2722087 |
| A8222D3F-2C82-4CDF-ABE3-D46934A114C0 | Built-in account could not access C2WTS | http://support.microsoft.com/kb/2722087 |
| 6B07327F-BD37-490D-8C7E-FD57D9BB4C29 | "Log on as a service" right is missing for the service account in C2WTS | http://support.microsoft.com/kb/2722087 |
| DB155B37-2FBF-426B-9E52-AA88274D89DA | "Act as part of the operating system" right is missing for the service account in C2WTS | http://support.microsoft.com/kb/2722087 |
| 6DF5FEF4-0741-43E5-9E52-A3633B824E2F | "Impersonate a client after authentication" right is missing for the service account in C2WTS | http://support.microsoft.com/kb/2722087 |
| 142A5998-C2CC-4C13-9C24-F25DB3498450 | Checking whether the C2WTS domain account is the local administrator of the computer | http://support.microsoft.com/kb/2722087 |
| DEC84213-E36F-4C33-B68E-58162C1F539A | Checking whether Protocol Transitioning is not set to Any Authentication for the Claim to Windows Token Services account | http://support.microsoft.com/kb/2722087 |
| 30484955-8E2E-4F31-9452-F99DF41A6CAC | Checking authentication type on web applications for SharePoint Services | http://technet.microsoft.com/en-us/library/gg502594.aspx |

Excel Services  

| Rule ID | Title | Description |
| --- | --- | --- |
| A104DB0F-2272-4850-B322-DBB65870EE1D | Checking permissions on web applications content DBs for the Excel Services accounts | http://support.microsoft.com/kb/2466519 |
| 24881609-BC01-41C1-8A03-1D14DF91F6DB | Constrained delegation is not enabled to Excel Services AppPool account | http://support.microsoft.com/kb/2466519 |
| B93A843D-E5F7-4510-AD6E-FA06294FDD85 | Protocol transitioning is not set to Any Authentication protocol for Excel Services AppPool account | http://support.microsoft.com/kb/2466519 |
| F3002FAB-780A-43AA-B53D-DE35C279B9FE | Checking whether other computers in the farm have to run the SharePoint Kerberos package for Excel Services | http://technet.microsoft.com/en-us/library/gg502594.aspx |

PerformancePoint Services 

| Rule ID | Title | Description |
| --- | --- | --- |
| A7BDF8F2-E074-465D-8D24-298AAFD558D3 | Checking permissions on web application content databases for the PerformancePoint Services accounts | http://support.microsoft.com/kb/2723073 |
| 8FBA384B-F0F7-44E1-BEA3-09AF172F2D41 | Constrained delegation is not enabled to PerformancePoint Services AppPool account | http://support.microsoft.com/kb/2723073 |
| 59395596-7E6D-4AD4-996F-214D351D47E4 | Protocol transitioning is not set to Any Authentication protocol for PerformancePoint Services AppPool account | http://support.microsoft.com/kb/2723073 |
| C8B02937-BD00-483C-8717-3654532BCE48 | Checking whether other computers in the farm have to run the SharePoint Kerberos package for PerformancePoint Services | http://technet.microsoft.com/en-us/library/gg502594.aspx |

SQL Server Reporting Services 2012 

| Rule ID | Title | Description |
| --- | --- | --- |
| 6754E52C-E7B8-4C56-906B-605E104FBD20 | Checking permissions on web application content databases for SQL Server Reporting Services 2012 accounts | http://support.microsoft.com/kb/2723587 |
| 9AAB1907-77D4-4987-87D6-94D739381A44 | Constrained delegation is not enabled to SQL Server Reporting Services AppPool account | http://support.microsoft.com/kb/2723587 |
| 0AA98785-DD51-4F2C-9918-D2651D668B4D | Protocol transitioning is not set to Any Authentication protocol for SQL Server Reporting Services AppPool account | http://support.microsoft.com/kb/2723587 |
| 3849152B-B1EC-4401-80EC-7704BD5836B5 | Checking whether other computers in the farm have to run the SharePoint Kerberos package for SQL Server Reporting Services 2012 | http://technet.microsoft.com/en-us/library/gg502594.aspx |

Visio Graphics Services 

| Rule ID | Title | Description |
| --- | --- | --- |
| D3D925CE-A4A2-4786-9EE4-6517F7081248 | Checking permissions on web application content databases for Visio Graphics Services 2012 accounts | http://support.microsoft.com/kb/2723977 |
| 30DC0519-3E34-451D-8A48-F72FF335D137 | Constrained delegation is not enabled to Visio Graphics Services AppPool account | http://support.microsoft.com/kb/2723977 |
| 9B156D41-B5EE-4AA2-B7B2-C38062C4C3F0 | Protocol transitioning is not set to Any Authentication protocol for Visio Graphics AppPool account | http://support.microsoft.com/kb/2723977 |
| 085E304B-D89F-4CDA-9ED3-50F9DF258D51 | Checking whether other computers in the farm have to run the SharePoint Kerberos package for Visio Graphics Services | http://technet.microsoft.com/en-us/library/gg502594.aspx |

More information 

Kerberos has a ticket cache. This means that even after incorrect settings are changed, the delegation does not work until the Kerberos cache is flushed. To flush the ticket cache, you have to either restart the application pool that is delegating the identity or use the KList utility.   

KList 

KList is a command prompt utility that is included in the default installation of Windows Server 2008 and Windows Server 2008 R2. This utility can be used to list and delete Kerberos tickets on a given computer. To run KList, open a command prompt in Windows Server 2008, and then type KList.   
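
The two ways of flushing the cache described above, as an added example that is not part of the original article. A plain "klist purge" clears only the caller's own logon session, so the function looks up the sessions that belong to the application pool identity first. The account name, the application pool name and the function name are hypothetical, and the example assumes that the KList build on the server supports the sessions subcommand and the -li switch.

```powershell
# Added example (not from the KB article). Run from an elevated PowerShell prompt
# on the SharePoint server that performs the delegation.
function Clear-DelegationTicketCache {
    param(
        [Parameter(Mandatory=$true)] [string] $Account,  # DOMAIN\user of the app pool identity
        [string] $AppPoolName                             # optional: IIS application pool to restart
    )

    if ($AppPoolName) {
        # Option 1 from the article: restart the application pool that delegates.
        Import-Module WebAdministration
        Restart-WebAppPool -Name $AppPoolName
        return
    }

    # Option 2 from the article: KList. Find the logon sessions of the service
    # account, because "klist purge" alone only touches the current session.
    $sessions = klist sessions | Where-Object { $_ -like "*$Account*" }
    if (-not $sessions) {
        Write-Warning "No logon session found for $Account; nothing was purged."
        return
    }

    foreach ($line in $sessions) {
        # Assumption: each session line carries the logon ID as 0:0x<hex>.
        if ($line -match '0:(0x[0-9a-fA-F]+)') {
            $logonId = $Matches[1]
            klist -li $logonId tickets   # list what is cached before deleting it
            klist -li $logonId purge     # delete the tickets for that session only
        }
    }
}

# Hypothetical names; substitute the farm's own account and application pool.
# Clear-DelegationTicketCache -Account 'CONTOSO\svcExcel'
# Clear-DelegationTicketCache -Account 'CONTOSO\svcExcel' -AppPoolName 'ExcelServicesAppPool'
```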

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2732019 - Last Review: April 30, 2013 - Revision: 11.0
Applies to
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
Keywords: KB2732019
