How to configure SharePoint Server 2007 and Excel Services for Kerberos authentication

Article ID: 953130 - View products that this article applies to.

INTRODUCTION

This article describes how to configure a server that is running Windows Server 2003, Microsoft Office SharePoint Server 2007, and Excel Services for Kerberos authentication (using unconstrained delegation).

The article also requires that, at minimum, the Microsoft Office Server Infrastructure Update from July 2008 has been installed.

Further installation details for this update can be found here:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3811c371-0e83-47c8-976b-0b7f26a3b3c4&displaylang=en

(http://www.microsoft.com/downloads/en/details.aspx?FamilyID=3811c371-0e83-47c8-976b-0b7f26a3b3c4&displaylang=en)

Back to the top | Give Feedback

MORE INFORMATION

Follow these steps in the order in which they are presented to configure the Kerberos protocol on SharePoint Server 2007 and on Excel Services.

Configure SharePoint Server 2007 for Kerberos authentication

Step 1: Set the Service Principal Names (SPNs) for the SharePoint Web Application service accounts

You have to set the Service Principal Name (SPN) for the farm account on the computer that is running SharePoint Server 2007. To do this, you must have the Setspn.exe tool from the Windows Server 2003 Service Pack 1 (SP1) 32-bit Support Tools. For more information about how to obtain the latest version of the setspn.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

970536

(http://support.microsoft.com/kb/970536/ )

Setspn.exe support tool update for Windows Server 2003

After you download and install the Windows Support Tools, follow these steps:

If host headers are used with the SharePoint web applications, then complete this step then proceed to Step 2: Set the Services Principal Names for the Shared Services Provider. If host headers are not being used, skip this step and proceed to Step B.

Set the SPN for the host header by using the web application pool accounts. To do this, type the following commands, and then press ENTER after each one:
setspn.exe -A HTTP/Host_header domain\webapplication_pool_account

For example, if the host header is "sales.contoso.com" and the web application is running as "contoso\app_svc_acct" type the following commands, and press ENTER after each one:
setspn.exe -A HTTP/sales.contoso.com contoso\app_svc_acct
If host headers are NOT used, set the SPN for the SharePoint WebApplication by using the application pool accounts. To do this, type the following commands, and then press ENTER after each one:
setspn.exe -A HTTP/SharePoint_WebApplication:port domain\application_pool_account

setspn.exe -A HTTP/FQDN_of_the_WebApplication:port domain\application_pool_account
For example, for Web Application servers named "mossserver" and the web application is running as "contoso\app_svc_acct" type the following commands, and press ENTER after each one:
setspn.exe -A HTTP/mossserver:80 contoso\app_svc_acct
setspn.exe -A HTTP/mossserver.contoso.com:80 contoso\app_svc_acct
After you set the SPN, verify that the SPN is set correctly on the server. To do this, type the following commands at a command prompt, and press ENTER after each one:
setspn –L Domain\service_account
For example, type one of the following commands, and then press ENTER:
setspn -L contoso\app_svc_acct

If the SPN is configured correctly, the account URL address and the port number will be displayed. At the command prompt, you would see the SPNs set for the service accounts used from Steps 1 or Step 2.

Note Kerberos authentication cannot be configured to work with the SSP infrastructure in Office SharePoint Server 2007 unless the Infrastructure Update for Microsoft Office Servers is installed.

For more information, see the "Configure Kerberos authentication (Office SharePoint Server)" topic on the following Microsoft TechNet Web site:

http://technet.microsoft.com/en-us/library/cc263449.aspx

(http://technet.microsoft.com/en-us/library/cc263449.aspx)

Step 2: Set the Service Principal Names for the Shared Services Provider

You must enable the Kerberos protocol on the Shared Services Provider (SSP). To do this, follow the steps in the "Configure your SSP infrastructure for Kerberos authentication" topic on the following Microsoft TechNet Web site: http://technet.microsoft.com/en-us/library/cc263449.aspx#section14

(http://technet.microsoft.com/en-us/library/cc263449.aspx#section14)

Then, use the STSADM command to enable the Kerberos protocol on the Shared Services Provider (SSP).

To do this, at a command prompt, type the following, and then press ENTER:

STSADM -o SetSharedWebServiceAuthn -negotiate

Step 3: Trust for delegation on the SharePoint service accounts from Steps 1 and 2

To configure a service account to be trusted for (unconstrained) delegation, follow these steps:

Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
In the navigation pane, click Users.
Right-click the user who you want to configure, and then click Properties.
Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.

Step 4: (Optional) Configure the SharePoint Server 2007 Web site for Kerberos authentication

Configure the SharePoint Server 2007 Web site to use Kerberos authentication only if it is a security requirement for your organization. (This step is not required for Excel Services.) To set your web applications to authenticate using Kerberos, follow these steps:

Click Start, click Control Panel, double-click Administrative Tools, and then double-click SharePoint Central Administration.
Click the Application Management tab, and then click Authentication Providers.
In the Web Application list, select the Web application that you have to update.
Click the zone that you want.
On the Edit Authentication page for IIS Authentication Settings, click Negotiate (Kerberos). When you are prompted for confirmation, click OK.
Click Integrated Windows authentication, click Negotiate (Kerberos), and then click OK.
To apply the change, click Save.

For more information about how to configure Kerberos authentication on the SharePoint Server 2007 Web site, click the following article number to view the article in the Microsoft Knowledge Base:

832769

(http://support.microsoft.com/kb/832769/ )

How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication

Notice

For Windows 2008 Servers with IIS 7.0 or IIS 7.5

If you run Internet Information Services 7.0 on a server that is running SharePoint Server 2007, you must also set the useAppPoolCredentials attribute value to true in the ApplicationHost.config file. Perform this step for each SharePoint web application hosting sites where you want to use Excel Services.

The ApplicationHost.config file is located in the following folder:

C:\Windows\System32\Inetsrv\Config

After you make the change in the ApplicationHost.config file, the useAppPoolCredentials attribute value should resemble the following:

<system.webServer>

<security>

         <authentication>

                     <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

         </authentication>

</security>

</system.webServer>

Configure Excel Services for Kerberos authentication

After you have configured SharePoint Server 2007 for Kerberos authentication, you can now configure Excel Services for Kerberos authentication. Follow these steps in the order in which they are presented to configure Excel Services for Kerberos authentication.

Step 1: Configure user permissions in SQL Server or SQL Server Analysis Services

Before Excel Services can access data on behalf of the users requesting a data connection, the users will require at least Read permissions to the data sources.
For information on granting SQL Server database permissions, refer to http://msdn.microsoft.com/en-us/library/aa905164(SQL.80).aspx
(http://msdn.microsoft.com/en-us/library/aa905164(SQL.80).aspx)
For information on granting SQL Analysis Services permissions, refer to http://technet.microsoft.com/en-us/library/ms175451.aspx
(http://technet.microsoft.com/en-us/library/ms175451.aspx)
.

Step 2: Configure SQL Server Analysis Services to use Kerberos authentication

For more information about how to configure SQL Server 2005 Analysis Services to use Kerberos authentication, click the following article number to view the article in the Microsoft Knowledge Base:

917409

(http://support.microsoft.com/kb/917409/ )

How to configure SQL Server 2005 Analysis Services to use Kerberos authentication

Step 3: Configure Excel Services for delegation

To configure Excel Services for delegation, follow these steps (for each Shared Services Provider in the farm):

At a command prompt, type the following, and then press ENTER:
STSADM -o set-ecssecurity -ssp SharedServicesProviderName -accessmodel delegation

For example, if the Shared Services Provide Name is "SharedServices1", then enter:

STSADM -o set-ecssecurity -ssp SharedServices1 -accessmodel delegation
Type the following, and then press ENTER:
STSADM -o execadmsvcjobs

Back to the top | Give Feedback