The Microsoft SharePoint 2010 Kerberos Configuration Troubleshooter manifest detects common Kerberos configurations on an instance of Microsoft SharePoint Server 2010.
In this release, the troubleshooter detects common Kerberos configurations when the SharePoint Service Application Kerberos delegation pattern is being used.
Problematic conditions are checked only on the server on which this manifest is executed. To make sure that you have maximum coverage, we recommend that you run this package on each computer in the SharePoint farm. This article describes how this manifest file operates.
This article describes the information that may be collected from a computer when you run this package.
Information that is collected
This file contains a clean version of the failure and warning conditions that are detected during the execution of the SharePoint 2010 Kerberos Configuration Troubleshooter manifest. The information that is included is as follows:
|The actual results of the SharePoint Kerberos manifest. This is what is displayed to the user to indicate the status of each rule that is executed.|
This is an internal file that is generated as a byproduct of the execution of the manifest. This file contains no customer data.
This is an XSLT transform that formats the results in the ResultReport.xml file. This transform contains no customer data.
This file contains debug information that may be generated during the execution of the manifest. It also contains timings on all rules that are run. It may contain customer data. However, every attempt was made to minimize customer data.
This file contains additional debug information for the manifest execution. It may contain customer data. However, every attempt was made to minimize customer data.
This file contains the configuration information about the instances of Microsoft Excel Services in the farm. Information that is captured includes the following:
|This file contains the configuration information about instances of PerformancePoint Services in the farm. Information that is captured includes the following: ||%COMPUTERNAME%_cfg_%lang%_O14SP_PerformancePointServicesInformation.txt|
|This file contains the configuration information about instances of Microsoft SQL Server Reporting Services 2012 in the farm. Information that is captured includes the following: ||%COMPUTERNAME%_cfg_%lang%_O14SP_ReportingServices2012Information.txt|
|This file contains the configuration information about instances of Microsoft Visio Graphics Services in the farm. Information that is captured includes the following: ||%COMPUTERNAME%_cfg_%lang%_O14SP_VisioGraphicsServicesInformation.txt|
|This file captures the ULS logs for the computer.||%COMPUTERNAME%_uls_%LANG%_O14SP_ULSLogs|
|This file contains configuration information about Kerberos Web Applications.||%COMPUTERNAME%_uls_%LANG%_O14SP_KerberosWebAppReport|
Check for KB969083
Checking time difference between current server and the SQL server
Check Kerberos Web Apps for authPersistNonNTLM
Check Kerberos Web Apps for authPersistSingleRequest
Check for Kernel Mode Authentication on Web Apps
Check for anonymous authentication on Kerberos Web Applications
Check if MaxTokenSize registry entry is a DWord
Claims to Windows Token Services (C2WTS)
|338C6FF8-6078-4D79-839C-E8F14E2AEAA1||Checking whether claims to Windows Token Service (C2WTS) is installed||http://msdn.microsoft.com/en-us/library/hh231678.aspx|
|E04B911F-6384-4F4A-93E8-237E0F52E245||Checking whether claims to Windows Token Service (C2WTS) is started||http://msdn.microsoft.com/en-us/library/hh231678.aspx|
|111DA65B-E401-4DF1-8ECC-B51437979008||Checking whether the dependency of C2WTS service on Cryptsvc is present||http://support.microsoft.com/kb/2722087|
|E1590F5B-7384-496C-98A2-FFAE0CD1A248||Checking whether WSS_WPG group is present in the list of allowed callers of c2wtshost.exe.config file||http://msdn.microsoft.com/en-us/library/hh231678.aspx|
|F97FD65F-A968-4452-B2C4-8B70E29BF423||Local computer account could not access C2WTS||http://support.microsoft.com/kb/2722087|
|A8222D3F-2C82-4CDF-ABE3-D46934A114C0||Built-in account could not access C2WTS||http://support.microsoft.com/kb/2722087|
|6B07327F-BD37-490D-8C7E-FD57D9BB4C29||"Log on as a service" right is missing for the service account in C2WTS||http://support.microsoft.com/kb/2722087|
|DB155B37-2FBF-426B-9E52-AA88274D89DA||"Act as part of the operating system" right is missing for the service account in C2WTS||http://support.microsoft.com/kb/2722087|
|6DF5FEF4-0741-43E5-9E52-A3633B824E2F||"Impersonate a client after authentication" right is missing for the service account in C2WTS||http://support.microsoft.com/kb/2722087|
|142A5998-C2CC-4C13-9C24-F25DB3498450||Checking whether the C2WTS domain account is the local administrator of the computer||http://support.microsoft.com/kb/2722087|
|DEC84213-E36F-4C33-B68E-58162C1F539A||Checking whether Protocol Transitioning is not set to Any Authentication for the Claim to Windows Token Services account||http://support.microsoft.com/kb/2722087|
|30484955-8E2E-4F31-9452-F99DF41A6CAC||Checking authentication type on web applications for SharePoint Services||http://technet.microsoft.com/en-us/library/gg502594.aspx|
Check for delegation on Kerberos Web Applications
Check for Windows 2000 domain function level
Check SQL Service Account for delegation
|A104DB0F-2272-4850-B322-DBB65870EE1D||Checking permissions on web applications content DBs for the Excel Services accounts||http://support.microsoft.com/kb/2466519|
|24881609-BC01-41C1-8A03-1D14DF91F6DB||Constrained delegation is not enabled to Excel Services AppPool account||http://support.microsoft.com/kb/2466519|
|B93A843D-E5F7-4510-AD6E-FA06294FDD85||Protocol transitioning is not set to Any Authentication protocol for Excel Services AppPool account||http://support.microsoft.com/kb/2466519|
|F3002FAB-780A-43AA-B53D-DE35C279B9FE||Checking whether other computers in the farm have to run the SharePoint Kerberos package for Excel Services||http://technet.microsoft.com/en-us/library/gg502594.aspx|
|A7BDF8F2-E074-465D-8D24-298AAFD558D3||Checking permissions on web application content databases for the PerformancePoint Services accounts||http://support.microsoft.com/kb/2723073|
|8FBA384B-F0F7-44E1-BEA3-09AF172F2D41||Constrained delegation is not enabled to PerformancePoint Services AppPool account||http://support.microsoft.com/kb/2723073|
|59395596-7E6D-4AD4-996F-214D351D47E4||Protocol transitioning is not set to Any Authentication protocol for PerformancePoint Services AppPool account||http://support.microsoft.com/kb/2723073|
|C8B02937-BD00-483C-8717-3654532BCE48||Checking whether other computers in the farm have to run the SharePoint Kerberos package for PerformancePoint Services||http://technet.microsoft.com/en-us/library/gg502594.aspx|
Check permissions on web application content DB for the PowerPivot account
Constrained delegation is not enabled to PerformancePoint Services AppPool account
Protocol transitioning is not set to Any Authentication protocol for PerformancePoint Services AppPool account
SQL Server Reporting Services 2012
|6754E52C-E7B8-4C56-906B-605E104FBD20||Checking permissions on web application content databases for SQL Server Reporting Services 2012 accounts||http://support.microsoft.com/kb/2723587|
|9AAB1907-77D4-4987-87D6-94D739381A44||Constrained delegation is not enabled to SQL Server Reporting Services AppPool account||http://support.microsoft.com/kb/2723587|
|0AA98785-DD51-4F2C-9918-D2651D668B4D||Protocol transitioning is not set to Any Authentication protocol for SQL Server Reporting Services AppPool account||http://support.microsoft.com/kb/2723587|
|3849152B-B1EC-4401-80EC-7704BD5836B5||Checking whether other computers in the farm have to run the SharePoint Kerberos package for SQL Server Reporting Services 2012||http://technet.microsoft.com/en-us/library/gg502594.aspx|
Visio Graphics Services
|D3D925CE-A4A2-4786-9EE4-6517F7081248||Checking permissions on web application content databases for Visio Graphics Services 2012 accounts||http://support.microsoft.com/kb/2723977|
|30DC0519-3E34-451D-8A48-F72FF335D137||Constrained delegation is not enabled to Visio Graphics Services AppPool account||http://support.microsoft.com/kb/2723977|
|9B156D41-B5EE-4AA2-B7B2-C38062C4C3F0||Protocol transitioning is not set to Any Authentication protocol for Visio Graphics AppPool account||http://support.microsoft.com/kb/2723977|
|085E304B-D89F-4CDA-9ED3-50F9DF258D51||Checking whether other computers in the farm have to run the SharePoint Kerberos package for Visio Graphics Services||http://technet.microsoft.com/en-us/library/gg502594.aspx|
A SPN was found on a DNS alias
Check for HTTPS SPNs
Check for SPNs on Kerberos Web Apps
Check for duplicate SPNs
Kerberos has a ticket cache. This means that even after incorrect settings are changed, the delegation does not work until the Kerberos cache is flushed. To flush the ticket cache, you have to either restart the application pool that is delegating the identity or use the KList utility.
KList is a command prompt utility that is included in the default installation of Windows Server 2008 and Windows Server 2008 R2. This utility can be used to list and delete Kerberos tickets on a given computer. To run KList, open a command prompt in Windows Server 2008, and then type KList.
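The two ways of flushing the ticket cache described above, as an added PowerShell example that is not part of the original article. The account name, the application pool name, and the assumed line format of `klist sessions` output are illustrative assumptions.

```powershell
# Added example. $Account and $AppPool are placeholders, not values from the article.
param(
    [string]$Account = 'CONTOSO\svc-excel',     # hypothetical delegating service account
    [string]$AppPool = 'ExcelServicesAppPool'   # hypothetical application pool name
)

# List the tickets cached for the logon session this prompt runs in.
klist

# "klist purge" on its own clears only the current logon session. A service
# account's tickets sit in that account's own logon session, so locate those
# sessions first. Purging another session requires an elevated prompt.
# Assumed line format of "klist sessions":
#   [n] Session s 0:0x<LogonId> DOMAIN\user Package:LogonType
$pattern  = '\s0:(0x[0-9a-fA-F]+)\s+' + [regex]::Escape($Account) + '\s'
$logonIds = klist sessions | ForEach-Object {
    if ($_ -match $pattern) { $Matches[1] }
}

if (-not $logonIds) {
    Write-Host "No logon session found for $Account on this computer."
}

foreach ($id in $logonIds) {
    Write-Host "Purging Kerberos tickets for $Account in logon session $id"
    klist -li $id purge
}

# The other option the article gives: restart the application pool that is
# delegating the identity.
& "$env:windir\System32\inetsrv\appcmd.exe" recycle apppool "/apppool.name:$AppPool"
```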
Article ID: 2732019 - Last Review: Aug 7, 2014 - Revision: 1