
[SDP 5][D0509B21-17E4-4DF2-95FC-BFDFD8E2A8FF] The SharePoint 2010 Kerberos Configuration Troubleshooter

Summary

The Microsoft SharePoint 2010 Kerberos Configuration Troubleshooter manifest detects common Kerberos configurations on an instance of Microsoft SharePoint Server 2010.

In this release, the troubleshooter detects common Kerberos configurations when the SharePoint Service Application Kerberos delegation pattern is being used.

Important

Problematic conditions are checked only on the server on which this manifest is executed. To make sure that you have maximum coverage, we recommend that you run this package on each computer in the SharePoint farm. This article describes how this manifest file operates.   

More Information

This article describes the information that may be collected from a computer when you run this package.   

Information that is collected

Manifest results

File name: {GUID}_kerberos_O14SP_Failures_mm_dd_yyyy_hhmm_[AM|PM].csv
Description: This file contains a clean version of the failure and warning conditions that are detected during the execution of the SharePoint 2010 Kerberos Configuration Troubleshooter manifest. The information that is included is as follows:

  • MachineName: Name of the computer for which the information is being collected. (This can be changed to help protect privacy before uploading to Microsoft.)
  • Timestamp: Date and time that the data was collected.
  • RuleID: A GUID value that indicates which SETH rule was triggered. (See the rule sections later in this article for more information.)
  • InstanceID: A GUID that is used to identify a particular instance of a RuleID that was triggered. (A rule can be applied multiple times on a computer with only certain instances triggering a warning. This value helps you isolate that instance.)

File name: ResultReport.xml
Description: The actual results of the SharePoint Kerberos manifest. This is what is displayed to the user to indicate the status of each rule that is executed.

File name: Results.xml
Description: This is an internal file that is generated as a byproduct of the execution of the manifest. This file contains no customer data.

File name: Results.xsl
Description: This is an XSLT transform that formats the results in the ResultReport.xml file. This transform contains no customer data.

File name: Kerberos.O.debugreport.xml
Description: This file contains debug information that may be generated during the execution of the manifest. It also contains timings for all rules that are run. It may contain customer data. However, every attempt was made to minimize customer data.

File name: Stdout.log
Description: This file contains additional debug information for the manifest execution. It may contain customer data. However, every attempt was made to minimize customer data.

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_ExcelServicesInformation.txt
Description: This file contains the configuration information about the instances of Microsoft Excel Services in the farm. Information that is captured includes the following:

  • Excel Services instances
  • Excel Services application
  • Excel Services application pool
  • Excel Services application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for Excel Services application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_PerformancePointServicesInformation.txt
Description: This file contains the configuration information about instances of PerformancePoint Services in the farm. Information that is captured includes the following:

  • PerformancePoint Services instances
  • PerformancePoint Services application
  • PerformancePoint Services application pool
  • PerformancePoint Services application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for PerformancePoint Services application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_ReportingServices2012Information.txt
Description: This file contains the configuration information about instances of Microsoft SQL Server Reporting Services 2012 in the farm. Information that is captured includes the following:

  • SQL Server Reporting Services 2012 instances
  • SQL Server Reporting Services 2012 application
  • SQL Server Reporting Services 2012 application pool
  • SQL Server Reporting Services 2012 application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for SQL Server Reporting Services 2012 application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_cfg_%lang%_O14SP_VisioGraphicsServicesInformation.txt
Description: This file contains the configuration information about instances of Microsoft Visio Graphics Services in the farm. Information that is captured includes the following:

  • Visio Graphics Services instances
  • Visio Graphics Services application
  • Visio Graphics Services application pool
  • Visio Graphics Services application pool identities
  • Trusted file locations
  • Data connection libraries
  • Kerberos delegation setting for Visio Graphics Services application pool identities
  • Constrained delegation

File name: %COMPUTERNAME%_uls_%LANG%_O14SP_ULSLogs
Description: This file captures the ULS logs for the computer.

File name: %COMPUTERNAME%_uls_%LANG%_O14SP_KerberosWebAppReport
Description: This file contains configuration information about Kerberos Web Applications.

Authentication

Rule ID / Title / Description

55E11AFB-33E1-C0DE-DE05-ABB7E799F8AE
Check for KB969083
http://support.microsoft.com/kb/969083

6A0085C3-4673-C0DE-DE05-4C8BC15F9F90
Checking time difference between current server and the SQL server
http://technet.microsoft.com/en-us/library/jj852172(v-ws.10).aspx

456E96A9-DD92-4781-9085-2780898D5272
Check Kerberos Web Apps for authPersistNonNTLM
http://support.microsoft.com/kb/954873

9AC00049-6457-46EB-895A-35C4984E1E4A
Check Kerberos Web Apps for authPersistSingleRequest
http://technet.microsoft.com/library/gg502606.aspx

9E7DA950-17B0-44C7-8E3C-2AF5AFE2A1D2
Check for Kernel Mode Authentication on Web Apps
http://technet.microsoft.com/library/gg502602.aspx

DB1BF1A0-E043-4AEB-822F-3A8C688EDC7E
Check for anonymous authentication on Kerberos Web Applications
http://technet.microsoft.com/library/cc261698.aspx

6F483682-4611-4646-8F11-8E31CC5E1023
Check if MaxTokenSize registry entry is a DWord
http://support.microsoft.com/kb/938118

Claims to Windows Token Services (C2WTS)

Rule ID / Title / Description

338C6FF8-6078-4D79-839C-E8F14E2AEAA1
Checking whether claims to Windows Token Service (C2WTS) is installed
http://msdn.microsoft.com/en-us/library/hh231678.aspx

E04B911F-6384-4F4A-93E8-237E0F52E245
Checking whether claims to Windows Token Service (C2WTS) is started
http://msdn.microsoft.com/en-us/library/hh231678.aspx

111DA65B-E401-4DF1-8ECC-B51437979008
Checking whether the dependency of C2WTS service on Cryptsvc is present
http://support.microsoft.com/kb/2722087

E1590F5B-7384-496C-98A2-FFAE0CD1A248
Checking whether WSS_WPG group is present in the list of allowed callers of c2wtshost.exe.config file
http://msdn.microsoft.com/en-us/library/hh231678.aspx

F97FD65F-A968-4452-B2C4-8B70E29BF423
Local computer account could not access C2WTS
http://support.microsoft.com/kb/2722087

A8222D3F-2C82-4CDF-ABE3-D46934A114C0
Built-in account could not access C2WTS
http://support.microsoft.com/kb/2722087

6B07327F-BD37-490D-8C7E-FD57D9BB4C29
"Log on as a service" right is missing for the service account in C2WTS
http://support.microsoft.com/kb/2722087

DB155B37-2FBF-426B-9E52-AA88274D89DA
"Act as part of the operating system" right is missing for the service account in C2WTS
http://support.microsoft.com/kb/2722087

6DF5FEF4-0741-43E5-9E52-A3633B824E2F
"Impersonate a client after authentication" right is missing for the service account in C2WTS
http://support.microsoft.com/kb/2722087

142A5998-C2CC-4C13-9C24-F25DB3498450
Checking whether the C2WTS domain account is the local administrator of the computer
http://support.microsoft.com/kb/2722087

DEC84213-E36F-4C33-B68E-58162C1F539A
Checking whether Protocol Transitioning is not set to Any Authentication for the Claim to Windows Token Services account
http://support.microsoft.com/kb/2722087

30484955-8E2E-4F31-9452-F99DF41A6CAC
Checking authentication type on web applications for SharePoint Services
http://technet.microsoft.com/en-us/library/gg502594.aspx

Delegation

Rule ID / Title / Description

9A575168-0926-4D6D-AB51-0B3A94E84132
Check for delegation on Kerberos Web Applications
http://support.microsoft.com/kb/907272

5FC61E69-421E-452C-BCE6-DD07F04EDA0F
Check for Windows 2000 domain function level

3F024330-C458-4B39-B2D2-9C4ABD1EFCD5
Check SQL Service Account for delegation
http://support.microsoft.com/kb/811889

Excel Services

Rule ID / Title / Description

A104DB0F-2272-4850-B322-DBB65870EE1D
Checking permissions on web applications content DBs for the Excel Services accounts
http://support.microsoft.com/kb/2466519

24881609-BC01-41C1-8A03-1D14DF91F6DB
Constrained delegation is not enabled to Excel Services AppPool account
http://support.microsoft.com/kb/2466519

B93A843D-E5F7-4510-AD6E-FA06294FDD85
Protocol transitioning is not set to Any Authentication protocol for Excel Services AppPool account
http://support.microsoft.com/kb/2466519

F3002FAB-780A-43AA-B53D-DE35C279B9FE
Checking whether other computers in the farm have to run the SharePoint Kerberos package for Excel Services
http://technet.microsoft.com/en-us/library/gg502594.aspx

PerformancePoint Services

Rule ID / Title / Description

A7BDF8F2-E074-465D-8D24-298AAFD558D3
Checking permissions on web application content databases for the PerformancePoint Services accounts
http://support.microsoft.com/kb/2723073

8FBA384B-F0F7-44E1-BEA3-09AF172F2D41
Constrained delegation is not enabled to PerformancePoint Services AppPool account
http://support.microsoft.com/kb/2723073

59395596-7E6D-4AD4-996F-214D351D47E4
Protocol transitioning is not set to Any Authentication protocol for PerformancePoint Services AppPool account
http://support.microsoft.com/kb/2723073

C8B02937-BD00-483C-8717-3654532BCE48
Checking whether other computers in the farm have to run the SharePoint Kerberos package for PerformancePoint Services
http://technet.microsoft.com/en-us/library/gg502594.aspx

PowerPivot Services

Rule ID / Title / Description

C479D93B-13FB-4390-9298-638789C02D3C
Check permissions on web application content DB for the PowerPivot account
http://technet.microsoft.com/library/ee210603.aspx

E3EC3675-B74D-4268-8736-71D62845B882
Constrained delegation is not enabled to PerformancePoint Services AppPool account
http://technet.microsoft.com/library/gg502608.aspx

03E9844F-08DF-489A-88AD-C04D89DB486D
Protocol transitioning is not set to Any Authentication protocol for PerformancePoint Services AppPool account
http://technet.microsoft.com/library/gg502608.aspx

SQL Server Reporting Services 2012

Rule ID / Title / Description

6754E52C-E7B8-4C56-906B-605E104FBD20
Checking permissions on web application content databases for SQL Server Reporting Services 2012 accounts
http://support.microsoft.com/kb/2723587

9AAB1907-77D4-4987-87D6-94D739381A44
Constrained delegation is not enabled to SQL Server Reporting Services AppPool account
http://support.microsoft.com/kb/2723587

0AA98785-DD51-4F2C-9918-D2651D668B4D
Protocol transitioning is not set to Any Authentication protocol for SQL Server Reporting Services AppPool account
http://support.microsoft.com/kb/2723587

3849152B-B1EC-4401-80EC-7704BD5836B5
Checking whether other computers in the farm have to run the SharePoint Kerberos package for SQL Server Reporting Services 2012
http://technet.microsoft.com/en-us/library/gg502594.aspx

Visio Graphics Services

Rule ID / Title / Description

D3D925CE-A4A2-4786-9EE4-6517F7081248
Checking permissions on web application content databases for Visio Graphics Services 2012 accounts
http://support.microsoft.com/kb/2723977

30DC0519-3E34-451D-8A48-F72FF335D137
Constrained delegation is not enabled to Visio Graphics Services AppPool account
http://support.microsoft.com/kb/2723977

9B156D41-B5EE-4AA2-B7B2-C38062C4C3F0
Protocol transitioning is not set to Any Authentication protocol for Visio Graphics AppPool account
http://support.microsoft.com/kb/2723977

085E304B-D89F-4CDA-9ED3-50F9DF258D51
Checking whether other computers in the farm have to run the SharePoint Kerberos package for Visio Graphics Services
http://technet.microsoft.com/en-us/library/gg502594.aspx
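The "Constrained delegation is not enabled" and "Protocol transitioning is not set to Any Authentication protocol" rules in the service application sections above inspect Active Directory delegation attributes of the application pool accounts. As an added example (not part of this article or of the troubleshooter), the following PowerShell reports those attributes for every SharePoint service application pool account; it assumes the SharePoint snap-in and the ActiveDirectory module are available on the server where it runs, and that the pool accounts are domain user accounts.

```powershell
# Added example, not from the KB article or the troubleshooter. Reports the
# AD delegation settings behind the constrained delegation and protocol
# transition rules for each SharePoint service application pool account.
# Assumes: SharePoint 2010 snap-in, ActiveDirectory module, domain user accounts.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-AppPoolDelegationReport {
    # One row per distinct service application pool account (DOMAIN\user).
    $accounts = Get-SPServiceApplicationPool |
        Select-Object -ExpandProperty ProcessAccountName -Unique

    foreach ($account in $accounts) {
        # Get-ADUser wants the sAMAccountName, so strip the domain prefix.
        $sam = $account.Split('\')[-1]
        $ad  = Get-ADUser -Identity $sam -Properties TrustedForDelegation,
                   TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

        # msDS-AllowedToDelegateTo holds the target SPNs of constrained delegation.
        $targets = @($ad.'msDS-AllowedToDelegateTo')

        [pscustomobject]@{
            Account               = $account
            # TRUE here means unconstrained delegation (trusted for any service).
            Unconstrained         = [bool]$ad.TrustedForDelegation
            # Constrained delegation is configured when the target list is non-empty.
            ConstrainedDelegation = $targets.Count -gt 0
            # "Use any authentication protocol" (protocol transition), which the
            # rules above expect to be enabled for the AppPool accounts.
            ProtocolTransition    = [bool]$ad.TrustedToAuthForDelegation
            AllowedToDelegateTo   = ($targets -join '; ')
        }
    }
}

Get-AppPoolDelegationReport | Format-Table -AutoSize
```

A row with ConstrainedDelegation FALSE or ProtocolTransition FALSE corresponds to the failure conditions named in those rules; the referenced KB articles describe the expected configuration.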

SPN Configuration

Rule ID / Title / Description

1C1CF6E8-6B71-C0DE-DE06-EB05DE19DB86
A SPN was found on a DNS alias
http://support.microsoft.com/kb/938305

AFE4575E-9AE9-49BB-A68B-776E938D2DA3
Check for HTTPS SPNs
http://support.microsoft.com/kb/929650

C05564F6-CD7B-478D-87E0-D9892A158B58
Check for SPNS on Kerberos Web Apps
http://support.microsoft.com/kb/929650

4D7FA6E4-0CDF-4066-A05C-DC3066F97FAD
Check for duplicate SPNs
http://technet.microsoft.com/library/cc772897(v=WS.10).aspx

More information 

Kerberos has a ticket cache. This means that even after incorrect settings are changed, the delegation does not work until the Kerberos cache is flushed. To flush the ticket cache, you have to either restart the application pool that is delegating the identity or use the KList utility.   

KList 

KList is a command prompt utility that is included in the default installation of Windows Server 2008 and Windows Server 2008 R2. This utility can be used to list and delete Kerberos tickets on a given computer. To run KList, open a command prompt in Windows Server 2008, and then type KList.   
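As an added example (not part of this article), the two cache-flushing methods described above in PowerShell: purging tickets with KList and recycling the delegating application pool. The application pool name is a placeholder you supply, and the IIS WebAdministration module is assumed to be present.

```powershell
# Added example, not from the KB article. Flushes the Kerberos ticket cache after
# a delegation setting has been corrected, using the two methods the article
# names: the KList utility and recycling the delegating application pool.
param(
    # Placeholder: the IIS application pool whose identity performs the delegation.
    [Parameter(Mandatory = $true)]
    [string]$AppPoolName
)

Import-Module WebAdministration   # provides the IIS: drive and the *-WebAppPool cmdlets

# 1. Record what the current logon session has cached (before/after evidence).
Write-Host "Kerberos tickets cached in this logon session:"
klist tickets

# 2. Purge them. Scope caveat: klist acts on the logon session running this
#    script, not on the application pool identity's own session, so step 3 is
#    what clears the tickets held by the delegating worker process.
klist purge

# 3. Recycle the delegating application pool, which (as the article notes)
#    discards the cached tickets so new ones are requested under the corrected
#    delegation settings.
if (Test-Path "IIS:\AppPools\$AppPoolName") {
    Restart-WebAppPool -Name $AppPoolName
    Write-Host ("Recycled '{0}'; state is now {1}" -f $AppPoolName,
        (Get-WebAppPoolState -Name $AppPoolName).Value)
} else {
    Write-Warning "Application pool '$AppPoolName' was not found on this server."
}
```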

Note: This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 2732019 - Last Review: 08/07/2014 08:41:00 - Revision: 25.0

Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2010

  • KB2732019