SharePoint 2010 on Windows Server 2008 R2 with Kerberos Troubleshooting
Wow. I've been going through some massive headaches getting Kerberos set up in SharePoint 2010 on Windows Server 2008 R2. I was following my old guide from SharePoint 2007 (http://www.bryansgeekspeak.com/2010/01/enabling-kerberos-in-windows-domain-for.html) until I realized all the IIS 7.5 settings are completely different...
The first thing Google turned up for me was a blog post that explains a lot of Windows Server 2008 R2 specific gotchas for SharePoint 2010. It goes into detail about how to turn off kernel-mode authentication and how to enable IIS delegation using the application pool account credentials.
http://www.harbar.net/archive/2010/03/31/sharepoint-2010-and-kerberos.aspx
With those changes and some SETSPN commands I was able to get successful Kerberos logon events on the SharePoint 2010 web front end. A good start. On to the double-hop delegation from a SharePoint 2010 web part to Teamworks 6...
When I hit the Teamworks web part in SharePoint 2010, I got the usual authentication error that tells me Kerberos is not working. The Teamworks server is already working in a SharePoint 2007 farm, though, so I know the Teamworks piece is good - but I can see with Wireshark that only NTLM2 requests are being sent from the SharePoint 2010 WFE to the JBoss server - no Kerberos traffic at all.
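The WFE-side configuration described above (SPNs on the application pool account, kernel-mode authentication off or app pool credentials on, then checking that a Kerberos service ticket is actually issued), as an added example that is not code from this post or from the harbar.net article. The domain, host names, service account and IIS site name are placeholders; the commands themselves (setspn, appcmd, klist) are the stock Windows Server 2008 R2 tools.

```powershell
# Added example, not from the original post. Placeholders: CONTOSO,
# portal.contoso.com, svc-sp-apppool and the IIS site name "SharePoint - 80".
$domain    = 'CONTOSO'
$hostName  = 'portal.contoso.com'
$shortName = 'portal'
$svcAcct   = 'svc-sp-apppool'
$site      = 'SharePoint - 80'

# 1. Look for duplicate SPNs first. If HTTP/portal.contoso.com is registered on
#    two accounts the KDC cannot pick a key, and browsers quietly fall back to NTLM.
setspn -X

# 2. Register the HTTP SPNs (FQDN and short name) on the app pool account.
#    -S checks for an existing duplicate before adding, unlike the older -A.
setspn -S "HTTP/$hostName"  "$domain\$svcAcct"
setspn -S "HTTP/$shortName" "$domain\$svcAcct"
setspn -L "$domain\$svcAcct"

# 3. IIS 7.5: with kernel-mode authentication on and useAppPoolCredentials off,
#    http.sys decrypts service tickets with the machine account key, so an SPN
#    that lives on the app pool account never matches. Either switch kernel mode
#    off, or keep it on and set useAppPoolCredentials. Both are shown; pick one.
$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$section = '/section:system.webServer/security/authentication/windowsAuthentication'
& $appcmd set config "$site" $section '/useKernelMode:false' '/commit:apphost'
& $appcmd set config "$site" $section '/useKernelMode:true' '/useAppPoolCredentials:true' '/commit:apphost'

# 4. Confirm the result, and that Negotiate is listed before NTLM under <providers>.
& $appcmd list config "$site" $section

# 5. Client-side check from a domain-joined machine: purge cached tickets, hit the
#    site, then look for a ticket whose server is HTTP/portal.contoso.com. If klist
#    shows only krbtgt, no service ticket was requested and the site is on NTLM.
klist purge
Start-Process "http://$hostName/"
Start-Sleep -Seconds 10
klist
```

On the WFE itself, the matching evidence is a Security log event 4624 whose Authentication Package is "Kerberos" rather than "NTLM"; the same klist check run on the WFE as the app pool identity is the quickest way to see whether the second hop to Teamworks is even requesting a ticket.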
Dec 22, 2010 Update! Limited Success!
In one of my isolated SharePoint 2010 dev farms (an 8-server farm, isolated in its own domain), I was able to get Kerberos working with Teamworks after working around the kinit/Kerberos encryption issue (see the kinit link in the resources section). I have not had any success in larger, more complex domains. I'm now exploring the MS whitepaper on implementing Kerberos (see link in resources section), hoping a solution will leap out at me *crosses fingers!*
LINKS TO KERBEROS RESOURCES
- How to enable Kerberos event logging
- http://www.bryansgeekspeak.com/2010/12/kinit-fails-to-generate-keytab.html - Because Windows Server 2008 R2 PDCs no longer support the older DES encryption types used by Teamworks/JBoss, kinit fails to generate a keytab file for the Teamworks service account.
- http://www.bryansgeekspeak.com/2010/12/debugging-windows-server-2008r2-event.html - for when you find the error "Event ID 6037 - The target name used is not valid" in the event logs on the SharePoint 2010 WFE (possible SPN error).
- Microsoft's Configuring Kerberos authentication for SharePoint 2010 Products (white paper)
- K2 [blackpearl] HF2.01 Distributed Installations (and also SP1) - Even though it's specific to K2, it's a good reference for farm configuration with Kerberos/SPNs.
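For the DES/keytab item in the list above, an added example that is not from this post or its linked articles: it checks whether the Teamworks service account is still flagged for DES, and then cuts the keytab on the domain controller side with ktpass using an RC4-HMAC key instead of relying on DES, which 2008 R2 DCs reject by default. The domain, realm, account and host names are placeholders, the HTTP/ principal is an assumption about how Teamworks is registered, and the JBoss/Teamworks side of the setup is not covered here.

```powershell
# Added example, not from the original post. Placeholders: CONTOSO, CONTOSO.COM,
# svc-teamworks and teamworks.contoso.com. Run on a 2008 R2 DC or a box with
# the AD tools (ktpass, setspn) as a domain admin.
$domain  = 'CONTOSO'
$realm   = 'CONTOSO.COM'
$svcAcct = 'svc-teamworks'
$svcHost = 'teamworks.contoso.com'
$keytab  = "$env:TEMP\teamworks.keytab"

# 1. Inspect the account. Two things force DES: the userAccountControl flag
#    USE_DES_KEY_ONLY (0x200000), and msDS-SupportedEncryptionTypes limited to
#    the DES bits (1 = DES-CBC-CRC, 2 = DES-CBC-MD5, 4 = RC4-HMAC, 8 = AES128,
#    16 = AES256). A 2008 R2 DC will not issue tickets for a DES-only account
#    unless DES is re-enabled by policy, which is what makes kinit fail.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$svcAcct))"
$user = $searcher.FindOne().GetDirectoryEntry()

$uac = [int]$user.Properties['userAccountControl'].Value
$enc = [int]$user.Properties['msDS-SupportedEncryptionTypes'].Value   # 0 if unset
"userAccountControl            = 0x{0:X}" -f $uac
"msDS-SupportedEncryptionTypes = $enc"

if ($uac -band 0x200000) {
    "USE_DES_KEY_ONLY is set; clearing it so a non-DES key can be issued"
    $user.Properties['userAccountControl'].Value = $uac -bxor 0x200000
    $user.CommitChanges()
}
if (($enc -band 3) -and -not ($enc -band 4)) {
    "account advertises DES only; adding RC4-HMAC"
    $user.Properties['msDS-SupportedEncryptionTypes'].Value = $enc -bor 4
    $user.CommitChanges()
}

# 2. Make sure the SPN the keytab principal refers to is on this account.
setspn -S "HTTP/$svcHost" "$domain\$svcAcct"

# 3. Generate the keytab with an RC4-HMAC key. Note that ktpass sets the account
#    password to what you type at the prompt and bumps the key version number,
#    so any older keytab for this account stops working the moment this runs.
ktpass /out $keytab `
       /princ "HTTP/$svcHost@$realm" `
       /mapuser "$domain\$svcAcct" `
       /crypto RC4-HMAC-NT `
       /ptype KRB5_NT_PRINCIPAL `
       /pass *

"keytab written to $keytab; copy it to the Teamworks server and update its Kerberos config"
```

RC4-HMAC is chosen here because the Java 6 Krb5LoginModule handles it out of the box, whereas AES256 needs the unlimited-strength JCE policy files on the JBoss side; whichever type you pick, the same enctype has to be allowed in the Teamworks server's krb5.conf (default_tkt_enctypes / default_tgs_enctypes), and the keytab's kvno must match the account's current kvno or the KDC's tickets will not decrypt.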