Microsoft KB Archive/832769

= How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication =

Article ID: 832769

Article Last Modified on 9/26/2007

-

APPLIES TO


 * Microsoft Windows SharePoint Services 3.0
 * Microsoft Windows SharePoint Services 2.0

-



INTRODUCTION
This article contains information about how to configure a Microsoft Windows SharePoint Services virtual server to use Kerberos authentication. Additionally, this article contains information about how to switch from Kerberos authentication back to NTLM authentication.

Note Version 3 of Microsoft Windows SharePoint Services for Microsoft Office 2007 uses NTLM authentication by default. Kerberos is still supported.



MORE INFORMATION
Starting with Microsoft Windows SharePoint Services 2.0 Service Pack 2 (SP2), you can create the SharePoint Central Administration virtual server, or extend a content virtual server, to use either Kerberos authentication or NTLM authentication. You no longer have to modify the IIS metabase directly.

Microsoft Windows Integrated Authentication supports the following two challenge/response protocols:
 * NTLM

NTLM is a challenge/response protocol: the server sends a random challenge and the client answers with a value computed from a hash of the user's password, so the password itself is never sent over the network. NTLM does not authenticate the server to the client and does not support delegation. NTLM authentication is required in networks where the server receives requests from clients that cannot use Kerberos, for example clients that are not joined to the domain or that address the server by IP address rather than by host name.
 * Kerberos

The Kerberos protocol is based on tickets. A user first authenticates to the Key Distribution Center (KDC) with a valid user name and password and receives a ticket-granting ticket; the KDC then issues service tickets that the client presents to other services on the network. Each service ticket is issued for a specific service principal name (SPN), which is why the SPN configuration later in this article matters: if no account holds the SPN that matches the host name in the URL the client uses, the KDC cannot issue a ticket for the site. To use Kerberos, both the client and the server must have a trusted connection to the domain KDC, and both must be compatible with the Active Directory directory service.

Note For these versions, choose NTLM authentication unless you have a specific need for Kerberos authentication and can configure the service principal name (SPN). Kerberos is the stronger of the two protocols (it authenticates the server to the client and it is required for delegation to back-end servers), but it depends on correct SPN registration: if you choose Kerberos authentication and cannot configure the SPN, only server administrators will be able to authenticate to the SharePoint site.

Both Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 contain built-in functionality to switch back to NTLM authentication or to configure the authentication settings. NTLM authentication is the default and, as noted above, the preferred method when Kerberos is not specifically required. To configure NTLM authentication on the Web application, use one of the following methods.

Configure NTLM authentication on the Web application from SharePoint 3.0 Central Administration:
 * 1) Click Start, click Administrative Tools, and then double-click SharePoint 3.0 Central Administration.
 * 2) Click the Application Management tab, and then click Authentication Providers.
 * 3) In the Web Application list, select the Web application that you have to update.
 * 4) Click the zone that you want.
 * 5) On the Edit Authentication page, under IIS Authentication Settings, Integrated Windows authentication, click NTLM.
 * 6) To apply the change, click OK.

Configure NTLM authentication on the Web application from the Stsadm.exe command-line utility:
 * 1) At a command prompt, change to the directory that contains Stsadm.exe.
 * 2) Run the following command, replacing the URL with the URL of the Web application:

stsadm -o authentication -url http://urlofthewebapplication -type windows -exclusivelyusentlm

Note To see the other options for the operation, run the following command:

stsadm -help authentication

Configure Windows SharePoint Services 2.0 to use Kerberos authentication or NTLM authentication
Starting with Windows SharePoint Services 2.0 Service Pack 2 (SP2), you can use the SharePoint user interface or commands at a command prompt to configure the SharePoint Central Administration virtual server and content virtual servers. You configure the SharePoint Central Administration virtual server when you create the SharePoint Central Administration, and you configure the content virtual servers when you extend the content virtual server. When you create the SharePoint Central Administration virtual server or extend a new virtual server, there is a new Security Configuration section where you can specify whether you want to use NTLM authentication or Kerberos authentication. To review all the administrative settings for configuring the authentication settings, see the Windows SharePoint Services Administrator's Guide. To see the Windows SharePoint Services Administrator's Guide, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=a637eff6-8224-4b19-a6a4-3e33fa13d230&DisplayLang=en

Virtual servers that were extended or created in versions of Windows SharePoint Services 2.0 earlier than SP2 do not have this option. If you have to configure such a virtual server for Kerberos authentication, you must do it manually, as follows.

To use a script to enable Kerberos authentication on the virtual server, follow these steps:
 * 1) On the server that is running IIS, click Start, click Run, type cmd in the Open box, and then click OK.
 * 2) Change to the Inetpub\Adminscripts folder. To do this, type the following command, and then press ENTER:

cd Drive:\inetpub\adminscripts

Note In this command, Drive is the drive where Microsoft Windows is installed.
 * 3) Type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders

Note In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1. This step shows the current setting; record it so that you can confirm the change afterwards.
 * 4) To enable Kerberos authentication on the virtual server, type the following command, and then press ENTER:

cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "Negotiate,NTLM"

Note In this command, ## is the virtual server ID number. Negotiate lets the client use Kerberos and fall back to NTLM when it cannot obtain a Kerberos ticket (for example because no matching SPN is registered). Because that fallback is silent, a successful logon does not by itself prove that Kerberos is in use.
 * 5) Restart IIS. To do this, follow these steps:
 * a) Click Start, click Run, type cmd in the Open box, and then click OK.
 * b) At the command prompt, type iisreset, and then press ENTER.
 * c) Type exit, and then press ENTER to close the Command Prompt window.

If you chose Kerberos authentication when you created the SharePoint Central Administration or content virtual servers, but you have to switch back to NTLM authentication, you can use a script to enable NTLM-only authentication on the virtual server.

To use a script to enable NTLM authentication on the virtual server, follow these steps:
 * 1) On the server that is running IIS, click Start, click Run, type cmd in the Open box, and then click OK.
 * 2) Change to the Inetpub\Adminscripts folder. To do this, type the following command, and then press ENTER:

cd Drive:\inetpub\adminscripts

Note In this command, Drive is the drive where Windows is installed.
 * 3) Type the following command, and then press ENTER:

cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders

Note In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1.
 * 4) To enable NTLM authentication on the virtual server, type the following command, and then press ENTER:

cscript adsutil.vbs set w3svc/##/root/NTAuthenticationProviders "NTLM"

Note In this command, ## is the virtual server ID number. With only NTLM listed, the server no longer offers Negotiate, so clients cannot use Kerberos for this virtual server even if an SPN is registered.
 * 5) Restart IIS. To do this, follow these steps:
 * a) Click Start, click Run, type cmd in the Open box, and then click OK.
 * b) At the command prompt, type iisreset, and then press ENTER.
 * c) Type exit, and then press ENTER to close the Command Prompt window.
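The two adsutil.vbs procedures above edit one metabase property, NTAuthenticationProviders, and the only way the article offers to confirm the result is to read it back. The following script is an added example, not part of KB 832769: it makes the same change through the IIS 6 ADSI provider from PowerShell 2.0 on the IIS server, resolves the virtual server ID from the site name instead of guessing it, warns when Integrated Windows authentication is not even enabled on the site, and then sends an anonymous request to read which schemes the site actually offers in its 401 challenge. The site name and URL are assumed placeholders.

```powershell
# Added example, not part of KB 832769: the same metabase change as the adsutil.vbs
# steps above, done through the IIS 6 ADSI provider from PowerShell 2.0 on the IIS
# server (Windows Server 2003), followed by a check of what the site actually offers.
# Assumptions: run as a local administrator; the site name and URL are placeholders.

$SiteName = "Default Web Site"                  # assumed: the site's ServerComment in IIS Manager
$SiteUrl  = "http://sharepoint.contoso.local/"  # assumed: the URL clients use

# Resolve the numeric virtual-server ID (the ## in the adsutil.vbs commands) from the
# site's display name instead of guessing it.
function Get-SiteId([string]$Name) {
    $w3svc = [ADSI]"IIS://localhost/W3SVC"
    foreach ($child in $w3svc.Children) {
        if ($child.SchemaClassName -eq "IIsWebServer" -and "$($child.ServerComment)" -eq $Name) {
            return $child.Name                  # "1" for the Default Web Site
        }
    }
    throw "No IIS Web site named '$Name'"
}

function Get-AuthProviders([string]$Id) {
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    return "$($root.NTAuthenticationProviders)"
}

# "Negotiate,NTLM" = Kerberos with silent fallback to NTLM; "NTLM" = NTLM only.
function Set-AuthProviders([string]$Id, [string]$Providers) {
    if ($Providers -ne "Negotiate,NTLM" -and $Providers -ne "NTLM") {
        throw "Unexpected provider list '$Providers'"
    }
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    # NTAuthenticationProviders only matters when Integrated Windows authentication
    # (AuthFlags bit 4, AuthNTLM) is enabled; warn rather than report a hollow success.
    $flags = [int]"$($root.AuthFlags)"
    if (($flags -band 4) -eq 0) {
        Write-Warning "Integrated Windows authentication is not enabled on W3SVC/$Id (AuthFlags=$flags)"
    }
    $root.Put("NTAuthenticationProviders", $Providers)
    $root.SetInfo()
}

# Request the site with no credentials and read the WWW-Authenticate challenges in the 401.
# "Negotiate" present means Kerberos is offered; "NTLM" alone means NTLM only.
function Get-OfferedSchemes([string]$Url) {
    $req = [System.Net.WebRequest]::Create($Url)
    try {
        $req.GetResponse().Close()
        return @()                              # no challenge: anonymous access is allowed
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) { throw }
        $schemes = @($resp.Headers.GetValues("WWW-Authenticate"))
        $resp.Close()
        return $schemes
    }
}

$id = Get-SiteId $SiteName
"W3SVC/$id ($SiteName) currently has: $(Get-AuthProviders $id)"

Set-AuthProviders $id "Negotiate,NTLM"          # enable Kerberos (pass "NTLM" to switch back)
iisreset | Out-Null                             # the change takes effect after an IIS restart

"W3SVC/$id now has: $(Get-AuthProviders $id)"
"$SiteUrl challenges with: $((Get-OfferedSchemes $SiteUrl) -join ', ')"
```

Seeing Negotiate in the challenge only shows that Kerberos is offered, not that it is used: when the SPN is missing, clients fall back to NTLM without any error. To confirm that Kerberos tickets are really being accepted, check the successful network logon events (event ID 540 on Windows Server 2003) in the IIS server's Security log and look at their Authentication Package field, which reads Kerberos or NTLM.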

Configure a service principal name for the domain user account
If the application pool identity for the Windows SharePoint Services 2.0 site is configured to use a built-in security principal (such as NT Authority\Network Service or NT Authority\Local System), you do not have to perform this step. These accounts authenticate on the network as the computer account, and the computer account's HOST service principal names already cover the HTTP service class, so Kerberos works without additional configuration as long as clients use the server's own host name in the URL.

If you use a remote Microsoft SQL Server 2000 server and the application pool runs as NT Authority\Network Service, you have to add a SQL Server login for the computer account, Domain\ComputerName$, and grant it the Database Creators and Security Administrators server roles. By doing so, Windows SharePoint Services 2.0 can connect to the remote SQL Server computer to create the configuration and content databases.

If the application pool identity is a domain user account, you must configure an SPN for that account. To configure an SPN for the domain user account, follow these steps:
 * 1) Download and install the Setspn.exe command-line tool. To do this, visit one of the following Microsoft Web sites.

For Microsoft Windows 2000 Server:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en

For Microsoft Windows Server 2003:

892777 Windows Server 2003 Service Pack 1 Support Tools

 * 2) Use the Setspn.exe tool to add an SPN for the domain account. To do this, type the following line at the command prompt, and then press ENTER, where ServerName is the fully qualified domain name (FQDN) of the server, Domain is the name of the domain, and UserName is the name of the domain user account:

setspn -A HTTP/ServerName Domain\UserName

Note The SPN must match the host name that clients use in the URL. If users reach the site by the short (NetBIOS) host name as well as by the FQDN, register both forms, and register any DNS alias or host header that the site answers to in the same way. An SPN may exist on only one account in the forest; if the same HTTP SPN is also registered on the computer account or on another user account, Kerberos authentication fails. Run setspn -L Domain\UserName after the change to list the SPNs registered on the account.

Configure trust for delegation for Web parts
To configure the IIS server's computer account to be trusted for delegation (this is the relevant account when the application pool runs as Network Service or Local System, because those identities act as the computer account on the network), follow these steps:
 * 1) Start Active Directory Users and Computers.
 * 2) In the left pane, click Computers.
 * 3) In the right pane, right-click the name of the IIS server, and then click Properties.
 * 4) Click the General tab, click to select the Trust computer for delegation check box, and then click OK.
 * 5) Quit Active Directory Users and Computers.

If the application pool identity is configured to use a domain user account, that user account, rather than the computer account, must be trusted for delegation before Web parts running in the application pool can pass the authenticated user's Kerberos identity on to back-end servers. Delegation is not needed for users to authenticate to the site itself with Kerberos. Note The check boxes described in this section grant unconstrained delegation: the server can impersonate any user who authenticates to it against any service in the domain, which makes the IIS server a high-value target. In a domain at the Windows Server 2003 functional level, Active Directory Users and Computers shows a Delegation tab instead of the check box; there, select Trust this user for delegation to specified services only and list only the back-end services (for example the SQL Server SPN) that the Web parts need. To configure the domain account to be trusted for delegation, follow these steps:
 * 1) On the domain controller, start Active Directory Users and Computers.
 * 2) In the left pane, click Users.
 * 3) In the right pane, right-click the name of the user account, and then click Properties.
 * 4) Click the Account tab, under Account Options, click to select the Account is trusted for delegation check box, and then click OK.
 * 5) Quit Active Directory Users and Computers.
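The SPN and delegation steps above are both settings on Active Directory objects, and both fail quietly when they are wrong: a missing or duplicate SPN makes clients fall back to NTLM, and the delegation check box is broader than most deployments need. The following script is an added example, not part of KB 832769: from PowerShell 2.0 on a domain-joined machine with read access to the domain, it looks up who owns the HTTP SPNs for the server's FQDN and short name, flags missing, duplicate and misplaced registrations, and reports whether the application pool account is trusted for unconstrained delegation, protocol transition, or constrained delegation to specific services. The server name and account name are assumed placeholders.

```powershell
# Added example, not part of KB 832769: check the Active Directory side of the Kerberos
# setup described above (SPN registration and delegation) for the account that runs the
# application pool. Assumptions: PowerShell 2.0 on a domain-joined machine with read access
# to the domain; the server and account names are placeholders.

$ServerFqdn  = "sharepoint.contoso.local"   # assumed: host name clients use in the URL
$AppPoolUser = "svc_sharepoint"             # assumed: sAMAccountName of the app pool identity
                                            # (use the computer account, COMPUTERNAME$, for Network Service)

# Every account that carries the SPN. More than one owner is a duplicate SPN, and the
# KDC then cannot pick a key: clients get KRB_AP_ERR_MODIFIED or silently fall back to NTLM.
function Find-SpnOwners([string]$Spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add("sAMAccountName") | Out-Null
    $owners = @()
    foreach ($result in $searcher.FindAll()) {
        $owners += [string]$result.Properties["samaccountname"][0]
    }
    return $owners
}

# Delegation flags on the account: unconstrained (the check box in the article), protocol
# transition, and the constrained target list available in Windows Server 2003 domains.
function Get-DelegationState([string]$SamAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found" }
    $uac = [int]$result.Properties["useraccountcontrol"][0]
    $targets = @()
    if ($result.Properties.Contains("msds-allowedtodelegateto")) {
        $targets = @($result.Properties["msds-allowedtodelegateto"])
    }
    return @{
        Unconstrained      = (($uac -band 0x80000) -ne 0)     # TRUSTED_FOR_DELEGATION
        ProtocolTransition = (($uac -band 0x1000000) -ne 0)   # TRUSTED_TO_AUTH_FOR_DELEGATION
        ConstrainedTargets = $targets                          # msDS-AllowedToDelegateTo
    }
}

# Kerberos clients build the SPN from the host name they typed, so both forms must resolve
# to exactly one account, and that account must be the one running the application pool.
$shortName = $ServerFqdn.Split(".")[0]
foreach ($spn in @("HTTP/$ServerFqdn", "HTTP/$shortName")) {
    $owners = @(Find-SpnOwners $spn)
    if ($owners.Count -eq 0) {
        "$spn : not registered (Kerberos fails or falls back to NTLM; add it with setspn -A)"
    } elseif ($owners.Count -gt 1) {
        "$spn : DUPLICATE on $($owners -join ', ') - remove all but the pool account's copy"
    } elseif ($owners[0] -ne $AppPoolUser) {
        "$spn : registered on $($owners[0]), not on $AppPoolUser"
    } else {
        "$spn : OK, registered on $($owners[0])"
    }
}

$delegation = Get-DelegationState $AppPoolUser
if ($delegation.Unconstrained) {
    Write-Warning "$AppPoolUser is trusted for unconstrained delegation: it can impersonate any user to any service. Prefer constrained delegation to the back-end SPNs the Web parts need."
} elseif ($delegation.ConstrainedTargets.Count -gt 0) {
    "$AppPoolUser delegates only to: $($delegation.ConstrainedTargets -join ', ')"
} else {
    "$AppPoolUser is not trusted for delegation (fine unless Web parts must reach back-end servers as the user)"
}
```

The searcher uses the current domain as its root, so it finds duplicates within that domain only; in a multi-domain forest, point the SearchRoot at the global catalog (a GC:// path) to catch an SPN registered on an account in another domain. Run the script after setspn -A and again after changing the delegation setting.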


<div class="references_section">