December 2007

Use Kerberos to Secure MOSS 2007

Which Kerberos authentication features you need and how to configure them

You can also include a port value if you want to limit the SPN to a specific port or you are using non-standard ports for a particular Web application. For example, if your Central Administration site is hosted on port 35000, you might want to include this specification in your SPN registrations for the SharePoint Central Administration site. To offer a more detailed example, if you host Central Administration on a computer named CA01 in the fabrikam.com domain on port 35000, your SPNs for this site would be HTTP/CA01.fabrikam.com:35000 and HTTP/CA01:35000.

Finally, the name part of the SPN is rarely used except for services that are replicated. You can safely omit the name part of an SPN for your MOSS-related SPN registrations.

In terms of AD, SPNs are values automatically written to the servicePrincipalName multivalued attribute of a computer account when it's registered in an AD domain. For example, workstation01 in the fabrikam.com domain will have the following two SPNs automatically registered: HOST/WORKSTATION01 and HOST/workstation01.fabrikam.com. Servers registered in the domain will also have the HOST SPN entries and are likely to have entries for other service classes as well, such as SMTPSVC. Because of this automatic registration, your AD client can use Kerberos authentication to authenticate you to a domain. In addition, the NT AUTHORITY\NETWORK SERVICE account (aka Network Service) acts as the computer on the network and therefore inherits the SPN settings of the computer.

You might ask, then, why you need to set an SPN at all if Network Service already has one and an IIS application pool can use Network Service as its identity. To that we would say, great question! Microsoft recommends that you use an AD user account for each application pool supporting a MOSS Web application. Although we don't have specific information about this, we believe Microsoft discourages the use of Network Service for this purpose because it would require you to assign several permissions to this ubiquitous and typically low-privilege account. Therefore, when you assign a user account as the identity of an application pool that will provide Kerberos authentication, you must then assign an SPN to that account. During the authentication handshake between the client browser and the Web application, IIS uses the SPN to retrieve a Kerberos ticket from the KDC and a session key on behalf of the logged-on user.

Setting SPNs
With the aptly named setspn command-line tool that’s part of Windows Server 2003 SP1 and later (and included as a support tool for Windows 2000 Server), you can perform SPN create, read, update, and delete operations. The create operation is referred to as registering an SPN. Figure 2 shows the registration process.

Because registering an SPN is a security-sensitive operation, you must have administrative permissions in the domain to create, update, or delete an SPN. Any authenticated user can read the SPNs registered on a user account or computer. Being able to read an SPN is important, especially if you work in an organization where you don't have administrative permission in the domain to set it yourself, because it lets you check the configuration for accuracy and troubleshoot errors.

In the example of a host named corpweb and corpweb.fabrikam.com, if the application user account assigned to the MOSS Application Pool identity is fabrikam\PortalAppPool, the following SetSPN commands prepare the account for Kerberos authentication:

setspn -A HTTP/corpweb fabrikam\PortalAppPool
setspn -A HTTP/corpweb.fabrikam.com fabrikam\PortalAppPool

The first command sets the HTTP class and the NetBIOS name of the Web server on the fabrikam\PortalAppPool user account. The second command sets the HTTP class and fully qualified host name (DNS name) for the portal on the same user account. After registering the user account with the required SPNs, running the following command:

setspn -L portalapppool

returns the following output:

Registered ServicePrincipalNames for CN=PORTALAPPPOOL,OU=SVCACCOUNTS,DC=FABRIKAM,DC=COM:
HTTP/corpweb
HTTP/corpweb.fabrikam.com

The -L parameter shows the distinguished name of the PortalAppPool account and the SPNs registered on that account. Note that setspn's usage syntax suggests you can run setspn commands only against computer names. However, it also works for user accounts, as the previous example demonstrates.
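The following is an added example, not code from the article: it builds the SPN set a MOSS Web application needs (NetBIOS name plus DNS name, with a port suffix only for non-standard ports such as Central Administration on 35000), renders the matching setspn -A commands, and checks pasted setspn -L output for missing registrations. It assumes the setspn -L output format shown above, and the account name fabrikam\CAAppPool is a made-up placeholder.

```python
import re


def required_spns(netbios_name, fqdn, port=None, service_class="HTTP"):
    """Return the SPNs to register for one Web application.

    Both the NetBIOS name and the DNS name are registered so Kerberos works
    whichever name the user types into the browser. A port suffix is added
    only for non-standard ports; a site on port 80 uses the bare host name.
    """
    suffix = f":{port}" if port else ""
    return {f"{service_class}/{netbios_name}{suffix}",
            f"{service_class}/{fqdn}{suffix}"}


def setspn_add_commands(account, spns):
    """Render the `setspn -A` commands that register each SPN on the account."""
    return [f"setspn -A {spn} {account}" for spn in sorted(spns)]


def parse_setspn_list(output):
    """Parse `setspn -L` output into (distinguished name, set of SPNs).

    Assumes the format shown in the article: a header line ending in ':'
    followed by one SPN per line.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    m = re.match(r"Registered ServicePrincipalNames for (.+):$", lines[0])
    if not m:
        raise ValueError("unexpected setspn -L header: %r" % lines[0])
    return m.group(1), set(lines[1:])


def check_account(output, netbios_name, fqdn, port=None):
    """Return the required SPNs that are missing from the account (empty = OK)."""
    _, registered = parse_setspn_list(output)
    # SPN matching in AD is case-insensitive, so normalise before comparing.
    registered = {s.lower() for s in registered}
    return {s for s in required_spns(netbios_name, fqdn, port)
            if s.lower() not in registered}


# Constructed sample in the format the article shows for PortalAppPool.
SAMPLE_OUTPUT = """Registered ServicePrincipalNames for CN=PORTALAPPPOOL,OU=SVCACCOUNTS,DC=FABRIKAM,DC=COM:
HTTP/corpweb
HTTP/corpweb.fabrikam.com
"""

if __name__ == "__main__":
    print(check_account(SAMPLE_OUTPUT, "corpweb", "corpweb.fabrikam.com"))
    print(setspn_add_commands("fabrikam\\CAAppPool",
                              required_spns("CA01", "CA01.fabrikam.com", 35000)))
```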



Reader Comments
Kudos for Ethan for addressing a problem that we encounter all too often in the field. During a MOSS deployment yesterday, I asked the IT dept. if they knew how Kerberos was working in their WAN and if they had tested their SPNs with the SetSPN tool. I received the "deer in the headlights" response. Thanks for addressing this issue. This is one SharePoint article I will share with my clients and encourage them to subscribe to Windows IT Pro today.

SCG December 18, 2007 (Article Rating: )


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing