ESP SharePoint and Kerberos

Scope

This article will outline some additional configurations that are possibly required when load balancing a SharePoint site with Edge Security Pack (ESP), and Server Side Authentication set to Kerberos Constrained Delegation (KCD). 

Configuration 

This article will not be covering the initial ESP Client Side Configuration or the KCD Server Side Configuration. Please see the following links for information regarding the implementation of this part of the configuration.

SharePoint Virtual Services

ESP

KCD

 

1. Enable Kerberos on SharePoint

Log into your SharePoint Admin Portal. Go to Manage Web Applications > SharePoint Site > Authentication Providers

 

Under Edit Authentication set Integrated Windows authentication to Negotiate (Kerberos)

2. Enable Kernel Mode Authentication

When the LoadMaster requests a Kerberos ticket it will do so using the Fully Qualified Domain Name (FQDN) of the Real Server. 

The Kerberos server or Domain Controller, will encrypt the ticket using the credentials of the Real Server. This can cause issues when connecting to your SharePoint Site resulting in a 401 Authentication popup.

A simple solution to this behavior is to enable Kernel Mode Authentication on the IIS Server. 

IIS Manager > SharePoint > Authentication > Windows Integrated Authentication > Advanced Settings >  Enable Kernel Mode Authentication.

 

3. SPN Service Account

In some scenarios it won't be possible to enable Kernel Mode Authentication. Some examples being when SharePoint has some back end servers that need to connect directly to SharePoint, or there are internal clients connecting directly to SharePoint. In these cases Kernel Mode Authentication will need to be disabled. 

If this is the case, the Kerberos server will need to encrypt the KCD ticket using the SharePoint Service Account.

The SharePoint Service Account can be found under IIS Manager > Application Pools > SharePoint Site or in the SharePoint Admin Portal under Security > Configure Service Accounts.

Once the SharePoint Service Account has been retrieved, open the command line on your Domain Controller and run the following command:

SetSPN -s HTTP/IIS_SERVER_FQDN  domain\SharePoint Service Account

 

 

 

 

 

 

 

 

 

 

 

Was this article helpful?

0 out of 0 found this helpful

Comments