OK, so setting up Kerberos for MOSS on Windows Server 2008 and SQL 2008 is somewhat different from how you would set it up in earlier versions. This post lists the “gotchas” you should be aware of rather than step-by-step instructions on how to configure everything (if you have set up Kerberos before, you will know what to do). The Windows Server 2008 portion is from the brilliant mind behind harbar.net :)
SQL Server 2008:
If you are following the least-privilege method for your MOSS accounts, you will need to give your MOSS Install account the new “setupadmin” permission on the relevant SQL Server 2008 database – you don't want to know what I went through to discover this!
Windows Server 2008:
Taken from (harbar.net): One of the security changes in IIS 7.0 is that Windows Authentication is performed by default in the kernel. This is a good thing! It eases the configuration required for Kerberos and improves performance significantly.
Because HTTP.sys is handling the authentication, it is by default done under the LocalSystem account regardless of the application pool identity. This means that the creation of an SPN is unnecessary because default SPNs are created when the server is joined to the domain. You can of course change the app pool identity without having to register a SPN, and the app pool account doesn't need to be a domain account.
However, it trips up SharePoint as even on a single server SharePoint is currently considered a web farm (should use a domain account). Therefore you need to use the application pool identity for authentication.
The recommended way of doing this:
- Configure the useAppPoolCredentials attribute in system.webServer/security/authentication/Windows-Authentication configuration section to true. For example:
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
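To check an existing server for the condition described above, here is an added example (not from this post or from harbar.net): a Python audit that reads applicationHost.config-shaped XML and flags scopes where Windows Authentication runs in kernel mode without useAppPoolCredentials. The sample config and site names are constructed, inheritance is simplified to the server level plus one location level, and unwritten attributes fall back to the IIS 7 schema defaults.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the shape of applicationHost.config; site names are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="SharePoint - 80">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Central Administration">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"
# IIS 7 schema defaults for attributes that are not written out.
DEFAULTS = {"enabled": "false", "useKernelMode": "true", "useAppPoolCredentials": "false"}

def effective(elem, inherited):  # explicit attributes override inherited values
    merged = dict(inherited)
    if elem is not None:
        merged.update({k: v.lower() for k, v in elem.attrib.items() if k in DEFAULTS})
    return merged

def audit(config_xml):
    """Return {location path: finding}; '' is the server-level section."""
    root = ET.fromstring(config_xml)
    server = effective(root.find(WIN_AUTH), DEFAULTS)
    scopes = {"": server}
    for loc in root.findall("location"):
        scopes[loc.get("path", "")] = effective(loc.find(WIN_AUTH), server)
    findings = {}
    for path, s in scopes.items():
        if s["enabled"] != "true":
            findings[path] = "windows auth disabled"
        elif s["useKernelMode"] == "true" and s["useAppPoolCredentials"] != "true":
            findings[path] = "kernel mode decrypts tickets as LocalSystem"
        else:
            findings[path] = "tickets decrypted with app pool identity"
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_CONFIG).items():
        print(f"{path or '<server>'}: {finding}")
```

On a real server, pass the contents of %windir%\System32\inetsrv\config\applicationHost.config to audit() instead of the sample.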