SharePoint User Group UK

Hello all,

I am quite new to SharePoint, hope there are some nice people out there can help me on this one.

I have setup WSS 3.0 using Kerberos - for testing purposes, I have sql server and sharepoint in one single server.

I installed WSS 3.0 successfully and can access the administration page on the browser on its server. URL is http://server01:60 - I chose kerberos as the authentication option.

I also performed the following items.

1) Create an active directory account domain\spsrv
2) Get the domain admin to set the server machine (named server01) to be trusted and delegated.
3) Get the domain admin to set the account domain\spsrv to be trusted and delegated
4) Get the domain admin to add SPN values to the account domain\sprv so it has HTTP/server01, HTTP/server01:70, HTTP/server01:60
5) The IIS application pool is using domain\spsrv account.

I create a new portal (site collection) using port 70, http://server01:70/site/team using kerberos as auth. When try to access this newly created site, it keeps giving me a username and password prompt - which I used admin account, entered correctly and it STILL prompt me.


Is there anything I am missing? Or am I doing it right?

Also my other question is, does the account domain\spsrv has be to interactive logon?

Thank You in advance.

Hi,

Is the person accessing the site been added as a user or site administrator?

For a quick test, add that user via Central Admin -> Application Management -> Application Security -> Policy for Web Application.

Add the current user there and then access the site again and see if that works.

Thanks for your answer, unfortunately, it still keep prompting me to enter the username and password even if I enter the it correctly. (I am access the newly created web app on the client machine).

My feeling is that there were some step missing when configuring the sharepoint using kerberos.

Any ideas?

Thanks,

Also just a quick question,

Does this allow when you have the same SPN values for different accounts?

eg
domain/pooluser1 (HTTP/server01, HTTP/server01:70, HTTP/server01.abc.com:70)
domain/pooluser2 (HTTP/server01, HTTP/server01:71, HTTP/server01.abc.com:71)

will this cause any conflicts given the ports are different?

and do the poolusers need to have an interactive logins?

Hi

Did you get this sorted?  Were you testing on the server or remotely?

---

Director, Intelligent Decisioning Ltd
http://www.id-live.com

Is there a reason you are using non stamdard ports for user facing sites? Kerberos and non standard ports are a world of pain, especially for IE 6 users, yes there is a patch but do you really roll that out accross  your entire estate?

Even if you get it working you will find that search will fail as it will want port 80 or 443to crawl.

http://blogs.msdn.com/joelo/archive/2008/01/10/crawling-and-kerberos-the-saga-continues.aspx

Use host headers and setup Alias' in DNS and your life and that of your end users will become a lot easier, even if you are doing local testing modify your hosts file, its a lot easier than random port numbers

Mike

Hi,

The issue is the non default ports that you are using for server01:70 and server01:60. IE malforms the Kerberos request when access sites on non default ports.

Switch off Kerb for non default port web sites and remove the non default port entries from AD.

I have found that using DNS (with A records) and assigning multiple IPs to the SharePoint server, one for each web app is the most reliable.

That way you can have sharepoint.domain.com -> main sharepoint site, admin.domain.com -> central admin, mysite.domain.com -> my sites and ssp.domain.com to your ssp admin site.

The other tool that I have found really useful in diagnosing Kerberos issues is Brian-Murphy-Booth's tool http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434

Good luck

Regards

Simon

 

---

iThink SharePoint (http://ithinksharepoint.blogspot.com)