Wednesday, June 25, 2008

MOSS and Kerberos on Windows Server 2008 - a gotcha

I've been through the Kerberos mill repeatedly--getting the SPNs lined up, making sure the computer and service accounts are trusted for delegation, making sure the clocks on the servers are within 15 minutes of each other, etc. But I couldn't make Kerberos authentication work on my MOSS web applications on a Windows Server 2008 server.

I opened a ticket on this with Microsoft and discovered that IIS 7.0 has kernel-mode authentication turned on by default. MOSS has a problem with this, and it completely breaks Kerberos for those web applications. To turn it off:

In Server Manager, select the web application for which you want to fix Kerberos authentication.

Select its Authentication tool.

Now choose Advanced Settings.

Finally, make sure the "Enable Kernel-mode authentication" checkbox is UNCHECKED.

Apply your changes and you should be good to go. It is not necessary to reset IIS or bounce the application pool for the change to take effect. Don't forget that you still have to configure the web application in MOSS Central Administration to use Kerberos (Negotiate) authentication instead of NTLM, in addition to all the other normal domain-based Kerberos setup steps. Cheers.
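The same change made from the command line, as an added example that is not part of the original post: it audits the kernel-mode setting for every site, then clears it for the MOSS web applications and reads the value back. It assumes the IIS WebAdministration PowerShell module is available; the site names are placeholders to substitute with your own.

```powershell
# Added example (not from the original post): turn off IIS 7 kernel-mode
# Windows authentication for the MOSS web applications listed below and verify.
# Assumes the WebAdministration module; site names are constructed placeholders.
Import-Module WebAdministration -ErrorAction Stop

# This section backs the "Enable Kernel-mode authentication" checkbox in IIS Manager
$filter = '/system.webServer/security/authentication/windowsAuthentication'

# Placeholder names, replace with the web application names shown in IIS Manager
$mossSites = @('SharePoint - 80', 'SharePoint Central Administration v3')

function Get-KernelModeAuth {
    param([string]$SiteName)
    $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter $filter -Name useKernelMode
    return [bool]$attr.Value
}

# Audit every site first so the change is deliberate and limited to MOSS sites
Get-Website | ForEach-Object {
    [pscustomobject]@{ Site = $_.Name; KernelModeAuth = Get-KernelModeAuth $_.Name }
} | Format-Table -AutoSize

foreach ($site in $mossSites) {
    if (Get-KernelModeAuth $site) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
            -Filter $filter -Name useKernelMode -Value $false
    }
    # Read the setting back; no IIS reset or app pool recycle is required
    if (Get-KernelModeAuth $site) { throw "useKernelMode is still enabled for '$site'" }
    Write-Host "Kernel-mode authentication disabled for '$site'"
}

# Equivalent appcmd command for a box without the PowerShell module:
# %windir%\system32\inetsrv\appcmd.exe set config "SharePoint - 80" -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"False" /commit:apphost
```

The audit table is worth keeping with the change record, since the setting is per site and reverts to the IIS default if the site is recreated.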

** UPDATE 24 Mar 2009 **
Apparently the kernel-mode authentication setting also breaks NTLM authentication on WS 2008, so this is not specific to making Kerberos work.
