Kerberos for SharePoint on Server 2008 with IIS 7

UPDATE: Spence posted a great comment pointing out some issues with this post. Richard then restored our Community Server DB to a point in time before the post, so it’s been wiped. Post again, Spence, please, as I didn’t get chance to copy the text of the comment, I’m afraid.

I’ve not been doing so well with blog posts lately. I have more than one currently in process but unposted, and I just can’t seem to get the time to finish them – so apologies, CSW, for not getting the article I promised up yet, but I am working on it.

However, I needed to write up the work I did on our SharePoint at the end of last week, which I thought warranted being made available to a wider audience, so this is a quick but hopefully helpful post.

Kerberos, Service Principal Names and Application Pool Identities

I’ve been migrating our SharePoint farm from Server 2003 to Server 2008, and because we now also use Microsoft CRM and a few other systems that require it, I’ve been configuring kerberos.

In theory, this should be simple: We always create service accounts in the AD for each web application to run as, so each of those accounts needs the correct SPNs created to match the web site.

For example, if our internal domain is mycorp.com and our SharePoint site is Portal running as the portalapp account, then I would register the SPNs of http/portal.mycorp.com and http/portal against the portalapp account using either adsiedit or setspn. I then make sure that the account is trusted for delegation, which I can do through the delegation tab in the account properties dialog in Active Directory Users and Computers. I also make sure that the servers running SharePoint are trusted for delegation to any service in the same way. UPDATE: Spence pointed out that this is completely unnecessary, see the comments, below.

Once I’ve done all that, I can enable Kerberos on the SharePoint web application through Central Administration. If you’ve never done that, the Authentication Providers option is in the Application Security section (usually the right hand column) in Application Management. Make sure you have the correct web application selected and choose the zone you want to configure (if you haven’t extended your web application, that’ll be default). In the Edit Authentication page, simply tick Integrated Windows Authentication and toggle the radio button beneath to Negotiate (Kerberos). Apply the changes, and we’re done.

Or so you’d think…

To be fair, with Server 2003, that should be it. With Server 2008, however, things just didn’t seem to be working properly for me. So I consulted the Oracle (on a side note, I’m trying a new Oracle lately…).

Kernel-mode authentication. Great idea, shame about the configuration

It turns out that IIS 7 has changed the way it deals with authentication, in that it now executes authentication-related processes in kernel mode for security and performance. That’s all well and good, but it also transpires that because of that, it uses the Local System account for this, and that’s where we hit a snag: I’ve created the SPNs on the wrong account – I would need to create them on the machine account for the hosting server. Except that won’t work if we’re using more than one server in our farm to host the web applications, because I can only set the SPN against a single account.

It turns out that there is a solution to this. Frustratingly, however, it can’t be done through IIS Manager (or at least, I couldn’t see a way – perhaps Andy Westgarth and the IIS boys can help me here?). Once again we need to edit the applicationHost.config file, just like we did for the bindings, previously:

  1. Finding the right section for this can be tricky. You’re looking for the <location> section for your site, which then has a <system.webServer> section within it. I search on the site name (for example, our web site in IIS is SharePoint – Portal) because the line should look something like:
    <location path="SharePoint – Portal">
  2. Scroll down until you find the <security> section. In there you should see an <authentication> section and beneath that, <windowsAuthentication>. It will probably say:
    <windowsAuthentication enabled="true">
  3. Edit that line to read:
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

You’ll need to do an IISReset after that, or at least I did.

Am I the only person who thinks this should be a setting in the GUI somewhere? It’s such a fundamental issue if you’re using any kind of farm-based system (such as SharePoint or CRM) that I can’t believe it’s so hidden.

UPDATE: Spence also pointed out that appcmd lets you configure this. I’ll post more when I’ve learned how to do it myself.

Appcmd syntax and a hotfix

After Spence posted his comments I did more digging. The syntax for appcmd to make the change I describe above is:
appcmd set config "SharePoint – Portal" /section:windowsAuthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST
where you need to replace the stuff in quotes with the name of your site. You can get a list using appcmd:
appcmd list site

I also found a note about a hotfix related to this issue. If you see your server suffering from blue screens after configuring kerberos (I haven’t… yet) then this might help.

Finally, Spence posted a link to a set of useful slides covering just this topic – thanks Spence, I bet those were three great sessions. Hopefully I’ve now corrected the errors you pointed out and this post is back to being helpful!

Configuring IIS Bindings to include host headers with https on Windows Server 2008 (for SharePoint)

NOTE: We use a wildcard SSL certificate which makes our life much easier when dealing with multiple hostnames. I have not tested this approach with multiple SSL certificates for specific sites.

We’ve been reconfiguring our SharePoint 2007 farm over the past couple of days and it’s now hosted on Windows Server 2008 and using NLB (network load balancing). The load balancer has been configured with a single public IP address and all our previous DNS CNAME registrations have been replaced with hostname A registrations pointing at the address. With our previous configuration we had multiple IP addresses on the server, one for each web application. Each IIS web site was then configured with a host header and ip address to allow for secure traffic over HTTPS.

With our new configuration, I didn’t want to specify an IP address on the web site. Handily, IIS 7 makes that scenario possible (and even relatively straightforward). The only snag is that you can’t configure the necessary bindings through the IIS Manager GUI. You can do it through an xml config file, however:

  1. Look in c:\windows\system32\inetsrv\config and edit the applicationHost.config file. Make sure you take a backup first!
  2. Find the <sites> section in the file. In there you will find a <site> element for each IIS web site. Each of those has a <bindings> element with each port/protocol binding listed. Our main site looked like this:
    <bindings>
    <binding protocol="https" bindingInformation="*:443:" />
    </bindings>

    and we changed it to look like this:
    <bindings>
    <binding protocol="https" bindingInformation="*:443:myhost.mydomain.com" />
    </bindings>
  3. Repeat for each web application. If you have more than one web application on the same IP address using either http or https you need to configure a host header or you’ll have problems.
  4. Execute an iisreset.

We now have all our content web applications, the SSP and the central administration web sites all running on a single IP address, many on the same port and using SSL.

As I said at the start of this post, we use a wildcard certificate which makes my initial IIS configuration easier. I haven’t tried multiple certificates, and I’m interested to know if that works or not.
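Both the windowsAuthentication change from the Kerberos post above and the host header bindings from this one are hand edits to applicationHost.config, so it is worth being able to check a farm's file for them. The script below is an added example, not code from the original posts: it parses a constructed sample of applicationHost.config (the site names and hostnames in it are made up) and reports https bindings with no host header and kernel-mode Windows authentication that still lacks useAppPoolCredentials.

```python
"""Audit an IIS 7 applicationHost.config for the two farm settings these posts
edit by hand: useAppPoolCredentials for Kerberos and host headers on https bindings.
SAMPLE_CONFIG is a constructed example, not a real server's file."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <system.applicationHost><sites>
    <site name="SharePoint - Portal" id="1">
      <bindings><binding protocol="https" bindingInformation="*:443:" /></bindings>
    </site>
    <site name="SharePoint - Intranet" id="2">
      <bindings><binding protocol="https" bindingInformation="*:443:intranet.mycorp.com" /></bindings>
    </site>
  </sites></system.applicationHost>
  <location path="SharePoint - Portal">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="SharePoint - Intranet">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""


def audit_config(xml_text):
    """Return (site, problem) tuples for settings a load-balanced farm needs."""
    root = ET.fromstring(xml_text)
    findings = []
    # An https binding on a shared IP needs a host header: the third field of
    # bindingInformation (ip:port:hostheader) must not be empty.
    for site in root.iter("site"):
        for binding in site.iter("binding"):
            fields = binding.get("bindingInformation", "").split(":")
            if binding.get("protocol") == "https" and (len(fields) < 3 or not fields[2]):
                findings.append((site.get("name"), "https binding has no host header"))
    # Kernel-mode Windows auth decrypts tickets with the machine account unless
    # useAppPoolCredentials is set, so SPNs registered on a service account won't match.
    for loc in root.iter("location"):
        for wa in loc.iter("windowsAuthentication"):
            kernel = wa.get("useKernelMode", "true") == "true"  # IIS 7 default is true
            if wa.get("enabled") == "true" and kernel and wa.get("useAppPoolCredentials") != "true":
                findings.append((loc.get("path"), "kernel-mode auth without useAppPoolCredentials"))
    return findings

if __name__ == "__main__":
    for site, problem in audit_config(SAMPLE_CONFIG):
        print(f"{site}: {problem}")
```

Point it at the real file by reading c:\windows\system32\inetsrv\config\applicationHost.config into the function instead of SAMPLE_CONFIG.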

Incoming Email with SharePoint on Windows Server 2008

I’ve been meaning to write this up for a while, simply because it’s not quite as straightforward as with Server 2005.

To configure incoming email on SharePoint when running on Server 2008 you’ll need to run through the following steps:

  1. Install the SMTP feature
    Open Server Manager. Click on Features in the left hand column then click add features in the right hand pane. Tick the SMTP Server check box and click install.
  2. Configure the SMTP Service in IIS Manager (version 7)
    Start Internet Information Services (IIS) Manager from Administration tools in the Start Menu. Once open, click the name of the web server to bring up the options in the centre panel. In the centre panel, right-click SMTP E-mail and select Open Feature from the menu.
    Click the option to ‘store e-mail in pickup directory’ and set the path to be c:\inetpub\mailroot\Drop (that’s the default).
  3. Configure the SMTP Service in IIS 6.0 Manager
    Start Internet Information Services (IIS) 6.0 Manager from Administration tools in the Start Menu. Expand the server to show the SMTP service. In the ‘domains’ section, add any email domain aliases you need in there. Configure the other SMTP service settings just like you did with Server 2005.

Tech Ed EMEA IT: Day 3 – Server 2008 R2

We were in early today, looking forward to a session on SharePoint with Bill English. Sadly, that was cancelled so Andy and I sat in on the Server 2008 R2 overview session presented by Iain McDonald. That was very interesting, and we learned a bit more about BranchCache. It doesn’t look like it will replace WAN accelerators like Riverbed, because it doesn’t appear to function at their low level. However, it does a similar thing at the file level. The client requests a file from the remote server, which instead replies with hashes. The client PC then requests those hashes from the local cache, improving performance. The cache itself is built on request so does not need to be pre-populated (which is good). I think WAN accelerators have nothing to fear from this, but for smaller organisations or ones which aren’t able to put the accelerators in (perhaps their servers are hosted, for example) BranchCache looks like a very promising technology.

Something I saw and got excited about is DHCP failover. We don’t suffer much with DHCP outage, but because the only way to sync up two DHCP servers is to export and import it’s very hard to do resilient services. DHCP failover should solve that, and it looks good.

Also, more on the .Net on server core front. The key ‘takeaway’ is that it is a subset of .Net 2, .Net 3 (WCF and WF, not WPF) and .Net 3.5 (WF additions and Linq). That makes sense – why include elements related to the GUI? However, subset obviously means compatibility pitfalls and I am still very interested to see where this goes.

We spoke to a few guys on the IIS stand yesterday about SharePoint on IIS7. I need to talk to the SharePoint guys about the same thing. The IIS chaps were optimistic that what I wanted to do would work, but there had been no effort put into testing of the scenario as yet. As far as I am concerned, at the very least I want to be able to run my WFE servers as server core for security reasons. I’d really like to be able to deploy the app server roles to core as well, which falls in line with a single-purpose server, virtualised strategy.

I’m writing this as I wait for the MED-V session to start. The brief intro to this given during the Windows 7 session made it sound exciting and I really hope to come away from this feeling energised. Whilst it’s been a solid conference so far, there’s not been much to give me a buzz – perhaps this is it. I’ll take notes and try to post my thoughts later.

Community Launch Events

A big thanks to everybody who came to the Server 2008 launch event last week. Andy and I had a great time presenting to such an enthusiastic crowd. In the end we ran long because of the amount of dialogue around the new features of Server 2008 and I hope everyone went away having got something useful.

Now I need to reduce the two hours of material down to a perky 45 minutes for delivery at the VBug-hosted launch event on April 30th. Richard is there too, and Iain is also speaking, making up the triumvirate. It’s my first non-Black Marble community event and I’m quite looking forward to it.