Configure a SharePoint SPN and enable Kerberos
During this task you will configure a SharePoint specific Service Principle Name (SPN).and configure SharePoint as an Access Gateway Kerberos application.
Ensure that SharePoint is using a defined service account and not the Active Directory administrator account.
The Active directory administrator account should not be used for configuration.
In this page we use the following:
On a machine in the specified domain set Service Principle Name.
Setspn must be executed by a user with Active Directory Domain Admin rights.
The command can be run any computer in the domain and doesn’t require being logged into a Domain Controller.CopySetspn general form
setspn -U -S HTTP/<SPN> <DOMAIN>\spadmin
-U Specify that <SPN> is a user account.
-S <SPN> Adds the specified SPN for the computer, after verifying that no duplicates exist.CopySet SPN example
setspn -U -S HTTP/sharepoint.atko.biz MYDOMAIN\spadmin
- Connect to the SharePoint Central Administration service and login as SharePoint Admin.
- Go to Central Administration > Manage Web Applications.
- Select the proper SharePoint web application instance, typically SharePoint - 80.
- In the Ribbon click Authentication.
- Select the proper Zone - typically Default.
- Scroll to the Claims Authentication and Types section.
- Select Negotiate (Kerberos).
- Click Save.
After clicking Save, the SharePoint application we be reprovisioned on all SharePoint servers hosting the application.
This will cause a brief disruption in service.
After completion, ensure users can still access the SharePoint instance.