Configure a SharePoint SPN and enable Kerberos

During this task you will configure a SharePoint-specific Service Principal Name (SPN) and configure SharePoint as an Access Gateway Kerberos application.

Ensure that SharePoint is using a dedicated, defined service account and not the Active Directory administrator account.
The Active Directory administrator account must not be used for this configuration.

In this page we use the following:

Description        Example
SharePoint FQDN
Service account    MYDOMAIN\spadmin

  1. On a machine in the specified domain, set the Service Principal Name.

    Setspn must be executed by a user with Active Directory Domain Admin rights.
    The command can be run on any computer in the domain and doesn't require being logged into a Domain Controller.

    Setspn general form
    setspn -U -S HTTP/<SPN> <DOMAIN>\spadmin


    -U Specifies that the target account (<DOMAIN>\spadmin) is a user account rather than a computer account.

    -S <SPN> Adds the specified SPN after verifying that no duplicate SPN exists elsewhere in the forest.

    Set SPN example
    setspn -U -S HTTP/ MYDOMAIN\spadmin
  2. Connect to the SharePoint Central Administration service and login as SharePoint Admin.
  3. Go to Central Administration > Manage Web Applications.
    [Image: SharePoint Central Administration console with Central Administration > Manage Web Applications selected.]
  4. Select the proper SharePoint web application instance, typically SharePoint - 80.
  5. In the Ribbon click Authentication.
  6. Select the proper Zone - typically Default.
  7. Scroll to the Claims Authentication and Types section.
  8. Select Negotiate (Kerberos).
  9. Click Save.
Important Note

After clicking Save, the SharePoint application will be reprovisioned on all SharePoint servers hosting the application.
This causes a brief disruption in service.

After completion, ensure users can still access the SharePoint instance.
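The following script is an added example and is not part of the original page or of the product documentation it belongs to. It performs the same procedure from an elevated SharePoint Management Shell on a domain-joined SharePoint server: it registers the SPN on the service account after a duplicate check (step 1), switches the web application zone to Negotiate (Kerberos) with the SharePoint cmdlets that correspond to the Central Administration clicks in steps 2 through 9 (an assumed equivalent, not stated on the page), and provides the post-change check that a Kerberos ticket for the SPN can be obtained and the site still answers. The FQDN and web application URL are placeholders; only MYDOMAIN\spadmin comes from the page.

```powershell
# Added example (not the page's or the product's own code). Run the registration and
# enable steps as a Domain Admin in the SharePoint Management Shell on a SharePoint
# server; run Test-SharePointKerberos from a domain-joined client after reprovisioning.
param(
    [string]$SharePointFqdn = "sharepoint.example.invalid",        # placeholder (assumed)
    [string]$WebAppUrl      = "http://sharepoint.example.invalid", # placeholder (assumed)
    [string]$ServiceAccount = "MYDOMAIN\spadmin",                  # from the page
    [string]$Zone           = "Default"
)

$spn = "HTTP/$SharePointFqdn"

# The page's rule: the AD administrator account must never be the service account.
if ($ServiceAccount -match '\\administrator$') {
    throw "Refusing to use the Active Directory administrator account as the service account."
}

function Register-SharePointSpn {
    param([string]$Spn, [string]$Account)

    # setspn -L lists the SPNs already registered on the account; skip if it is there.
    $registered = setspn -L $Account
    if ($registered -match [regex]::Escape($Spn)) {
        Write-Output "$Spn is already registered on $Account."
        return
    }

    # A duplicate SPN on a different account breaks Kerberos for both services.
    # -S would refuse the add anyway, but -Q shows which account holds the duplicate.
    $query = setspn -Q $Spn
    if ($query -match 'Existing SPN found') {
        $query | Write-Output
        throw "$Spn already exists on another account; remove the duplicate before continuing."
    }

    # Step 1 from the page: -U = user account, -S = add after verifying no duplicates.
    setspn -U -S $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE." }
}

function Enable-SharePointKerberos {
    param([string]$Url, [string]$ZoneName)

    # Steps 2-9 as cmdlets: assumed equivalent of Authentication > Negotiate (Kerberos).
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }
    $webApp = Get-SPWebApplication -Identity $Url
    # Claims-based Windows authentication with Kerberos allowed (DisableKerberos:$false
    # is the "Negotiate (Kerberos)" choice; the default is NTLM).
    $provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos:$false
    Write-Warning "The web application will be reprovisioned on every server hosting it; expect a brief outage."
    Set-SPWebApplication -Identity $webApp -Zone $ZoneName -AuthenticationProvider $provider
}

function Test-SharePointKerberos {
    param([string]$Spn, [string]$Url)

    # Run as a normal domain user on a client. A fresh service ticket for the SPN proves
    # the KDC can find the SPN (so the name and the registration line up).
    klist purge | Out-Null
    klist get $Spn | Out-Null
    $ticket = klist | Select-String -SimpleMatch $Spn
    if (-not $ticket) { throw "No Kerberos ticket for $Spn; check the SPN and the DNS name." }

    # The page's final check: users can still reach the site. A 401 here surfaces as an
    # exception in Windows PowerShell, so report it rather than treating it as success.
    try {
        $response = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
    } catch {
        throw "Request to $Url failed after enabling Kerberos: $($_.Exception.Message)"
    }
    if ($response.StatusCode -ne 200) { throw "Site returned HTTP $($response.StatusCode)." }
    Write-Output "Kerberos ticket for $Spn obtained and $Url answered with HTTP 200."
}

Register-SharePointSpn -Spn $spn -Account $ServiceAccount
Enable-SharePointKerberos -Url $WebAppUrl -ZoneName $Zone
# After reprovisioning finishes, dot-source this file on a client and run:
#   Test-SharePointKerberos -Spn $spn -Url $WebAppUrl
```

The duplicate check before `setspn -S` is the part worth keeping even if you do the rest by hand: `setspn -Q` names the account that already holds the SPN, which `setspn -S` does not tell you when it refuses the add. Keep the test function for the "ensure users can still access" step; a missing ticket points at the SPN or DNS name, while a ticket plus a failed request points at the web application zone settings.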