Configure a SharePoint SPN and enable Kerberos

Configure a SharePoint Service Principal Name (SPN) and configure SharePoint as an Access Gateway Kerberos application.

SharePoint must use a dedicated service account, not the Active Directory administrator account, which shouldn't be used for configuration.

The following example uses sharepoint.atko.biz as the SharePoint FQDN and MYDOMAIN\spadmin as the service account.

  1. Set the Service Principal Name for the service account. The following command must be run by a user with Active Directory Domain Admin rights. It can be run on any computer in the domain and doesn't require being logged in to a Domain Controller.

    General setspn command to set the SPN for the service account:

        setspn -U -S HTTP/<SPN> <DOMAIN>\spadmin

    Where:

    -U: Specifies that the target account (<DOMAIN>\spadmin) is a user account rather than a computer account.

    -S <SPN>: Adds the specified SPN to that account, after verifying that no duplicate SPN exists in the domain.

    Example setspn command:

        setspn -U -S HTTP/sharepoint.atko.biz MYDOMAIN\spadmin
  2. Connect to the SharePoint Central Administration service and log in as SharePoint Admin.
  3. Go to Central Administration > Manage web applications.
  4. Select the proper SharePoint web application instance, typically SharePoint - 80.
  5. In the Ribbon click Authentication.
  6. Select the proper Zone - typically Default.
  7. Scroll to the Claims Authentication and Types section.
  8. Select Negotiate (Kerberos).
  9. Click Save.
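The following PowerShell script is an added verification aid, not part of the original procedure. It checks the outcome of step 1 (the SPN is registered on the service account and on no other object, since a duplicate SPN makes the KDC unable to issue a usable ticket and clients fall back to NTLM or fail) and, from a domain-joined client, confirms that a Kerberos service ticket is actually issued for the SPN once the web application has been reprovisioned. It assumes the RSAT ActiveDirectory module is installed and uses the example values from this page (HTTP/sharepoint.atko.biz and the spadmin account).

```powershell
# Added verification script (not from the original page). Assumes the RSAT
# ActiveDirectory module and the example SPN / service account used above.
Import-Module ActiveDirectory

$Spn            = 'HTTP/sharepoint.atko.biz'
$ServiceAccount = 'spadmin'   # sAMAccountName of MYDOMAIN\spadmin

# 1. Confirm the SPN is registered on the intended service account (result of step 1).
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
if ($account.servicePrincipalName -contains $Spn) {
    Write-Output "OK: $Spn is registered on $ServiceAccount"
} else {
    Write-Warning "$Spn is NOT registered on $ServiceAccount; rerun the setspn command from step 1"
}

# 2. Confirm no other user or computer object holds the same SPN. setspn -S refuses
#    duplicates at registration time, but an SPN added later with setspn -A (or by
#    another admin) can still collide, so check the whole domain.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
$others  = $holders | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }
if ($others) {
    Write-Warning "Duplicate SPN $Spn also found on: $($others.DistinguishedName -join '; ')"
} else {
    Write-Output "OK: $Spn is unique in the domain"
}

# 3. From a domain-joined client, after the web application has been reprovisioned,
#    request a service ticket for the SPN and confirm the KDC issued one. A missing
#    ticket means browsers will negotiate NTLM or fail, despite the Kerberos setting in step 8.
klist get $Spn | Out-Null
$ticket = klist | Select-String -SimpleMatch "Server: $Spn"
if ($ticket) {
    Write-Output "OK: Kerberos service ticket obtained for $Spn"
} else {
    Write-Warning "No Kerberos ticket for $Spn; check the DNS name, the SPN, and the client's intranet-zone settings"
}
```

Run checks 1 and 2 as a domain admin on any domain-joined machine; run check 3 as a normal domain user on a client that will access SharePoint.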

The SharePoint application is reprovisioned on all SharePoint servers hosting the application. This causes a brief disruption in service.

Ensure that users can still access the SharePoint instance after service resumes.