Configure a SharePoint SPN and enable Kerberos

Configure a SharePoint Service Principle Name (SPN) and configure SharePoint as an Access Gateway Kerberos application.

SharePoint must use a defined service account, not the Active Directory administrator account, which shouldn't be used for configuration.

The following example uses as the SharePoint FQDN and MYDOMAIN\spadmin as the service account.

  1. Set the SPN on a machine. The following command must be run by a user with Active Directory Domain Admin rights. It can be run on any computer in the domain and it doesn't require being logged in to a Domain Controller.

    General setspn command to set the SPN for a machine
    setspn -U -S HTTP/<SPN> <DOMAIN>\spadmin
    • -U specifies that <SPN> is a user account.
    • -S <SPN> adds the specified SPN for the computer, after verifying that no duplicates exist.
    Example setspn command
    setspn -U -S HTTP/ MYDOMAIN\spadmin
  2. Connect to the SharePoint Central Administration service and sign in as SharePoint Admin.
  3. Go to Central Administration > Manage web applications.
  4. Select the SharePoint web application instance, typically SharePoint - 80.
  5. Click Authentication.
  6. Select the Zone, typically Default.
  7. Scroll to the Claims Authentication and Types section.
  8. Select Negotiate (Kerberos).
  9. Click Save.

The SharePoint application is reprovisioned on all SharePoint servers hosting the application. This causes a brief disruption in service.

Verify that users can still access the SharePoint instance after service resumes.