Configure a SharePoint SPN and enable Kerberos
Configure a SharePoint Service Principle Name (SPN) and configure SharePoint as an Access Gateway Kerberos application.
SharePoint must use a defined service account, not the Active Directory administrator account, which shouldn't be used for configuration.
The following example uses sharepoint.atko.biz as the SharePoint FQDN and MYDOMAIN\spadmin as the service account.
-
Set the SPN on a machine. The following command must be run by a user with Active Directory Domain Admin rights. It can be run on any computer in the domain and it doesn't require being logged in to a Domain Controller.
setspn -U -S HTTP/<SPN> <DOMAIN>\spadmin-
-Uspecifies that<SPN>is a user account. -
-S <SPN>adds the specified SPN for the computer, after verifying that no duplicates exist.
setspn -U -S HTTP/sharepoint.atko.biz MYDOMAIN\spadmin -
- Connect to the SharePoint Central Administration service and sign in as SharePoint Admin.
- Go to .
- Select the SharePoint web application instance, typically
SharePoint - 80. - Click Authentication.
- Select the Zone, typically Default.
- Scroll to the Claims Authentication and Types section.
- Select Negotiate (Kerberos).
- Click Save.
The SharePoint application is reprovisioned on all SharePoint servers hosting the application. This causes a brief disruption in service.
Verify that users can still access the SharePoint instance after service resumes.
Next steps