SharePoint 2010 and Kerberos configuration

Before starting Kerberos configuration in your SharePoint 2010 environment, I recommend reviewing the following articles:

http://download.microsoft.com/download/B/B/F/BBF0C6F3-6E36-4979-8C43-DE165AD7AE34/SP2010%20Kerberos%20Guide.docx Configure Kerberos Authentication for SharePoint 2010 Products

http://technet.microsoft.com/en-us/library/gg502602(v=office.14).aspx Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

http://support.microsoft.com/kb/2722087 How to configure Claim to Windows Token Services in SharePoint 2010 with Kerberos Authentication

http://msdn.microsoft.com/en-us/library/hh231678.aspx Claims to Windows Token Service (C2WTS)

Remarks:

  1. To start the Claims to Windows Token Service, use SharePoint Central Administration and not Windows Services (Central Admin -> System Settings -> Manage services on server).
  2. To change the C2WTS service account, use SharePoint Central Administration and not Windows Services (Central Admin -> Security -> Configure service accounts).

  3. Before crawling a web application that is configured with Kerberos, check the following article:

    http://technet.microsoft.com/en-us/library/cc298559(v=office.12).aspx Configure Kerberos-authenticated sites for crawling

Solution 1: Create a Web application that uses Kerberos for authentication in the Default zone and configure it to use a standard port (TCP port 80 (HTTP) and SSL port 443 (HTTPS)). This is the preferred solution because users who authenticate by using Kerberos do not need to specify a port number in the URL of their sites. If you cannot deploy this solution, use Solution 2.
Solution 2: Create a Web application that uses NTLM authentication and then extend the Web application to use Kerberos authentication in the second zone. In this way, the crawler can crawl the content in the default zone by using NTLM authentication. Deploy this solution if you cannot use Kerberos authentication on a standard port.
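
Solution 2 scripted for a classic-mode web application, as an added example that is not part of the original post or of the linked Microsoft articles. The web application name, URLs, port 8080, application pool name and service account are placeholder assumptions, and the SPNs for the application pool account are assumed to be registered already as the guides above describe.

```powershell
# Added example: Solution 2 (NTLM in the Default zone, Kerberos in a second zone).
# Run in the SharePoint 2010 Management Shell as a farm administrator.
# Every name, URL, port and account below is a placeholder (assumption).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$defaultUrl  = "http://portal.contoso.example"        # crawled zone, standard port
$kerberosUrl = "http://portal.contoso.example:8080"   # user zone, non-standard port
$poolAccount = Get-SPManagedAccount "CONTOSO\svc-portal-pool"

# Default zone: NTLM, so the crawler can authenticate against it.
$wa = New-SPWebApplication -Name "Portal" -Url $defaultUrl -Port 80 `
    -ApplicationPool "PortalAppPool" -ApplicationPoolAccount $poolAccount `
    -AuthenticationMethod NTLM

# Second zone: extend the same web application with Kerberos.
New-SPWebApplicationExtension -Identity $wa -Name "Portal (Kerberos)" `
    -Zone Intranet -Url $kerberosUrl -Port 8080 -AuthenticationMethod Kerberos

# Check: list what each zone is configured to offer, so an extension that
# silently stayed on NTLM is caught before users are pointed at it.
$wa = Get-SPWebApplication $defaultUrl
foreach ($zone in $wa.IisSettings.Keys) {
    $settings = $wa.IisSettings[$zone]
    $auth = if ($settings.DisableKerberos) { "NTLM" } else { "Kerberos (Negotiate)" }
    "{0,-10} {1}" -f $zone, $auth
}

# The public URL registered for each zone.
Get-SPAlternateURL -WebApplication $wa | Select-Object Zone, IncomingUrl
```

The content source for the crawler should point at the Default zone URL, while users are given the URL of the Kerberos zone.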

Thank you for reading this post.