I recently had a colleague ask me about Kerberos authentication in SharePoint. They were attempting to get around the infamous NTLM double-hop issue. Below is the list of resources which I use when getting Kerberos working in SharePoint.
- Word Document with step by step instructions on how to setup Kerberos in SharePoint and SQL
- System Tray Utility that displays your current Kerberos tickets. It helps to make sure that you are actually logging in using Kerberos and not ntlm.
- This website is a good test tool for making sure your Kerberos is setup correctly. I turned off my SharePoint site and pointed the same url to this for a while to test and determine any Kerberos issues I was having.
- Some other instructions located here: http://blogs.technet.com/b/askds/archive/2008/11/25/fun-with-the-kerberos-delegation-web-site.aspx
- This proxy based packet sniffer is absolutely fantastic for troubleshooting authentication and other SharePoint/website issues. It will also decrypt HTTPS traffic if you enable it in the settings and add the cert.
- If fiddler2 isn’t showing you everything this low level packet sniffer will show you everything but it NOT decrypt HTTPS traffic.
It may be included in the documentation above but if you are publishing SharePoint externally through your firewall you will need to open a few ports on your firewall to point to your AD domain controllers.
Also, with SharePoint 2013, claims based authentication is the preferred authentication mechanism. SP 2013 does include a nice authentication system called windows claims which will work with NTLM and Kerberos but if you are running any custom code in SharePoint, you might need to change it to work correctly with claims auth.