Kerberos Flow

Posted by Joseph McGurkin on 10/1/2013

Security Requirements

Kerberos is the most secure Integrated Windows authentication protocol and supports advanced security features including Advanced Encryption Standard (AES) encryption and mutual authentication. The main advantage of Kerberos over NTLM or forms-based authentication is the ability for a user’s identity to securely traverse multiple servers without requiring a re-key of the user’s credentials. This concept is referred to as single sign-on: login once to access everything. A secondary advantage is speed. Authenticating connections with Kerberos tokens is considerably faster than other methods.

Kerberos Advantages

  1. Most secure
  2. Enables delegation
  3. Open protocol
  4. Least amount of network traffic

Kerberos Disadvantages

  1. Extra configuration steps are required on the Central Administration server and in the domain’s DNS, see the section Kerberos Implementation for details. NTLM can be implemented and later switched over to Kerberos. This would be advantageous if there are possible delays in the Kerberos prerequisites.
  2. Final URL’s must be determined before Kerberos can be implemented on the SharePoint site.

Kerberos Flow

The diagram below depicts a typical Kerberos flow.

Kerberos Flow Diagram

  1. User navigates to http://www.site.com without a ticket
  2. User is automatically redirected to KDC for a ticket.
  3. User authenticates with KDC/AD
  4. KDC issues a ticket for use on web application and automatically redirects user back to application
  5. User now has access to site
  6. Ticket is reused via delegation to access backend services without new communications with KDC or AD

Kerberos Implementation

This section describes the steps required to implement Kerberos on a SharePoint site. It assumes the steps will be implemented by someone with DNS, load balancing and SharePoint experience.

  1. For this example, the site will have an internal URL of portal.domain.com and the service account used in the SharePoint application pool for the IIS web will be corp\svc-sp2010-webpool-d
  2. Create a load balanced IP for the web front end servers
  3. Open DNS snap in
  4. Create a host (A) record for the load balanced IP address with the fully qualified domain name
  5. On the Central Administration server, create an SPN for corp\svc-sp2010-webpool-d for portal.domain.com by executing the following command:

    setspn –s HTTP/portal.domain.com "corp\svc-sp2010-webpool-d"
  6. Grant delegation privileges to the service account (needed only once per account)

    1. Open Active Directory Users and Computers snap in
    2. Open the properties window for corp\svc-sp2010-webpool-d
    3. Click the Delegation tab
    4. Select “Trust this computer for delegation to any service (Kerberos only)”
  7. Create the SharePoint application using a host header of portal.domain.com
  8. Testing Kerberos
  9. On a client machine, launch a command window

    1. Execute the following to clear existing Kerberos tickets:

      klist purge
    2. Browse to portal.domain.com
    3. Execute the following to view new Kerberos tickets:

      klist
    4. Validate that the cached tickets count is greater than 0

Converting to Kerberos

  1. Perform steps 1 – 6 in the section Kerberos Implementation
  2. Go to SharePoint Central Administration -> Manage Web Applications
  3. Select the desired web application
  4. In the ribbon, click Authentication Providers
  5. Click the zone
  6. Scroll down to Integrated Windows Authentication
  7. Change NTLM to Kerberos
  8. Click Save
  9. Do an IIS reset
  10. Test Kerberos by performing step 8 in the section Kerberos Implementation