Objective: Configure SharePoint with Kerberos Constrained Delegation
Configure SharePoint Web Application
Go to Central Administration > Web Applications > Select your web application > Click on Authentication Providers > Click on Default Zone
Set the Integrated Windows authentication to Negotiate (Kerberos)
Configure Alternate Access Mappings
Add an Internal URL in the Default Zone. This is optional whee the purpose is to map the Application Proxy to an internal URL which is not internet routable. In this case, the internal URL is http://spfarm-sp.contoso.com
Kerberos Constrained Delegation
“Kerberos constrained delegation restricts the services to which the specified server can act on the behalf of a user”
Service Principal Name
A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN
Find the service account running the web application pool for your site.
Central Administration > Security
contoso\sp_farm is the service account.
setspn -l http/rksp.eastus.cloudapp.azure.com contoso\sp_farm
setspn -l sp_farm
Login as administrator to the Active Directory Domain Controller server.
Click Users or Computers…
Find the service account contoso\sp_farm
Select and click OK
Since my farm topology has SQL Server DB on another virtual machine, we need to repeat these steps
setspn -S http/SPFARM-SQL.contoso.com contoso\sqlservice setspn -S http/SPFARM-SQL contoso\sqlservice setspn -L contoso\sqlservice
To verify go to a domain-joined computer that is a non-SharePoint server, in my case, I just logged into the AD server.
- Go to SharePoint site URL and login
- In command prompt, run klist command
- Verify there is a cached ticket with HTTP/rksp.eastus.cloudapp.azure.com