Azure AD Application Proxy with a Claims Aware Web App – Part 2

Objective: Configure SharePoint with Kerberos Constrained Delegation

Configure SharePoint Web Application

Go to Central Administration > Web Applications > Select your web application > Click on Authentication Providers > Click on Default Zone

Set Integrated Windows authentication to Negotiate (Kerberos).


Configure Alternate Access Mappings

Add an Internal URL in the Default Zone. This is optional; its purpose is to map the Application Proxy to an internal URL that is not internet routable. In this case, the internal URL is http://spfarm-sp.contoso.com.


Kerberos Configuration

Kerberos Constrained Delegation

Kerberos constrained delegation restricts the services to which the specified server can act on the behalf of a user.

https://technet.microsoft.com/en-us/library/jj553400%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

Service Principal Name

A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN.

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx#SPN_Purpose

Find the service account running the web application pool for your site.

Central Administration > Security


contoso\sp_farm is the service account.

SetSPN command

Register the HTTP SPN for the external Application Proxy hostname on the web application pool account. The -S switch checks the forest for an existing duplicate before adding (a duplicate SPN breaks Kerberos for that host):

setspn -S http/rksp.eastus.cloudapp.azure.com contoso\sp_farm

List the SPNs now registered on the account to confirm:

setspn -l sp_farm

Log in as an administrator to the Active Directory domain controller.

Click Users or Computers…

Find the service account contoso\sp_farm


Select and click OK

Since my farm topology has the SQL Server DB on another virtual machine, we need to repeat these steps:

setspn -S http/SPFARM-SQL.contoso.com contoso\sqlservice
setspn -S http/SPFARM-SQL contoso\sqlservice
setspn -L contoso\sqlservice


To verify, go to a domain-joined computer that is not a SharePoint server; in my case, I just logged into the AD server.

  • Go to the SharePoint site URL and log in
  • In a command prompt, run the klist command
  • Verify there is a cached ticket for HTTP/rksp.eastus.cloudapp.azure.com
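As an added check (example code, not part of the original post), the PowerShell below verifies what the steps above set up: each SPN is registered exactly once, the delegating account is constrained to the SharePoint HTTP SPN with protocol transition rather than unconstrained, and klist holds a service ticket. It requires the RSAT ActiveDirectory module; the post does not name the account whose Delegation tab was edited, so $Delegator is a placeholder you must replace.

```powershell
# Added verification script, not from the original post. Run as a domain user that
# can read AD, with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$WebAppSpn = 'http/rksp.eastus.cloudapp.azure.com'            # SPN registered in the post
$AllSpns   = @($WebAppSpn, 'http/SPFARM-SQL.contoso.com', 'http/SPFARM-SQL')
$Delegator = 'APPPROXY-CONNECTOR$'   # PLACEHOLDER: sAMAccountName of the delegating account
                                     # ('$' suffix when it is a computer account)

# 1. Every SPN must be held by exactly one account. A duplicate means the KDC cannot
#    choose a key, and clients fail or silently fall back to NTLM.
foreach ($spn in $AllSpns) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    switch ($holders.Count) {
        0       { Write-Warning "MISSING:   $spn is not registered on any account" }
        1       { Write-Output  "OK:        $spn -> $($holders[0].Name)" }
        default { Write-Warning "DUPLICATE: $spn is on $($holders.Name -join ', ')" }
    }
}

# 2. Delegation must be constrained to the SharePoint HTTP SPN, never unconstrained.
#    userAccountControl bits: 0x80000 = unconstrained, 0x1000000 = protocol transition.
$obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Delegator)" `
                    -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
if (-not $obj) { throw "Delegating account $Delegator not found" }
$uac = [int]$obj.userAccountControl
if ($uac -band 0x80000) {
    Write-Warning "$Delegator has UNCONSTRAINED delegation; use 'specified services only'"
}
$targets = @($obj.'msDS-AllowedToDelegateTo')
if ($targets -contains $WebAppSpn) {          # -contains is case-insensitive
    Write-Output "OK:        $Delegator may delegate to $WebAppSpn"
} else {
    Write-Warning "MISSING:   $WebAppSpn not in delegation list of $Delegator ($($targets -join ', '))"
}
# Application Proxy pre-authenticates the user with Azure AD, so the delegating
# account needs protocol transition ('Use any authentication protocol').
if (-not ($uac -band 0x1000000)) {
    Write-Warning "$Delegator lacks protocol transition (TrustedToAuthForDelegation)"
}

# 3. After browsing the site from this domain-joined client, the ticket cache should
#    hold a service ticket for the SPN (the manual klist step in the post).
if (klist | Select-String -Pattern ([regex]::Escape($WebAppSpn)) -Quiet) {
    Write-Output "OK:        klist shows a cached ticket for $WebAppSpn"
} else {
    Write-Warning "No cached service ticket for $WebAppSpn (browse the site first)"
}
```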


Next: Azure AD Azure Application Proxy with a Claims Aware Web App – Part 3
