Implement Kerberos authentication in SharePoint 2013

We are building a new SharePoint 2013 environment with Kerberos authentication. I have been looking for a Microsoft-provided document which can be considered for planning this implementation. I am new to Kerberos and so far understand that I need to involve a Domain admin along with the SharePoint admin to implement this. However, I need to provide clear-cut steps to both parties.
Also, as this is a development environment we are building, do I need to plan for a hostname, public IP etc.?
Thanks, Bivsworld

There is a lot of information here:
http://technet.microsoft.com/en-us/library/ee806870(v=office.15).aspx
Most of it boils down to simply this:
Register the SPN to the user account running the service, e.g. the user running the SQL Server service would have the SQL SPN registered:
setspn -A MSSQLSvc/sqlserver.company.com:1433 domain\s-sqlserveruser
setspn -A MSSQLSvc/sqlserver:1433 domain\s-sqlserveruser
For a SharePoint Web Application (regardless if it is SSL or not):
setspn -A HTTP/webAppUrl.company.com domain\s-webapppooluser
And so on. It becomes more complex if you need to implement delegation, or if you have users in multiple domains, or cross forest (as constrained delegation does not work cross-domain, and no type of delegation works cross-forest). In addition, Kerberos
does not work across the Internet (as clients cannot contact the KDC to get a Kerberos ticket).
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
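
The SPN registrations in the answer above can be checked before and after running setspn. The following is an added example, not code from the thread: it compares a planned SPN-to-account mapping with what the directory holds and flags missing, misassigned and duplicated SPNs (a duplicated SPN makes Kerberos fail for that service, and clients typically fall back to NTLM). The directory contents and the `WEBSERVER01$` account are constructed assumptions; `Test-SpnPlan`, `$SampleLookup` and `$AdLookup` are names introduced here.

```powershell
# Added example, not from the thread. Directory contents are constructed sample data.

# Planned registrations (SPN -> account), using the names from the answer above.
$Plan = [ordered]@{
    'MSSQLSvc/sqlserver.company.com:1433' = 's-sqlserveruser'
    'MSSQLSvc/sqlserver:1433'             = 's-sqlserveruser'
    'HTTP/webAppUrl.company.com'          = 's-webapppooluser'
}

# Constructed directory state: SPN -> accounts currently holding it.
# WEBSERVER01$ is a hypothetical machine account that also carries the HTTP SPN.
$SampleDirectory = @{
    'MSSQLSvc/sqlserver.company.com:1433' = @('s-sqlserveruser')
    'HTTP/webAppUrl.company.com'          = @('s-webapppooluser', 'WEBSERVER01$')
}

# Offline lookup against the sample data; returns nothing for an unknown SPN.
$SampleLookup = {
    param([string] $Spn)
    @($SampleDirectory[$Spn]) | Where-Object { $_ }
}

# Live lookup for a domain-joined machine: every account in the current
# domain whose servicePrincipalName attribute contains the SPN.
$AdLookup = {
    param([string] $Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

function Test-SpnPlan {
    param(
        [Parameter(Mandatory = $true)] [System.Collections.IDictionary] $Plan,
        [Parameter(Mandatory = $true)] [scriptblock] $Lookup
    )
    foreach ($spn in $Plan.Keys) {
        $expected = $Plan[$spn]
        $holders  = @(& $Lookup $spn)      # accounts that currently hold this SPN

        if ($holders.Count -eq 0) {
            $status = 'Missing'            # not registered yet
        } elseif ($holders.Count -gt 1) {
            $status = 'Duplicate'          # the KDC cannot pick a single account
        } elseif ($holders[0] -ne $expected) {
            $status = 'WrongAccount'       # registered, but not to the service identity
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Spn      = $spn
            Expected = $expected
            Holders  = ($holders -join ', ')
            Status   = $status
        }
    }
}

# Run against the sample data; pass $AdLookup instead to query the domain.
Test-SpnPlan -Plan $Plan -Lookup $SampleLookup | Format-Table -AutoSize
```

`setspn -S`, used later on this page, performs the duplicate check at registration time, whereas `setspn -A` registers the SPN without checking.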

Similar Messages

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a single server.
      1. Installed SQL Server 2012 (Developer version).
          Selected only the following features:
          - Database Engine Services
          - Analysis Services
          - Reporting Services – SharePoint
          - Reporting Services Add-in for SharePoint Products
          - Management Tools – Basic
          - Management Tools - Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs).
          The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
    account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
      11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
      12. Created a Site.
      13. Created a Data Connection library with “Report Data Source” content type.
      14. Created a Report Model library with “Report Builder Model” content type.
      15. Created a Report library with “Report Builder Report” content type.
      16. Uploaded an SMDL to the Report Model library.
      17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
      18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
      1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
      2. Set up the following SPNs.
          a) SQL Server Database Engine service (sqlDbSrv2):
              setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
              setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
              In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
          b) Account: SharePoint Setup Admin account (spAdmin2)
              setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
              setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
              In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
          c) Account: SQL Server Reporting Service account (sqlRepSrv2)
              setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
              setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
              In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
      3. Configure the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
         The Event Viewer logged the login process for the SharePoint Administration account as
    Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client.
         Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
      6. Turn on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error
    “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
          Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
          Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
          When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
    added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
          Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
          For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
    any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
          Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
           For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
           The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
    authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again.
           Got the error
    “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check 
    http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/
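
The setup in the post above leaves service accounts with three different delegation settings. The following is an added example, not code from the thread: it classifies accounts by the `userAccountControl` flags and `msDS-AllowedToDelegateTo` values that the Delegation tab options write, so the unconstrained ("any service") accounts can be found and reviewed. The account records are constructed to match the post; `oracle/<oracle-host>` is a placeholder because the post does not give the Oracle service's SPN; `Get-DelegationFinding` and `$AdQuery` are names introduced here.

```powershell
# Added example, not from the thread. Account records are constructed to
# match the delegation settings described in the post above.

$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
$NORMAL_ACCOUNT                 = 0x200

# 'oracle/<oracle-host>' is a placeholder SPN, not a value from the post.
$SampleAccounts = @(
    [pscustomobject]@{ Name = 'sqlDbSrv2'
                       UserAccountControl  = ($NORMAL_ACCOUNT -bor $TRUSTED_FOR_DELEGATION)
                       AllowedToDelegateTo = @() }
    [pscustomobject]@{ Name = 'spAdmin2'
                       UserAccountControl  = ($NORMAL_ACCOUNT -bor $TRUSTED_FOR_DELEGATION)
                       AllowedToDelegateTo = @() }
    [pscustomobject]@{ Name = 'sqlRepSrv2'
                       UserAccountControl  = ($NORMAL_ACCOUNT -bor $TRUSTED_TO_AUTH_FOR_DELEGATION)
                       AllowedToDelegateTo = @('oracle/<oracle-host>') }
    [pscustomobject]@{ Name = 'spC2WTS2'
                       UserAccountControl  = ($NORMAL_ACCOUNT -bor $TRUSTED_TO_AUTH_FOR_DELEGATION)
                       AllowedToDelegateTo = @('oracle/<oracle-host>') }
)

# Live query for a domain-joined machine: user accounts in the current domain
# that are trusted for unconstrained delegation or have a delegation target list.
$AdQuery = {
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*)))'
    ([adsisearcher]$filter).FindAll() | ForEach-Object {
        [pscustomobject]@{
            Name                = [string]$_.Properties['samaccountname'][0]
            UserAccountControl  = [int]$_.Properties['useraccountcontrol'][0]
            AllowedToDelegateTo = @($_.Properties['msds-allowedtodelegateto'])
        }
    }
}

function Get-DelegationFinding {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Account)
    process {
        $uac     = [int]$Account.UserAccountControl
        $targets = @($Account.AllowedToDelegateTo | Where-Object { $_ })

        if ($uac -band $TRUSTED_FOR_DELEGATION) {
            # The service receives each caller's forwarded TGT and can act as that
            # caller against any service in the domain.
            $mode   = 'Unconstrained'
            $review = 'Replace with constrained delegation to the back-end SPNs actually needed'
        } elseif (($targets.Count -gt 0) -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
            # The account can obtain tickets to the listed services for any user,
            # without that user having authenticated with Kerberos.
            $mode   = 'Constrained, any protocol'
            $review = 'Keep the target list to the services in use; protect this account like an admin account'
        } elseif ($targets.Count -gt 0) {
            $mode   = 'Constrained, Kerberos only'
            $review = 'Confirm each target SPN is still in use'
        } else {
            $mode   = 'None'
            $review = ''
        }

        [pscustomobject]@{
            Account = $Account.Name
            Mode    = $mode
            Targets = ($targets -join ', ')
            Review  = $review
        }
    }
}

# Run against the sample data; use (& $AdQuery) instead to audit the domain.
$SampleAccounts | Get-DelegationFinding | Format-Table -AutoSize -Wrap
```

Privileged accounts can be excluded from all of these delegation paths by setting "Account is sensitive and cannot be delegated" on them.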

  • How many types of authentications in sharepoint and how to implement those authentication in sharepoint?

    Hi All,
    How many types of authentications in sharepoint and how to implement those authentication in sharepoint?
    can any one explain the above things with examples?
    Thanks in Advance!

    In addition to
    A Sai Gunaranjan you can also check this URL for Sharepoint 2010:
    http://technet.microsoft.com/en-us/library/cc288475(v=office.14).aspx
    http://www.codeproject.com/Tips/382312/SharePoint-2010-Form-Based-Authentication
    ***If my post is answer for your query please mark as answer***
    ***If my answer is helpful please vote***

  • Clientside authentication in sharepoint 2013 using spservices

    Hi,
    Can anyone give me solution for Clientside authentication  in sharepoint 2013 using spservices 

    Hi Dennis,
    I want to check credentials for the user dynamically in Client object Model or spservices. I know that we can pass username and password through Network credentials using Client object Model, but I passed them statically (username, password).
    Do you have any solution regarding this?
    Please provide me any links or solution for this problem.

  • Form Based Authentication in SharePoint 2013: Getting The remote server returned an error: (500) Internal Server Error

    Hi
     I configured forms based authentication mode in Sharepoint 2013 site. When i tried to log in with windows authentication prompt it throws the following error
    The remote server returned an error: (500) Internal Server Error
    [WebException: The remote server returned an error: (500) Internal Server Error.] System.Net.HttpWebRequest.GetResponse() +8548300 System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +111 [ProtocolException:
    The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first
    1024 bytes of the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    How to fix this issue?
    Regards,
    Siva

    Did you create a new web application or modify an existing web application?
    I would start by checking the ULS logs, maybe there is an incorrect setting within one of the web.config files, or SQL permissions.
    Also, as suggested above, check application pools are running.
    This blog post is a great guide for setting up FBA, check it through to make sure you haven't missed any steps:
    http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

  • Forms based authentication in sharepoint 2013 using custom membership provider

    I am developing  FBA  for SP2013 using custom membership provider using the following link 
    http://benredl.wordpress.com/2012/10/03/creating-forms-based-authentication-and-user-profiles-in-sharepoint-2013-using-custom-membership-and-role-providers-and-a-custom-user-profile-synchronization-utility/
    the feature i am trying to develop is that the user is created using a homegrown asp.net  application which uses sql server 
    and then When that user goes to SP2013 he should be able to login with the username and password created using the homegrown asp.net application 
    my questions are following 
    If I follow the article in the link should i be taking the assembly(dll) and deploying it to GAC or will VS2013 automatically do it
    Do I have to implement  FindUserByEmail and FindUserByName methods ?
    if the connectionstring for an asp.net application is in the web.config file  where would the connection for the sqlserver go if this application is for SharePoint 
    TIA

    Hi TIA,
    try this it contains the code for you and it is ready
    http://sharepoint2013fba.codeplex.com/
    Kind Regards, John Naguib Technical Consultant/Architect MCITP, MCPD, MCTS, MCT, TOGAF 9 Foundation

  • Migrate User from Classic mode to Forms Authentication in SharePoint 2013

    Hi All,
    I have upgraded a SharePoint 2010 classic mode site to SharePoint 2013 claims authentication. I have executed the command MgrateUser($true) and the user account is updated to Claims mode and I am able to login to the site.
    Now I have extended the site to use forms authentication against Active Directory. How do I update the accounts to Forms Authentication mode using PowerShell? Is there any command available?
    Thanks & Regards
    pankaj

    Okay, I would suggest instead to use Web Application Proxy and ADFS 3.0 (using an NTLM connection to SharePoint). This way you get your forms experience for those users who require it (or all, your choice) and you do not have to change anything with SharePoint.
    More info here: http://thesharepointfarm.com/2014/02/sharepoint-and-the-web-application-proxy-role/
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • How to implement news ticker in sharepoint 2013?

    Hi All,
    Please give me some guidance to implement news ticker webpart in sharepoint 2013.
    Thanks in advance.
    Phani kumar

    Take a look at this post. 
    http://www.sharepointnadeem.com/2011/09/news-ticker-webpart.html
    It was originally written for SP 2010. But the steps should be same for SP 2013.

  • Windows Authentication in sharepoint 2013

    Hi,
    I am trying to connect to a sharepoint site list and doing some operations on list Items. I did it successfully using the following code snippet. but by hard coding my userId and Password. Is there any way to achieve the same thing with out hard coding ?
    I mean getting my windows credentials and pass them to sharepoint. 
    string url = "https://siteurl";
    try
    {
        using (ClientContext clientContext = new ClientContext(url))
        {
            // Build a SecureString from the hard-coded password
            SecureString passWord = new SecureString();
            string userName = "[email protected]";
            string passWord2 = "xxxxxxxx";
            foreach (char c in passWord2.ToCharArray()) passWord.AppendChar(c);
            clientContext.Credentials = new SharePointOnlineCredentials(userName, passWord);
            CredentialCache obj = new CredentialCache();
            var ob = obj.GetCredential(new Uri(url), "User");
            Web web = clientContext.Web;
            Microsoft.SharePoint.Client.List list = clientContext.Web.Lists.GetByTitle("List");
            // Load the list's fields and print their internal names
            clientContext.Load(list.Fields);
            clientContext.ExecuteQuery();
            foreach (Microsoft.SharePoint.Client.Field field in list.Fields)
                Console.WriteLine(field.InternalName);
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("Caught Exception....");
    }
    for the above code its working fine.  Looking for another which uses my windows credential for updating/deleting the list.
    I tried using System.Net.CredentialCache.DefaultNetworkCredentials.
    But It returning a null object.
    Any help would be a great help. 
    MANIKANTA

    http://www.mavention.com/blog/inconvenient-excel-rest-services-anonymous-users
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Net;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Web;
    using Microsoft.BusinessData.Infrastructure.SecureStore;
    using Microsoft.Office.SecureStoreService.Server;
    using Microsoft.SharePoint;

    namespace Mavention.AnonymousExcelRestServices {
        [Guid("51dfb6a4-1460-4641-9727-fc1ce0e7c742")]
        public class Chart : IHttpHandler {
            string worksheet;
            string chart;
            string multiplyBy;
            CookieContainer cookies;
            CredentialCache credentialCache;

            #region IHttpHandler Members
            public bool IsReusable {
                get { return false; }
            }

            public void ProcessRequest(HttpContext context) {
                Authenticate(context);
            }
            #endregion

            // Signs in to the site with the stored account, then fetches the chart.
            private void Authenticate(HttpContext context) {
                cookies = new CookieContainer();
                string url = String.Format("{0}/_layouts/viewlsts.aspx",
                    SPContext.Current.Site.Url.TrimEnd('/'));
                HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
                request.Method = "GET";
                // request.Accept: the assigned value is missing from this copy of the code
                request.CookieContainer = cookies;
                string username = null;
                string domain = null;
                string password = null;
                GetCredentials(out username, out domain, out password);
                credentialCache = new CredentialCache();
                credentialCache.Add(new Uri(SPContext.Current.Site.Url), "NTLM",
                    new NetworkCredential(username, password, domain));
                request.Credentials = credentialCache;
                request.GetResponse();
                LoadChartImage();
            }

            // Requests the chart from the Excel REST service and writes it to the response as PNG.
            private void LoadChartImage() {
                InitiateVariables(HttpContext.Current);
                string url = String.Format("{0}/_vti_bin/ExcelRest.aspx/{1}/Model/Charts('{2}'){3}",
                    SPContext.Current.Site.Url.TrimEnd('/'),
                    worksheet,
                    chart,
                    !String.IsNullOrEmpty(multiplyBy) ? String.Format("?Ranges('MultiplyBy')={0}", multiplyBy) : String.Empty);
                HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url);
                request.Method = "GET";
                request.CookieContainer = cookies;
                request.Credentials = credentialCache;
                byte[] buffer = null;
                byte[] file = null;
                using (HttpWebResponse chartResponse = (HttpWebResponse)request.GetResponse()) {
                    using (BinaryReader br = new BinaryReader(chartResponse.GetResponseStream())) {
                        using (MemoryStream ms = new MemoryStream()) {
                            // Copy the response stream into memory in 1 KB chunks
                            buffer = br.ReadBytes(1024);
                            while (buffer.Length > 0) {
                                ms.Write(buffer, 0, buffer.Length);
                                buffer = br.ReadBytes(1024);
                            }
                            file = new byte[(int)ms.Length];
                            ms.Position = 0;
                            ms.Read(file, 0, file.Length);
                            ms.Close();
                            br.Close();
                        }
                    }
                    chartResponse.Close();
                }
                HttpContext.Current.Response.ContentType = "image/png";
                HttpContext.Current.Response.BinaryWrite(file);
            }

            // Reads the worksheet, chart and multiplier from the query string.
            private void InitiateVariables(HttpContext context) {
                worksheet = context.Request.QueryString["w"];
                chart = context.Request.QueryString["c"];
                multiplyBy = context.Request.QueryString["m"];
            }

            // Returns the account used for the server-side request (hard-coded in this sample).
            private static void GetCredentials(out string username, out string domain, out string password) {
                username = "waldek";
                domain = "win2008";
                password = "pass@word1";
            }
        }
    }
    Or
    http://sharepoint.stackexchange.com/questions/21947/how-to-fix-credential-issue
    If you're going to specify the password, I believe it has to be a secure string:
    $WS.Credentials = New-Object System.Net.NetworkCredential("USERNAME", (ConvertTo-SecureString "PASSWORD" -AsPlainText -Force))
    If you're specifying a domain, I believe it needs to be as a parameter, not as a fully qualified username:
    $WS.Credentials = New-Object System.Net.NetworkCredential("USERNAME", (ConvertTo-SecureString "PASSWORD" -AsPlainText -Force), "DOMAIN")
    See MSDN:
    http://msdn.microsoft.com/en-us/library/system.net.networkcredential.aspx
    If this helped you resolve your issue, please mark it Answered

  • Forms Authentication in Sharepoint 2013, _vti_bin/authentication.asmx error

    I'm getting this error when using CSOM in a FBA web application that is configured against a custom FBA provider. I'm getting this error when the site is configured for Forms; if I disable forms with Windows auth I can get the web URL. Probably it would be a configuration error, if anyone can help me...
    I'm getting the error when Forms is configured: Server was unable to process request. ---> Could not retrieve the IIS Settings. Parameter name: context
    Here is my CSOM code:
    using (ClientContext context = new ClientContext("http://10.34.116.35:41443"))
    {
        context.AuthenticationMode = ClientAuthenticationMode.FormsAuthentication;
        context.FormsAuthenticationLoginInfo = new FormsAuthenticationLoginInfo("carles", "test");
        Web web = context.Web;
        context.Load(web);
        // Sends the request; with forms authentication CSOM first calls _vti_bin/authentication.asmx
        context.ExecuteQuery();
        MessageBox.Show(web.Url);
    }
    Thanks

    Solved,  internally CSOM calls authentication.asmx webservice if FormsAuthentication is set ... this webservice was throwing the exception... testing the web service in the server login worked against my membership... has to be a silly thing and YES
    it was simply calling the api replacing the ip of the server with the host of the web application. Hope helps someone in the future. 

  • Kerberos authentication prompting for credentials in Sharepoint 2013

    Hello all,
    I think I’m a bit confused on what I should expect out of Kerberos and sharepoint.
    Following the steps located in
    http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/ , I’ve setup Kerberos in my Sharepoint 2013 environment. My hope was that configuring kerberos authentication would solve the issue of users being prompted for
    credentials when they access sharepoint. I know that one way to address this problem is to tweak the IE settings by adding the site to the local intranet or trusted zones, but am I wrong in thinking that Kerberos should also authenticate the user on to the
    site? Here’s my situation:
    Previously, I had our sharepoint URL in the trusted zone and had IE set to pass my credentials through, and that worked. After configuring Kerberos, I can see the tickets on my system using klist and the security log on our web front-end shows that I authenticated
    using Kerberos.
    However, if I then remove the sharepoint URL from the trusted zone in IE, I still get prompted for credentials. If I cancel the credential prompt, I get a 401 error and the security log on the server shows a NTLM login attempt.
    As soon as I put the URL back in the trusted zone, I can access the site and the server log shows a Kerberos authentication.
    Am I wrong in thinking that if Kerberos was working properly then I shouldn't need to have the URL in the trusted zone?
    Thanks
    Bill

    Thanks for the quick reply, Alex. At least it’s good to know it appears to be working as designed.
    Thanks again,
    Bill

  • Authentication Method in Sharepoint 2013

    Hello ,
    I have migrated a SharePoint 2010 site to SharePoint 2013 using the DB Attach method. Content DB was 100 % mount with error. I have ignored all the errors.
    But When Open SharePoint 2013 Site ,It is throwing access denied error . 
    Just wanted to know , before upgrading Content DB Is it required to upgrade Service Applications ? 
    How can I upgrade Service Application ??  

    Did you migrate your users from Classic mode to Claims mode?
    Migrate from classic-mode to claims-based authentication in SharePoint 2013
    You would also like to check the following thread with similar issue.
    Error:
    Access Denied on an upgraded content database from 2010 to sharepoint 2013 - claims based auth misery
    Amit

  • ISSUE Sharepoint 2013 databases for reporting services on the second server SQL 2012

    Hello,
    I have server A: Operating system windows 2012 standard, SQL server 2012 standard
    instance: Sharepoint contains data for sharepoint
    instance: Reporting should be contain databases for reporting
    Server B:
    Windows server 2012 standard contains installation Sharepoint 2013
    Sharepoint works (without reporting services), it is OK - databases are located on server A:
    My issue is:
    When I have installed reporting services on server B, I have already installed SQL server 2012 on server B, it works.
    I am able to create a report in report builder and place it into sharepoint.
    But I would like to use only one full SQL machine on server A:
    When I reconfigure reporting settings on server A in central administration - manage service applications,
    On the SQL server A in instance reporting , there is automatically created databases. It is no problem.
    But the first difference is, when I want to manage service aplication for reporting  in
    Provision Subscriptions and Alerts, there is information
    SQL Server Agent state cannot be determined
    When I want to create report in report builder, I have issue:
    server A-7380mw016\reporting it means server A with full SQL server:
    The Test of connection was successful
    Then I have clicked test connection
    I have received this screen with fail: Logon faild for user NT Authority\anonymous logon
    My account belongs to SQL admin on server A (A-7380mw016\reporting) I do not know it is not possible to create report, when it is possible to test connection in the first step and in the second step, there is problem...
    Please, can somebody help me?

    Hi,
    Since you are getting an Anonymous Logon error, it appears there may be a problem passing your credentials to the SQL Server Agent Service. This would indicate a Kerberos issue. See this thread for details:
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/46b7c773-6a77-435d-b471-cb9a6ec41c43/has-anyone-else-upgraded-reporting-services-to-denali-2012
    Microsoft Virtual Academy: Breakthrough Insights using SQL Server 2012 : Analysis Services and Credible, Consistent data (Module 2) - Configuring and Securing Complex BI Applications in a SharePoint 2010 Environment with Microsoft SQL Server 2012
    http://technet.microsoft.com/en-us/video/Video/hh858469
    Tips from the video:
    We are connecting to Reporting services using Kerberos when using Reporting Services in SharePoint integrated mode
    For the account using reporting services, we just need a dummy SPN. We go to Attribute editor tab in AD for RS account. And then we will be enabled with Delegation tab.
    In Delegation tab. If we are using claims to windows token, we need to use "Trust this user for delegation to specified services only"
    There you have 2 options: "Use Kerberos only": It means I only want to delegate in the situation where the service that is doing the delegation actually has the Kerberos ticket to start with
    "Use any authentication protocol" When we need protocol transition (like from NTLM to claims for intra farm communication)
    We need to delegate this to SQL server.
    Please check out these articles as well:
    How to configure SQL Reporting Services in SharePoint Server for Kerberos authentication
    http://support.microsoft.com/kb/2723587
    Configure Kerberos authentication (Office SharePoint Server)
    http://blogs.technet.com/b/mbiswas/archive/2009/07/10/configure-kerberos-authentication-office-sharepoint-server.aspx
    Thanks.
    Tracy Cai
    TechNet Community Support

  • Classic mode web application in SharePoint 2013 Error occurs

    While creating a Classic web application using PowerShell commands, the following error occurs:
    PS C:\Users\centraluser> New-SPWebApplication -Name "SharePoint - 100" -Applicat
    ionPool "SharePoint100" -AuthenticationMethod "NTLM" -ApplicationPoolAccount (Ge
    t-SPManagedAccount "wse\centraluser") -Port 100 -URL "http://w8-sp13-en"
    WARNING: The Windows Classic authentication method is deprecated in this
    release and the default behavior of this cmdlet, which creates Windows Classic
    based web application, is obsolete. It is recommended to use Claims
    authentication methods. You can create a web application that uses Claims
    authentication method by specifying the AuthenticationProvider parameter set in
     this cmdlet. Refer to the http://go.microsoft.com/fwlink/?LinkId=234549 site
    for more information. Please note that the default behavior of this cmdlet is
    expected to change in the future release to create a Claims authentication
    based web application instead of a Windows Classic based web application.
    log4net:ERROR XmlConfigurator: ConfigureFromXml called with null 'element' param
    eter
    log4net:ERROR XmlConfigurator: Failed to find configuration section 'log4net' in
     the application's .config file. Check your .config file for the <log4net> and <
    configSections> elements. The configuration section should look like: <section n
    ame="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler,log4net" /
    >
    New-SPWebApplication : Object reference not set to an instance of an object.
    At line:1 char:1
    + New-SPWebApplication -Name "SharePoint - 100" -ApplicationPool
    "SharePoint100" - ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~
        + CategoryInfo          : InvalidData: (Microsoft.Share...PWebApplication:
       SPCmdletNewSPWebApplication) [New-SPWebApplication], NullReferenceExceptio
      n
        + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPWeb
       Application
    PS C:\Users\centraluser>

    Use of classic mode authentication, also known as Windows classic authentication, is discouraged in SharePoint 2013 according to MSDN.
    Office Web Apps can be used only by SharePoint 2013 web applications that use claims-based authentication. Office Web Apps rendering and editing will not work on SharePoint 2013 web applications that use classic mode authentication. If you migrate SharePoint 2010 web applications that use classic mode authentication to SharePoint 2013, you must migrate them to claims-based authentication to allow them to work with Office Web Apps. For more information, see Use Office Web Apps with SharePoint 2013.
    I would suggest creating a claims-based web application. Is there any specific reason you are looking for Classic mode?
    Raghavendra Shanbhag | Blog: www.SharePointColumn.com
    Please click "Propose As Answer " if a post solves your problem or "Vote As Helpful" if a post has been useful to you.
    Disclaimer: This posting is provided "AS IS" with no warranties.
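
The claims-based creation that the cmdlet warning and the reply above point to, as an added example that is not part of the original thread. It reuses the names from the failing command in the question; choosing Negotiate (Kerberos) rather than NTLM is an assumption, and nothing here is claimed to resolve the NullReferenceException shown.

```powershell
# Added example; values are reused from the command in the question above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url      = "http://w8-sp13-en"
$port     = 100
$poolAcct = "wse\centraluser"

# Windows claims provider. Omitting -DisableKerberos selects Negotiate
# (Kerberos, with NTLM as fallback); adding -DisableKerberos selects NTLM only.
$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Passing -AuthenticationProvider is what makes the web application
# claims-based instead of the deprecated Windows Classic mode.
$wa = New-SPWebApplication -Name "SharePoint - 100" `
    -ApplicationPool "SharePoint100" `
    -ApplicationPoolAccount (Get-SPManagedAccount $poolAcct) `
    -Port $port -URL $url `
    -AuthenticationProvider $ap

# Confirm what was actually configured on the Default zone.
$provider = Get-SPAuthenticationProvider -WebApplication $wa -Zone Default
[pscustomobject]@{
    Claims          = $wa.UseClaimsAuthentication
    WindowsAuth     = $provider.UseWindowsIntegratedAuthentication
    KerberosAllowed = -not $provider.DisableKerberos
}

# Kerberos needs the HTTP SPN for the host name registered to the application
# pool account; without it, clients typically end up on NTLM.
$spn        = "HTTP/" + ([uri]$url).Host
$registered = setspn -L $poolAcct | ForEach-Object { $_.Trim() }
if ($registered -notcontains $spn) {
    # -S checks for duplicates before adding; run by a domain admin.
    Write-Warning "$spn is not registered to $poolAcct. Add it with: setspn -S $spn $poolAcct"
}
```

Run it from the SharePoint 2013 Management Shell as a farm administrator; the SPN check only reads the directory and changes nothing.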

  • Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.

    Dear All,
    Kindly help with implementing Kerberos authentication on a CRM application in a multiple-forest environment. My environment details are as below:
    Number of forests: 2
    1. First is with name of domain1.local
    2. Second is with name of domain2.local
    Trust Level: One Way trust from domain1 and domain2.
    CRM Farm Details:
    1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
    2.  1 SQL Server (CRMSQL-01.domain1.local)
    3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
    4. CRM site url: http://mscrminternal.domain.local/MSORG1
    *I have successfully configured Kerberos authentication, and everything works fine when users of domain1 try to access the site.
    But when I tried access for users of domain2, I get the following error:
    HTTP Error 401 - Unauthorized: Access denied.
    *If I switch to NTLM, I can access the CRM site for domain2 and domain1 users without any issue.
    I read an MS article saying Kerberos delegation can be established if a one-way forest trust is present.
    Please help me understand whether Kerberos can be set up across a one-way cross-forest trust.
    Regards
    Gyan
    GYAN SHUKLA

    Hi Gyan,
    I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
    Then your last reply should be marked as answer.
    If this issue still persists, please feel free to let us know.
    Best Regards,
    Amy 
