My SharePoint web applications are set to use Negotiate (Kerberos), so I am assuming you have been through the process of setting up Kerberos authentication.
A great guide linked here by the way.
We have strict change control for production farms so I have only faced this in two staging farms where less stringent change management has meant configuration changes have been made and 'broken' Kerberos authentication.
But this could easily happen in a less tightly controlled production environment, which unfortunately I have too much experience with in the past!
The symptoms could be in many forms, depending how you are interacting with SharePoint.
I was trying to activate some features on a site and was receiving an error in PowerShell:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'
I then tried to browse the site in internet explorer and was prompted for my credentials, which would not be accepted.
There was no failing back to NTLM so I was stuck at this point.
To enable the Kerberos events in event viewer you will need to check you have the below registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value:
LogLevel
Value Type:
REG_DWORD
Value Data:
0x1
If the entry does not exist, create it.
Check the event viewer under system events you should begin to see Kerberos events when trying to authenticate to the problematic site.
Now I could see it was clearly a Kerberos authentication issue and checking the SPNs is the first logical step.
Check the application pool account running the web application, lets say as an example it is: domain\MattTestAccount
For Kerberos to work this account should have SPNs assigned to it.
in command prompt:
setspn -l domain\MattTestAccount
You should then see all SPNs for that service account listed.
If the SPN for your web application is not displayed you have found the issue, and this was the the problem in my case.
How could this have happened when it was previously working?
In my instance, at some point the application pool account running the IIS site had been changed, maybe to make the app pool accounts consistent, maybe to have individual accounts per web app, there are a multitude of reasons but the important thing is you have found the root cause of the issue.
Now you need to set assign the SPN to the correct service account and your Kerberos authentication issue will be resolved.
Guidance on setting SPNs and all other required configuration is in the guide linked at the start of this post.
Thanks for reading,
Matt
No comments:
Post a Comment