Subscribe to Windows IT Pro
November 28, 2007 12:00 AM

Use Kerberos to Secure MOSS 2007

Which Kerberos authentication features you need and how to configure them
Ethan Wilansky, Rick Sneddon
Windows IT Pro
InstantDoc ID #97376
Rating: (4)

Configuring protocol transition is straightforward. In Figure 3, beneath the Trust this user for delegation to specified services only option are two radio buttons that let you select either Use Kerberos only or Use any authentication protocol. If you select Use Kerberos only, then constrained delegation will work only with inbound Kerberos authentication of the user. Selecting Use any authentication protocol, which Figure 3 shows, lets you use protocol transition so that the middle-tier application (MOSS, in this case) changes the incoming authentication to Kerberos from some other authentication protocol, such as Basic authentication or NTLM.

For the service to obtain an impersonation token, its service account must have the “act as part of the operating system” privilege. If it doesn’t, the service will get only an identification token.

Getting an impersonation token is essential if your goal is to allow both protocol transition and delegation. However, the impersonation token does expose your system to attacks where a user logs on as the application pool account to compromise a system. Therefore, use this feature with caution.

An identity token, however, is usually adequate if all you need is to allow protocol transition. See Web Figure 2 to get a picture of what it takes to support protocol transition. The Learning Path that appears with this article online directs you to more resources about protocol transition and Kerberos. After you configure Kerberos, you’ll need to check out the Web sidebar “Testing and Troubleshooting Kerberos,” InstantDoc ID 97378, to ensure you’ve done it correctly.

Get to Know the Three-Headed Watchdog
As you can see, Kerberos authentication in a MOSS environment is a significant and sometimes challenging topic. Small wonder that it’s named for the three-headed dog in Greek mythology that guarded the gates of the underworld. But, with a little research, perseverance, and some testing in your lab environment, you’ll soon gain experience with the threeheaded dog and hopefully let it loose on your MOSS portal. We recommend you try it!

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • CURT
    5 years ago
    Dec 18, 2007

    Kudos for Ethan for addressing a problem that we encounter all to often in the field. During a MOSS deployment yesterday, I asked the IT dept. if they knew how Kerberos was working in their WAN and if they had tested their SPNs with the SetSPN tool. I received the "Deer in the Head lights" response. Thanks for addressing this issue. This is one Sharepoint article I will share with my clients and encourage them to subscribe to Windows IT Pro Today.

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.