How to configure SharePoint 2010 with Kerberos authentication?
Before you start configuring SharePoint 2010 with Kerberos, it helps to understand what Kerberos authentication is and how it can help SharePoint.
About Kerberos authentication
Kerberos is a secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request, if the request contains valid user credentials and a valid service principal name (SPN). The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The KDC distributes shared secret keys to enable encryption. The client and server computers must also be able to access Active Directory Domain Services (AD DS). For AD DS, the forest root domain is the center of Kerberos authentication referrals.
To deploy a server farm running Microsoft SharePoint Server 2010 using Kerberos authentication, you must install and configure a variety of applications on your computers. This article describes an example server farm running SharePoint Server 2010 and provides guidance for deploying and configuring the farm to use Kerberos authentication to support the following functionality:
- Communication between SharePoint Server 2010 and Microsoft SQL Server database software.
- Access to the SharePoint Central Administration Web application.
- Access to other Web applications, including a portal site Web application and a My Site Web application.
Step-by-step instructions on how to configure SharePoint 2010 with Kerberos authentication
Source: Configuring SharePoint 2010 with Kerberos Authentication
Follow the steps below to be absolutely sure which account runs the site that will support Kerberos authentication. If SharePoint has already been configured, verify that your application pool account is, in fact, running the IIS application pool that supports the website where Kerberos is enabled.
Open the web application that will support Kerberos and make a note of the application pool that supports it. You may have more than one web application for the same data (for example, one for http and one for https), so take care to determine the exact web application.
Make a note of the account that is the identity of this application pool; later this account must be trusted for “Delegation”.
* If the application pool is “Network Service”, Kerberos cannot be configured; the application pool account configured through Central Administration must be a domain account.
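One way to run the check described above on a web front end, as an added example that is not part of the original post: it lists each IIS site with its bindings, application pool and pool identity, and flags identities that are not domain accounts. It assumes the IIS `WebAdministration` module is installed; `Test-PoolIdentity` is a hypothetical helper name, and the fallback rows (including the `CONTOSO` account) are constructed sample data used only when the module is absent.

```powershell
# Added example: which account runs each site, and can it be used for Kerberos?
function Test-PoolIdentity {
    param([string]$IdentityType, [string]$UserName)
    # Built-in identities (NetworkService, LocalSystem, ...) are not domain
    # accounts, which the article requires for the application pool.
    if ($IdentityType -ne 'SpecificUser') {
        return "NOT USABLE: built-in identity '$IdentityType', set a domain account in Central Administration"
    }
    # ".\name", "<this computer>\name" or a bare name is a local account.
    $localPrefix = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    if ($UserName -match $localPrefix -or $UserName -notmatch '[\\@]') {
        return "NOT USABLE: '$UserName' is a local account, not a domain account"
    }
    return "OK: note '$UserName' for the delegation step"
}

if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $rows = Get-ChildItem IIS:\Sites | ForEach-Object {
        $pool = Get-Item ("IIS:\AppPools\" + $_.applicationPool)
        New-Object PSObject -Property @{
            Site         = $_.Name
            AppPool      = $pool.Name
            # Bindings tell the http and https web applications apart.
            Bindings     = ($_.bindings.Collection |
                            ForEach-Object { $_.protocol + ' ' + $_.bindingInformation }) -join ', '
            IdentityType = [string]$pool.processModel.identityType
            UserName     = [string]$pool.processModel.userName
        }
    }
} else {
    # Constructed sample rows so the script can be read and run without IIS.
    $rows = @(
        New-Object PSObject -Property @{ Site = 'SharePoint - 80'; AppPool = 'SharePoint - 80'
            Bindings = 'http *:80:'; IdentityType = 'SpecificUser'; UserName = 'CONTOSO\svc-portal' }
        New-Object PSObject -Property @{ Site = 'SharePoint - 443'; AppPool = 'SharePoint - 443'
            Bindings = 'https *:443:'; IdentityType = 'NetworkService'; UserName = '' }
    )
}

$rows | Select-Object Site, Bindings, AppPool,
    @{ Name = 'Kerberos'; Expression = { Test-PoolIdentity $_.IdentityType $_.UserName } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session so the `IIS:` drive can read the application pool configuration.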