Introduction
 
 My team recently configured Kerberos authentication for a SharePoint 2013 web application, and we have captured the step-by-step process here. This article is for SharePoint administrators who want to configure Kerberos authentication for their SharePoint web applications.
 
 Creating new web application with Kerberos Authentication
  
- Open the Central Administration site.
- Click "Manage web applications" in the "Application Management" section.
 
- Click on "New" in the top menu.
 
- Fill in the Create New Web Application dialog.

- In the IIS Web Site section, choose to create a new IIS web site and give it a name, such as "webapplication name".

- In the Claims Authentication Types section, tick "Enable Windows Authentication" and "Integrated Windows authentication" and set the dropdown to "Negotiate (Kerberos)".
 
- Change the public URL to the URL users will type (for example http://<host name>).

 Note - You can keep the default name and port number that SharePoint proposes. If you do, the port number must also appear in the SPNs you register later (see the Service Principal Name section).
 
 
- Click OK to create the web application with Kerberos as its authentication type.
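 The same web application can be created from the SharePoint 2013 Management Shell. The script below is an added example and not part of the original article; the names SP-Intranet, intranet.corp.example.com, CORP\svc_sp_app and WSS_Content_Intranet are placeholders, and it assumes the application pool account is already registered as a managed account.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder names; change them to match your farm.
$webAppName  = "SP-Intranet"
$hostHeader  = "intranet.corp.example.com"
$appPoolName = "SP-Intranet-AppPool"
$appPoolAcct = "CORP\svc_sp_app"          # assumed to exist as a managed account
$dbName      = "WSS_Content_Intranet"

# Windows claims authentication. Leaving out -DisableKerberos gives
# "Negotiate (Kerberos)"; adding that switch would give NTLM instead.
$provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$managed = Get-SPManagedAccount -Identity $appPoolAcct

New-SPWebApplication -Name $webAppName `
    -ApplicationPool $appPoolName -ApplicationPoolAccount $managed `
    -HostHeader $hostHeader -Port 80 -Url "http://$hostHeader" `
    -DatabaseName $dbName -AuthenticationProvider $provider

# Check: DisableKerberos must be False on the Default zone.
$wa = Get-SPWebApplication "http://$hostHeader"
$wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].DisableKerberos
```

 The last line is the scripted equivalent of the Authentication Providers check later in this article: it should print False.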
Name Resolution
 
 DNS
 
 Note - These steps are performed by the Windows Server administrator, on the DNS server only.

- Open DNS Manager from Administrative Tools on the DNS server.
 
- Expand the "Forward Lookup Zones" container.
 
- Right-click your domain and click "New Host (A or AAAA)".
 
- The New Host dialog opens.
 
- Enter the Host Name: the host part of the web application URL (the FQDN minus the domain suffix), and the IP address of the WFE server.

 Note

 If you have two WFE servers in the same farm, create two A records with the same host name, one per WFE IP address (DNS round robin). Use A records rather than a CNAME alias: Internet Explorer and WinHTTP build the SPN they request from the canonical A-record name, so a CNAME would make the client ask for a ticket for a name other than the one you register.
 
 
- Click on "Add Host".
- Click on "Done".
- You will see the confirmation dialog box. Click OK to close the dialog  	box.
 
- Verify that the A Record is created in the right pane with correct Host  	name and IP address.
 
- (optional) Flush the DNS cache with ipconfig /flushdns.
 
- (optional) In a command prompt, ping the web application host name and check that it resolves to the WFE address. If it does not, follow the steps below to update the hosts file.
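 The same records can be created with the DnsServer PowerShell module (Windows Server 2012 or later). This is an added example and not part of the original article; the zone corp.example.com, the host name intranet and the two WFE addresses 10.0.1.21 and 10.0.1.22 are placeholders.

```powershell
Import-Module DnsServer        # run on the DNS server, or remotely with -ComputerName

$zone     = "corp.example.com"            # placeholder zone
$hostName = "intranet"                    # host part of the web application URL
$wfeAddrs = @("10.0.1.21", "10.0.1.22")   # one A record per WFE (placeholder IPs)

foreach ($ip in $wfeAddrs) {
    # Same name, different addresses: clients round-robin between the WFEs.
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $hostName `
        -IPv4Address $ip -TimeToLive (New-TimeSpan -Minutes 5)
}

# Verify on the server: both A records must be present, and there must be no
# CNAME of the same name (a CNAME would change the SPN the client asks for).
Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName

# Verify from a client: flush the local cache and resolve the FQDN.
Clear-DnsClientCache
Resolve-DnsName -Name "$hostName.$zone" -Type A
```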
Service Principal Name (SPN)
 Note

 Run the setspn commands against your web application's application pool service account, written as DOMAIN\account (e.g. CORP\svc_sp_app). The account running setspn must be allowed to write servicePrincipalName on that account; Domain Admins and Enterprise Admins have this right by default. The application pool service account itself does not need, and should not be given, membership in either group.

 Run these steps on a domain controller, or on any domain-joined machine that has setspn.exe (part of the AD DS tools in RSAT).
- Open a command prompt with "Run as administrator".
- (Optional step) Check whether any SPNs are already registered for the application pool service account.

 setspn -L DOMAIN\<app pool service account>
 
 
- (Important command) Register the SPN for the short host name on the application pool service account.

 setspn -S HTTP/<host name> DOMAIN\<app pool service account>

 Note - The HTTP service class is matched case-insensitively. Do not register "HTTPS" SPNs even if the web application uses SSL; the class is HTTP either way. The -S option looks for an existing SPN with the same name before adding it: a duplicate SPN on two accounts means the KDC cannot tell which account's key to use, and Kerberos fails for that name. If the web application uses a non-default port (e.g. 1234), register HTTP/<host name>:1234 as well; a client that includes the port in its request only gets a ticket if that form exists. Internet Explorer omits the port by default, so keep the port-less SPN too.
 
 
- (Important command) Now register the SPN for the fully qualified domain name (FQDN) as well.

 setspn -S HTTP/<fully qualified domain name> DOMAIN\<app pool service account>

 Note - The same port rule applies: for a non-default port, register HTTP/<fully qualified domain name>:<port> in addition to the port-less form.
 
 
- (Optional step) List the SPNs now registered for the application pool service account; the "-L" option lists all of them.

 setspn -L DOMAIN\<app pool service account>

 If the commands succeeded, the HTTP/<host name> and HTTP/<fully qualified domain name> entries appear under the service account.
 
 
- (Important command) For the database server, the SPN uses the MSSQLSvc service class instead of HTTP and is registered on the account that runs the SQL Server service, in the form MSSQLSvc/<sql server fqdn>:<port>.
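 Putting the commands together with the placeholders filled in. This is an added example, not the original article's text; it assumes the application pool account CORP\svc_sp_app, the SQL Server service account CORP\svc_sql, the host names intranet and intranet.corp.example.com, and a SQL Server at sql01.corp.example.com on port 1433.

```powershell
# Run as a user allowed to write servicePrincipalName (Domain Admins by default).
$appPoolAcct = "CORP\svc_sp_app"     # placeholder
$sqlSvcAcct  = "CORP\svc_sql"        # placeholder
$shortName   = "intranet"
$fqdn        = "intranet.corp.example.com"

# What is already there?
setspn -L $appPoolAcct

# Web application SPNs. -S searches the forest first and refuses a duplicate.
setspn -S "HTTP/$shortName" $appPoolAcct
setspn -S "HTTP/$fqdn"      $appPoolAcct

# Only for a web application left on a non-default port, e.g. 1234:
# setspn -S "HTTP/${fqdn}:1234" $appPoolAcct

# SQL Server: MSSQLSvc on the SQL service account, FQDN plus port.
setspn -S "MSSQLSvc/sql01.corp.example.com:1433" $sqlSvcAcct

# Forest-wide duplicate check. Any SPN listed here is registered on more than
# one account, and Kerberos for that name fails until one copy is removed.
setspn -X

# Cross-check through AD (RSAT ActiveDirectory module).
Import-Module ActiveDirectory
Get-ADUser -Identity ($appPoolAcct.Split('\')[1]) -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
```

 setspn -X is worth running after any change: it reports duplicates anywhere in the forest, which setspn -S only checks for the one SPN being added.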
Allow Trust for delegation
 
 Note - The logged-on user must be a member of Domain Admins or Enterprise Admins to perform the steps below.

- Go to Start -> Administrative Tools.
 
 
- Open Active Directory Users and Computers.
 
 
- Expand your fully qualified domain name in the left pane and click the Computers folder. If your server is not listed there, right-click the domain name, click Find, and search for the computer name.
 
 
- Right-click the server that will delegate to other services (the WFE that needs to pass the user's identity on to a back-end service).
 
 
- Click on Properties.
 
 
- On the Delegation tab, select "Trust this computer for delegation to any service (Kerberos only)". This is unconstrained delegation: every user who authenticates to this server hands it a forwardable copy of their TGT, so the server, and anyone who compromises it, can act as that user towards any service in the domain. The tighter option is "Trust this computer for delegation to specified services only", listing just the back-end SPNs the farm needs (the MSSQLSvc SPN of the database server, for example). Note also that delegation is evaluated for the account that decrypted the user's service ticket: if the application pool runs under a domain service account (the account holding the HTTP SPN), configure the Delegation tab on that account rather than on the computer object.
 
- Click OK
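 Both the setting the article chooses and the constrained form can be applied with the ActiveDirectory module. This is an added example and not part of the original article; the computer name WFE01, the service account svc_sp_app and the SQL SPN MSSQLSvc/sql01.corp.example.com:1433 are placeholders.

```powershell
Import-Module ActiveDirectory   # needs the right to enable delegation (Domain Admins by default)

# 1. What the article configures: unconstrained delegation on the WFE computer account.
#    Every user who authenticates to this server hands it a forwardable TGT.
Set-ADComputer -Identity "WFE01" -TrustedForDelegation $true

# 2. The tighter alternative: constrained delegation (Kerberos only) on the
#    account that holds the HTTP SPN, limited to the back-end SPNs it needs.
$backEnds = @(
    "MSSQLSvc/sql01.corp.example.com:1433",
    "MSSQLSvc/sql01.corp.example.com"
)
Set-ADUser -Identity "svc_sp_app" -Add @{ 'msDS-AllowedToDelegateTo' = $backEnds }

# 3. Review: which accounts are trusted for unconstrained delegation at all?
#    This list should be short and every entry should have a known reason.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' | Select-Object Name
Get-ADUser     -Filter 'TrustedForDelegation -eq $true' | Select-Object Name

# And what the service account is allowed to delegate to.
Get-ADUser -Identity "svc_sp_app" -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'
```

 If the farm has to delegate on behalf of claims users through the Claims to Windows Token Service, the delegating account additionally needs protocol transition ("Use any authentication protocol"), which is Set-ADAccountControl -TrustedToAuthForDelegation $true on top of the list above; that goes beyond the Kerberos-only setting this article describes.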
Authentication Provider
 Note - To perform these steps, you must be a member of the SharePoint Farm  Administrators group. 
- In Central Administration, go to Application Management -> Manage Web Applications.
 
 
- Select the web application you want to configure and click Authentication Providers in the WEB APPLICATIONS tab of the ribbon.
 
- In the Authentication Providers dialog, click the zone you want to change; usually this is the Default zone.
 
- In the Edit Authentication dialog, under Claims Authentication Types, verify that "Enable Windows Authentication" and "Integrated Windows authentication" are checked and that the dropdown shows Negotiate (Kerberos).
 
- Save and close the dialog.
Configure Kerberos in IIS 
 
 To verify the IIS web site authentication settings, follow these steps in IIS Manager.

- Click Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
 
- Select the server node in the left pane.
 
 
- Expand the Sites folder and locate the web application's site.
 
 
- Select the site and, in the middle pane, double-click Authentication under the IIS section.
 
- In the Authentication dialog, select Windows Authentication.
 
- Click on Providers in the right actions pane.
 
- Verify that Negotiate and NTLM are both listed, with Negotiate on top. IIS offers the providers in this order; a client that can obtain a Kerberos ticket uses it through Negotiate, and NTLM remains the fallback for clients that cannot.
 
- Click Cancel, then click Advanced Settings in the right actions pane.
 
- In the Advanced Settings dialog, verify that Extended Protection is Off and that "Enable Kernel-mode authentication" is unchecked. With kernel-mode authentication on, IIS decrypts the Kerberos ticket with the machine account's key, but the ticket was issued for the application pool's domain service account (the owner of the HTTP SPN); kernel mode therefore has to be off, or left on only together with useAppPoolCredentials="true" in applicationHost.config. Extended Protection is a channel-binding defence against relaying Windows credentials, so turning it off is a deliberate trade-off rather than a tidy-up.
 
- Click Cancel.
 
 
- IIS may show a warning after this change; it can be ignored.
 
- Update the site bindings to use the host name on the default port 80. If the web application was created on a non-default port, either change the binding to port 80 as below, or keep the port and register the SPNs with the port number (see the Service Principal Name section).

  - Open IIS Manager.
  - Click your web application's site.
  - Click "Bindings..." in the right-hand actions pane.
  - In the Site Bindings dialog, select the binding for your web application's host name and click Edit.
  - Change the port from the non-default port to the default port 80.
 
- Click OK
- Add one more binding, on port 80, with the FQDN as host name.
 
 
 
- Add bindings for SSL as well.

  - Open IIS Manager.
  - Click your web application's site.
  - Click "Bindings..." in the right-hand actions pane.
  - In the Site Bindings dialog, click Add.
  - Change the Type dropdown to "https".
  - Enter the host name.
  - Select the SSL certificate (the original uses a wildcard certificate, "*.").
  - Click OK.
 
 
 
- The final bindings should be: http on port 80 for the short host name, http on port 80 for the FQDN, and https on port 443 for the host name.
 
- Open a command prompt with administrator rights.
- Run iisreset.
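 The same checks and changes, scripted with the WebAdministration module so they can be repeated identically on every WFE (binding and authentication changes made in IIS Manager apply to one server only). This is an added example and not part of the original article; the site name SP-Intranet and the host names are placeholders, and the https binding still needs its certificate bound under IIS:\SslBindings.

```powershell
Import-Module WebAdministration

$site = "SP-Intranet"          # IIS site name of the web application (placeholder)
$path = "IIS:\Sites\$site"
$auth = "system.webServer/security/authentication/windowsAuthentication"

# Windows authentication on, kernel mode off: the ticket is encrypted for the
# application pool's domain account, not for the machine account.
Set-WebConfigurationProperty -PSPath $path -Filter $auth -Name enabled       -Value $true
Set-WebConfigurationProperty -PSPath $path -Filter $auth -Name useKernelMode -Value $false

# Providers must be Negotiate first, NTLM second. Rebuild the list if they are not.
$providers = @((Get-WebConfiguration -PSPath $path -Filter "$auth/providers").Collection.value)
if (-not ($providers.Count -ge 2 -and $providers[0] -eq "Negotiate" -and $providers[1] -eq "NTLM")) {
    foreach ($p in $providers) {
        Remove-WebConfigurationProperty -PSPath $path -Filter "$auth/providers" -Name "." -AtElement @{ value = $p }
    }
    Add-WebConfigurationProperty -PSPath $path -Filter "$auth/providers" -Name "." -Value @{ value = "Negotiate" }
    Add-WebConfigurationProperty -PSPath $path -Filter "$auth/providers" -Name "." -Value @{ value = "NTLM" }
}

# Bindings: short name and FQDN on port 80, FQDN on 443.
New-WebBinding -Name $site -Protocol http  -Port 80  -HostHeader "intranet"
New-WebBinding -Name $site -Protocol http  -Port 80  -HostHeader "intranet.corp.example.com"
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader "intranet.corp.example.com"

# Verify, then restart IIS.
Get-WebConfigurationProperty -PSPath $path -Filter $auth -Name useKernelMode
(Get-WebConfiguration -PSPath $path -Filter "$auth/providers").Collection | Select-Object value
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation
iisreset
```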
Verify or Assign access to Service Account on SQL Server
- Open SQL Server Management Studio and connect to the instance on your DB server.
- Expand Server Name -> Security -> Logins.
- Verify that a login for the service account exists; if not, create it.
- Right-click the login and click Properties.
- The original assigns these server roles:

  - public
  - sysadmin

 Note - sysadmin gives the account complete control of the instance and every database on it. SharePoint's documented requirement for the account that creates the farm and its databases is the dbcreator and securityadmin roles; application pool accounts receive the database roles they need from SharePoint itself. Grant sysadmin only if you have a specific reason to, and remove it once that reason is gone.
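 The login and role assignment can be done with Invoke-Sqlcmd (SqlServer or SQLPS module), and the same session can report whether its own connection used Kerberos, which is the check that matters once the MSSQLSvc SPN is in place. This is an added example and not part of the original article; the instance sql01.corp.example.com and the login CORP\svc_sp_farm are placeholders, and the ALTER SERVER ROLE syntax needs SQL Server 2012 or later.

```powershell
Import-Module SqlServer -ErrorAction SilentlyContinue   # older installs: Import-Module SQLPS

$instance = "sql01.corp.example.com"   # placeholder
$login    = "CORP\svc_sp_farm"         # placeholder service account

# Create the Windows login if it is missing and grant the roles SharePoint documents
# for the account that provisions databases: dbcreator + securityadmin.
# The article grants sysadmin; uncomment that line only if you really need it.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [$login];
ALTER SERVER ROLE [securityadmin] ADD MEMBER [$login];
-- ALTER SERVER ROLE [sysadmin] ADD MEMBER [$login];   -- what the original does
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $grant

# Which server roles does the login hold now?
$roles = @"
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$login';
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $roles

# Did this connection authenticate with Kerberos or NTLM? Run it as the account
# whose path to SQL you are testing (for example from a WFE as the app pool account).
# KERBEROS means the MSSQLSvc SPN is right; NTLM means SQL fell back.
Invoke-Sqlcmd -ServerInstance $instance `
    -Query "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;"
```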
 
Configure Alternate Access Mapping
- Open Central Administration.
- Go to Application Management -> Web Applications -> Configure Alternate Access Mappings.
- Add an alternate access mapping for every URL the web application will be reached by (short host name, FQDN and the https URL). Each distinct host name in these URLs also needs a matching HTTP SPN on the application pool service account.
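 The mapping for the short host name can be added from the Management Shell and the full list reviewed against the registered SPNs. This is an added example and not part of the original article; the URLs are placeholders.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication "http://intranet.corp.example.com"   # placeholder public URL

# Let http://intranet (the short name, which also has an HTTP SPN) reach the Default zone.
New-SPAlternateURL -WebApplication $wa -Url "http://intranet" -Zone Default -Internal

# Review all mappings; every distinct host name here needs an HTTP/<host> SPN.
Get-SPAlternateURL -WebApplication $wa | Select-Object IncomingUrl, UrlZone, PublicUrl
```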
Verification of functionality
- klist is built into Windows Server 2008, Windows 7 and later. It lists, purges and requests Kerberos tickets (the TGT and service tickets), which makes it the quickest way to check whether Kerberos is actually being used.

 Note - Close all Internet Explorer windows and run the following steps on the client machine.

- On the client, open a command prompt. Use a normal (non-elevated) prompt: under UAC an elevated prompt runs in its own logon session with its own ticket cache, so klist there would not show the tickets Internet Explorer obtains, and klist purge there would not clear them.
 
- Flush the DNS cache.

 ipconfig /flushdns
 
 
- List the tickets cached for your logon session.

 klist

 Note - This is read-only and affects nothing else on the client or server.
 
 
- Now clear the list, so that you can see whether a new ticket is granted to your user when you log on to the SharePoint site:

 klist purge

 Note - This only removes cached tickets; Windows requests new ones as needed, so nothing else on the client or server is affected.
 
 
- In the prompt, you will see
 
 Deleting all tickets
 Ticket(s) purged!
 
- Try again listing all tickets, type: klist in command prompt.
 
 This time the list should be empty.
 
 
- With an empty ticket list, open a new Internet Explorer session and go to the URL of the web application.

 Note

 Do not start the browser as a different user (Run as). klist shows the tickets of the logon session it runs in; a browser started under another account gets its tickets in a different cache, and klist for the logged-on user will not see them.
 
 
- Open the web application URL in the Internet Explorer window and refresh it.

- If a login window appears, enter valid credentials.

- Switch back to the command prompt and type

 klist

 or, to request the service ticket for the web application directly from the KDC without involving the browser,

 klist get HTTP/<fully qualified domain name>

- With Kerberos working, the list now contains the TGT (krbtgt/<DOMAIN>) and a service ticket for HTTP/<host name>. If only the TGT is present after the page loaded, the browser fell back to NTLM and the SPN or binding configuration needs another look.

- Follow the steps below to validate Kerberos authentication.
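 Client-side and server-side checks in one script. This is an added example and not part of the original article; the FQDN intranet.corp.example.com is a placeholder, the client half assumes a normal (non-elevated) PowerShell window in the same logon session as the browser, and the server half assumes logon auditing is enabled on the WFE (the Windows Server default) and is run there as an administrator.

```powershell
### Client side (non-elevated window, same logon session as the browser)

$fqdn = "intranet.corp.example.com"    # placeholder

Clear-DnsClientCache                    # same as ipconfig /flushdns
klist purge                             # empty the ticket cache for this session

# Ask the KDC for the service ticket directly. Success proves the SPN exists on
# exactly one account; failure here means the SPN, not the browser, is wrong.
klist get "HTTP/$fqdn"

# Now load the site in the browser, then look for the TGT and the HTTP ticket.
Start-Process "iexplore.exe" "http://$fqdn"
Start-Sleep -Seconds 15
klist | Select-String -Pattern "krbtgt/", "HTTP/"

### Server side (run on the WFE as an administrator)

# Network logons (type 3) in the last 10 minutes, grouped by the package that
# handled them. "Kerberos" is what we want; "NTLM" rows are the fallback path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-10) } |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Type    = ($d | Where-Object Name -eq 'LogonType').'#text'
            Package = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
        }
    } |
    Where-Object { $_.Type -eq '3' } |
    Group-Object Package, User | Select-Object Count, Name
```

 The server-side view is the one to trust: klist on the client shows that a ticket was obtained, while event 4624 on the WFE shows which package the site actually accepted for each user, so an "NTLM" row for a user who has a valid HTTP ticket points at a problem on the IIS side (provider order, kernel-mode setting or bindings).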