Sharepoint 2007 has two authentication protocols it can use internally. NTLM and Kerberos. Default it’s using NTLM since it is more or less plug and play. Kerberos is the more advanced authentication protocol since it allows the credentials be delegated across other trusted servers or services. I’m not going to tell you to always use kerberos, but I am a big fan of the authentication protocol, especially when delegating credentials using an ISA 2006 server. If you want more information about the NTLM limitations and why kerberos is a better protocol you might want to google for double hop.
So I configured my new Sharepoint 2007 farm to use kerberos using Configure Kerberos authentication (Office SharePoint Server) and I ran into some undocumented problems. I got 401 errors when trying to access some Sharepoint urls on the internal network. This was because I configured more than one url binding on an IIS website. Even though i configured both SPN’s on the service account that was running the Sharepoint application, it was not working using IIS 7 and kerberos. Kerberos will only work on one URL in the binding list, which ever you will try to access first. In order to fix this you have to create a new IIS website using the extend web application function in Sharepoint Central Administration. I was not able to figure out if this is an IIS 7 bug or that this is ‘by design’. Configuring multiple SPNs on one service account however, is not a problem.
The second kerberos problem I ran into gave me more trouble to find out what is going wrong. Kerberos constrained delegation from the ISA to the sharepoint site was not working. I was a bit puzzled by this because kerberos logging didn’t have a clear answer. It gave me a Kerberos Pre-Authentication Error. As expected ticking the box on the service account ‘Do not require Kerberos preauthentication’ didn’t gave me a solution.
The problem is that IIS 7 has a new feature called Kernel Mode Authentication. Kernel Mode Authentication uses the SPNs on the computer account, even if the application pool runs on a different service account. This is a problem when you are running a Sharepoint farm with more than one frontend webserver. Since SPNs can only be registered once as you already now.
So even if you are running a Sharepoint Farm on one server, consider it best practise to disable Kernel Mode Authentication, on all sharepoint related websites in IIS that have kerberos authentication enabled, including Office Server Web Services. You can disable Kernel Mode Authentication in the IIS MMC on the website select Authentication -> Windows Integrated Authentication -> Advanced Settings.