Category 'Network-/System Administration'

Sharepoint using Kerberos on Windows 2008

Sharepoint 2007 has two authentication protocols it can use internally: NTLM and Kerberos. By default it uses NTLM, since that is more or less plug and play. Kerberos is the more advanced authentication protocol, because it allows credentials to be delegated across other trusted servers or services. I’m not going to tell you to always use Kerberos, but I am a big fan of the protocol, especially when delegating credentials through an ISA 2006 server. If you want more information about the NTLM limitations and why Kerberos is the better protocol, search for “double hop”.

So I configured my new Sharepoint 2007 farm to use Kerberos following Configure Kerberos authentication (Office SharePoint Server), and I ran into some undocumented problems. I got 401 errors when trying to access some Sharepoint URLs on the internal network. This was because I had configured more than one URL binding on a single IIS website. Even though I registered both SPNs on the service account running the Sharepoint application, it did not work on IIS 7 with Kerberos: Kerberos only works for one URL in the binding list, whichever one you access first. To fix this you have to create a new IIS website using the “extend web application” function in Sharepoint Central Administration. I was not able to figure out whether this is an IIS 7 bug or “by design”. Registering multiple SPNs on one service account, however, is not a problem.

The second Kerberos problem I ran into was harder to track down. Kerberos constrained delegation from the ISA server to the Sharepoint site was not working. I was a bit puzzled by this, because the Kerberos logging did not give a clear answer; it only reported a Kerberos Pre-Authentication Error. As expected, ticking the box ‘Do not require Kerberos preauthentication’ on the service account did not solve it.

The problem is that IIS 7 has a new feature called Kernel Mode Authentication. Kernel Mode Authentication uses the SPNs on the computer account, even if the application pool runs under a different service account. This is a problem when you are running a Sharepoint farm with more than one front-end web server, since, as you already know, an SPN can only be registered once.
So even if you are running a Sharepoint farm on a single server, consider it best practice to disable Kernel Mode Authentication on all Sharepoint-related websites in IIS that have Kerberos authentication enabled, including Office Server Web Services. You can disable Kernel Mode Authentication in the IIS MMC: on the website select Authentication -> Windows Authentication -> Advanced Settings.
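The same check and fix from the command line, as an added example that is not part of the original post. It assumes the Sharepoint site in IIS is called “SharePoint - 80” and its application pool runs as CONTOSO\svc_sharepoint; both names are placeholders for your own farm.

```powershell
# Added example, not from the original article. Site and account names below
# are assumptions; replace them with the values used in your farm.
$siteName   = "SharePoint - 80"
$svcAccount = "CONTOSO\svc_sharepoint"
$appcmd     = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$section    = "system.webServer/security/authentication/windowsAuthentication"

# 1. The HTTP/<host> SPNs must be registered on the application pool account,
#    not on the computer account. -L lists what is registered on the account;
#    -X reports duplicate SPNs forest-wide, which is exactly what breaks
#    Kerberos when more than one front-end ends up with the same name.
& setspn -L $svcAccount
& setspn -X

# 2. Show the current Windows Authentication settings for the site.
& $appcmd list config $siteName "/section:$section"

# 3. Disable Kernel Mode Authentication so the service ticket is decrypted with
#    the application pool account's key instead of the computer account's key.
#    /commit:apphost writes the change to applicationHost.config.
& $appcmd set config $siteName "/section:$section" /useKernelMode:false /commit:apphost

# 4. Read the section back and confirm useKernelMode="false" is now in place.
& $appcmd list config $siteName "/section:$section"
```

Run the block once per Sharepoint site (including the Office Server Web Services site) on every front-end server; an IIS reset is not required, but clients keep using a cached ticket until they log off or the ticket expires.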

Faster deployment of new PCs using GSS 2

When you have a fine Symantec Ghost Solution Suite deployment environment, it could still be a pain to deploy new computers. These are the steps you probably have to do:
Continue reading

Force clients to choose the right Symantec Ghost Console

So, you have a great Symantec Ghost deployment solution to deploy your standardized sysprep image. On every physical (office) location you have a dedicated Ghost Console, because the Ghost Console isn’t built for concurrent multi-user access and a single Ghost Console would probably flood your backbone fiber.

Continue reading

Symantec Ghost Console network card detection update

When you install new computers in your corporate network with Symantec Ghost, choosing the right DOS network card template can be a pain if you haven’t updated the drivers that Ghost uses for booting from the virtual partition in DOS. Major network chip vendors like Broadcom and Intel release a new chip model along with a driver update every two months… Continue reading

Using the Security Configuration Wizard to Harden the ISA Firewall without breaking VPN

You may have already read Using the Windows Server 2003 Security Configuration Wizard to Harden the ISA Firewall, and now your VPN is broken…
I don’t want to criticize Dr. Shinder too much, because isaserver.org is a great resource when you want to set up an ISA server and are not so experienced in configuring firewalls… but this remark frankly stunned me. His article about hardening Windows 2003 on an ISA 2004 box with the Security Configuration Wizard is just full of errors. Continue reading

Sync User Folders 1.0 (with AD OUs / Groups)

NOTE: 1.0 relies on MSXML6. I didn’t notice that because I install the Security Configuration Wizard by default on 2003 servers, which contains MSXML6.
The dependency will be fixed in 1.1.

SyncUserFolders can automatically create (new) user folders (sets rights, creates shares, and can execute a script on creation). Furthermore, SyncUserFolders can automatically archive user folders when a user is deleted. All at lightning speed… Continue reading

Yet another LogonScript

Yet another LogonScript (YaLS) is a situation-independent logon script. Everything is possible without scripting. YaLS processes all the information from Active Directory related to the user and the logged-on computer. This saves the administrator some nasty scripting work and leaves the user with a nice skin and a fast, solid logon script. To see what this logon script can do, look at: http://www.logonscript.org/features

Remove Novell Netware Client

When you migrate a Novell Netware client to an Active Directory domain, successfully uninstalling an older Netware Client version is always a difficult task.

Continue reading
