Kerberos Success Story

I have finally worked out how to get Kerberos to work in an application that uses:

  • SharePoint 2007
  • WCF
  • SQL Server 2005

The Microsoft implementation of Kerberos seems to have been thrown together as an afterthought.
The key tool is setspn, and that is an optional download which is gui-only and has no protection for the user.
The documentation is generally unclear and there is a lot of erroneous information out there. Some of the functionality required is only visible to some of the domain admins, so if you don't have this right then you have no way of knowing what to ask for.

Kerberos is what you need to use to solve the “two hop problem”. This happens when a service that is called by a client needs to impersonate the client to another service. NTLM will simply fail to authenticate and the call is made as the anonymous user.

The process of getting Kerberos to work is actually quite simple once you understand a few details.
The concept is that you must have a chain of trust running from the server all the way back to the client.

  • The client needs to be using Kerberos.
  • The server needs to be using Kerberos.
  • The identity of the process running on the server needs to be trusted for delegation if it wants to call another server.
  • You need to set up a SPN for the called server.
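The four requirements above can be verified from a domain-joined admin workstation. The PowerShell below is an added example, not from the original post; it assumes the ActiveDirectory module (RSAT) is installed, that the SharePoint/WCF application pool and SQL Server run as domain user accounts, and that the account and host names are placeholders for your own.

```powershell
# Added example: check the Kerberos delegation chain for the
# client -> SharePoint/WCF -> SQL Server "two hop" path.
Import-Module ActiveDirectory

# Placeholders (assumed names): replace with your own accounts and hosts.
$SharePointAppPoolAccount = 'svc-sharepoint'     # identity of the web/WCF process
$SharePointHost           = 'portal.contoso.com' # name the client browses to
$SqlServiceAccount        = 'svc-sql'            # identity running SQL Server
$SqlHost                  = 'sql01.contoso.com'
$SqlPort                  = 1433

function Get-AccountSpns([string]$Account) {
    # Read the SPNs registered on a domain user account.
    (Get-ADUser -Identity $Account -Properties ServicePrincipalName).ServicePrincipalName
}

function Test-Spn([string[]]$Registered, [string]$Expected, [string]$Account) {
    # Report whether the expected SPN is present and how to add it if not.
    if ($Registered -contains $Expected) { "OK       $Expected" }
    else { "MISSING  $Expected   (setspn -A $Expected $Account)" }
}

# Requirement: the called server (SharePoint/WCF) needs HTTP SPNs
# for both the FQDN and the short host name clients may use.
$spSpns = Get-AccountSpns $SharePointAppPoolAccount
Test-Spn $spSpns "HTTP/$SharePointHost" $SharePointAppPoolAccount
Test-Spn $spSpns "HTTP/$($SharePointHost.Split('.')[0])" $SharePointAppPoolAccount

# Requirement: the next hop (SQL Server) needs MSSQLSvc SPNs on its service account.
$sqlSpns = Get-AccountSpns $SqlServiceAccount
Test-Spn $sqlSpns "MSSQLSvc/${SqlHost}:${SqlPort}" $SqlServiceAccount
Test-Spn $sqlSpns "MSSQLSvc/$SqlHost" $SqlServiceAccount

# Requirement: the middle-tier identity must be trusted for delegation.
# Constrained delegation (msDS-AllowedToDelegateTo) is the least-privilege form;
# TrustedForDelegation is the unconstrained "trust this user for delegation to any service" setting.
$acct = Get-ADUser -Identity $SharePointAppPoolAccount `
    -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($acct.'msDS-AllowedToDelegateTo') {
    "OK       $SharePointAppPoolAccount constrained delegation to: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
} elseif ($acct.TrustedForDelegation) {
    "OK       $SharePointAppPoolAccount is trusted for (unconstrained) delegation"
} else {
    "NOT SET  $SharePointAppPoolAccount is not trusted for delegation (ADUC > account > Delegation tab)"
}

# A duplicated SPN makes Kerberos fail silently (falling back to NTLM); list forest-wide duplicates.
setspn -X
```

If the application pool runs as Network Service instead of a domain user, query the web server's computer account with Get-ADComputer and check the SPNs and delegation setting there.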
