Configuring Kerberos
When Winshuttle Central and Winshuttle Workflow are hosted on servers that are separate from the Winshuttle SERVER, forms cannot execute a call to a published web service. This is fixed either by 'hard-coding' the credentials in the form or by using Kerberos.
These instructions show you how to configure Kerberos as the authentication protocol for your SharePoint 2010 server that runs the Winshuttle CENTRAL, Winshuttle Workflow, Winshuttle Designer, and Winshuttle SERVER services.
For this example, SharePoint, Winshuttle CENTRAL and Winshuttle Workflow are installed on one server (SPServer) and Winshuttle Server is installed on another server (WSServer).
Two separate service user accounts are required for SharePoint and Winshuttle Server setup, one for Central and one for Winshuttle Server.
The service user identity for CENTRAL should be in the following groups on the CENTRAL server SPServer.
The service user identity for Winshuttle SERVER should be in the following group on the Winshuttle Server WSServer:
The following checklist provides a brief overview of everything you must do to configure Kerberos in your environment.
| Area of Configuration | Description |
|---|---|
| DNS | Register a DNS Record for WSServer |
| Active Directory | Create a service account for the web applications' IIS application pool; Register Service Principal Names (SPN) for the web applications on the service account created for the web applications' IIS application pool; Configure Kerberos constrained delegation for service accounts |
| Configure a SharePoint Server | Create SharePoint Server managed accounts; Create the SharePoint web applications |
| IIS Configuration | Validate that Kerberos authentication is enabled; Verify kernel-mode authentication is disabled |
| Windows 7 Client | Ensure web application URLs are in the intranet zone, or a zone configured to automatically authenticate with integrated Windows authentication (instructions not included in this guide, consult your Windows manual if you have questions) |
| Firewall Configuration | Open firewall ports to allow HTTP traffic in on default and non-default ports; Ensure clients can connect to Kerberos Ports on the Active Directory (instructions not included in this guide, consult your firewall manufacturer if you have questions) |
| Test Browser Authentication | Optional: If the firewall configuration setting doesn't work, check these settings: Verify that authentication works correctly in the browser; Verify logon information on the web server's security event log |
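
One way to check the Active Directory items in the checklist above is a read-only PowerShell audit of the SPNs and delegation settings; this is an added example, not part of the original Winshuttle instructions. The account names `svc-central` and `svc-wsserver`, the `example.local` suffix, and the choice that the CENTRAL identity delegates to `HTTP/WSServer` are assumptions to replace with your own values.

```powershell
# Added example: read-only audit of SPNs and delegation (changes nothing in AD).
# Requires the ActiveDirectory module (RSAT). Account names are hypothetical.
Import-Module ActiveDirectory

$centralAccount = 'svc-central'    # hypothetical: CENTRAL / SharePoint app pool identity
$serverAccount  = 'svc-wsserver'   # hypothetical: Winshuttle SERVER identity
$expectedSpns   = 'HTTP/WSServer', 'HTTP/WSServer.example.local'  # placeholder domain

$props = 'ServicePrincipalName', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$central = Get-ADUser -Identity $centralAccount -Properties $props
$server  = Get-ADUser -Identity $serverAccount  -Properties $props

foreach ($spn in $expectedSpns) {
    # 1. The back-end SPN should be registered on the Winshuttle SERVER account.
    if ($server.ServicePrincipalName -notcontains $spn) {
        Write-Warning "SPN $spn is not registered on $serverAccount"
    }
    # 2. An SPN held by more than one object makes Kerberos fail and the
    #    client silently fall back to NTLM, which cannot be delegated.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn on: $($owners.Name -join ', ')"
    }
}

# 3. Delegation should be constrained: unconstrained delegation lets the
#    account impersonate a caller to any service, not only WSServer.
if ($central.TrustedForDelegation) {
    Write-Warning "$centralAccount is trusted for UNCONSTRAINED delegation"
}
$allowed = @($central.'msDS-AllowedToDelegateTo')
$missing = @($expectedSpns | Where-Object { $allowed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "$centralAccount cannot delegate to: $($missing -join ', ')"
}

# Summary object for a change record or ticket.
[pscustomobject]@{
    CentralAccount       = $central.SamAccountName
    Unconstrained        = [bool]$central.TrustedForDelegation
    ProtocolTransition   = [bool]$central.TrustedToAuthForDelegation
    AllowedToDelegateTo  = $allowed -join '; '
    ServerAccountSpns    = $server.ServicePrincipalName -join '; '
}
```

A clean run prints only the summary object; any warning points at the checklist row (SPN registration or constrained delegation) that still needs attention.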