Step-by-Step Kerberos Configuration Instructions

To configure DNS for the Winshuttle Server:

1. Create a new DNS "WinshuttleSvr" which resolves to WSServer IP.
2. In DNS, create an A record for your Winshuttle site’s IP address (displayed below).

To configure the Active Directory:

1. Create two user accounts to be configured in both machines:
   • SharePoint Service Application Service Accounts: "mydomain\spuser1"
   • Winshuttle Server application Service Accounts: "mydomain\wsuser1"
2. Configure each web application to run in its own IIS application pool with its own security context (application pool identity).

   Web Application	IIS App Pool Identity
   SharePoint with Central	mydomain\spuser1
   Winshuttle Server	mydomain\wsuser1

To configure Service Principal Names (SPNs):

1. For each service account, configure a set of service principal names that map to the DNS host names assigned to each web application.

   DNS Host	IIS App Pool Identity	Server Principal Names
   SPServer.mydomain	mydomain\spuser1	HTTP/SPServer HTTP/SPServer.mydomain
   WinshuttleSyr.mydomain	mydomain\wsuser1	HTTP/WinshuttleSyr HTTP/WinshuttleSyr.mydomain

2. To create the service principal names, execute the following commands:

SetSPN -S HTTP/SPServer mydomain\spuser1

SetSPN -S HTTP/SPServer.mydomain mydomain\spuser1

SetSPN -S HTTP/WinshuttleSvr mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr.mydomain mydomain\wsuser1

Note: The SetSPN command assumes both services are running on default port. If any application is running on a different port, it must be included in the setspn command. For example, if Winshuttle Server is running on port 8033, the following command should be used to create SPN

SetSPN -S HTTP/WinshuttleSvr mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr.mydomain mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr:8033 mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr.mydomain:8033 mydomain\wsuser1

Configure Kerberos constrained delegation for computers and service accounts

Configure user spuser1 for delegation below Services Principal Names

To configure delegation:

1. Open the Active Directory Users and Computer snap-in.
2. For the user spuser1, select Trust this user for delegation to specified services only and Use Kerberos only.
3. Click Add to add the services that the user (service account) will be allowed to delegate to. To select an SPN, look up the object the SPN is applied to. In this example, we are trying to delegate to an HTTP service which means we search for the service account "wsuser1."
4. In the Select Users or Computers dialog box, click Users and Computers, search for the IIS application pool service accounts (in our example mydomain\wsuser1) and then click OK. You will then be prompted to select the services assigned to the objects by service principal name.
5. In the Add Services dialog box click Select All, and then click OK.

   Note: when you return to the delegation dialog you may not automatically see all the SPNs selected. To see all SPNs, select the Expanded check box in the lower left hand corner.

To configure SharePoint Server:

1. Create a web application on SPServer which will be used for Central and Workflow. In this example, we created this application on the default port, as SPN are created considering the default port. The settings are given in the following table.

   Item	Setting
   Setting	http://SPServer Web Application
   Authentication	Classic Mode
   IIS Web Site	Name: SharePoint - Portal - 80 Port: 80
   Security Configuration	Auth Provider: Negotiate Allow Anonymous: No Use Secure Socket Layer: No
   Application Pool	Name: SharePoint - Portal80 Security Account: mydomain\spuser1

2. Create a new site collection for Central and install Workflow on this site.