
Applies to:

  • Winshuttle Foundation

Kerberos Configuration

These instructions show how to configure Kerberos as the authentication protocol for a SharePoint 2010 server that runs Winshuttle Central, Winshuttle Workflow and Winshuttle Designer, together with the Winshuttle Server services.

In the following example, SharePoint, Winshuttle Central and Winshuttle Workflow are installed on one server (SPServer) and Winshuttle Server is installed on another server (WSServer). Kerberos is needed so that SharePoint can pass the signed-in user's identity on to Winshuttle Server (constrained delegation); NTLM cannot do this.

Configuring DNS for Winshuttle Server:

  1. In DNS, create a host (A) record "WinshuttleSvr" that resolves to the IP address of WSServer. This is the name clients will use to reach Winshuttle Server, and the name the HTTP SPNs below are built from.
  2. Use an A record rather than a CNAME alias. A Windows client that resolves a CNAME may request a ticket for the canonical host name instead of the alias, and no SPN is registered for that name.

Configuring Active Directory

  1. Create two domain user accounts; they will be used as service accounts on both machines:
    • SharePoint service application service account: "mydomain\spuser1"
    • Winshuttle Server application service account: "mydomain\wsuser1"
  2. Configure each web application to run in its own IIS application pool with its own security context (application pool identity). Separate identities are what make constrained delegation possible: spuser1 is later allowed to delegate only to the SPNs owned by wsuser1.

    Web Application          IIS App Pool Identity
    SharePoint with Central  mydomain\spuser1
    Winshuttle Server        mydomain\wsuser1

Configuring Service Principal Names (SPNs)

For each service account, configure a set of service principal names that map to the DNS host names assigned to each web application.

Important notes:

  • For a Network Load Balanced environment (software or hardware), register the SPNs for the NLB or cluster name that clients connect to, not for the individual server names.
  • The SPN for the default port (HTTP/host with no port suffix) is mandatory even if the application listens on a different port: Internet Explorer does not include the port number in the SPN it requests by default.
  • Register each SPN on exactly one account. If the same HTTP/host SPN exists on two accounts, the KDC cannot tell which account's key to use and Kerberos fails for both services.

    DNS Host                 IIS App Pool Identity   Service Principal Names
    SPServer.mydomain        mydomain\spuser1        HTTP/SPServer
                                                     HTTP/SPServer.mydomain
    WinshuttleSvr.mydomain   mydomain\wsuser1        HTTP/WinshuttleSvr
                                                     HTTP/WinshuttleSvr.mydomain

To create the service principal names, run the following commands:

SetSPN -S HTTP/SPServer mydomain\spuser1

SetSPN -S HTTP/SPServer.mydomain mydomain\spuser1

SetSPN -S HTTP/WinshuttleSvr mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr.mydomain mydomain\wsuser1

Note: The commands above assume both services listen on the default port (80). If an application listens on a different port, register the port-qualified SPNs in addition to (not instead of) the default-port ones. For example, if Winshuttle Server runs on port 8033, use the following commands:

SetSPN -S HTTP/WinshuttleSvr mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr.mydomain mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr:8033 mydomain\wsuser1

SetSPN -S HTTP/WinshuttleSvr.mydomain:8033 mydomain\wsuser1
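The following PowerShell script is an added example, not part of the Winshuttle page. It performs the DNS and SPN steps above for the page's example names (mydomain, SPServer, WinshuttleSvr, spuser1, wsuser1, port 8033) and adds the checks a practitioner wants around them: that the SPN host names are A records, that setspn -S did not refuse because of a duplicate, and a forest-wide duplicate scan afterwards. It assumes it is run as an account allowed to write servicePrincipalName (normally a Domain Admin) and that the DnsClient module (Resolve-DnsName) is available.

```powershell
# Added example (not from the Winshuttle page): register the SPNs from the tables above and
# verify them. Host names, domain, account names and port 8033 are the page's example values;
# run as a Domain Admin (or an account with "Validated write to servicePrincipalName").

$Domain   = 'mydomain'
$Services = @(
    @{ Account = 'spuser1'; Host = 'SPServer';      Port = $null },
    @{ Account = 'wsuser1'; Host = 'WinshuttleSvr'; Port = 8033  }   # non-default port example
)

foreach ($svc in $Services) {
    $fqdn = "$($svc.Host).$Domain"

    # 1. The SPN host should be an A record. If the client resolves a CNAME it may request a
    #    ticket for the canonical name instead, and that SPN is not registered anywhere.
    $rr = Resolve-DnsName -Name $fqdn -ErrorAction Stop
    if ($rr | Where-Object Type -eq 'CNAME') {
        Write-Warning "$fqdn is a CNAME; Kerberos clients expect an A record for SPN lookups"
    }

    # 2. Always register the default-port SPNs (short name and FQDN); browsers omit the port by
    #    default. Port-qualified SPNs are added on top when the site listens elsewhere.
    $spns = @("HTTP/$($svc.Host)", "HTTP/$fqdn")
    if ($svc.Port) {
        $spns += "HTTP/$($svc.Host):$($svc.Port)", "HTTP/${fqdn}:$($svc.Port)"
    }

    foreach ($spn in $spns) {
        # -S checks the forest for a duplicate before adding. A duplicate SPN breaks Kerberos
        # for both accounts, so stop on any failure instead of continuing with a half-done set.
        & setspn.exe -S $spn "$Domain\$($svc.Account)"
        if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (exit code $LASTEXITCODE)" }
    }

    # 3. Show what is now registered on the account.
    & setspn.exe -L "$Domain\$($svc.Account)"
}

# 4. Forest-wide duplicate scan; the last line must report 0 groups of duplicate SPNs.
& setspn.exe -X
```

If setspn -S reports a duplicate, find the other owner with `setspn -Q HTTP/hostname` and remove the stale registration with `setspn -D` before retrying; do not force the addition with -A.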

Configure Kerberos constrained delegation for computers and service accounts

Configure the user spuser1 (the SharePoint application pool identity) for constrained delegation to the Winshuttle Server SPNs listed below. Only the front-end account delegates; wsuser1 needs no delegation settings. If you registered port-qualified SPNs (for example HTTP/WinshuttleSvr:8033), add them to the list as well.

    Principal Type   Principal Name   Delegates to Service
    User             spuser1          HTTP/WinshuttleSvr
                                      HTTP/WinshuttleSvr.mydomain

Configuring delegation

  1. Open the Active Directory Users and Computers snap-in and open the properties of the user spuser1. The Delegation tab appears only once at least one SPN is registered on the account, so complete the setspn step first.
  2. On the Delegation tab, select Trust this user for delegation to specified services only and Use Kerberos only. Do not choose Trust this user for delegation to any service: that is unconstrained delegation and lets the account impersonate users to every service in the domain.
  3. Click Add to add the services that the user (service account) will be allowed to delegate to. Services are selected by looking up the object the SPN is registered on. In this example we are delegating to an HTTP service whose SPNs are registered on the service account wsuser1, so that is the object to search for.
  4. Click Users or Computers, search for the IIS application pool service account of the target (in our example mydomain\wsuser1) and then click OK. You are then prompted to select the services assigned to that object by service principal name.
  5. In the Add Services dialog box click Select All, and then click OK.

    Note: when you return to the Delegation tab you may not see all the selected SPNs. To see all of them, select the Expanded check box in the lower left corner.
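The same delegation setup can be applied and, more importantly, verified from PowerShell. The script below is an added example, not part of the Winshuttle page; it uses the ActiveDirectory module (RSAT) and the page's example names. It writes exactly the SPN list above into msDS-AllowedToDelegateTo, makes sure neither unconstrained delegation nor protocol transition is turned on (that is what "Use Kerberos only" means at the attribute level), and checks that the target SPNs really belong to wsuser1, since delegation goes to whichever account owns the SPN.

```powershell
# Added example (not from the Winshuttle page): configure spuser1 for constrained delegation
# to the Winshuttle Server SPNs, "Kerberos only", and verify the result. Requires the
# ActiveDirectory module and rights to modify the account; names are the page's examples.
Import-Module ActiveDirectory

$FrontEnd = 'spuser1'                                                 # SharePoint app pool identity
$Targets  = @('HTTP/WinshuttleSvr', 'HTTP/WinshuttleSvr.mydomain')   # add the :8033 forms if used

# msDS-AllowedToDelegateTo is the list of SPNs this account may request tickets for on a
# user's behalf. -Replace makes the list exactly $Targets; -Add would append to what is there.
Set-ADUser -Identity $FrontEnd -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }

# "Use Kerberos only": TRUSTED_FOR_DELEGATION (unconstrained) and TRUSTED_TO_AUTH_FOR_DELEGATION
# (protocol transition) must both be off. Either one widens what spuser1 can do with user identities.
Set-ADAccountControl -Identity $FrontEnd -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Verify: expect TrustedForDelegation=False, TrustedToAuthForDelegation=False, and only the SPNs above.
$u = Get-ADUser -Identity $FrontEnd -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
$u | Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# Each target SPN must be registered on the intended account (expect wsuser1); delegation goes
# to whoever owns the SPN, so a stale or hijacked registration would redirect the user's identity.
foreach ($spn in $Targets) {
    $owner = Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName
    if (-not $owner) {
        Write-Warning "$spn is not registered on any account; delegation to it will fail"
    } else {
        '{0,-32} -> {1}' -f $spn, $owner.sAMAccountName
    }
}
```

Run the verification part on its own after configuring through the GUI as well: the Expanded check box problem described in the note above does not arise when reading the attribute directly.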

Configuring SharePoint Server

  1. Create a web application on SPServer which will be used for Central and Workflow. In this example the application is created on the default port (80), because the SPNs above were registered for the default port. The settings are given in the following table.

    Item                     Setting
    Web Application          http://SPServer
    Authentication           Classic Mode
    IIS Web Site             Name: SharePoint - Portal - 80
                             Port: 80
    Security Configuration   Auth Provider: Negotiate (Kerberos)
                             Allow Anonymous: No
                             Use Secure Socket Layer: No
    Application Pool         Name: SharePoint - Portal80
                             Security Account: mydomain\spuser1

    The Security Account must be the account the HTTP/SPServer SPNs were registered on; otherwise the ticket the browser presents is encrypted with a key the application pool does not hold. The example uses plain HTTP to keep the SPNs simple; Kerberos protects only the authentication exchange, not the page content, so in production enable SSL on the web application (the SPN stays HTTP/SPServer; there is no separate service class for HTTPS).

  2. Create a new site collection for Central and install Workflow on this site.
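Once the web application exists, check that clients actually negotiate Kerberos against it rather than silently falling back to NTLM (Negotiate allows both, and a misregistered SPN produces a working site that is still using NTLM, which means delegation to Winshuttle Server will fail later). The script below is an added example, not part of the Winshuttle page, using the page's example host SPServer. The first half runs on a domain-joined client in the signed-in user's session; the second half runs on SPServer as an administrator and reads the Security log.

```powershell
# Added example (not from the Winshuttle page): confirm that the web application created above
# negotiates Kerberos rather than NTLM. SPServer is the page's example host name.
$Url = 'http://SPServer/'
$Spn = 'HTTP/SPServer'

# --- Client side: empty the ticket cache, make one authenticated request, then look for a
#     service ticket to the expected SPN. klist shows the current logon session's cache.
klist purge | Out-Null
$resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
"HTTP status: $($resp.StatusCode)"

$cache = klist | Out-String
if ($cache -match [regex]::Escape($Spn)) {
    "OK: service ticket for $Spn is in the cache; Kerberos was used"
} else {
    Write-Warning ("No ticket for $Spn. The client fell back to NTLM or requested a different " +
                   "SPN; compare the host name in the URL with the SPNs registered on spuser1.")
}

# --- Server side (run on SPServer as administrator): network logons (type 3) from the last
#     15 minutes with the authentication package each one used. Logons to the SharePoint site
#     should all show Kerberos; any NTLM entries point at a client or SPN problem.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-15) } |
    Where-Object { $_.Message -match 'Logon Type:\s+3' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            # 4624 lists two Account Name fields; the one under "New Logon:" is the user who signed in.
            Account = [regex]::Match($_.Message, '(?s)New Logon:.*?Account Name:\s+(\S+)').Groups[1].Value
            Package = [regex]::Match($_.Message, 'Authentication Package:\s+(\S+)').Groups[1].Value
        }
    } | Format-Table -AutoSize
```

If the client test passes but the server log shows NTLM, the request reached a different host name than the SPNs were registered for (for example an IP address or a CNAME), because the browser builds the SPN from the name in the URL.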