Applies to:

  • Winshuttle Foundation

Configuring Kerberos—Overview

When Winshuttle Central and Winshuttle Workflow are hosted on servers that are separate from the Winshuttle Server, forms cannot execute a call to a published web service. This can be fixed either by 'hard-coding' the credentials in the form or by using Kerberos.

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

These instructions show you how to configure Kerberos as the authentication protocol for your SharePoint 2010 server that runs the Winshuttle Central, Winshuttle Workflow, Winshuttle Designer, and Winshuttle Server services.

Service users

Two separate service user accounts are required for SharePoint and Winshuttle Server setup: one for Winshuttle Workflow/Central and one for Winshuttle Server.

The service user identity for the Workflow/Central application pool should be in the following groups on the Workflow/Central SharePoint server:

  • IIS_WPG (IIS_IUSRS)
  • WSS_WPG
  • WSS_ADMIN_WPG

The service user identity for Winshuttle Server should be in the following group on the Winshuttle Server (WSServer):

  • IIS_WPG (IIS_IUSRS)

Configuration checklist

The following checklist provides a brief overview of everything you must do to configure Kerberos in your environment.

Area of Configuration: Description

DNS

  • Register a DNS record for WSServer

Active Directory

  • Create a service account for the web applications’ IIS application pool
  • Register Service Principal Names (SPN) for the web applications on the service account created for the web applications’ IIS application pool
  • Configure Kerberos constrained delegation for service accounts

Configure a SharePoint Server

  • Create SharePoint Server managed accounts
  • Create the SharePoint web applications

IIS Configuration

  • Validate that Kerberos authentication is enabled
  • Verify kernel-mode authentication is disabled

Windows 7 Client

  • Ensure web application URLs are in the intranet zone, or a zone configured to automatically authenticate with integrated Windows authentication (instructions not included in this guide; consult your Windows manual if you have questions)

Firewall Configuration

  • Open firewall ports to allow HTTP traffic in on default and non-default ports
  • Ensure clients can connect to Kerberos ports on the Active Directory (instructions not included in this guide; consult your firewall manufacturer if you have questions)

Test Browser Authentication

Optional: If the firewall configuration setting doesn't work, check these settings:

  • Verify that authentication works correctly in the browser
  • Verify logon information on the web server’s security event log
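
The SPN, IIS, and security event log items in the checklist can be checked with a short read-only PowerShell script. This is an added example, not part of the Winshuttle documentation; the account name, host name, and site name are placeholders, and the HTTP service class for the SPN is an assumption based on the web applications being served over HTTP.

```powershell
# Added example: read-only checks, run in an elevated PowerShell session on the web server.
# Placeholder values (assumptions, not taken from the original page):
$Account  = 'EXAMPLE\svc-wsserver'     # service account running the IIS application pool
$SpnHost  = 'wsserver.example.local'   # DNS name registered for WSServer
$SiteName = 'Default Web Site'         # IIS site that hosts the web application

# 1. Active Directory: HTTP/<host> must be registered on the service account, and only there.
$pattern   = 'HTTP/' + [regex]::Escape($SpnHost) + '\s*$'
$onAccount = @(setspn -L $Account | Where-Object { $_ -match $pattern })
$holders   = @(setspn -Q "HTTP/$SpnHost" | Where-Object { $_ -match '^CN=' })
'SPN on service account : {0}' -f ($onAccount.Count -gt 0)
'Accounts holding SPN   : {0} (more than 1 is a duplicate SPN)' -f $holders.Count

# 2. IIS: Windows authentication enabled, kernel-mode authentication disabled,
#    and Negotiate present in the provider list so that Kerberos can be selected.
Import-Module WebAdministration
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }
foreach ($name in 'enabled', 'useKernelMode') {
    $p = Get-WebConfigurationProperty @common -Filter $filter -Name $name
    $value = if ($p -is [bool]) { $p } else { $p.Value }
    '{0,-23}: {1}' -f $name, $value       # want enabled = True, useKernelMode = False
}
$providers = Get-WebConfiguration @common -Filter "$filter/providers/add" |
    ForEach-Object { $_.value }
'providers              : {0}' -f ($providers -join ', ')

# 3. Security event log: count recent successful logons (event 4624) by
#    authentication package. NTLM entries for the test user indicate fallback.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'AuthenticationPackageName' }).'#text'
    } |
    Group-Object |
    Select-Object Count, Name
```

Run the event log check immediately after a test logon from the browser so the relevant 4624 entries fall inside the sampled window.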