Configuring Kerberos in SharePoint 2010

When installing SharePoint for the first time, there is an option to use either NTLM or Kerberos.  Kerberos is recommended, but the caveat that they give you is that additional steps need to be taken by an administrator to make it work.

On older server versions (Windows Server 2003 R2, for instance) you could pick Kerberos from the get-go and continue setting everything up as long as you were logged in as an Administrator.  Later on you’d find that nobody else could log in until an administrator set up the SPNs, and at that time you’d be setting them up (typically via command line).

If you’re installing SharePoint 2010 onto Server 2008 R2, though, Central Administration won’t even load until those same SPNs are set up.  This post is intended as a quick walkthrough of how to do it if what I just said made no sense.

In our case (for our test environment) we’re using the domain (does not exist – we just use this sample for class), have gone through the steps to install SharePoint, and have told it to use Kerberos for authentication.  We then tried to load Central Administration and it wouldn’t allow us to log in.

Our next step is to use the ADSI Edit utility, which can be launched by typing adsiedit.msc in the search/run textbox from the start menu.

When that comes up, we need to locate the Administrator Container.

Locating the Administrator Container

As you can see, we had to go to our domain, then choose the Users Container, and found Administrator in there.

At this point we’ll right click on the Administrator container, and choose Properties.  From there, we locate the servicePrincipalName property and edit it.

The servicePrincipalName property that we need to edit.

For our example, the necessary line to add (just for Central Administration) was the http/ line, as our Central Administration Web Application happens to be running on the lucky port 7777.  Note that it takes the form of protocol/fully qualified computer name:port. We also added a line for the computer name on port 80 (by leaving the port off) so that the demo web applications that we create are also accessible.

Values we added to the servicePrincipalName attribute.
At this time it’s enough to “OK” our way out of the utility, saving our changes along the way, and continue to set up the environment in your now more-secure environment.

Virtual Image User and User Profile Creation PowerShell Script Update

For user profiles demos, it’s nice to have some sample profiles in there. For SharePoint 2007 image, we used a script to populate Active Directory users with the proper information and then just do an import to SharePoint. For SharePoint 2010 image, instead of using Active Directory. we are using local user accounts, so the script had to change. Now we take the user profile information from the same CSV file that’s used to create local accounts.

Here is the PowerShell script:

# SharePoint 2010 Workstation create users and user profiles script
# Pilothouse Consulting, Inc.   Feel free to distribute and modify it.

$computer = [ADSI]"WinNT://$env:computername"
$userslist = import-csv users-list.csv | Select username, fullname, firstname, lastname, department, jobtitle, manager, skills, email

foreach($singleuser in $userslist) 
	$user = $computer.Create("user", $singleuser.username)
	$user.FullName = $singleuser.fullname
	$user.Description = "SharePoint sample user"

$site = Get-SPSite "http://abcuniversity"
$serverContext = Get-SPServiceContext $site
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($serverContext)

foreach($singleuser in $userslist) 

$accountName =  "abcuniversity\" + $singleuser.username

    if ($upm.UserExists($accountName))
        $up = $upm.GetUserProfile($accountName)
        $up = $upm.CreateUserProfile($accountName)  
        write-host "user" $accountName "profile created"
    $up["FirstName"].Value = $singleuser.firstname
    $up["LastName"].Value = $singleuser.lastname
    $up["PreferredName"].Value = $singleuser.fullname
    $up["Department"].Value = $singleuser.department
    $up["Title"].Value = $singleuser.jobtitle
    $manager = "abcuniversity\" + $singleuser.manager
    $up["Manager"].Value = $manager
    $up["SPS-Skills"].Value = $singleuser.skills
    write-host "user" $accountName "profile updated"


Here is the CSV file:

davegreen,Dave Green,Dave,Green,Graphic Design,,Professor,bettytwain,Presenting
lucysmith,Lucy Smith,Lucy,Smith,Chemistry,,Professor,martharollings,Researching
bobjohnson,Bob Johnson,Bob,Johnson,Graphic Design,,Student Researcher,davegreen,Researching
davesmith,Dave Smith,Dave,Smith,Graphic Design,,Student Researcher,bobjohnson,Researching
martharollings,Martha Rollings,Martha,Rollings,Chemistry,,Department Head,administrator,Researching
judybright,Judy Bright,Judy,Bright,Chemistry,,Student Researcher,lucysmith,Presenting
tracywright,Tracy Wright,Tracy,Wright,Chemistry,,Student Researcher,lucysmith,Researching
alexbrown,Alex Brown,Alex,Brown,Chemistry,,Professor,martharollings,Presenting
kellybrennan,Kelly Brennan,Kelly,Brennan,Chemistry,,Student Researcher,lucysmith,Researching
georgemason,George Mason,George,Mason,Graphic Design,,Student Researcher,davegreen,Researching
gregwalter,Greg Walter,Greg,Walter,Math,,Student Researcher,lisasimmons,Researching
clairejohnson,Claire Johnson,Claire,Johnson,Math,,Department Head,administrator,Presenting
lisasimmons,Lisa Simmons,Lisa,Simmons,Math,,Professor,jeffbridges,Researching
jonstew,Jon Stew,Jon,Stew,Graphic Design,,Professor,jeffbridges,Researching
bobbush,Bob Bush,Bob,Bush,Math,,Student Researcher,lisasimmons,Presenting
marysimmons,Mary Simmons,Mary,Simmons,Math,,Student Researcher,lisasimmons,Presenting
donnabridges,Donna Bridges,Donna,Bridges,Graphic Design,,Professor,bettytwain,Researching
jeffbridges,Jeff Bridges,Jeff,Bridges,Math,,Department Head,administrator,Researching
jerryboss,Jerry Boss,Jerry,Boss,Graphic Design,,Professor,bettytwain,Presenting
bettytwain,Betty Twain,Betty,Twain,Graphic Design,,Department Head,administrator,Presenting
administrator,SharePoint Admin,SharePoint,Admin,Chemistry,,SharePointer,davegreen,SharePoint

You can modify the scripts for your own demo environment, or if you going through SharePoint Training DVD labs, just run these on the current image. All the future images will sample user profiles.

SharePoint 2010 Works Well In Different Browsers

I regularly access SharePoint 2010 through Chrome, Firefox, Safari and the results are pretty good.   For reading purposes, there are no limitations.   However, when working with document libraries, IE handles editing documents and the others don’t (unless Office Web Apps are installed).   Also, the datasheet and explorer views only work on IE.