When installing SharePoint for the first time, there is an option to use either NTLM or Kerberos. Kerberos is recommended, but the caveat the installer gives you is that an administrator has to take additional steps to make it work.

On older server versions (Windows Server 2003 R2, for instance) you could pick Kerberos from the get-go and continue setting everything up as long as you were logged in as an Administrator. Later on you'd find that nobody else could log in until an administrator set up the Service Principal Names (SPNs), and only at that point would you set them up (typically via command line).

If you’re installing SharePoint 2010 onto Server 2008 R2, though, Central Administration won’t even load until those same SPNs are set up.  This post is intended as a quick walkthrough of how to do it if what I just said made no sense.

In our case (for our test environment) we’re using the domain abcuniversityph.edu (does not exist – we just use this sample for class), have gone through the steps to install SharePoint, and have told it to use Kerberos for authentication.  We then tried to load Central Administration and it wouldn’t allow us to log in.

Our next step is to use the ADSI Edit utility, which can be launched by typing adsiedit.msc in the search/run textbox from the start menu.

When that comes up, we need to locate the Administrator Container.

Locating the Administrator Container

As you can see, we had to go to our domain, then choose the Users Container, and found Administrator in there.

At this point we'll right-click on the Administrator container and choose Properties. From there, we locate the servicePrincipalName property and edit it.

The servicePrincipalName property that we need to edit.

For our example, the necessary line to add (just for Central Administration) was the http/abcuniversity.abcuniversity.edu:7777 line, as our Central Administration Web Application happens to be running on the lucky port 7777.  Note that it takes the form of protocol/fully qualified computer name:port. We also added a line for the computer name on port 80 (by leaving the port off) so that the demo web applications that we create are also accessible.

Values we added to the servicePrincipalName attribute.

At this time it's enough to "OK" our way out of the utility, saving our changes along the way, and continue setting up SharePoint in your now more secure environment.
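The same SPNs can be registered from the command line the post mentions, with setspn.exe, instead of editing the attribute by hand in ADSI Edit. The script below is an added example and is not part of the original post. It uses the host name and Central Administration port from the post; the domain NetBIOS name in the account string is a placeholder, and the account itself should be whichever account the web application's application pool actually runs under (the post registers the SPNs on Administrator in its test environment). The value of doing it this way is the duplicate check: the same SPN registered on two accounts makes the KDC unable to pick a key and breaks Kerberos logon for every user of that site, so each SPN is queried across the forest before it is added.

```powershell
# Added example, not from the original post: register and verify the HTTP SPNs
# for a SharePoint web application with setspn.exe.
# Assumptions: $HostFqdn and $Port come from the post; the domain NetBIOS name in
# $Account is a PLACEHOLDER and the account must be the one the application pool runs as.

$HostFqdn = 'abcuniversity.abcuniversity.edu'   # from the post
$Port     = 7777                                # Central Administration port from the post
$Account  = 'ABCUNIVERSITY\Administrator'       # PLACEHOLDER domain\account

# Kerberos HTTP SPNs take the form http/<FQDN>[:port]; the port is left off for port 80,
# which is the same pair of values the post adds in ADSI Edit.
$Spns = @(
    "http/${HostFqdn}:${Port}",
    "http/${HostFqdn}"
)

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -Q searches the whole forest. Its English output ends with either
    # "Existing SPN found!" or "No such SPN found.", so match on the former.
    $output = & setspn.exe -Q $Spn 2>&1 | Out-String
    return ($output -match 'Existing SPN found')
}

function Register-Spn {
    param([string]$Spn, [string]$TargetAccount)
    if (Test-SpnRegistered -Spn $Spn) {
        # A duplicate SPN (same SPN on two accounts) breaks Kerberos for every user of the
        # site, so do not add a second copy; show who already holds it instead.
        Write-Warning "$Spn is already registered somewhere in the forest:"
        & setspn.exe -Q $Spn
        return $false
    }
    # -S adds the SPN only after setspn's own duplicate check; -A would add it blindly.
    & setspn.exe -S $Spn $TargetAccount | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$added = 0
foreach ($spn in $Spns) {
    if (Register-Spn -Spn $spn -TargetAccount $Account) {
        Write-Output "Registered $spn on $Account"
        $added++
    }
}
Write-Output "$added of $($Spns.Count) SPN(s) added."

# List what the account now holds so it can be compared with the servicePrincipalName
# view in ADSI Edit.
& setspn.exe -L $Account
```

Run it in an elevated PowerShell session as a domain administrator (registering an SPN needs write access to the target account's servicePrincipalName attribute). The final setspn -L listing should show the two http/ entries next to whatever the account already carried, which is the same view the ADSI Edit dialog above gives.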