You may recognize the three headed dog pictured above as the guard dog of Hades from Ancient Greek Mythology. The dog’s name is Kerberos in Greek.
A different kind of kerberos may be guarding your computer. Some facts about Kerberos from other web sites:
"Windows 2000 and later use Kerberos as their default authentication method." (kerberos in wikipedia)
"Kerberos is currently the most secure authentication mechanism supported by AD."(1 of 10 Facts About Kerberos from Office and SharePoint Pro)
The Two Hop Problem
What you might not know is that a three headed dog guarding your SharePoint farm can be a good thing. In particular, some scenarious require authentication to be passed from one server to another. Passing authentication this way is commonly referred to as the two hop problem. The two hop problem can be illustrated by thinking of an ID swipe badge. When you are given a swipe badge, you can enter a door in one building, exit and then enter another building using the same badge. With the Kerberos, think of the buildings as being servers. Using a feature called Kerberos delegation, one server issues a authentication token. This token is your virtual swipe badge. The toekn allows user authentication to pass from one server to the next. Just as a badge allows you to pass from one building to another. In the badge example, it’s a physical token that authenticates you as a person. In the Kerberos example, your authentication token only exists in software.
Kerberos and the SharePoint Infrastructure Update
July 2008 saw the release of an update to SharePoint 2007 that Microsoft is calling the Infrastructure Update. After reading the following note and discussing it with my friend and fellow SharePoint Architect Jeff Deverter, I was inspired to write this post. The MOSS Deployment Guide on TechNet Kerberos section was recently updated with this friendly note:
"Without the installation of the Infrastructure Update for Microsoft Office Servers, Kerberos authentication cannot be correctly configured for Office SharePoint Server 2007."
To me, this was a rather alarming statement, having already deployed a MOSS farm depending on Kerberos authentication. But it does explain a lot. In one farm installation, I was able to get Business Data Catalog Constrained Kerberos Delegation to work. But not without a lot of effort. So, some pieces of Kerberos Authentication did work even before the first service pack of MOSS and WSS v3. However, Microsoft is now stating that some Kerberos pieces did not work. Here’s a concrete example of one thing that did not work, from the MS SharePoint Documentation Team Blog:
"Search cannot crawl Web applications using Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to non-default ports."
What does this mean to your MOSS Deployment now? If you need one server in your farm to pass user authentication to another server on your domain, it sounds like getting that Infrastructure Update installed on the farm should be a high priority.
For more info
- The Microsoft SharePoint Team Blog post on the Infrastructure Update includes many important details and links.
- Read more about Kerberos delegation in Microsoft’s Technology Center for Kerberos.
- The MOSS Deployment Guide on Technet contains a chapter titled Configure Kerberos authentication which was udpated this August for the Infrastructure Update.
- Enabling Kerberos authentication for an Office SharePoint Server 2007 farm deployment is a relevant post from the MS Documentation Team Blog