Answer 4
One of our SEEs found a workaround for this. Create an instance of SPAuthenticationProvider, set the property DisableKerberos to false, and pass this instance in AuthenticationProvider (note that once on claims/Kerberos you cannot come back to NTLM). In the example below we are using your same command with a slight difference:
> $ap = (New-SPAuthenticationProvider)
> $ap | fl
DisplayName : Windows Authentication
ClaimProviderName : AD
AllowAnonymous : False
UseBasicAuthentication : False
DisableKerberos : True <<<< Note that Kerberos is disabled by default
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl : /_windows/default.aspx
UpgradedPersistedProperties :
> $ap.DisableKerberos = $false
> $ap | fl *
DisplayName : Windows Authentication
ClaimProviderName : AD
AllowAnonymous : False
UseBasicAuthentication : False
DisableKerberos : False <<< Now I made sure that Kerberos is enabled
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl : /_windows/default.aspx
UpgradedPersistedProperties : {}
> New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider $ap -AuthenticationMethod Kerberos
In short you can also do something like this in just one line:
> New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider (New-SPAuthenticationProvider -DisableKerberos:$false) -AuthenticationMethod Kerberos
Please let me know if it works for you. It worked well in our environment.
We will work to make sure we document this information in a KB.
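
A follow-up check, added here as an example and not part of the original answer: it lists the Windows authentication provider for every zone of every web application and reports whether `DisableKerberos` is still `True`, so you can confirm the workaround took effect. The function name `Get-WindowsAuthKerberosState` is hypothetical; it assumes the SharePoint Management Shell and farm administrator rights.

```powershell
# Added example (not from the original answer): report DisableKerberos per zone.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WindowsAuthKerberosState {
    param(
        # Optional: URL of a single web application; default is all of them
        [string]$WebApplicationUrl
    )

    if ($WebApplicationUrl) {
        $webApps = @(Get-SPWebApplication -Identity $WebApplicationUrl)
    } else {
        $webApps = @(Get-SPWebApplication)
    }

    foreach ($wa in $webApps) {
        # IisSettings is keyed by zone (Default, Intranet, Internet, ...)
        foreach ($zone in @($wa.IisSettings.Keys)) {
            $providers = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone `
                -ErrorAction SilentlyContinue

            foreach ($p in $providers) {
                # Only the Windows provider exposes DisableKerberos;
                # forms and trusted-token providers are skipped.
                if (-not $p.PSObject.Properties['DisableKerberos']) { continue }

                [pscustomobject]@{
                    WebApplication  = $wa.Url
                    Zone            = $zone
                    Provider        = $p.DisplayName
                    DisableKerberos = $p.DisableKerberos
                    KerberosEnabled = -not $p.DisableKerberos
                    BasicAuth       = $p.UseBasicAuthentication
                    AllowAnonymous  = $p.AllowAnonymous
                }
            }
        }
    }
}

# Show every zone where the Windows provider still has Kerberos disabled
Get-WindowsAuthKerberosState |
    Where-Object { $_.DisableKerberos } |
    Format-Table WebApplication, Zone, Provider, DisableKerberos -AutoSize
```

An empty table means no zone is left with `DisableKerberos : True`; drop the `Where-Object` filter to see the full state, including the `UseBasicAuthentication` and `AllowAnonymous` values shown in the `fl` output above.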