Configure resource based Kerberos constrained delegation
You can configure the Docs service with resource based Kerberos constrained delegation (KCD) to allow users to access resources in the same domain and between domains and forests.

Before you begin:
- Each domain in your environment has one or more Domain Controllers on a computer that is running Windows 2012 or later.
- The BEMS service account is a member of the local Administrators group and has the Act as part of the Operating System privilege.
- If you are configuring resource based KCD for Microsoft SharePoint, make sure that the Microsoft SharePoint server uses Integrated Windows Authentication – Negotiate (Kerberos) as the authentication provider.
- You identified the file share servers and Microsoft SharePoint servers that the Docs service requires access to.
1. On the Domain Controller or another computer in your environment, open Windows PowerShell (run as administrator) and set up delegation.
   - Import the ServerManager module. Type Import-Module ServerManager. Press Enter.
   - Install the Microsoft Active Directory module for Windows PowerShell and the Microsoft Active Directory Services. Type Add-WindowsFeature RSAT-AD-PowerShell. Press Enter.
   - Import the Microsoft Active Directory module. Type import-module activedirectory. Press Enter.
2. Find the application pool identity for the Microsoft SharePoint servers in your environment. The application pool identity is located in the Microsoft Internet Information Services (IIS) Manager, on the Application Pools screen.
3. If the Microsoft SharePoint web application is running on a non-default port (the default ports are 80 and 443) or is not running under the network service, create SPNs. Complete one or more of the following tasks. If you have multiple Microsoft SharePoint web applications, you must create an SPN for each web application that applies to the scenarios below.

   Task: Create SPNs for a Microsoft SharePoint web application running on a non-default port and as a specific user
   Steps:
   - Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.
     - Where <Sharepoint server name> is the name of the computer hosting the Microsoft SharePoint web application.
     - Where <Sharepoint app port> is the port number of the Microsoft SharePoint web application server.
     - Where <Sharepoint domain> is the domain where the Microsoft SharePoint web application server is located. For example, www.example.com.
     - Where <Sharepoint app user> is the user or service account that is listed in the Identity column in step 2. If the service is set to run as a user, the Identity column displays <web application server name>/<username>. If the service is set to run as a network service, you will see Network Service.
   - Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.
     - Where <Sharepoint server FQDN> is the FQDN of the computer hosting the Microsoft SharePoint web application server.

   Task: Create SPNs for a Microsoft SharePoint web application running on a default port (80 or 443) and as a specific user
   Steps:
   - Type setspn -S HTTP/<Sharepoint server name> <Sharepoint domain>\<Sharepoint app user>. Press Enter.
   - Type setspn -S HTTP/<Sharepoint server FQDN> <Sharepoint domain>\<Sharepoint app user>. Press Enter.

   Task: Create SPNs for a Microsoft SharePoint web application running on a non-default port and under a network service
   Steps:
   - Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.
   - Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.
4. Add the delegation to each file share server in your environment.

   Task: Add the delegation for one computer hosting BEMS
   Steps:
   - Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER-NAME>. Press Enter.
   - Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.

   Task: Add the delegation for multiple computers hosting BEMS
   Steps:
   - Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER1-NAME>. Press Enter.
   - Type $gems2 = Get-ADComputer -Identity <GEMS-SERVER2-NAME>. Press Enter. For each additional BEMS, increment the $gems# by one.
   - Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1,$gems2. Press Enter. For each additional BEMS, add a comma and $gems#, incrementing the # by one.
5. If you configure the delegation for file share servers in a DFS configuration, add delegations to the name server and the file server. For domain based DFS, this requires adding delegations for all of the Domain Controllers in the domain. Type Set-ADComputer <DC-SERVER-NAME> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.
   - Where <DC-SERVER-NAME> is the name of the computer hosting the domain controller.
   - Where $gems1 is the variable created in step 4 above.
6. Add delegation to the Microsoft SharePoint servers in your environment. Complete one of the following actions:
   - If the application pool identity for the Microsoft SharePoint application is Network Service, type Get-ADComputer <Sharepoint server name> -Properties PrincipalsAllowedToDelegateToAccount
   - If the application pool identity for the Microsoft SharePoint application is a specific domain user, type Get-ADUser <Sharepoint app user> -Properties PrincipalsAllowedToDelegateToAccount. Where <Sharepoint app user> is the user name that is listed in the Identity column in step 2.
   - Press Enter.
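The file-server delegation in steps 4 and 5, written as a single script that also reads the attribute back so you can verify exactly which principals are now trusted to act on behalf of users toward each server. This is an added example, not part of the BlackBerry documentation; the BEMS host names and file server names are constructed placeholders, and it assumes the Active Directory module from step 1 is installed. It goes one step beyond the documented commands by merging with any principals already granted, because -PrincipalsAllowedToDelegateToAccount replaces the whole list rather than appending to it.

```powershell
# Added example (not the original documentation's script). Replace the
# placeholder names below with the computers in your environment.
Import-Module ActiveDirectory

$bemsHosts   = @('GEMS-SERVER1-NAME', 'GEMS-SERVER2-NAME')   # computers hosting BEMS
$fileServers = @('FILESERVER1', 'FILESERVER2')               # file share servers (constructed names)

# Resolve every BEMS computer object up front. Get-ADComputer throws on an
# unknown name, which is better than silently granting delegation to nothing.
$bemsDns = foreach ($name in $bemsHosts) {
    (Get-ADComputer -Identity $name).DistinguishedName
}

function Get-AllowedDelegators([string]$ComputerName) {
    # Reads msDS-AllowedToActOnBehalfOfOtherIdentity as a list of DNs.
    $c = Get-ADComputer -Identity $ComputerName -Properties PrincipalsAllowedToDelegateToAccount
    return @($c.PrincipalsAllowedToDelegateToAccount)
}

foreach ($fs in $fileServers) {
    # Set-ADComputer -PrincipalsAllowedToDelegateToAccount REPLACES the list, so
    # merge with the existing grants to avoid removing another service's access.
    $existing = Get-AllowedDelegators $fs
    $merged   = @($existing + $bemsDns) | Sort-Object -Unique
    Set-ADComputer -Identity $fs -PrincipalsAllowedToDelegateToAccount $merged

    # Verify: every principal listed here can impersonate users to this server.
    # Anything other than the expected BEMS hosts (or known services) is a finding.
    $after = Get-AllowedDelegators $fs
    Write-Host "$fs now allows resource-based delegation from:"
    foreach ($dn in $after) {
        $flag = if ($bemsDns -contains $dn) { 'expected' } else { 'REVIEW' }
        Write-Host ("  [{0}] {1}" -f $flag, $dn)
    }
}
```

Run the same loop over the Domain Controllers for domain based DFS (step 5), and keep the printed list in the change record so later audits can compare it against the current attribute value.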