Configure resource-based Kerberos constrained delegation

You can configure the Docs service with resource-based Kerberos constrained delegation (KCD) to allow users to access resources in the same domain and between domains and forests.

- Verify that each domain in your environment has one or more Domain Controllers on a computer that is running an operating system that supports BEMS. For more information, see the BEMS Compatibility Matrix.
- Verify that the account that is used to administer Kerberos is a member of the local Administrators group and has the Act as part of the Operating System privilege.
- If you configure resource-based KCD for Microsoft SharePoint, verify that the Microsoft SharePoint server uses Integrated Windows Authentication – Negotiate (Kerberos) as the authentication provider.
- Identify the file share servers and Microsoft SharePoint servers that the Docs service requires access to.
- On the Domain Controller or another computer in your environment, run Windows PowerShell as an administrator and set up delegation.
  - To import the ServerManager module, type Import-Module ServerManager. Press Enter.
  - To install the Microsoft Active Directory module for Windows PowerShell and the Microsoft Active Directory Services, type Add-WindowsFeature RSAT-AD-PowerShell. Press Enter.
  - To import the Microsoft Active Directory module, type Import-Module ActiveDirectory. Press Enter.
- In Microsoft Internet Information Services Manager, on the Application Pools screen, record the application pool identity for the Microsoft SharePoint servers in your environment.
- If the Microsoft SharePoint web application is running on a non-default port (the default ports are 80 and 443) or is not running under the Network Service account, create SPNs. Complete one or more of the following tasks. If you have multiple Microsoft SharePoint web applications, you must create an SPN for each web application in the scenarios below.
  Task: Create SPNs for a Microsoft SharePoint web application running on a non-default port and as a specific user.
  - Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter.
    - Where <Sharepoint server name> is the name of the computer hosting the Microsoft SharePoint web application.
    - Where <Sharepoint app port> is the port number of the Microsoft SharePoint web application server.
    - Where <Sharepoint domain> is the domain where the Microsoft SharePoint web application server is located. For example, www.example.com.
    - Where <Sharepoint app user> is the user or service account that is listed in the Identity column in step 2. If the service is set to run as a user, the Identity column displays <web application server name>/<username>. If the service is set to run as Network Service, you will see Network Service.
  - Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint app user>. Press Enter. Where <Sharepoint server FQDN> is the FQDN of the computer hosting the Microsoft SharePoint web application server.
  Task: Create SPNs for a Microsoft SharePoint web application running on a default port (80 or 443) and as a specific user.
  - Type setspn -S HTTP/<Sharepoint server name> <Sharepoint domain>\<Sharepoint app user>. Press Enter.
  - Type setspn -S HTTP/<Sharepoint server FQDN> <Sharepoint domain>\<Sharepoint app user>. Press Enter.
  Task: Create SPNs for a Microsoft SharePoint web application running on a non-default port and under Network Service.
  - Type setspn -S HTTP/<Sharepoint server name>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.
  - Type setspn -S HTTP/<Sharepoint server FQDN>:<Sharepoint app port> <Sharepoint domain>\<Sharepoint server name>. Press Enter.
- Add the delegation to each file share server in your environment.
  Task: Add the delegation for one computer hosting BEMS.
  - Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER-NAME>. Press Enter.
  - Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.
  Task: Add the delegation for multiple computers hosting BEMS.
  - Type $gems1 = Get-ADComputer -Identity <GEMS-SERVER1-NAME>. Press Enter.
  - Type $gems2 = Get-ADComputer -Identity <GEMS-SERVER2-NAME>. Press Enter. For each additional BEMS, increment the $gems# by one.
  - Type Set-ADComputer <File server name> -PrincipalsAllowedToDelegateToAccount $gems1,$gems2. Press Enter. For each additional BEMS, add a comma and $gems#, incrementing the # by one.
- If you configure the delegation for file share servers in a DFS configuration, add delegations to the name server and the file server. For domain-based DFS, this requires adding delegations for all of the Domain Controllers in the domain. Type Set-ADComputer <DC-SERVER-NAME> -PrincipalsAllowedToDelegateToAccount $gems1. Press Enter.
  - Where <DC-SERVER-NAME> is the name of the computer hosting the domain controller.
  - Where $gems1 is created in step 4 above.
- Add the delegation to the Microsoft SharePoint servers in your environment. Complete one of the following actions:
  - If the application pool identity for the Microsoft SharePoint application is Network Service, type Set-ADComputer <Sharepoint server name> -PrincipalsAllowedToDelegateToAccount $gems1
  - If the application pool identity for the Microsoft SharePoint application is a specific domain user, type Set-ADUser <Sharepoint app user> -PrincipalsAllowedToDelegateToAccount $gems1. Where <Sharepoint app user> is the user name that is listed in the Identity column in step 2.
  - Press Enter.
- To verify that the delegation is configured correctly, on the Domain Controller or another computer in your environment, run Windows PowerShell as an administrator and run one of the following commands:
  - If the delegation was set on a server name, type Get-ADComputer <server_name> -Properties PrincipalsAllowedToDelegateToAccount
  - If the delegation was set on a username, type Get-ADUser <user_name> -Properties PrincipalsAllowedToDelegateToAccount
- To remove the delegation, on the Domain Controller or another computer in your environment, run Windows PowerShell as an administrator and run one of the following commands:
  - To remove the delegation from a server, type Set-ADComputer <server_name> -PrincipalsAllowedToDelegateToAccount $null. If you have multiple file share or Microsoft SharePoint servers in your environment, complete this step for each server.
  - To remove the delegation from a user, type Set-ADUser <user_name> -PrincipalsAllowedToDelegateToAccount $null. If you use different usernames for the Microsoft SharePoint and file share servers, complete this step for each username.
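As an added example (not part of the BlackBerry documentation), the following PowerShell script carries out the add and verify steps above for a list of BEMS computers in one pass: it grants the BEMS computer accounts resource-based KCD rights on each file share server and on the SharePoint application pool identity, then reads the attribute back and reports any server where a BEMS principal is missing. The server names, domain and application pool identity are placeholders.

```powershell
# Added example, not BlackBerry's own script. All names below are placeholders.
Import-Module ActiveDirectory

$bemsServers        = @('BEMS-SERVER1', 'BEMS-SERVER2')   # computers hosting BEMS
$fileShareServers   = @('FILESERVER1', 'FILESERVER2')     # file share servers the Docs service needs
$sharePointServer   = 'SHAREPOINT1'                      # used when the app pool runs as Network Service
$sharePointAppUser  = 'spapppool'                        # app pool identity (sAMAccountName); $null for Network Service

# Resolve each BEMS computer account once; -PrincipalsAllowedToDelegateToAccount
# takes the resolved AD principal objects, which is what $gems1,$gems2 hold in the procedure.
$principals = foreach ($name in $bemsServers) { Get-ADComputer -Identity $name }

# Resource-based KCD is set on the resource (the file server / SharePoint identity),
# not on the BEMS account: the resource lists who may delegate to it.
foreach ($server in $fileShareServers) {
    Set-ADComputer -Identity $server -PrincipalsAllowedToDelegateToAccount $principals
}

if ($sharePointAppUser) {
    Set-ADUser -Identity $sharePointAppUser -PrincipalsAllowedToDelegateToAccount $principals
} else {
    Set-ADComputer -Identity $sharePointServer -PrincipalsAllowedToDelegateToAccount $principals
}

# Verify: the attribute stores the distinguished names of the allowed principals,
# so compare against the DNs of the BEMS computer accounts resolved above.
$expected = $principals.DistinguishedName
foreach ($server in $fileShareServers + $sharePointServer) {
    $actual  = (Get-ADComputer -Identity $server -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
    $missing = $expected | Where-Object { $_ -notin $actual }
    if ($missing) {
        Write-Warning "$server is missing delegation for: $($missing -join ', ')"
    } else {
        Write-Output "$server : delegation OK ($($actual.Count) principal(s))"
    }
}
```

When the SharePoint application pool runs as a domain user, check that identity with Get-ADUser -Properties PrincipalsAllowedToDelegateToAccount instead, as the verification step above describes.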