Skip Navigation

Configure resource based
Kerberos
constrained delegation

You can configure the
Docs
service with resource based Kerberos constrained delegation (KCD) to allows users to access resources in the same domain and between domains and forests.
  • Each domain in your environment has one or more Domain Controllers on a computer that is running an operating system that supports
    BEMS
    . For more information, see the BEMS compatibility Matrix.
  • The account that is used to administer
    Kerberos
    is a member of the local Administrators group and has the Act as part of the Operating System privilege.
  • If you configure resource based KCD for
    Microsoft SharePoint
    , make sure that the
    Microsoft SharePoint
    server uses Integrated Windows Authentication – Negotiate (
    Kerberos
    ) for the authentication provider.
  • You identified the file share servers and
    Microsoft SharePoint
    servers that the
    Docs
    service requires access to.
  1. On the Domain Controller or another computer in your environment, open
    Windows PowerShell
    (run as administrator) and set up delegation.
    1. Import the ServerManager module. Type
      Import-Module ServerManager
      . Press
      Enter
      .
    2. Install the
      Microsoft Active Directory
      module for
      Windows PowerShell
      and the
      Microsoft Active Directory
      Services. Type
      Add-WindowsFeature RSAT-AD-PowerShell
      . Press
      Enter
      .
    3. Import the
      Microsoft Active Directory
      module. Type
      import-module activedirectory
      . Press
      Enter
      .
  2. Find the application pool identity for the
    Microsoft SharePoint
    servers in your environment. The application pool identity is located in the
    Microsoft Internet Information Services
    (IIS) Manager, on the
    Application Pools
    screen.
  3. If the
    Microsoft SharePoint
    web application is running on a non-default port (the default ports are 80 and 443) or is not running under the network service, create SPNs. Complete one or more of the following tasks:
    If you have multiple
    Microsoft SharePoint
    web applications, you must create an SPN for each web application that is available in the scenarios below.
    Task
    Steps
    Create SPNs for a
    Microsoft SharePoint
    web application running on a non-default port and as a specific user
    1. Type
      setspn -S HTTP/<
      Sharepoint server name
      >:<
      Sharepoint app port
      > <
      Sharepoint domain
      >\<
      Sharepoint app user
      >
      . Press
      Enter
      .
      • Where <
        Sharepoint server name
        > is the name of the computer hosting the
        Microsoft SharePoint
        web application.
      • Where <
        Sharepoint app port
        > is the port number of the
        Microsoft SharePoint
        web application server.
      • Where <
        Sharepoint domain
        > is the domain where the
        Microsoft SharePoint
        web application server is located. For example, www.example.com.
      • Where <
        Sharepoint app user
        > is the user or service account that is listed in the Identity column in step 2. If the service is set to run as a user, the identity column displays <
        web application server name
        >/<
        username
        >. If the service is set to run as a network, you will see Network service.
    2. Type
      setspn -S HTTP/<
      Sharepoint server FQDN
      >:<
      Sharepoint app port
      > <
      Sharepoint domain
      >\<
      Sharepoint app user
      >
      . Press
      Enter
      .
      Where
      Sharepoint server FQDN
      is the FQDN of the computer hosting the
      Microsoft SharePoint
      web application server.
    Create SPNs for a
    Microsoft SharePoint
    web application running on a default port (80 or 443) and as a specific user
    1. Type
      setspn -S HTTP/<
      Sharepoint server name
      > <
      Sharepoint domain
      >\<
      Sharepoint app user
      >
      . Press
      Enter
      .
    2. Type
      setspn -S HTTP/<
      Sharepoint server FQDN
      > <
      Sharepoint domain
      >\<
      Sharepoint app user
      >
      . Press
      Enter
      .
    Create SPNs for a
    Microsoft SharePoint
    web application running on a non-default port and under a network service
    1. Type
      setspn -S HTTP/<
      Sharepoint server name
      >:<
      Sharepoint app port
      > <
      Sharepoint domain
      >\<
      Sharepoint server name
      >
      . Press
      Enter
      .
    2. Type
      setspn -S HTTP/<
      Sharepoint server FQDN
      >:<
      Sharepoint app port
      > <
      Sharepoint domain
      >\<
      Sharepoint server name
      >
      . Press
      Enter
      .
  4. Add the delegation to each file share server in your environment.
    Task
    Steps
    Add the delegation for one computer hosting
    BEMS
    .
    1. Type
      $gems1 = Get-ADComputer -Identity <
      GEMS-SERVER-NAME
      >
      . Press
      Enter
      .
    2. Type
      Set-ADComputer <
      File server name
      > -PrincipalsAllowedToDelegateToAccount $gems
      1. Press
      Enter
      .
    Add the delegation for multiple computers hosting
    BEMS
    .
    1. Type
      $gems1 = Get-ADComputer -Identity <
      GEMS-SERVER1-NAME
      >
      . Press
      Enter
      .
    2. Type
      $gems2 = Get-ADComputer -Identity <
      GEMS-SERVER2-NAME
      >
      . Press
      Enter
      .
      For each additonal
      BEMS
      , increment the $gems
      #
      by one.
    3. Type
      Set-ADComputer <
      File server name
      > -PrincipalsAllowedToDelegateToAccount $gems1,$gems2
      . Press
      Enter
      .
      For each additional
      BEMS
      , add a comma and $gems
      #
      incrementing the # by one.
  5. If you configure the delegation for file share servers in a DFS configuration, add delegations to the name server and the file server. For domain based DFS, this requires adding delegations for all of the Domain Controllers in the domain. Type
    Set-ADComputer <
    DC-SERVER-NAME
    > -PrincipalsAllowedToDelegateToAccount $gems1
    . Press
    Enter
    .
    • Where <
      DC-SERVER-NAME
      > is the name of the computer hosting the domain controller.
    • Where $gems1 is created in step 4 above.
  6. Add delegation to the
    Microsoft SharePoint
    servers in your environment. Complete one of the following actions:
    • If the application pool identity for
      Microsoft SharePoint
      application is Network Service, type
      Get-ADComputer <
      Sharepoint server name
      > -Properties PrincipalsAllowedToDelegateToAccount
      .
    • If the application pool identity for
      Microsoft SharePoint
      application is a specific domain user, type
      Get-ADUser <
      Sharepoint app user
      > -Properties PrincipalsAllowedToDelegateToAccount
      .
      Where
      Sharepoint app user
      is the user name that is listed in the Identity column in step 2.
  7. Press
    Enter
    .