
Kerberos and your MOSS setup

Setting up the K2 MOSS components on your MOSS server is typically an easy task, as the install is mostly independent of the other components (i.e. Workspace, Reports or Host Server).  However, it can be difficult to troubleshoot if you didn't set up the base requirements needed for the install.

Here's my checklist of things to do before you run the installer.

  1. MOSS needs to be installed as a complete install (if it is a standalone server).  Reason being...
  2. You need to install and configure a Shared Service Provider (SSP).  If you did not do a full install, you won't be able to configure the SSP as the SSP needs an index server.
  3. Create the default site collection.
  4. Make sure all sites are using Kerberos for authentication.  This can be configured when creating the sites or from the central admin page under authentication providers (post configuration).
  5. Step 4 is just one part of enabling Kerberos.  You need to configure the service accounts for the app pool.
  6. You need to give the app pool account proper IIS rights.  This can be done using the aspnet_regiis -ga command.
  7. Configure the IIS sites to use Kerberos.  You can use the following command from C:\inetpub\AdminScripts:
    • cscript adsutil.vbs set w3svc/<IIS site ID>/NTAuthenticationProviders "Negotiate,NTLM"
  8. Configure the service account to be trusted for delegation to the HTTP SPN for the workspace runtime services and the 2 K2 SPNs for the K2 Host Server and K2 SmartObject Server.  Obviously, you also need to add the SPNs as well before you can do this.

Ok that sounds relatively simple but it can be messy if you are doing this for the first time.  You have to figure out whether you are configuring the SSP on a new site using a different port or host header.  You need to create new app pools.  You need to start up the search services required to configure the SSP, etc.  I think you get the idea.

Also on post-installation, you have some stuff to do.  In a nutshell:

  1. Deploy the K2 worklist webpart package.  If needed, populate the web part gallery for new site collections.  Once this is done, you can add the webpart to your MOSS pages.
  2. Go to central admin page under the K2 admin tab, activate the K2 features that you need.
  3. Same page, you can also add the K2 service account to have site admin rights. This is needed if your K2 server needs to create sites, manage documents, etc.

One interesting thing I encountered today was that I had the assumption that configuring Kerberos on the site collection was sufficient to get the K2 worklist webpart to work using Kerberos.  Did everything to the dot and it just refused to work.  Turned on Kerberos logging and I got zero error messages relating to the failed connection (it comes in as anonymous).  So what gives?

After a lot of double checking and thinking, I finally tried configuring the SSP to use Kerberos instead of NTLM.  Rebooted the server and happily the K2 worklist webpart started connecting correctly using Kerberos.

So lesson learnt here today: always start off with Kerberos for all MOSS sites (including SSPs) if you are planning to use them with your K2 distributed environment.  I hope the steps I provided help anybody who is having issues with their own K2 MOSS setup.

Published Saturday, May 10, 2008 5:14 AM by johnny

Comments

# re: Kerberos and your MOSS setup

Tuesday, May 13, 2008 8:05 AM by Darrell

As a matter of interest why do you perform step 7?  It is not required if you start off using kerberos.  The NTAuthenticationProviders key should not exist and is not required as Kerberos will be used by default.

Cheers

Darrell

# re: Kerberos and your MOSS setup

Sunday, May 25, 2008 4:40 PM by pblose

Hey, just wanted to throw in a little warning about using the setspn utility.  Don't use cut and paste into the command window.  The admin that set up the SPNs copied the command from notepad and the SPN had an extra character appended to the end.  This is not viewable in the graphical tool we were using to check the SPN later.  Much time wasted...

# re: Kerberos and your MOSS setup

Monday, May 26, 2008 6:17 PM by johnny

From what I heard from Microsoft, slipstreamed Win2K3 SP1 or later installations should default to Kerberos for IIS, while Win2K3 RTM installations default to NTLM.

However, from various experiences with numerous customers, the behaviour is quite inconsistent to the point where it is safer to just set it directly to the value you wish to use.  It just takes the guesswork out of it.

I also agree with pblose that copying and pasting setspn and even the adsutil.vbs commands tends to introduce mistakes.  Sometimes the editor transforms the quotes or comma to some other unicode character.  It causes a failure which is quite hard to troubleshoot.
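The copy/paste hazard pblose and johnny describe (a stray invisible character on the end of an SPN, quotes or commas turned into Unicode look-alikes) is easy to catch before the SPNs from step 8 or the adsutil.vbs command from step 7 are ever run. The following Python checker is an added example, not part of the original post or of K2; the account name, host names, the K2 SPN and the `setspn -L` output are constructed sample values.

```python
import re
import unicodedata

# Word processors and some paste paths swap these for their ASCII originals.
SMART_SUBSTITUTES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
                     "\u2013": "-", "\u2014": "-", "\u00a0": " ", "\u201a": ","}
# service/host[:port][/name], ASCII only; anything else is suspect.
SPN_PATTERN = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9.-]+(:\d+)?(/\S+)?$")

def find_problems(text):
    """Return (index, char, description) for every suspicious character in text."""
    problems = []
    for i, ch in enumerate(text):
        if ch in SMART_SUBSTITUTES:
            problems.append((i, ch, f"smart substitute for {SMART_SUBSTITUTES[ch]!r}"))
        elif ord(ch) > 127:
            problems.append((i, ch, f"non-ASCII {unicodedata.name(ch, 'UNKNOWN')}"))
        elif unicodedata.category(ch) == "Cc" and ch != "\t":
            problems.append((i, ch, f"control character U+{ord(ch):04X}"))
    if text != text.strip():
        problems.append((len(text), "", "leading or trailing whitespace"))
    return problems

def check_spn_list(setspn_output):
    """Map each SPN in `setspn -L` style output to its list of problem descriptions."""
    results = {}
    for line in setspn_output.splitlines():
        if not line.startswith((" ", "\t")):
            continue  # the 'Registered ServicePrincipalNames for ...' header line
        spn = line.strip(" \t")  # strip indentation only, so invisibles are kept and flagged
        issues = [desc for _, _, desc in find_problems(spn)]
        if not SPN_PATTERN.match(spn):
            issues.append("does not look like service/host[:port]")
        results[spn] = issues
    return results

# Constructed sample: what `setspn -L svc_k2` might print after a bad paste.
SAMPLE_SETSPN_OUTPUT = (
    "Registered ServicePrincipalNames for CN=svc_k2,OU=Service Accounts,DC=example,DC=local:\n"
    "        HTTP/moss.example.local\n"
    "        HTTP/moss\u200b\n"  # zero-width space pasted in; invisible in the GUI tools
    "        K2Server/k2host.example.local:5252\n"
)
# Constructed: the adsutil.vbs command from step 7 after an editor curled its quotes.
SMART_QUOTED_COMMAND = ("cscript adsutil.vbs set w3svc/1/NTAuthenticationProviders "
                        "\u201cNegotiate,NTLM\u201d")

if __name__ == "__main__":
    for spn, issues in check_spn_list(SAMPLE_SETSPN_OUTPUT).items():
        print(f"{spn!r}: {issues or 'ok'}")
    print(find_problems(SMART_QUOTED_COMMAND))
```

Feed it the real `setspn -L <account>` output (redirected to a file) and the exact command text you are about to paste; an empty issue list for every SPN means the registration is clean.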
