There is a few different configurations that can be done to use kerberos authentication in SharePoint 2010. This article gives step by step directions to get it running using Claims authentication with kerberos negotiated windows integrated authentication.

 First you need to configure DNS. Create an A record for our soon to be created sharepoint web application to use.

we will use dev.sharepoint.local for this example

Next you need to create an active directory service account that we will use to run the application pool of our web application.

we will use svcsp_devservice

Next we need to configure the Service Principal Names (SPN)

You use the setspn command line utility to set the SPN. You need to have permissions in the domain to do this.

All SharePoint web applications, regardless of port number, will use the following SPN format:






For Web applications running on non-default ports (ports other than 80/443) register additional SPNs with port number:

HTTP/<DNS Host Name>:<port>

HTTP/<DNS FQDN>:<port>




so to set the SPN the command would be:

setspn –s HTTP/dev DOMAINsvcsp_devservice

setspn –s HTTP/dev.sharepoint.local DOMAINsvcsp_devservice


Now we have 2 SPN’s registered to the svcsp_devservice account. Next go to Active Directory Users and Computers, search for this account so that delegation can be enabled.

Kerberos Delegation AD settings

Click the “Add” button to add the services the user (service account) will be allowed to delegate to. To select a SPN, you will look up the object the SPN is applied to. In our instance, we are trying to delegate to a HTTP service which means we search for the service account of the IIS application pool that the SPN was assigned to in the previous step.

Click the “Users and Computers…” Button and search for the IIS application pool service accounts, in our example “DOMAINsvcsp_devservice”

Click OK on the next screen you will see a list of registered SPNs click select all and ok. If you now click the expanded clickbox you will see all spn’s that this account is allowed to delegate to. Both HTTP/dev and HTTP/dev.sharepoint.local should be listed.

Configure SharePoint

Configure Managed Service Accounts

Before creating your web applications, configure the services accounts created in the previous steps as managed service accounts in SharePoint Server. Doing so ahead of time will allow you to skip this step when creating the web applications themselves.

1. Navigate to Central Administration and then Security

SharePoint 2010 Central Administration

2. Under General Settings Click Configure managed Accounts

SharePoint 2010 Managed Accounts

3. Click register managed account and add the svcsp_devservice account.

Create Web Application

Browse to Central Administration and navigate to application management->Manage Web Applications. In the toolbar, select “New” and create your web application. Ensure the following is configured:

· Select “Claims Authentication”

· Configure the port and host header for each web application

· Select “Negotiate Kerberos” as the Authentication Provider for windows integrated

· Under application pool, select create new application pool and select the managed account create in the previous step.

Create a Site Collection and then add your Alternate Access Mapping.


When you go to the new site now you should use kerberos to authenticate. So go to the site and then check the security log on the sharepoint server. Look for event 4624 and the logon process should be Kerberos