SharePoint Corner


Configuring Kerberos Authentication on SharePoint 2010

There are a few different ways to configure Kerberos authentication in SharePoint 2010. This article gives step-by-step directions to get it running with claims-based authentication, using Windows integrated authentication set to Negotiate (Kerberos).

First you need to configure DNS. Create an A record for the SharePoint web application you are about to create. Use an A record rather than a CNAME: Internet Explorer builds the Kerberos SPN from the target name of a CNAME, so with a CNAME the ticket would be requested for a name you have not registered and the browser falls back to NTLM.

We will use dev.sharepoint.local for this example.

Next you need to create an Active Directory service account that will run the application pool of the web application. Use a dedicated account for this; it is the identity that receives the SPNs and the delegation rights below.

We will use svcsp_devservice.

Next we need to configure the Service Principal Names (SPNs).

You use the setspn command-line utility to set the SPN. You need sufficient rights in the domain to write the account's servicePrincipalName attribute (by default, membership in Domain Admins).

All SharePoint web applications, regardless of port number, use the following SPN format:

HTTP/<DNS Host Name>

HTTP/<DNS FQDN>

For web applications running on non-default ports (ports other than 80/443), register additional SPNs that include the port number:

HTTP/<DNS Host Name>:<port>

HTTP/<DNS FQDN>:<port>




So to set the SPNs the commands would be:

setspn -S HTTP/dev DOMAIN\svcsp_devservice

setspn -S HTTP/dev.sharepoint.local DOMAIN\svcsp_devservice

Use -S rather than the older -A: -S first checks the forest for an identical SPN and refuses to register a duplicate. Duplicate SPNs are the most common reason Kerberos quietly fails and clients fall back to NTLM.

Now we have two SPNs registered to the svcsp_devservice account. Next go to Active Directory Users and Computers and find this account so that delegation can be enabled. (The Delegation tab only appears on an account once at least one SPN is registered on it, so do this step after setspn.)

Kerberos Delegation AD settings

On the Delegation tab select "Trust this user for delegation to specified services only" with "Use Kerberos only". Do not pick "Trust this user for delegation to any service" (unconstrained delegation): that lets the app pool account impersonate any user who visits the site against every service in the domain. "Use any authentication protocol" (protocol transition) is not needed for this end-to-end Kerberos setup either.

Click the "Add" button to add the services the user (service account) will be allowed to delegate to. To select an SPN, you look up the object the SPN is applied to. In our instance we are delegating to an HTTP service, which means we search for the service account of the IIS application pool that the SPN was assigned to in the previous step.

Click the "Users or Computers..." button and search for the IIS application pool service account, in our example "DOMAIN\svcsp_devservice".

Click OK. On the next screen you will see the list of SPNs registered to that account; click Select All and then OK. If you expand the list you will see all the SPNs this account is allowed to delegate to. Both HTTP/dev and HTTP/dev.sharepoint.local should be listed.

Configure SharePoint

Configure Managed Service Accounts

Before creating your web applications, configure the service accounts created in the previous steps as managed accounts in SharePoint Server. Doing so ahead of time lets you skip this step when creating the web applications themselves.

1. Navigate to Central Administration and then Security

SharePoint 2010 Central Administration

2. Under General Security click Configure managed accounts

SharePoint 2010 Managed Accounts

3. Click Register Managed Account and add the svcsp_devservice account.

Create Web Application

Browse to Central Administration and navigate to Application Management -> Manage web applications. In the ribbon, select "New" and create your web application. Ensure the following is configured:

· Select "Claims Based Authentication"

· Configure the port and host header for each web application (the host header must be the name the SPNs were registered for, dev.sharepoint.local here)

· Under Claims Authentication Types, enable Windows authentication with "Negotiate (Kerberos)" as the integrated authentication provider

· Under Application Pool, select Create new application pool and choose the managed account registered in the previous step.

Create a site collection and then add your alternate access mapping.

When you browse to the new site it should now authenticate with Kerberos. Verify it rather than assuming: open the Security event log on the SharePoint web server and look for event 4624 (successful logon) for your user; the Logon Process should be Kerberos and the Authentication Package Kerberos. If you see NtLmSsp / NTLM instead, the client fell back to NTLM: check that the SPNs are registered on the app pool account without duplicates, that the client resolves the site through the A record, and that the browser treats the site as Local intranet so it performs integrated authentication without prompting.
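To tie the SPN and verification steps together, here is an added PowerShell example (not code from the original post). It registers the two SPNs with the duplicate check, lists what ended up on the account, scans the forest for duplicate SPNs, and then summarises the authentication packages seen in recent 4624 events on the web server so you can see at a glance whether browsers are getting Kerberos or NTLM. It assumes the names used above (DOMAIN, svcsp_devservice, dev, dev.sharepoint.local) and must run elevated on the web server, as an account that can write SPNs and read the Security log.

```powershell
# Added example, not part of the original post. Assumes the names used above:
# domain DOMAIN, app-pool account svcsp_devservice, host dev / dev.sharepoint.local.
$account = 'DOMAIN\svcsp_devservice'
$spns    = @('HTTP/dev', 'HTTP/dev.sharepoint.local')

# 1. Register the SPNs. -S (not -A) checks the forest first and refuses to create a
#    duplicate; a duplicate SPN breaks Kerberos and clients silently fall back to NTLM.
foreach ($spn in $spns) {
    setspn -S $spn $account
}

# 2. Show what is now registered on the account.
setspn -L $account

# 3. Forest-wide duplicate scan. Anything reported here must be removed from one account.
setspn -X -F

# 4. After browsing to http://dev.sharepoint.local from a client, inspect the last
#    $MaxEvents successful logons (event 4624) on this server and count them by
#    authentication package. Network logons (type 3) are the browser's; you want
#    'Kerberos' here, not 'NTLM'.
function Get-LogonPackageSummary {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Type    = [int]$data['LogonType']
                Package = $data['AuthenticationPackageName']
            }
        } |
        Where-Object { $_.Type -eq 3 } |
        Group-Object Package |
        Select-Object Name, Count
}

Get-LogonPackageSummary
```

If the summary shows NTLM logons for your test user after the SPNs are in place, the problem is on the path between the client and the ticket: re-check DNS (A record, not CNAME), the browser zone, and that the app pool really runs as the account the SPNs are on.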


Installing and Configuring User Profile Synchronization Service in SharePoint 2010


User Profile Synchronization seems to be a headache for everybody who tries to set it up. There is a great write-up on how to get it working, found here. Since the author did such a good job I will not try to duplicate it here. Rather, I will summarize the process with the steps and point out a few snags to watch out for (they are mentioned in the link above as well), and then point out a post-implementation problem that I have run into and haven't seen described anywhere, or how to fix it.

To set up the User Profile Synchronization Service in SharePoint 2010, first create the service accounts you will need.

  1. At minimum this is the account with permission in AD to replicate changes (ProfSync) and the account that runs the service itself (SPFarm).
  2. Grant the ProfSync account the Replicating Directory Changes permission on the Active Directory domain you are syncing with.
  3. The SPFarm account is your farm account. Unfortunately this goes against best practice (and the SharePoint Health Analyzer rules): it has to be added to the local Administrators group on the synchronization server AND it is used to run the service. During provisioning you don't have a choice; once the service has started you can take the farm account out of local Administrators again (add it back before you re-provision). While we are at it, also grant it the Allow log on locally user right.
  4. Create a new User Profile Service Application.
  5. Start the User Profile Synchronization Service. This takes 10 minutes or so. After it starts, if Central Administration is running on the same server, reboot (an IISRESET is enough, but reboot anyway).
  6. Configure the connections that will actually sync.


The post-implementation problem appears if you are using a SQL named instance. Profile Synchronization works when you follow the tutorial, but if you stop the service after it is running, or reboot for that matter, it doesn't start again: it sits in the Starting state. This has been addressed in the SharePoint 2010 CU released yesterday; unfortunately that was too late to save me all of the trouble of figuring it out. When the UPS service is stopped it is unprovisioned by design, and when it starts again the service wipes out the value of the SQLInstance key in the registry. This forces the service to try to connect to the default instance rather than the named instance, which obviously isn't going to work, and the service never starts. So how do you fix it? The patch (I haven't tested and confirmed it yet) should fix it: SharePoint 2010 CU released

The way I got around it was to add a SQL client alias on the server running the synchronization service, pointing the default instance name at the named instance. To do this run cliconfg.exe (note the spelling; it lives in the System32 folder, and on 64-bit Windows the SysWOW64 copy configures 32-bit clients). Click the Alias tab, click Add, make sure the TCP/IP radio button is selected, type the server name in the Server alias box at the top, and enter the instance name in the box on the right-hand side.


Save and then try and restart your User Profile Synchronization Service and it will start.
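The same alias can be created without the GUI, which is handy when you have to repeat the fix after a re-provision. The following added PowerShell example (not from the original post) writes the client alias to the registry location cliconfg.exe uses, in both the 64-bit and 32-bit client hives, and then opens a test connection through the alias to prove it lands on the named instance. The server name SPSQL, the instance name SP2010 and the use of a dynamically determined port are assumptions for illustration; replace them with your own.

```powershell
# Added example, not part of the original post. Assumed names:
$sqlServer   = 'SPSQL'        # physical SQL host; this also becomes the alias name
$instance    = 'SP2010'       # the named instance the farm databases live in
$aliasTarget = "DBMSSOCN,$sqlServer\$instance"   # TCP/IP, dynamic port (what cliconfg writes)
# For a fixed port use "DBMSSOCN,$sqlServer,1433" instead.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',              # 64-bit clients
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'   # 32-bit clients
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Alias name = bare server name, so anything asking for the "default instance"
    # on $sqlServer is redirected to the named instance.
    New-ItemProperty -Path $key -Name $sqlServer -Value $aliasTarget -PropertyType String -Force | Out-Null
    '{0} -> {1}  ({2})' -f $sqlServer, $aliasTarget, $key
}

# Verify: .NET SqlClient honours the ConnectTo aliases, so a connection to the bare
# server name must now answer with the named instance's @@SERVERNAME.
function Test-SqlAlias {
    param([string]$Alias)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Alias;Integrated Security=SSPI;Connect Timeout=10")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        return [string]$cmd.ExecuteScalar()   # expected: SPSQL\SP2010
    } finally {
        $conn.Dispose()
    }
}

Test-SqlAlias -Alias $sqlServer
```

Run it elevated on the synchronization server, then restart the User Profile Synchronization Service. Because the alias applies to every SQL client on that box, make sure no other application on the server genuinely needs the default instance of the same host.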


SharePoint 2010 Cumulative Update (patches) released!

The first round of Cumulative Updates has been released for SharePoint 2010. They are not packaged into one install yet but rather six individual packages.

Microsoft SharePoint Foundation 2010:

Microsoft SharePoint Server 2010:

The same patching rules as for MOSS 2007 apply to SharePoint 2010. First install the SharePoint Foundation patches, then any language pack related patches, and finally the Server patches. After all have been installed run the command psconfig -cmd upgrade -inplace b2b -wait, or run the SharePoint Products Configuration Wizard GUI. Make sure you apply all patches, and run the upgrade, on every server in the farm.
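Running the upgrade and then confirming that every server has picked it up is the part that gets skipped. The added PowerShell example below (not from the original post) runs psconfig from the SharePoint 2010 hive with the arguments given above and then lists the farm build version together with the NeedsUpgrade flag of each server, so a server that still needs the configuration wizard stands out. It assumes a default install location and must be run from an elevated prompt on a farm server as a farm administrator.

```powershell
# Added example, not part of the original post. Run on each server in the farm
# after the binaries have been installed; the path is the SharePoint 2010 (14) hive.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$psconfig = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\psconfig.exe'
& $psconfig -cmd upgrade -inplace b2b -wait
if ($LASTEXITCODE -ne 0) { throw "psconfig failed with exit code $LASTEXITCODE" }

# Farm-wide check: every server (the SQL server shows Role 'Invalid' and is skipped)
# must report NeedsUpgrade = False, otherwise psconfig still has to run there.
function Get-FarmUpgradeStatus {
    $farm = Get-SPFarm
    "Farm build version: $($farm.BuildVersion)"
    Get-SPServer |
        Where-Object { $_.Role -ne 'Invalid' } |
        Select-Object Name, Role, NeedsUpgrade
}

Get-FarmUpgradeStatus
```

Any server still showing NeedsUpgrade = True has the new binaries but has not had the configuration database upgrade run against it; run psconfig there before putting it back in the load balancer.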


Configure Partitioned Search Service Application With Powershell

SharePoint 2010 has a wonderful new multi-tenancy feature, but when you click New Search Service Application, or run the Farm Configuration Wizard, the application is not provisioned in partitioned mode and therefore cannot use the multi-tenancy features. What's worse, you can't go back and change it after the fact either. To make it partitioned (or non-partitioned, for that matter) you need to create a new Search Service Application and configure everything again.

This post will go through the process of using Windows Powershell to create a new SharePoint Server Search Service Application.

First create a new application pool and store it in a variable to use in a later step. Change "SearchAppPool" to whatever you would like your application pool name to be, and "DOMAIN\SearchServiceAccount" to a valid account; use a dedicated domain account for search rather than the farm account.

$app = new-spserviceapplicationpool -name SearchAppPool -account DOMAIN\SearchServiceAccount

Create the New Search Service Application making sure to use the –Partitioned Switch. Change “SearchServiceApplication” to whatever you would like the Search Service Application to be called.

$searchapp = new-spenterprisesearchserviceapplication -name SearchServiceApplication -Partitioned -applicationpool $app

Create the new search service application proxy. Again change “SearchServiceApplicationProxy” to whatever you would like the proxy to be called.

$proxy = new-spenterprisesearchserviceapplicationproxy -name SearchServiceApplicationProxy  -Partitioned -Uri $searchapp.uri.absoluteURI

Check that the search service instance on this server is running: its Status should be Online (if it is not, start it with Start-SPEnterpriseSearchServiceInstance before continuing, otherwise the topology steps below fail)

$si = get-spenterprisesearchserviceinstance -local


Provision the search administration application

set-spenterprisesearchadministrationcomponent -searchapplication $searchapp -searchserviceinstance $si

Create a new crawl topology

$ct = $searchapp | new-spenterprisesearchcrawltopology

Get the crawl store that was created with the service application

$csid = $SearchApp.CrawlStores | select id

$CrawlStore = $SearchApp.CrawlStores.item($csid.id)

Create a new crawl component. Change "ServerName" to the name of your search server

$hname = get-spenterprisesearchserviceinstance -identity "ServerName"

new-spenterprisesearchcrawlcomponent -crawltopology $ct -crawldatabase $CrawlStore -searchserviceinstance $hname

Activate the new crawl component

$ct | set-spenterprisesearchcrawltopology -active

Create a new query topology

$qt = $searchapp | new-spenterprisesearchquerytopology -partitions 1

Create a variable for the query partition

$p1 = ($qt | get-spenterprisesearchindexpartition)

Create a new query component

new-spenterprisesearchquerycomponent -indexpartition $p1 -querytopology $qt -searchserviceinstance $si

Get the property store database that was created with the service application

$PSID = $SearchApp.PropertyStores | Select id

$PropDB = $SearchApp.PropertyStores.Item($PSID.id)

Set the query partition to use the property store database

$p1 | set-spenterprisesearchindexpartition -PropertyDatabase $PropDB

Activate the query topology

$qt | Set-SPEnterpriseSearchQueryTopology -Active

You now have a search service application running in partitioned mode, congrats!
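The steps above as one script, with the checks a first run usually needs, as an added PowerShell example that is not from the original post: it reuses the application pool if it already exists, waits for the search service instance to come Online instead of assuming it, builds both topologies against the stores the service application created, and finishes by listing the topology states. The account DOMAIN\SearchServiceAccount and the server name SEARCH01 are assumptions; the pool, application and proxy names are the ones used above.

```powershell
# Added example, not part of the original post. Assumed names: DOMAIN\SearchServiceAccount
# and the search server SEARCH01; pool/application/proxy names are the ones used above.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$poolName  = 'SearchAppPool'
$account   = 'DOMAIN\SearchServiceAccount'   # dedicated low-privilege domain account, not the farm account
$ssaName   = 'SearchServiceApplication'
$proxyName = 'SearchServiceApplicationProxy'
$server    = 'SEARCH01'

# Reuse the pool if it exists; creating a second pool with the same name fails.
$app = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $app) { $app = New-SPServiceApplicationPool -Name $poolName -Account $account }

# The instance must be Online before topology components can be bound to it.
$si = Get-SPEnterpriseSearchServiceInstance -Identity $server
if ($si.Status -ne 'Online') {
    Start-SPEnterpriseSearchServiceInstance -Identity $si
    do {
        Start-Sleep -Seconds 10
        $si = Get-SPEnterpriseSearchServiceInstance -Identity $server
    } until ($si.Status -eq 'Online')
}

# -Partitioned is the whole point and cannot be switched on later.
$searchapp = New-SPEnterpriseSearchServiceApplication -Name $ssaName -Partitioned -ApplicationPool $app
$proxy = New-SPEnterpriseSearchServiceApplicationProxy -Name $proxyName -Partitioned -Uri $searchapp.Uri.AbsoluteUri

Set-SPEnterpriseSearchAdministrationComponent -SearchApplication $searchapp -SearchServiceInstance $si

# Crawl topology: one crawl component against the crawl store created with the SSA.
$ct         = $searchapp | New-SPEnterpriseSearchCrawlTopology
$crawlStore = $searchapp.CrawlStores | Select-Object -First 1
New-SPEnterpriseSearchCrawlComponent -CrawlTopology $ct -CrawlDatabase $crawlStore -SearchServiceInstance $si | Out-Null
$ct | Set-SPEnterpriseSearchCrawlTopology -Active

# Query topology: one partition, one query component, bound to the property store.
$qt     = $searchapp | New-SPEnterpriseSearchQueryTopology -Partitions 1
$p1     = $qt | Get-SPEnterpriseSearchIndexPartition
New-SPEnterpriseSearchQueryComponent -IndexPartition $p1 -QueryTopology $qt -SearchServiceInstance $si | Out-Null
$propDB = $searchapp.PropertyStores | Select-Object -First 1
$p1 | Set-SPEnterpriseSearchIndexPartition -PropertyDatabase $propDB
$qt | Set-SPEnterpriseSearchQueryTopology -Active

# Final check: exactly one crawl and one query topology should report State Active.
Get-SPEnterpriseSearchCrawlTopology -SearchApplication $searchapp | Select-Object Id, State
Get-SPEnterpriseSearchQueryTopology -SearchApplication $searchapp | Select-Object Id, State
```

Activating a topology can take a few minutes; if the final listing still shows the new topology as Inactive, wait and re-run the two Get- lines before creating any content sources.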


What File Server Locations Should Be Excluded From Antivirus Scanning For SharePoint

SharePoint performance is always an important topic and key to user adoption. If your SharePoint sites are slow or inconsistent your users aren't going to like it. There are numerous things you can do to improve the performance of your SharePoint front-end web servers, application servers, and most importantly your SQL servers; the servers themselves and disk I/O performance are all crucial parts of overall performance. One thing that is often overlooked is antivirus. There are certain directories and file types that should NOT be scanned by your antivirus software: doing so can cause serious performance degradation as well as potential corruption and/or inconsistencies throughout your farm. Below is a list of SharePoint-related directories that should be excluded from antivirus scanning. Keep the exclusions to exactly these directories: anything written into an excluded path is never scanned, so widening the list to whole drives or to the web content folders removes a control you still want. SQL Server has its own set of exclusions that I will write about in a future post.

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions

C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files

C:\Documents and Settings\All Users\Application Data\Microsoft\SharePoint\Config

C:\Windows\Temp\WebTempDir

C:\Documents and Settings\<the account that the search service is running as>\Local Settings\Temp

C:\Documents and Settings\<ServiceAccount>\Local Settings\Application Data

C:\Documents and Settings\<ServiceAccount>\Local Settings\Temp

C:\Documents and Settings\Default User\Local Settings\Temp

C:\Program Files\Microsoft Office Servers\12.0\Data (This folder is used for the indexing process. If the index files are configured to reside in a different folder, you also have to exclude that location.)

C:\Program Files\Microsoft Office Servers\12.0\Logs

C:\Program Files\Microsoft Office Servers\12.0\Bin

This applies to all versions of SharePoint, including Windows SharePoint Services (WSS 2.0 and WSS 3.0), MOSS and later SharePoint Server releases, with the paths adjusted to the version: the 12.0 folders above are 14.0 for SharePoint 2010, and on Windows Server 2008 and later the Documents and Settings profile paths live under C:\Users\<account>\AppData\Local and the configuration cache under C:\ProgramData\Microsoft\SharePoint\Config.
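Because the exact paths depend on the SharePoint version, the install location and which accounts run the services, it is easy to paste a wrong path into the antivirus console and exclude nothing. The added PowerShell example below (not from the original post) resolves the list above for a SharePoint 2010 server on Windows Server 2008 R2: it reads the real hive location from the registry, expands the profile paths for the service accounts you name, and reports whether each path actually exists so that non-existent exclusions are caught before they go into the AV policy. The service account names are assumptions.

```powershell
# Added example, not part of the original post. Targets SharePoint 2010 (14.0) on
# Windows Server 2008 R2; pass -Version '12.0' for WSS 3.0 / MOSS 2007 on the same OS.
function Get-SharePointAvExclusions {
    param(
        [string]$Version = '14.0',
        # Assumed account names: the search service account and app-pool accounts.
        [string[]]$ServiceAccounts = @('svcsp_search', 'svcsp_devservice')
    )
    # Real hive location, e.g. C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\
    $hiveKey = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\$Version"
    $hive    = (Get-ItemProperty -Path $hiveKey -ErrorAction Stop).Location.TrimEnd('\')
    $netVer  = '2.0.50727'   # SharePoint 2007/2010 run on the .NET 2.0 CLR

    $paths = @(
        $hive,
        "$env:windir\Microsoft.NET\Framework\v$netVer\Temporary ASP.NET Files",
        "$env:windir\Microsoft.NET\Framework64\v$netVer\Temporary ASP.NET Files",
        "$env:ProgramData\Microsoft\SharePoint\Config",
        "$env:windir\Temp\WebTempDir",
        "$env:ProgramFiles\Microsoft Office Servers\$Version\Data",
        "$env:ProgramFiles\Microsoft Office Servers\$Version\Logs",
        "$env:ProgramFiles\Microsoft Office Servers\$Version\Bin"
    )
    # Per-account temp locations; 'Default' is the Default User profile on 2008+.
    foreach ($acct in ($ServiceAccounts + 'Default')) {
        $paths += "$env:SystemDrive\Users\$acct\AppData\Local\Temp"
        $paths += "$env:SystemDrive\Users\$acct\AppData\Local"
    }

    foreach ($p in ($paths | Select-Object -Unique)) {
        New-Object PSObject -Property @{
            Path   = $p
            Exists = (Test-Path -LiteralPath $p)
        }
    }
}

Get-SharePointAvExclusions -Version '14.0' | Sort-Object Exists, Path | Format-Table -AutoSize
```

A path reported as Exists = False usually means the service has not run under that account on this box yet (its profile folder is created on first logon) or the index location was moved; fix the name or add the real index folder rather than excluding a path that does not exist.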


How to include SharePoint version number in an Office document label

So you thought it would be a great idea to automatically add a label to your Office documents with the title and current version number according to SharePoint. But then you realize that you can't automatically include the SharePoint version number in a label. You can include the revision number stored in the Office document, but that isn't in sync with the SharePoint version number. So what to do?

Well, there are a few options. You can manually add the label to each document as an image the first time it is created, and it will update automatically from then on. Good luck getting all your users to go through that process for every document, though, and it would eliminate the need for the Information Management Policy in SharePoint, effectively making the label useless, since it is just as easy to update the label text in the document by hand.

Option 2 is a custom-coded solution: an event receiver that checks the version number after each change and, when it changes, writes it to another text column that can be added to the label.

Option 3 is the no-code, almost out-of-the-box solution that does the trick. You will need SharePoint Designer to create a very simple workflow. There is no coding involved, and I'm sure anybody following these instructions will be able to make it work. So let's get to it.

First you need the library you want to apply the policy to. In that library create a new Single line of text column and call it whatever you want; I called mine SPVersion. In the library settings, under Permissions and Management, click Information management policy settings.

(There are many different levels you can apply these settings at the site, library, to particular content type. For this particular exercise we are going to apply it to a particular document library and a specific content type within that library. In order to use in other areas of the site you would have to create the policy again. If you wanted to reuse for multiple libraries you should create it at the site level and not here.)

After clicking the Information management policy settings link you are taken to a screen to specify a policy. Change the radio button selection to Define a policy and click OK.

On the next screen fill in the comments box for administrative and policy statements. Then check the box next to Enable Labels.

In the label format box put Document Title: {Title}\nDocument Version: {SPVersion}, changing SPVersion to whatever you called the column you created earlier. This outputs a label in the format

Document Title: DocTitle

Document Version: 1.0


Using \n creates a new line in your label. You can add whatever other fields you want here as well. Click the Refresh button to make sure your label looks the way you intended. Once it does, click OK.

Now its time to open up SharePoint Designer and create a new workflow. Open designer and open the site that has your document library. Click File –> New –> Workflow

Give the workflow a name and select Automatically start this workflow whenever an item is changed. Click Next.

Under Actions select Set Field in Current Item. For the field select SPVersion, and for the value select your document library and its Version column, so the action reads Set SPVersion to Document Library:Version. Then click Actions again, choose Update List Item, and in that line select your document library. Click Finish and you are done.

What this workflow does is after an item is changed it runs automatically and copies whatever is in the SharePoint Version column (which is dynamic and cannot be added into a label) and puts it into your single line of text column (which can be added to a label)
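One gap with the workflow approach is that it only fires when an item changes, so documents that already exist in the library keep an empty SPVersion until someone edits them. The added PowerShell example below (not from the original post) back-fills the column from SharePoint's own version string, whose internal field name is _UIVersionString, using SystemUpdate so that the write does not itself create a new version or change Modified and Modified By. The site URL, library title and column name are assumptions; it runs from the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example, not part of the original post. Assumed site URL, library and column.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Update-SPVersionColumn {
    param(
        [string]$SiteUrl   = 'http://dev.sharepoint.local',
        [string]$Library   = 'Policies',
        [string]$FieldName = 'SPVersion'
    )
    $web = Get-SPWeb $SiteUrl
    try {
        $list    = $web.Lists[$Library]
        $updated = 0
        # Snapshot the collection first; updating while enumerating $list.Items is unsafe.
        foreach ($item in @($list.Items)) {
            $current = [string]$item['_UIVersionString']   # SharePoint's Version column, e.g. "1.0"
            if ([string]$item[$FieldName] -ne $current) {
                $item[$FieldName] = $current
                # SystemUpdate($false) writes the column without creating a new version or
                # touching Modified / Modified By. A plain Update() would bump the version
                # you are trying to record, leaving the label one step behind.
                $item.SystemUpdate($false)
                $updated++
            }
        }
        return $updated   # number of items whose label column was brought up to date
    } finally {
        $web.Dispose()
    }
}

Update-SPVersionColumn
```

Run it once after the workflow is in place; from then on the workflow keeps the column current and the label updates the next time each document is opened.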
