HOWTO: Configure SharePoint 2010 for Kerberos
Here is a great reference for configuring SharePoint 2010 for Kerberos authentication.
Core concepts include:
- Ensuring SQL Server and the WFE/App servers in the farm can communicate with the SQL Server in the farm via Kerberos.
- Create a SPN for the SQL Server and map to the SQL Server service account (i.e., MSSQLSvc/mosssql:1433 and MSSQLSvc/mosssql.mydomain.com:1433)
- Test the connection to SQL Server prior to install of SharePoint 2010 by installing the SQL Server client tools on a WFE/App server and testing the connection
- Verify connection settings in the event log on the SQL Server
- Create SPNs for each web application (i.e., HTTP/kerbportal, and HTTP/kerbportal.mydomain.net) and map to the AD account for the app pool for the web application.
- Ensure the SPNs have the port number in them so IE can construct the SPN for authentication
- Install and set up the farm (Authentication method to the SQL Server = negotiate)
- Visit central administration and view the event log on the central admin machine to ensure that Kerberos was used successfully.
Note that crawlers can only access standard ports (80, 443) via Kerberos.