Set up Enterprise Portal and Role Centers to use Kerberos authentication

If your Microsoft Dynamics AX implementation requires Kerberos authentication, complete the following procedures to configure the Enterprise Portal server for Kerberos authentication.

Edit the connection string for ODC files

Use this procedure to specify Kerberos authentication in the connection string for each ODC file.

  1. View the Enterprise Portal site in a Web browser.

  2. From the Site Actions menu, click Site Settings.

  3. Under Galleries, click Master Pages.

  4. In the left corner of the page, click View All Site Content.

  5. Under Document Libraries, click Data Connections.

  6. Edit the connection string for each ODC file and append the following:

    ;SSPI=Kerberos

Configure Component Services

Use this procedure to configure Component Services on the Enterprise Portal server.

  1. Open Component Services (Start > Administrative Tools > Component Services).

  2. Locate the IIS WAMREG admin Service (Component Services > Computers > My Computer > DCOM Config > IIS WAMREG admin Service).

  3. Right-click this service and click Properties.

  4. Click the Security tab.

  5. In the Launch and Activation Permissions section, click Edit.

  6. In the Launch Permission dialog box, click Add.

  7. In the Select Users, Computers, or Groups dialog box, enter the domain user account that you specified as the IIS application pool service account, click Check Names, and then click OK.

  8. In the Permissions for <UserName> list, select the Allow check box that is next to Local Activation, and then click OK.

Configure or turn off kernel-mode authentication

If you are using Enterprise Portal on Windows Server 2008, you must either configure IIS 7.0 kernel-mode authentication to work with Kerberos authentication, or you must disable IIS 7.0 kernel-mode authentication. Both options are described here. For more information about kernel-mode authentication, see the IIS 7.0 documentation.

Configure IIS 7.0 kernel-mode authentication to work with Kerberos authentication

Perform the following procedure if you want IIS 7.0 kernel-mode authentication to work with Kerberos authentication. Complete this procedure on the Enterprise Portal server.

  1. Open Windows Explorer and navigate to the following directory: \Windows\System32\inetsrv\config

  2. Locate the applicationHost.config file.

  3. Make a copy of this file for backup purposes.

  4. Open the file in a text editor such as Notepad.

  5. Locate the properties section for your Enterprise Portal site. By default, this section begins at the following tag: <location path="SharePoint - 80">.

  6. In the <security> section, locate the following tag: <windowsAuthentication enabled="true">

  7. Add the following information to the tag:

    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

  8. Save your changes.
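The following PowerShell script is an added example, not part of the original article, that performs steps 3 through 8 of this procedure without a text editor. It assumes the default site location path "SharePoint - 80" and the default applicationHost.config location; both are parameters, and the script must run from an elevated (administrator) PowerShell session.

```powershell
# Added example (not from the original article): script the kernel-mode edit
# from the procedure above. $SitePath and $ConfigFile are assumptions that match
# the defaults named in the procedure; change them for a non-default site.
param(
    [string]$SitePath   = 'SharePoint - 80',
    [string]$ConfigFile = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# Step 3: keep a timestamped backup before touching the file.
$backup = "$ConfigFile.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $ConfigFile -Destination $backup
Write-Host "Backup written to $backup"

# Steps 5 and 6: load the XML and find <windowsAuthentication> under the site's <location>.
[xml]$config = Get-Content -Path $ConfigFile
$location = $config.configuration.location | Where-Object { $_.path -eq $SitePath }
if (-not $location) { throw "No <location path=""$SitePath""> element found in $ConfigFile" }

$winAuth = $location.'system.webServer'.security.authentication.windowsAuthentication
if (-not $winAuth) { throw "No <windowsAuthentication> element under location '$SitePath'" }

# Step 7: kernel mode stays on, but the Kerberos ticket is decrypted with the
# application pool identity (the account that holds the HTTP/ SPN) instead of
# the machine account, which is why the two attributes go together.
$winAuth.SetAttribute('enabled', 'true')
$winAuth.SetAttribute('useKernelMode', 'true')
$winAuth.SetAttribute('useAppPoolCredentials', 'true')

# Step 8: save, then print the resulting attributes so the change can be verified.
$config.Save($ConfigFile)
Write-Host "Updated <windowsAuthentication> for location '$SitePath':"
$winAuth.Attributes | ForEach-Object { "  {0}={1}" -f $_.Name, $_.Value }
```

If the site was created with a different name, the <location path="..."> value in applicationHost.config is the one to pass as $SitePath.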

Turn off IIS 7.0 kernel-mode authentication

If you chose not to configure IIS 7.0 kernel-mode authentication to work with Kerberos authentication as described in the preceding procedure, you must disable kernel-mode authentication. Complete this procedure on the Enterprise Portal server.

  1. In Internet Information Services (IIS) Manager, expand the local computers node, expand Sites, and click the Enterprise Portal Web site.

  2. In the center pane, under IIS, double-click Authentication.

  3. Click Windows Authentication.

  4. In the right pane, under Actions, click Advanced Settings.

  5. Clear the Enable Kernel-mode authentication check box.

  6. Click OK.

Turn on Kerberos authentication in SharePoint

Depending on whether you are using Windows SharePoint Services or Office SharePoint Server, complete one of the following procedures on the Enterprise Portal server.

Turn on Kerberos authentication in Windows SharePoint Services

  1. Click Start > Administrative Tools > SharePoint 3.0 Central Administration.

  2. Click the Application Management tab.

  3. Under Application Security, click Authentication Providers.

  4. Select the Web application you want to configure with Kerberos authentication from the Web Application list.

  5. Under Zone, click Default.

  6. Under IIS Authentication Settings, click Negotiate (Kerberos), and then click Save.

  7. Close SharePoint 3.0 Central Administration.

  8. Click Start > Run.

  9. In the Run dialog box, enter iisreset and then press Enter.

Turn on Kerberos authentication in Office SharePoint Server

  1. Click Start > Administrative Tools > SharePoint Central Administration.

  2. Click the Application Management tab.

  3. Under Application Security, click Authentication Providers.

  4. Select the Web application you want to configure with Kerberos authentication from the Web Application list.

  5. Under Zone, click Default.

  6. Under IIS Authentication Settings, click Negotiate (Kerberos), and then click Save.

  7. Repeat steps 4-6 until you have specified Negotiate (Kerberos) authentication for, at a minimum, the content application and the Shared Service Provider (SSP) application.

  8. Close SharePoint 3.0 Central Administration.

  9. Click Start > Run.

  10. In the Run dialog box, enter iisreset and then press Enter.

Configure a service principal name (SPN) for the Enterprise Portal application pool identity account

A service principal name (SPN) is a unique identifier for a service. Every service that uses Kerberos authentication must have an SPN so that clients can identify the service on the network. (In this context, a service is a program or application that uses credentials to communicate across a network.)

On the Enterprise Portal server, complete the following procedure to create an SPN for the account that is used as the application pool identity of the Enterprise Portal Web site. In the recommended configuration, the Enterprise Portal application pool runs as the .NET Business Connector proxy account.

To create an SPN, you must be a domain administrator. Use the Setspn.exe command-line tool, which is installed by default on computers running Windows Server 2008. If the server is running Windows Server 2003, you can get the tool by downloading Windows Server 2003 Service Pack 1 Support Tools.

  1. Open a command prompt window.

  2. At a command prompt, type the following command and press Enter:

    Setspn.exe -A HTTP/<ServerName> <AccountName>

    For this command, replace <ServerName> with the name of the Enterprise Portal server, and replace <AccountName> with the domain\name used for the application pool identity. For example, the following command uses a fictitious server called EnterprisePortal1 and a fictitious domain called contoso.

    Setspn.exe -A HTTP/EnterprisePortal1 contoso\AccountName

  3. Type the following command and press Enter:

    Setspn.exe -A HTTP/<FQDNServerName> <AccountName>

    For this command, replace <FQDNServerName> with the fully qualified domain name of the Enterprise Portal server, and replace <AccountName> with the domain\name used for the application pool identity. For example, the following command uses a fictitious server called EnterprisePortal1 and a fictitious domain called contoso.

    Setspn.exe -A HTTP/EnterprisePortal1.contoso.corp.contoso.com contoso\AccountName

  4. Repeat this procedure for each Enterprise Portal server.
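The following PowerShell script is an added example, not part of the original article, that registers both SPNs from steps 2 and 3 for each Enterprise Portal server and refuses to create a duplicate SPN, which is the most common reason Kerberos silently fails after this procedure. It assumes the Windows Server 2008 version of Setspn.exe (which has the -Q and -S switches); the server and account names are placeholders to replace.

```powershell
# Added example (not from the original article): register HTTP/ SPNs for the
# Enterprise Portal application pool identity with a duplicate check.
# $ServerNames and $AccountName are placeholders; $Domain defaults to the
# domain of the computer running the script.
param(
    [string[]]$ServerNames = @('EnterprisePortal1'),                   # placeholder
    [string]  $Domain      = (Get-WmiObject Win32_ComputerSystem).Domain,
    [string]  $AccountName = 'contoso\AccountName'                      # placeholder
)

foreach ($server in $ServerNames) {
    # Steps 2 and 3: clients may request a ticket for either the NetBIOS name or
    # the FQDN, so the application pool account needs both SPNs.
    $spns = @("HTTP/$server", "HTTP/$server.$Domain")

    foreach ($spn in $spns) {
        # The same SPN on two accounts leaves the KDC unable to choose a key and
        # Kerberos falls back or fails, so query the domain before writing.
        $query = & setspn.exe -Q $spn 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Warning "$spn is already registered:`n$($query -join "`n")"
            continue
        }
        # -S re-checks for duplicates on write; the procedure's -A does not.
        & setspn.exe -S $spn $AccountName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (exit code $LASTEXITCODE)" }
        Write-Host "Registered $spn on $AccountName"
    }
}

# Step 4 check: list the account's SPNs so every server's pair is visible at once.
& setspn.exe -L $AccountName
```

Run the script as a domain administrator, as the procedure requires; if the warning fires, remove the stale registration from the other account before re-running rather than adding a second copy.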

Enable the Enterprise Portal application pool identity account to be delegated

The Enterprise Portal application pool identity account must be trusted for delegation. On the domain controller, complete the following procedure to enable this account to be delegated.

  1. In Active Directory Users and Computers, right-click the user account and select Properties.

  2. On the Delegation tab, select the Account is trusted for delegation check box.

  3. Click OK.