It's been a while for me for Kerberos so bear that in mind :) The line here "Once we set the SPN, the auth_schema for farm will be 'Kerberos'" throws me off because it infers that as soon as you do it, you have a Kerberos farm. But when you add the SPN in AD and it makes no difference to SharePoint's behaviour by default. The decision to go Kerberos is based on whether you choose NTLM or Negotiate at the web app. Thus, any other web apps created as NTLM will happily ignore the SPN stuff altogether as its not using Kerberos in the first place.
Regards Paul From: [email protected] [mailto:[email protected]] On Behalf Of Ajay Sent: Monday, 11 February 2013 6:13 AM To: ozMOSS Subject: Re: Sp 2010 - Kerberos Hi Paul, Thanks... Once we set the SPN, the auth_schema for farm will be 'Kerberos' but it will only show for the services (app pool) being used for delegation. >From the guide [ Select s.session_id, s.login_name, s.host_name, c.auth_scheme from sys.dm_exec_connections c inner join sys.dm_exec_sessions s on c.session_id = s.session_id ] I mean it will not affect to create future web apps in NTLM mode and not affect the Central Admin. Cheers Ajay On Mon, Feb 11, 2013 at 11:05 AM, Paul Culmsee <[email protected]<mailto:[email protected]>> wrote: Hi You need to register the SPN yes, and then you need to delegate to it from any account that might access it. That means the claims to windows token account, service account and web app account. Regards Paul From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Ajay Sent: Monday, 11 February 2013 5:56 AM To: ozMOSS Subject: Sp 2010 - Kerberos Hi Guys, I have to set up Kerberos for BI stuff like Excel Services, Performance Point, SSRS and Analysis services I have downloaded the 246 page guide from Microsoft.. which looks good. I have one quick question... do we need to enable Kerberos for Sql Server also? like the following SetSPN -S MSSQLSVC/MySQLCluster.vmlab.local:1433 vmlab\svcSQL I think as Sql Server is not delegating credentials than it does not need to be Kerberos enabled or does it need to be. Cheers Ajay _______________________________________________ ozmoss mailing list [email protected]<mailto:[email protected]> http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
_______________________________________________ ozmoss mailing list [email protected] http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
