If you have followed my posts, or caught my sessions at PASS, you may have figured out that Kerberos is one of my strength areas. I recently set up a Windows 2012 server to just see how SharePoint Integration with Reporting Services would work out.
As I was doing that, I knew I would need the HTTP SPN configured for my SharePoint server. As I created the SPN, I saw something very interesting.
The “Checking domain” piece made me assume that this was actually seeing if the SPN existed. Basically checking to make sure this wouldn’t be a duplicate. Then I decided to validate that assumption.
I have a bogus SPN sitting on my Claims Service account to allow me to set up delegation. I’m going to use that for the test. It is just “my/spn”.
So, let's try adding that to another account.
That’s awesome!
I also found this documentation on TechNet discussing what is new with Kerberos in Windows 2012.
What's New in Kerberos Authentication (Windows 2012/Windows 8)
https://technet.microsoft.com/en-us/library/hh831747.aspx
Of note, this functionality actually existed within the Windows 2008/R2 SetSPN as the -S switch. With the Windows 2012 version, -A just behaves the same as -S now. Which is good.
Adam W. Saxton | Microsoft Escalation Services
https://twitter.com/awsaxton
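The duplicate check described in this post can also be run on its own before registering an SPN, which is useful on hosts where the older `-A` behavior is still in play. The script below is an added example, not code from the original post. It assumes a domain-joined Windows host, the helper name `Find-SpnOwner` is hypothetical, and `CONTOSO\svcOther` is a placeholder account.

```powershell
# Added example: look up which accounts already hold an SPN before adding it.
# 'my/spn' is the test SPN from the post; CONTOSO\svcOther is a placeholder.

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # The default search root is the current domain. A forest-wide check
    # would need a global catalog search root instead.
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$spn     = 'my/spn'
$account = 'CONTOSO\svcOther'   # placeholder target account

$owners = @(Find-SpnOwner -Spn $spn)
if ($owners.Count -gt 0) {
    # Registering the SPN a second time would create a duplicate and
    # break Kerberos ticket requests for that service.
    Write-Warning "$spn is already registered on: $($owners.Account -join ', ')"
}
else {
    # -S verifies uniqueness itself; on Windows 2012, -A does the same check.
    setspn -S $spn $account
}

# Audit the domain for duplicates that were registered without the check.
setspn -X
```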