Friday, May 20, 2011

DelegConfig (Delegation / Kerberos Configuration Tool)

We all know how frustrating it can be to configure Kerberos in some situations. I want to show you a really nice tool by Brian Murphy-Booth that can help you get smoothly through that part of building a new secure environment using Kerberos \ Constrained Delegation. And yes, this tool supports SharePoint as a service type, as well as other back-end service types for checking double hops; you can see it in the picture below.

I recommend reading the Welcome page when you open the tool for the first time.

The DelegConfig (taken from here)
Overview 
This is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegating Kerberos credentials.

Features
- Supports IIS 6.0 as well as IIS 7.0 (useKernelMode / useAppPoolCredentials)
- Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
- Allows chaining of multiple hops (versus only a single backend)
- Performs duplicate SPN check against all trusted domains.


/Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames.

/Set/Delegation.aspx - Allows changing Trust for Delegation settings.

/Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.

/Report.aspx - Gives a picture of what is right and what is wrong.

/Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.

/Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer.

Requirements
IIS 6.0 or IIS 7.0
ASP.NET 2.0 or higher

I have started using it on every IIS\SharePoint server: just create a new site pointing to the DelegConfig folder and leave the site stopped, then use it when you want to check Kerberos problems. My friend (Assaf Lev from Matrix Company) gave this tool the nickname "Kerbi" :-)



Also, don't forget that you can use "setspn.exe -x" to see duplicate SPNs in your domain (only with the new setspn version in Win2K8). Refer to this link (Read It!) for more new features.
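To show what a duplicate SPN check looks for, here is an added PowerShell example (not part of DelegConfig or setspn) that reports any SPN registered on more than one account, comparing case-insensitively. The function name `Find-DuplicateSpn` and the contoso.example sample accounts are made up for illustration; the commented live query assumes the ActiveDirectory module is installed and covers only the current domain.

```powershell
# Added example: report SPNs that are registered on more than one account.
# SPN matching in Active Directory is case-insensitive, so values are
# normalized before grouping.
function Find-DuplicateSpn {
    param(
        # Objects exposing DistinguishedName and a ServicePrincipalName collection
        [Parameter(Mandatory)] [object[]] $Account
    )
    $Account |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.ServicePrincipalName) {
                # One row per (SPN, owning account) pair
                [pscustomobject]@{ Spn = $spn.Trim().ToLowerInvariant(); Account = $dn }
            }
        } |
        Group-Object -Property Spn |
        ForEach-Object {
            # The same SPN listed twice on one account is not a conflict;
            # only distinct owners count.
            $owners = @($_.Group.Account | Sort-Object -Unique)
            if ($owners.Count -gt 1) {
                [pscustomobject]@{ Spn = $_.Name; Accounts = $owners }
            }
        }
}

# Constructed sample data: the HTTP SPN for the portal is registered on both
# a service account and a computer account, with different letter case.
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-sharepoint,OU=Service,DC=contoso,DC=example'
        ServicePrincipalName = @('HTTP/portal.contoso.example', 'HTTP/portal')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=WEB01,OU=Servers,DC=contoso,DC=example'
        ServicePrincipalName = @('HOST/web01.contoso.example', 'http/PORTAL.contoso.example')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-sql,OU=Service,DC=contoso,DC=example'
        ServicePrincipalName = @('MSSQLSvc/sql01.contoso.example:1433')
    }
)

Find-DuplicateSpn -Account $sample | Format-List

# Against a live domain (assumption: ActiveDirectory module available):
# Find-DuplicateSpn -Account (Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName)
```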

If you have new info to share with me and other viewers, just leave a comment. Thanks and good luck, my friends.
