Kerberos and IIS7 (SharePoint)

Giganews Newsgroups
Subject: Kerberos and IIS7 (SharePoint)
Date: Wed, 2 Sep 2009

Hello NG,

I have got a strange behavior regarding Kerberos in my SharePoint
environment. I don't know why it works, but I am quite sure it should not.
Here is my configuration. I got a DC (Windows Server 2008) that also has SQL
Server 2008 on it (WSS01). Then additionally I have a Server Server (WSS02)
Express as a Front End Server (WFE). I configured CNAMEs in DNS (I know I
should use A records, but read on) site01, site02, etc. for the "portal"
sites. I disabled the Kernel Mode Authentication in IIS7 for the relevant Web
Applications. The SharePoint sites all run under a separate domain account.

Now here is the interesting thing. I enable Kerberos on the web application
in SharePoint Central Administration. No HTTP SPN configured so far, not for
wss02 nor for site01, etc.

I try to connect via a client to the SharePoint site (web application) via
site01. The client asks DNS for the IP of site01 and gets wss02 as A record
back. So the client tries to access wss02 (HTTP GET) and gets back an
unauthorized. So the client requests a ticket for wss02 at the KDC.
Interestingly, the client is getting this ticket from the KDC. Remember that I
haven't configured the SPN / what account is used for creating the ticket???
Then when the client sends the ticket to the server, the server reports a
KRB_AP_ERR_MODIFIED error, perhaps because the server tries to encrypt via
the site's application pool account.

But the story goes on. Now I create a new domain user. No special rights, all
standard. I set the SPN HTTP/wss02 to this user account. I DON'T configure it
as an application pool account or something like that. And now: KERBEROS is

I really don't understand this... The web server should not have access to the
new user's credentials (necessary for decrypting the ticket). So why is it
working? Any ideas?

thank you very much for your support.

Best Regards
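A small model of the exchange described in the post, added here as an example and not part of the original message: the KDC's SPN lookup (including the HOST/ fallback a Windows KDC applies when no HTTP/ SPN exists), the ticket sealed under the resolved account's key, and the web application checking it with only its app-pool account's key. Account names, keys and the SPN tables are constructed for the lab; an HMAC stands in for the ticket encryption.

```python
import hashlib
import hmac

# Constructed lab directory (not a real domain): account name -> long-term key.
ACCOUNTS = {
    "WSS02$": b"computer-account-key",       # machine account of the WFE
    "svc-sp-pool": b"app-pool-account-key",  # domain account the SharePoint app pool runs as
    "newuser": b"plain-user-key",            # the unrelated user created in the post
}

def resolve_spn(spn, spn_index):
    """Account whose key the KDC uses for this SPN. HTTP has no class of its
    own in the KDC's SPN mappings, so a missing HTTP/host is served by
    HOST/host, which is registered on the computer account."""
    if spn in spn_index:
        return spn_index[spn]
    service, _, host = spn.partition("/")
    return spn_index.get(f"HOST/{host}") if service.upper() == "HTTP" else None

def issue_ticket(spn, spn_index):
    """TGS-REQ: (account, ticket body, tag), or None if the principal is unknown."""
    account = resolve_spn(spn, spn_index)
    if account is None:
        return None
    body = f"service ticket for {spn}".encode()
    # HMAC under the service key stands in for encrypting the ticket with it.
    return account, body, hmac.new(ACCOUNTS[account], body, hashlib.sha256).digest()

def accept_ticket(ticket, pool_account):
    """AP-REQ: the web app holds only its app-pool account's key. A ticket sealed
    under any other key fails the integrity check, reported as KRB_AP_ERR_MODIFIED."""
    _, body, tag = ticket
    expected = hmac.new(ACCOUNTS[pool_account], body, hashlib.sha256).digest()
    return "OK" if hmac.compare_digest(tag, expected) else "KRB_AP_ERR_MODIFIED"

def run(spn_index, pool_account="svc-sp-pool"):
    """Client resolved site01 (CNAME) to wss02, got a 401, and asks for HTTP/wss02."""
    ticket = issue_ticket("HTTP/wss02", spn_index)
    if ticket is None:
        return ("-", "KDC_ERR_S_PRINCIPAL_UNKNOWN")
    return ticket[0], accept_ticket(ticket, pool_account)

BASE = {"HOST/wss02": "WSS02$"}                               # present on any domain-joined host
NO_HTTP_SPN = dict(BASE)                                      # first state in the post
SPN_ON_UNRELATED_USER = {**BASE, "HTTP/wss02": "newuser"}     # second state in the post
SPN_ON_POOL_ACCOUNT = {**BASE, "HTTP/wss02": "svc-sp-pool"}   # the supported configuration
```

The model explains why a ticket is issued with no HTTP SPN at all (it is sealed under the computer account via HOST/wss02) and predicts KRB_AP_ERR_MODIFIED for both states the post describes; only the SPN registered on the app-pool account itself yields a ticket the web application can open.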