why do we need kerberos in SharePoint

  • Question

  • Hi All,

    In a couple of customer SharePoint environments I have noticed that they have used Kerberos. I am wondering what the scenarios are where we should use Kerberos?

    Regards Amit

    Thursday, April 25, 2013 2:51 AM

Answers

  • Hi,

    I understand that you are not very clear about the utilization of Kerberos in SharePoint.

           1. What is Kerberos:

           Kerberos is an authentication method developed at MIT. The idea behind it is that a third party that is trusted will grant a “ticket” that is utilized to prove the identity of users. Kerberos is the default authentication method used by Windows Servers since Windows 2000. The purpose behind Kerberos is to ensure that the identity of users is secured as well as to protect the network resources that will be accessed by these users. The use of the keys and tickets provides additional security to interactions across the network. The key is used to secure the interactions while the ticket is used to prove the identity.

           2. Why use it in SharePoint:

           SharePoint is a server technology; however, not all data that is utilized in SharePoint lives in SharePoint. You have the capability, especially with SharePoint 2010, to access data that is stored in other applications and databases. Accessing this data often requires credentials to be passed across from one server to another server. This is known as a “double-hop.” Another time you see this out of the box is with RSS. Because the RSS feeds within SharePoint can be used to aggregate data from other SharePoint sites, you may want to make use of these; however, often in load-balanced situations, you may see the same double-hop issue. There are also some third-party tools that may be used to access this data that will also require Kerberos to be implemented.

    You can refer to the posts below to get more information about Kerberos in SharePoint:

    http://www.pointgowin.com/seethepoint/Lists/Posts/Post.aspx?List=f0c6b874-5688-43b8-bdd4-a435f2479439&ID=36&Web=ef965a60-f400-453d-b8f5-a2e282d3a117

    http://www.harbar.net/archive/2010/03/31/sharepoint-2010-and-kerberos.aspx

    Thanks,

    Kenon Yin

    Thursday, April 25, 2013 3:22 AM
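
The double-hop described in the answer above, as an added example that is not part of the original thread: a simplified Python model in which a trusted third party (the KDC) issues tickets, and the web tier must go back to the KDC for a second ticket before the back end will accept the user's identity. The service names, keys, user name and delegation table are constructed, and HMAC sealing stands in for real Kerberos ticket encryption (session keys, timestamps and the TGT exchange are not modelled).

```python
import hashlib
import hmac
import json

# Constructed long-term keys: each is known only to the KDC and that service.
KEYS = {"HTTP/sharepoint": b"web-tier-key", "MSSQLSvc/sql": b"sql-tier-key"}
# Constructed delegation policy: which service may act for users, and to whom.
ALLOWED_TO_DELEGATE = {"HTTP/sharepoint": {"MSSQLSvc/sql"}}

def _mac(key, body):
    blob = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def _valid(service, ticket):
    """True only if the ticket names `service` and is sealed with its key."""
    key = KEYS.get(service)
    if key is None or ticket["body"].get("service") != service:
        return False
    return hmac.compare_digest(_mac(key, ticket["body"]), ticket["mac"])

def kdc_issue(user, service):
    """First hop: the KDC vouches for `user` to one named service."""
    body = {"user": user, "service": service}
    return {"body": body, "mac": _mac(KEYS[service], body)}

def kdc_delegate(front, evidence, target):
    """Second hop: `front` trades the user's ticket for one to `target`."""
    if not _valid(front, evidence):
        raise PermissionError("evidence ticket was not issued to this service")
    if target not in ALLOWED_TO_DELEGATE.get(front, set()):
        raise PermissionError(f"{front} may not delegate to {target}")
    return kdc_issue(evidence["body"]["user"], target)

def service_accept(service, ticket):
    """A service trusts a ticket only if its own key seals it."""
    if not _valid(service, ticket):
        raise PermissionError("ticket rejected")
    return ticket["body"]["user"]

def double_hop(user):
    """User -> web tier -> SQL tier, with the identity preserved end to end."""
    web_ticket = kdc_issue(user, "HTTP/sharepoint")
    service_accept("HTTP/sharepoint", web_ticket)
    sql_ticket = kdc_delegate("HTTP/sharepoint", web_ticket, "MSSQLSvc/sql")
    return service_accept("MSSQLSvc/sql", sql_ticket)

if __name__ == "__main__":
    print(double_hop("CONTOSO\\amit"))
```

Forwarding the web-tier ticket straight to the SQL tier fails in this model, which is the double-hop problem; the delegation table is the control that decides which front ends may make the second hop.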

All replies

  • Hi Kenon,

    One more question: I suppose it must be a separate server that authenticates the users. I am wondering, do I need to purchase the Kerberos server licence separately?

    Regards Amit

    Friday, April 26, 2013 2:31 AM
  • Kerberos authentication is typically provided by your AD servers, specifically by the Active Directory Certificate Service role. If you don't already have the infrastructure to use Kerberos authentication then you should hand this task over to an infrastructure specialist. It's a very big job.

    Friday, April 26, 2013 7:00 AM