Thursday, June 10, 2010

Viewing SharePoint 2010 sites on Windows Server 2008 R2

Running SharePoint 2010 server on a Windows 2008 R2 server seems to be a sensible thing to do.  Well at least I thought that until I tried to locally access SharePoint sites on that server via IE.

You will find that on Windows Server 2008 R2, you will be prompted for authentication three times and the page will fail to load. This is because R2 uses the new SPNEGO2 implementation:

 (You may ask why would you need to access sites locally on the server? - well for things like Visual Studio development for SharePoint you must actually develop and run them on your development SharePoint server)

 The solution to this is to make sure that Web Applications you need to access on a Windows 2008 R2 server are setup with the following:

a) a SPN for each Web Application URL
This consists of using the http url of the Web Application and adding it to the Service Principle Name (SPN) of the AD account that the Web application pool runs as. eg.  with a Web Application called which runs in an IIS AppPool called MySPSites that runs under the security account of mydomain\SPServices.
SETSPN.exe -S HTTP/ mydomain\SPServices
  • (make sure you use an administrative CMD window)
  • (this may take a little while on a large AD as it first checks for any duplicate SPNs and if it doesnt find one then adds it to the account).
and (b) For the URL or (URL plus port number) of the Web Application you wish to access on the Windows 2008 R2 Server, you must set either the Default security Zone, or an extended one to have IIS Authentication set to use Kerberos security.
You can do this either on intially setting up the Web Application with Kerberos, or if you need to use different IIS Authentication types for your Default Zone Web App then, after you have created it, extend it using either a different URL or port number.  You can choose a different security Zone when you extend the Web App, or, unlike SharePoint 2007, you can change the IIS Authentication Settings at any time from the Sharepoint Admin console via -> Central Administration->Security->Specify Authentication Provider.
I had hoped that I would only need to carry out step (a) as eluded to in the article but thus far I havnt managed to avoid step (b)

No comments: