You will find that on Windows Server 2008 R2, you will be prompted for authentication three times and the page will fail to load. This is because R2 uses the new SPNEGO2 implementation:
(You may ask why would you need to access sites locally on the server? - well for things like Visual Studio development for SharePoint you must actually develop and run them on your development SharePoint server)
The solution to this is to make sure that Web Applications you need to access on a Windows 2008 R2 server are setup with the following:
a) a SPN for each Web Application URL
This consists of using the http url of the Web Application and adding it to the Service Principle Name (SPN) of the AD account that the Web application pool runs as. eg. with a Web Application called http://home.company.com which runs in an IIS AppPool called MySPSites that runs under the security account of mydomain\SPServices.
SETSPN.exe -S HTTP/home.company.com mydomain\SPServices
- (make sure you use an administrative CMD window)
- (this may take a little while on a large AD as it first checks for any duplicate SPNs and if it doesnt find one then adds it to the account).
You can do this either on intially setting up the Web Application with Kerberos, or if you need to use different IIS Authentication types for your Default Zone Web App then, after you have created it, extend it using either a different URL or port number. You can choose a different security Zone when you extend the Web App, or, unlike SharePoint 2007, you can change the IIS Authentication Settings at any time from the Sharepoint Admin console via -> Central Administration->Security->Specify Authentication Provider.
I had hoped that I would only need to carry out step (a) as eluded to in the Harbar.net article but thus far I havnt managed to avoid step (b)
References:
No comments:
Post a Comment