I have a SharePoint Foundation 2013 Farm with two front ends, one application server, and one SQL server. A Big IP is used to load balance between the web front ends. I set up Kerberos authentication by creating the SPN:
In a PowerShell window I created the SPNs for each web application for both the short name and FQDN.
• setspn -S HTTP/intranet domain-name\webap01
• setspn -S HTTP/intranet.zip.com domain-name\webap01
On the domain controller I then allowed "Trust for delegation"
1. Open Active Directory Users and Computers applet
2. View the Properties for your SharePoint servers
3. On the Delegation tab select Trust this computer for delegation to any service
4. Click Ok
Users connect to the intranet and Event Viewer shows that Kerberos authentication has taken place. However I have also noticed under Security in Event Viewer that the SharePoint Servers authenticate/communicate with each other via the web application service. This authentication happens via NTLM, and doesn't even try to use Kerberos. My question is how do I get the communication between servers to use Kerberos?
Here is an example of what I see in the Event Viewer on SPSERVER02:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: domain-name\webap01
Account Name: webap01
Account Domain: Domain
Logon ID: 0x713ab15
Logon GUID: {00000000-0000-0000-0000-0
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: SPSERVER01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
What this is saying is that SPSERVER01 logged into SPSERVER02 with webap01 (service account) using NTLM authentication. Thank you in advance for any help you can provide.
Detroit Red
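The event the poster pasted is Security event 4624, and the field that reveals the NTLM fallback is "Authentication Package" (with "Package Name (NTLM only)" giving the NTLM version). The script below is an added example, not code from the post or from SharePoint: it parses 4624 message text into records and flags network (type 3) logons by a farm service account from another farm server that used NTLM rather than Kerberos. The two sample messages are constructed, modelled on the one in the post; the service-account and server lists are assumptions you would replace with your own farm's values. The commented `Get-WinEvent` call at the end applies the same parser to the live Security log.

```powershell
# Added example (not from the original post): find 4624 logons between
# SharePoint farm servers that fell back to NTLM instead of Kerberos.

# Constructed sample messages modelled on the 4624 event in the post.
# Note that "Account Name" appears twice in a real 4624 message: once under
# "Subject:" (the caller, "-" for a network logon) and once under "New Logon:".
$SampleMessages = @(
@"
An account was successfully logged on.
Subject:
Account Name: -
Logon Type: 3
New Logon:
Account Name: webap01
Account Domain: Domain
Network Information:
Workstation Name: SPSERVER01
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Key Length: 128
"@,
@"
An account was successfully logged on.
Subject:
Account Name: -
Logon Type: 3
New Logon:
Account Name: jdoe
Account Domain: Domain
Network Information:
Workstation Name: WORKSTATION7
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Package Name (NTLM only): -
Key Length: 0
"@
)

# Assumed farm values: replace with the real service accounts and server names.
$ServiceAccounts = @('webap01')
$FarmServers     = @('SPSERVER01', 'SPSERVER02')

function Get-LogonField {
    param([string]$Message, [string]$Name)
    # Field lines look like "Name: Value". Take the LAST match so that for
    # "Account Name" we get the New Logon section, not the Subject section.
    $pattern = "(?m)^\s*$([regex]::Escape($Name)):\s*(.*?)\s*$"
    $ms = [regex]::Matches($Message, $pattern)
    if ($ms.Count -gt 0) { $ms[$ms.Count - 1].Groups[1].Value } else { $null }
}

function ConvertTo-LogonRecord {
    param([string]$Message)
    [pscustomobject]@{
        LogonType   = Get-LogonField $Message 'Logon Type'
        Account     = Get-LogonField $Message 'Account Name'
        Workstation = Get-LogonField $Message 'Workstation Name'
        Package     = Get-LogonField $Message 'Authentication Package'
        NtlmVersion = Get-LogonField $Message 'Package Name (NTLM only)'
    }
}

function Test-NtlmFallback {
    param($Record)
    # A network logon by a farm service account from a farm server that used
    # NTLM is exactly the server-to-server traffic the poster expected to be Kerberos.
    ($Record.LogonType -eq '3') -and
    ($Record.Package -eq 'NTLM') -and
    ($ServiceAccounts -contains $Record.Account) -and
    ($FarmServers -contains $Record.Workstation)
}

function Get-NtlmFallbackLogons {
    param([string[]]$Messages)
    $Messages | ForEach-Object { ConvertTo-LogonRecord $_ } |
        Where-Object { Test-NtlmFallback $_ }
}

# Offline run over the constructed samples: only the webap01/SPSERVER01 logon is flagged.
Get-NtlmFallbackLogons -Messages $SampleMessages | ForEach-Object {
    Write-Warning ("{0} -> NTLM ({1}) logon as {2}; Kerberos expected" -f
        $_.Workstation, $_.NtlmVersion, $_.Account)
}

# Same check against the live Security log (elevated session on the SharePoint server):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-1)} |
#     ForEach-Object { ConvertTo-LogonRecord $_.Message } |
#     Where-Object { Test-NtlmFallback $_ }
```

Running the offline part warns about the first sample only; the second (a Kerberos logon by an ordinary user) passes. Keep the flagged records alongside whatever SPN or delegation change you make next, so you can confirm from the log, rather than by assumption, that the server-to-server logons switched to the Kerberos package.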