RSS Viewer web part and authenticated feeds
This blog posting applies to Microsoft Office SharePoint Server 2007.
Changing to Kerberos authentication
1. On the Central Administration page, click Application Management.
2. Under the Application Security section, click Authentication Providers.
3. Click the Default provider, and change Integrated Windows authentication to Negotiate (Kerberos).
If SharePoint and the databases it uses are hosted on the same server, this is the only change required to enable RSS Viewer functionality to RSS feeds hosted by SharePoint.
If the SharePoint databases are hosted on a different server than the one hosting SharePoint, further configuration is required to enable Kerberos delegation. This is the recommended scenario for farm deployments. To enable Kerberos delegation for a SharePoint web application, the account used for its application pool identity must be configured as “trusted for delegation” and have an SPN registered (see below). If using Network Service for the AppPool identity, this applies to the machine account. Otherwise, it applies to the domain account configured for the AppPool identity. The machine account of the database server must also have an SPN registered, although it is not necessary for it to be trusted for delegation. The end-user accounts require neither an SPN nor “trusted for delegation.”
In an AD environment whose Domain Functional Level is set to Windows Server 2003, this level of trust can be focused using Constrained Delegation. This ensures that the delegation trust is only permitted between the SharePoint WFE servers and the correct database server.
The MSDN article Security Briefs: Credentials and Delegation discusses several topics regarding SPNs and Kerberos delegation that are appropriate for this scenario, including use of the SETSPN and KERBTRAY tools, the "trusted for delegation" attribute, and how to configure Kerberos constrained delegation.
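The following PowerShell script is an added example (not part of the original post) that audits the delegation prerequisites listed above: the HTTP SPN on the app pool identity, the “trusted for delegation” flag or a constrained-delegation target list, and the SPN on the database server's account. The account and host names are placeholders; it assumes a domain-joined machine with read access to Active Directory and uses only System.DirectoryServices, so it works without any AD cmdlets.

```powershell
# Added example: check the Kerberos delegation prerequisites for a MOSS web application.
# Placeholder values; replace with your own farm's names.
$AppPoolAccount = 'CONTOSO\svc-mosspool'   # app pool identity (domain user, or MACHINE$ for Network Service)
$SqlHost        = 'sqlserver01'            # database server host name
$WebUrlHost     = 'portal.contoso.com'     # host name in the web application URL

$TRUSTED_FOR_DELEGATION = 0x80000          # userAccountControl bit set by "Trust this user for delegation"

function Get-AdAccount([string]$SamAccountName) {
    # Look an account up by sAMAccountName and load only the attributes we need
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
    return $searcher.FindOne()
}

$sam  = $AppPoolAccount.Split('\')[-1]
$pool = Get-AdAccount $sam
if (-not $pool) { throw "Account $sam not found in Active Directory" }

$spns        = @($pool.Properties['servicePrincipalName'])
$uac         = [int]$pool.Properties['userAccountControl'][0]
$constrained = @($pool.Properties['msDS-AllowedToDelegateTo'])

# 1. The web application's HTTP SPN must be registered on the app pool identity.
"HTTP/$WebUrlHost registered on $sam : $($spns -contains "HTTP/$WebUrlHost")"

# 2. The identity must be trusted for delegation: either unconstrained (UAC flag)
#    or constrained to specific target services (msDS-AllowedToDelegateTo).
"Unconstrained delegation          : $(($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)"
"Constrained delegation targets    : $($constrained -join ', ')"

# 3. The database server needs an MSSQLSvc SPN but need not be trusted for delegation.
#    The post describes the machine account; if SQL Server runs as a domain account,
#    the SPN lives on that account instead, so look it up there.
$sqlAcct = Get-AdAccount "$SqlHost`$"
$sqlSpns = if ($sqlAcct) { @($sqlAcct.Properties['servicePrincipalName']) } else { @() }
$hasSqlSpn = @($sqlSpns | Where-Object { $_ -like "MSSQLSvc/$SqlHost*" }).Count -gt 0
"MSSQLSvc SPN on $SqlHost`$        : $hasSqlSpn"

# 4. With constrained delegation, the SQL SPN must be among the permitted targets,
#    which limits the trust to the WFE -> database hop the post recommends.
if ($constrained.Count -gt 0) {
    $allowed = @($constrained | Where-Object { $_ -like "MSSQLSvc/$SqlHost*" }).Count -gt 0
    "Constrained delegation to $SqlHost : $allowed"
}
```

Every line should report True before the RSS Viewer web part is expected to reach authenticated feeds on a separate database server; a missing SPN or delegation flag is fixed with SETSPN and the account's Delegation tab as described in the MSDN article.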
SPN
RSS Viewer web part authentication requirements
In B2, configuring the RSS Viewer web part to display an RSS feed from a MOSS site nearly always worked without difficulty. In B2TR, you may encounter a stubborn error, “The RSS webpart does not support authenticated feeds,” when trying to display an RSS feed from a MOSS site. The authentication behavior has changed to match the original design, which was not implemented properly in B2. RSS Viewer will now only work with authenticated feeds (the default for MOSS) when the MOSS server is set up with Kerberos authentication. Technical details: in B2, the machine account was used to access the feed; since this account is part of “All Authenticated Users,” most feeds just worked. However, use of the machine account was considered to pose a security vulnerability. In B2TR, this was fixed to connect to feeds as anonymous, and delegation support was then explicitly added by having ASP.NET negotiate the authentication mechanism.
Comments
Anonymous
December 14, 2006
hello, if i enable anonymous access to my moss 2007 site, the receiver of rss feed from my site shouldn't have this authentication issue, correct? thanx...a
Anonymous
March 22, 2007
Undoubtedly, RSS feeds are one of the coolest things about WSS v3. One solution I can see is, as a MOSS
Anonymous
April 27, 2007
Do you have to be on AD 2003 to get the RSS Viewer to work with SharePoint List? We are on AD 2000 and cannot get internal RSS feeds to work.
Anonymous
January 27, 2008
Body: If you have already tried to use the RSS feeds generated by SharePoint for lists and
Anonymous
April 18, 2008
Trying to set up RSS feeds from a SharePoint feed might result in the error message "The RSS webpart
Anonymous
December 23, 2008
RSS Viewer Web Part - Forbidden Error
Anonymous
March 01, 2009
One of the shortcomings of the RSS Viewer web part is that it can only be bound to one feed. In this walkthrough,