Configure Kerberos-authenticated sites for crawling
Applies To: Office SharePoint Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2008-08-25
In this article:
Solution prerequisites
Overview steps for Solution 1
Deploy Solution 1 (Configure a new Web site to use Kerberos)
Overview steps for Solution 2
Deploy Solution 2 (Configure an existing Web site to use Kerberos)
Kerberos authentication provides increased security over NTLM, which is the default authentication mechanism for Microsoft Office SharePoint Server 2007 Web applications: Kerberos supports mutual authentication and does not expose a password-derived challenge response that an attacker could relay to another server. However, be aware that the index component on the index server, often called the crawler, cannot crawl Kerberos-authenticated sites that are configured on a non-standard port. A non-standard port is any port other than TCP port 80 (HTTP) or TCP port 443 (HTTPS).
The polling order for Web application zones affects crawling. The crawler always begins by polling the Default zone. If that zone uses Kerberos authentication on a port other than 80 or 443, the crawler does not fall back to the next zone in the polling order, and none of the content of the Web application is crawled. The content is therefore neither indexed nor returned in the results of search queries. For more information about how polling order works with the crawler, see the "Plan authentication for crawling content" section in Plan authentication methods (Office SharePoint Server).
This article applies to both stand-alone and server farm Office SharePoint Server 2007 deployments. This article provides one solution for crawling sites that use Kerberos authentication in the default zone and one solution for crawling sites that use NTLM in the default zone and Kerberos authentication in another zone. No matter which solution you use, end users who access Web applications that use Kerberos for authentication will be able to get results of search queries. The solutions are:
Solution 1: Create a Web application that uses Kerberos for authentication in the Default zone and configure it to use a standard port. This is the preferred solution because users that authenticate by using Kerberos do not need to specify a port number in the URL of their sites. If you cannot deploy this solution, use Solution 2.
Solution 2: Create a Web application that uses NTLM authentication, and then extend the Web application to a second zone that uses Kerberos authentication. The crawler can then crawl the content through the Default zone by using NTLM authentication, while end users reach the same content through the Kerberos zone. Deploy this solution if you cannot use Kerberos authentication on a standard port.
Solution prerequisites
The procedures included in these solutions require the following types of administrators:
Domain Name System (DNS) administrator
Server administrator
Search service administrator
Farm administrator
Internet Information Services (IIS) administrator
Other requirements include:
Software configuration as described in Configure Kerberos authentication (Office SharePoint Server).
Active Directory domain controller running Windows Server 2003 with the latest service pack and the latest updates applied from the Windows Update site (https://go.microsoft.com/fwlink/?LinkID=101614).
The Setspn.exe tool, which is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Server 2003 Support Tools, double-click SUPPTOOLS.MSI in the Support\Tools folder on the Windows Server 2003 CD. The Setspn.exe tool is also included with the Microsoft Windows 2000 Resource Kit tools. To obtain this tool, visit the Windows 2000 Resource Kit Tool : Setspn.exe site (https://go.microsoft.com/fwlink/?LinkId=28103).
These solutions assume the following:
Your server farm is already configured and running.
The Office SharePoint Server Search service (oSearch) is running and all configuration settings that are required to crawl content have been implemented. For more information, see Plan to crawl content (Office SharePoint Server) and Getting your content crawled (Office SharePoint Server 2007).
You have domain administrator-level permissions so that you can create a Service Principal Name (SPN).
You have the information necessary to create an SPN. For more information, see Configure Kerberos authentication (Office SharePoint Server).
(Solution 1 only) You do not have another Web application that is using the same standard TCP port number (either TCP 80 or SSL port 443) and hostname.
Overview steps for Solution 1
Create a Web application that uses Kerberos authentication.
Assign either port 80 or port 443 to the new Web application.
Create SPNs in Active Directory.
Confirm that browsing to the Web application is successful.
Ensure that the crawler has been granted the read permission-level or higher on the Web application.
Confirm correct search crawling behavior.
Confirm that search queries return accurate results.
Publish the URL to your end users.
Deploy Solution 1
Create a Web application that uses Kerberos authentication
Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
Click the Application Management tab.
On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
On the Create or Extend Web Application page, click Create a new Web application.
On the Create New Web Application page, in the IIS Web Site section, accept the default setting, Create a new IIS web site, and then type a name for the Web site in the Description box.
In the Port box, type 80 or 443. If you use port 443, you must also select Use SSL.
Specify an IIS host header for the Web site.
For more information about configuring SSL for a Web site using an IIS host header, see Configuring SSL Host Headers (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=111285).
In the Security Configuration section, select Negotiate (Kerberos).
In the Application Pool section, accept the default setting, Create new application pool, and specify the security account for the new application pool.
Click OK.
Restart IIS.
To restart IIS, at a command prompt, type the following command, and then press ENTER:
Iisreset /restart /noforce
Close the command prompt.
Update DNS/WINS to resolve the IIS host header to the IP address of the Web front-end server. Use a host (A) record, not a CNAME record: Windows clients that resolve a CNAME may build the SPN from the canonical target name, which will not match the SPN that you register for the host header.
Create SPNs in Active Directory
Use the Setspn.exe tool from the Windows Server 2003 Support Tools to create two SPNs for the Web application that is configured for Kerberos authentication. One SPN uses the NetBIOS name of the Web application and the other uses its DNS fully qualified domain name (FQDN). Because the Web application uses a standard port, the SPNs carry no port number. Use the following syntax:
Setspn.exe -A HTTP/ServerName AdDomain\UserName
where HTTP is the service class; ServerName is either the NetBIOS name or the FQDN; AdDomain is the Active Directory domain; and UserName is the identity of the Web application's application pool. Register the SPNs on the account that the application pool actually runs as: a domain user account if the pool uses one, or the computer account of the front-end Web server if the pool runs as Network Service. An SPN that is registered on more than one account breaks Kerberos authentication for that service, so list the SPNs on the account with Setspn.exe -L AdDomain\UserName after you add them. The Windows Server 2003 version of Setspn.exe cannot search for duplicates across accounts; if you suspect one, query Active Directory for the servicePrincipalName value and remove the duplicate with Setspn.exe -D before continuing.
The following examples show what the SPNs would look like if the host header that you configured for a Web application is server1.contoso.com.
NetBIOS SPN: HTTP/server1
FQDN SPN: HTTP/server1.contoso.com
Confirm that browsing to the Web application by using Kerberos authentication is successful
Log on to a computer that is in the same domain as your server farm. Ensure that the computer is not a front-end Web server in your farm.
Important
Do not verify correct Kerberos authentication behavior directly on one of the computers that is hosting the Web sites using Kerberos authentication. Instead, verify this behavior from a separate computer in the domain.
Open a Web browser on this other computer and browse to the URL of your Web application.
The home page of the Kerberos-authenticated Web application should be displayed. For more information about confirming that Kerberos authentication was used to access the Web application, see the "Confirm successful access to the Web applications using Kerberos authentication" section in Configure Kerberos authentication (Office SharePoint Server).
Ensure the crawler has been granted the read permission-level or higher on the Web application
To enable the crawler to be authenticated by the Web application, the crawler must be granted the read permission-level or higher on that Web application. Otherwise crawling will fail. Ensure that one of the following conditions is true:
A crawl rule exists that specifies a domain account that has been granted the read permission-level or higher on the Web application.
The domain account assigned to the default content access account has been granted the read permission-level or higher on the Web application.
For information about crawl rules and the default content access account, see Configure how the crawler authenticates (Office SharePoint Server 2007).
Confirm correct search crawling behavior
On the Shared Services Administration page, in the Search section, click Search settings.
On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
Note
By default, when a farm administrator creates or extends a Web application, the URL of that Web application is automatically added to the default content source. This content source is named Local Office SharePoint Server sites, by default. You can use the default content source to perform a full crawl of the new Web application, but doing so also crawls every other Web application specified in that content source. Because you must perform a full crawl of the new Web application, using the default content source can take a significant amount of time depending on the amount of content being crawled. Consider creating a new content source for the new Web application to avoid crawling all content in the default content source. If you do this, first remove the URL of the Web application from the default content source. For information about creating a content source, see Add a content source to crawl SharePoint sites, Web sites, file shares, or Microsoft Exchange public folders (Office SharePoint Server).
On the Manage Content Sources page, point to the content source you want to crawl, click the arrow that appears, and then click Start Full Crawl on the menu that appears.
Note
The value in the Status column changes to Crawling Full for the content source you selected in this step. However, the value in the Status column on the page does not automatically change when the crawl is completed. To update the Status column, you must refresh the Manage Content Sources page by clicking Refresh.
Wait for the crawl to complete. If the crawl fails with "access denied" errors, either the content access account does not have access to the content source or Kerberos authentication has failed (for example, because an SPN is missing or is registered on more than one account). You must correct this error before proceeding, because you must complete a full crawl of the Kerberos-authenticated Web application before you can confirm that search queries return accurate results. For more information about the content access account, see Ensure the crawler has been granted the read permission-level or higher on the Web application.
Confirm that search queries return accurate results
Log on to a computer that is in the same domain as your server farm. Ensure that the computer is not a front-end Web server in your farm.
Open a Web browser on that computer and browse to the top-level site of the Web application that you crawled.
When the home page is displayed, select the This Site search scope.
Type a keyword in the Search field and press ENTER.
Tip
Use a keyword that exists in your Web site.
Confirm that Search Query results are returned for the Web application. If they are not, confirm the following:
The keyword that you have typed is a word that exists in your Web application.
Indexing is running correctly.
The Office SharePoint Server Search service is running on your index and query servers.
If your index server is not also a query server, verify that there are no problems with search propagation from your index server to your query servers.
Publish the URL for the Kerberos-authenticated Web application to your end users.
Overview steps for Solution 2
Create a Web application that uses NTLM authentication, which is the default authentication method.
Extend the new Web application, which uses NTLM authentication in the Default zone, to a different zone that uses Kerberos authentication.
Either let IIS assign a random port or supply a non-standard port of your choice, and configure the zone of the extended Web application for Kerberos authentication.
Create SPNs for the zone configured for Kerberos authentication to include the port number and configure your browser.
Confirm that browsing to the extended Web application by using Kerberos authentication is successful.
Confirm that browsing to the Web application by using NTLM authentication is successful.
Ensure the crawler has been granted the read permission-level or higher on the Web application.
Confirm correct search crawling behavior.
Confirm that search queries return accurate results.
Publish the URL for the zone of the Web application that uses Kerberos authentication to your end users. Ensure that the URL contains the port number.
Deploy Solution 2
Create a Web application that uses NTLM authentication
On the Central Administration home page, click the Application Management tab.
On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
On the Create or Extend Web Application page, click Create a new Web application.
On the Create New Web Application page, in the IIS Web Site section, accept the default setting, Create a new IIS web site, and then type a name for the Web site in the Description box.
In the Port box, do one of the following:
Type 80 or 443. If you use port 443, you must also select Use SSL.
Type a non-standard port number or let IIS assign a non-standard port number.
Specify an IIS host header for the Web site.
For more information about configuring SSL for a Web site by using an IIS host header, see Configuring SSL Host Headers (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=111285).
In the Security Configuration section, accept the default setting, NTLM.
In the Application Pool section, accept the default setting, Create new application pool, and specify the security account for the new application pool.
Click OK.
Restart IIS.
To restart IIS, at a command prompt, type the following command, and then press ENTER:
Iisreset /restart /noforce
Close the command prompt.
Update DNS/WINS to resolve the IIS host header to the IP address of the Web front-end server. Use a host (A) record, not a CNAME record: Windows clients that resolve a CNAME may build the SPN from the canonical target name, which will not match the SPN that you register for the host header.
Extend a Web application to use Kerberos authentication
On the Create or Extend Web Application page, click Extend an existing Web application.
On the Extend Web Application to Another IIS Web Site page, in the Web Application section, on the Web Application menu, click Change Web Application.
On the Select Web Application page, click the Web application that you just created.
In the IIS Web Site section, configure the settings for an extended Web application.
In the Description box, optionally type a description for the extended Web application.
Do one of the following:
In the Port box, type the port number that you want to use.
Let IIS assign a random port number.
In the Security Configuration section, select Negotiate (Kerberos).
In the Load Balanced URL section, select the zone that you want to use, for example, Intranet.
Click OK.
Restart IIS.
To restart IIS, at a command prompt, type the following command, and then press ENTER:
iisreset /restart /noforce
Restart IIS in the same way on every front-end Web server in the server farm.
Close the command prompt.
Create SPNs in Active Directory and configure your browser
Use the Setspn.exe tool from the Windows Server 2003 Support Tools to create two SPNs for the extended Web application, one with the NetBIOS name and one with the FQDN. Because this zone uses a non-standard port, both SPNs must include the port number. Use the following syntax:
Setspn.exe -A HTTP/ServerName:Port AdDomain\UserName
where HTTP is the service class; ServerName is either the NetBIOS name or the FQDN; Port is the non-standard or random port assigned to the extended Web application; AdDomain is the Active Directory domain; and UserName is the identity of the extended Web application's application pool. As in Solution 1, register the SPNs on the account that the application pool runs as, and make sure that no other account already holds the same SPN.
If you are using Internet Explorer as your browser, be aware that by default it omits the port number from the SPN it requests. The ticket it obtains then does not match the SPNs you just registered, and authentication silently falls back to NTLM. Configure Internet Explorer on every client computer to include the port number in SPNs; for instructions, see Knowledge Base article 908209 (https://go.microsoft.com/fwlink/?LinkId=99681).
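The SPN registration described in this procedure and in the Solution 1 procedure "Create SPNs in Active Directory", together with the Knowledge Base 908209 browser setting, as an added PowerShell example that is not part of the original article. It assumes Setspn.exe from the Support Tools is on the path, that the script runs as a domain administrator on a domain-joined computer (local administrator rights are also needed for the registry change), and that server1.contoso.com, CONTOSO\svc_sp_apppool and port 8080 are placeholders; the registry key name is the one given in KB 908209. Before each Setspn.exe -A the script queries Active Directory for the SPN, because an SPN that two accounts hold breaks Kerberos for that service and the browser then falls back to NTLM without any visible error.

```powershell
# Added example, not code from the original article. Registers the HTTP SPNs for a
# Kerberos zone (Solution 1: standard port, no port in the SPN; Solution 2: the
# non-standard port appended), refuses to add an SPN another account already holds,
# and then applies the KB 908209 setting that makes Internet Explorer put the port
# in the SPN it requests. Placeholders: server1.contoso.com, CONTOSO\svc_sp_apppool, 8080.
param(
    [string]$HostHeader     = 'server1.contoso.com',    # IIS host header (assumed)
    [string]$AppPoolAccount = 'CONTOSO\svc_sp_apppool', # application pool identity (assumed);
                                                        # use CONTOSO\SERVER1$ if the pool runs as Network Service
    [int]   $Port           = 0                         # 0 = port 80/443 (Solution 1); for example 8080 for Solution 2
)

function Get-HttpSpnNames {
    # Returns the NetBIOS and FQDN forms of the SPN, with ":port" only for a non-standard port.
    param([string]$Fqdn, [int]$Port)
    $suffix = ''
    if ($Port -gt 0 -and $Port -ne 80 -and $Port -ne 443) { $suffix = ":$Port" }
    $netbios = $Fqdn.Split('.')[0]
    return @("HTTP/$netbios$suffix", "HTTP/$Fqdn$suffix")
}

function Get-SpnOwners {
    # LDAP search for every account that already carries this SPN. The Windows
    # Server 2003 Support Tools version of Setspn.exe has no duplicate search (-Q).
    param([string]$Spn)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]('LDAP://' + $rootDse.defaultNamingContext)
    $searcher.Filter     = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $owners = @()
    foreach ($result in $searcher.FindAll()) {
        $owners += [string]$result.Properties['samaccountname'][0]
    }
    return $owners
}

function Register-HttpSpn {
    # Adds the SPN to the account unless some account (this one included) already has it.
    param([string]$Spn, [string]$Account)
    $owners = Get-SpnOwners $Spn
    if ($owners.Count -gt 0) {
        $list = [string]::Join(', ', $owners)
        throw "SPN $Spn is already registered on: $list. Remove the duplicate (setspn -D) before continuing."
    }
    & setspn.exe -A $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $Spn $Account failed with exit code $LASTEXITCODE" }
}

function Enable-IePortInSpn {
    # KB 908209 FeatureControl key. It is per client computer, so deploy it to every
    # client (for example by Group Policy); without it Solution 2 users never get Kerberos.
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
    if (-not (Test-Path $key)) { [void](New-Item -Path $key -Force) }
    Set-ItemProperty -Path $key -Name 'iexplore.exe' -Value 1 -Type DWord
}

foreach ($spn in (Get-HttpSpnNames -Fqdn $HostHeader -Port $Port)) {
    Register-HttpSpn -Spn $spn -Account $AppPoolAccount
}
& setspn.exe -L $AppPoolAccount          # show the SPNs now on the account
if ($Port -gt 0) { Enable-IePortInSpn }  # only needed when the zone uses a non-standard port
```

Run it once per Kerberos zone: with the default -Port 0 for Solution 1, or with -Port 8080 (or whatever port IIS assigned) for the extended Web application in Solution 2. The LDAP check is what protects you from the silent-NTLM failure mode; Setspn.exe -A alone will happily create the duplicate.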
Confirm that browsing to the Web application by using Kerberos authentication is successful
Log on to a computer that is in the same domain as your server farm.
Important
Do not verify correct Kerberos authentication behavior directly on one of the computers that is hosting the Web sites using Kerberos authentication. Instead, verify this behavior from a separate computer in the domain.
Open a Web browser on this other computer and browse to the URL of your Web application that is in the zone that is configured for Kerberos authentication.
The home page of the Kerberos-authenticated Web application should render. For more information about confirming that Kerberos authentication was used to access the Web application, see the "Confirm successful access to the Web applications using Kerberos authentication" section in Configure Kerberos authentication (Office SharePoint Server).
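The check that this procedure and the Solution 1 procedure "Confirm that browsing to the Web application by using Kerberos authentication is successful" both refer to, as an added PowerShell example that is not part of the original article: it reads successful network logons from the Security log of the front-end Web server and reports whether the test user's sessions were authenticated by the Kerberos package or by NTLM. It assumes that success auditing of logon events is enabled on that server, that you have rights to read its Security log, and that server1 and alice are placeholders; the event text at the end is a constructed sample, not a real capture.

```powershell
# Added example, not code from the original article. A Kerberos zone that still
# produces NTLM logons for the test user points at a missing or duplicate SPN, a
# non-standard port without the KB 908209 setting, or a browser that does not treat
# the site as Local intranet. Placeholders: server1 (front-end), alice (test user).

function Get-LogonAuthPackage {
    # Pure parser over the message text of event 540 (Windows Server 2003) or
    # 4624 (Windows Server 2008 and later). Returns user, logon type and the
    # authentication package (Kerberos or NTLM).
    param([string]$Message)
    # 4624 lists 'Account Name:' twice (subject, then the new logon); the last match
    # is the logon that matters. 540 uses 'User Name:' once.
    $users = [regex]::Matches($Message, '(?:Account Name|User Name):\s*(\S+)')
    $user  = ''
    if ($users.Count -gt 0) { $user = $users[$users.Count - 1].Groups[1].Value }
    $type  = [regex]::Match($Message, 'Logon Type:\s*(\d+)').Groups[1].Value
    $pkg   = [regex]::Match($Message, 'Authentication Package:\s*(\S+)').Groups[1].Value
    $info = New-Object PSObject
    $info | Add-Member NoteProperty User      $user
    $info | Add-Member NoteProperty LogonType $type
    $info | Add-Member NoteProperty Package   $pkg
    return $info
}

function Get-WebLogonSummary {
    # Counts network logons (type 3, which is what IIS produces) per authentication
    # package for one user, over the newest $Newest logon events on the front-end.
    param([string]$ComputerName = 'server1', [string]$User = 'alice', [int]$Newest = 500)
    Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest -InstanceId 540, 4624 |
        ForEach-Object { Get-LogonAuthPackage $_.Message } |
        Where-Object { $_.User -eq $User -and $_.LogonType -eq '3' } |
        Group-Object Package |
        Select-Object Name, Count
}

# Constructed sample (not a real capture) so the parser can be exercised offline.
$sample = @"
Successful Network Logon:
 	User Name:	alice
 	Domain:		CONTOSO
 	Logon ID:		(0x0,0x3E7B1)
 	Logon Type:	3
 	Logon Process:	Kerberos
 	Authentication Package:	Kerberos
 	Workstation Name:	
"@
Get-LogonAuthPackage $sample        # User = alice, LogonType = 3, Package = Kerberos

# Against the real server, after browsing to the Kerberos zone as the test user:
# Get-WebLogonSummary -ComputerName server1 -User alice
```

Browse to the Kerberos zone from the separate client computer first, then run Get-WebLogonSummary; a healthy deployment shows only Kerberos for that user. For Solution 2, run the same check after browsing to the NTLM zone and expect NTLM there, which confirms that the two zones are behaving as intended rather than both quietly using NTLM.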
Confirm that browsing to the Web application by using NTLM authentication is successful
Log on to a computer that is in the same domain as your server farm.
Important
Do not verify correct NTLM authentication behavior directly on one of the computers that is hosting the Web sites you are browsing. Instead, verify this behavior from a separate computer in the domain.
Open a Web browser on this other computer and browse to the URL of your Web application that is in the zone configured for NTLM authentication.
The home page of the NTLM-authenticated Web application should render. If you do not see the home page, investigate and correct the error.
Ensure the crawler has been granted the read permission-level or higher on the Web application
To enable the crawler to be authenticated by the Web application, the crawler must be granted the read permission-level or higher on that Web application. Otherwise crawling will fail. Ensure that one of the following conditions is true:
A crawl rule exists that specifies a domain account that has been granted the read permission-level or higher on the Web application.
The domain account assigned to the default content access account has been granted the read permission-level or higher on the Web application.
For information about crawl rules and the default content access account, see Configure how the crawler authenticates (Office SharePoint Server 2007).
Confirm correct search crawling behavior
On the Shared Services Administration page, in the Search section, click Search settings.
On the Configure Search Settings page, in the Crawl Settings section, click Content sources and crawl schedules.
On the Manage Content Sources page, point to the content source that contains the URL for the NTLM Web application that you created earlier, click the arrow that appears, and then click Start Full Crawl on the menu that appears.
Note
The value in the Status column changes to Crawling Full for the content source you selected in this step. However, the value in the Status column on the page does not automatically change when the crawl is completed. To update the Status column, you must refresh the Manage Content Sources page by clicking Refresh.
Wait for the crawl to complete and then view the crawl logs for the content source that you crawled to verify that the crawl has not failed with "access denied" errors. If the crawl failed with "access denied" errors, the content access account used by the crawler might not have access to the Web sites in the Web application. You must correct this error before going to the next step, because you must complete a full crawl of the Web application (which the crawler reaches through its NTLM zone) before you can confirm that search queries return accurate results. For more information about the content access account, see Ensure the crawler has been granted the read permission-level or higher on the Web application, earlier in this solution.
Confirm that search queries return accurate results
Log on to a computer that is in the same domain as your server farm. Ensure that the computer is not a front-end Web server in your farm.
Open a Web browser on that computer and browse to the top-level site of the Web application that you crawled.
When the home page renders, select the This Site search scope.
Type a search keyword in the Search field and press ENTER.
Tip
Use a keyword that exists in your Web site.
Confirm that Search Query results are returned for the Web application. If they are not, confirm the following:
The keyword that you have typed is a word that exists in your Web application.
View the crawl logs for the content source that you crawled to ensure that indexing is running correctly.
The Office SharePoint Server Search service is running on your index and query servers.
If your index server is not also a query server, verify that there are no problems with search propagation from your index server to your query servers.
Publish the URL for the Kerberos-authenticated Web application to your end users and ensure that the URL contains a port number.