If I had a mailbag, this blog post would come from it. I got this email from Leo Ortiz:
We are getting ready to install SharePoint 2013 and I am reading the new SharePoint 2013 Administration book.
My question, very briefly, is why you wouldn't use Kerberos for Central Administration. The book didn't really provide an explanation other than it is not a farm-wide effect. Thank you for all your assistance. Again, a brief answer is ok.
I like this; Leo is holding my feet to the fire. It’s not enough that we say you shouldn’t do something. He’s not going to take our word for it, and who can blame him, I don’t trust us either. He wants to know why. Seems like a reasonable question. He went to all the trouble of buying the book (at least I hope he did); the least I can do is try to defend our position. Here’s what I sent back:
If you’ve ever enabled Kerberos in SharePoint you know it’s not a simple process, and unless everything is lined up perfectly, it won’t work. And the things that can go wrong are often outside the purview of the SharePoint administrator. Kerberos can be screwed up by DNS issues, AD issues, network issues, etc. When you flip the Kerberos switch and you can’t log in, what do you do? You go into Central Admin and switch it back. Except it’s actually Central Admin that’s broken! Now what do you do?? Of course you can break out PowerShell, but it’s still a pain.
But what it comes down to is there is a lot of risk with Kerberos, but there’s no reward. What does enabling Kerberos in Central Admin get you? In most cases Kerberos is enabled to support BI scenarios, which of course don’t exist in Central Admin. Another reason to use Kerberos is security. On paper, it’s easier to crack a password from a network trace if the web app is using NTLM instead of Kerberos. Considering the limited amount of time people spend in Central Admin, and that the traffic is exclusively internal, I don’t think it’s much of a risk. I think the risk of Kerberos locking you out of Central Admin is greater.
So that’s why we don’t recommend Kerberos for Central Admin. There are a lot of risks with Kerberos and in our opinion the rewards aren’t worth it. I hope that helps.
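The reply above mentions falling back to PowerShell when Central Admin itself is the web application you can no longer log in to. Here is what that fallback looks like, as an added example that is not from the original post or from the SharePoint 2013 Administration book. It assumes a SharePoint 2013 farm, an elevated SharePoint 2013 Management Shell run as a farm administrator on a farm server, and that the Default zone is the one that was switched to Kerberos; it puts the Default zone of Central Administration back on NTLM whether the web application is claims-based (the 2013 default) or classic mode.

```powershell
# Added example (not the book's or the original post's script). Assumes SharePoint 2013,
# an elevated SharePoint 2013 Management Shell on a farm server, run as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Find Central Administration. Get-SPWebApplication hides it unless you
#    ask for it explicitly, so filter on IsAdministrationWebApplication.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
if (-not $ca) { throw "Central Administration web application not found." }

$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# 2. Report what the Default zone is doing right now before touching anything.
#    DisableKerberos = $true means NTLM; $false means Negotiate (Kerberos).
$iis = $ca.GetIisSettingsWithFallback($zone)
"Central Admin URL : {0}" -f $ca.Url
"Claims auth       : {0}" -f $ca.UseClaimsAuthentication
"Kerberos disabled : {0}" -f $iis.DisableKerberos

if ($iis.DisableKerberos) {
    "Default zone is already on NTLM; nothing to change."
    return
}

# 3. Force the Default zone back to NTLM.
if ($ca.UseClaimsAuthentication) {
    # Claims-based Windows authentication: rebuild the provider with Kerberos off
    # and re-apply it to the zone.
    $provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos
    Set-SPWebApplication -Identity $ca -Zone $zone -AuthenticationProvider $provider
} else {
    # Classic-mode web application: set the zone's authentication method directly.
    Set-SPWebApplication -Identity $ca -Zone $zone -AuthenticationMethod NTLM
}

# 4. Re-read the object and confirm the change took.
$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
"Kerberos disabled now: {0}" -f $ca.GetIisSettingsWithFallback($zone).DisableKerberos
```

The check in step 2 is the part worth keeping even if you never run step 3: it tells you from the shell which zone is on Negotiate versus NTLM without needing the Central Admin UI. After the change, run `iisreset` on each web server if browsers still get prompted, since the IIS authentication settings are pushed out to the servers rather than changed in place.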
In later emails with Leo he confirmed that this explanation answered his question. After I did all that typing I thought, “Cool, free blog post!” and here it is. Thanks, Leo.