Todd Klindt's Office 365 Admin Blog
September 11, 2013
Should I use Kerberos for Central Admin?

If I had a mailbag, this blog post would come from it. I got this email from Leo Ortiz:

We are getting ready to install SharePoint 2013 and I am reading the new SharePoint 2013 Administration book.
My question, very briefly, is why you wouldn't use Kerberos for Central Administration. The book didn't really provide an explanation other than it is not a farm-wide effect. Thank you for all your assistance. Again, a brief answer is ok.

I like this; Leo is holding my feet to the fire. It’s not enough that we say you shouldn’t do something. He’s not going to take our word for it, and who can blame him? I don’t trust us either. He wants to know why. Seems like a reasonable question. He went to all the trouble of buying the book (at least I hope he did), so the least I can do is try to defend our position. Here’s what I sent back:

Leo,

If you’ve ever enabled Kerberos in SharePoint you know it’s not a simple process, and unless everything is lined up perfectly, it won’t work. And the things that can go wrong are often outside the purview of the SharePoint administrator. Kerberos can be broken by DNS issues (the host name users browse to has to resolve, and it has to be the name the SPN was registered for), AD issues (a missing or duplicate HTTP SPN on the application pool account), network issues, clock skew between client, server and domain controller, etc. When you flip the Kerberos switch and you can’t log in, what do you do? You go into Central Admin and switch it back. Except it’s actually Central Admin that’s broken! Now what do you do? Of course you can break out PowerShell, but it’s still a pain.

But what it comes down to is that there is a lot of risk with Kerberos and no reward. What does enabling Kerberos in Central Admin get you? In most cases Kerberos is enabled to support BI scenarios, where the user’s identity has to be delegated to a back-end data source, and those scenarios don’t exist in Central Admin. The other reason to use Kerberos is security. On paper, NTLM is the weaker choice: its challenge/response exchange can be captured from a network trace and brute-forced offline or relayed, while a Kerberos service ticket is encrypted with the service account’s key and does not carry the user’s password material. Considering the limited amount of time people spend in Central Admin, and that the traffic is exclusively internal, I don’t think it’s much of a risk. I think the risk of Kerberos locking you out of Central Admin is greater.

So that’s why we don’t recommend Kerberos for Central Admin. There are a lot of risks with Kerberos, and in our opinion the rewards aren’t worth it for this one web application. I hope that helps.
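The argument above rests on the pieces that live outside SharePoint: DNS, the SPN on the app pool account, and the "switch it back" step when the Central Admin UI is the thing that is broken. The following is an added example (the editor's PowerShell, not code from the post or from the book) that checks those prerequisites before you flip the switch and keeps the NTLM rollback next to it. It assumes the SharePoint 2013 Management Shell (Microsoft.SharePoint.PowerShell snap-in), setspn.exe on the path, a domain account running the Central Admin application pool, and that it is run as a farm administrator on a farm server; the function names are the editor's own.

```powershell
# Added example (editor's code, not from the original post).
# Pre-flight checks for putting Central Admin on Kerberos, plus the PowerShell
# rollback for when the CA site itself is locked out.
# Assumptions: SharePoint 2013 Management Shell, setspn.exe on the path, the CA
# application pool runs as a domain account, run as a farm admin on a farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CentralAdminWebApplication {
    # Central Admin is left out of Get-SPWebApplication unless explicitly asked for.
    Get-SPWebApplication -IncludeCentralAdministration |
        Where-Object { $_.IsAdministrationWebApplication }
}

function Test-CentralAdminKerberosPrereqs {
    $ca     = Get-CentralAdminWebApplication
    $zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $iis    = $ca.IisSettings[$zone]
    $caHost = ([Uri]$ca.Url).Host          # the SPN must match the name users browse to
    $acct   = $ca.ApplicationPool.Username # DOMAIN\user that must own HTTP/<host>
    $spn    = "HTTP/$caHost"               # no port: IE and other Windows clients omit it by default

    # Does the host name resolve at all? A stale DNS record is a classic Kerberos breaker.
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostEntry($caHost) } catch { $resolves = $false }

    # setspn -Q: is the SPN registered anywhere in the forest?
    # setspn -L: which SPNs sit on the app pool account?
    # setspn -X: are there duplicate SPNs (the KDC then issues tickets for the wrong key)?
    $query  = (& setspn.exe -Q $spn  2>&1) -join "`n"
    $onAcct = (& setspn.exe -L $acct 2>&1) -join "`n"
    $dupes  = (& setspn.exe -X       2>&1) -join "`n"

    [pscustomobject]@{
        CentralAdminUrl = $ca.Url
        AppPoolAccount  = $acct
        KerberosEnabled = -not $iis.DisableKerberos
        HostResolves    = $resolves
        SpnRegistered   = $query  -match 'Existing SPN found'
        SpnOnAppPool    = $onAcct -match [regex]::Escape($spn)
        DuplicateSpn    = $dupes  -match [regex]::Escape($spn)
    }
}

function Disable-CentralAdminKerberos {
    # The "switch it back" from the post, done without the CA UI:
    # put the Default zone back on NTLM and re-provision IIS on every server.
    $ca   = Get-CentralAdminWebApplication
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $ca.IisSettings[$zone].DisableKerberos = $true
    $ca.Update()               # persist to the configuration database
    $ca.ProvisionGlobally()    # push the IIS change to every server in the farm
}

# Usage: run the check before enabling Kerberos. Only proceed when HostResolves,
# SpnRegistered and SpnOnAppPool are True and DuplicateSpn is False.
Test-CentralAdminKerberosPrereqs | Format-List
```

If the check passes and login still fails after the switch, run Disable-CentralAdminKerberos from the Management Shell on any farm server; it needs no working Central Admin site. Clock skew is the one prerequisite the script does not check; w32tm on the client and the web server will show that.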

In later emails with Leo he confirmed that this explanation answered his question. After I did all that typing I thought, “Cool, free blog post!” and here it is. Thanks, Leo. :)

tk

ShortURL: http://www.toddklindt.com/NoKerbonCA

Comments

Re: Should I use Kerberos for Central Admin?

Okay, so I'll disagree here. I think Kerberos should be used over NTLM wherever possible, including CA. Kerberos only provides a ticket, not a cryptographically insecure hash of your password like NTLM does. I would rather eliminate the issue entirely within the environment than make exceptions, if possible.

Microsoft is also discouraging the active use of NTLM (as you can see in GPOs, there is the ability to disable NTLM outright: http://technet.microsoft.com/library/jj852167(v=ws.10).aspx). Yes, PowerShell isn't always fun, and it requires a good team to communicate between AD, SP, and networking.

As for the PowerShell, it is fairly easy:

# Run in the SharePoint Management Shell (for Central Admin, add -IncludeCentralAdministration)
$wa = Get-SPWebApplication http://webAppUrl
# IisSettings is keyed by zone; DisableKerberos on the Default zone falls the zone back to NTLM
$wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].DisableKerberos = $true
$wa.Update()              # persist the change to the configuration database
$wa.ProvisionGlobally()   # push the updated IIS settings to every server in the farm

I don't see that as too much of a barrier for troubleshooting purposes :-)

-Trevor
 on 9/11/2013 10:35 PM

Re: Should I use Kerberos for Central Admin?

Well, I must be an exception. I use Kerberos for Central Admin like Trevor says. I also manage 8 individual developer VMs which also use Kerberos for everything. No issues yet (knock on wood).

-Bismarck
 on 9/12/2013 10:17 AM

Thuan Soldier

I think it depends on your security requirements. Essentially Kerberos is better than NTLM when it comes to security. As Trevor said, Kerberos uses a process that involves encrypted tickets to verify authenticity. I'd say Kerberos is more secure and scalable than NTLM. If you say Kerberos makes traffic slow then I can't agree. IMO, thanks to using a TGT, Kerberos doesn't directly communicate with the domain controller on every request, so it actually reduces load on the domain controller.

The only well-known issue I know of so far is that crawl has problems with communication and ticket handling when your site isn't running on a default port (80 or 443) and is configured for Kerberos authentication.

At the end of the day, I see no reason why you shouldn't use Kerberos.

Regards,
-T.s
 on 9/14/2013 3:34 AM

With u

I am with Todd Klindt here. If things go wrong with the Kerberos setup it's a very painful process! So the first question is "is it worth it?", as in most cases people don't mind re-entering their password for authentication at the next hop. But still, I'll go with Kerberos if the AD, network and SP teams all work together, so that issues can be resolved on the spot.
 on 9/15/2013 7:22 AM

Re: Should I use Kerberos for Central Admin?

I just couldn't resist commenting on this one; I absolutely disagree and ALWAYS provision Central Admin using Kerberos. Perhaps it is just an ideal, but I do not TRUST NTLM in the least, and at least in the environment I support Kerberos is a security requirement.

IMHO Microsoft should NOT provide NTLM as an option. Period.
 on 9/18/2013 2:36 PM

Re: Should I use Kerberos for Central Admin?

Thanks for the feedback. Even if it disagrees with me. :)

tk
Todd O. Klindt on 9/18/2013 2:52 PM

Considering Kerberos

I see reasons for security. But we are experiencing postback failures for form submittal (presumably due to latency). Can Kerberos help with that?
 on 10/4/2013 2:59 PM

Re: Considering Kerberos

I don't know that I'd lean on Kerberos to fix your latency issues. I think you should fix the root cause instead. It's probably causing you issues in other areas too. SharePoint would be happiest if you just fixed that. :)

tk
Todd O. Klindt on 10/7/2013 11:36 AM

To Kerberos or Not Kerberos?

I attended a SharePoint Saturday here in the UK this month, and there was a session on Kerberos and SharePoint 2013. The guy was showing a demo of setting up Kerberos on a SharePoint web app and things didn't go as he planned. Something went wrong in the demo and he spent around 20 minutes troubleshooting, and in the end there wasn't any time left for the rest. The session was supposed to be an hour, and there was not much time for troubleshooting.

Troubleshooting Kerberos was a pain! He was purging tickets from the AD server, SQL Server, the SharePoint servers, and the client VM he was working on. He was using many open source tools and even pointed out that he would have to use Wireshark for further analysis. I can only imagine how hard this whole process would be in a multi-server environment where you have multiple AD servers worldwide. Is it worth going through all this pain to enable Kerberos in your web applications?
 on 11/19/2013 6:30 AM

Using SSL for Central Administration with SharePoint 2013

Using SSL for Central Administration with SharePoint 2013 is also a nice solution: simple enough that everybody should be using SSL for CA.

http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Harbar+%28harbar.net%29&utm_content=LocalHos
 on 11/25/2013 12:10 AM