Scenario 2: Authentication With Kerberos (Credential Delegation)

The following configuration describes a demonstration environment configured to use Kerberos authentication and credential delegation for web service communication between SharePoint and Jive.

Individual Server Machines:
Active Directory Settings

Note: To get to Active Directory Users and Computers, log on to the Domain Controller and click Start > All Programs > Administrative Tools.


Note: Please make sure your domain is running at least at Windows Server 2003.

SharePoint (MOSS) Accounts

Service Principal Names (SPN)

The following SharePoint service-level accounts were configured as necessary for Kerberos and credential delegation. The Service Principal Name (SPN) entries can be made in Active Directory using two different approaches. One is to use the SETSPN.exe command-line tool and the other is to use the ADSIEdit.msc "snap-in" for your Active Directory Domain Controller. The screenshots below demonstrate use of the ADSIEdit.msc "snap-in" to make the collection of values visible per service account.

Note:
  • SETSPN.exe and ADSIEdit.msc are part of the Windows Server 2003 Support Tools (may require an additional download)
  • To launch the ADSIEdit.msc "snap-in", click Start > Run and type adsiedit.msc.

MOSS_DBSvc - "Do not trust this user for delegation"

MOSS_FarmAdmin - "Trust this user for delegation to any service (Kerberos only)"

Note: The URLs ending with port 10000 represent the SharePoint Central Administration Site.

MOSSAppPool_SSP - "Trust this user for delegation to any service (Kerberos only)"

MOSSAppPool_Portal - "Trust this user for delegation to any service (Kerberos only)"
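As an added check that is not part of the original documentation, the PowerShell below reads back the SPNs and the delegation setting of the four accounts listed above through ADSI (no ActiveDirectory module needed), so the values set with SETSPN.exe or ADSIEdit.msc can be verified from a script; it assumes the account names exactly as listed and a machine joined to the same domain. It also reports an SPN that is registered on more than one account, which breaks Kerberos authentication for that service.

```powershell
# Added example, not from the Jive/SharePoint documentation.
# Account names taken from this page; the domain is the one the caller is joined to.
$accounts = 'MOSS_DBSvc', 'MOSS_FarmAdmin', 'MOSSAppPool_SSP', 'MOSSAppPool_Portal'

# userAccountControl bit for "Trust this user for delegation to any service (Kerberos only)",
# i.e. unconstrained delegation; constrained delegation uses msDS-AllowedToDelegateTo instead.
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationReport {
    param([string[]]$SamAccountNames)
    foreach ($name in $SamAccountNames) {
        $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$name))"
        $null = $searcher.PropertiesToLoad.AddRange(
            @('sAMAccountName', 'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
        $result = $searcher.FindOne()
        if (-not $result) { Write-Warning "Account $name not found in the domain"; continue }

        $uac           = [int]$result.Properties['userAccountControl'][0]
        $spns          = @($result.Properties['servicePrincipalName'])
        $constrainedTo = @($result.Properties['msDS-AllowedToDelegateTo'])

        $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained (any service, Kerberos only)' }
                elseif ($constrainedTo.Count -gt 0)     { 'Constrained to: ' + ($constrainedTo -join ', ') }
                else                                    { 'Not trusted for delegation' }

        [pscustomobject]@{
            Account    = $name
            Delegation = $mode
            SPNs       = ($spns -join '; ')
        }
    }
}

function Find-DuplicateSpn {
    # An SPN must map to exactly one account; a second owner makes the KDC unable to issue tickets.
    param([string]$Spn)
    $searcher = [ADSISearcher]"(servicePrincipalName=$Spn)"
    $owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['sAMAccountName'][0] })
    if ($owners.Count -gt 1) { "DUPLICATE SPN $Spn is registered on: $($owners -join ', ')" }
}

$report = Get-DelegationReport -SamAccountNames $accounts
$report | Format-Table -AutoSize -Wrap

# Check every SPN found on the four accounts for a second owner.
$report | ForEach-Object { $_.SPNs -split '; ' } |
    Where-Object { $_ } | Sort-Object -Unique | ForEach-Object { Find-DuplicateSpn -Spn $_ }
```

Run it from a domain-joined SharePoint or Jive host as a domain user; the report should show MOSS_DBSvc as not trusted for delegation and the three other accounts as unconstrained, matching the ADSIEdit settings above.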

The following accounts were created to represent service accounts for explicit use on the Jive/SharePoint Installation screens (see the Registering... screens below).

Note: The spacces and jiveaccess accounts have been configured for "Least Privilege". These accounts have minimal access to Jive and SharePoint and will only be used to delegate the real user's credentials.

Component Services Configuration (on the SharePoint Server)
  1. Log into the SharePoint server using an Administrative account.
  2. Click on Start > All Programs > Administrative Tools > Component Services.
  3. Expand Component Services > Computers > My Computer > DCOM Config.
  4. Right-click on "IIS WAMREG admin Service" and click Properties.
  5. Select the Security tab.
  6. Edit "Launch and Activation Permissions".
  7. Grant the application pool accounts "Local Launch" and "Local Activation" permissions.

Setting the Authentication Provider in SharePoint

Registering a Jive Installation in SharePoint

Registering a SharePoint Location in Jive

Please see Configuring Client Browser Settings for the browser settings that must be changed for Kerberos authentication to work.

Jive System Properties

Note:
  • The "spconnector" plugin checks "System Properties" for the presence of the idm.principalAtRealm property and, when it is set, enables Kerberos in place of the default Jive authentication.
  • These properties are also listed in Jive SharePoint Plugin Installation Requirements.

Creating a Keytab File for Jive

See the section named "Creating keytab files" in the document named VSJ_Standard_Edition_3.3_ReferenceManual.pdf

Additional Links