
Reconfigure Azure DevOps Server to use Kerberos instead of NTLM


What is Kerberos

Kerberos is a network authentication protocol that lets nodes communicating over an insecure network prove their identities to each other.

Kerberos relies on a trusted third party, the Key Distribution Center (KDC), which consists of two parts: the Authentication Service (AS) and the Ticket-Granting Service (TGS). Kerberos works with tickets, which are the proof of identity a client presents to a service.

For communication between the two parties (client and service), the KDC generates a session key that they can use to secure their exchange. A KDC runs on every domain controller as part of Active Directory Domain Services (AD DS).

Why use Kerberos

There are many reasons to prefer Kerberos authentication over the default NTLM. The main one is that it is more secure than NTLM: NTLM is a challenge/response scheme derived from the password hash with no mutual authentication, while Kerberos uses tickets issued by the KDC, supports mutual authentication and never hands password-derived material to the service. Apart from this, Kerberos is needed to deal with the "double hop" authentication issue: with NTLM, a web server that has authenticated a user cannot authenticate onward to a second server (the second hop) as that user, because it holds nothing it can forward; with Kerberos and delegation it can obtain a service ticket on the user's behalf. The most common scenarios for the double-hop problem with SharePoint revolve around Excel Services and data connections.

Setting up Kerberos authentication

To use Kerberos, you do not need to change anything on the clients if the domain controller is set up correctly. Kerberos clients are configured to automatically request a Ticket-Granting Ticket (TGT) from the Key Distribution Center at logon. If the request succeeds, the Kerberos client caches the ticket on the local machine and uses it to request service tickets later.
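Whether clients actually reach the server with Kerberos, or silently fall back to NTLM, is something you should measure rather than assume. The following PowerShell is an added example, not code from the original article: it summarises network logons on the web server by authentication package from Security event 4624. It assumes you run it elevated on the server, that logon auditing is enabled, and that the last 24 hours are a useful window; the function name is my own.

```powershell
# Added example: count network logons (event ID 4624, logon type 3) on this
# server by authentication package, so Kerberos vs. NTLM usage is visible.
# Assumptions: run elevated, Security auditing for logon events is on.

function Get-LogonPackageSummary {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Logon type 3 = network logon, which is what IIS records for HTTP clients.
        if ($data['LogonType'] -ne '3') { continue }

        [pscustomobject]@{
            Package = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            User    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source  = $data['IpAddress']
            Time    = $e.TimeCreated
        }
    }

    $rows | Group-Object Package | Sort-Object Count -Descending |
        Select-Object @{ n = 'Package'; e = { $_.Name } }, Count
}

# Usage: after the reconfiguration, NTLM should drop to near zero.
Get-LogonPackageSummary
```

Remaining NTLM logons are worth inspecting by user and source address: they usually point to a missing SPN, a client using an IP address or an alias that has no SPN, or a host that is not domain-joined. On a client, `klist` shows the cached TGT and service tickets, so a missing `HTTP/<site name>` ticket after browsing to the site is the same symptom seen from the other side.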

One of the first things to decide when you want to use Kerberos authentication is which accounts will run your services and web applications. Each of those accounts needs a Service Principal Name (SPN), and the servers that have to authenticate onward to other services (for example to SQL Server) must be trusted for delegation.

To trust a computer for delegation

  1. Click Start, point to Programs, then Administrative Tools, and then click Active Directory Users and Computers.
  2. Navigate to the computer account to be set up, for example Active Directory Users and Computers / <Domain Name> / Computers / <Computer Name>.
  3. Double-click the computer name in the right pane. On the Delegation tab, select Trust this computer for delegation to specified services only (Kerberos only) and add the back-end services it must reach (constrained delegation); only use Trust this computer for delegation to any service (Kerberos only) if constrained delegation is not an option. Click OK.
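The same change can be scripted and verified with the ActiveDirectory PowerShell module. This is an added example, not part of the original article; the names WEB01, SQL01.contoso.com, port 1433 and the function name are assumptions for illustration. It requires RSAT (the ActiveDirectory module) and rights to modify the computer object.

```powershell
# Added example: trust a web server for delegation, preferring constrained
# delegation to the SQL back end over "delegation to any service".
# Assumed names: web server WEB01, SQL Server SQL01.contoso.com:1433.

Import-Module ActiveDirectory

$webServer   = 'WEB01'
$backendSpns = @('MSSQLSvc/SQL01.contoso.com:1433')

# Constrained delegation: WEB01 may request tickets on behalf of users only
# for the listed back-end services.
Set-ADComputer -Identity $webServer -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpns }
# Kerberos only: no protocol transition, so the front end must itself have
# received a Kerberos ticket from the user (NTLM users cannot be delegated).
Set-ADAccountControl -Identity $webServer -TrustedToAuthForDelegation $false

# Equivalent of the "trust for delegation to any service" check box. Avoid it:
# a compromised host with unconstrained delegation can impersonate any user who
# authenticates to it against any service in the forest.
# Set-ADAccountControl -Identity $webServer -TrustedForDelegation $true

function Test-DelegationConfig {
    param([string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $targets = @($c.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Computer      = $c.Name
        Unconstrained = $c.TrustedForDelegation
        ConstrainedTo = $targets
        # OK = constrained delegation configured, unconstrained delegation off
        OK            = (-not $c.TrustedForDelegation) -and ($targets.Count -gt 0)
    }
}

Test-DelegationConfig -ComputerName $webServer
```

If the web application runs under a domain service account rather than as Network Service, apply the same two settings to that user account instead of the computer account, since delegation is evaluated for the principal that actually holds the user's service ticket.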

Once every server in the farm that needs to delegate is trusted for delegation, you can start creating SPNs (service principal names) for SQL Server and for the accounts you use for the SharePoint farm.

Service Principal Names

A service principal name is registered on the security principal (a user or computer account) under whose security context the service runs. Service principal names follow a fixed syntax.

Service Principal Name syntax:

The basic syntax of service principal name is as follows:

[service type]/[instance name]:[port number]/[service name]

The elements of the syntax have the following meaning:

  • Service type: the class of service, such as "HTTP" for web applications (it also covers HTTPS).
  • Instance name: the name of the host that runs the service; depending on the service type this may be the DNS name or the IP address of that host.
  • Port number: only required if the port the service listens on differs from the default for the service type.
  • Service name: the name of the service. This can be the DNS name of the host, of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of an RPC service object.

Configure Kerberos for your web applications

If you want your web applications to use Kerberos, you need to create the service principal names for the accounts used to run the web applications.

Note that an SPN is needed for every address by which clients reach a web application, not just for the server name. For the Shared Services Provider (SSP) infrastructure to use Kerberos, additional SPNs are required, because the SSP infrastructure runs on every server in the SharePoint farm. It binds to TCP 56737 and TCP 56738, and the SPN should include the name of the shared services provider.
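The SPN syntax described above, applied to the web application and SQL Server accounts this section talks about, as an added example that is not the article's own code. It assumes an application pool account CONTOSO\svc-devops, a site reached as https://devops.contoso.com and http://devops, and a SQL service account CONTOSO\svc-sql on SQL01.contoso.com:1433; the helper function name is mine. setspn.exe ships with Windows Server and RSAT.

```powershell
# Added example: register the SPNs a web application and its SQL back end
# need, refusing to create duplicates (a duplicate SPN breaks Kerberos for
# both services because the KDC cannot tell which key to use).
# Assumed names: CONTOSO\svc-devops, devops.contoso.com, CONTOSO\svc-sql, SQL01.

$entries = @(
    # HTTP SPNs name the host the client types (FQDN and NetBIOS), not the
    # web server; no port is needed for 80/443.
    @{ Account = 'CONTOSO\svc-devops'; Spns = @('HTTP/devops.contoso.com', 'HTTP/devops') }
    # SQL Server: FQDN and NetBIOS forms; the port is part of the SPN.
    @{ Account = 'CONTOSO\svc-sql';    Spns = @('MSSQLSvc/SQL01.contoso.com:1433', 'MSSQLSvc/SQL01:1433') }
)

function Get-SpnOwner {
    param([string]$Spn)
    # setspn -Q prints "No such SPN found." when unregistered; otherwise the
    # DN of the owning object appears in the output.
    $out = & setspn.exe -Q $Spn 2>&1
    if ($out -match 'No such SPN found') { return $null }
    return ($out | Where-Object { $_ -match '^CN=' } | Select-Object -First 1)
}

foreach ($entry in $entries) {
    foreach ($spn in $entry.Spns) {
        $owner = Get-SpnOwner -Spn $spn
        if ($owner) {
            Write-Warning "$spn is already registered on $owner; not registering it again."
            continue
        }
        # -S registers the SPN only if no duplicate exists anywhere in the forest.
        & setspn.exe -S $spn $entry.Account
    }
}

# Final check: list any duplicate SPNs in the forest (should print none).
& setspn.exe -X
```

If an application pool runs as Network Service, the HOST SPNs of the computer account already cover HTTP for the server's own name, and the HTTP SPNs above go on the computer account only when the site answers to a different name. The SSP SPNs mentioned above follow the same pattern, with the port (56737 or 56738) and the SSP name in the SPN, registered on the account that runs the SSP services.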
