Configure Kerberos Auth for SharePoint Server 2019 Plugin

1. Set Service Principal Name (SPN) on a Machine

The following command must be run by a user with Active Directory Domain Admin rights. It can be run on any computer in the domain and it doesn't require being logged in to a Domain Controller.

setspn -U -S HTTP/<SPN> <DOMAIN>\spadmin

where:

  • -U specifies that the account name (<DOMAIN>\spadmin) is a user account rather than a computer account;
  • -S adds the specified SPN to that account, after verifying that no duplicate SPN exists in the domain.

2. Enable Kerberos Auth in the SharePoint Web Application:

  1. Access Central Administration > Manage Web Applications
  2. Select the Web Application for which you wish to enable Kerberos
  3. Click the Authentication button
  4. Select the Zone (typically ‘Default’)
  5. Scroll down to Claims Authentication Types > Negotiate (Kerberos)
  6. Click Save
    • This will reprovision the Web Application on all SharePoint servers where the Foundation Web service is started.

3. Create Configuration Files for RDP

3.1. Create krb5.conf File

[libdefaults]
     default_realm = [your default Kerberos realm]
     udp_preference_limit = 1
     dns_lookup_kdc = true
     dns_lookup_realm = false
[domain_realm]
     .[domain_name] = [realm_name]
     [hostname] = [realm_name]
[logging]
     kdc = SYSLOG:INFO
     admin_server = FILE=/var/kadm5.log

Use the above template, filling in default_realm and the [domain_realm] mappings with your own values.

3.2. Create login.conf File

com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=false refreshKrb5Config=true;
    };
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=false refreshKrb5Config=true;
    };
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=false refreshKrb5Config=true;
    };
[app_name]{
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=false refreshKrb5Config=true;
    };

Use the above template, replacing [app_name] with the application name, which is "MiApp" by default.

  • If you want to use a different name, specify it under the application_name Parameter for SharePoint Server 2019 on Plugin Config Page.
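A preflight check for the two files before they are copied to the RDP, added here as an example and not part of the plugin's own tooling: it parses krb5.conf and login.conf, flags template placeholders that were never filled in, checks that default_realm is set (and upper case, since Kerberos realm names are case-sensitive), and confirms that login.conf carries both the com.sun.security.jgss.initiate entry and the entry named after application_name. The realm EXAMPLE.COM and host sp.example.com in the sample input are constructed.

```python
import re

# Template slots left unfilled, e.g. [realm_name] or [app_name]; section headers are parsed away first
PLACEHOLDER = re.compile(r"\[[^\]\n]+\]")

def parse_krb5_conf(text):
    """Parse a flat krb5.conf into {section: {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def parse_login_conf(text):
    """Parse a JAAS login.conf into {entry_name: body of module lines}."""
    return {name: body.strip() for name, body in re.findall(r"([^\s{}]+)\s*\{(.*?)\}\s*;", text, re.S)}

def check_kerberos_config(krb5_text, login_text, app_name="MiApp"):
    """Return a list of problems; an empty list means both files are ready for the RDP."""
    problems = []
    krb5 = parse_krb5_conf(krb5_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    if not realm:
        problems.append("krb5.conf: [libdefaults] has no default_realm")
    elif realm != realm.upper():
        problems.append(f"krb5.conf: default_realm '{realm}' is not upper case; Kerberos realms are case-sensitive")
    for section, entries in krb5.items():
        for key, value in entries.items():
            if PLACEHOLDER.search(key + value):
                problems.append(f"krb5.conf: template placeholder left in [{section}]: {key} = {value}")
    login = parse_login_conf(login_text)
    for entry in ("com.sun.security.jgss.initiate", app_name):  # GSS initiator entry plus the plugin's own
        if entry not in login:
            problems.append(f"login.conf: missing entry '{entry}'")
        elif "Krb5LoginModule required" not in login[entry]:
            problems.append(f"login.conf: entry '{entry}' does not require Krb5LoginModule")
    if PLACEHOLDER.search(login_text):
        problems.append("login.conf: template placeholder such as [app_name] left in file")
    return problems

# Constructed sample pair for the hypothetical realm EXAMPLE.COM and the default app name MiApp
KRB5_OK = "[libdefaults]\n default_realm = EXAMPLE.COM\n[domain_realm]\n .example.com = EXAMPLE.COM\n sp.example.com = EXAMPLE.COM\n"
LOGIN_OK = ("com.sun.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };\n"
            "MiApp { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; };\n")
```

Run check_kerberos_config on the real file contents (with the app name from application_name if you changed it); an empty list means nothing obvious is left to fix before copying the files to the RDP.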

4. Configure RDP

  • Add krb5.conf and login.conf to the /thirdparty/kerberos-config/ folder on the RDP. You will most likely need to create the folder.
  • Alternatively, add kerberos_file_path = <path to krb5.conf> and login_config_file_path = <path to login.conf> parameters under Plugin Config.

NOTE: The RDP must be run by the same user whose credentials are used for the Plugin.