when you change authentication type to Negotiate(Kerberos) in SharePoint central admin, all sharepoint do is to change NTAuthenticationProvider of sharepoint site in IIS to "Negotiate, NTML" from "NTLM". (how to find NTAuthenticationProvider value? see this post. If there are multiple WFEs in your farm, check each of them as I experienced a problem seeing the failure of setting this IIS meta data from SharePont Central Admin UI.).
What does that mean? is Kerberos guaranteed? not really. Kerberose will be selected only if clients support Kerberos (such as "intergrated window authentication" checked in IE), and SPN is registered (which make sure Kerberos is selected) and registered correctly (which make sure authentication will not fail)
But how do you know for sure you have Kerberos functioning? I usually go to EvntView of server and in security log find event id = 540, and if you have logon type =3 and AuthenticationPackage = Kerberos. you are good to go.
About Me
- Yang Li
- I am a SharePoint consultant, specializing on sharepoint security, farm architecture, search integration and customization. During spare time, I play basketball,while waiting for Heat to regain NBA Title, Redskins to win NFC East again, and Gamecocks to be convered in National TVs. Spending too much time on Captial BeltWay I only enjoy listening Leona Lewis. With my two wonderful kids, We have lots of fun together!
