Creating a Web Application using Kerberos as authentication instead of NTLM in SharePoint 2010 programmatically via PowerShell
If you have ever tried to programmatically create a Web Application using Kerberos as the authentication provider, you will have noticed that the Authentication Provider resets to NTLM. The cmdlet to create a new Web Application is New-SPWebApplication (or New-SPWebApplicationExtension to extend an existing one), and it comes with a switch parameter to disable Kerberos authentication (DisableKerberosAuthentication). By default, however, DisableKerberosAuthentication is set to True, and because it is a switch parameter you cannot pass it an explicit value such as "DisableKerberosAuthentication $true".
While running a few tests to help answer a forum question, I found that this behavior can be circumvented in two ways:
Mode 1 - Set the Authentication Provider's DisableKerberos property to false after creating an instance, and pass that instance to New-SPWeb*. See the example below:
> $ap = (New-SPAuthenticationProvider)
> $ap | fl
DisplayName : Windows Authentication
ClaimProviderName : AD
AllowAnonymous : False
UseBasicAuthentication : False
DisableKerberos : True <<<< Note that Kerberos is disabled by default
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl : /_windows/default.aspx
UpgradedPersistedProperties :
> $ap.DisableKerberos = $false
> $ap | fl *
DisplayName : Windows Authentication
ClaimProviderName : AD
AllowAnonymous : False
UseBasicAuthentication : False
DisableKerberos : False <<< Now I made sure that Kerberos is enabled
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl : /_windows/default.aspx
UpgradedPersistedProperties : {}
> New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url https://www.contoso.com -AuthenticationProvider $ap
Mode 2 - Force the DisableKerberos property to false during instantiation, using a hack (thanks to Dan Holme):
> $ap = New-SPAuthenticationProvider -DisableKerberos:$false
> New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url https://www.contoso.com -AuthenticationProvider $ap
Or all in one line:
> New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url https://www.contoso.com -AuthenticationProvider (New-SPAuthenticationProvider -DisableKerberos:$false)
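Because the whole problem is that the provider silently falls back to NTLM, it is worth reading the setting back from the created web application instead of trusting the provider object you passed in. The script below is an added example, not part of the original post: it uses the same name, application pool and URL as above, and the Test-KerberosEnabled function is my own helper, assumed to run in the SharePoint 2010 Management Shell (PowerShell 2.0 compatible).

```powershell
# Added example (not from the original post): create the web application with
# Kerberos enabled, then verify the stored setting on the Default zone so a
# silent reset to NTLM is caught immediately rather than found later in Central Admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-KerberosEnabled {
    # Returns $true when Negotiate (Kerberos) is enabled on the given zone of a web application.
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [Microsoft.SharePoint.Administration.SPWebApplication] $WebApp,
        [Microsoft.SharePoint.Administration.SPUrlZone] $Zone = "Default"
    )
    process {
        # IisSettings holds the effective per-zone authentication settings;
        # DisableKerberos = True is what Central Admin shows as "NTLM".
        $iis = $WebApp.IisSettings[$Zone]
        Write-Host ("{0} [{1}]: Claims={2}  DisableKerberos={3}" -f `
            $WebApp.DisplayName, $Zone, $WebApp.UseClaimsAuthentication, $iis.DisableKerberos)
        return (-not $iis.DisableKerberos)
    }
}

# Second workaround from the post: force DisableKerberos to false at instantiation.
$ap = New-SPAuthenticationProvider -DisableKerberos:$false
if ($ap.DisableKerberos) { throw "Provider still reports DisableKerberos = True; aborting." }

$webApp = New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" `
    -Port 90 -Url "https://www.contoso.com" -AuthenticationProvider $ap

# Check what was actually persisted, not what we asked for.
if ($webApp | Test-KerberosEnabled) {
    Write-Host "Kerberos (Negotiate) is enabled on the Default zone."
} else {
    Write-Warning "Web application fell back to NTLM; re-apply the provider and check again."
}
```

The same check works for web applications created earlier by a script: `Get-SPWebApplication "Kerberos App" | Test-KerberosEnabled`.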
*** SECOND WORKAROUND CREDIT ***
Binging around before posting this, I found a post where Dan Holme suggests the second workaround:
https://www.windowsitpro.com/article/sharepoint/Power-Trip-PowerShell-Bug-and-Claims.aspx
Comments
Anonymous
October 25, 2010
This is assuming you want the web app as claims rather than classic.

Anonymous
November 11, 2010
Correct. This is the main point of this post, as classic is the default behavior (even if you do not add -DisableKerberos, Kerberos will still be disabled). You do not need much effort to create a web application with classic authentication. See below:
New-SPWebApplication -Name "Kerberos App" -ApplicationPool "SharePoint - 80" -port 90 -url http://www.contoso.com -AuthenticationProvider (New-SPAuthenticationProvider)
Thanks, Rodney

Anonymous
June 05, 2012
(I think I'm posting this a second time, since I'm not sure if the first one was a success.) Hi Rodney, we have a web app that was created using a script, but we did not set DisableKerberos to false; all other configs such as SPNs etc. were created and the site was set up. But in Central Admin, in the Authentication Provider window or tab, the authentication shows "NTLM". If I select Kerberos from the dropdown, I get an error saying "webservice.identitymodel" missing in web.config. We aren't able to show internal RSS feeds in our SSL-enabled web app due to this. Any help or insights will be appreciated. Regards, Ganesh.M

Anonymous
July 02, 2013
Just a note that the URL for Dan Holme's workaround is no longer valid. A working link is: sharepointpromag.com/.../power-trip-powershell-bug-and-claims