This is a continuation of Part 1 of this series on configuring Kerberos authentication.
I’ll continue to step through enabling Kerberos Authentication for the following services:
- TFS 2010 Application Tier which consists of both the Web Services and Team Web Access
To find the service account that is relevant to this exercise in your environment, log on (or RDP) to your TFS 2010 Application Tier and launch the Team Foundation Server Administration Console.
There are five entries here which are relevant and they are:
- Service Account
- Authentication
- Notification URL
- Server URL
- Web Access URL
The URLs that use your friendly name should appear only in Notification URL and Web Access URL; the Server URL should stay set to localhost unless you have a specific reason to change it.
In my example I am using a domain account named DOMAIN\tfsService and a friendly DNS name of tfs.domain.local. With that information I can create the SPN (Service Principal Name) by executing the following command (the -S switch refuses to add the SPN if another account already holds it, which matters because a duplicate SPN breaks Kerberos for that name and clients silently fall back to NTLM):
- Setspn -S http/tfs.domain.local domain\tfsService
With that step completed I need to return to the Team Foundation Server Administration Console, modify the Application Tier authentication settings and change them from NTLM to Negotiate (Kerberos). I do this in the Administration Console by selecting the Authentication Settings hyperlink on the far right side of the console.
After that is complete, launch Internet Information Services (IIS) Manager, select the site which hosts your Team Foundation Server website and, under Management, select Configuration Editor. If you are running IIS 7.0 (Windows Server 2008) this management feature may not be installed; if so, you can get it as part of the Administration Pack 1.0 for IIS 7.0.
Double click on the Configuration Editor and navigate to the following Section:
system.webServer/security/authentication/windowsAuthentication
You must set the following attributes to True. With kernel-mode authentication on, IIS decrypts the incoming Kerberos ticket with the machine account's key by default, but the ticket was issued for the SPN owned by DOMAIN\tfsService, so useAppPoolCredentials is needed to make IIS use the application pool identity instead; without it the ticket cannot be decrypted and browsers fall back to NTLM.
- useAppPoolCredentials
- useKernelMode
Then under Actions on the far right select Apply. Now, from a remote machine, use a web browser to access the Team Web Access site at http://tfs.domain.local/tfs/web/. Internet Explorer will negotiate Kerberos when the site is in its Local intranet zone; Firefox first needs the site added to its network.negotiate-auth.trusted-uris preference before it will send a Kerberos ticket.
If Kerberos authentication is working correctly you will see logon events in the Security event log on the TFS Application Tier with Event ID 4624 (An account was successfully logged on). In the General tab of these events you should see the Security ID being logged on to the computer and the Logon Process used, which should display as Kerberos; if it shows NtLmSsp instead, the browser fell back to NTLM and one of the steps above (usually the SPN or useAppPoolCredentials) is wrong.
Successfully authenticated to Visual Studio 2010 Team Web Access using IE 9.x and Firefox 13.x.
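The procedure above, scripted end to end as an added example (this is not code from the original post or from Microsoft): it checks for a duplicate SPN before registering it, sets the two IIS attributes through the WebAdministration module rather than Configuration Editor, confirms that Negotiate is offered before NTLM, and summarises recent 4624 logons by Logon Process so an NTLM fallback is visible at a glance. It runs on the Application Tier in an elevated PowerShell session as a domain administrator. The service account, friendly name, IIS site name and time window are assumptions; the Administration Console step that switches TFS from NTLM to Negotiate (Kerberos) stays a manual step, as the post describes it.

```powershell
# Added example (not from the original post): SPN, IIS and verification steps
# for a TFS 2010 Application Tier. The values below are assumptions.
$ServiceAccount = 'DOMAIN\tfsService'       # assumed TFS service account
$FriendlyName   = 'tfs.domain.local'         # assumed friendly DNS name
$SiteName       = 'Team Foundation Server'   # assumed IIS site name hosting /tfs
$Spn            = "http/$FriendlyName"       # default port 80/443, so no port suffix

# --- 1. SPN ---------------------------------------------------------------
# The browser asks the KDC for a ticket to http/<host typed in the URL>. If that
# SPN sits on two accounts the KDC cannot issue it and the client silently falls
# back to NTLM, so look before registering. [adsisearcher] works on any
# domain-joined host without the AD module.
function Get-SpnOwner {
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

$owners = @(Get-SpnOwner -Spn $Spn)
if ($owners.Count -gt 1) {
    throw "Duplicate SPN $Spn on: $($owners -join ', '). Remove the extras first."
} elseif ($owners.Count -eq 1) {
    Write-Host "$Spn is already registered to $($owners[0])"
} else {
    # -S makes the DC check for duplicates once more before adding the SPN
    & setspn -S $Spn $ServiceAccount
}

# --- 2. IIS windowsAuthentication ------------------------------------------
# Kernel-mode auth decrypts the service ticket with the machine account's key
# unless useAppPoolCredentials is on; the ticket was issued to the SPN owner
# (the app pool identity), so both attributes must be true.
Import-Module WebAdministration      # IIS 7.5+; on IIS 7.0 this is a separate snap-in
$Filter  = 'system.webServer/security/authentication/windowsAuthentication'
$AppHost = 'MACHINE/WEBROOT/APPHOST'   # writes a <location> for the site, as Configuration Editor does
foreach ($attr in 'useAppPoolCredentials', 'useKernelMode') {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter $Filter -Name $attr -Value $true
    $v = (Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
            -Filter $Filter -Name $attr).Value
    Write-Host "$attr = $v"
}
# Negotiate must be offered before NTLM or the browser never attempts Kerberos.
$providers = Get-WebConfiguration -PSPath $AppHost -Location $SiteName `
    -Filter "$Filter/providers/add" | ForEach-Object { $_.value }
Write-Host "providers: $($providers -join ', ')"
if ($providers -and $providers[0] -ne 'Negotiate') {
    Write-Warning 'Negotiate is not the first provider; Kerberos will not be attempted.'
}

# --- 3. Verify -------------------------------------------------------------
# After browsing http://tfs.domain.local/tfs/web/ from a remote machine, the
# Security log should show 4624 network logons (Logon Type 3) whose Logon
# Process is Kerberos. NtLmSsp means the client fell back to NTLM.
function Get-TfsLogonSummary {
    param([int]$Minutes = 15)
    $evtFilter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $evtFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Logon Type:\s+3' } |
        ForEach-Object {
            $proc = if ($_.Message -match 'Logon Process:\s+(\S+)') { $Matches[1] } else { '?' }
            # the second "Account Name" in a 4624 (under "New Logon") is the user who authenticated
            $user = if ($_.Message -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; User = $user; LogonProcess = $proc }
        } |
        Group-Object LogonProcess |
        Select-Object Name, Count,
            @{ n = 'Users'; e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ', ' } }
}

Get-TfsLogonSummary -Minutes 15 | Format-Table -AutoSize
```

Run sections 1 and 2 once, change the TFS authentication setting in the Administration Console, browse to the site from another machine, then run section 3: a healthy result lists only Kerberos under Name for the accounts you tested with, and any NtLmSsp row names the users for whom Kerberos is still failing.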