Enable single signon with SharePoint using Kerberos authentication

To use the Kerberos protocol for your web applications, you must configure Internet Information Services (IIS), SharePoint Portal, Microsoft SQL Server, your web browser, and IBM® Cognos® BI.

Configuration summary

Use the following table to help you enable single signon with SharePoint using Kerberos authentication.

Table 1. Configuration summary for enabling single signon with SharePoint using Kerberos authentication
Software Configuration tasks

Microsoft Windows server

Allow users to be trusted for delegation.

Microsoft Internet Information Services (IIS)

  • Associate the website that is used for Cognos BI with an application pool, and ensure that the application pool is run by a domain service account that has delegation enabled.
  • Ensure that Anonymous authentication is disabled.
  • Enable Windows authentication.
  • Enable the Kerberos authentication provider for Windows authentication.
  • Disable Kernel-mode authentication.
  • Set up the Service Principal Names (SPN) for the IIS web server.

Microsoft Internet Explorer

Ensure that the URLs for the web applications are in the intranet zone or a zone that is configured to automatically authenticate with Integrated Windows Authentication.

Firefox

Enable support for Kerberos authentication in your Firefox web browser.

Active Directory

  • Create service accounts for the IIS application pool for the web applications.
  • Register the Service Principal Names (SPN) for the web applications on the service account that is created for the IIS application pool for the web application.
  • Configure Kerberos constrained delegation for service accounts.

SharePoint web application

To enable Kerberos authentication in SharePoint, you must:

  • Create SharePoint Server managed accounts and ensure that the domain service account is registered as a managed account.
  • Set the Service Principal Names (SPN) on the SharePoint server.
  • Associate the SharePoint site with an application pool, ensure that the application is run by a domain service account, and ensure that the domain account has delegation enabled.
  • Use SharePoint Central Administration to indicate that Kerberos authentication is used to define how users interact with a network service to gain access to network resources.
  • Disable Anonymous authentication.
  • Disable Kernel-mode authentication.

For more information about enabling Kerberos authentication in SharePoint, see the Microsoft SharePoint documentation (technet.microsoft.com/en-us/library/ee806870.aspx).

Microsoft SQL Server

  • Ensure that services are running using the domain account.
  • Grant users appropriate permissions to the data source.
  • Set the SPN on the SQL server.

IBM Cognos BI

  • Create an authentication namespace and disable Anonymous Access.
  • Create a data source and secure it against the active namespace.
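
The following PowerShell audit is an added example, not part of the original IBM documentation. It checks the IIS and Active Directory rows of Table 1 on a web server. The site name and service account are hypothetical placeholders. The script assumes that the WebAdministration and ActiveDirectory modules are installed, and that the "Kerberos authentication provider" appears in IIS as Negotiate or Negotiate:Kerberos.

```powershell
# Added example: read-only audit of the IIS and Active Directory rows of Table 1.
param(
    [string]$SiteName   = 'Cognos',      # hypothetical IIS site name
    [string]$SvcAccount = 'svc-cognos'   # hypothetical application pool service account
)
Import-Module WebAdministration
Import-Module ActiveDirectory

$root = 'MACHINE/WEBROOT/APPHOST'
$auth = 'system.webServer/security/authentication'

# Read one boolean attribute of an authentication section for the site.
function Get-AuthSetting([string]$Section, [string]$Name) {
    (Get-WebConfigurationProperty -PSPath $root -Location $SiteName `
        -Filter "$auth/$Section" -Name $Name).Value
}

# Providers that are enabled for Windows authentication on the site.
$providers = (Get-WebConfigurationProperty -PSPath $root -Location $SiteName `
    -Filter "$auth/windowsAuthentication/providers" -Name '.').Collection |
    ForEach-Object { $_.value }

# Identity that runs the application pool behind the site.
$pool = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$pm   = (Get-Item "IIS:\AppPools\$pool").processModel

# SPN and delegation attributes of the service account.
$user = Get-ADUser $SvcAccount -Properties ServicePrincipalNames,
    TrustedForDelegation, 'msDS-AllowedToDelegateTo'

$checks = [ordered]@{
    'Anonymous authentication disabled'   = -not (Get-AuthSetting 'anonymousAuthentication' 'enabled')
    'Windows authentication enabled'      = [bool](Get-AuthSetting 'windowsAuthentication' 'enabled')
    'Kernel-mode authentication disabled' = -not (Get-AuthSetting 'windowsAuthentication' 'useKernelMode')
    'Negotiate (Kerberos) provider listed' = [bool]($providers -match '^Negotiate')
    'App pool runs as a specific account' = $pm.identityType -eq 'SpecificUser'
    'App pool account matches'            = $pm.userName -like "*$SvcAccount*"
    'SPN registered on service account'   = @($user.ServicePrincipalNames).Count -gt 0
    # Unconstrained delegation sets TrustedForDelegation; constrained delegation
    # leaves it unset and lists target SPNs in msDS-AllowedToDelegateTo.
    'Delegation is constrained'           = (-not $user.TrustedForDelegation) -and
                                            (@($user.'msDS-AllowedToDelegateTo').Count -gt 0)
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize
```

A failed "Delegation is constrained" row with TrustedForDelegation set means that the account can delegate to any service, which is broader than the constrained delegation that the Active Directory row of the table calls for.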