Web Analytics Service

Using Web Analytics in SharePoint 2010

http://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=250

Web Analytics in SharePoint 2010: Insights into Reports and Metrics

http://blogs.msdn.com/b/ecm/archive/2010/05/03/web-analytics-in-sharepoint-2010-insights-into-reports-and-metrics.aspx

 

Configure web analytics and health data collection in SharePoint 2010

http://www.c-sharpcorner.com/uploadfile/shyjumohan/configure-web-analytics-and-health-data-collection-in-sharepoint-2010/

Web Analytic Reports in SharePoint 2013

http://www.c-sharpcorner.com/UploadFile/17027c/web-analytic-reports-in-sharepoint-2013/

An Introduction to Single-Sign-On (SSO) with Data Views

Why SSO?
The Microsoft recommended practice for connecting to SQL Server is to use Windows authentication, meaning that the Windows domain credentials of the end user are passed to SQL Server.
But there’s a catch when you’re trying to access a database from the web server: you must find a way to overcome the "double hop" problem. Windows credentials can only make one "hop" between machines on a network. The first hop is from the browser to the web server; but to get to a SQL Server machine on your network, a second hop is involved.
There are two ways around the double hop problem: (1) establishing a Constrained Delegation relationship between the web server and the database server, and having the network domain configured to allow Kerberos Protocol Transition, or (2) using the LogonUser API to switch to the end-user identity on the web server before performing a single hop to the database server. SSO uses approach #2. Approach #1 is typically too complex and potentially impactful on the entire domain for corporate IT departments to allow it.
SSO provides a secure way to overcome the double hop problem. MOSS 2007 (Enterprise Edition) includes a feature to create and manage SSO connections. You can use the built-in SSO provider, or substitute your own if your enterprise has an existing SSO solution.
How does SSO work?
The SSO feature maintains a mapping between a user, or group of users, and the credentials (username and password) needed to access a particular data source. This mapping is referred to as an Application Definition (or "app def" for short). Only server administrators can create and modify app defs, using the browser-based Central Admin UI.
When the DataFormWebPart needs to access a remote data source using SSO, it calls the SSO API to retrieve the necessary credentials for the given app def. If they happen to be Windows credentials, the web part temporarily "logs in" with those credentials, and then attempts to connect to the data source. This means the Windows credentials are only making one hop – from the web server to the database server – and not two.
SPD can create Data Views using both kinds of SSO app defs:

• Group
• Individual

A Group app def is used to let everyone in a domain group access a database using a single account. For example, you might have a special account for database use that only has read-only permissions on a few tables; SSO lets you force everyone in your workgroup to connect to the database with the limited permission account.
An Individual app def lets users provide their own account information (username and password). The first time a connection is attempted and the end user's credentials are not already in SSO, the Data View will redirect to a web page to collect and store them. Subsequent attempts will reuse stored credentials without prompting.
Either type of app def can be used to store Windows credentials (from a network domain account, in the format "domain\account"), or basic (non-Windows) credentials. In the case of SQL Server, you can use SSO to establish either Windows auth connections or SQL auth connections. You can also use SSO access web services that require a specific username and password, or Windows authentication.
What if I don't have SSO?
You just need to ask your admin to turn on the SSO feature if you're running MOSS 2007 Enterprise Edition. SSO is not enabled by default.
Otherwise, if you need to make a Windows authenticated database connection, there are two alternatives: (1) use a "basic auth" connection with an embedded username and password in the database connection string, or (2) get your network domain admin to set up Constrained Delegation and Kerberos Protocol Transition.
How do I create a Data View using SSO?
Let’s suppose someone has already created an Application Definition to connect to the Northwind SQL Server database, and that the app def name is "nwsql."

1. Boot SharePoint Designer, and open a web site on the MOSS 2007 server where the app def is defined.
2. Launch the Data Source Library task pane, using the menu command Data View > Manage Data Sources.
3. Expand the Database Connections category, and click the link to Connect to a database:
   
   
   
4. Click the Configure Database Connection button in the dialog that appears. Enter the server name, and then choose the option for SSO authentication.
   
   
   
   IMPORTANT: if the dialog does not show an option for "Use Single Sign-On authentication," the SSO feature is either not activated or not available on the SharePoint server. Contact your server admin for details, or read the last section of this article about how to configuring SSO.
   
   Next, click the Settings button to bring up this dialog:
   
   
   
   These are the 3 critical pieces of information you need to establish an SSO connection. The server admin who configured the SSO app def will be able to provide them; for more information, see step 6 below in the section about configuring an SSO connection. Note that this dialog is asking for the Application Name, not the Display Name. For example, suppose the SSO admin used a display name of "Product Support – Group Definition" and an application name of "ps_g." That means the dialog should be filled out as follows:
   
   
   
   By default, the username field is called "Username" and the password is called "Password" when the SSO app def is created.
   
5. Click the Next button to pick the Database and Table you want to query. From here on, there is no difference between using an SSO data connection and a non-SSO data connection. However, keep in mind that external databases typically have lots and lots of data, so it’s a good idea to set a Filter on the data connection to limit the number of returned records.

What does the markup look like for an SSO connection string?
An SSO ConnectionString looks like this in SPD’s Code view, for a typical SQL Server connection:

ConnectionString="Data Source=servername;User ID=<CredentialValue Class='User ID' Resource='sso:appname' Type='Username'/>;Password=<CredentialValue Class='Password' Resource='sso:appname' Type='Password'/>;Initial Catalog=databasename;"

That looks a bit strange, until you observe that there are HTML-encoded tags inside the string.
For example, suppose your SQL Server is called “dbserv”, and your database is called “Northwind”, and your SSO application is called “myapp”. In that case, the ConnectionString property would look like this (when HTML-decoded):

Data Source=dbserv;
User ID=<CredentialValue Class='User ID' Resource='sso:myapp' Type='Username'/>;
Password=<CredentialValue Class='Password' Resource='sso:myapp' Type='Password'/>;
Initial Catalog=Northwind;

As you can see, this is just a normal SQL Server connection string, with some embedded tags that get substituted with the credentials retrieved from the SSO app def – the Username and Password strings.
How do I troubleshoot SSO data connections?
Unfortunately for SPD users, most error messages coming back from the data source layer are purposely vague for security reasons – basically they just tell you "sorry, it didn't work."
However, SSO does write more helpful info in the server’s Event Viewer. To find it, search for the app def name in the Description field of Error events. For example, suppose I have an app def called "ps_g" that stops working. A server admin can open Event Viewer, and go to the Application log:

Invoking the command Action > Find brings up the following dialog. Uncheck everything but Error, put the app def name ("ps_g" in this case) in the Description, and click Find Next:

Open the matching error events to see what went wrong:

Once you've gotten an SSO-based data view working, it usually stays working, except for the following conditions:

• A password reset on one of the SSO accounts – in which case you’ll have to reconfigure the app def
• A change to the SSO app def by a server admin – either it gets deleted or modified
• The SSO service is no longer running on the server – probably not set to AutoStart after a reboot

How do I configure SSO and create an Application Definition?
Office Online has documentation on how to configure Single Sign-On. But the first time through it really helps to have pictures, and the steps can be simplified somewhat in the "single-machine farm" case. Just a warning: there are about 6 long steps to set up SSO the very first time; but after the initial work is done, it typically takes less than a minute to create each new app def.
You must be a server administrator logged into the main farm machine to configure SSO.

1. Login to the server machine as an administrator (either on the console or using Terminal Server), and start up a Central Admin browser session (Start > Programs > Administrative Tools > SharePoint 3.0 Central Admin).
   
2. Click the Operations tab, and then in the Security Configuration section, choose Manage settings for single sign-on:
   
   
   
   Note: the very first time you try to configure SSO, you will see the following red error message at the top of the page:
   
   
   
   If you don't see this message, skip ahead to the next step; the SSO service is running. Otherwise, go to the Windows control panel (Start > Control Panel > Administrative Tools > Services). Find the entry in the dialog that says Microsoft Single Sign-on Service and edit its properties by double-clicking:
   
   
   
   Set the Startup type to Automatic:
   
   
   
   Go to the Log On tab, choose This account, and provide the credentials for the admin account you are currently logged in as (in "domain\account" format):
   
   
   
   Go back to the General tab, click the Start button, then click OK, close the Control Panel dialogs, and finally click Refresh in the browser window. You should no longer see a red error message at the top of the page, and the Manage server settings link should now be enabled.
   
3. Click the Manage server settings link. In the form that appears, you typically only need to provide a domain account name in the first two textboxes, the rest is filled in for you with default values:
   
   
   
   With a sandbox server, you can use the same admin account name for both (the account used above when configuring the SSO service).
   
   Click OK to return to the Manage SSO page.
   
4. Click the link for Manage encryption key, then click the button for Create Encryption Key. Click OK in the page that appears afterwards:
   
   
   
   Click the Operations link at the top of the page, then the link to Manage settings for single-sign on.
   
5. Click the link to Manage settings for enterprise application definitions, then click the New Item link to create a new application definition with this form:
   
   
   
   The Display Name is what users see in the browser UI in Central Admin. The Application Name is a shorter version that will appear in connection strings. Also, note that the fields for holding credential information are always called "Username" and "Password" by default.
   
   As described earlier, you will need the following 3 pieces of information from this page in order to use the app def in SharePoint Designer:
   
   
   • Application name ("nwsql" in the example above)
   • Field 1 Display Name ("Username" in the example)
   • Field 2 Display Name ("Password" in the example)
   SharePoint Designer data views can use either Group or Individual app defs, with or without Windows authentication. SPD cannot use a "Group using restricted account" app def.
   
6. Click the browser’s Back button to take you back to the Manage Settings page, and click the link to Manage account settings for enterprise application definitions:
   
   
   
   Select the app def name to change (the "Display name" from the previous form) and enter the account name to use when making the database connection.
Click the Set button, which brings up a form to enter the username and password for the app def:



Click OK, then click Done.

Just to recap, all 6 of these steps are required when setting up SSO for the very first time, but afterwards you only need to perform the last 2 steps for each new app def.

Reference:

http://blogs.msdn.com/b/sharepointdesigner/archive/2007/08/27/an-introduction-to-single-sign-on-sso-with-data-views.aspx

Single Sign On(SSO) between Sharepoint and non sharepoint portal

Every organization will have a lot of end user facing portals, some of which may even be partner sites. The users of these portals need to login into these portals to make complete use of the various features and functionalities of the portal, including making online purchases. It is painstaking for users to supply their credentials for every portal, especially if the user wants to switch from one portal to another. This is felt especially when switching to partner sites or other portals of the same organization, Here I am just suggesting high level approach , if need exact solution, please reach to me and I would be more than happy to provide all source files

SharePoint does support the Single Sing On feature with Claim based and Federation Module But you ask me if you have requirement where any non-SharePoint portal can have Single Sign-on then it is not supported or you have do lots of analysis (there is no easy way to do it)  and spent a time to share claim between Portal, here I am describing the custom and Simple way to achieve Single sign on , Custom SSO Auth provide all features included

Ø  Single Sign-On (SSO) is the feature that enables a user to receive a single challenge for credentials within a certain realm, and use the same token for access to other applications which require user authentication.

Ø  Platform Agnostic : Custom SSO Auth is the custom way to support SSO across the technologies

Ø  Easy To Integrate: Any technologies based Portal can be integrated with SSO Auth

Ø  Center Login Box: Center Login box hosted on SSO Auth will be take care of Authenticating the user and creating the Token.

Ø  Standard Patterns: SSO Auth does support Standard Patterns which will be needed to follow in order to integrate.

Ø  User Token: User Token can be easily to be extent to contain  more user profile Property which can be shared to all sites at the time when authentication has been requested

Top Features

•       Authenticate only once and use multiple portals or partner sites or resources.

•       Improved User Productivity

•       Ease of Administration

Prerequisite Requirements

1)      FBA Enabled Site with custom membership & Provider

2)      ASP.NET Application for SSO Auth- to store/share token

3)      One ASP.net application to check the SSO.

To Test the SSO.

Reference:


http://rampawar1509.blogspot.in/2013/03/single-sign-onsso-between-sharepoint.html

Making a SharePoint 2010 site externally available (Alternate Access Mappings, Host Header Bindings)

Scenario:How to make a SharePoint 2010 site externally available? Explanation:This is a very fundamental scenario that many SharePoint developers may encounter in the SharePoint world. A SharePoint site can be made externally available by following the steps below:

Point the desired host name (i.e. portal.sitename.com for example) to the public ip address of the SharePoint server (may it be the ip of the server in a single server farm or the load balancer in a multi server farm). Typically the network administrator does this.
Once that has been set, all the requests for http://portal.sitename.com will be directed to the specified SharePoint Server. But the SharePoint server needs to know which site to serve for such requests. Therefore we need to configure host name bindings in IIS.
Open up IIS Manager and select the desired sharepoint site and choose "Edit Bindings"



In the resulting screen, click edit





Next, provide the host name (portal.sitename.com in this case) 

 


 Now its time to configure Alternate Access Mappings in SharePoint. Go to Central Admin > Application Management > Alternate Access Mappings.

 

 Click on "Edit Public URLs" and then choose the appropriate Alternate Access Mapping Collection.

 

All looks fine now. At this point, if you create a new site collection and try to access the host (http://portal.sitename.com) from a different machine than the server, it works. But if you try to access the host from within the server, you may get a 404 page not found error.
While we are aware of the problems that SharePoint can encounter related to the Windows Server loopback check issue and host headers, I just wanted to reiterate that while it is OK to outright disable the check in dev/qa environments, we should instead be specifying a list of acceptable host names in the registry for production environments.
Completely disabling the check is a security hole that would likely be picked up should one of our production environments be audited.
Both techniques for handling the Loopback check issue are covered in this KB article: http://support.microsoft.com/kb/896861
Thanks to our Practice Lead David Perkinson for helping me resolve this issue.
Specify host names (Preferred method if NTLM authentication is desired)To specify the host names that are mapped to the loopback address and can connect to Web sites on your computer, follow these steps:

1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base: 281308 (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
2. Click Start, click Run, type regedit, and then click OK.
3. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
4. Right-click MSV1_0, point to New, and then click Multi-String Value.
5. Type BackConnectionHostNames, and then press ENTER.
6. Right-click BackConnectionHostNames, and then click Modify.
7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
8. Quit Registry Editor, and then restart the IISAdmin service.

Now we should be able to access the site using the host name both internally as well as externally.


Reference:

http://underthehood.ironworks.com/2010/06/making-a-sharepoint-2010-site-externally-available-alternate-access-mappings-host-header-bindings.html

SharePoint Alternate Access Mappings explained....my way!

I see many people confused about AAMs, their role and their usage. Therefore, I decided to write a post about them and explain in clear English what are they, when to use them and where to define them.

What AAms are?

AAMs are different urls mapped to the same application in order to give access to the same content using different zones. We cannot talk about AAMs without talking about web application zones. Each SharePoint web application can have five zones : Default, Internet, Intranet, Extranet and Custom. Each zone can have its own authentication provider. For example, Integrated windows authentication for the Default zone, Anonymous access for the Internet zone and Form based authentication for the Extranet zone. All the five zones share the same Database. i.e. the same content, but each one has its proper IIS web Site. Each zone has a public url. When we create a web application, the default zone is created. Let's say "http://default.mycompany:80". Then, we can extend this web application to the four remaining zones if we need to. For our example, we will extend our web application to the Internet zone "http://www.mycompany.com" and the Extranet zone "http://extranet.mycompany.com".

When to use AAMs?

Suppose that for convenience, I want my internal users to access the default zone using a more simplified url. What to do? Create a new AAM (http://mycompany) and map it the default zone. Now, the default zone can be accessed using whether http://mycompany or http://default.mycompany:80.

Suppose again that my company has been sold to a rich man. The urls I created for my web application are no longer valid. What to do to rename my web application urls from mycompany to hiscompany? Backup the content, create a new web application with new urls then restore the content? Yes, it could be. However, there is a better and simpler solution : AAMs. Create new AAMs, i.e. "http://default.hiscompany:80", "http://mycompany", "http://www.hiscompany.com" and "http://extranet.hiscompany.com" and map each url to the appropriate zone.

Where do I define these AAMs?

I'm glad you asked! Go to Central Admin > Operations > Alternate Access Mappings, under the Global Configuration section.

It goes without saying that the urls we are talking about must be first defined in the DNS and IIS.

I hope I have shed more light on AAMs by now. Nevertheless, if you have any question, feel free to ask.

Hope this post is helpful.


Reference:

http://spbyexamples.blogspot.in/2009/08/sharepoint-alternate-access-mappings.html
 

Things to know about SharePoint 2010 Claims-based Authentication

If you are configuring SharePoint 2010 with Claims-based Authentication for the first time, there are several things you should know before beginning to set up your environment to support Claims-based Authentication:

1. If you are using Active Directory as your user repository, attributes such as E-mail Address will not be available unless you are using Microsoft Exchange within your organization.  Active Directory does not natively support the E-mail Address attribute, therefore, if your organization uses an alternative Mail Server such as Lotus Notes, you will have to figure out alternative methods to populate this attribute.
2. Claims-based Authentication and Windows NTLM Authentication (Classic Mode Authentication) for a SharePoint 2010 Web Application are not interchangeable within the Central Administration GUI interface.  If you are performing all of your management activities within the GUI interface and you accidentally configure an NTLM-based Web Application, you will have to delete it and re-create it in order to select Claims-based Authentication.
3. If you are working with PowerShell in conjunction with using SharePoint Central Administration, you can still convert an NTLM-based Web Application over to Claims-based Authentication. (http://technet.microsoft.com/en-us/library/gg251985.aspx) Of course, this is a one-way conversion.  If you later decide you really want NTLM Authentication, you will have to once again delete the Web Application and create it.  The PowerShell command to convert a Classic Mode Authentication Web Application (NTLM) over to Claims-based Authentication is the following ( http://www.topsharepoint.com/enabling-or-disabling-claims-based-authentication):
   $ConvertApp = Get-SPWebApplication "http://<web application name>"
$ConvertApp.UseClaimsAuthentication = "True"
$ConvertApp.Update()
4. You will need SSL Certificates on your SharePoint Server and your Security Token Service (or on ADFS if you are using ADFS). If you do not purchase 3rd party SSL Certificates, you will either need to use an internal Certification Authority server or issue Self-signed certificates. Of course, using internal or Self-signed certificates may result in a browser security certificate warning when end users browse to your SharePoint website.
5. If you are planning on setting up an Identity Provider for Claims-based Authentication (such as ADFS), you can provide BOTH Claims-based Authentication using Windows Integrated Authentication as well as Identity Provider authentication.  This allows you to continue to access SharePoint even while configuring or troubleshooting issues with using the Identity Provider authentication and authorization process.
6. If you are using Claims-based authentication with the NTLM vs. using an Identity provider (such as ADFS), you will get a DIFFERENT set of Claims between the 2 authentication mechanisms.  This will either require you to map Claims to each other or to simplify things simply using a single Claims authentication provider such as your Identity Provider.
7. You can set up different authentication mechanisms based on different Urls for a SharePoint Web Application.  For example, you may want to support NTLM authentication for all users accessing your web site via the Intranet, while supporting Forms-based authentication for all users accessing your web site via the Extranet or Internet.  
8. After setting up Claims-based Authentication, you will have to click on the User Policy tab in Central Administration in order to add one or more users with the appropriate permissions to log into the site using Claims Authentication credentials.  
9. If you are using Claims-based authentication with load balancing, you will need to set up Affinity/Sticky Sessions for your load balancing:  http://blogs.technet.com/b/speschka/archive/2011/10/28/make-sure-you-know-this-about-sharepoint-2010-claims-authentication-sticky-sessions-are-required.aspx
10. In order to speed up the Claims Authentication process, you may want to DisableLoopbackCheck in the registry as described in this article: http://support.microsoft.com/kb/896861.

Reference:

http://samirvaidya.blogspot.in/2012/03/things-to-know-about-sharepoint-2010.html

Authentication in Sharepoint - Kerberos/Negotiate vs NTLM

SharePoint supports a variety of authentication mechanism. “Support” may be a loose term as SharePoint does not really authenticates any asset directly, rather it relies upon IIS and what IIS can support using the provider framework within ASP.NET 2.0. Most of these methods are end user facing.

When a user visits a SharePoint site how the web site will get the users credential validated? In this scenario, browser (e.g., IE, Fire Fox, Chrome, etc) is the client. Here you have a wide variety of selection to choose from.

To fulfill the end user’s for a resource (e.g., link to a file) on a SharePoint site, SharePoint becomes the client (on end user’s behalf) and request ADO.NET to get the file from database. Now .NET runtime installed on Server becomes the client and submits a request to SQL Server to get the requested content from its data-store. The process unwinds and end-user eventually gets what he requested.

Is the user actually entitled to see and get the content is determined by the process of authorization that SharePoint keeps a full control of. Here again it uses the ASP.NET (role) provider framework model to determine the user’s eligibility. Validating a user is “Authentication” that SharePoint outsourced to IIS and determining the user’s eligibility is “Authorization” that SharePoint decide to keep in-house.

When it comes to inner working of SharePoint servers and services running on same server or across different servers it always requires you to choose Integrated Authentication as its plumbing is built into the foundation of Windows Server.
For integrated authentication, there are two methods (protocols) that are available and supported in a SharePoint implementation are NTLM and Kerberos.

NTLM is a lightweight and efficient protocol with its foundation into early networking products that Microsoft built before NT (LAN Manager!! – ring any bell?).

Kerberos is industry de facto with its roots into UNIX based systems.

There have been enough discussions and great write up at various Microsoft & Community Sites discussing the reasoning for one or the other and my intent is not to start that debate again. With time and maturity of product and the increased awareness in community weight is shifting more towards Kerberos than NTLM and there are good reasons for it. A SharePoint implementation might be happier with Kerberos but as a SharePoint practitioner you need to have a holistic view of a customer’s environment where NTLM might be better for simple usage and its low maintenance overheads. For a client project where post implementation support is limited or difficult, I would think twice before deciding for Kerberos. For example, a simple change in a service account context may result in errors or broken functionality. People might not know what the cause is but they will see a product (SharePoint) that stopped working giving a bad repo to product and/or the implementers.
Kerberos vs. NTLM

Those who have networking background from old Novell and NT time may recall IPX vs IPX/SPX ODI or IPXODI, NetBEUI vs. TCP/IP. IPX and NetBEUI were simple to implement non-routable protocols that just worked in small LAN environments where networking begins and ended with simple File & Print Sharing or may be some dumb terminals. Those, who in early days, implemented TCP/IP might recall the overhead of configuring the TCP/IP protocol stack on computers, and running in duplicate IP issues, or maintaining a list of available IP addresses. Configuring was not that straight forward either – install, set & load the vendor provided drivers, configure the IP address, mask, gateway and DNS at the least and it machine is moved to different network go and reconfigure it. Though TCP/IP was much better protocol and de facto in Unix environments but for many implementation it was not worth going through the configuration and maintenance overhead unless interoperability or internetworking is needed. Over the passage of time, story got lot better and now SOHO devices, (like broadband devices for home networking) come with self managed TCP/IP stacks and built-in DHCP servers.


If the SharePoint implementation that you working on is a typical, single farm, simple AD domain with few servers in the farm, and have no other application that requires to know (authenticate) who the end user is you will be just fine with NTLM.


If you have a complex large farm or farms, large number of users on the farm and in AD and integrates with other applications like SSRS you can achieve better results with Kerberos.

Kerberos solves multi hop application domain authentication challenges without requesting user to authenticate again NTLM is chatty, means it talks a lot with your domain controller to check if user credentials have the appropriate permissions (role) to access the resource. Whereas, Kerberos protocol is less chatty but has larger overhead as at authentication time it reads all the groups/roles that user has and use that cached information. The performance characteristics of Kerberos has a lower point of diminishing return if your Directory Service (AD) has lot of users and groups and user is member of many group. How many is too many? I don’t have any matrix or performance test results but in my experience and based on what I know (or I think I know) many users might mean many tens of thousands of users and many groups means few thousand AD groups and many groups for user means few hundred groups that your typical user is member of.



Decision support documentation for Kerberos that we see in SharePoint and many other places like TechNet, informs you to make sure Kerberos is supported in your environment. When you ask IT System Engineer if they support Kerberos many if not most will answer in No – we don’t use Kerberos. In reality Kerberos is extensively used by Windows OS and network Services that windows provides. Windows self-managed these Kerberos registration and deregistration without you ever knowing about. Network objects that you see in AD, like servers and workstations and services running under Local System accounts they all have Kerberos SPN (Service Principal Name) registered with AD. The proper term for what I have been Kerberos registration and deregistration is SPN (de)registration. SPN – Service Principal Name. Where it gets reregistered is KDC – Key Distribution Center; a service that runs on Domain Controller. Once an asset (object like a server host or a service like a web or LDAP Server) a token is issued that that holder carries for the duration. Here it kind of resembles to a DNS record’s TTL (Time to Live) or a commuter train ride pass good for a day. Directory Objects (like hosts and registered services) that windows networking manage maintain these tokens and they get expired and renewed with you ever knowing about it.
The SPN that do not get registered automatically is for configuration setting that you chose to implement as part of your design like SPN registration for a name given to a web server like intranet.example.com or mysite.example.com or the SQL server instance running under a domain user account (opposed to Local System). So the system administrators needs to know how to (un)register a SPN for such user created instance and the implications of duplicate entries or how to go about identifying the problem and resolving it.
Think about SPN like an IP address or email address. It has to be unique on the network or internetwork. Two people cannot have same email address but a person can have more than one email address, or two computers cannot have same IP address but a given computer can have more than one IP address (some wise sys admin might say I have a server that has dual port NICs and both ports have same IP address. This is called teaming, outside world still sees it as a single IP address and it’s the vendor’s provided driver or firmware that is managing them for either redundancy or for increased capacity)
Not everything is Kosher or Halal. So when you implement the Kerberos you still have low level OS components that require NTLM and you cannot block the NTLM traffic and expect things to work as normal. One thing that is going to run into problems is search components and the file or IPC shares that you have for inter-service communications or when index files get copied to query servers.
Unlike duplicate IP address issues, one nice thing about integrated authentication using Kerberos is it will fall back to NTLM if it cannot figure out Kerberos. By figuring out I mean, if Kerberos is not properly configured.
The story has gotten lot better with SharePoint v3 (i.e., WSS v3 and MOSS 2007). When the product was released Web Application Servers were supported on Kerberos and now with Infrastructure Update release (post SP1) SSP, SharePoint Web Services sites are also supported to run with Kerberos. Not to forget about SQL the muscle behind the SharePoint that can be configured to run with Kerberos.

Reference: http://www.agileconcepts.com/Blogs/AQ/


 Reference:

http://www.sharepointpitstop.com/2012/04/sharepoint-authentication-kerberos-ntlm.html