SharePoint Security – State of the Union

SharePoint Security – State of the Union

A call to action regarding SharePoint and Security

Citizens of SharePoint!
I would like to say a little something about SharePoint and Security.
The usual focus when talking about IT and Security is technical aspects of security, it is a global phenomenon and it has always been like that. My most private thinking on the reasons for this is, that technical solutions simply are a lot more fun than the boring processes and policies. Take a Windows laptop for example, when discussing security it always comes down to Bit locker instead of discussing how you work to be secure.
SharePoint is no different, but in the SharePoint industry I feel that we have taken it even further, we do not even feel that Security is that much fun, or even that important maybe, the SharePoint community feels that custom solutions and architectural designs, maybe even corporate branding are a lot more fun than any aspect of Security.

Titanic, the unsinkable ship that sunk

In my personal opinion this is a shame and my hope is that this will gradually change in the future toward a more Security aware SharePoint community.
Developing new solutions, new custom applications and designing the world’s most elaborate SharePoint architecture will for a while yet I realize, be more interesting to the individual engineer than promoting the importance of keeping your local admin groups clean and why you should not logon using the farm account, for the most experienced Certified Master same as for the SharePoint IT-Pro beginner.
This is a fact and the risk is that we will start to see downsides from this as SharePoint for real has by now, found its rightful place in most every company’s infrastructure, all over the world.
Now you are probably starting to wonder how I can be so bold to state these things unfounded and without proof? You are probably thinking that you yourself is not like that, you do care about Security and all this is just about everyone else, if even that. Maybe some of us are better and some are worse, but we can all do better.
I have a feeling and I have some proof:
– I have for a while now worked dedicated with SharePoint Security, reviewing existing SharePoint environments and designing and implementing fresh new environments. During this period I have yet to come by a Security aware design of a SharePoint environment (my own designs excluded obviously).
– I have customers that have come to me and stated that part of the reason that they have contacted me, is that there simply is no other partner that focuses on SharePoint and Security and that can offer the services that I do. I am according to my customer, without competition, at least in my part of the world.
– I have seen from the SharePoint conference participant surveys, that of all of the topics that the participants want to hear more about next year, Security is always at the very bottom of the list.
– The number one rated and watched session at TechEd this year, was about hacker tools…

I may be wrong but I doubt it, security is not really on our agenda.
In my experience, all of us in this larger and larger SharePoint community, should pay a little extra attention on Security in all that we do. Not only in the Security technical aspects that we implement because we have to, take for example Kerberos authentication (Link to guide). Kerberos is a great Security feature that will enhance the Security in most SharePoint environments, but not many implementations have been made for the Security aspects of it, but for the simple reason that a double-hop scenario required it and thus it was implemented (visit my blog for an easy step by step guide to Kerberos in SharePoint).
Also, many, many SharePoint environments out there are setup by developers, I beg your pardon developers, but your focus is often to get a working test and development platform up and running, not to make it secure and stable. Also, after a solution has been developed and tested for functionality, your job is often done. The result is often something that is less than perfect in terms of Security.

It would be really nice if we could all help to change this, if we could all do just a few things that will in fact make the SharePoint environment more secure or at least, make it harder to penetrate and easier to keep track of.

I have made a list of things that we could all easily think of and do, and that would help SharePoint Security awareness.

Keep the number of local server administrators down to a minimum (0).

In most SharePoint environments we can assume that a local server administrator can get access to all of the content in SharePoint. Use domain groups, add an individual’s user account only as needed and remove when he/she is done.
You’ll find a command at the end that will show you a course list of the members of the local administrators group.

Do not disable the Loopback check on your Web servers.

This is a great Security feature, it will make life a little harder on a possible intruder, so why disable it. Add the URLs you need instead. If you buy a house and it has an alarm installed, you do not disable it, you grant access to the members of your family. Also worth mentioning, you should always avoid browsing from the server, but some features like search may depend on accessing the local server so a configuration may be the best answer.
You’ll find a PowerShell script at the end how you can easily configure it to allow the URL’s you need instead of disabling it completely.

Disable the SQL authentication and especially the SA account.

These account are completely unmanaged and unmonitored, it is a popular backdoor for any hacker.
They are rarely used and when used often by legacy applications, if they are, find out why and reconfigure or put the legacy app on a separate instance or server.

Never use Shared accounts (Never ever!).

I still see people defending the ‘setup account’ (shared installation and configuration user) and they state that it is given special permissions that are required later on. Operations people with a lot of people coming and going often use a ‘server monitor’ account that can be borrowed and used to get easy and fast access to the server. It is often a local account and often has a password that is well known by all…
In my opinion, there is never or very rarely a reason to keep a shared account. If you absolutely feel that you must, use a domain account and more importantly, disable it when it is not used. Also, change the password regularly.

Keep the Windows Firewall On (Ports-Link/Conf-Link).

Need I even explain this? It is however a sad fact that it is often disabled even in a production environment. It should be used and on in all environments, the development environment would else make an easy target for the evil hacker.
Configure it even during development, there are many ways to do it, PowerShell may be the simplest, check my blog blksthl.com on how to.
If you don’t do it right away, you or your customer will most likely forget to enable and configure it when you are done.

Keep the IE ESC On – Internet Explorer Enhanced Security Configuration.

A server is not really meant for us to browse SharePoint sites or the internet, use a client machine or a separate test server if you have to. If you MUST browse from this particular SharePoint server, disable it for admins only and enable it when done.
You’ll find a PowerShell script at the end how you can easily configure it.

Use HTTPS on Central Administration site.

Often, too often, https is used for web applications bt usually not for the central administration site, it is a bit of configuring and thinking to get it working, but it is a recommended way to protect your Environment. Remember, passwords will at times be transfered in cleartext on the central admin site.
Follow the Word of Spencer Harbar to get it done:
Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

***

Summary,
My hope is, that we will all try do something extra when it comes to Security in the future, do your best to leave a better more secure environment behind, take a while instructing the customer on the importance of keeping the environment secure even after you have left. Make them aware as well.
If you or your customers need a wakeup call, please watch my dear colleague’s session from TechEd North America this year voted no 1, Marcus Murray and Hasain Alshakarti at Truesec:
Live Demonstration: Hacker Tools You Should Know and Worry About
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B309#fbid=SxGCyIja7i5
After you or your customer has seen what can be done with simple tools avalable to all…perhaps the general attitude towards security processes may improve a bit?

Final word: It is not all about cool buzzwords/technologies like oauth or claims or federations, it is even more about processes and boring policies…

Configure Loopbackcheck (Link) In a PowerShell prompt running as administrator: Get-Item -path ”HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0” | new-Itemproperty -Name “BackConnectionHostNames” -Value (“coolsite.corp.balkestahl.se”, “alias.corp.balkestahl.se”) -PropertyType “MultiString” (Replace mine with your own URL’s and add more using double quotes and a comma and space as separator) Make the changes stick with: Restart-Service IISADMIN

Configure IE ESC (Link) In a PowerShell prompt running as administrator: function Disable-IEESC { $AdminKey = “HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}” Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 Stop-Process -Name Explorer } Disable-IEESC (You have to hit enter twice after pasting the script)

Crude list of all members of Local Administrators In a PowerShell prompt running as administrator: Gwmi win32_groupuser | where-object {$_.groupcomponent –like ‘*”Administrators”‘} | ft partcomponent There are better looking examples out there but this is a one-liner that does the trick…

References:

DisableLoopbackCheck & SharePoint: What every admin and developer should know. (Spencer Harbar folks)
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

A quick guide to configuring the Loopback check
https://blog.blksthl.com/2013/05/07/a-quick-guide-to-configuring-the-loopback-check/

Configure automatic password change in SharePoint 2013 using PowerShell
https://blog.blksthl.com/2013/05/14/configure-automatic-password-change-in-sharepoint-2013-using-powershell/

TCP/IP Ports of SharePoint 2013
https://blog.blksthl.com/2013/02/21/tcpip-ports-of-sharepoint-2013/

A guide to https and Secure Sockets Layer in SharePoint 2013
https://blog.blksthl.com/2012/12/20/a-guide-to-https-and-secure-sockets-layer-in-sharepoint-2013/

How to disable IE Enhanced Security in Windows Server 2012
https://blog.blksthl.com/2012/11/28/how-to-disable-ie-enhanced-security-in-windows-server-2012/

The first Kerberos guide for SharePoint 2013 technicians
https://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/

Using SSL for Central Administration with SharePoint 2013
http://www.harbar.net/archive/2013/02/13/Using-SSL-for-Central-Administration-with-SharePoint-2013.aspx

Thanks to:

Hasain Alshakarti – TrueSec
Marcus Murray – TrueSec
TrueSec Sweden / TrueSec US
Spencer Harbar – harbar.net
Andrija Marcic – Microsoft

___________________________________________________________________________________________________

Consider?

Regards

Twitter | Technet Profile | LinkedIn

Fix: The trust relationship between this workstation and the primary domain failed

Updated 2014-01-10 : Finally added a PowerShell method

This guide is using the PowerShell or NETDOM tool and does not require rejoining the domain

Have you seen this? ‘The trust relationship between this workstation and the primary domain failed’
Or this? ‘The security database on the server does not have a computer account for this workstation trust relationship.’ Same issue, different symptom.

I have on multiple occasions beeing a heavy Hyper-V user for my labs…
There are apparently a number of reasons why this happens, but the main reason seems to be lost connection between the ‘client/server’ and the Domain controllers. If the scheduled password change occurs while the server or client is unavailable or has been shut down, then the passwords stored in the server/client and the domain controllers for the computer account mismatch, and you will end up getting this error when trying to logon to the server. It can also appear differently, like if all service accounts stop functioning with events logged as a result, or similar that happens when the server is still running and you have been able to logon or simply never logged off.

The real question…How do we fix it? There are a number of TechNet forum threads on this(added one below as references) and many blog posts allready written, but since I’m always having difficulty finding them myself when I need them, I’ll make my own. Please feel free to borrow this knowledge and reblog/repost it yourself 🙂 (The guide however, is my own creation…)
The easiest or at least the quickest solution, is to have the server leave the doamin by adding it to a workgroup, then joining it back to the domain again. But, this can sometimes be a bit risky, you may have lots of service account running as domain users and so on, you don’t feel like uncoupling the server from the domain at all, then do this instead.

This guide is taking for granted that you prior to following these steps, have restored network connectivity between the server/client and the domain controllers, else this will fail. Resetting the computer password can not be done offline.

–

The following steps are performed on a Windows Server 2008 R2 machine, but the same steps apply to Windows Server 2012

Ok, I’ll do as I’m used to and describe what to do in a step by step guide, like this:

You log on to your server like you are used to, using your personal domain account:

You type the password and hit enter, then, BAM! This, instead of the normal logon procedure…what a start on a monday morning…

No good…if you don’t like to meddle with server affairs and are the kind of person who likes to stick to your apps once logged into the server, copy the link to this blogpost and send it to someone who can fix it…else, keep reading.

Press OK and then Switch user.

Then use the local server administrator account to logon to the server.

In my case it is one of my SQL boxes, so I type the Servername, Backslash, Local Admin and hit Enter.

The Username can just as well be in the form: ‘.\administrator’, with the single dot replacing the servername

PowerShell Method
New Method, steps performed on Windows Server 2012 but are valid on Win7, Win8x, WS2008 and WS2012R2

Once logged in, you will want to start a PowerShell prompt or PowerShell ISE with administrative privilieges, ‘as administrator’.

Next, we solve the problem by resetting the Computer password in Active Directory and on the Local machine, for this we use a PowerShell CMDlet called Reset-ComputerMachinePassword. Type in the following command:

Reset-ComputerMachinePassword -Server <Name of any domain controller> -Credential <domain admin account>

In my environment it looks like this:

Hit Enter, you will then be prompted for the Domain Administrator accounts password

Type in the password and hit OK. It will take between 2 to 10 seconds to complete Yoy will then, if everything works, see this:

Yup, nothing overwelming like ‘Succeeded’ or OK…just the released prompt. It is a success though 🙂

Now, we have to do one more thing before order is restored completely, we have to reboot the server. If you don’t, you will still not be able to logon using the domain account.

Use PowerShell…

Or the GUI if you prefer

After the server has rebooted, you are good to go, logon using your regular personal domain account.

Done!

NETDOM Method
Old method, performed on Windows Server 2008R2, but are valid also on WS2012 and WS2012R2, not however on Win7 or Win8X

Once logged in, you will want to start a PowerShell prompt or a Command prompt with administrative privilieges, ‘as administrator’.

Next, we solve the problem by resetting the Computer password in Active Directory and on the Local machine, for this we use a commande called NETDOM.
Type in the following command:

NETDOM RESETPWD /Server:<name of any domain controller> /UserD:<domain admin account> /PasswordD:<password>

(Yes, the trailing D’s are supposed to be there, don’t ask me why…)

In my prompt it looks a bit like this:

Important! Unlike in this Picture, the domain administrators password will be visible in cleartext, so be careful and close the prompt after you are done!

If you change the password part to be /PasswordD:* It will prompt you to enter your password, and it will not be shown in the CMD box.
(Thanks to Jason Hanson for the tip, and Gerrard Singleton)

Hit Enter and if everything works, you should see this:

Now, we have to do one more thing before order is restored completely, we have to reboot the server. If you don’t, you will still not be able to logon using the domain account.

After the server has rebooted, you are good to go, logon using your regular personal domain account.

Done!

If this did not work out for you, perhaps any of these reference links can be of use for you with additional steps and alternate solutions?
Good luck!

References

NETDOM
http://technet.microsoft.com/en-us/library/cc772217(v=ws.10).aspx

Netdom Overview
http://technet.microsoft.com/sv-se/library/cc737599(v=ws.10).aspx

How to use Netdom.exe to reset machine account passwords of a Windows Server domain controller
http://support.microsoft.com/kb/325850

Reset-ComputerMachinePassword
http://technet.microsoft.com/en-us/library/hh849751.aspx

Don’t rejoin to fix
http://www.implbits.com/about/blog/tabid/78/post/don-t-rejoin-to-fix-the-trust-relationship-between-this-workstation-and-the-primary-domain-failed/default.aspx

TechNet Forum: The trust relationship between this workstation and the primary domain failed – Windows 7 Enterprise joining 2008 Domain, Error 5722
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/8155d5ea-a5c2-4306-8d2b-be3464234460/

TechNet Wiki: Trust Relationship between Workstation and Primary Domain failed
http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-and-primary-domain-failed.aspx

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

The complete list of tools in Windows Server 2012

Tools Tools Tools Tools Tools….I wonder how much smaller in diskspace Windows would be without the tools? There are Tools for almost every task, just browse this list and you understand what I’m talking about.
Have you ever wondered about a commandline tool and did not find the proper explanation or the TechNet page for it?
Have you like me, had to learn what a lot of these does simply to be able to pass a certification?

(Oh, the Picture shows two bowls of chocolate, nothing else…)

Look no further, bookmark this page and you will find it all in one convenient place. No PowerShell here though, a lot of the stuff that can be made using these tools may or may not be performed using PowerShell CMDlets as well, but these are not listed here, this list is strictly for hardcore tools!

Do you miss any certain Windows Server 2012 tool that you feel should be here? Please let me know which it is and I’ll be sure to add it if you can convince me that it should be part of the list.
–

A B C D E F G H I J K L M
––
N O P Q R S T U V W X Y Z

Jump to References

–
–

A	Back to the menu
Adprep	Extends the Active Directory® schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs a later version of the Windows Server operating system than the current domain controllers in the forest or domain.
Append	Allows programs to open data files in specified directories as if they were in the current directory. If used without parameters, append displays the appended directory list.
Arp	Displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. There is a separate table for each Ethernet or Token Ring network adapter installed on your computer. Used without parameters, arp displays help.
Assoc	Displays or modifies file name extension associations. If used without parameters, assoc displays a list of all the current file name extension associations.
At	Schedules commands and programs to run on a computer at a specified time and date. You can use at only when the Schedule service is running. Used without parameters, at lists scheduled commands.
Atmadm	Monitors connections and addresses that are registered by the ATM Call Manager on an asynchronous transfer mode (ATM) network. You can use atmadm to display statistics for incoming and outgoing calls on ATM adapters. Used without parameters, atmadm displays statistics for monitoring the status of active ATM connections
Attrib	Displays, sets, or removes attributes assigned to files or directories. If used without parameters, attrib displays attributes of all files in the current directory.
Auditpol	Displays information about and performs functions to manipulate audit policies.
Autochk	Runs when the computer is started and prior to Windows Server® 2008 R2 starting to verify the logical integrity of a file system.
Autoconv	Converts file allocation table (FAT) and FAT32 volumes to the NTFS file system, leaving existing files and directories intact at startup after Autochk runs. Volumes converted to the NTFS file system cannot be converted back to FAT or FAT32.
Autofmt	Formats a drive or partition when called from the Windows Recovery Console.
B	Back to the menu
Bcdboot	Enables you to quickly set up a system partition, or to repair the boot environment located on the system partition. The system partition is set up by copying a simple set of Boot Configuration Data (BCD) files to an existing empty partition.
Bcdedit	BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores, adding boot menu parameters, and so on. BCDEdit serves essentially the same purpose as Bootcfg.exe on earlier versions of Windows, but with two major improvements: Exposes a wider range of boot parameters than Bootcfg.exe and has improved scripting support.
Bdehdcfg	Prepares a hard drive with the partitions necessary for BitLocker Drive Encryption. Most installations of Windows 7 will not need to use this tool because BitLocker setup includes the ability to prepare and repartition drives as required.
Bitsadmin	BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.
Bootcfg	Configures, queries, or changes Boot.ini file settings.
Break	(Deprecated) Sets or clears extended CTRL+C checking on MS-DOS systems. If used without parameters, break displays the current setting.
C	Back to the menu
Cacls	Displays or modifies discretionary access control lists (DACL) on specified files.
Call	Calls one batch program from another without stopping the parent batch program. The call command accepts labels as the target of the call.
Cd	Displays the name of or changes the current directory. If used with only a drive letter (for example, `cd C:`), cd displays the names of the current directory in the specified drive. If used without parameters, cd displays the current drive and directory. (This command is the same as the chdir command.)
Certreq	Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.
Certutil	Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
Change	Changes Remote Desktop Session Host (RD Session Host) server settings for logons, COM port mappings, and install mode.
Chcp	Changes the active console code page. If used without parameters, chcp displays the number of the active console code page.
Chdir	This command is the same as the cd command.
Chglogon	Enables or disables logons from client sessions on an RD Session Host server, or displays current logon status.
Chgport	Lists or changes the COM port mappings to be compatible with MS-DOS applications.
Chgusr	Changes the install mode for the Remote Desktop Session Host (RD Session Host) server.
Chkdsk	Checks the file system and file system metadata of a volume for logical and physical errors. If used without parameters, chkdsk displays only the status of the volume and does not fix any errors. If used with the /f, /r, /x, or /b parameters, it fixes errors on the volume.
Chkntfs	Displays or modifies automatic disk checking when the computer is started. If used without options, chkntfs displays the file system of the specified volume. If automatic file checking is scheduled to run, chkntfs displays whether the specified volume is dirty or is scheduled to be checked the next time the computer is started.
Choice	Prompts the user to select one item from a list of single-character choices in a batch program, and then returns the index of the selected choice. If used without parameters, choice displays the default choices Y and N.
Cipher	Displays or alters the encryption of directories and files on NTFS volumes. If used without parameters, cipher displays the encryption state of the current directory and any files it contains.
Clip	Redirects command output from the command line to the Windows clipboard. You can then paste this text output into other programs.
Cls	Clears the Command Prompt window.
Cluadmin	Enables you to connect to a failover cluster (formerly known as server cluster). Used without parameters, cluadmin starts Cluster Administrator, the tool used to configure and manage failover clusters.
Cluster	Creates a new cluster or configures an existing cluster.
Cmd	Starts a new instance of the command interpreter, Cmd.exe. If used without parameters, cmd displays the version and copyright information of the operating system.
Cmdkey	Creates, lists, and deletes stored user names and passwords or credentials.
Cmstp	Installs or removes a Connection Manager service profile. Used without optional parameters, cmstp installs a service profile with default settings appropriate to the operating system and to the user’s permissions.
Color	Changes the foreground and background colors in the Command Prompt window for the current session. If used without parameters, color restores the default Command Prompt window foreground and background colors.
Comp	Compares the contents of two files or sets of files byte-by-byte. If used without parameters, comp prompts you to enter the files to compare.
Compact	Displays or alters the compression of files or directories on NTFS partitions. If used without parameters, compact displays the compression state of the current directory and the files it contains.
Convert	Converts file allocation table (FAT) and FAT32 volumes to the NTFS file system, leaving existing files and directories intact. Volumes converted to the NTFS file system cannot be converted back to FAT or FAT32.
Copy	Copies one or more files from one location to another.
Cprofile	Cprofile – Cprofile is deprecated, and is not guaranteed to be supported in future releases of Windows.
Cscript	Starts a script so that it runs in a command-line environment.
Csvde	Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
D	Back to the menu
Date	Displays or sets the system date. If used without parameters, date displays the current system date setting and prompts you to enter a new date.
Dcdiag	Analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
Dcgpofix	Recreates the default Group Policy Objects (GPOs) for a domain.
Dcpromo	Installs and removes Active Directory Domain Services (AD DS). (Preferred method is Server Manager, but dcpromo should be used for RODC’s and Server core)
Defrag	Locates and consolidates fragmented files on local volumes to improve system performance.
Del	Deletes one or more files. This command is the same as the erase command.
Dfscmd	Configures DFS folders and folder targets in a DFS namespace.
Dfsrmig	The dfsrmig command migrates SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication, provides information about the progress of the migration, and modifies Active Directory Domain Services (AD DS) objects to support the migration.
Diantz	This command is the same as the makecab command.
Dir	Displays a list of a directory’s files and subdirectories. If used without parameters, dir displays the disk’s volume label and serial number, followed by a list of directories and files on the disk (including their names and the date and time each was last modified). For files, dir displays the name extension and the size in bytes. Dir also displays the total number of files and directories listed, their cumulative size, and the free space (in bytes) remaining on the disk.
Dirquota	The dirquota command-line tool is installed with File Server Resource Manager and includes subcommands for creating and managing quotas, auto apply quotas, and quota templates, as well as configuring general administrative options for working with quotas.
Diskcomp	Compares the contents of two floppy disks. If used without parameters, diskcomp uses the current drive to compare both disks.
Diskcopy	Copies the contents of the floppy disk in the source drive to a formatted or unformatted floppy disk in the destination drive. If used without parameters, diskcopy uses the current drive for the source disk and the destination disk.
Diskedit	diskedit has been deprecated since Windows Server 2003 – not available in Windows Server 2012
DiskPart	diskpart is a text-mode command interpreter that enables you to manage objects (disks, partitions, volumes, or virtual hard disks) by using scripts or direct input from a command prompt.
Diskperf	diskperf is used to enable or disable physical and logical disk performance counters in Windows 2000 systems.
DiskRAID	DiskRAID is a command-line tool that enables you to configure and manage redundant array of independent (or inexpensive) disks (RAID) storage subsystems.
Diskshadow	DiskShadow is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS). By default, DiskShadow uses an interactive command interpreter similar to that of DiskRAID or DiskPart. DiskShadow also includes a scriptable mode.
Dispdiag	Logs display information to a file.
Djoin	Provisions a computer account in a domain and requests an offline domain join when a computer restarts.
Dnscmd	A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.
Doskey	Calls Doskey.exe (which recalls previously entered command-line commands), edits command lines, and creates macros.
Driverquery	Enables an administrator to display a list of installed device drivers and their properties. If used without parameters, driverquery runs on the local computer.
Dsacls	Displays and changes permissions (access control entries) in the access control list (ACL) of objects in Active Directory Domain Services (AD DS).
Dsadd	Adds specific types of objects to the directory.
Dsamain	Exposes Active Directory data that is stored in a snapshot or backup as a Lightweight Directory Access Protocol (LDAP) server.
Dsdbutil	Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.
Dsget	Displays the selected properties of a specific object in the directory.
Dsmgmt	Facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.)
Dsmod	Modifies an existing object of a specific type in the directory.
Dsmove	Moves a single object, within a domain, from its current location in the directory to a new location, or renames a single object without moving it in the directory tree.
Dsquery	Queries the directory by using search criteria that you specify. Each of the dsquery commands finds objects of a specific object type, with the exception of dsquery *, which can query for any type of object.
Dsrm	Deletes an object of a specific type or any general object from the directory.
E	Back to the menu
Echo	Displays messages or turns on or off the command echoing feature. If used without parameters, echo displays the current echo setting.
Edit	Starts MS-DOS Editor, which creates and changes ASCII text files.
Endlocal	Ends localization of environment changes in a batch file, and restores environment variables to their values before the corresponding setlocal command was run.
Erase	This command is the same as the del command. See Del for syntax and parameters.
Eventcreate	Enables an administrator to create a custom event in a specified event log.
Eventquery.vbs	Eventquery.vbs is deprecated, and is not guaranteed to be supported in future releases of Windows.
Eventtriggers	Eventtriggers is deprecated, and is not guaranteed to be supported in future releases of Windows.
Evntcmd	Configures the translation of events to traps, trap destinations, or both based on information in a configuration file.
Exit	Exits the Cmd.exe program (the command interpreter) or the current batch script.
Expand	Expands one or more compressed files. You can use this command to retrieve compressed files from distribution disks.
Extract	Extract is deprecated and is no longer part of Windows Server
F	Back to the menu
Fc	Compares two files or sets of files and displays the differences between them.
Filescrn	The filescrn command is installed with File Server Resource Manager and includes subcommands for creating and managing file groups, file screens, file screen exceptions, and file screen templates, and for configuring general administrative options for screening files.
Find	Searches for a string of text in a file or files, and displays lines of text that contain the specified string.
Findstr	Searches for patterns of text in files.
Finger	Displays information about a user or users on a specified remote computer (typically a computer running UNIX) that is running the Finger service or daemon. The remote computer specifies the format and output of the user information display. Used without parameters, finger displays help.
Flattemp	Enables or disables flat temporary folders.
Fondue	Enables Windows optional features by downloading required files from Windows Update or another source specified by Group Policy. The manifest file for the feature must already be installed in your Windows image.
For	Runs a specified command for each file in a set of files.
Forfiles	Selects and executes a command on a file or set of files. This command is useful for batch processing.
Format	Formats a disk to accept Windows files.
Freedisk	Checks to see if the specified amount of disk space is available before continuing with an installation process.
Fsutil	Performs tasks that are related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume. If it is used without parameters, fsutil displays a list of supported subcommands.
Ftp	Transfers files to and from a computer running a File Transfer Protocol (FTP) server service. Ftp can be used interactively or in batch mode by processing ASCII text files.
Ftype	Displays or modifies file types that are used in file name extension associations. If used without an assignment operator (=), ftype displays the current open command string for the specified file type. If used without parameters, ftype displays the file types that have open command strings defined.
Fveupdate	Fveupdate is deprecated, and is not guaranteed to be supported in future releases of Windows.
G	Back to the menu
Getmac	Returns the media access control (MAC) address and list of network protocols associated with each address for all network cards in each computer, either locally or across a network.
Gettype	Gettype is deprecated, and is not guaranteed to be supported in future releases of Windows.
Goto	Directs cmd.exe to a labeled line in a batch program. Within a batch program, goto directs command processing to a line that is identified by a label. When the label is found, processing continues starting with the commands that begin on the next line.
Gpfixup	Fix domain name dependencies in Group Policy Objects and Group Policy links after a domain rename operation.
Gpresult	Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
Gpupdate	Updates Group Policy settings.
Graftabl	Enables Windows operating systems to display an extended character set in graphics mode. If used without parameters, graftabl displays the previous and the current code page.
H	Back to the menu
Hashgen	Creates or deletes BranchCache content information, also called hashes, for the content in the specified directory on a BranchCache-capable file server.
Help	Provides online information about system commands (that is, non-network commands). If used without parameters, help lists and briefly describes every system command.
Helpctr	Helpctr is deprecated, and is not guaranteed to be supported in future releases of Windows.
Hostname	Displays the host name portion of the full computer name of the computer.
I	Back to the menu
Icacls	Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.
If	Performs conditional processing in batch programs.
Inuse	Inuse is deprecated, and is not guaranteed to be supported in future releases of Windows.
Ipconfig	Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.
Ipxroute	Displays and modifies information about the routing tables used by the IPX protocol. Used without parameters, ipxroute displays the default settings for packets that are sent to unknown, broadcast, and multicast addresses.
Irftp	Sends files over an infrared link.
Ismserv	This service enables messages to be exchanged between computers running Windows Server sites. This service is used for mail-based replication between sites. Active Directory includes support for replication between sites by using SMTP over IP transport. SMTP support is provided by the SMTP service, which is a component of IIS. The set of transports used for communication between sites must be extensible; therefore, each transport is defined in a separate add-in dynamic link library (DLL). These add-in DLLs are loaded into the ISM service, which runs on all domain controllers that are candidates for performing communication between sites. The ISM service directs send requests and receive requests to the appropriate transport add-in DLLs, which then route the messages to the ISM service on the destination computer.
J	Back to the menu
Jetpack	Compacts a Windows Internet Name Service (WINS) or Dynamic Host Configuration Protocol (DHCP) database. Microsoft recommends that you compact the WINS database whenever it approaches 30 MB.
K	Back to the menu
Klist	Displays a list of currently cached Kerberos tickets. This information applies to Windows Server 2012.
Ksetup	Performs tasks that are related to setting up and maintaining Kerberos protocol and the Key Distribution Center (KDC) to support Kerberos realms, which are not also Windows domains. For examples of how this command can be used, see the Examples section in each of the related subtopics.
Ktmutil	Starts the Kernel Transaction Manager utility. If used without parameters, ktmutil displays available subcommands.
Ktpass	Configures the server principal name for the host or service in Active Directory Domain Services (AD DS) and generates a .keytab file that contains the shared secret key of the service. The .keytab file is based on the Massachusetts Institute of Technology (MIT) implementation of the Kerberos authentication protocol. The Ktpass command-line tool allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service in Windows Server 2008 R2.
L	Back to the menu
Label	Creates, changes, or deletes the volume label (that is, the name) of a disk. If used without parameters, the label command changes the current volume label or deletes the existing label.
Ldifde	Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.
Ldp	Performs operations such as connect, bind, search, modify, add, delete against any Lightweight Directory Access Protocol (LDAP)-compatible directory, such as Active Directory Domain Services (AD DS). Ldp is an LDAP client that you use to view objects that are stored in AD DS along with their metadata, such as security descriptors and replication metadata.
Lodctr	Allows you to register or save performance counter name and registry settings in a file and designate trusted services.
Logman	Logman creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.
Logoff	Logs off a user from a session on a Remote Desktop Session Host (RD Session Host) server and deletes the session from the server.
Lpq	Displays the status of a print queue on a computer running Line Printer Daemon (LPD).
Lpr	Sends a file to a computer or printer sharing device running the Line Printer Daemon (LPD) service in preparation for printing.
M	Back to the menu
Macfile	Manages File Server for Macintosh servers, volumes, directories, and files. You can automate administrative tasks by including a series of commands in batch files and starting them manually or at predetermined times.
Makecab	Package existing files into a cabinet (.cab) file.
Manage-bde	Used to turn on or turn off BitLocker, specify unlock mechanisms, update recovery methods, and unlock BitLocker-protected data drives. This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item.
mapadmin	You can use Mapadmin to manage User Name Mapping for Microsoft Services for Network File System.
Md	Creates a directory or subdirectory. This command is the same as the mkdir command.
Mkdir	This command is the same as the md command. See Md for syntax and parameters.
Mklink	Creates a symbolic link.
Mmc	Using MMC command-line options, you can open a specific MMC console, open MMC in author mode, or specify that the 32-bit or 64-bit version of MMC is opened.
Mode	Displays system status, changes system settings, or reconfigures ports or devices. If used without parameters, mode displays all the controllable attributes of the console and the available COM devices.
More	Displays one screen of output at a time.
Mount	You can use mount to mount Network File System (NFS) network shares.
Mountvol	Creates, deletes, or lists a volume mount point.
Move	Moves one or more files from one directory to another directory.
Mqbkup	Backs up MSMQ message files and registry settings to a storage device and restores previously-stored messages and settings.
Mqsvc	Message Queuing technology enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios.
Mqtgsvc	Monitors a queue for incoming messages and performs an action, in the form of an executable file or COM component, when the rules of a trigger are evaluated as true.
Msdt	Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.
Msg	Sends a message to a user on a Remote Desktop Session Host (RD Session Host) server.
Msiexec	Provides the means to install, modify, and perform operations on Windows Installer from the command line.
Msinfo32	Opens the System Information tool to display a comprehensive view of the hardware, system components, and software environment on the local computer.
Mstsc	Creates connections to Remote Desktop Session Host (RD Session Host) servers or other remote computers, edits an existing Remote Desktop Connection (.rdp) configuration file, and migrates legacy connection files that were created with Client Connection Manager to new .rdp connection files.
N	Back to the menu
Nbtstat	Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. Nbtstat allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, nbtstat displays help.
Net computer	Adds or deletes a computer from a domain database.
Net group	Adds, displays, or modifies global groups in domains.
Net localgroup	Adds, displays, or modifies local groups. Used without parameters, net localgroup displays the name of the server and the names of local groups on the computer.
Net print	Displays information about a specified printer queue or a specified print job, or controls a specified print job.
Net session	Manages server computer connections. Used without parameters, net session displays information about all sessions with the local computer.
Net share	Manages shared resources. Used without parameters, net share displays information about all of the resources that are shared on the local computer. For each resource, the device name(s) or pathname(s) and a descriptive comment are displayed.
Net use	Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.
Net user	Adds or modifies user accounts, or displays user account information.
Net view	Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.
Netcfg	Installs the Windows Preinstallation Environment (WinPE), a lightweight version of Windows used to deploy workstations.
Netdiag	The Netdiag command-line diagnostic tool helps to isolate networking and connectivity problems by performing a series of tests to determine the state of your network client. These tests and the key network status information that they expose give network administrators and support personnel a more direct means of identifying and isolating network problems. Moreover, because this tool does not require parameters or switches to be specified, support personnel and network administrators can focus on analyzing the output rather than on training users how to use the tool.
Netdom	Enables administrators to manage Active Directory domains and trust relationships from the command prompt.
Netsh	Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer.
Netstat	Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.
Nfsadmin	You can use nfsadmin to manage Server for NFS and Client for NFS.
Nfsshare	You can use nfsshare to control Network File System (NFS) shares.
Nfsstat	You can use nfsstat to display or reset counts of calls made to Server for NFS.
Nlb	After you have installed and configured Network Load Balancing (NLB), you can control its operations and modify parameter settings using the NLB control program, nlb.exe. To simplify and centralize system administration, you can run nlb.exe either on the cluster hosts or on any remote computer running Windows Server 2008 that can access the cluster over a local or wide area network. However, certain actions, such as modifying parameters, can be performed only on the cluster hosts.
Nlbmgr	Using Network Load Balancing Manager, you can configure and manage your Network Load Balancing clusters and all cluster hosts from a single computer, and you can also replicate the cluster configuration to other hosts. You can start Network Load Balancing Manager from the command-line using the command nlbmgr.exe, which is installed in the systemroot\System32 folder.
Nltest	Performs network administrative tasks.
Nslookup	Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Before using this tool, you should be familiar with how DNS works. The Nslookup command-line tool is available only if you have installed the TCP/IP protocol.
Ntbackup	The ntbackup command is not available in Windows Vista or Windows Server 2008. Instead, you should use the wbadmin command and subcommands to back up and restore your computer and files from a command prompt.
Ntcmdprompt	Runs the command interpreter Cmd.exe, rather than Command.com, after running a Terminate and Stay Resident (TSR) or after starting the command prompt from within an MS-DOS application.
Ntdsutil	Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Ntfrsutl	Dumps the internal tables, thread, and memory information for the NT File Replication Service (NTFRS). It runs against local and remote servers. The recovery setting for NTFRS in Service Control Manager (SCM) can be critical to locating and keeping important log events on the computer. This tool provides a convenient method of reviewing those settings.
O	Back to the menu
Openfiles	Enables an administrator to query, display, or disconnect files and directories that have been opened on a system. Also enables or disables the system Maintain Objects List global flag.
P	Back to the menu
Pagefileconfig.vbs	Pagefileconfig.vbs is deprecated, and is not guaranteed to be supported in future releases of Windows.
Path	Sets the command path in the PATH environment variable (the set of directories used to search for executable files). If used without parameters, path displays the current command path.
Pathping	Provides information about network latency and network loss at intermediate hops between a source and destination. Pathping sends multiple Echo Request messages to each router between a source and destination over a period of time and then computes results based on the packets returned from each router. Because pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Pathping performs the equivalent of the tracert command by identifying which routers are on the path. It then sends pings periodically to all of the routers over a specified time period and computes statistics based on the number returned from each. Used without parameters, pathping displays help.
Pause	Suspends the processing of a batch program and displays the following prompt.
Pbadmin	Pbadmin is deprecated, and is not guaranteed to be supported in future releases of Windows.
Pentnt	Pentnt is deprecated, and is not guaranteed to be supported in future releases of Windows.
Perfmon	Start Windows Reliability and Performance Monitor in a specific standalone mode.
Ping	Verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo Request messages. The receipt of corresponding Echo Reply messages are displayed, along with round-trip times. Ping is the primary TCP/IP command used to troubleshoot connectivity, reachability, and name resolution. Used without parameters, ping displays help.
Pnpunattend	Audits a computer for device drivers, and perform unattended driver installations, or search for drivers without installing and, optionally, report the results to the command line. Use this command to specify the installation of specific drivers for specific hardware devices.
Pnputil	Pnputil.exe is a command line utility that you can use to manage the driver store. You can use Pnputil to add driver packages, remove driver packages, and list driver packages that are in the store.
Popd	Changes the current directory to the directory that was most recently stored by the pushd command.
Powercfg	Control power settings and configure computers to default to Hibernate or Standby modes.
PowerShell	Windows PowerShell™ is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.The PowerShell.exe command-line tool starts a Windows PowerShell session in a Command Prompt window. When you use PowerShell.exe, you can use its optional parameters to customize the session. For example, you can start a session that uses a particular execution policy or one that excludes a Windows PowerShell profile. Otherwise, the session is the same as any session that is started in the Windows PowerShell console.
PowerShell_Ise	Windows PowerShell Integrated Scripting Environment (ISE) is a graphical host application that enables you to read, write, run, debug, and test scripts and modules in a graphic-assisted environment. Key features such as IntelliSense, Show-Command, snippets, tab completion, syntax-coloring, visual debugging, and context-sensitive Help provide a rich scripting experience.
Print	Sends a text file to a printer.
Prncnfg.vbs	Configures or displays configuration information about a printer.
Prndrvr.vbs	Adds, deletes, and lists printer drivers.
Prnjobs.vbs	Pauses, resumes, cancels, and lists print jobs.
Prnmngr.vbs	Adds, deletes, and lists printers or printer connections, in addition to setting and displaying the default printer.
Prnport.vbs	Creates, deletes, and lists standard TCP/IP printer ports, in addition to displaying and changing port configuration.
Prnqctl.vbs	Prints a test page, pauses or resumes a printer, and clears a printer queue.
Prompt	Changes the Cmd.exe command prompt. If used without parameters, prompt resets the command prompt to the default setting, which is the current drive letter and directory followed by the greater than symbol (>).
Pubprn.vbs	Publishes a printer to the Active Directory Domain Services.
Pushd	Stores the current directory for use by the popd command, and then changes to the specified directory.
Pushprinterconnections	Reads Deployed Printer Connection settings from Group Policy, and deploys/removes printer connections as needed.
Q	Back to the menu
Qappsrv	Displays a list of all Remote Desktop Session Host (RD Session Host) servers on the network.
Qprocess	Displays information about processes that are running on a Remote Desktop Session Host (RD Session Host) server.
Query	Displays information about processes, sessions, and Remote Desktop Session Host (RD Session Host) servers.
Quser	Displays information about user sessions on a Remote Desktop Session Host (RD Session Host) server.
Qwinsta	Displays information about sessions on a Remote Desktop Session Host (RD Session Host) server.
R	Back to the menu
Rasdial	Connects or disconnects a dial-up or virtual private network (VPN) connection. When you run the command without parameters, the status of current network connections is displayed.
Rcp	Copies files between computers. This command has been deprecated.
Rd	Deletes a directory. This command is the same as the rmdir command.
Rdpsign	Enables you to digitally sign a Remote Desktop Protocol (.rdp) file.
Reagentc	Configures the Windows Recovery Environment (Windows RE) and enables image recovery solutions.
Recover	Recovers readable information from a bad or defective disk.
Redircmp	Redirects the default container for newly created computers to a specified, target organizational unit (OU) so that newly created computer objects are created in the specific target OU instead of in CN=Computers.
Redirusr	Redirects the default container for newly created users to a specified, target organizational unit (OU) so that newly created user objects are created in the specific target OU instead of in CN=Users.
Reg	Performs operations on registry subkey information and values in registry entries.
Regini	Modifies the registry from the command line or a script, and applies changes that were preset in one or more text files. You can create, modify, or delete registry keys, in addition to modifying the permissions on the registry keys.
Regsvr32	Registers .dll files as command components in the registry.
Relog	Extracts performance counters from performance counter logs into other formats, such as text-TSV (for tab-delimited text), text-CSV (for comma-delimited text), binary-BIN, or SQL.
Rem	Records comments (remarks) in a batch file or CONFIG.SYS. If no comment is specified, rem adds vertical spacing.
Ren	Renames files or directories. This command is the same as the rename command.
Rename	This is the same as the ren command.
Rendom	Rendom.exe is a command-line tool that is used to rename Active Directory domains. A domain rename is a complex operation that also requires other tools and processes in addition to using Rendom.exe.
Repadmin	Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.
Repair-bde	Accesses encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data.
Replace	Replaces files. If used with the /a option, replace adds new files to a directory instead of replacing existing files.
Reset session	Enables you to reset (delete) a session on a Remote Desktop Session Host (RD Session Host) server.
Rexec	Rexec is deprecated, and is not guaranteed to be supported in future releases of Windows.
Risetup	The risetup command is deprecated in Windows Server® 2008 and Windows Server 2008 R2.
Rmdir	This command is the same as the rd command. See Rd for syntax and parameters.
Robocopy	Advanced filecopy
Route	Displays and modifies the entries in the local IP routing table.
Rpcinfo	Lists programs on remote computers. The rpcinfo command-line utility makes a remote procedure call (RPC) to an RPC server and reports what it finds.
Rpcping	Confirms the RPC connectivity between the computer running Microsoft Exchange Server and any of the supported Microsoft Exchange Client workstations on the network. This utility can be used to check if the Microsoft Exchange Server services are responding to RPC requests from the client workstations via the network.
Rsh	This command has been deprecated. Runs commands on remote computers running the RSH service or daemon.
Rsm	Manages media resources using Removable Storage. Using the rsm command, you can run batch scripts for applications that do not currently support the Removable Storage API.
Rss	Manages Remote Storage from the command line. Using the rss command, you can run batch scripts for applications that will allow them to access Remote Storage directly.
Runas	Allows a user to run specific tools and programs with different permissions than the user’s current logon provides.
Rundll32	Loads and runs 32-bit dynamic-link libraries (DLLs). There are no configurable settings for Rundll32.
Rwinsta	Enables you to reset (delete) a session on a Remote Desktop Session Host (RD Session Host) server.
S	Back to the menu
Sc	Communicates with the Service Controller and installed services. The SC.exe program provides capabilities similar to those provided in Services in the Control Panel.
Schtasks	Schedules commands and programs to run periodically or at a specific time. Adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.
Scwcmd	Command line-tool used to perform Security Configuration Wizard tasks.
Secedit	Configures and analyzes system security by comparing your current configuration to specified security templates.
Serverceipoptin	Allows you to participate in the Customer Experience Improvement Program (CEIP).
Servermanagercmd	Servermanagercmd.exe has been deprecated, and is not available in Windows Server 2012.
Serverweroptin	Allows you to enable error reporting.
Set	Displays, sets, or removes CMD.EXE environment variables. If used without parameters, set displays the current environment variable settings.
Setlocal	Starts localization of environment variables in a batch file. Localization continues until a matching endlocal command is encountered or the end of the batch file is reached.
Setspn	Reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. You use SPNs to locate a target principal name for running a service. You can use setspn to view the current SPNs, reset the account’s default SPNs, and add or delete supplemental SPNs.
Setx	Creates or modifies environment variables in the user or system environment, without requiring programming or scripting. The Setx command also retrieves the values of registry keys and writes them to text files.
Sfc	Scans and verifies the integrity of all protected system files and replaces incorrect versions with correct versions.
Shadow	Enables you to remotely control an active session of another user on a Remote Desktop Session Host (RD Session Host) server.
Shift	Changes the position of batch parameters in a batch file.
Showmount	You can use showmount to display mounted directories.
Shutdown	Enables you to shut down or restart local or remote computers one at a time.
Sort	Reads input, sorts data, and writes the results to the screen, to a file, or to another device.
Start	Starts a separate Command Prompt window to run a specified program or command.
Storrept	The storrept command is installed with File Server Resource Manager and includes subcommands for creating and managing storage reports and storage report tasks, as well as for configuring general administrative options for File Server Resource Manager.
Subst	Associates a path with a drive letter. If used without parameters, subst displays the names of the virtual drives in effect.
Sxstrace	Diagnoses side-by-side problems.
Sysocmgr	Sysocmgr is deprecated, and is not guaranteed to be supported in future releases of Windows.
Systeminfo	Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).
T	Back to the menu
Takeown	Enables an administrator to recover access to a file that previously was denied, by making the administrator the owner of the file.
Tapicfg	Creates, removes, or displays a TAPI application directory partition, or sets a default TAPI application directory partition. TAPI 3.1 clients can use the information in this application directory partition with the directory service locator service to find and communicate with TAPI directories.You can also use Tapicfg to create or remove service connection points, which enable TAPI clients to efficiently locate TAPI application directory partitions in a domain.
Taskkill	Ends one or more tasks or processes. Processes can be ended by process ID or image name. Taskkill replaces the kill tool.
Tasklist	Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool.
Tcmsetup	Sets up or disables the TAPI client.
Telnet	Communicates with a computer running the Telnet Server service.
Tftp	Transfers files to and from a remote computer, typically a computer running UNIX, that is running the Trivial File Transfer Protocol (TFTP) service or daemon.
Time	Displays or sets the system time. If used without parameters, time displays the current system time and prompts you to enter a new time.
Timeout	Pauses the command processor for the specified number of seconds.
Title	Creates a title for the Command Prompt window.
Tlntadmn	Administers a local or remote computer that is running the Telnet Server Service.
Tracerpt	The tracerpt command can be used to parse Event Trace Logs, log files generated by Performance Monitor, and real-time Event Trace providers. It generates dump files, report files, and report schemas.
Tracert	Determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) Echo Request or ICMPv6 messages to the destination with incrementally increasing Time to Live (TTL) field values. The path displayed is the list of near/side router interfaces of the routers in the path between a source host and a destination. The near/side interface is the interface of the router that is closest to the sending host in the path.
Tree	Displays the directory structure of a path or of the disk in a drive graphically.
Tscon	Connects to another session on a Remote Desktop Session Host (RD Session Host) server.
Tsdiscon	Disconnects a session from a Remote Desktop Session Host (RD Session Host) server.
Tsecimp	Imports assignment information from an Extensible Markup Language (XML) file into the TAPI server security file (Tsec.ini). You can also use this command to display the list of TAPI providers and the lines devices associated with each of them, validate the structure of the XML file without importing the contents, and check domain membership.
Tskill	Ends a process running in a session on a Remote Desktop Session Host (RD Session Host) server.
Tsprof	Copies the Remote Desktop Services user configuration information from one user to another.
Type	Displays the contents of a text file. Use the type command to view a text file without modifying it.
Typeperf	The typeperf command writes performance data to the command window or to a log file. To stop typeperf, press CTRL+C.
Tzutil	Displays the Windows Time Zone Utility.
U	Back to the menu
Uddiconfig	Saves Universal Description, Discovery, and Integration (UDDI) configuration settings to an XML file.
Umount	You can use Umount to remove Network File System (NFS)–mounted drives.
Unlodctr	Removes Performance counter names and Explain text for a service or device driver from the system registry.
V W	Back to the menu
W32tm	You can use the W32tm.exe tool to configure Windows Time service (W32time) settings. You can also use W32tm.exe to diagnose problems with the time service. W32tm.exe is the preferred command-line tool for configuring, monitoring, or troubleshooting the Windows Time service.
Waitfor	Sends or waits for a signal on a system. Waitfor is used to synchronize computers across a network.
Wbadmin	Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.
Wdsutil	WDSUTIL is a command-line utility used for managing your Windows Deployment Services server.
Wecutil	Enables you to create and manage subscriptions to events that are forwarded from remote computers, which support WS-Management protocol.
Ver	Displays the operating system version number.
Verifier	Driver verifier manager.
Verify	Tells cmd whether to verify that your files are written correctly to a disk. If used without parameters, verify displays the current setting.
Wevtutil	Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
Where	Displays the location of files that match the given search pattern.
Whoami	Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.
Winnt	Winnt is deprecated, and is not guaranteed to be supported in future releases of Windows.
Winnt32	Winnt32 is deprecated, and is not guaranteed to be supported in future releases of Windows.
Winpop	Winpop is deprecated, and is not guaranteed to be supported in future releases of Windows.
Winrs	Windows Remote Management allows you to manage and execute programs remotely.
Winsat	winsat assesses various features, capabilities, and attributes of a computer running Windows Vista®.
Wlbs	The Wlbs command has been replaced by Nlb.exe. For more information, see Nlb
Wmic	Displays WMI information inside an interactive command shell.
Vol	Displays the disk volume label and serial number, if they exist. If used without parameters, vol displays information for the current drive.
Wscript	Windows Script Host provides an environment in which users can execute scripts in a variety of languages, languages that use a variety of object models to perform tasks.
Vssadmin	Displays current volume shadow copy backups and all installed shadow copy writers and providers.
X	Back to the menu
Xcopy	Copies files and directories, including subdirectories
Y	Back to the menu
Z	Back to the menu

Thats it, and thats that!

References

Windows Server 2012 Command-Line Reference
http://technet.microsoft.com/en-us/library/cc754340

Windows PowerShell Support for Windows Server 2012
http://technet.microsoft.com/en-us/library/hh801904.aspx

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn

The first Kerberos guide for SharePoint 2013 technicians

Last update: June 5, 2013
Updated 2012-12-08 – New note added to Step 3. Delegation
Updated 2012-12-11 – New note added to Step 4. Authentication Provider
Updated 2012-12-25 – New link added to Skip all the talk and get straight down to business
Updated 2013-02-14 – New update added to Step 4. Authentication Provider – ignore step 4.18, 4.19 and 4.20.
Updated 2013-05-14 – New note added to step 5.6
Updated 2013-06-05 – Added some t-shooting links after step 5.11

This is obviously an extension to ‘The final Kerberos guide for SharePoint technicians‘ published previously. As I was making that post and collecting material and Pictures, verifying the functionality, I was beginning to wonder if such a guide would be applicable in the same way to SharePoint 2013 as it is to SharePoint 2010, after some quick research I found out that it is. Using the SharePoint 2013 preview installed on Windows Server 2008 R2 with a 2008 R2 Active Directory and SQL Server 2008 R2, the steps are the same (almost).

(Herakles and Kerberos)

I came upon a few ‘snags’ that took me a while to figure out, but part from that, all is similar to how it is in SharePoint 2010. So, good for me, I only have to update Everything, not re-learn the whole thing!
As help in the task of writing this post, I had nothing…its still pretty empty for SharePoint 2013 on the topic of Kerberos and authentication (a few references added at the bottom section of this post), no doubt that will change as we get closer to launch but today, it was a void waiting to be filled. So, take it as is, this is built solely upon the preview bits. Use the 2010: The Whitepaper (242 pages) as reference, most of it is still valid.
Ok, enough talk, lets get down to business:

‘The first Kerberos guide for SharePoint 2013 technicians’

This time, I will try and get back later and add a scenario involving Windows Server 2012 and SQL Server 2012. Not that the SQL server will make much or any difference here, but the server environment will. Perhaps I’ll even have a brand new AD to work with based on 2012.

Scenario 1 – Basic

Kerberos authentication to SharePoint 2013 site on default port 80 with a single SharePoint Web Server(Windows Server 2008 R2) from Windows 7/2008R2, IE 9. (using Basic delegation/Unconstrained delegation)

(This guide assumes that a normal NTLM authentication to the same Web Application with the same user has been verified, by adding this line I’m among other things taking AAM and site permissions out of the equation. These things have to work before attempting to use this guide)

Note: To perform some of these procedures, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory and you have to be a member of the Farm Administrators Group in SharePoint, or you must have been delegated the appropriate authorities. As a security best practice, consider using ‘Run as’ when applicable to perform these procedures.

–

Checklist:

Step	Summary
1. Name Resolution	An entry for the Web Applications URL must exist in either DNS or in the clients hosts file.
2. Service Principal Names	HTTP SPN’s must be created for the Web Application URL(s) and its Application Pool service account.
3. Delegation	The SharePoint Web Server must be ‘Trusted for delegation’ in Active Directory. (Note added 2012-12-08)
4. Authentication Provider	The Web Applications Authentication provider must be set toAuthentication type: WindowsIIS Authentication setting: Integrated Windows authentication/Negotiate(Kerberos)
5. Verification of functionality(IMPORTANT!)	Klist.exe on client must have a HTTP ticket for URL and User accountSecurity log on SharePoint Web Server must have event ID 4624 with user and kerberos. (If Kerberos fails NTLM authentication will be used! Unless, see links at the end of step 5.)
References and Credits

If you do need assistance on configuring ALternate Access Mappings or https/SSL, use any of these links:
– A guide to Alternate Access Mappings Basics in SharePoint 2013
– A guide to https and Secure Sockets Layer in SharePoint 2013
– The final guide to Alternate Access Mappings (Free Download)

Step 1

Name Resolution

There are two ways to do this, one excellent and one less excellent, the lesser of the two is really only ‘allowed’ for developing or testing purposes, but it exists and should be taken into consideration. Testing is also something that you will want to do here, and the less modifications you must do that requires a service down or a (Service Management) change order at an early stage, the better. Use Hosts for testing, then DNS in production.

DNS

Make sure that the URL of the Web Application has a A-Record in DNS, if not, you need to create it.

A server that is joined to an Active Directory Domain gets a A-record created automatically, but verify that it is there.

Create a A-Record in DNS using the following:

1.1 Open DNS Management in Administrative Tools on a DNS server.

1.2 Expand forward lookup zones container.

1.3 Right click on the zone (domain name) and click on new host (A or AAAA).

1.4 Type in the name of the record, this is the URL of the Web Application (minus the domain part in a FQDN) and type in the IP address of the SharePoint 2013 Web Server

1.5 Click on ‘Add Host’

1.6 Click on ‘Done’

1.7 You will see this verification dialog:

1.8 Verify that the record has been created in the right pane.

1.8 Just to be sure, do a flush of the DNS cache, to do this, type:
Ipconfig -flushdns (hit enter)

1.9 In a Command Prompt, ping the Web Application URL.

1.10 You are now done with step 1, Name Resolution. Move on to step 2. Service Principal Name(SPN).

Note: A known issue exists with some clients (IE7 and IE8 included) that causes kerberos authentication to fail with the use of DNS alias instead of an A-Record.

Hosts (not recommended method)

1.x1 Locate the hosts file on your client or server if this is what you are using as client. It is located in the following path: C:\Windows\System32\Drivers\etc\hosts. Use Notepad to open it(open notepad using right click and ‘Run as Administrator’ and you will be allowed to save the changes)

1.x2 At the bottom of the file, add a row with the following: IP-Address<tab>hostname/FQDN <enter>

– Example:

192.168.1.104 sharepoint2013

– Also add any FQDN’s needed, like in my example:

192.168.1.104 sharepoint2013.corp.balkestahl.se

Note: Always end the last line with a Linefeed/Enter, else you may experience issues using the hosts file.

1.x3 Example of how the file could look above…Save the file using the same filename(hosts only, no extension)

You are now done with step 1, Name Resolution. Move on to step 2. Service Principal Name(SPN).
Back to main menu

–

Step 2

Service Principal Name(SPN)

Note: To perform these procedures, you must have membership in Domain Admins, Enterprise Admins, or you must have been delegated the appropriate authority. For information on delegating the permissions to modify SPNs, see Delegating Authority to Modify SPNs.

Note: To use setspn, you must run the setspn command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click ‘Run as administrator’.

When creating or setting up your SPN’s, you need some basic information first, as you will be creating HTTP SPN’s you need a URL and a Service account name. If the SharePoint Web Application has both a NetBIOS name and an FQDN, then you need to create separate SPN’s for both.

2.1 Start by opening a Command Prompt ‘Running as administrator’ (See note at the start of this step 2)

2.2 Next, list all SPN already in Place for the Service Account, type:

setSPN -L domain\serviceaccount (hit enter) or without the domain name setSPN -L serviceaccount (hit enter)

Wait for it…

Most likely, you get back nothing. This is ok. If you do get some registered SPN’s back, just make sure that they are not the same as the ones you are about to add, if they aren’t they you can leave them be.

2.3 Next, we create our own SPN’s for the service account paired with the Web Application and SPN type, to create this SPN type:

Note: Do not configure service principal names with https even if the web application uses SSL

setspn -S HTTP/mywebappurl domain\serviceaccount (hit enter) Note: HTTP can be upper or lowercase, does not matter.

2.5 Now we also have to add an SPN for the FQDN, type:

setspn -S HTTP/mywebappurl.domain.com domain\serviceaccount (hit enter)

2.6 Listing the SPN’s now should list one additional SPN, type:

setspn -L domain\serviceaccount (hit enter)

If Everything has gone well and you had no previous SPN’s created from this service account, then the result from the command will be:

HTTP/mywebappurl
HTTP/mywebappurl.domain.com

Note: You see in the Picture in addition to the 2013 SPN’s, my SPN’s created for the SharePoint 2010 server, that farm uses the same service account, corp\spwebapp and thus the SPN’s are still registered to it. Those two extra SPN’s do not in any way affect this service. Leave them be and we will be fine.

The necessary SPN’s have now been created successfully and the service will be able to request tickets in your name.

Note: Using the -S parameter with setspn when creating an SPN will check for duplicates before creating a new one, thus eliminating the risk of duplicate SPN’s, which would cause Kerberos to fail.

You are now done with step 2, Service Principal Name(SPN). Move on to step 3. Trust for delegation.
Back to main menu

–

Step 3

Trust for delegation

Note: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

By default, no server is trusted for delegation, meaning that a service on a server in the Active Directory, cannot act on a user’s behalf, basically this means that a service if trusted for delegation, can impersonate a user and request a Kerberos ticket in the users name.

(added 2012-12-08)
Note: Step 3 can be skipped if you only want to authenticate your users. Delegation is only needed if you are planning to access external or ‘second hand’ datasources, such as an RSS feed, Reporting Services or any other service external to the SharePoint server, that would require the users authentication to be delegated. Configuring delegation together with Kerberos will allow for ‘double hop’ scenarios.
(Thanks Spencer Harbar for pointing this out)

Change this setting in Active Directory using the following:

3.1 Open Active Directory Users and Computers.

3.2 In the console tree, click Computers. (Or the appropriate OU where your SharePoint Web Server resides)

3.3 Right-click the computer you want to be trusted for delegation, and click Properties

3.4 On the Delegation tab, click ‘Trust this computer for delegation to any service (Kerberos only)’.

3.5 Click OK.

You are now done with step 3. Trust for delegation. Move on to step 4. Authentication Provider.
Back to main menu

–

Step 4

Authentication Provider

(Added 2012-12-11) Update: In response to several comments, the steps 4.18, 4.19 and 4.20 can be ignored, these steps are not required and can be disregarded. IIS will show a red warning but this is what SharePoint does and it works even with FBA enabled. So, if it works with FBA enabled, leave it on.
See references section at the end of this post for a link to a really good explanation to how claims based authentication in SharePoint works.

Note: To perform this procedure, you must be a member of the SharePoint Farm Administrators group, or you must have been delegated the appropriate authority.

Note: If you are creating a new Web Application at this Point, simply select ‘Classic Mode Authentication’ as authentication and ‘Negotiate(Kerberos)’ as Authentication provider in the Security Configuration dialog during Web Application creation.

In order for the Web Application and SharePoint to use Kerberos instead of the default NTLM, we have to configure SharePoint to use just that. Unlike what many Think, there is no way to force SharePoint to use only Kerberos, what we have available is the option to use Kerberos if possible, else use NTLM. Don’t ask me why this is so, but this is what we have. However, if all of the Kerberos Components are configured correctly, this is what will be used for authentication at all times.

So…the last configuration Before testing it all out…configure SharePoint to use Kerberos using the following:

4.1 In the Central Administration, go to ‘Application Management’ – ‘Manage Web Applications’

4.2 Select the Web Application you want to configure, and click on Authentication providers in the top ribbon.

4.3 In the ‘Authentication Providers’ dialog, click on the authentication provider you want to alter, usually its default.

4.4 In the ‘Edit Authentication’ dialog, verify that ‘Claims Authentication Type’ is set to: ‘Enable Windows Authentication’ and ‘Integrated Windows authentication’ In the dropdown, select ‘Negotiate (Kerberos)’.

4.5 Scroll down the dialog to ‘Save’ / ‘Close’. Press Save and wait…you will not see any progress…

4.6 Sit here until you feel that you have waited long enough and that the save MUST be done.

4.7 Click on Cancel(?!)

You have now made the modifications needed in SharePoint for Kerberos authentication to function, now we have to verify that the Changes has been made to IIS by SharePoint.

To verify the IIS Web Site Authentication settings, follow these steps:

4.8 In Internet Information Services (IIS) Manager, locate the Web Application under ‘Sites’.

4.9 Select the Web Application and in the middle pane under the heading ‘IIS’, locate ‘Authentication’

4.10 Select the ‘Authentication’ Icon and in the right ‘Actions’ pane, clikc on ‘Open Feature’.

4.11 In the Authentication dialog, select Windows Authentication (usually at the bottom).

4.12 Click on ‘Providers’ in the right ‘Actions’ pane.

4.13 Verify that ‘Negotiate’ and ‘NTLM’ are the only ones listed and that they are listed in that order, ‘Negotiate’ at the top.

4.14 Click Cancel and then again in the right ‘Actions’ pane click on ‘Advanced Settings’.

4.15 Verify in the ‘Advanced Settings’ dialog that ‘Extended Protection’ is ‘Off’ and that ‘Enable Kernel-mode authentication’ is unchecked.

4.16 Click Cancel.

4.17 IIS will warn you that this is disabled, but SharePoint disables this setting because of a ‘feature’ in IE8 that may prevent them from connecting. Do not follow their advice this time…

4.18 (DISREGARD THIS STEP – See note at beginning of step 4. added 2012-12-11) I noticed here as well, after some trial and error, that SharePoint 2013 for some reason enabled ‘Forms Authentication’ for the my Web Application in IIS, when both are enabled, you will never be able to access the site.

4.19 (DISREGARD THIS STEP – See note at beginning of step 4. added 2012-12-11) I even got a Little error about it in the top-right pane:

4.20 (DISREGARD THIS STEP – See note at beginning of step 4. added 2012-12-11) Important! Disable the ‘Forms Authentication’ if it is enabled:

4.21 Exit Internet Information Services Manager.

You are now done with step 4. Authentication Provider. Move on to step 5. Verification of functionality.

Note: DO NOT make any Changes using the Internet Information Services Manager, if Changes need to be made, Always use the SharePoint Central Administration interface.
Another way to make changes to SharePoint is PowerShell, which is also a recommended way if you really know what you are doing.

Back to main menu

–

Step 5

Verification of functionality

Many Tools exist that can be used to verify that Kerberos authentication actually occurs, Tools such as NetMon(Network Monitor), WireShark, Fiddler, KerbTray and many more can be used for this step. I have however focused on two Tools that will be sufficient and that exists already in the Environment. I have chosen to focus on these two:

Klist (Client)

Security Log (Server)

Klist

(Klist is available on Windows server 2008 and later and on Windows 7 and later, for Windows Server 2003, see note at the end of this step)

Before anything, Close down all open Internet Explorers or other browser sessions you have open.

5.1 On the client, start a command prompt as administrator (Right click, ‘Run as administrator’).

5.2 Flush the DNS cache, type:
Ipconfig -flushdns (hit enter)

5.3 List all tickets on the system, type:
klist (hit enter)
Note: this does not affect any other functionality on the client or server

The tickets listed does not necessarily have anything to do with us at this point (SharePoint).

5.4 Now, we want to clean up this list so that we can see if a new ticket is granted to our user when logging on to SharePoint.

Clear the list, type:
klist purge (hit enter)
Note: this does not affect any other functionality on the client or server

In the prompt you will see:

Deleting all tickets:

Ticket(s) purged!

5.5 Try again listing all tickets, type:

klist (hit enter)

This time the list should be empty. (if not, then some service has managed to connect again during the time from that you purged until you ran Klist again)

5.6 With an empty Kerberos ticket list, open up a new Internet Explorer session and go to the URL of the Web Application.
Note: You cannot start a browser as a different user, if you do, the tickets will not be available to the klist command for the logged on user.

5.7 When authenticated and logged into the site, all loaded ok

5.8 Switch back to the command prompt and again, type:

klist (hit enter)

Now, with Kerberos working, you will see two tickets, the most important one is the second ticket(#1) that contains:

Client: username@domain.com

Server: HTTP/mywebappurl

KerbTicket Encryption Type:

And a few timestamps and similar stuff. This is good!

If you see this ticket, things are working! Now, all we have to do is verify that it looks good on the Web Server as well.

Close down the Command Prompt and move on to the next task in this guide, the security log.

Note: For Windows Server 2003, KLIST is available as a free download in the Windows Server 2003 Resource Kit Tools. To obtain the tools, visit the following Microsoft Web site: Download Klist here

Security Log

Note: Before checking for events in the eventlog, you may want to verify that your server is logging authentication success, else you will not see the event ID 4624 in the Security Log of your Web servers.
You will find the Group Policy at ‘Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy > [Audit logon events], make sure this is set to ‘Success’.
(Thanks to Alvar Kresh for sharing this important note)

Verify that the Web Server Authenticates the user using Kerberos using the following:

5.9 On the SharePoint Web Server, in Administrative Tools, open up Event Viewer.

5.10 Expand the ‘Windows Logs’ container and locate the ‘Security’ Log.

5.11 In the Security log, locate a recent event with the ID of 4624. This event should be a successfull logon, and hold the security ID and accountname of the user that accessed the SharePoint Web Application using Internet Explorer on the client, and it should also state:

Logon process: Kerberos

Authentication Package: Kerberos.

If you can verify that you do have this event, then you are done, Kerberos works!

You are now done with step 5. Verification of functionality, there are no more steps from here…

This means that if you have successfully completed all steps in this guide, you have managed to configure Kerberos for SharePoint 2013.

If Kerberos authentication fail with an error, then you may experience that authentication does not fall back to NTLM at all. It simply fails. There are a few reasons why this can happen and you may want to keep this in mind just in case.

Related links:
Problems with Kerberos authentication when a user belongs to many groups
http://support.microsoft.com/kb/327825
“HTTP 400 – Bad Request (Request Header too long)” error in Internet Information Services (IIS)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;2020943
Users who are members of more than 1,015 groups may fail logon authentication
http://support.microsoft.com/kb/328889/
Group Policy may not be applied to users belonging to many groups
http://support.microsoft.com/kb/263693/

CONGRATULATIONS!
Back to main menu

–

Thanks to, for technical and spiritual support!

Hasain Alshakarti – Truesec

Mattias Gutke – Enfo Zipper

Anders Grönlund – Enfo Sweden

Markus Murray – Truesec

Herakles – Unknown

–

References

Plan for Kerberos authentication in SharePoint 2013
http://technet.microsoft.com/en-us/library/ee806870(v=office.15).aspx

Plan authentication in SharePoint 2013
http://technet.microsoft.com/en-us/library/ee794879(v=office.15).aspx

Plan for user authentication methods in SharePoint 2013
http://technet.microsoft.com/en-us/library/cc262350(v=office.15).aspx

Setspn (Windows Server 2008, Windows Server 2008 R2)
http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx

Klist (Windows Server 2008 R2)
http://technet.microsoft.com/en-us/library/hh134826(v=ws.10).aspx

DNS Server Overview (Windows Server 2008)
http://technet.microsoft.com/en-us/library/cc770392(v=ws.10).aspx

Trust for delegation (Windows Server 2003 but this still goes)
http://technet.microsoft.com/en-us/library/cc739764(v=ws.10).aspx

How the Kerberos Version 5 Authentication Protocol Works
http://go.microsoft.com/fwlink/p/?LinkID=196644

Kerberos Explained (old but still good)
http://technet.microsoft.com/en-us/library/bb742516.aspx

Microsoft Kerberos
http://msdn.microsoft.com/en-us/library/aa378747(VS.85).aspx

Multiple Authentication Methods in SharePoint 2010
http://shpt2010.wordpress.com/2011/11/10/multiple-authentication/
(A really good link that explains the inner workings of claims based authentication in SharePoint, valid for 2010 and 2013 alike.)

Kérberos (lat. Cérberus)
http://en.wikipedia.org/wiki/Cerberus

_________________________________________________________

Enjoy!

Regards

Twitter | Technet Profile | LinkedIn