Authentication settings issue for SharePoint 2013 Mysite

Question

Hi Everyone,

We are in the process of exposing our on premise SharePoint sites via M365/AAP.

During some initial testing we discovered an issue with accessing the Mysite web app where it was being blocked via AAP for authentication.

I discovered that the Mysite web app was actually set to IWA > NTLM, whereas the other web apps are set to IWA > Negotiate (Kerberos).

1. Would there be any reason why the people that provisioned the farm chose to set it this way?
2. Is there any harm in changing it to Kerberos?

If it was modified, I am assuming that there would be an outage whilst the farm reconfigured itself and may also require some IIS restarts etc

Please advise.

Thanks

Answer 1

@Dean-1015 ,

1. Both NTLM and the Kerberos protocol are Integrated Windows authentication methods, which let users seamlessly authenticate without prompts for credentials.
   NTLM is the simplest form of Windows authentication to implement and typically requires no additional configuration of authentication infrastructure.
   The Kerberos protocol requires additional configuration of the environment.
   To enable your SharePoint Web Applications to use Kerberos requites two steps: Setting the SPN (Service Principal Name) on a Domain User account(Service account running Application Pool of the Web application) and enabling Kerberos on the Web Application.
2. Per my research, there is no harm in changing NTLM to Kerberos, make sure that kerberos is successfully configured for the web application, otherwise you will not be able to access the site.

---

If an Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.