Since SharePoint is such a big platform, it’s only natural to get curious about the other side. Going from development to infra seems like a big step, and most developers I know say they don’t want or need to look at the infrastructure side of SharePoint.
I disagree. As a developer it’s increasingly important to know at least the basics of the infra side. With the App model it’s becoming clear that coding alone isn’t sufficient to fully understand the platform.
Here’s something I’ve seen at many clients that almost nobody fixes — even though the solution is straightforward.
Issue: Central Admin Only Accessible from the App Server
The administrator can access Central Admin from the App server, but not from any other server (like the WFE). A credentials window pops up 3 times and then nothing loads.
Let’s investigate before jumping to solutions.
Debugging with Fiddler
Fiddler is your best friend here. I needed to understand what was happening with those authentication prompts and why no page was shown.
Navigating to the CA address in IE with Fiddler capturing showed that IE never got past the credential prompts. In Firefox, however, CA loaded after entering credentials.
Looking at the Fiddler captures, the key difference was visible in the headers:
- IE was sending: Authorization: Negotiate
- Firefox was sending: Authorization: NTLM
Root Cause
Checking the authentication provider on the CA web application revealed it was set to Negotiate (Kerberos).
The problem: the WFE server wasn’t configured with the proper SPN for Kerberos, so the Negotiate handshake failed silently in IE (which faithfully tried Kerberos first). Firefox, not attempting Kerberos, fell back to NTLM and connected fine.
Fix
Changing the CA web application authentication provider from Negotiate to NTLM made it possible to log in from the WFE immediately.
Edit (09/04/2014): A colleague (Koen Vosters, MSC) pointed out an important nuance:
- The strange part is that it’s supposed to be Negotiate — meaning if Kerberos fails, IE should fall back to NTLM automatically.
- The correct fix would be to define SPNs for Kerberos properly, rather than downgrading to NTLM.
So while switching to NTLM fixes the symptom, the real issue is an incorrectly configured Kerberos setup. Fix the SPN and you can keep Negotiate.
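To see which provider CA is using and whether the HTTP SPNs Kerberos needs are actually registered before downgrading anything, here is an added PowerShell example that is not part of the original post; the host name and account it reports come from your own farm, and the SharePoint cmdlets and setspn it calls are the standard ones.

```powershell
# Added example, not from the original post. Run in a SharePoint
# Management Shell (or any PowerShell with the snap-in) as a farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The Central Administration web application is the one flagged as such.
$caWebApp = Get-SPWebApplication -IncludeCentralAdministration |
            Where-Object { $_.IsAdministrationWebApplication }

# 1. Which provider is CA using on the Default zone?
#    DisableKerberos = $true  -> plain NTLM
#    DisableKerberos = $false -> Negotiate (Kerberos, NTLM fallback)
$iis     = $caWebApp.GetIisSettingsWithFallback("Default")
$account = $caWebApp.ApplicationPool.Username
$mode    = if ($iis.DisableKerberos) { "NTLM" } else { "Negotiate (Kerberos)" }
"Central Admin URL : $($caWebApp.Url)"
"App pool account  : $account"
"Provider          : $mode"

# 2. Kerberos needs an HTTP/<host> SPN, bound to the app-pool account,
#    for the host name clients put in the URL. Query it; setspn prints
#    the owning account, or 'No such SPN found' when it is missing.
$caHost = ([Uri]$caWebApp.Url).Host
"--- setspn -Q HTTP/$caHost"
setspn -Q "HTTP/$caHost"

# 3. Everything currently registered on the app-pool account, so a
#    missing or duplicated HTTP SPN stands out.
"--- setspn -L $account"
setspn -L $account

# 4. Only if the SPN is missing: register it on the app-pool account.
#    -S refuses to create a duplicate, and duplicates break Kerberos too.
#    After that CA can stay on Negotiate instead of being downgraded.
# setspn -S "HTTP/$caHost" $account
# $iis.DisableKerberos = $false; $caWebApp.Update()
```

If the CA URL is reachable under both a short name and an FQDN, query and register the SPN for each form clients actually use.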
Hope this helps someone — no more walking to the App server just to access CA 😊