SharePoint Performance Tuning – Part 2

In the previous part of the SharePoint Performance Tuning series we configured file-based caching for the Web Front-End SharePoint server. Now, we still stay with the Front-End

Enabling Kerberos Authentication

If your sites are serving numerous requests at a time, and you are experiencing slow page loads, you should consider switching the site-level authentication from NTLM to Kerberos. Whilst NTLM is good for small or medium-sized sites, Kerberos is useful when your environment has a high workload and needs to process a large number of requests. Using NTLM, authentication requests aren’t cached and they need to go to the domain controller every time a request is made to an object, which is a performance drag. With Kerberos authentication, requests can be cached, so the process won’t have to communicate with the domain controller to retrieve the object from the site. This can dramatically improve SharePoint performance.

To enable Kerberos authentication for your web application, we’ll have to specify the application pool identity and then create a new SPN using the setspn.exe tool.

Go to the IIS Manager on the web server, and select the website where you want to enable Kerberos authentication (1), using the left pane. Then open the Authentication icon, select Windows Authentication (2) (which should be enabled) and click on Advanced Settings (3). You need to make sure that the “Enable Kernel-mode authentication” option is checked (4). Checking this option will perform an IIS Reset before resuming.


Enabling Kernel Mode Authentication in IIS Manager

Next, we need to run appcmd and set the useAppPoolCredentials attribute to true for our web application (SharePoint – 80). You need to run the cmd console as administrator if your server has User Account Control enabled. The appcmd tool can be found in the C:\Windows\System32\inetsrv folder.

Now, execute a command:

appcmd set config "SharePoint - 80" /section:windowsAuthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST


CMD console with appcmd command

Now we need to check if the application host configuration is properly configured in order to continue with Kerberos authentication setup. Open C:\Windows\System32\inetsrv\config\applicationHost.config and check if our application (SharePoint – 80) has the proper attributes set in the system.webServer section.

My entire SharePoint – 80 entry in the applicationHost.config file is below:

<location path="SharePoint - 80">
  <system.webServer>
    <handlers accessPolicy="Read, Execute, Script" />
    <security>
      <authentication>
        <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
          <extendedProtection tokenChecking="None" />
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
        <digestAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
      </authentication>
    </security>
    <urlCompression doStaticCompression="true" doDynamicCompression="true" />
    <httpErrors existingResponse="PassThrough" />
    <httpProtocol>
      <customHeaders>
        <clear />
        <add value="ASP.NET" />
        <add name="MicrosoftSharePointTeamServices" value="" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</location>

Please note that the useKernelMode and useAppPoolCredentials attributes above are the attributes we’ve just set, and they are required for Kerberos authentication to work properly.

Now run the iisreset /noforce command to reload the changes on the web server. We have only one step left in the backend configuration of Kerberos: we need to set the SPN, which is required to map the service and host name to our custom application pool account.

On the Web Front-End server, open a command prompt with administrative privileges and execute the command:

setspn -A HTTP/SiteURL domain\application_pool_account

It is very important to type in the correct host name from the application URL, in the form HTTP/hostname rather than the full http:// address, and the domain account that is the identity of the application pool of the site. If you are unsure what the application pool identity is, go to IIS Manager, select the Application Pools section in the left pane, and read the account that is running your application pool (SharePoint – 80 in this example).


Application Pools view in IIS Manager

As you can see in our example, the SharePoint – 80 application pool is using the account chaos\spsadmin, so the command in my environment will be:

setspn -A HTTP/sps2010 chaos\spsadmin

Now, we should enable trust for delegation for this account. To do this, go to the Domain Controller and launch the Active Directory Users and Computers console, then locate the account (in our example it is the chaos\spsadmin account). In the properties of the account, select the Delegation tab and then select the “Trust this user for delegation to any service (Kerberos Only)” option.

Note that you won’t see the Delegation tab if you have missed a step or made a mistake during the configuration using the setspn command for the application pool identity.

Now the last Kerberos step – we need to enable Kerberos on the Web Application itself. To do this, launch Central Administration, select Application Management – Manage Web Applications, and mark our web application (SharePoint – 80). You should now see in the ribbon the Authentication Providers icon – click on it.


Central Administration – Authentication Providers icon in the ribbon

Select the correct zone for your web application where we’ll be enabling Kerberos authentication (by default it is Default zone) and in the IIS Authentication settings change the radio button from NTLM to Negotiate (Kerberos).


Authentication for the application changed from NTLM to Kerberos

We’ve spent quite some time configuring Kerberos, but believe me – it is worth the time consumed, especially in larger environments, where you’ll probably need to tweak performance ratings in the first place.
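To confirm that the steps above actually took effect, the following check reads a site's entry from applicationHost.config and validates the SPN string before it is registered. It is an added example, not part of the original article: the helper names Test-KerberosSiteConfig and Test-HttpSpn are hypothetical, the sample XML is constructed from the entry shown earlier, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample: the windowsAuthentication part of the entry shown in the article.
$sample = [xml]@'
<configuration>
  <location path="SharePoint - 80">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
            <providers>
              <clear />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Test-KerberosSiteConfig {   # hypothetical helper name
    param([xml]$Config, [string]$Site)
    $loc = @($Config.configuration.location) | Where-Object { $_.GetAttribute('path') -eq $Site }
    if (-not $loc) { throw "No <location> entry for '$Site'" }
    $wa = $loc.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
    if (-not $wa) { throw "No windowsAuthentication element for '$Site'" }
    $providers = @($wa.SelectNodes('providers/add') | ForEach-Object { $_.GetAttribute('value') })
    [pscustomobject]@{
        Site                  = $Site
        WindowsAuthEnabled    = $wa.GetAttribute('enabled') -eq 'true'
        KernelMode            = $wa.GetAttribute('useKernelMode') -eq 'true'
        UseAppPoolCredentials = $wa.GetAttribute('useAppPoolCredentials') -eq 'true'
        Providers             = $providers -join ', '
        # Without the Negotiate provider IIS never offers Kerberos, only NTLM.
        NegotiateOffered      = $providers -contains 'Negotiate'
    }
}

function Test-HttpSpn {              # hypothetical helper name
    param([string]$Spn)
    # An SPN is serviceclass/host[:port]; a pasted URL such as http://host does not match.
    $Spn -match '^HTTP/[A-Za-z0-9.-]+(:\d+)?$'
}

Test-KerberosSiteConfig -Config $sample -Site 'SharePoint - 80' | Format-List
'HTTP/sps2010', 'http://sps2010' | ForEach-Object { '{0,-16} valid SPN: {1}' -f $_, (Test-HttpSpn $_) }

# Against the live file (run elevated on the web front-end):
# $live = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
# Test-KerberosSiteConfig -Config $live -Site 'SharePoint - 80'
```

With the sample entry, NegotiateOffered is False because only NTLM is listed; run it again against the live file after switching the web application to Negotiate (Kerberos) in Central Administration. Running setspn -X on a domain-joined machine additionally reports duplicate SPNs, which make Kerberos fail and fall back to NTLM.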

Application Pool Recycling

There’s not so much to configure, but a lot to explain in this section. It is very important to tweak the application pool recycling to suit your farm infrastructure and server architecture. It is best to recycle the pools at night, when your sites have the lowest user traffic. If you have multiple load-balanced servers, it’s strongly recommended to turn off the recycling server in the Load Balancer, or you’ll experience poor performance during the process. Since SharePoint Server 2010, which requires a 64-bit environment, you can forget about maximum memory based limits since this is managed by the IIS Server itself.


Application Pool recycling settings

Checked Out Pages

If your sites are using Enterprise Content Management and Check-In/Check-Out functionality, you should never leave pages checked out, because this visibly decreases the page rendering performance for users. Instead, check them in as quickly as possible to avoid slower performance.

Now we have looked at most of the front-end SharePoint performance settings. In Part 3 we will look at some of the back-end performance tuning.

