Well since SharePoint is such a big platform It is only natural that we display some curiosity to the other. Going from development to infra seems a big step and most people are reluctant to even look at the infra side of SharePoint. Most developers I know say that they don”t want and need to look at this side of SharePoint. Well here I believe they are wrong, as a developer it is more and more important that we know about the infra side of things. Not that we need to fully understand this side, but at least we have to¬† know the basics. With the app model It is becoming more clear that only coding isn”t sufficient to understand the platform.

Since I am doing more and more infra here a few things I have seen a lot and almost nobody that fixes them, while it is such an easy solution.

First Issue: Central admin is only accessible from the APP server and not from the WFE.

I see at many clients the same issue coming back every time. The administrator can access the central admin from the app server, but not from any other server. A credentials window comes up 3 times and doesn”t show anything.

But before I just tell you the solution.. Let”s do some investigation first..

Fiddler is your best friend in this.. I needed to know what happened with those authentication windows and why no page was shown.

So fired up my servers and using fiddler and IE to navigate to my CA address and see what”s happening.



At this point it was clear that this wouldn”t work what so ever, going to test with another browser (Firefox in this case). And surprise , Firefox came with a credential question, filled in all the data and CA was loaded. Strange



As you can see, the authorization headers and authentication headers are different with IE and Firefox. The first one goes for ‘Negotiated’ and Firefox uses ‘NTML’.

Ok going to check the authentication provider on the CA web application…



And just as I expected it was set to negotiate. Changed this to NTML and low and behold I could log in via the Web front end server to the CA.


Hope it helps for someone and that they don”t keep going to the App server just to be able to log on to the CA.

Edit 09/04/2014

Some time ago a buddy of mine (Koen Vosters, MSC) read this blog and noted a small issue with it.

1. The strange part is that it supposed to be negotiated, so meaning if Kerberos is not working, IE should fall back to the NTML way.

2. I should have defined SPN if I am using Kerberos.