Kerberos … the easy way!
Image © Wikimedia CC
Please visit our Gold Sponsor stands,
we couldn't do it without you…
• MCTS in SQL Server and SharePoint
• Over a decade of Microsoft solution development and architecture
• Lately focused on SQL Server 2012 BI in SharePoint Integrated Mode
• I like dogs, especially big ones
• Focus on SharePoint + SQL Server
• Why Kerberos
• Service Principal Names
• Delegation options
• Claims & Kerberos
• Testing & Troubleshooting
• Live Demo!
• More secure, less DC load, interoperability...
• Enables Delegation!
  ◦ Unified security at data source level
  ◦ Data-driven security
  ◦ Personalised reports
[Diagram: NTLM or Kerberos to the SP Farm or DB server; Kerberos delegation from the SP Farm to the Data Source]
[Diagram: the double hop. 1st “hop”, client to SP Farm: any protocol (NTLM or Kerberos). 2nd “hop”, SP Farm to Data Source: Kerberos only! The farm impersonates the user.]
Identify your data sources
• Service Principal Names
Decide on your delegation
• Constrained or not?
Set delegation type
Allow data sources to be delegated to
Easy, right?
• Service Principal Name
  ◦ What (Service) and
  ◦ Where (Computer or “Principal”) to connect to
• Identifies the target
  ◦ Not the delegating service
  ◦ Certainly not the client
  ◦ The Data Source Service!
• Service Principal Name format
  <service class>/<NetBIOS>[:<port or instance>]
  and/or
  <service class>/<FQDN>[:<port or instance>]
• Registering it: setspn.exe -S <SPN> <AccountName>
• Service identity (the account the SPN is stored against):
  ◦ Service account as <domain\username>, or
  ◦ Host account (host identity) if the service runs as Local System
Example: database service
• NetBIOS: BI-SQL; FQDN: BI-SQL.HADES.LOCAL; Port: 49753
• Domain: HADES; database service account identity: SQL-DB
SETSPN -S MSSQLSVC/BI-SQL:49753 HADES\SQL-DB
(MSSQLSVC = database service class; BI-SQL = host server, OR its FQDN BI-SQL.HADES.LOCAL; 49753 = port; HADES\SQL-DB = database service account identity)
Example: Analysis Services
• NetBIOS: BI-SQL; FQDN: BI-SQL.HADES.LOCAL; Instance: UDM
• Domain: HADES; SSAS service account identity: SQL-SSAS
SETSPN -S MSOLAPSVC.3/BI-SQL:UDM HADES\SQL-SSAS
(MSOLAPSVC.3 = Analysis Services service class; BI-SQL = host server, OR its FQDN BI-SQL.HADES.LOCAL; UDM = instance name; HADES\SQL-SSAS = SSAS service account identity)
Example: SharePoint web front end (IIS)
• IIS server / SharePoint WFE host: SP-WFE; DNS “A” record: OLYMPUS, OR its FQDN OLYMPUS.HADES.LOCAL; Port: 80 (default, so not specified)
• Domain: HADES; SharePoint Portal application pool identity: SP-PORTAL
SETSPN -S HTTP/OLYMPUS HADES\SP-PORTAL
Example: arbitrary (dummy) SPN on the delegating account
• Domain: HADES; delegating account: SP-XLS-SVC
• DUMMYSPN: an arbitrary string naming a non-existing service
SETSPN -S DUMMYSPN HADES\SP-XLS-SVC
• Now I can see the Delegation tab!
• Identifies the target
• Stored against the target’s identity
• Instance name for Analysis Services
• Arbitrary SPN to show the Delegation tab
• Don’t forget discovery services for SQL 2005
• Basic (unconstrained)
  ◦ To any service
• Constrained
  ◦ Only if allowed
[Diagram: SSRS]
• Basic
  ◦ Delegates to any service
  ◦ Cross-domain delegation
  ◦ No protocol transition
  ◦ Can precede constrained
• Constrained
  ◦ Any service can use it
  ◦ Most require it
  ◦ More secure
  ◦ Only delegates if allowed!
  ◦ Only within a domain
[Diagram: constrained delegation. Client (NTLM) to SharePoint Farm, then Kerberos to Data Source. Domains: MSFT.com, pintoso.MSFT.com, contoso.MSFT.com. No trust is OK! Constrained delegation works!]
[Diagram: basic delegation. Client (NTLM or basic Kerberos) to SharePoint Farm, then basic Kerberos to Data Source. Domains: MSFT.com, pintoso.MSFT.com, contoso.MSFT.com. Must have a two-way trust.]
• Use Basic for
  ◦ SSRS (SQL Reporting Services) to connect to another domain
  ◦ When security is not critical
• Use Constrained for
  ◦ Any other case!
[Diagram: NTLM or Kerberos to SP Farm (Delegating Account), then to Data Source (SPN Account)]
• Add a dummy SPN to the delegating account to bring up the Delegation tab in ADUC:
  ◦ Allows trust for constrained delegation
  ◦ Enables protocol transition for SharePoint
• Select allowed SPNs:
  ◦ Use the ADUC Delegation tab
  ◦ Locate the SPN’s account (the target service account)
  ◦ Click to select the SPNs to add
[Screenshot: SPN’s account]
• ADSIEdit (easier):
  ◦ Same string as in the SETSPN statement
• PowerShell:
  ◦ Not for wimps
  ◦ Active Directory Module: Set-ADObject, Get-ADObject, Set-KCD
• CMD (document):
  ◦ ldifde
Set your SPNs (inc. dummy and Browser 2005)
• Use “KerberosHelper.xslx” from www.data-united.co.uk
Decide: Basic or Constrained?
Set delegation type
Add allowed SPNs (for constrained)
Test that it works, sit back and relax!
Let me know if it doesn't work
www.data-united.co.uk
• Claims to Windows Token Service (C2WTS)
  ◦ SharePoint protocol transition
[Diagram: NTLM or Kerberos to SharePoint Web Frontend; STS issues claims; SharePoint Application Server asks C2WTS to turn the UPN claim into a Windows token; Kerberos delegation to the Data Source!]
• Starts automatically
• Depends on the Cryptographic Service
  ◦ sc config c2wts depend= CryptSvc
• Service identity is trusted for delegation
  ◦ Local System by default (and should stay that way)
  ◦ If changed to a Windows identity, it must be a local admin
• Claims-aware services are allowedCallers
  ◦ c2wtshost.exe.config
• Use Rodney Viana's little tool c2WTSTest.exe
• “NT Authority/Anonymous” is no more!
• Profiler shows your login
• Test every service against every data source
[Screenshot: SSRS]
• 15 character limit on Windows NetBIOS
• Open port 88 on the firewall
• SPN for SQL 2005 browser/discovery services
• Sensitive client account
• Enable Kerberos logging (don’t forget about it!)
• Registry hack: http://support.microsoft.com/kb/262177
• Check Kerberos errors in the Event log on the SP App server and the client
• ULS log (SP App server with Verbose)
• Use Event log, Kerbtray and Kerberos helper tools to check for common errors
• Use klist -purge to re-test Kerberos
• Use dcdiag to check SPNs
Sponsor Competition draws in the Exhibition Hall, 17:15
After…
Community Events
SQL Saturday Edinburgh, 7/8 June: www.sqlsaturday.com/202/
SQL Relay, 17/27 June: www.sqlrelay.co.uk
SQL Saturday Dublin, 21/22 June: www.sqlsaturday.com/229/
SQL Saturday Cambridge, 27 September: www.sqlsaturday.com/228/
UK User Groups, all the time: www.sqlserverfaq.com
• Please complete feedback
  ◦ http://sqlbits.com/SQLBitsXIThursday
  ◦ http://sqlbits.com/SQLBitsXIFriday
  ◦ http://sqlbits.com/SQLBitsXISaturday
  ◦ http://sqlbits.com/SQLBitsXI (General feedback)
We hope you had a great conference day!
Keep checking www.sqlbits.com for slides, videos and news of the next conference
#SQLBITS
• Kerberos: authentication protocol
• Principal: a computer in the Kerberos protocol, usually the target
• UPN: User Principal Name
• FQDN: Fully Qualified Domain Name
• WCF: Windows Communication Foundation (.NET)
• C2WTS: WCF service granting a Windows token for a UPN claim
• How the Kerberos Version 5 Authentication Protocol Works
  http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
• Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
  http://technet.microsoft.com/en-us/library/gg502594.aspx
• Kerberos Guide for SharePoint 2013
  http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
• Kerberos Blog and Resources
  www.data-united.co.uk
• Kerberos using PowerShell
  http://blog.msresource.net/2012/07/12/fim-service-principal-names-and-kerberos-delegation/
• Troubleshooting C2WTS by Rodney Viana
  http://blogs.msdn.com/b/rodneyviana/archive/2011/07/19/troubleshooting-claims-to-windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-don-t-know-where-to-start.aspx
• Kerberos Professional Services
  www.data-united.co.uk
• Command Prompt
  ◦ List all Kerberos tickets on the principal (a ticket must be present for the URL, otherwise NTLM is used):
    klist
  ◦ Purge Kerberos tickets (run on all principals to avoid a reboot/wait):
    klist -purge
  ◦ List the msDS-AllowedToDelegateTo property for a single account (only computers with ):
    ldifde -f c:\temp\filename.txt -d "CN=SA_SVC_C2WTS,OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
  ◦ List the msDS-AllowedToDelegateTo property for all accounts in an OU:
    ldifde -f c:\temp\filename.txt -d "OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
Editor's Notes

  1. Enables control of Windows security at the data source level, once for all data consumers across the various reporting technologies. Having security governed at the data source level allows fine-grained permissions: down to object level in the database and to cell level in the cube. Allows seamless personalisation without compromising security. Easier development of personalised reports: you know exactly who the user is at the data source level.
  2. So when do we need Kerberos delegation... This diagram shows a classic double hop situation. Client authenticates to a SharePoint farm server and then accesses a document with an external data source connection. On refresh SharePoint attempts to connect to the external data source. Since the data source is not local to the farm, SharePoint must use some
  3. Install all the software with Active Directory service accounts. Set SPNs, including arbitrary SPNs for services requiring delegation to be configured (e.g. Excel Service). Don’t forget to add SPNs for the SQL Browser Discovery Service when you establish a connection to a named instance of SQL Server 2005 Analysis Services or Database Services, http://support.microsoft.com/kb/950599 (service classes MSOLAPDisco and MSSQLBrowser). Configure constrained delegation for the SP service: use the ADUC (dsa.msc) Delegation tab of the service identity to configure the delegation type and add the SPNs to delegate to for constrained delegation on 2008 functional level domains. For pre-2008 domains use ADSIEdit to add the target SPNs to the msDS-AllowedToDelegateTo attribute of the service identity. Use PowerShell in large-scale configurations or development environments.
  4. Service Principal Name: helps Kerberos find the Service and the computer (Principal). Two SPNs can be recorded for the same service: one is mandatory, two is optional. The first (NetBIOS) resolves connections from within the same domain; the other (computer FQDN) serves clients from across domains. “Fake” or arbitrary SPNs are set up for non-existing services/accounts just to be able to display the Delegation tab for an account in Active Directory Users and Computers account properties. Only one SPN (NetBIOS) is required within a domain; the computer FQDN is needed for cross-domain Kerberos.
  5. Service class is a string that identifies the general class of service; for example, "SqlServer". There are well-known service class names, such as "www" for a Web service or "ldap" for a directory service. In general, this can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name. This string is not processed during authentication; it is purely informational (it identifies what type of service it is). Computer name is the NetBIOS name of the computer that runs the service, or the A-name of the DNS entry for an HTTP connection. The port must be specified if it is not the default; e.g. you do not need to specify the port for HTTP connections on port 80 or for connections to default instances of SQL Server on port 1433. For Analysis Services the instance name MUST BE USED instead of the port number! This works well with dynamic port allocation. Mind the 15 character limit on Microsoft NetBIOS! Remember, it is all about the target!
  6. Environment: FQDN contoso.msft.com; service name MSSQLSVC; SQL Server service account SQLSVR-SVC; SQL Server host A-name (or cluster resource group name in the case of a clustered instance) SQLSVR; SQL Server instance port (only needed if not running on default port 1433) 64352.
     Mandatory: SETSPN -S MSSQLSVC/SQLSVR:64352 contoso\SA_BI_SQLSVR
     Additional, for cross-domain authentication: SETSPN -S MSSQLSVC/P_BI_SQLSVR.contoso.msft.com:64352 contoso\SA_BI_SQLSVR
  7. Environment: FQDN contoso.msft.com; service name MSOLAPSvc.3; SQL Server service account SA_BI_SQLUDM; SQL Server host A-name (or cluster resource group name in the case of a clustered instance) P_BI_SQLAS_UDM; SQL Server instance name (only needed if not running on default port 2383) UDM.
     Mandatory: SETSPN -S MSOLAPSvc.3/P_BI_SQLASUDM:UDM contoso\SA_BI_SQLSVR
     Additional, for cross-domain authentication: SETSPN -S MSOLAPSvc.3/P_BI_SQLASUDM.contoso.msft.com:UDM contoso\SA_BI_SQLSVR
     If you are using a named instance of Analysis Services, note that you cannot specify a port after the colon. If you do, it is interpreted as part of the host name or domain name. Instead, you must use the actual instance name for all functionality to work correctly.
     Discovery Service: an SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of the SQL Server 2005 database, http://support.microsoft.com/kb/950599, e.g. MSOLAPDisco.3/serverHostName
  8. Purpose: Kerberos authentication to the SharePoint web front end (WFE). This is not necessary for the success of the delegation, but it is best practice from a security perspective.
     Environment: FQDN contoso.msft.com; service name http; IIS application pool identity SA_BI_SP_APP; DNS forward lookup zone A-name CONTOSOBI.
     Mandatory: SETSPN -S http/CONTOSOBI contoso\SA_BI_SP_APP
     Additional, for cross-domain authentication: SETSPN -S http/CONTOSOBI.contoso.msft.com contoso\SA_BI_SP_APP
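Added example (PowerShell, not from the deck or its author): it builds the NetBIOS and FQDN SPN strings in the format the deck gives for the HADES.LOCAL examples, refuses host names over the 15-character NetBIOS limit and SPNs already held by another account, and registers the rest against the target service identity, which is what the SETSPN -S lines above do by hand. It assumes the ActiveDirectory RSAT module; the function names and the HADES NetBIOS domain parameter are the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the deck. Builds SPNs in the deck's format
#   <service class>/<NetBIOS>[:<port or instance>]   (mandatory, same-domain clients)
#   <service class>/<FQDN>[:<port or instance>]      (additional, cross-domain clients)
# and registers them against the TARGET service identity (never the client, never the
# delegating service). Host, account and domain names are the deck's own examples.

function New-KerberosSpnSet {
    param(
        [Parameter(Mandatory)] [string] $ServiceClass,   # MSSQLSVC, MSOLAPSvc.3, HTTP ...
        [Parameter(Mandatory)] [string] $HostName,       # NetBIOS name, or the DNS "A" record for HTTP
        [Parameter(Mandatory)] [string] $DnsDomain,      # e.g. HADES.LOCAL
        [string] $PortOrInstance                          # leave empty for default ports (80, 1433, 2383)
    )
    # SPN syntax uses '/' as the separator, so it may not appear in the service class.
    if ($ServiceClass.Contains('/')) { throw "Service class '$ServiceClass' must not contain '/'" }
    # Deck gotcha: Windows NetBIOS names are limited to 15 characters; a longer name never matches.
    if ($HostName.Length -gt 15) { throw "Host '$HostName' exceeds the 15-character NetBIOS limit" }
    $suffix = if ($PortOrInstance) { ":$PortOrInstance" } else { '' }
    [pscustomobject]@{
        NetBios = "$ServiceClass/$HostName$suffix"
        Fqdn    = "$ServiceClass/$HostName.$DnsDomain$suffix"
    }
}

function Get-SpnHolder {
    # Returns the AD object(s) that already carry the SPN. The same SPN on two accounts
    # breaks Kerberos for that service, so this is checked before registering.
    param([Parameter(Mandatory)] [string] $Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName, sAMAccountName
}

function Register-TargetSpn {
    param(
        [Parameter(Mandatory)] [string]   $TargetAccount,   # sAMAccountName of the SERVICE identity, e.g. SQL-DB
        [Parameter(Mandatory)] [string[]] $Spn,
        [string] $NetbiosDomain = 'HADES',                   # only used to print the setspn equivalent
        [switch] $Commit                                     # without -Commit: print the setspn commands only
    )
    foreach ($s in $Spn) {
        $holder = @(Get-SpnHolder -Spn $s)
        if ($holder.Count -gt 0 -and $holder.sAMAccountName -notcontains $TargetAccount) {
            Write-Warning "$s is already registered on $($holder.Name -join ', '); not adding a duplicate"
            continue
        }
        if ($Commit) {
            # Same effect as: setspn.exe -S <SPN> <AccountName>  (-S also refuses duplicates)
            Set-ADUser -Identity $TargetAccount -Add @{ servicePrincipalName = $s }
        } else {
            "setspn -S $s $NetbiosDomain\$TargetAccount"
        }
    }
}

# Database service on a non-default (dynamic) port: the port is required.
$db   = New-KerberosSpnSet -ServiceClass MSSQLSVC    -HostName BI-SQL  -DnsDomain HADES.LOCAL -PortOrInstance 49753
# Named Analysis Services instance: the instance name, never a port, goes after the colon.
$ssas = New-KerberosSpnSet -ServiceClass MSOLAPSvc.3 -HostName BI-SQL  -DnsDomain HADES.LOCAL -PortOrInstance UDM
# SharePoint WFE reached via DNS "A" record OLYMPUS on port 80: default port, so omitted.
$web  = New-KerberosSpnSet -ServiceClass HTTP        -HostName OLYMPUS -DnsDomain HADES.LOCAL

Register-TargetSpn -TargetAccount SQL-DB    -Spn $db.NetBios,   $db.Fqdn
Register-TargetSpn -TargetAccount SQL-SSAS  -Spn $ssas.NetBios, $ssas.Fqdn
Register-TargetSpn -TargetAccount SP-PORTAL -Spn $web.NetBios,  $web.Fqdn
# Arbitrary SPN on the DELEGATING account, only to expose the Delegation tab in ADUC.
Register-TargetSpn -TargetAccount SP-XLS-SVC -Spn DUMMYSPN
```

Run without -Commit first to review the setspn equivalents, then repeat with -Commit.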
  9. Identifies the target, the service to connect to. Registered against the identity of that service, as the servicePrincipalName attribute of the account in AD. Use the instance name instead of the port number for named instances of Analysis Services. Set up arbitrary SPNs to bring up the Delegation tab to configure the delegating service account.
  10. Basic (unconstrained): only some services can use it (e.g. SSRS). Delegation is not restricted (no need to specify a set of SPNs for the delegating service). Allows cross-domain Kerberos authentication for some services (e.g. Reporting Services). Constrained: any SharePoint service app can use it and some require it (Excel, PerformancePoint, etc.)! More secure (delegation is restricted). Cannot be followed by basic in protocol transition.
  14. Use “Active Directory Users and Computers” to set “Trust for delegation to specified services only” with “Any authentication protocol” to allow protocol transition. This must be configured for the service account used for the IIS application pool of the delegating service. If it is running as Local System, the computer name must be used instead.
  15. There are two things I personally find confusing about these. First of all, you need to look up SPNs using the service account you have registered SPNs for, not the host where the service is running. Secondly, once you have located your SPNs using the service account in Add Services dialogue box, you need to click on the SPNs to select the ones you want to add (or click “Select All”) and only then click Ok. Otherwise it adds nothing.
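Added example (PowerShell, not from the deck or its author): the constrained-delegation step the deck does through the ADUC Delegation tab or ADSIEdit, done with the Active Directory module instead. It checks that each target SPN is actually registered on some account (the lookup-by-service-account gotcha above), adds the missing ones to msDS-AllowedToDelegateTo on the delegating account, turns protocol transition (“Any authentication protocol”) on when asked while keeping unconstrained delegation off, reports the result, and checks that a client account is not flagged “sensitive and cannot be delegated”. Function names are the example's own; it assumes the ActiveDirectory RSAT module, and the client user name in the usage is a constructed placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the deck. Constrained delegation for the DELEGATING account
# (SharePoint service / IIS app pool identity) towards specific data-source SPNs.
# Equivalent to ADUC: "Trust this user for delegation to specified services only" +
# "Use any authentication protocol" (protocol transition, required for the C2WTS path).

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $DelegatingAccount,  # e.g. SP-XLS-SVC
        [Parameter(Mandatory)] [string[]] $TargetSpn,          # exactly the strings registered with setspn
        [switch] $ProtocolTransition                           # "Use any authentication protocol"
    )
    # The SPNs live on the TARGET SERVICE account, not on the host computer. An SPN that is
    # registered nowhere can never be delegated to, so fail early instead of silently.
    foreach ($spn in $TargetSpn) {
        if (-not (Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")) {
            throw "SPN '$spn' is not registered on any account; run setspn -S on the data-source identity first"
        }
    }
    $acct = Get-ADUser -Identity $DelegatingAccount -Properties 'msDS-AllowedToDelegateTo'
    # msDS-AllowedToDelegateTo is the attribute behind the "specified services only" list
    # (the same one ADSIEdit and ldifde show); add only what is missing.
    $missing = @($TargetSpn | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADObject -Identity $acct.DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
    # userAccountControl flags: TRUSTED_FOR_DELEGATION = basic/unconstrained (must stay off here),
    # TRUSTED_TO_AUTH_FOR_DELEGATION = protocol transition ("Any authentication protocol").
    Set-ADAccountControl -Identity $DelegatingAccount -TrustedForDelegation $false `
        -TrustedToAuthForDelegation ([bool]$ProtocolTransition)
}

function Get-DelegationReport {
    # Read back what AD now holds for the delegating account.
    param([Parameter(Mandatory)] [string] $DelegatingAccount)
    $a = Get-ADUser -Identity $DelegatingAccount -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    $allowed = @($a.'msDS-AllowedToDelegateTo')
    $mode = if ($a.TrustedForDelegation) { 'Basic (unconstrained): any service' }
            elseif ($allowed.Count -gt 0)  { 'Constrained: listed services only' }
            else                           { 'No delegation' }
    [pscustomobject]@{
        Account             = $a.SamAccountName
        Mode                = $mode
        ProtocolTransition  = [bool]$a.TrustedToAuthForDelegation
        AllowedToDelegateTo = $allowed
    }
}

function Test-ClientCanBeDelegated {
    # A user flagged "Account is sensitive and cannot be delegated" never gets a forwardable
    # ticket, so the second hop fails for that user alone while everyone else works.
    param([Parameter(Mandatory)] [string] $UserName)
    -not (Get-ADUser -Identity $UserName -Properties AccountNotDelegated).AccountNotDelegated
}

# Deck environment: Excel Services account delegating to the database and SSAS SPNs.
Set-ConstrainedDelegation -DelegatingAccount SP-XLS-SVC -ProtocolTransition `
    -TargetSpn 'MSSQLSVC/BI-SQL:49753', 'MSSQLSVC/BI-SQL.HADES.LOCAL:49753', 'MSOLAPSvc.3/BI-SQL:UDM'
Get-DelegationReport -DelegatingAccount SP-XLS-SVC | Format-List
Test-ClientCanBeDelegated -UserName 'report.user'   # constructed placeholder client account
```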
  17. Initial authentication can be NTLM or Kerberos. Kerberos is preferable, but NTLM can be used by a client in another domain with no trust across domains. The authenticated user is issued a claims token, used to authenticate within SharePoint to all claims-aware services. C2WTS extracts the UPN from that token to issue a Windows token for that user to the service. The SharePoint service, such as Excel Services, then uses that Windows token to delegate the user's credentials to the data source service using the Kerberos protocol.
  18. Kerberos often gets the blame when it is in fact C2WTS that is not working. SSRS 2012 is now claims aware: no need to install the SQL Server SSRS component on the WFE in an n-tier architecture, a huge saving! It is possible to change C2WTS back to Local System if it fails to work with an AD identity, but remember to tell SharePoint first:
     Get-SPServiceInstance | Where {$_.TypeName.StartsWith("Claims")} | ForEach-Object {$_.Service.ProcessIdentity.CurrentIdentityType = 0; $_.Service.ProcessIdentity.Update(); $_.Service.ProcessIdentity.Deploy()}
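Added example (PowerShell, not from the deck and not Rodney Viana's c2WTSTest.exe): a read-only check, run on a SharePoint application server, of the C2WTS prerequisites the deck lists: automatic start, the CryptSvc dependency, the Local System identity, and the allowedCallers list in c2wtshost.exe.config. The config file path and WSS_WPG as the expected caller group are the usual SharePoint defaults and are assumptions, not values from the deck.

```powershell
# Added example, not from the deck. Read-only health check of the Claims to Windows Token
# Service (C2WTS) prerequisites; returns a list of findings (empty = nothing to fix).
# ASSUMPTIONS: default install path of c2wtshost.exe.config and WSS_WPG as the expected caller.
$C2wtsConfigPath = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'

function Test-C2wtsPrerequisites {
    param([string] $ConfigPath = $C2wtsConfigPath, [string] $ExpectedCaller = 'WSS_WPG')
    $findings = New-Object System.Collections.Generic.List[string]

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { return @('C2WTS (service name c2wts) is not installed on this server') }

    # Deck: starts automatically and depends on the Cryptographic Service.
    if ($svc.StartMode -ne 'Auto') { $findings.Add("Start mode is '$($svc.StartMode)', expected Auto") }
    $deps = @((Get-Service -Name c2wts).ServicesDependedOn | ForEach-Object { $_.Name })
    if ($deps -notcontains 'CryptSvc') {
        $findings.Add('Missing dependency on CryptSvc; fix: sc config c2wts depend= CryptSvc')
    }

    # Deck: Local System by default (and should stay that way). A Windows identity instead must be
    # a local admin and trusted for delegation; that part is verified in AD, so only flag it here.
    if ($svc.StartName -ne 'LocalSystem') {
        $findings.Add("Runs as '$($svc.StartName)': verify local Administrators membership and TrustedToAuthForDelegation")
    }

    # Deck: claims-aware services must be listed as allowedCallers in c2wtshost.exe.config.
    if (Test-Path -LiteralPath $ConfigPath) {
        [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
        $callers = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
        if ($callers.Count -eq 0) {
            $findings.Add('allowedCallers is empty: no claims-aware service may call C2WTS')
        } elseif ($callers -notcontains $ExpectedCaller) {
            $findings.Add("allowedCallers = $($callers -join ', '); expected $ExpectedCaller")
        }
    } else {
        $findings.Add("Config file not found at $ConfigPath")
    }
    return $findings
}

$result = @(Test-C2wtsPrerequisites)
if ($result.Count -eq 0) { 'C2WTS prerequisites look good; next: c2WTSTest.exe, then check the login Profiler shows' }
else { $result }
```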
  19. Klist output on the client/app server must have a ticket for the target URL/computer. The data source must see the user account of the user, not “NT Authority/Anonymous”, stored credentials or a service identity: SSAS, SSRS and Secure Store provide alternative means of tackling the double hop.
  20. If the server name exceeds the 15 character limit, configuring Kerberos becomes a real pain. Please consider being less verbose. Please remember to configure Service Principal Names for the SQL Browser Service and/or the Analysis Services discovery service for SQL Server 2005. Make sure the “Account is sensitive and cannot be delegated” option for the user account whose credentials are to be delegated is not checked, otherwise delegation is not possible.
  21. Switch on verbose logging for the SharePoint service and look out for critical and unexpected events. Use klist -purge on all principals to avoid rebooting the servers (helps if you are domain admin and there is only one DC). ANOTHER SLIDE? Diagnostics: dcdiag /s:dc2.fabrikam.com /v /c > dcdiag.txt; dcdiag /test:checksecurityerror. http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx