Kerberos: The Four Letter Word



  1. Kerberos: The Four Letter Word – It’s a real pain in the as
  2. #GMSQL
  3. Intro: Ken Maglio, Microsoft Solution Architect, World Wide Technology, Inc. – @kenmaglio – /in/kenmaglio
  4. Introduction – Today:
     • Walk through the configuration of Kerberos
     • Prep for Business Intelligence (BI) solutions: SharePoint 2010, SSRS Integrated Mode, SQL Server 2012
     • No demos – sorry! (like I want to set up more Kerberos environments – rly?)
  5. Benefits
     Delegation of client credentials
     • Pass that identity to other network services on the client’s behalf
     • NTLM does not allow this delegation – the “double-hop” problem
     • Claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware
     Security
     • AES encryption, mutual authentication, support for data integrity and data privacy
     Potentially better performance
     • Less traffic to the domain controllers compared with NTLM
  6. Assumptions – You know how to:
     • Install SQL Server 2012
     • Work with Windows Server 2008 R2
     • Work with IIS 7
     • Work with SharePoint 2010 (Central Admin mainly)
  7. Kick the Tires – Getting started. Environment:
     • Windows Server 2008 R2 – Active Directory – blah blah blah
     • SharePoint 2010 with two web applications: IntranetPortal and ReportingPortal
     • SQL Server 2012 RDBMS for the SharePoint databases
     • SQL Server 2012 Analysis Services
  8. Active Directory – DNS Records: register a DNS A record for each web application – just don’t use CNAMEs.
  9. Active Directory – Service Accounts: create a service account for each web application’s IIS application pool.
 10. Active Directory – SPN Configuration: register Service Principal Names (SPNs) for the web applications on the service account created for each web application’s IIS application pool.
     Identify the service account used for the web application’s IIS application pool: {Domain Name}\{App Pool Acct}
     Register the SPNs on the service account:
       SetSPN -S HTTP/{Server Host Name} {Domain Name}\{App Pool Acct}
       SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}\{App Pool Acct}
     Example:
       SetSPN -S HTTP/IntranetPortal myDom12\sp10_PortalIntranet
       SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12\sp10_PortalIntranet
       SetSPN -S HTTP/ReportingPortal myDom12\sp10_PortalReporting
       SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12\sp10_PortalReporting
 11. SharePoint Configuration – Configure Managed Accounts: enter the name and password and click OK for both of the accounts.
 12. SharePoint Configuration – Portal Creation
 13. SharePoint Configuration – Portal Creation (continued)
 14. SharePoint Configuration – RSS Test Page Setup: RSS feeds make a good Kerberos test of SharePoint, since SharePoint generally requires authentication to access its information, even when accessing RSS. Add two RSS web parts to the new TestRSS pages in the Reporting and the Intranet portals.
 15. SharePoint Configuration – RSS Test Page Setup: RSS feeds can be enabled from most lists or libraries. Under the List/Library tab there is an RSS Feed button; it launches a new page containing the RSS information. Copy the URL for a page on each site to be used in the next step. Each of the web parts can be edited to change the name and the RSS properties. Results:
 16. SharePoint Configuration – Web Application Configuration – Kerberos On: click on the web application to select it, then from the ribbon click Authentication Providers. Click the Default Zone to set up our authentication. Once done, click Save and close the Authentication Provider window. Repeat for the other web application.
 17. IIS Configuration – IIS Site Authentication: since SharePoint sits on top of IIS, the IIS authentication settings also need to be changed.
 18. IIS Configuration – Kernel-Mode Authentication: kernel-mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server web applications should have kernel-mode authentication disabled on their corresponding IIS web sites. In the right panel click on Advanced Settings… and verify that Enable Kernel-mode authentication is NOT checked.
 19. IIS Configuration – Providers: under Providers, add Negotiate from Available Providers and move it to the top of the Enabled Providers list.
 20. Verify – Checking RSS with Kerberos: once Kerberos is in place in AD, SharePoint, and IIS, a refresh of the RSS page will show the results we expect. One final task is needed to restrict this access: delegation.
 21. Active Directory – Delegation: to configure delegation you can use the Active Directory Users and Computers snap-in. Right-click each service account and open the properties dialog.
     Shortcut? NO!!! It may seem redundant to configure delegation from a service to itself, such as the portal service account delegating to the portal service application, but this is required in scenarios where you have multiple servers running the service. This addresses the scenario where one server may need to delegate to another server running the same service; for instance a WFE processing a request with an RSS viewer which uses the local web application as the data source.
     Note that when you return to the delegation dialog you do not actually see all the SPNs selected. To see all SPNs, check the Expanded check box in the lower left-hand corner. This restriction will allow SharePoint to only delegate its credentials to the other user or computer. Perform these steps for each service account in your environment that requires delegation.
 22. SQL Configuration – Configure DNS: configure DNS for the SQL Server in your environment. In this example we have one SQL Server, dcSQL12.myDom12.local, running on port 1433 at IP The SQL Server database engine is running on the default instance.
 23. SQL Configuration – SPN for SQL: for SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. SPNs for the SQL Server database engine use the following format for configurations that use the default instance rather than a named instance:
       MSSQLSvc/<FQDN>:<port>
     Default instance:
       SetSPN -S MSSQLSVC/{Host Server Name} {Domain Name}\{SqlSvcAcct}
       SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN} {Domain Name}\{SqlSvcAcct}
       SetSPN -S MSSQLSVC/{Host Server Name}:1433 {Domain Name}\{SqlSvcAcct}
       SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:1433 {Domain Name}\{SqlSvcAcct}
     Named instance:
       SetSPN -S MSSQLSVC/{Host Server Name}:{Instance Name} {Domain Name}\{SqlSvcAcct}
       SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:{Instance Name} {Domain Name}\{SqlSvcAcct}
     In our example, we configured the SQL Server SPN on the SQL Server database engine service account (myDom12\SQL12_Engine) with the following SetSPN commands:
       SetSPN -S MSSQLSVC/dcSQL12 myDom12\SQL12_Engine
       SetSPN -S MSSQLSVC/dcSQL12.myDom12.local myDom12\SQL12_Engine
       SetSPN -S MSSQLSVC/dcSQL12:1433 myDom12\SQL12_Engine
       SetSPN -S MSSQLSVC/dcSQL12.myDom12.local:1433 myDom12\SQL12_Engine
 24. SQL Configuration – SQL Server named instances: if you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server Browser service. See the following articles for more information about configuring Kerberos authentication for named instances: “Registering a Service Principal Name” and “An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005”.
 25. Verify – Verify SQL Server Kerberos configuration: reboot the computers that are running SharePoint Server. This restarts all services and forces them to reconnect and re-authenticate using Kerberos authentication. Open SQL Server Management Studio and run the following query from a server other than the SQL Server, since a connection made on the same server would not need Kerberos to authenticate:
       SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
 26. Verify – Verify SQL Server Kerberos configuration: additionally you can get more information. If Kerberos authentication is configured correctly, you see Kerberos in the auth_scheme column of the query results.
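The auth_scheme check above only tells you about the one session that ran it. As an added example (not a slide from the deck), the script below runs the same DMV check from a SharePoint server with the SQL Server 2012 PowerShell module (sqlps) and lists every remote connection on dcSQL12 with its authentication scheme, so any connection that silently fell back to NTLM shows up in one table. The server and domain names are the deck's lab values; sqlps being installed on the machine you run it from is an assumption.

```powershell
# Added example, not from the deck. Run from a server other than dcSQL12, as a
# Windows account that may read the DMVs (VIEW SERVER STATE).
Import-Module sqlps -DisableNameChecking

# Same idea as the slide's query, but over every connection, and joined to the
# session so the client host and login are visible next to the auth scheme.
$query = @"
SELECT c.session_id, c.auth_scheme, c.net_transport, c.client_net_address,
       s.login_name, s.host_name, s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'   -- local shared-memory sessions never use Kerberos
ORDER BY c.auth_scheme, s.host_name;
"@

$rows = Invoke-Sqlcmd -ServerInstance 'dcSQL12.myDom12.local' -Database master -Query $query
$rows | Format-Table -AutoSize

# The connection this script itself opened must be KERBEROS. If it is NTLM the usual
# causes are a missing/duplicate MSSQLSvc SPN or a CNAME in DNS for the SQL host.
$mine = $rows | Where-Object { $_.host_name -eq $env:COMPUTERNAME }
if ($mine | Where-Object { $_.auth_scheme -ne 'KERBEROS' }) {
    Write-Warning "A connection from $env:COMPUTERNAME used NTLM: re-check 'setspn -L myDom12\SQL12_Engine' and the DNS A record."
}

# Quick count per scheme; SQL means a SQL login, which is outside the Kerberos question.
$rows | Group-Object auth_scheme | Select-Object Name, Count
```

Shared-memory connections are excluded because a client on the SQL box itself never needs a ticket, which is why the deck insists on running the check from a different server.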
 27. SQL Configuration – Create a test SQL Server DB and test table: to test delegation across the various SharePoint Server service applications covered in the scenarios, you have to configure a test data source for those services to access. In the final step of this scenario, you configure a test database called "KerbTest" and a test table called "Sales" to be used later. In SQL Server Management Studio, create a new database called "KerbTest", keeping the default settings, then create the table:
       CREATE TABLE [dbo].[Sales](
           [RowID] [int] IDENTITY(1,1) NOT NULL,
           [Region] [nvarchar](10) NOT NULL,
           [Year] [nvarchar](40) NOT NULL,
           [Amount] [money] NOT NULL
       ) ON [PRIMARY]
       GO
     Save the table with the name "Sales" and populate it with data.
 28. Analysis Services Configuration – Setup Analysis Services: just like the standard RDBMS setup, we will need to configure DNS for Analysis Services, and of course install Analysis Services. I’ll spare the additional screenshots and walkthroughs, hoping you know how to install Analysis Services and set up DNS to point to your instance. The first step we’ll need to ensure is done is configuring Active Directory for the SPNs used by the Analysis Services instance.
 29. Analysis Services Configuration – SSAS SPNs: for SQL Server Analysis Services to authenticate clients by using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running Analysis Services. The SPN for a default Analysis Services instance uses the following format:
       MSOLAPSvc.3/{FQDN}
     So for a single Analysis Services data source the format would be:
       SetSPN -S MSOLAPSvc.3/{Server Host Name} {Domain Name}\{SQLSvcAcct}
       SetSPN -S MSOLAPSvc.3/{Server Host Name}.{FQDN} {Domain Name}\{SQLSvcAcct}
     We will configure Analysis Services using the default SQL instance, so the SPN on the Analysis Services service account (myDom12\SQL12_SSAS) will require the following SetSPN commands:
       SetSPN -S MSOLAPSvc.3/dcSQL12 myDom12\SQL12_SSAS
       SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local myDom12\SQL12_SSAS
     To confirm this:
       SetSPN -L myDom12\SQL12_SSAS
 30. Analysis Services Configuration – SSAS Named Instances: if the data source uses a named instance of Analysis Services, you cannot specify a port after the colon. If you do, it is interpreted as part of the host name or domain name. Instead, you must use the actual instance name for all functionality to work correctly:
       MSOLAPSvc.3/{FQDN}:{Instance Name}
     For an Analysis Services named instance (here SSAS), the SPN on the Analysis Services service account for that instance (myDom12\SQL12_SSAS_AnlSvc) will require the following SetSPN commands:
       SetSPN -S MSOLAPSvc.3/dcSQL12:SSAS myDom12\SQL12_SSAS_AnlSvc
       SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local:SSAS myDom12\SQL12_SSAS_AnlSvc
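The web application, SQL Server and Analysis Services SPN slides above all follow the same pattern: each service account needs a short-name and an FQDN SPN (plus port or instance variants), and a duplicate anywhere in the forest breaks Kerberos. As an added example (not a slide from the deck), the script below checks each account against its expected SPN set with setspn -L, adds only what is missing with setspn -S (which refuses duplicates, unlike -A), and finishes with a forest-wide duplicate sweep. Account, host and domain names are the deck's lab values; adjust them for a real environment.

```powershell
# Added example, not from the deck. Run in an elevated prompt as an account that
# may write servicePrincipalName on these service accounts (Domain Admins in a lab).

# Expected SPN set per service account (deck's lab values).
$spnSets = @(
    # Web application pool accounts: HTTP class, short name and FQDN.
    @{ Account = 'myDom12\sp10_PortalIntranet';  Spns = 'HTTP/IntranetPortal',  'HTTP/IntranetPortal.myDom12.local' },
    @{ Account = 'myDom12\sp10_PortalReporting'; Spns = 'HTTP/ReportingPortal', 'HTTP/ReportingPortal.myDom12.local' },
    # Default SQL instance: both name forms, each with and without port 1433.
    @{ Account = 'myDom12\SQL12_Engine'; Spns = 'MSSQLSvc/dcSQL12', 'MSSQLSvc/dcSQL12.myDom12.local',
                                                'MSSQLSvc/dcSQL12:1433', 'MSSQLSvc/dcSQL12.myDom12.local:1433' },
    # Default Analysis Services instance; a named SSAS instance would use host:InstanceName instead of a port.
    @{ Account = 'myDom12\SQL12_SSAS'; Spns = 'MSOLAPSvc.3/dcSQL12', 'MSOLAPSvc.3/dcSQL12.myDom12.local' }
)

function Get-RegisteredSpn {
    # setspn -L prints a header line ("Registered ServicePrincipalNames for CN=...:")
    # followed by one indented SPN per line; keep only the indented lines.
    param([string]$Account)
    $lines = & setspn.exe -L $Account 2>&1
    return @($lines | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() })
}

function Confirm-SpnSet {
    param([string]$Account, [string[]]$Spns, [switch]$Register)
    $have = Get-RegisteredSpn -Account $Account      # -contains below is case-insensitive
    foreach ($spn in $Spns) {
        if ($have -contains $spn) { Write-Host "OK       $Account  $spn"; continue }
        if (-not $Register)       { Write-Warning "MISSING  $Account  $spn"; continue }
        # -S checks the whole forest first and aborts if the SPN already exists on
        # another account; that duplicate is exactly what makes Kerberos fall back to NTLM.
        $out = & setspn.exe -S $spn $Account 2>&1
        if ($LASTEXITCODE -ne 0 -or ($out -join ' ') -match 'Duplicate') {
            Write-Warning "FAILED   $Account  $spn (already registered on another account?)"
        } else {
            Write-Host "ADDED    $Account  $spn"
        }
    }
}

foreach ($set in $spnSets) { Confirm-SpnSet -Account $set.Account -Spns $set.Spns -Register }

# Forest-wide duplicate report; any SPN listed here under two accounts must be
# resolved before the delegation steps later in the deck will work.
& setspn.exe -X
```

Drop the -Register switch on the Confirm-SpnSet call to get a read-only report, which is the form to run before a change window.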
 31. Analysis Services Configuration – Verify SSAS Kerberos configuration: once the SPN is configured, verify the Kerberos connection to the cluster by using Excel 2010. Open Excel 2010 on the client computer using a domain account that has access to at least one database in the Analysis Services instance and open a data connection to your Analysis Services instance by selecting the Data tab, clicking From Other Sources, and then clicking From Analysis Services.
 32. Analysis Services Configuration – Verify SSAS Kerberos configuration: in the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next.
 33. Analysis Services Configuration – Verify SSAS Kerberos configuration: on the SQL Server, dcSQL12, check the Windows Security log for an entry that indicates the access was made using Kerberos.
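Scrolling the Security log in Event Viewer for that one entry gets old quickly. As an added example (not a slide from the deck), the script below reads the last hour of logon events (ID 4624) on dcSQL12 and tabulates network logons by authentication package, so a Kerberos logon from the Excel client, or an NTLM fallback from a portal server, is visible at a glance. Event ID 4624 and its field names are standard on Windows Server 2008 R2; the host name is the deck's lab value, and read access to the Security log is assumed.

```powershell
# Added example, not from the deck. Run on dcSQL12 (or with -ComputerName) as an
# account that may read the Security log.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

    # LogonType 3 = network logon, which is what a remote SQL or SSAS client produces;
    # interactive and service logons on the box itself are noise here.
    if ($d['LogonType'] -ne '3') { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        AuthPackage = $d['AuthenticationPackageName']   # Kerberos or NTLM
    }
}

$logons | Sort-Object Time -Descending | Format-Table -AutoSize

# Summary: NTLM rows from the SharePoint servers or the Excel client mean the
# ticket was not used, usually an SPN or DNS (CNAME) problem on the SSAS name.
$logons | Group-Object AuthPackage | Select-Object Name, Count
```

Kerberos network logons often leave WorkstationName empty and carry only the source IP, so filter on SourceIP rather than Workstation when looking for a specific client.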
 34. C2WTS – Claims to Windows Token Service (C2WTS): the Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claim tokens to Windows tokens. As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally, you should configure the service account’s permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).
 35. C2WTS – DNS: create a service account in Active Directory to run the service under. In this example we created myDom12\SP10_svcC2WTS. Permissions for the account: next, configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on.
 36. C2WTS – Local Security Policy for the Account: in Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment, give the service account the following permissions:
 37. C2WTS – Central Administration: from Central Administration click on the link to Security. Under Security | Configure Managed Service Accounts click on Configure managed accounts and register a managed account for the C2WTS service account. Then go back to Security | Configure Service Accounts and change the managed account for the Claims to Windows Token Service to use the newly created C2WTS managed account.
 38. C2WTS – Central Administration: under Services, select Application Management | Service Applications and click on Manage services on server. Verify that you are on the correct server, making any needed change in the server selection box in the upper right-hand corner to select the server(s) running Excel Services. Find the Claims to Windows Token Service and start it. If it is already running it will need to be restarted, and the corresponding Windows service will need to be restarted.
 39. C2WTS – Windows Service for C2WTS: there is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround is to configure a service dependency on the Cryptographic Services service. Open a Command Prompt window and enter:
       sc config "c2wts" depend= CryptSvc
     Find the Claims to Windows Token Service in the services console, open the properties for the service and click on the Dependencies tab. Make sure Cryptographic Services is listed.
 40. C2WTS – Windows Service for C2WTS: restart the C2WTS from the services console. In addition, if you experience issues with the C2WTS after restarting the service it may also be necessary to reset the IIS application pools that communicate with the C2WTS. This completes the transition of the C2WTS from using a local account to a domain account. Once it is using a domain account, an SPN can be assigned.
 41. C2WTS – SPN for C2WTS: add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment.
       SetSPN -S {Arbitrary Protocol}/{Arbitrary Name} {Domain Name}\{C2WTSSvcAcct}
     In our example we registered SP10C2WTS/C2WTSsvc to myDom12\SP10_svcC2WTS using the following command:
       SetSPN -S SP10C2WTS/C2WTSsvc myDom12\SP10_svcC2WTS
 42. SSRS – Reporting Services: authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 will convert the Windows authentication token into a claims token using the local Security Token Service (STS). The SQL Reporting Services service application will accept the claims token and convert it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Foundation (WIF). The SQL Reporting Services service application will then use the client’s Kerberos ticket to authenticate with the back-end data source.
 43. SSRS – SQL Reporting Services service account: as a best practice, SQL Reporting Services should run under its own domain identity. To configure the SQL Reporting Services service application, an Active Directory account must be created. In this example, the following accounts were created:
 44. SSRS – SPNs. SPN format:
       SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account}
     SQL Reporting Services SPN configuration:
       SetSPN -S spSSRSSvc/ReportingPortal myDom12\sp10_svcSSRS12
       SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\sp10_svcSSRS12
 45. SSRS – Verify SPNs: to verify that the SPN for a data source service account exists, run the following SetSPN command. Format:
       SetSPN -L {Domain Name}\{Service Account}
     SQL Reporting Services account:
       SetSPN -L myDom12\SP10_SvcSSRS12
     ---- we did these prior to now ----
     Data source account:
       SetSPN -L myDom12\SQL12_Engine
     C2WTS account:
       SetSPN -L myDom12\SP10_SvcC2WTS
 46. SSRS – Delegation: to allow SQL Reporting Services to delegate the client’s identity, Kerberos constrained delegation must be configured. It is required to configure constrained delegation with protocol transition for the conversion of the claims token to a Windows token via the WIF C2WTS. Each server running SQL Reporting Services must be trusted to delegate credentials to each back-end service SQL Reporting Services will authenticate with. In addition, the SQL Reporting Services service account must also be configured to allow delegation to the same back-end services.
     Principal Type | Principal Name          | Delegates To Service
     User           | myDom12\SP10_SvcSSRS12  | MSSQLSVC/dcSQL12.myDom12.local:1433
     User           | myDom12\SP10_SvcC2WTS   | MSSQLSVC/dcSQL12.myDom12.local:1433
 47. SSRS – SSRS Constrained Delegation: to configure constrained delegation from SQL Reporting Services to the data source, follow these steps.
     1. Open the Active Directory object’s properties in Active Directory Users and Computers.
     2. Navigate to the Delegation tab.
     3. Select Trust this user for delegation to specified services only.
     4. Select Use any authentication protocol. This enables protocol transition and is required for the service account to use the C2WTS.
     5. Click the Add button to select the service principal to allow delegation to.
     6. Select Users or Computers.
     7. Enter the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine
     8. Click OK.
     9. Select the services for the SQL Server data source.
     10. Click OK.
     11. You should now see the selected SPNs in the “services to which this account can present delegated credentials” list.
     12. Clicking Expanded will show both the short and long form of the SPNs entered for the data source.
     13. Click OK.
 48. SSRS – C2WTS Constrained Delegation: to configure constrained delegation from C2WTS to the data source, follow the same procedure you just did for SSRS constrained delegation, resulting in the following when done. In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine
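The ADUC clicks in the two delegation slides above set two things on each account: the msDS-AllowedToDelegateTo list (the "specified services only" SPNs) and the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl ("Use any authentication protocol", i.e. protocol transition). As an added example (not a slide from the deck), the script below does the same with the Active Directory PowerShell module and then reads both attributes back, which is the check to run when a report still fails with an NTLM or double-hop error. Account and SPN values are the deck's lab values; the AD module from RSAT on Windows Server 2008 R2 is assumed.

```powershell
# Added example, not from the deck. Run as an account that may modify these user objects.
Import-Module ActiveDirectory

# Services each account may obtain a ticket for on the client's behalf. Both the
# ported and unported forms are listed, matching what the Expanded view in ADUC shows.
$target   = @('MSSQLSvc/dcSQL12.myDom12.local:1433', 'MSSQLSvc/dcSQL12.myDom12.local')
$accounts = @('SP10_SvcSSRS12', 'SP10_SvcC2WTS')

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)
$TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust this user for delegation to any service" (unconstrained)

foreach ($sam in $accounts) {
    # -Replace makes the run idempotent: the list becomes exactly $target, nothing more.
    Set-ADUser -Identity $sam -Replace @{ 'msDS-AllowedToDelegateTo' = $target }
    # Protocol transition is needed here because C2WTS builds the Windows token from a
    # claims token; the client never presented a Kerberos ticket to SSRS itself.
    Set-ADAccountControl -Identity $sam -TrustedToAuthForDelegation $true
}

function Get-DelegationState {
    # Read back what ADUC would show on the Delegation tab.
    param([string]$Sam)
    $u = Get-ADUser -Identity $Sam -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    [pscustomobject]@{
        Account            = $Sam
        ProtocolTransition = [bool]($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        Unconstrained      = [bool]($u.userAccountControl -band $TRUSTED_FOR_DELEGATION)   # must stay False
        DelegatesTo        = @($u.'msDS-AllowedToDelegateTo') -join '; '
    }
}

$accounts | ForEach-Object { Get-DelegationState -Sam $_ } | Format-List
```

Unconstrained should read False for every service account: the deck's "Delegation – No Shortcuts" gotcha applies here, since "any service" would let those accounts obtain tickets to anything in the domain as any user who has hit the portal.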
 49. SSRS – SharePoint: create a managed account.
 50. SSRS – Reporting Services service: start the Reporting Services service. Note: be sure that the service is NOT running on servers where it should not be, as this can lead to issues with C2WTS.
 51. SSRS – SSRS 12 Service Application: once it has finished it will present you with a completion message and then a link to some further configuration, which will present a message letting you know whether the SQL Server Agent service is running.
 52. SSRS – SSRS 12 Service Application: in order for the service application to work as expected, certain permissions need to be assigned to the application pool account. Click the “Download Script” command to get a dynamically generated script that you must then run in SQL. SQL Reporting Services needs to access the SQL Agent through an account: enter the SQL Agent account for the SharePoint SQL instance. When complete, the SQL Reporting Services service application will be created.
 53. SSRS – SSRS Service Account Permissions: a required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application’s service account access to the content databases for a given web application. In this example, we will grant the SQL Reporting Services account access to the portal web application’s content database by using Windows PowerShell. Run the following commands from the SharePoint 2010 Management Shell:
       $w = Get-SPWebApplication -Identity http://ReportingPortal
       $w.GrantAccessToProcessIdentity("myDom12\SP10_svcSSRS12")
     The change can be seen in the SQL instance used for the SharePoint farm by viewing the SQL Reporting Services application pool account’s security login properties.
 54. SSRS – Testing: create a document library for reports; validate site collection settings for Reporting Services.
 55. SSRS – Testing: create and publish a test report in SQL Server Business Intelligence Development Studio.
 56. SSRS – Testing: create and publish a test report in SQL Server Business Intelligence Development Studio (continued).
 57. SSRS – Testing: create and publish a test report in SQL Server Business Intelligence Development Studio (continued).
 58. SSRS – Testing: create and publish a test report in SQL Server Business Intelligence Development Studio; validate in IE.
 59. Gotchas – Things to note:
     • Mixed-mode Active Directory (2k3/2k8)
     • “The Given Key Was Not Present in the Dictionary”
     • Delegation – no shortcuts
     • Rushing – don’t
 60. Summary: setting up Kerberos is slow, painful and time consuming. If you follow these steps, hopefully you’ll avoid undue pain. When in doubt call Microsoft Support – they do have a Kerberos troubleshooter they’ll have you run. It is possible to run the tool in an offline mode – hopefully you read between the lines here. Don’t skip steps, don’t take shortcuts, don’t do things out of order. When all else fails, find a hard wall, pound your head against the wall, call in sick and have someone else do it. … You can always call Oakwood too … I guess.
 61. Please fill out the evaluation and turn it in to this session’s host. #GMSQL