Kerberos

   It’s a real pain in the as

   The Four Letter Word
#GMSQL

Ken Maglio
   Microsoft Solution Architect
   World Wide Technology, Inc.

   @kenmaglio
   /in/kenmaglio
   kenmaglio@outlook.com
Today:
   • Walk through the configuration of Kerberos
   • Prep for Business Intelligence (BI) solutions
   • SharePoint 2010
      • SSRS Integrated Mode
   • SQL Server 2012

   No Demos – Sorry!
   ( like I want to setup more Kerberos environments – rly? )
Benefits

Delegation of client credentials
   • pass that identity to other network services on the client's behalf
   • NTLM does not allow this delegation – “double-hop”
   • Claims authentication, like Kerberos authentication, can be used to delegate
     client credentials but requires the back-end application to be claims-aware

   Security
   • AES encryption, mutual authentication, support for data integrity and data privacy

   Potentially better performance
   • Less traffic to the domain controllers compared with NTLM
Assumptions

You know how to:
   • install SQL Server 2012
   • work with Windows Server 2008 R2
   • work with IIS 7
   • work with SharePoint 2010 (central admin mainly)
Getting started
   Environment:
   Windows Server 2008 R2 – Active Directory – blah blah blah

   SharePoint 2010 with Two Web Applications
      IntranetPortal
      ReportingPortal

   SQL Server 2012 RDBMS for SharePoint Databases

   SQL Server 2012 Analysis Services
DNS Records
   Register a DNS A Record for the web application – just don’t use CNames

Service Accounts
   Create a service account for each web application’s IIS application pool
SPN Configuration

   Register Service Principal Names (SPNs) for the web applications on the service
   account created for each web application’s IIS application pool.

   Identify the service account used for each web application's IIS application pool:
   {Domain Name}\{App Pool Acct}

   Register the SPNs on the service account:
   SetSPN -S HTTP/{Server Host Name} {Domain Name}\{App Pool Acct}
   SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}\{App Pool Acct}

   Example
   SetSPN -S HTTP/IntranetPortal myDom12\sp10_PortalIntranet
   SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12\sp10_PortalIntranet

   SetSPN -S HTTP/ReportingPortal myDom12\sp10_PortalReporting
   SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12\sp10_PortalReporting
Configure Managed Accounts
   Enter in the Name and Password and click OK for both of the Accounts

Portal Creation
RSS Test Page Setup
   RSS Feeds make a good Kerberos test of SharePoint, since SharePoint
   generally requires authentication to access its information, even when
   accessing RSS.

   Add 2 RSS Web Parts to the new TestRSS pages in the Reporting and the Intranet Portals.

   The RSS Feeds can be enabled from most lists or libraries. Under the
   List/Library tab a button can be seen for RSS Feed. This will launch a
   new page containing the RSS information. Copy the URL for a page on each
   site to be used in the next step.

   Each of the Web Parts can be edited to change the name and the RSS
   properties.

   Results:
Web Application Configuration – Kerberos On
   Click on the Web Application to select it and then from the
   ribbon click Authentication Providers.

   Click the Default Zone to set up our authentication.

   Once done click Save and close the Authentication Provider window.
   Repeat for the other Web Application.
IIS Site Authentication
   Since SharePoint sits on top of IIS, the settings for IIS Authentication also
   need to be changed.

Kernel-Mode Authentication
   Kernel mode authentication is not supported in SharePoint Server 2010. By default, all
   SharePoint Server Web Applications should have Kernel Mode Authentication disabled
   on their corresponding IIS web sites.

   In the right panel click on Advanced Settings…
   Verify that in Advanced Settings the Enable Kernel-mode authentication box is NOT checked.

Providers
   Under Providers add Negotiate from Available Providers and move it to the top of the
   Enabled Providers list.
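The three IIS settings just described (Windows authentication on, kernel-mode authentication off, Negotiate listed first) can be audited without clicking through IIS Manager by reading applicationHost.config. The following is an added example, not code from the deck or from Microsoft; the `$SampleConfig` XML is constructed to show one correctly configured site and one that would fall back to NTLM, and on a real web front end you would load `%windir%\System32\inetsrv\config\applicationHost.config` instead.

```powershell
# Added example (not part of the deck): audit the IIS windowsAuthentication
# settings for each SharePoint site by reading applicationHost.config.
# $SampleConfig below is constructed for illustration only.

function Test-SiteKerberosAuth {
    param(
        [Parameter(Mandatory=$true)] [xml]      $Config,
        [Parameter(Mandatory=$true)] [string[]] $SiteName
    )
    foreach ($site in $SiteName) {
        $loc = @($Config.configuration.location | Where-Object { $_.path -eq $site })
        $wa  = $null
        if ($loc.Count -gt 0) { $wa = $loc[0].'system.webServer'.security.authentication.windowsAuthentication }
        if (-not $wa) {
            New-Object PSObject -Property @{ Site = $site; Providers = ''; Status = 'no windowsAuthentication section for this site' }
            continue
        }
        $providers = @($wa.providers.add | ForEach-Object { $_.value })
        $problems  = @()
        if ($wa.enabled -ne 'true') { $problems += 'Windows authentication disabled' }
        # useKernelMode defaults to true when the attribute is absent, so only an
        # explicit "false" passes. With kernel mode on, the ticket is decrypted with
        # the machine account's key rather than the app pool account's, so tickets
        # issued for the HTTP SPNs registered on the pool account cannot be decrypted
        # (unless useAppPoolCredentials is also set, which the deck does not use).
        if ($wa.useKernelMode -ne 'false') { $problems += 'kernel-mode authentication enabled (unsupported for SharePoint 2010)' }
        # Negotiate must be first so browsers try Kerberos before NTLM
        if ($providers.Count -eq 0 -or $providers[0] -ne 'Negotiate') {
            $first = if ($providers.Count) { $providers[0] } else { 'none' }
            $problems += "first provider is '$first', expected Negotiate"
        }
        New-Object PSObject -Property @{
            Site      = $site
            Providers = ($providers -join ', ')
            Status    = $(if ($problems.Count) { $problems -join '; ' } else { 'OK' })
        }
    }
}

# Constructed sample: IntranetPortal is configured as the deck describes,
# ReportingPortal still has kernel mode (implicitly) on and NTLM listed first.
$SampleConfig = [xml] @"
<configuration>
  <location path="IntranetPortal">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="ReportingPortal">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><clear /><add value="NTLM" /><add value="Negotiate" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"@

Test-SiteKerberosAuth -Config $SampleConfig -SiteName IntranetPortal, ReportingPortal |
    Format-Table Site, Providers, Status -AutoSize
```

Run it on each web front end, since IIS settings are per server and a single WFE left with kernel-mode authentication on produces intermittent NTLM fallback that is hard to trace from the SharePoint side.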
Checking RSS with Kerberos
   Once Kerberos is in place in AD, SharePoint, and IIS a refresh of the RSS
   page will show the results we expect.

   One final task is needed to restrict this access: Delegation.
Delegation
   To configure delegation you can use the Active Directory Users and
   Computers snap-in. Right-click each service account and open the
   properties dialog.

   Shortcut? NO!!!

   Note that when you return to the delegation dialog you do not actually see all the SPNs
   selected. To see all SPNs, check the Expanded check box in the lower left hand corner.
   This restriction will allow SharePoint to only delegate its credentials to the other
   User or Computer.

   Perform these steps for each service account in your environment that requires
   delegation.

   It may seem redundant to configure delegation from a service to itself, such as the
   portal service account delegating to the portal service application, but this is
   required in scenarios where you have multiple servers running the service. This is to
   address the scenario where one server may need to delegate to another server running
   the same service; for instance a WFE processing a request with an RSS viewer which
   uses the local web application as the data source.
Configure DNS
   Configure DNS for the SQL Server in your environment.

   In this example we have one SQL Server, dcSQL12.myDom12.local, running
   on port 1433 at IP 10.0.0.4. The SQL Server database engine is running on
   the default instance.
SPN for SQL
   For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal
   name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server
   database engine use the following format for configurations that are using the default instance and not a SQL
   Server named instance.
   MSSQLSvc/<FQDN>:port

   Default Instance
   SetSPN -S MSSQLSVC/{Host Server Name} {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN} {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSVC/{Host Server Name}:1433 {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:1433 {Domain Name}\{Sql Svc Acct}

   Named Instance
   SetSPN -S MSSQLSVC/{Host Server Name}:{Instance Name} {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:{Instance Name} {Domain Name}\{Sql Svc Acct}

   In our example, we configured the SQL Server SPN on the SQL Server database engine service account
   (myDom12\SQL12_Engine) with the following SetSPN commands:
   SetSPN -S MSSQLSVC/dcSQL12 myDom12\SQL12_Engine
   SetSPN -S MSSQLSVC/dcSQL12.myDom12.local myDom12\SQL12_Engine
   SetSPN -S MSSQLSVC/dcSQL12:1433 myDom12\SQL12_Engine
   SetSPN -S MSSQLSVC/dcSQL12.myDom12.local:1433 myDom12\SQL12_Engine
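The HTTP and MSSQLSvc SPN sets above follow one pattern (short host name plus FQDN, with an optional port or instance suffix), and the most common way to break Kerberos at this step is to register an SPN that already exists on another account. The following is an added example, not code from the deck: a helper that builds the SPN set for a service class and checks each SPN for an existing registration with `setspn -Q` before calling `setspn -S`. It generalizes beyond the two cases above to the MSOLAPSvc.3 named-instance form used later in the deck (instance name, never a port, after the colon). It assumes `setspn.exe` on a domain-joined Windows Server 2008 R2 host and an account permitted to write `servicePrincipalName` on the service accounts; the `-DryRun` switch and function names are the example's own.

```powershell
# Added example (not part of the deck): build and safely register the SPN set
# for a Kerberos-enabled service. Assumes setspn.exe is on the PATH.

function Get-ServiceSpnSet {
    param(
        [Parameter(Mandatory=$true)] [string] $ServiceClass,  # HTTP, MSSQLSvc, MSOLAPSvc.3, ...
        [Parameter(Mandatory=$true)] [string] $HostName,      # short name, e.g. dcSQL12
        [Parameter(Mandatory=$true)] [string] $DnsDomain,     # e.g. myDom12.local
        [int]    $Port,                                       # MSSQLSvc default instance: 1433
        [string] $InstanceName                                # named instance, e.g. SSAS
    )
    # The client builds the SPN from the name it used to reach the service, so the
    # short name and the FQDN are both registered. A CNAME would make the client
    # request an SPN for the canonical name instead, which is why the deck says to
    # use A records.
    $suffix = ''
    if ($InstanceName) { $suffix = ":$InstanceName" }   # MSOLAPSvc.3 named instances: instance name, not port
    elseif ($Port)     { $suffix = ":$Port" }

    $spns = @("$ServiceClass/$HostName$suffix", "$ServiceClass/$HostName.$DnsDomain$suffix")
    # The SQL Server default instance also needs the port-less forms (as in the deck)
    if ($ServiceClass -ieq 'MSSQLSvc' -and $Port -and -not $InstanceName) {
        $spns = @("$ServiceClass/$HostName", "$ServiceClass/$HostName.$DnsDomain") + $spns
    }
    return $spns
}

function Register-ServiceSpn {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Spn,
        [Parameter(Mandatory=$true)] [string]   $Account,   # DOMAIN\account
        [switch] $DryRun
    )
    foreach ($s in $Spn) {
        # setspn -Q searches the forest; the same SPN on two accounts leaves the KDC
        # unable to pick a key, and clients silently fall back to NTLM.
        $q = & setspn.exe -Q $s 2>&1
        if ($q -match 'Existing SPN found') {
            Write-Warning "$s is already registered:`n$($q -join "`n")"
            continue
        }
        if ($DryRun) { "setspn -S $s $Account"; continue }
        # -S (rather than -A) makes setspn itself refuse to create a duplicate
        & setspn.exe -S $s $Account
    }
}

# The deck's own examples expressed through the helpers (accounts as DOMAIN\name):
$web  = Get-ServiceSpnSet -ServiceClass HTTP        -HostName IntranetPortal -DnsDomain myDom12.local
$sql  = Get-ServiceSpnSet -ServiceClass MSSQLSvc    -HostName dcSQL12        -DnsDomain myDom12.local -Port 1433
$ssas = Get-ServiceSpnSet -ServiceClass MSOLAPSvc.3 -HostName dcSQL12        -DnsDomain myDom12.local -InstanceName SSAS

Register-ServiceSpn -Spn $web  -Account 'myDom12\sp10_PortalIntranet' -DryRun
Register-ServiceSpn -Spn $sql  -Account 'myDom12\SQL12_Engine'        -DryRun
Register-ServiceSpn -Spn $ssas -Account 'myDom12\SQL12_SSAS_AnlSvc'   -DryRun
```

Drop `-DryRun` to perform the registrations. Keeping the duplicate check separate from the registration matters because `setspn -S` only refuses duplicates in the current domain scope it searches; `setspn -Q` run first, and `setspn -X` afterwards to list any duplicates forest-wide, give you the evidence before anything changes.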
SQL Server named instances
   If you use SQL Server named instances instead of the default instance, you
   have to register SPNs specific to the SQL Server instance and for the SQL
   Server Browser service. See the following articles for more information about
   configuring Kerberos authentication for named instances:

   Registering a Service Principal Name
   http://go.microsoft.com/fwlink/?LinkID=196796

   An SPN for the SQL Server Browser service is required when you establish a
   connection to a named instance of SQL Server 2005 Analysis Services or of
   SQL Server 2005
   http://go.microsoft.com/fwlink/?LinkId=196799
Verify SQL Server Kerberos configuration
   Reboot the computers that are running SharePoint Server.
   This action restarts all services and forces them to re-connect and re-
   authenticate by using Kerberos authentication.

   Open SQL Server Management Studio and run the following query from a
   server other than the SQL server, since a connection made on the SQL server
   itself would not need Kerberos to authenticate.

   SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ;

   If Kerberos authentication is configured correctly, you see
   Kerberos in the auth_scheme column of the query results.

   Additionally you can get more information:
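The same auth_scheme check can be scripted so it runs from a web front end right after the reboot, without opening Management Studio. The following is an added example, not from the deck: it opens an integrated-security connection to the SQL Server by FQDN and port (so the client requests a ticket for exactly the MSSQLSvc/fqdn:port SPN registered above) and reports how SQL Server authenticated it. It assumes `System.Data.SqlClient` (present on any .NET 3.5+ host), a domain user context, and the deck's server name; the function name is the example's own.

```powershell
# Added example (not part of the deck): read auth_scheme for our own connection.

function Get-SqlAuthScheme {
    param(
        [string] $Server = 'dcSQL12.myDom12.local',   # FQDN matters: SqlClient derives the SPN from it
        [int]    $Port   = 1433
    )
    # A connection made on the SQL host itself does not exercise the network SPN
    # path, which is why the deck says to test from a different server.
    $short = ($Server -split '\.')[0]
    if ($short -ieq $env:COMPUTERNAME) { throw 'Run this from a machine other than the SQL Server.' }

    # "Server=fqdn,port" makes SqlClient request a ticket for MSSQLSvc/fqdn:port,
    # the SPN the deck registers on the database engine service account.
    $cs   = "Server=$Server,$Port;Integrated Security=SSPI;Database=master;Connection Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme, net_transport, client_net_address ' +
                           'FROM sys.dm_exec_connections WHERE session_id = @@spid;'
        $r = $cmd.ExecuteReader()
        [void] $r.Read()
        New-Object PSObject -Property @{
            Server        = "$Server,$Port"
            AuthScheme    = $r['auth_scheme']        # KERBEROS, NTLM or SQL
            Transport     = $r['net_transport']      # TCP expected from a remote client
            ClientAddress = $r['client_net_address']
        }
    }
    finally { $conn.Dispose() }
}

$result = Get-SqlAuthScheme
$result | Format-List
if ($result.AuthScheme -ne 'KERBEROS') {
    # NTLM here means the ticket request failed: missing or duplicate MSSQLSvc SPN,
    # a CNAME in DNS, or a stale ticket cache (run "klist purge" and retry).
    Write-Warning "Connection used $($result.AuthScheme), not Kerberos; check setspn -L on the engine account and the DNS A record."
}
```

The `net_transport` column is worth keeping in the output: a result of Shared memory means the test was run locally after all, and the auth_scheme value then says nothing about the SPN configuration.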
Create a test SQL Server DB and test table
   To test delegation across the various SharePoint Server service applications
   covered in the scenarios, you have to configure a test data source for those
   services to access. In the final step of this scenario, you configure a test
   database called "KerbTest" and a test table called "Sales" to be used later.

   In SQL Server Management Studio, create a new database called "KerbTest".
   Keep the default settings when creating this database.

   CREATE TABLE [dbo].[Sales](
        [RowID] [int] IDENTITY(1,1) NOT NULL,
        [Region] [nvarchar](10) NOT NULL,
        [Year] [nvarchar](40) NOT NULL,
        [Amount] [money] NOT NULL
   ) ON [PRIMARY]
   GO

   Save the table with the name "Sales". Populate with data.
Setup Analysis Services
   Just like the standard RDBMS setup, we will need to configure DNS for Analysis
   Services, and of course install Analysis Services.

   I’ll spare the additional screen shots and walkthroughs – hoping you know how
   to install Analysis Services, and set up DNS to point to your instance.

   The first step we’ll need to ensure is done is configuring Active Directory for
   the SPNs used by the Analysis Services instance.
SSAS SPNs
   For SQL Server Analysis Services to authenticate clients by using Kerberos authentication,
   you have to register a service principal name (SPN) on the service account that is running
   Analysis Services. The SPN for a default Analysis Services instance uses the following format:
   MSOLAPSvc.3/{FQDN}

   So for a single Analysis Services Data Source the format would be
   SetSPN -S MSOLAPSvc.3/{Server Host Name} {Domain Name}\{SQL Svc Acct}
   SetSPN -S MSOLAPSvc.3/{Server Host Name}.{FQDN} {Domain Name}\{SQL Svc Acct}

   We will configure Analysis Services using the default SQL instance so the SPN on the
   Analysis Services service account (myDom12\SQL12_SSAS) will require the following
   SetSPN commands:
   SetSPN -S MSOLAPSvc.3/dcSQL12 myDom12\SQL12_SSAS
   SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local myDom12\SQL12_SSAS

   To confirm this:
   SetSPN -L myDom12\SQL12_SSAS

SSAS Named Instances
   If the data source uses a named instance of Analysis Services, you cannot
   specify a port after the colon. If you do, it is interpreted as part of the
   hostname or domain name. Instead, you must use the actual instance name
   for all functionality to work correctly.
   MSOLAPSvc.3/{FQDN}:{Instance Name}

   If instead Analysis Services is configured as a named instance (SSAS in this example),
   the SPN on the Analysis Services service account for that instance
   (myDom12\SQL12_SSAS_AnlSvc) will require the following SetSPN commands:
   SetSPN -S MSOLAPSvc.3/dcSQL12:SSAS myDom12\SQL12_SSAS_AnlSvc
   SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local:SSAS myDom12\SQL12_SSAS_AnlSvc
Verify SSAS Kerberos configuration
   Once the SPN is configured, verify the Kerberos connection to the cluster by
   using Excel 2010.
   Open Excel 2010 on the client computer using a domain account that has
   access to at least one database in the Analysis Services instance and open a
   data connection to your Analysis Services instance by selecting the Data tab,
   clicking From Other Sources, and then clicking From Analysis Services.

   In the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next.

   From the SQL Server, dcSQL12, check the Windows Security Log to see an entry that
   indicates the access was made using Kerberos.
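The Security Log check above is the one that tells you what actually happened on the wire: a successful logon (event 4624) records the authentication package, so an Excel or SQL test that silently fell back to NTLM shows up as NTLM even when the connection worked. The following is an added example, not from the deck, that pulls recent network logons for the test account from the server being verified and lists the package each used. It assumes `Get-WinEvent` (Windows Server 2008 R2 or later) and rights to read the Security log on dcSQL12; `TESTUSER` is a placeholder for whatever domain account you ran the Excel test with.

```powershell
# Added example (not part of the deck): which authentication package did the
# recent network logons for a given account use? Run on the server being tested.

function Get-RecentLogonAuth {
    param(
        [string] $User  = 'TESTUSER',   # placeholder: the domain account used for the Excel test
        [int]    $Hours = 1,
        [int]    $Max   = 500
    )
    $since = (Get-Date).AddHours(-$Hours)
    # 4624 = successful logon; its EventData carries the fields we need
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -MaxEvents $Max |
      ForEach-Object {
        $x = [xml] $_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']                  # 3 = network, what a remote SSAS/SQL client produces
            Package   = $d['AuthenticationPackageName']  # Kerberos or NTLM
            Source    = $d['IpAddress']
        }
      } |
      Where-Object { $_.User -ieq $User -and $_.LogonType -eq '3' }
}

$logons = Get-RecentLogonAuth -User 'TESTUSER' -Hours 1
$logons | Sort-Object Time -Descending | Format-Table Time, User, Package, Source -AutoSize

if (@($logons | Where-Object { $_.Package -eq 'NTLM' }).Count -gt 0) {
    # An NTLM network logon from the client address means the SPN lookup failed
    # for that connection even though the logon itself succeeded.
    Write-Warning 'NTLM network logons found for the test account; Kerberos fell back for at least one connection.'
}
```

Filtering on logon type 3 keeps the interactive and service logons of the same account out of the way; the source address column lets you match the entry to the client you ran Excel from.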
Claims to Windows Token Service (C2WTS)
   The Claims to Windows Token Service (C2WTS) is a component of the Windows
   Identity Foundation (WIF) which is responsible for converting user claim tokens to
   Windows tokens.

   As a best practice you should run the C2WTS using a dedicated service account and
   not as Local System (the default configuration). The C2WTS service account requires
   special local permissions on each server the service runs on so be sure to configure
   these permissions each time the service is started on a server. Optimally, you should
   configure the service account’s permissions on the local server before starting the
   C2WTS, but if done after the fact you can restart the C2WTS from the Windows
   services management console (services.msc).
DNS
   Create a service account in Active Directory to run the service under.
   In this example we created myDom12\SP10_svcC2WTS.

Permission for the Account
   Next, configure the required local server permissions that the C2WTS requires.
   You will need to configure these permissions on each server the C2WTS runs on.

Local Security Policy for the Account
   In Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment
   give the service account the following permissions:
Central Administration
   From Central Administration click on the link to Security.
   Under Security | Configure Managed Service Accounts click on Configure Managed
   Accounts.

   Register a managed account for the C2WTS service account, then
   go back to Security | Configure Service Accounts.

   Change the managed account for the Claims to Windows Token Service to use the
   newly created C2WTS Managed Account.

   Under Application Management | Service Applications click on Manage
   services on server.

   Verify that you are on the correct server, making any needed change in the server
   selection box in the upper right hand corner to select the server(s) running Excel Services.

   Find the Claims to Windows Token Service and start it. If it is already running it will need to
   be restarted, and the corresponding Windows Service will need to be restarted.
Windows Service for C2WTS
   There is a known issue with the C2WTS where it may not automatically start up
   successfully on system reboot. A workaround to the issue is to configure a service
   dependency on the Cryptographic Services service.

   Open the Command Prompt window and enter
   sc config "c2wts" depend= CryptSvc

   Find the Claims to Windows Token Service in the services console.
   Open the properties for the service and click on the
   Dependencies tab. Make sure Cryptographic Services is listed.

   Restart the C2WTS from the services console.

   In addition, if you experience issues with the C2WTS after restarting the service it may
   also be required to reset the IIS application pools that communicate with the C2WTS.

   This will complete the transition of the C2WTS from using a local account to a domain
   account. And once it is using a domain account an SPN can be assigned.
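The dependency workaround, the dependency check and the restart order described above (Windows service first, then the IIS application pools that call it) can be done in one script per server. The following is an added example, not from the deck: it runs the deck's `sc config` command, confirms the dependency was recorded, restarts c2wts and recycles the named application pools. It assumes local administrator rights on the SharePoint server and the WebAdministration module (IIS 7.5); the application pool names are placeholders, since the deck does not show them.

```powershell
# Added example (not part of the deck): apply and verify the c2wts -> CryptSvc
# dependency, then restart in the order the deck describes.

function Set-C2wtsDependency {
    param(
        # Placeholder pool names: substitute the pools of the web applications
        # that talk to the C2WTS (IntranetPortal / ReportingPortal in the deck).
        [string[]] $AppPool = @('SharePoint - IntranetPortal80', 'SharePoint - ReportingPortal80')
    )
    # Same command as the deck; sc.exe is spelled out because "sc" is the
    # Set-Content alias in PowerShell. Note depend= takes the value as the next token.
    & sc.exe config c2wts depend= CryptSvc | Out-Null

    $svc  = Get-Service -Name c2wts
    $deps = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
    if ($deps -notcontains 'CryptSvc') {
        throw "c2wts dependency was not set (current dependencies: $($deps -join ','))"
    }

    # Restart the Windows service first; the pools recycle afterwards so their
    # WIF clients reconnect to the new service instance.
    if ($svc.Status -eq 'Running') { Restart-Service -Name c2wts -Force } else { Start-Service -Name c2wts }

    Import-Module WebAdministration
    foreach ($p in $AppPool) {
        if (Test-Path "IIS:\AppPools\$p") { Restart-WebAppPool -Name $p }
        else { Write-Warning "application pool '$p' not found on this server" }
    }

    Get-Service -Name c2wts | Select-Object Name, Status,
        @{ Name = 'DependsOn'; Expression = { ($_.ServicesDependedOn | ForEach-Object { $_.Name }) -join ',' } }
}

Set-C2wtsDependency
```

Because the C2WTS permissions and this dependency are per server, run it on every server where the service instance is started in Central Administration, and on no others (the deck's later note about the service running where it should not applies here too).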
SPN for C2WTS
   Add an arbitrary Service Principal Name (SPN) to the service account to expose the
   delegation options for this account in Active Directory Users and Computers. The SPN
   can be any format because we do not authenticate to the C2WTS using Kerberos
   authentication. It is recommended to not use an HTTP SPN to avoid potentially creating
   duplicate SPNs in your environment.
   SetSPN -S {Arbitrary Protocol}/{Arbitrary Name} {Domain Name}\{C2WTS Svc Acct}

   In our example we registered SP10C2WTS/C2WTSsvc to
   myDom12\SP10_svcC2WTS using the following command:
   SetSPN -S SP10C2WTS/C2WTSsvc myDom12\SP10_svcC2WTS
REPORTING SERVICES
   Authentication in this scenario begins with the client authenticating with Kerberos
   authentication at the web front end. SharePoint Server 2010 will convert the Windows
   authentication token into a claims token using the local Security Token Service (STS).
   The SQL Reporting service application will accept the claims token and convert it into a
   Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS)
   that is a part of Windows Identity Foundation (WIF). The SQL Reporting Services
   service application will then use the client’s Kerberos ticket to authenticate with the
   backend data source.
SQL Reporting Services service account
   As a best practice, SQL Reporting Services should run under its own domain identity.
   To configure the SQL Reporting Service Application, an Active Directory account must
   be created. In this example, the following accounts were created:

SPNs
   SPN Format
   SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account}

   SQL Reporting Services SPN Configuration
   SetSPN -S spSSRSSvc/ReportingPortal myDom12\sp10_svcSSRS12
   SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\sp10_svcSSRS12
VERIFY SPNS
   Verification of SPNs
   To verify that the SPNs for a service account exist, run the following SetSPN
   command. Format: SetSPN -L {Domain Name}\{Service Account}

   SQL Reporting Service Account
   SetSPN -L myDom12\SP10_SvcSSRS12

   ---- we did these prior to now ----
   Data Source Account
   SetSPN -L myDom12\SQL12_Engine

   C2WTS Account
   SetSPN -L myDom12\SP10_SvcC2WTS
Delegation
   To allow SQL Reporting Services to delegate the client’s identity, Kerberos constrained
   delegation must be configured. It is required to configure constrained delegation with
   protocol transition for the conversion of the claims token to a Windows token via the WIF
   C2WTS.
   Each server running SQL Reporting Services must be trusted to delegate credentials to
   each back-end service SQL Reporting will authenticate with. In addition, the SQL
   Reporting Services service account must also be configured to allow delegation to the
   same back-end services.

   Principal Type    Principal Name            Delegates To Service
   User              myDom12\SP10_SvcSSRS12    MSSQLSVC/dcSQL12.myDom12.local:1433
   User              myDom12\SP10_SvcC2WTS     MSSQLSVC/dcSQL12.myDom12.local:1433
SSRS Constrained Delegation
   To configure constrained delegation from SQL Reporting Services to the Data Source
   follow these steps.
   1. Open the Active Directory object’s properties in Active Directory Users and
       Computers.
   2. Navigate to the Delegation tab.
   3. Select Trust this user for delegation to specified services only.
   4. Select Use any authentication protocol. This enables protocol transition and is
       required for the service account to use the C2WTS.
   5. Click the Add button to select the service principal allowed to delegate to.
   6. Click Users or Computers.
   7. Enter the service account running the service you wish to delegate to. In this
       example it is the service account for the SQL Server service:
       myDom12\SQL12_Engine
   8. Click OK.
   9. Select the services for the SQL Server data source.
   10. Click OK.
   11. You should now see the selected SPNs in the "Services to which this account can
       present delegated credentials" list.
   12. Clicking Expanded will show both the short and long form of the SPNs entered for
       the data source.
   13. Click OK.

C2WTS Constrained Delegation
   To configure constrained delegation from C2WTS to the Data Source follow the same
   procedure you just did for SSRS Constrained Delegation – resulting in the following
   when done:

   In this example it is the service account for the SQL Server service:
   myDom12\SQL12_Engine
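What the Delegation tab writes for the SSRS and C2WTS accounts (and for the portal service accounts in the earlier Delegation slide) is two things on the user object: the `msDS-AllowedToDelegateTo` list of target SPNs, and the userAccountControl bits for "specified services only" versus "any service" and for "use any authentication protocol". Reading them back with the ActiveDirectory module avoids the "Expanded" display problem the deck warns about and makes the "Shortcut? NO!!!" point checkable: an account left on unconstrained delegation can impersonate its users to any service in the domain. The following is an added example, not from the deck; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2) and read access to the service accounts, and uses the deck's account and SPN names.

```powershell
# Added example (not part of the deck): read back constrained-delegation settings
# for the service accounts in the deck's delegation table.

Import-Module ActiveDirectory

function Get-DelegationConfig {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Account,     # sAMAccountName(s)
        [string[]] $RequiredSpn                                # SPNs each account must be allowed to reach
    )
    $TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained: "Trust this user for delegation to any service"
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition: "Use any authentication protocol"
    foreach ($a in $Account) {
        $u   = Get-ADUser -Identity $a -Properties userAccountControl, msDS-AllowedToDelegateTo
        $uac = [int] $u.userAccountControl
        $allowed = @($u.'msDS-AllowedToDelegateTo')
        $missing = @($RequiredSpn | Where-Object { $allowed -notcontains $_ })
        New-Object PSObject -Property @{
            Account             = $a
            # should be $false: the deck configures delegation to specified services only
            Unconstrained       = [bool] ($uac -band $TRUSTED_FOR_DELEGATION)
            # should be $true for SSRS and C2WTS: claims-to-Windows needs protocol transition
            ProtocolTransition  = [bool] ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedToDelegateTo = ($allowed -join '; ')
            MissingSpn          = ($missing -join '; ')
        }
    }
}

# The deck's delegation table: both accounts must reach the SQL engine. Both the
# short and the FQDN:port forms are expected (that is what "Expanded" reveals in ADUC).
$sqlSpns = @('MSSQLSvc/dcSQL12.myDom12.local:1433', 'MSSQLSvc/dcSQL12:1433')

$report = Get-DelegationConfig -Account 'SP10_SvcSSRS12', 'SP10_SvcC2WTS' -RequiredSpn $sqlSpns
$report | Format-Table Account, ProtocolTransition, Unconstrained, MissingSpn -AutoSize

foreach ($r in $report) {
    if ($r.Unconstrained)            { Write-Warning "$($r.Account) is trusted for unconstrained delegation; switch it to specified services only." }
    if (-not $r.ProtocolTransition)  { Write-Warning "$($r.Account) lacks 'Use any authentication protocol'; the C2WTS path will fail." }
    if ($r.MissingSpn)               { Write-Warning "$($r.Account) cannot delegate to: $($r.MissingSpn)" }
}
```

The same function applied to the portal application pool accounts verifies the self-delegation configured in the earlier Delegation slide; pass the HTTP SPNs of the portal as `-RequiredSpn`.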
SharePoint
   Create Managed Account

Reporting Services service
   Start the Reporting Services service.

   Note: Be sure that the service is NOT running on servers it
   should not be, as this can lead to issues with C2WTS.

SSRS 12 Service Application
   Once it has finished it will present you with a completion message and then
   a link to some further configuration, which will present a message letting
   you know if the SQL Server Agent service is running.
SSRS 12 Service Application
   In order for the service application to work as expected certain permissions
   need to be assigned to the application pool account. Click the "Download
   Script" command to get a dynamically generated script that you must then
   run in the SQL

   SQL Reporting Services needs to access the SQL Agent through an account.
   Enter the SQL Agent account for the SharePoint SQL Instance.

   When complete the SQL Reporting Services Service Application will be created.
SSRS Service Account Permissions
   A required step in configuring SSRS 2012 in SharePoint integrated mode is
   granting the Reporting Services application pool account access to the content
   databases of a given web application. In this example, we grant the SQL
   Reporting Services account access to the portal web application's content
   database by using Windows PowerShell.
                       Run the following from the SharePoint 2010 Management Shell
                       (the account is given as DOMAIN\user):
                       $w = Get-SPWebApplication -Identity http://ReportingPortal
                       $w.GrantAccessToProcessIdentity("myDom12\SP10_svcSSRS12")

   To verify the change, open the SQL instance used for the SharePoint farm in
   Management Studio, find the SQL Reporting Services application pool account
   under Security > Logins and view its login properties: under User Mapping it
   should now be a member of the WSS_Content_Application_Pools role on the web
   application's content database.

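The three steps above (run the downloaded permissions script, confirm SQL Server Agent is up, grant the SSRS account access to the content databases) as one script, with the verification query that replaces the manual look at the login properties. This is an added example and not code from the deck; the SQL instance name, script path, web application URL and account name are placeholders, and Invoke-Sqlcmd comes from the SQLPS module that ships with the SQL Server 2012 client tools.

```powershell
# Added example, not part of the original deck. Placeholders you must change:
# $sqlInstance, $agentScript (the file saved from "Download Script"), $webAppUrl
# and $ssrsAccount. Run from the SharePoint 2010 Management Shell as a farm
# administrator who is also sysadmin on the SharePoint SQL instance.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Push-Location
Import-Module SQLPS -DisableNameChecking   # SQL Server 2012 PowerShell module
Pop-Location                               # SQLPS switches to the SQLSERVER: drive

$sqlInstance = 'SQL01'                                # host or host\instance
$agentScript = 'C:\Scripts\SSRS_AgentPermissions.sql'
$webAppUrl   = 'http://ReportingPortal'
$ssrsAccount = 'myDom12\SP10_svcSSRS12'               # DOMAIN\user, the SSRS app pool identity

# 1. Run the generated permissions script against the SharePoint SQL instance.
Invoke-Sqlcmd -ServerInstance $sqlInstance -InputFile $agentScript

# 2. Subscriptions and alerts depend on SQL Server Agent; confirm it is running.
#    Default instance: SQLSERVERAGENT, named instance: SQLAgent$<instance>.
$parts    = $sqlInstance.Split('\')
$agentSvc = if ($parts.Length -gt 1) { "SQLAgent`$$($parts[1])" } else { 'SQLSERVERAGENT' }
$agent    = Get-Service -ComputerName $parts[0] -Name $agentSvc -ErrorAction SilentlyContinue
if (-not $agent -or $agent.Status -ne 'Running') {
    Write-Warning "$agentSvc on $($parts[0]) is not running; subscriptions and alerts will fail"
}

# 3. Grant the SSRS account access to the web application's content databases.
$w = Get-SPWebApplication -Identity $webAppUrl
$w.GrantAccessToProcessIdentity($ssrsAccount)

# Check: GrantAccessToProcessIdentity adds the account to the
# WSS_Content_Application_Pools role in each content database of the web app.
$query = @"
SELECT COUNT(*) AS n
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'WSS_Content_Application_Pools' AND m.name = '$ssrsAccount'
"@
foreach ($db in $w.ContentDatabases) {
    $n = (Invoke-Sqlcmd -ServerInstance $db.NormalizedDataSource -Database $db.Name -Query $query).n
    if ($n -ge 1) { "OK      $($db.Name): $ssrsAccount is in WSS_Content_Application_Pools" }
    else          { Write-Warning "MISSING $($db.Name): $ssrsAccount has no role membership" }
}
```

If the final loop reports MISSING for a database, the grant did not reach it; re-run GrantAccessToProcessIdentity after confirming the web application URL resolved to the right SPWebApplication object.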
Testing
   Create a document library for reports

   Validate site collection settings for Reporting Services

   Create and publish a test report in SQL Server Business Intelligence Development
   Studio

   Validate in IE

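Opening the report in IE proves the page renders, not that the hop used Kerberos: a silent fallback to NTLM looks identical in the browser until the second hop to SQL Server or Analysis Services fails. The following is an added example, not from the deck, that makes the check explicit. The klist line runs on the client after the report has loaded; the function runs elevated on the SharePoint web front end and assumes logon auditing is enabled so that 4624 events are written. The SPN is a placeholder.

```powershell
# Added example (not part of the original deck). The SPN below is a placeholder;
# use the HTTP/ SPN you registered for the web application.
$spn = 'HTTP/ReportingPortal'

# Client side, after loading a report in IE: a TGS ticket for the site's SPN
# should be in the cache. No ticket means the browser did not use Kerberos.
$tickets = klist tickets 2>$null
if ($tickets -match [regex]::Escape($spn)) { "Client holds a ticket for $spn" }
else { Write-Warning "No ticket for $spn in the cache; IE probably fell back to NTLM" }

# Server side (run elevated on the WFE): summarise network logons (type 3) in the
# Security log by user and authentication package.
function Get-LogonPackageSummary {
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['LogonType'] -eq '3') {
            New-Object PSObject -Property @{
                User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Package = $d['AuthenticationPackageName']   # Kerberos or NTLM
            }
        }
    }
    $rows | Group-Object User, Package | Sort-Object Count -Descending |
            Select-Object Count, Name
}
Get-LogonPackageSummary | Format-Table -AutoSize
```

The test user should appear with Package = Kerberos. A row for the same user under NTLM at the time of the test means the SPN, the DNS A record or the browser's intranet-zone setting still lets IE negotiate down, and the double hop will not work even though the page loads.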
Things to note:

   Mixed Mode Active Directory (2k3/2k8)
      “The Given Key Was Not Present in the Dictionary”

   Delegation – No Shortcuts
      Constrained delegation to the specific SPNs, on every hop. Don't "fix" a
      failing hop with "Trust this user for delegation to any service".

   Rushing – Don't

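The "no shortcuts" gotcha is easy to violate quietly: someone ticks unconstrained delegation on a service account to make a hop work and nobody notices. This added example, not from the deck, audits the farm's service accounts and reports which delegation mode each one is actually in. It needs the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later); the account names are placeholders.

```powershell
# Added example (not part of the original deck). Account names are placeholders.
Import-Module ActiveDirectory

$serviceAccounts = 'SP10_svcPortal', 'SP10_svcReporting', 'SP10_svcSSRS12'

function Get-DelegationState {
    param([string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties TrustedForDelegation,
                 TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName
        $targets = @($u.'msDS-AllowedToDelegateTo')
        # TrustedForDelegation       = "any service" (unconstrained), the shortcut to avoid
        # msDS-AllowedToDelegateTo   = constrained delegation target SPNs
        # TrustedToAuthForDelegation = "use any authentication protocol" (protocol transition)
        $mode = if ($u.TrustedForDelegation) { 'UNCONSTRAINED - fix this' }
                elseif ($targets.Count -gt 0 -and $u.TrustedToAuthForDelegation) { 'Constrained, any protocol' }
                elseif ($targets.Count -gt 0) { 'Constrained, Kerberos only' }
                else { 'None' }
        New-Object PSObject -Property @{
            Account   = $sam
            Mode      = $mode
            SPNs      = ($u.ServicePrincipalName -join ' ')
            AllowedTo = ($targets -join ' ')
        }
    }
}

Get-DelegationState $serviceAccounts | Format-List Account, Mode, SPNs, AllowedTo
```

Every account that must forward user identity should show a Constrained mode with exactly the back-end SPNs it needs (the SQL Server and Analysis Services SPNs for the SSRS account, for instance) and nothing more; an account with no SPNs cannot be a delegation target at all, which is the usual reason a hop fails and tempts the shortcut.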
Summary
 Setting up Kerberos – Slow – Painful – Time Consuming

 If you follow these steps – hopefully you'll avoid undue pain

 When in doubt call Microsoft Support – they do have a Kerberos Troubleshooter they'll have you run.
         Possible to run the tool in an offline mode – hopefully you read between the lines here.

 Don't skip steps, don't take shortcuts, don't do things out of order.

 When all else fails, find a hard wall, pound your head against it, call in sick and have someone else do it.

 … You can always call Oakwood too … I guess

Please fill out the evaluation and turn
          it in to this session’s host.
                  #GMSQL
Kerberos

More Related Content

What's hot

#Epicor #ERP 10 Architected for Efficiency
#Epicor #ERP 10 Architected for Efficiency#Epicor #ERP 10 Architected for Efficiency
#Epicor #ERP 10 Architected for EfficiencyIndex InfoTech
 
Websphere Application Server V8.5
Websphere Application Server V8.5Websphere Application Server V8.5
Websphere Application Server V8.5IBM WebSphereIndia
 
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint SecuritySPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint SecurityMichael Noel
 
Integration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an EsbIntegration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an EsbWen Zhu
 
Pivotal CRM for iPad
Pivotal CRM for iPadPivotal CRM for iPad
Pivotal CRM for iPadAptean
 
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
(ATS3-GS03) Accelrys Enterprise Platform Deeper DiveBIOVIA
 
Load Balancing und Beschleunigung mit Citrix Net Scaler
Load Balancing und Beschleunigung mit Citrix Net ScalerLoad Balancing und Beschleunigung mit Citrix Net Scaler
Load Balancing und Beschleunigung mit Citrix Net ScalerDigicomp Academy AG
 
Mobile crm installation & configuration details
Mobile crm   installation & configuration detailsMobile crm   installation & configuration details
Mobile crm installation & configuration detailsArbind Tiwari
 
Workshop: Integrating xen App 6 with ms app v and system center configuration...
Workshop: Integrating xen App 6 with ms app v and system center configuration...Workshop: Integrating xen App 6 with ms app v and system center configuration...
Workshop: Integrating xen App 6 with ms app v and system center configuration...Digicomp Academy AG
 
Installation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP PadmanInstallation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP PadmanQuek Lilian
 
ibm websphere admin training | websphere admin course | ibm websphere adminis...
ibm websphere admin training | websphere admin course | ibm websphere adminis...ibm websphere admin training | websphere admin course | ibm websphere adminis...
ibm websphere admin training | websphere admin course | ibm websphere adminis...Nancy Thomas
 
Pivotal CRM 6.0 Administration
Pivotal CRM 6.0 AdministrationPivotal CRM 6.0 Administration
Pivotal CRM 6.0 AdministrationAptean
 
IBM Websphere concepts
IBM Websphere conceptsIBM Websphere concepts
IBM Websphere conceptsKuldeep Saxena
 
Cognos Technical Super Session 2012
Cognos Technical Super Session 2012Cognos Technical Super Session 2012
Cognos Technical Super Session 2012barnaby1502
 
IBM websphere application server types of profiles
IBM websphere application server types of profilesIBM websphere application server types of profiles
IBM websphere application server types of profilesKuldeep Saxena
 
Ibm web sphere application server interview questions
Ibm web sphere application server interview questionsIbm web sphere application server interview questions
Ibm web sphere application server interview questionspraveen_guda
 
Integrating with SAP FIX and HL7
Integrating with SAP FIX and HL7Integrating with SAP FIX and HL7
Integrating with SAP FIX and HL7WSO2
 
Websphere Application Server v7
Websphere Application Server v7Websphere Application Server v7
Websphere Application Server v7Chris Sparshott
 

What's hot (20)

#Epicor #ERP 10 Architected for Efficiency
#Epicor #ERP 10 Architected for Efficiency#Epicor #ERP 10 Architected for Efficiency
#Epicor #ERP 10 Architected for Efficiency
 
Websphere Application Server V8.5
Websphere Application Server V8.5Websphere Application Server V8.5
Websphere Application Server V8.5
 
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint SecuritySPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
 
Integration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an EsbIntegration of Web Service Stacks in an Esb
Integration of Web Service Stacks in an Esb
 
Pivotal CRM for iPad
Pivotal CRM for iPadPivotal CRM for iPad
Pivotal CRM for iPad
 
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
 
Kerberos part 2
Kerberos part 2Kerberos part 2
Kerberos part 2
 
Load Balancing und Beschleunigung mit Citrix Net Scaler
Load Balancing und Beschleunigung mit Citrix Net ScalerLoad Balancing und Beschleunigung mit Citrix Net Scaler
Load Balancing und Beschleunigung mit Citrix Net Scaler
 
Mobile crm installation & configuration details
Mobile crm   installation & configuration detailsMobile crm   installation & configuration details
Mobile crm installation & configuration details
 
BlazeDS
BlazeDSBlazeDS
BlazeDS
 
Workshop: Integrating xen App 6 with ms app v and system center configuration...
Workshop: Integrating xen App 6 with ms app v and system center configuration...Workshop: Integrating xen App 6 with ms app v and system center configuration...
Workshop: Integrating xen App 6 with ms app v and system center configuration...
 
Installation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP PadmanInstallation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP Padman
 
ibm websphere admin training | websphere admin course | ibm websphere adminis...
ibm websphere admin training | websphere admin course | ibm websphere adminis...ibm websphere admin training | websphere admin course | ibm websphere adminis...
ibm websphere admin training | websphere admin course | ibm websphere adminis...
 
Pivotal CRM 6.0 Administration
Pivotal CRM 6.0 AdministrationPivotal CRM 6.0 Administration
Pivotal CRM 6.0 Administration
 
IBM Websphere concepts
IBM Websphere conceptsIBM Websphere concepts
IBM Websphere concepts
 
Cognos Technical Super Session 2012
Cognos Technical Super Session 2012Cognos Technical Super Session 2012
Cognos Technical Super Session 2012
 
IBM websphere application server types of profiles
IBM websphere application server types of profilesIBM websphere application server types of profiles
IBM websphere application server types of profiles
 
Ibm web sphere application server interview questions
Ibm web sphere application server interview questionsIbm web sphere application server interview questions
Ibm web sphere application server interview questions
 
Integrating with SAP FIX and HL7
Integrating with SAP FIX and HL7Integrating with SAP FIX and HL7
Integrating with SAP FIX and HL7
 
Websphere Application Server v7
Websphere Application Server v7Websphere Application Server v7
Websphere Application Server v7
 

Viewers also liked

Approaches
ApproachesApproaches
ApproachesJabar Ainal
 
Brown_Working with Teachers Project
Brown_Working with Teachers ProjectBrown_Working with Teachers Project
Brown_Working with Teachers ProjectHall2b13
 
Template 3
Template 3Template 3
Template 3Icostyle
 
SharePoint Saturday STL: SharePoint Powershell Admins
SharePoint Saturday STL: SharePoint Powershell AdminsSharePoint Saturday STL: SharePoint Powershell Admins
SharePoint Saturday STL: SharePoint Powershell AdminsKenneth Maglio
 
William fabricio manual de sistemas sas
William fabricio manual de sistemas sasWilliam fabricio manual de sistemas sas
William fabricio manual de sistemas sasRafael Toro
 
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...Fjulkaiseminen
 
Kerberos and Covert Channels
Kerberos and Covert ChannelsKerberos and Covert Channels
Kerberos and Covert ChannelsRaj Bhatt
 
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...Fjulkaiseminen
 
Plagio por Internet -UFT DIPLOMADO SAIA
Plagio por Internet -UFT DIPLOMADO SAIAPlagio por Internet -UFT DIPLOMADO SAIA
Plagio por Internet -UFT DIPLOMADO SAIARafael Toro
 
SharePoint 2013 App or Not to App
SharePoint 2013 App or Not to AppSharePoint 2013 App or Not to App
SharePoint 2013 App or Not to AppKenneth Maglio
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashAnkit Mehta
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to KerberosShumon Huque
 
mimikatz @ sthack
mimikatz @ sthackmimikatz @ sthack
mimikatz @ sthackBenjamin Delpy
 

Viewers also liked (15)

Approaches
ApproachesApproaches
Approaches
 
Brown_Working with Teachers Project
Brown_Working with Teachers ProjectBrown_Working with Teachers Project
Brown_Working with Teachers Project
 
Raadseltjevoormannen!1
Raadseltjevoormannen!1Raadseltjevoormannen!1
Raadseltjevoormannen!1
 
Template 3
Template 3Template 3
Template 3
 
SharePoint Saturday STL: SharePoint Powershell Admins
SharePoint Saturday STL: SharePoint Powershell AdminsSharePoint Saturday STL: SharePoint Powershell Admins
SharePoint Saturday STL: SharePoint Powershell Admins
 
William fabricio manual de sistemas sas
William fabricio manual de sistemas sasWilliam fabricio manual de sistemas sas
William fabricio manual de sistemas sas
 
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
 
Kerberos and Covert Channels
Kerberos and Covert ChannelsKerberos and Covert Channels
Kerberos and Covert Channels
 
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
 
Plagio por Internet -UFT DIPLOMADO SAIA
Plagio por Internet -UFT DIPLOMADO SAIAPlagio por Internet -UFT DIPLOMADO SAIA
Plagio por Internet -UFT DIPLOMADO SAIA
 
SharePoint 2013 App or Not to App
SharePoint 2013 App or Not to AppSharePoint 2013 App or Not to App
SharePoint 2013 App or Not to App
 
Kerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-HashKerberos, NTLM and LM-Hash
Kerberos, NTLM and LM-Hash
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
An Introduction to Kerberos
An Introduction to KerberosAn Introduction to Kerberos
An Introduction to Kerberos
 
mimikatz @ sthack
mimikatz @ sthackmimikatz @ sthack
mimikatz @ sthack
 

Similar to Kerberos: The Four Letter Word

All about Kerberos In Microsoft BI
All about Kerberos In Microsoft BIAll about Kerberos In Microsoft BI
All about Kerberos In Microsoft BIPARIKSHIT SAVJANI
 
SharePoint 2010 best practices for infrastructure deployments SharePoint Sat...
SharePoint 2010 best practices for infrastructure deployments  SharePoint Sat...SharePoint 2010 best practices for infrastructure deployments  SharePoint Sat...
SharePoint 2010 best practices for infrastructure deployments SharePoint Sat...Knowledge Cue
 
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nycJohn Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nycSharePoint Saturday NY
 
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365Microsoft TechNet - Belgium and Luxembourg
 
Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...
Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...
Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...Microsoft TechNet - Belgium and Luxembourg
 
SharePoint 2010 enterprise implementation
SharePoint 2010 enterprise implementationSharePoint 2010 enterprise implementation
SharePoint 2010 enterprise implementationNilesh Mehta
 
Sql Server 2012 Reporting-Services is Now a SharePoint Service Application
Sql Server 2012   Reporting-Services is Now a SharePoint Service ApplicationSql Server 2012   Reporting-Services is Now a SharePoint Service Application
Sql Server 2012 Reporting-Services is Now a SharePoint Service ApplicationInnoTech
 
Embedding Jaspersoft into your PHP application
Embedding Jaspersoft into your PHP applicationEmbedding Jaspersoft into your PHP application
Embedding Jaspersoft into your PHP applicationMariano Luna
 
Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...
Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...
Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...eG Innovations
 
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT ProsSharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT ProsDan Usher
 
SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...
SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...
SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...Michael Noel
 
(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica
(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica
(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnicaMicrosoft Argentina y Uruguay [Official Space]
 
Supporting architecture for office 365 spo
Supporting architecture for office 365 spoSupporting architecture for office 365 spo
Supporting architecture for office 365 spoJethro Seghers
 
QC-SharePoint Integration Guide
QC-SharePoint Integration GuideQC-SharePoint Integration Guide
QC-SharePoint Integration GuideKovair
 
Configuring SharePoint 2013 for BI scenarios
Configuring SharePoint 2013 for BI scenariosConfiguring SharePoint 2013 for BI scenarios
Configuring SharePoint 2013 for BI scenariosSPC Adriatics
 

Similar to Kerberos: The Four Letter Word (20)

All about Kerberos In Microsoft BI
All about Kerberos In Microsoft BIAll about Kerberos In Microsoft BI
All about Kerberos In Microsoft BI
 
SharePoint 2010 best practices for infrastructure deployments SharePoint Sat...
SharePoint 2010 best practices for infrastructure deployments  SharePoint Sat...SharePoint 2010 best practices for infrastructure deployments  SharePoint Sat...
SharePoint 2010 best practices for infrastructure deployments SharePoint Sat...
 
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nycJohn Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
John Burkholder: SharePoint 2010 in a multi tenant and hosted environment-nyc
 
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
How to provide AD, ADFS, DirSync in Windows Azure and hook it up with Office 365
 
Adfs azure
Adfs azureAdfs azure
Adfs azure
 
Kerberos part 1
Kerberos part 1Kerberos part 1
Kerberos part 1
 
Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...
Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...
Office 365: Planning and Automating for Hybrid Identity Scenarios in the Clou...
 
SharePoint 2010 enterprise implementation
SharePoint 2010 enterprise implementationSharePoint 2010 enterprise implementation
SharePoint 2010 enterprise implementation
 
Office 365 Identity Management options
Office 365 Identity Management options Office 365 Identity Management options
Office 365 Identity Management options
 
Sql Server 2012 Reporting-Services is Now a SharePoint Service Application
Sql Server 2012   Reporting-Services is Now a SharePoint Service ApplicationSql Server 2012   Reporting-Services is Now a SharePoint Service Application
Sql Server 2012 Reporting-Services is Now a SharePoint Service Application
 
Embedding Jaspersoft into your PHP application
Embedding Jaspersoft into your PHP applicationEmbedding Jaspersoft into your PHP application
Embedding Jaspersoft into your PHP application
 
Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...
Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...
Citrix XenApp 6.5 Performance - How To Ensure a Great End User Experience Bef...
 
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT ProsSharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
SharePoint Intersections - SP09 - Introduction to SharePoint 2013 for IT Pros
 
SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...
SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...
SharePoint 2010 High Availability and Disaster Recovery - SharePoint Connecti...
 
(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica
(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica
(28.04) MOSSCA Invita - Bienvenidos a la casa de Sharepoint - VisiĂłn tĂŠcnica
 
Supporting architecture for office 365 spo
Supporting architecture for office 365 spoSupporting architecture for office 365 spo
Supporting architecture for office 365 spo
 
QC-SharePoint Integration Guide
QC-SharePoint Integration GuideQC-SharePoint Integration Guide
QC-SharePoint Integration Guide
 
Configuring SharePoint 2013 for BI scenarios
Configuring SharePoint 2013 for BI scenariosConfiguring SharePoint 2013 for BI scenarios
Configuring SharePoint 2013 for BI scenarios
 
3 022
3 0223 022
3 022
 
SharePoint Administration
SharePoint AdministrationSharePoint Administration
SharePoint Administration
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL

Kerberos: The Four Letter Word

  • 1. Kerberos: It’s a real pain in the as… The Four Letter Word
  • 3. Ken Maglio, Microsoft Solution Architect, World Wide Technology, Inc. @kenmaglio /in/kenmaglio kenmaglio@outlook.com
  • 4. Today: walk through the configuration of Kerberos; prep for Business Intelligence (BI) solutions; SharePoint 2010 (SSRS Integrated Mode); SQL Server 2012. No demos – sorry! (like I want to set up more Kerberos environments – rly?)
  • 5. Benefits. Delegation of client credentials: pass that identity to other network services on the client's behalf; NTLM does not allow this delegation (the “double-hop” problem); claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware. Security: AES encryption, mutual authentication, support for data integrity and data privacy. Potentially better performance: less traffic to the domain controllers compared with NTLM.
  • 6. Assumptions. You know how to: install SQL Server 2012; work with Windows Server 2008 R2; work with IIS 7; work with SharePoint 2010 (central admin mainly).
  • 7. Getting started. Environment: Windows Server 2008 R2 – Active Directory – blah blah blah. SharePoint 2010 with two web applications: IntranetPortal and ReportingPortal. SQL Server 2012 RDBM for the SharePoint databases. SQL Server 2012 Analysis Services.
  • 8. DNS Records. Register a DNS A record for the web application – just don’t use CNames.
  • 9. Service Accounts. Create a service account for each web application’s IIS application pool.
  • 10. SPN Configuration. Register Service Principal Names (SPN) for the web applications on the service account created for the web application’s IIS application pool. Identify the service account used for the web application IIS application pool: {Domain Name}\{App Pool Acct}. Register the SPN on the service account:
      SetSPN -S HTTP/{Server Host Name} {Domain Name}\{App Pool Acct}
      SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}\{App Pool Acct}
    Example:
      SetSPN -S HTTP/IntranetPortal myDom12\sp10_PortalIntranet
      SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12\sp10_PortalIntranet
      SetSPN -S HTTP/ReportingPortal myDom12\sp10_PortalReporting
      SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12\sp10_PortalReporting
  • 11. Configure Managed Accounts. Enter the name and password and click OK for both of the accounts.
  • 12. Portal Creation.
  • 13. Portal Creation.
  • 14. RSS Test Page Setup. RSS feeds make a good Kerberos test of SharePoint, since SharePoint generally requires authentication to access its information, even when accessing RSS. Add 2 RSS web parts to the new TestRSS pages in the Reporting and the Intranet Portals.
  • 15. RSS Test Page Setup. The RSS feeds can be enabled from most lists or libraries. Under the List/Library tab a button can be seen for RSS Feed. This will launch a new page containing the RSS information. Copy the URL for a page on each site to be used in the next step. Each of the web parts can be edited to change the name and the RSS properties. Results:
  • 16. Web Application Configuration – Kerberos On. Click on the web application to select it and then from the ribbon click Authentication Providers. Click the Default Zone to set up our authentication. Once done click Save and close the Authentication Provider window. Repeat for the other web application.
  • 17. IIS Site Authentication. Since SharePoint sits on top of IIS, the settings for IIS authentication also need to be changed.
  • 18. Kernel-Mode Authentication. Kernel mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server web applications should have kernel mode authentication disabled on their corresponding IIS web sites. In the right panel click on Advanced Settings… Verify that in Advanced Settings the Enable Kernel-mode authentication box is NOT checked, i.e. that kernel mode authentication is disabled.
  • 19. Providers. Under Providers add Negotiate from Available Providers and move it to the first of the Enabled Providers.
  • 20. Checking RSS with Kerberos. Once Kerberos is in place in AD, SharePoint, and IIS a refresh of the RSS page will show the results we expect. One final task is needed to restrict this access: delegation.
  • 21. Delegation. To configure delegation you can use the Active Directory Users and Computers snap-in. Right-click each service account and open the properties dialog. It may seem redundant to configure delegation from a service to itself, such as the portal service account delegating to the portal service application, but this is required in scenarios where you have multiple servers running the service. This is to address the scenario where one server may need to delegate to another server running the same service; for instance a WFE processing a request with an RSS viewer which uses the local web application as the data source. Note that when you return to the delegation dialog you do not actually see all the SPNs selected. To see all SPNs, check the Expanded check box in the lower left hand corner. This restriction will allow SharePoint to only delegate its credentials to the other user or computer. Perform these steps for each service account in your environment that requires delegation. (Shortcut? NO!!!)
  • 22. Configure DNS. Configure DNS for the SQL Server in your environment. In this example we have one SQL Server, dcSQL12.myDom12.local, running on port 1433 at IP 10.0.0.4. The SQL Server database engine is running on the default instance.
  • 23. SPN for SQL. For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server database engine use the following format for configurations that are using the default instance and not a SQL Server named instance: MSSQLSvc/<FQDN>:port
    Default instance:
      SetSPN -S MSSQLSVC/{Host Server Name} {Domain Name}\{Sql Svc Acct}
      SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN} {Domain Name}\{Sql Svc Acct}
      SetSPN -S MSSQLSVC/{Host Server Name}:1433 {Domain Name}\{Sql Svc Acct}
      SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:1433 {Domain Name}\{Sql Svc Acct}
    Named instance:
      SetSPN -S MSSQLSVC/{Host Server Name}:{Instance Name} {Domain Name}\{Sql Svc Acct}
      SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:{Instance Name} {Domain Name}\{Sql Svc Acct}
    In our example, we configured the SQL Server SPN on the SQL Server database engine service account (myDom12\SQL12_Engine) with the following SetSPN commands:
      SetSPN -S MSSQLSVC/dcSQL12 myDom12\SQL12_Engine
      SetSPN -S MSSQLSVC/dcSQL12.myDom12.local myDom12\SQL12_Engine
      SetSPN -S MSSQLSVC/dcSQL12:1433 myDom12\SQL12_Engine
      SetSPN -S MSSQLSVC/dcSQL12.myDom12.local:1433 myDom12\SQL12_Engine
  • 24. SQL Server named instances. If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server Browser service. See the following articles for more information about configuring Kerberos authentication for named instances: Registering a Service Principal Name, http://go.microsoft.com/fwlink/?LinkID=196796; An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005, http://go.microsoft.com/fwlink/?LinkId=196799
  • 25. Verify SQL Server Kerberos configuration. Reboot the computers that are running SharePoint Server. This action restarts all services and forces them to re-connect and re-authenticate by using Kerberos authentication. Open SQL Server Management Studio and run the following query from a server other than the SQL Server, since SQL Server would not need Kerberos to validate itself on the same server:
      SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
  • 26. Verify SQL Server Kerberos configuration. Additionally you can get more information. If Kerberos authentication is configured correctly, you see Kerberos in the auth_scheme column of the query results.
  • 27. Create a test SQL Server DB and test table. To test delegation across the various SharePoint Server service applications covered in the scenarios, you have to configure a test data source for those services to access. In the final step of this scenario, you configure a test database called "KerbTest" and a test table called "Sales" to be used later. In SQL Server Management Studio, create a new database called "KerbTest". Keep the default settings when creating this database.
      CREATE TABLE [dbo].[Sales](
        [RowID] [int] IDENTITY(1,1) NOT NULL,
        [Region] [nvarchar](10) NOT NULL,
        [Year] [nvarchar](40) NOT NULL,
        [Amount] [money] NOT NULL
      ) ON [PRIMARY]
      GO
    Save the table with the name "Sales" and populate it with data.
  • 28. Setup Analysis Services. Just like the standard RDBM setup, we will need to configure DNS for Analysis Services, and of course install Analysis Services. I’ll spare the additional screen shots and walkthroughs – hoping you know how to install Analysis Services and set up DNS to point to your instance. The first step we’ll need to ensure is done is configuring Active Directory for the SPNs used by the Analysis Services instance.
  • 29. SSAS SPNs. For SQL Server Analysis Services to authenticate clients by using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running Analysis Services. The SPN for a default Analysis Services instance uses the following format: MSOLAPSvc.3/{FQDN}. So for a single Analysis Services data source the format would be:
      SetSPN -S MSOLAPSvc.3/{Server Host Name} {Domain Name}\{SQL Svc Acct}
      SetSPN -S MSOLAPSvc.3/{Server Host Name}.{FQDN} {Domain Name}\{SQL Svc Acct}
    We will configure Analysis Services using the default SQL instance, so the SPN on the Analysis Services service account (myDom12\SQL12_SSAS) will require the following SetSPN commands:
      SetSPN -S MSOLAPSvc.3/dcSQL12 myDom12\SQL12_SSAS
      SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local myDom12\SQL12_SSAS
    To confirm this:
      SetSPN -L myDom12\SQL12_SSAS
  • 30. SSAS Named Instances. If the data source uses a named instance of Analysis Services, you cannot specify a port after the colon. If you do, it is interpreted as part of the host name or domain name. Instead, you must use the actual instance name for all functionality to work correctly: MSOLAPSvc.3/{FQDN}:{Instance Name}. For a named Analysis Services instance (here the instance is SSAS), the SPN on the Analysis Services service account for that instance (myDom12\SQL12_SSAS_AnlSvc) will require the following SetSPN commands:
      SetSPN -S MSOLAPSvc.3/dcSQL12:SSAS myDom12\SQL12_SSAS_AnlSvc
      SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local:SSAS myDom12\SQL12_SSAS_AnlSvc
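The SPN registrations of slides 10, 23 and 29 as one added PowerShell script (not the deck's own code). It uses only setspn.exe switches that ship with Windows Server 2008 R2 (-Q, -S, -L, -X) and assumes the domain, host and account names from the slides; the point it adds is a duplicate check before every registration, since a duplicate SPN makes clients fall back to NTLM without any error.

```powershell
# Added example, not from the deck. Registers the slide deck's SPN set with setspn.exe
# and refuses to add any SPN that is already registered on some other account.
# Assumptions (from the slides): domain myDom12 / myDom12.local, hosts IntranetPortal,
# ReportingPortal and dcSQL12, and the service accounts named below.

$Domain    = 'myDom12'
$DnsSuffix = 'myDom12.local'

# One entry per service: service class, host, optional ":port" or ":instance" suffix, account.
$SpnPlan = @(
    @{ Class = 'HTTP';        Host = 'IntranetPortal';  Suffix = '';      Account = 'sp10_PortalIntranet' },
    @{ Class = 'HTTP';        Host = 'ReportingPortal'; Suffix = '';      Account = 'sp10_PortalReporting' },
    @{ Class = 'MSSQLSvc';    Host = 'dcSQL12';         Suffix = '';      Account = 'SQL12_Engine' },
    @{ Class = 'MSSQLSvc';    Host = 'dcSQL12';         Suffix = ':1433'; Account = 'SQL12_Engine' },
    @{ Class = 'MSOLAPSvc.3'; Host = 'dcSQL12';         Suffix = '';      Account = 'SQL12_SSAS' }
)

function Get-SpnPair {
    # Both forms the deck registers for every service: short host name and FQDN.
    param([string]$Class, [string]$HostName, [string]$Suffix)
    @(
        ('{0}/{1}{2}'    -f $Class, $HostName, $Suffix),
        ('{0}/{1}.{2}{3}' -f $Class, $HostName, $DnsSuffix, $Suffix)
    )
}

function Test-SpnRegistered {
    # setspn -Q searches the whole forest and prints "Existing SPN found!" on a hit.
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    return [bool]($out -match 'Existing SPN found')
}

foreach ($entry in $SpnPlan) {
    $account = '{0}\{1}' -f $Domain, $entry.Account
    foreach ($spn in (Get-SpnPair $entry.Class $entry.Host $entry.Suffix)) {
        if (Test-SpnRegistered $spn) {
            # -S would refuse the duplicate anyway; this just names the conflict clearly.
            Write-Warning "$spn is already registered; resolve it with 'setspn -Q $spn' first"
            continue
        }
        & setspn.exe -S $spn $account
    }
}

# Sanity checks: what each account now holds, then a forest-wide duplicate scan.
$accounts = $SpnPlan | ForEach-Object { $_.Account } | Sort-Object -Unique
foreach ($acct in $accounts) {
    & setspn.exe -L ('{0}\{1}' -f $Domain, $acct)
}
& setspn.exe -X
```

Run it from an elevated prompt with an account that can write servicePrincipalName on the service accounts; setspn -X at the end should report no duplicates.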
  • 31. Verify SSAS Kerberos configuration. Once the SPN is configured, verify the Kerberos connection to the cluster by using Excel 2010. Open Excel 2010 on the client computer using a domain account that has access to at least one database in the Analysis Services instance and open a data connection to your Analysis Services instance by selecting the Data tab, clicking From Other Sources, and then clicking From Analysis Services.
  • 32. Verify SSAS Kerberos configuration. In the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next.
  • 33. Verify SSAS Kerberos configuration. On the SQL Server, dcSQL12, check the Windows Security log for an entry that indicates the access was made using Kerberos.
  • 34. Claims to Windows Token Service (C2WTS). The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claims tokens to Windows tokens. As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally, you should configure the service account’s permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).
  • 35. C2WTS service account. Create a service account in Active Directory to run the service under. In this example we created myDom12\SP10_svcC2WTS. Permissions for the account: next, configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on.
  • 36. Local Security Policy for the Account. In Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment give the service account the following permissions:
  • 37. Central Administration. From Central Administration click on the link to Security. Under Security | Configure Managed Service Accounts click on Configure Managed Accounts and register a managed account for the C2WTS service account. Then go back to Security | Configure Service Accounts and change the managed account for the Claims to Windows Token Service to use the newly created C2WTS managed account.
  • 38. Central Administration. Under Application Management | Service Applications click on Manage services on server. Verify that you are on the correct server by making any needed change to the server selection box in the upper right hand corner; select the server(s) running Excel Services. Find the Claims to Windows Token Service and start it. If it is already running it will need to be restarted, and the corresponding Windows service will need to be restarted.
  • 39. Windows Service for C2WTS. There is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround is to configure a service dependency on the Cryptographic Services service. Open a Command Prompt window and enter:
      sc config "c2wts" depend= CryptSvc
    Find the Claims to Windows Token Service in the services console. Open the properties for the service and click on the Dependencies tab. Make sure Cryptographic Services is listed.
  • 40. Windows Service for C2WTS. Restart the C2WTS from the services console. In addition, if you experience issues with the C2WTS after restarting the service it may also be required to reset the IIS application pools that communicate with the C2WTS. This completes the transition of the C2WTS from using a local account to a domain account, and once it is using a domain account an SPN can be assigned.
  • 41. SPN for C2WTS. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment.
      SetSPN -S {Arbitrary Protocol}/{Arbitrary Name} {Domain Name}\{C2WTS Svc Acct}
    In our example we registered SP10C2WTS/C2WTSsvc on myDom12\SP10_svcC2WTS using the following command:
      SetSPN -S SP10C2WTS/C2WTSsvc myDom12\SP10_svcC2WTS
  • 42. Reporting Services. Authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 will convert the Windows authentication token into a claims token using the local Security Token Service (STS). The SQL Reporting Services service application will accept the claims token and convert it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Foundation (WIF). The SQL Reporting Services service application will then use the client’s Kerberos ticket to authenticate with the back-end data source.
  • 43. SQL Reporting Services service account. As a best practice, SQL Reporting Services should run under its own domain identity. To configure the SQL Reporting Services service application, an Active Directory account must be created. In this example, the following accounts were created:
  • 44. SPNs. SPN format:
      SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account}
    SQL Reporting Services SPN configuration:
      SetSPN -S spSSRSSvc/ReportingPortal myDom12\sp10_svcSSRS12
      SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\sp10_svcSSRS12
  • 45. Verify SPNs. To verify that the SPN for a data source service account exists, run the following SetSPN command. Format:
      SetSPN -L {Domain Name}\{Service Account}
    SQL Reporting Services account:
      SetSPN -L myDom12\SP10_SvcSSRS12
    (we did these prior to now) Data source account:
      SetSPN -L myDom12\SQL12_Engine
    C2WTS account:
      SetSPN -L myDom12\SP10_SvcC2WTS
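The auth_scheme check of slides 25 and 26, widened into an added PowerShell example (not the deck's own code) that runs from a SharePoint server and lists every open SQL connection with its authentication scheme, so an NTLM fallback from any farm account shows up, not just the one @@spid row. It assumes the SQL host dcSQL12.myDom12.local from the slides and that the caller holds VIEW SERVER STATE; it uses System.Data.SqlClient so no SQL PowerShell module is needed.

```powershell
# Added example, not from the deck. Lists who is connected to the SQL Server and how
# they authenticated; KERBEROS is the expected value for every remote farm connection.
# Assumptions: host name from the slides, caller has VIEW SERVER STATE, run from a
# server OTHER than the SQL Server (local connections use shared memory and never
# exercise Kerberos, which is the caveat slide 25 makes).

$SqlServer = 'dcSQL12.myDom12.local'   # assumed from the deck

$Query = @"
SELECT c.session_id, s.login_name, s.host_name, s.program_name,
       c.auth_scheme, c.net_transport, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'   -- local connections never need Kerberos
ORDER BY c.auth_scheme, s.host_name;
"@

function Get-SqlConnectionAuth {
    # Runs the DMV query with the caller's Windows identity and returns a DataTable.
    param([string]$Server, [string]$Sql)
    $cs   = "Server=$Server;Database=master;Integrated Security=SSPI;"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table
    } finally {
        $conn.Close()
    }
}

$rows = Get-SqlConnectionAuth -Server $SqlServer -Sql $Query
$rows | Format-Table -AutoSize

# Any NTLM row from a farm server means that client could not get a ticket for the
# MSSQLSvc SPN: a missing or duplicate SPN, or a wrong service account, is the usual cause.
$ntlm = @($rows | Where-Object { $_.auth_scheme -eq 'NTLM' })
if ($ntlm.Count -gt 0) {
    $logins = ($ntlm | ForEach-Object { $_.login_name } | Sort-Object -Unique) -join ', '
    Write-Warning ("{0} connection(s) fell back to NTLM; check the SPNs for: {1}" -f $ntlm.Count, $logins)
} else {
    Write-Host "No NTLM connections; Kerberos is in use for all remote sessions."
}
```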
  • 46. Delegation. To allow SQL Reporting Services to delegate the client’s identity, Kerberos constrained delegation must be configured. It is required to configure constrained delegation with protocol transition for the conversion of the claims token to a Windows token via the WIF C2WTS. Each server running SQL Reporting Services must be trusted to delegate credentials to each back-end service SQL Reporting Services will authenticate with. In addition, the SQL Reporting Services service account must also be configured to allow delegation to the same back-end services.
    Principal Type | Principal Name | Delegates To Service
      User | myDom12\SP10_SvcSSRS12 | MSSQLSVC/dcSQL12.myDom12.local:1433
      User | myDom12\SP10_SvcC2WTS | MSSQLSVC/dcSQL12.myDom12.local:1433
  • 47. SSRS Constrained Delegation. To configure constrained delegation from SQL Reporting Services to the data source follow these steps. 1. Open the Active Directory object’s properties in Active Directory Users and Computers. 2. Navigate to the Delegation tab. 3. Select Trust this user for delegation to specified services only. 4. Select Use any authentication protocol. This enables protocol transition and is required for the service account to use the C2WTS. 5. Click the Add button to select the service principal allowed to delegate to. 6. Select Users or Computers. 7. Enter the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine. 8. Click OK. 9. Select the services for the SQL Server data source. 10. Click OK. 11. You should now see the selected SPNs in the "services to which this account can present delegated credentials" list. 12. Clicking Expanded will show both the short and long form of the SPNs entered for the data source. 13. Click OK.
  • 48. C2WTS Constrained Delegation. To configure constrained delegation from C2WTS to the data source, follow the same procedure you just did for SSRS constrained delegation, resulting in the following when done. In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine.
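The Delegation-tab steps of slides 46 to 48, as an added PowerShell example (not the deck's own code) using the RSAT ActiveDirectory module so the setting can be applied to both accounts identically and read back for audit. It assumes the account names and the MSSQLSvc SPNs from the slides and a domain-joined server with the module installed.

```powershell
# Added example, not from the deck. Configures constrained delegation with protocol
# transition for the SSRS and C2WTS service accounts and reads the result back.
# Assumptions (from the slides): accounts SP10_SvcSSRS12 and SP10_SvcC2WTS in myDom12,
# back-end SQL SPNs on dcSQL12 port 1433. Requires the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

# The GUI's "Expanded" view shows both the short and the FQDN form (slide 47, step 12);
# both are written explicitly here so no form is missing from the directory.
$SqlSpns = @(
    'MSSQLSvc/dcSQL12:1433',
    'MSSQLSvc/dcSQL12.myDom12.local:1433'
)

function Set-ConstrainedDelegation {
    param(
        [string]$SamAccountName,   # e.g. SP10_SvcSSRS12
        [string[]]$TargetSpns
    )
    # "Trust this user for delegation to specified services only" = msDS-AllowedToDelegateTo.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    # "Use any authentication protocol" = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition),
    # required because the C2WTS builds a Windows token from a claims token with no client TGT.
    Set-ADAccountControl -Identity $SamAccountName -TrustedToAuthForDelegation $true
}

function Get-DelegationReport {
    # Read back what the directory actually holds; this is what the KDC enforces.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName `
         -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation
    New-Object PSObject -Property @{
        Account             = $u.SamAccountName
        ProtocolTransition  = $u.TrustedToAuthForDelegation   # must be True
        Unconstrained       = $u.TrustedForDelegation         # must stay False
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo')
    }
}

foreach ($acct in 'SP10_SvcSSRS12', 'SP10_SvcC2WTS') {
    Set-ConstrainedDelegation -SamAccountName $acct -TargetSpns $SqlSpns
    Get-DelegationReport -SamAccountName $acct | Format-List
}
```

The Unconstrained column is the check worth keeping in a periodic audit: the accounts on these slides only ever need the "specified services only" form.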
  • 49. SharePoint: Create Managed Account.
  • 50. Reporting Services service. Start the Reporting Services service. Note: be sure that the service is NOT running on servers it should not be, as this can lead to issues with C2WTS.
  • 51. SSRS 12 Service Application. Once it has finished it will present you with a completion message and then a link to some further configuration, which will present a message letting you know if the SQL Server Agent service is running.
  • 52. SSRS 12 Service Application. In order for the service application to work as expected, certain permissions need to be assigned to the application pool account. Click the "Download Script" command to get a dynamically generated script that you must then run in the SQL instance. SQL Reporting Services needs to access the SQL Agent through an account; enter the SQL Agent account for the SharePoint SQL instance. When complete the SQL Reporting Services service application will be created.
  • 53. SSRS Service Account Permissions. A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application’s service account access to the content databases for a given web application. In this example, we will grant the SQL Reporting Services account access to the portal web application’s content database by using Windows PowerShell. Run the following commands from the SharePoint 2010 Management Shell:
      $w = Get-SPWebApplication -Identity http://ReportingPortal
      $w.GrantAccessToProcessIdentity("myDom12\SP10_svcSSRS12")
    The change can be seen in the SQL instance used for the SharePoint farm by viewing the SQL Reporting Services application pool account’s security login properties.
  • 54. Testing. Create a document library for reports. Validate site collection settings for Reporting Services.
  • 55. Testing. Create and publish a test report in SQL Server Business Intelligence Development Studio.
  • 56. Testing. Create and publish a test report in SQL Server Business Intelligence Development Studio.
  • 57. Testing. Create and publish a test report in SQL Server Business Intelligence Development Studio.
  • 58. Testing. Create and publish a test report in SQL Server Business Intelligence Development Studio. Validate in IE.
  • 59. Gotchas. Things to note: Mixed Mode Active Directory (2k3/2k8); “The Given Key Was Not Present in the Dictionary”; Delegation – no shortcuts; Rushing – don’t.
  • 60. Summary. Setting up Kerberos – slow – painful – time consuming. If you follow these steps – hopefully you’ll avoid undue pain. When in doubt call Microsoft Support – they do have a Kerberos troubleshooter they’ll have you run. Possible to run the tool in an offline mode – hopefully you read between the lines here. Don’t skip steps, don’t take shortcuts, don’t do things out of order. When all else fails, find a hard wall, pound your head against the wall, call in sick and have someone else do it. … You can always call Oakwood too … I guess.
  • 61. Please fill out the evaluation and turn it in to this session’s host. #GMSQL