3. Ken Maglio
Microsoft Solution Architect
World Wide Technology, Inc.
@kenmaglio
/in/kenmaglio
kenmaglio@outlook.com
Kerberos
4. Today:
• Walk through the configuration of Kerberos
• Prep for Business Intelligence (BI) solutions
• SharePoint 2010
• SSRS Integrated Mode
• SQL Server 2012
No Demos - Sorry!
( like I want to set up more Kerberos environments - rly? )
5. Delegation of client credentials
• pass that identity to other network services on the client's behalf
• NTLM does not allow this delegation - the "double-hop"
• Claims authentication, like Kerberos authentication, can be used to delegate
client credentials but requires the back-end application to be claims-aware
Security
• AES encryption, mutual authentication, support for data integrity and data privacy
Potentially better performance
• Less traffic to the domain controllers compared with NTLM
6. You know how to:
• install SQL Server 2012
• work with Windows Server 2008 R2
• work with IIS 7
• work with SharePoint 2010 (central admin mainly)
7. Getting started
Environment:
Windows Server 2008 R2 - Active Directory - blah blah blah
SharePoint 2010 with Two Web Applications
IntranetPortal
ReportingPortal
SQL Server 2012 RDBM for SharePoint Databases
SQL Server 2012 Analysis Services
8. DNS Records
Register a DNS A Record for the web application - just don't use CNames
9. Service Accounts
Create a service account for each web application's IIS application pool
10. SPN Configuration
Register Service Principal Names (SPN) for the web applications on the service
account created for the web application's IIS application pool
Identify the Service Accounts used for the Web Application IIS Application Pool: {Domain
Name}\{App Pool Acct}
Register the SPN on the Service Account:
SetSPN -S HTTP/{Server Host Name} {Domain Name}\{App Pool Acct}
SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}\{App Pool Acct}
Example
SetSPN -S HTTP/IntranetPortal myDom12\sp10_PortalIntranet
SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12\sp10_PortalIntranet

SetSPN -S HTTP/ReportingPortal myDom12\sp10_PortalReporting
SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12\sp10_PortalReporting
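The same registrations as a script that checks for a duplicate SPN before adding each one; this is an added example, not part of the deck, and the host names, domain suffix and app pool accounts are the deck's example values:

```powershell
# Added example (not from the deck): register both the short and the FQDN
# HTTP SPN for each web application on its IIS app pool account.
$domainSuffix = 'myDom12.local'
$webApps = @(
    @{ HostName = 'IntranetPortal';  Account = 'myDom12\sp10_PortalIntranet'  },
    @{ HostName = 'ReportingPortal'; Account = 'myDom12\sp10_PortalReporting' }
)

function Get-ExpectedHttpSpns([string]$HostName, [string]$Suffix) {
    # Both forms are needed: the client builds the SPN from whichever host
    # name it typed in the browser (short name or FQDN).
    return @("HTTP/$HostName", "HTTP/$HostName.$Suffix")
}

foreach ($app in $webApps) {
    foreach ($spn in (Get-ExpectedHttpSpns $app.HostName $domainSuffix)) {
        # setspn -Q searches the forest; a hit on another account is a duplicate
        # SPN, which breaks Kerberos silently (clients fall back to NTLM).
        $existing = setspn -Q $spn 2>&1
        if ($existing -match 'Existing SPN found') {
            Write-Warning "$spn is already registered:`n$($existing -join "`n")"
            continue
        }
        # -S also refuses to create a duplicate at registration time.
        setspn -S $spn $app.Account
    }
}

# Read back what each account now carries (the deck's later SetSPN -L check).
foreach ($app in $webApps) { setspn -L $app.Account }
```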
11. Configure Managed Accounts
Enter the Name and Password and click OK for both of the accounts
14. RSS Test Page Setup
RSS Feeds make a good Kerberos test of SharePoint, since SharePoint
generally requires authentication to access its information, even when
accessing RSS.
Add 2 RSS Web Parts to the new TestRSS pages in the Reporting and the Intranet Portals.
15. RSS Test Page Setup
The RSS Feeds can be enabled from most lists or libraries. Under the
List/Library Tab a button can be seen for RSS Feed. This will launch a
new page containing the RSS Information. Copy the URL for a page on each
site to be used in the next step.
Each of the Web parts can be edited to change the name and the RSS
properties.
Results:
16. Web Application Configuration - Kerberos On
Click on the Web Application to select it and then from the
ribbon click Authentication Providers.
Click the Default Zone to set up our authentication.
Once done click Save and close the Authentication Provider window.
Repeat for the other Web Application.
17. IIS Site Authentication
Since SharePoint sits on top of IIS, the settings for IIS Authentication also
need to be changed.
18. Kernel-Mode Authentication
Kernel mode authentication is not supported in SharePoint Server 2010. By default, all
SharePoint Server Web Applications should have Kernel Mode Authentication disabled
on their corresponding IIS web sites.
In the right panel click on Advanced Settings...
Verify that in Advanced Settings the Enable Kernel-mode authentication box is NOT checked.
Verify that Kernel mode authentication is disabled.
19. Providers
Under Providers Add Negotiate from Available Providers and move it to the first of the
Enabled Providers.
20. Checking RSS with Kerberos
Once Kerberos is in place in AD, SharePoint, and IIS a refresh of the RSS
page will show the results we expect.
One final task is needed to restrict this access: delegation.
21. Delegation
To configure delegation you can use the Active Directory Users and
Computers snap-in. Right-click each service account and open the
properties dialog.
Note that when you return to the delegation dialog you do not actually
see all the SPNs selected. To see all SPNs, check the Expanded check box
in the lower left hand corner. This restriction will allow SharePoint to
only delegate its credentials to the other User or Computer.
Perform these steps for each service account in your environment that
requires delegation.
Shortcut? NO!!!
It may seem redundant to configure delegation from a service to itself,
such as the portal service account delegating to the portal service
application, but this is required in scenarios where you have multiple
servers running the service. This is to address the scenario where one
server may need to delegate to another server running the same service;
for instance a WFE processing a request with an RSS viewer which uses
the local web application as the data source.
22. Configure DNS
Configure DNS for the SQL Server in your environment.
In this example we have one SQL Server, dcSQL12.myDom12.local, running
on port 1433 at IP 10.0.0.4. The SQL Server database engine is running on
the default instance.
23. SPN for SQL
For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal
name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server
database engine use the following format for configurations that are using the default instance and not a SQL
Server named instance.
MSSQLSvc/<FQDN>:port
Default Instance
SetSPN -S MSSQLSVC/{Host Server Name} {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN} {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}:1433 {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:1433 {Domain Name}\{Sql Svc Acct}
Named Instance
SetSPN -S MSSQLSVC/{Host Server Name}:{Instance Name} {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:{Instance Name} {Domain Name}\{Sql Svc Acct}
In our example, we configured the SQL Server SPN on the SQL Server database engine service account
(myDom12\SQL12_Engine) with the following SetSPN commands:
SetSPN -S MSSQLSVC/dcSQL12 myDom12\SQL12_Engine
SetSPN -S MSSQLSVC/dcSQL12.myDom12.local myDom12\SQL12_Engine
SetSPN -S MSSQLSVC/dcSQL12:1433 myDom12\SQL12_Engine
SetSPN -S MSSQLSVC/dcSQL12.myDom12.local:1433 myDom12\SQL12_Engine
24. SQL Server named instances
If you use SQL Server named instances instead of the default instance, you
have to register SPNs specific to the SQL Server instance and for the SQL
Server Browser service. See the following articles for more information about
configuring Kerberos authentication for named instances:
Registering a Service Principal Name
http://go.microsoft.com/fwlink/?LinkID=196796
An SPN for the SQL Server Browser service is required when you establish a
connection to a named instance of SQL Server 2005 Analysis Services or of
SQL Server 2005
http://go.microsoft.com/fwlink/?LinkId=196799
25. Verify SQL Server Kerberos configuration
Reboot the computers that are running SharePoint Server.
This action restarts all services and forces them to re-connect and
re-authenticate by using Kerberos authentication.
Open SQL Server Management Studio and run the following queries from a
server other than the SQL server, since a connection on the SQL server itself
would not need Kerberos to validate.
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ;
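The same check scripted so it can be run from any SharePoint server and fail loudly; this is an added example, not from the deck, using the deck's SQL host name and assuming the caller's domain account can log in to the instance:

```powershell
# Added example (not from the deck): open an integrated-security connection
# and read back auth_scheme for our own session. Run this from a server
# other than the SQL host, as the deck says.
$sqlServer = 'dcSQL12.myDom12.local'

function Get-SqlAuthScheme([string]$ServerName) {
    # Integrated Security makes the client request a ticket for
    # MSSQLSvc/<fqdn>:1433. If that SPN is missing or duplicated, Windows
    # quietly falls back to NTLM and auth_scheme reports NTLM, not KERBEROS.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$ServerName;Database=master;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid'
        return [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

$scheme = Get-SqlAuthScheme $sqlServer
if ($scheme -ne 'KERBEROS') {
    # klist shows the service tickets this logon session holds: no MSSQLSvc
    # ticket points at the SPN, a present ticket points at delegation.
    Write-Warning "auth_scheme is '$scheme' (expected KERBEROS). Current tickets:"
    klist
    exit 1
}
Write-Output "Kerberos authentication to $sqlServer confirmed."
```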
26. Verify SQL Server Kerberos configuration
Additionally you can get more information:
If Kerberos authentication is configured correctly, you will see
Kerberos in the auth_scheme column of the query results.
27. Create a test SQL Server DB and test table
To test delegation across the various SharePoint Server service applications
covered in the scenarios, you have to configure a test data source for those
services to access. In the final step of this scenario, you configure a test
database called "KerbTest" and a test table called "Sales" to be used later.
In SQL Server Management Studio, create a new database called "KerbTest".
Keep the default settings when creating this database.
CREATE TABLE [dbo].[Sales](
    [RowID] [int] IDENTITY(1,1) NOT NULL,
    [Region] [nvarchar](10) NOT NULL,
    [Year] [nvarchar](40) NOT NULL,
    [Amount] [money] NOT NULL
) ON [PRIMARY]
GO
Save the table with the name "Sales" and populate it with data.
28. Setup Analysis Services
Just like the standard RDBM setup, we will need to configure DNS for Analysis
Services, and of course install Analysis Services.
I'll spare the additional screen shots and walkthroughs - hoping you know how
to install Analysis Services, and set up DNS to point to your instance.
The first step we'll need to ensure is done is configuring Active Directory for
the SPNs used by the Analysis Services instance.
29. SSAS SPNs
For SQL Server Analysis Services to authenticate clients by using Kerberos authentication,
you have to register a service principal name (SPN) on the service account that is running
SQL Server Analysis Services. The SPN for a default Analysis Services instance uses the following format:
MSOLAPSvc.3/{FQDN}
So for a single Analysis Services Data Source the format would be:
SetSPN -S MSOLAPSvc.3/{Server Host Name} {Domain Name}\{SQL Svc Acct}
SetSPN -S MSOLAPSvc.3/{Server Host Name}.{FQDN} {Domain Name}\{SQL Svc Acct}
We will configure Analysis Services using the default SQL instance, so the SPN on the
Analysis Services service account (myDom12\SQL12_SSAS) will require the following
SetSPN commands:
SetSPN -S MSOLAPSvc.3/dcSQL12 myDom12\SQL12_SSAS
SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local myDom12\SQL12_SSAS
To confirm this:
SetSPN -L myDom12\SQL12_SSAS
30. SSAS Named Instances
If the data source uses a named instance of Analysis Services, you cannot
specify a port after the colon. If you do, it is interpreted as part of the
hostname or domain name. Instead, you must use the actual instance name
for all functionality to work correctly.
MSOLAPSvc.3/{FQDN}:{Instance Name}
When Analysis Services is configured as a named instance, the SPN on the
Analysis Services service account for that instance
(myDom12\SQL12_SSAS_AnlSvc) will require the following SetSPN commands:
SetSPN -S MSOLAPSvc.3/dcSQL12:SSAS myDom12\SQL12_SSAS_AnlSvc
SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local:SSAS myDom12\SQL12_SSAS_AnlSvc
31. Verify SSAS Kerberos configuration
Once the SPN is configured, verify the Kerberos connection to the cluster by
using Excel 2010.
Open Excel 2010 on the client computer using a domain account that has
access to at least one database in the Analysis Services instance and open a
data connection to your Analysis Services instance by selecting the Data tab,
clicking From Other Sources, and then clicking From Analysis Services.
Open Excel and click on the Data tab.
From the From Other Sources drop-down select From Analysis Services.
32. Verify SSAS Kerberos configuration
In the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next.
33. Verify SSAS Kerberos configuration
On the SQL Server, dcSQL12, check the Windows Security Log for an entry that
indicates the access was made using Kerberos.
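One way to pull those entries out of the Security log on dcSQL12 instead of scrolling through Event Viewer; this is an added example, not from the deck, and the test user name and time window are assumptions to adjust to the account used for the Excel connection:

```powershell
# Added example (not from the deck): list the successful network logons for the
# test user and show which authentication package each one used.
$testUser = 'testuser'                 # assumption: the domain user who opened Excel
$since    = (Get-Date).AddMinutes(-30) # assumption: the test was run recently

function Get-TestLogons([string]$UserName, [datetime]$Since) {
    # Event 4624 = successful logon. Logon Type 3 (network) is what a remote
    # Excel client produces; the Authentication Package line separates
    # Kerberos from NTLM. The "Account Name" regex matches the New Logon
    # section because the Subject section names the computer, not the user.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        Where-Object {
            $_.Message -match "Account Name:\s+$UserName\b" -and
            $_.Message -match 'Logon Type:\s+3\b'
        } |
        ForEach-Object {
            $pkg = if ($_.Message -match 'Authentication Package:\s+(\S+)') { $Matches[1] } else { 'unknown' }
            $src = if ($_.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '' }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Package = $pkg; Source = $src }
        }
}

$logons = Get-TestLogons $testUser $since
$logons | Format-Table Time, Package, Source -AutoSize
# Any NTLM row means the client could not find the MSOLAPSvc.3 SPN and fell back.
if ($logons | Where-Object { $_.Package -ne 'Kerberos' }) {
    Write-Warning 'NTLM logons present: re-check the MSOLAPSvc.3 SPNs with SetSPN -L.'
}
```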
34. Claims to Windows Token Service (C2WTS)
The Claims to Windows Token Service (C2WTS) is a component of the Windows
Identity Foundation (WIF) which is responsible for converting user claim tokens to
Windows tokens.
As a best practice you should run the C2WTS using a dedicated service account and
not as Local System (the default configuration). The C2WTS service account requires
special local permissions on each server the service runs on, so be sure to configure
these permissions each time the service is started on a server. Optimally, you should
configure the service account's permissions on the local server before starting the
C2WTS, but if done after the fact you can restart the C2WTS from the Windows
services management console (services.msc).
35. DNS
Create a service account in Active Directory to run the service under.
In this example we created myDom12\SP10_svcC2WTS.
Permission for the Account
Next, configure the required local server permissions that the C2WTS requires.
You will need to configure these permissions on each server the C2WTS runs on.
36. Local Security Policy for the Account
In Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment
give the service account the following permissions:
37. Central Administration
From Central Administration click on the link to Security
Under Security | Configure Managed Service Accounts click on Configure managed
Accounts
Register managed account for C2WTS service account =>
Go back to Security | Configure Service Accounts
Change the managed account for the Claims to Windows Token Service to use the
newly created C2WTS Managed Account.
38. Central Administration
Under Services, select Application Management | Service Applications and click on
Manage services on server.
Verify that you are on the correct server by making any needed change to the server
selection box in the upper right hand corner; select the server(s) running Excel Services.
Find the Claims to Windows Token Service and start it. If it is already running it will need to
be restarted, and the corresponding Windows Service will need to be restarted.
39. Windows Service for C2WTS
There is a known issue with the C2WTS where it may not automatically start up
successfully on system reboot. A workaround to the issue is to configure a service
dependency on the Cryptographic Services service.
Open the Command Prompt window and enter:
sc config "c2wts" depend= CryptSvc
Find the Claims to Windows Token Service in the services console.
Open the properties for the service and click on the Dependencies tab.
Make sure Cryptographic Services is listed.
40. Windows Service for C2WTS
Restart the C2WTS from the services console.
In addition, if you experience issues with the C2WTS after restarting the service it may
also be required to reset the IIS application pools that communicate with the C2WTS.
This will complete the transition of the C2WTS from using a local account to a domain
account. And once it is using a domain account an SPN can be assigned.
41. SPN for C2WTS
Add an arbitrary Service Principal Name (SPN) to the service account to expose the
delegation options for this account in Active Directory Users and Computers. The SPN
can be any format because we do not authenticate to the C2WTS using Kerberos
authentication. It is recommended to not use an HTTP SPN to avoid potentially creating
duplicate SPNs in your environment.
SetSPN -S {Arbitrary Protocol}/{Arbitrary Name} {Domain Name}\{C2WTS Svc Acct}
In our example we registered SP10C2WTS/C2WTSsvc to
myDom12\SP10_svcC2WTS using the following command:
SetSPN -S SP10C2WTS/C2WTSsvc myDom12\SP10_svcC2WTS
42. REPORTING SERVICES
Authentication in this scenario begins with the client authenticating with Kerberos
authentication at the web front end. SharePoint Server 2010 will convert the Windows
authentication token into a claims token using the local Security Token Service (STS).
The SQL Reporting service application will accept the claims token and convert it into a
Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS)
that is a part of Windows Identity Foundation (WIF). The SQL Reporting Services
service application will then use the client's Kerberos ticket to authenticate with the
backend data source.
43. SQL Reporting Services service account
As a best practice, SQL Reporting Services should run under its own domain identity.
To configure the SQL Reporting Service Application, an Active Directory account must
be created. In this example, the following accounts were created:
44. SPNs
SPN Format
SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account}
SQL Reporting Services SPN Configuration
SetSPN -S spSSRSSvc/ReportingPortal myDom12\sp10_svcSSRS12
SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\sp10_svcSSRS12
45. VERIFY SPNS
Verification of SPNs
To verify that the SPN for a data source service account exists, run the following SetSPN
command. Format: SetSPN -L {Domain Name}\{Service Account}
SQL Reporting Service Account
SetSPN -L myDom12\SP10_SvcSSRS12
---- we did these prior to now ----
Data Source Account
SetSPN -L myDom12\SQL12_Engine
C2WTS Account
SetSPN -L myDom12\SP10_SvcC2WTS
46. Delegation
To allow SQL Reporting Services to delegate the client's identity, Kerberos constrained
delegation must be configured. It is required to configure constrained delegation with
protocol transition for the conversion of the claims token to a Windows token via the WIF
C2WTS.
Each server running SQL Reporting Services must be trusted to delegate credentials to
each back-end service SQL Reporting will authenticate with. In addition, the SQL
Reporting Services service account must also be configured to allow delegation to the
same back-end services.
Principal Type   Principal Name           Delegates To Service
User             myDom12\SP10_SvcSSRS12   MSSQLSVC/dcSQL12.myDom12.local:1433
User             myDom12\SP10_SvcC2WTS    MSSQLSVC/dcSQL12.myDom12.local:1433
47. SSRS Constrained Delegation
To configure constrained delegation from SQL Reporting Services to the Data Source
follow these steps.
1. Open the Active Directory object's properties in Active Directory Users and
Computers.
2. Navigate to the Delegation tab.
3. Select Trust this user for delegation to specified services only.
4. Select Use any authentication protocol. This enables protocol transition and is
required for the service account to use the C2WTS.
5. Click the Add button to select the service principal allowed to delegate to.
6. Select Users and Computers.
7. Enter the service account running the service you wish to delegate to. In this
example it is the service account for the SQL Server service:
myDom12\SQL12_Engine
8. Click OK.
9. Select the services for the SQL Server data source.
10. Click OK.
11. You should now see the selected SPNs in the "services to which this account can
present delegated credentials" list.
12. Clicking Expanded will show both the short and long form of the SPNs entered for
the data source.
13. Click OK.
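The same Delegation-tab settings applied and read back with the ActiveDirectory module, for both the SSRS and the C2WTS account (this covers the C2WTS step on the next slide too); this is an added example, not from the deck, using the deck's account and SPN values and assuming the caller may edit those accounts:

```powershell
# Added example (not from the deck): constrained delegation with protocol
# transition from the SSRS and C2WTS service accounts to the SQL data source.
Import-Module ActiveDirectory

# Both the short and the FQDN form, which is what "Expanded" shows in the GUI.
$dataSourceSpns = @('MSSQLSvc/dcSQL12:1433', 'MSSQLSvc/dcSQL12.myDom12.local:1433')
$delegatingAccounts = @('SP10_svcSSRS12', 'SP10_svcC2WTS')

function Set-ConstrainedDelegation([string]$SamAccountName, [string[]]$TargetSpns) {
    # "Trust this user for delegation to specified services only" is the
    # msDS-AllowedToDelegateTo attribute. Listing only the SQL SPNs keeps the
    # account from impersonating users to any other service.
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    # "Use any authentication protocol" = protocol transition, needed because
    # C2WTS starts from a claims token rather than a Kerberos ticket.
    Set-ADAccountControl -Identity $SamAccountName -TrustedToAuthForDelegation $true
}

function Test-ConstrainedDelegation([string]$SamAccountName, [string[]]$TargetSpns) {
    $u = Get-ADUser -Identity $SamAccountName -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation
    $missing = @($TargetSpns | Where-Object { $u.'msDS-AllowedToDelegateTo' -notcontains $_ })
    # TrustedForDelegation is unconstrained delegation and must stay off: it
    # would let the account impersonate any user to any service in the domain.
    return ($missing.Count -eq 0) -and $u.TrustedToAuthForDelegation -and (-not $u.TrustedForDelegation)
}

foreach ($acct in $delegatingAccounts) {
    Set-ConstrainedDelegation $acct $dataSourceSpns
    if (Test-ConstrainedDelegation $acct $dataSourceSpns) {
        Write-Output "${acct}: constrained delegation with protocol transition OK"
    } else {
        Write-Warning "${acct}: delegation settings do not match what was requested"
    }
}
```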
48. C2WTS Constrained Delegation
To configure constrained delegation from C2WTS to the Data Source follow the same
procedure you just did for SSRS Constrained Delegation - resulting in the following
when done:
In this example it is the service account for the SQL Server service,
myDom12\SQL12_Engine.
49. SharePoint
Create Managed Account
50. Reporting Services service
Start the Reporting Services service
Note: Be sure that the service is NOT running on Servers it
should not be as this can lead to issues with C2WTS.
51. SSRS 12 Service Application
Once it has finished it will present you with a completion message and then
a link to some further configuration, which will present a message letting
you know if the SQL Server Agent service is running.
52. SSRS 12 Service Application
In order for the service application to work as expected, certain permissions
need to be assigned to the application pool account. Click the "Download
Script" command to get a dynamically generated script that you must then
run in the SQL
SQL Reporting Services needs to access the SQL Agent through an account.
Enter the SQL Agent account for the SharePoint SQL Instance.
When complete the SQL Reporting Services Service Application will be created.
53. SSRS Service Account Permissions
A required step in configuring SharePoint Server 2010 Office Web Applications
is allowing the web application's service account access to the content
databases for a given web application. In this example, we will grant the SQL
Reporting Service account access to the portal web application's content
database by using Windows PowerShell.
Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://ReportingPortal
$w.GrantAccessToProcessIdentity("myDom12\SP10_svcSSRS12")
The change can be seen in the SQL instance used for the SharePoint farm by
viewing the security login properties of the SQL Reporting Services
application pool account.
54. Testing
Create a document library for reports
Validate site collection settings for Reporting Services
55. Testing
Create and publish a test report in SQL Server Business Intelligence Development
Studio
58. Testing
Create and publish a test report in SQL Server Business Intelligence Development
Studio
Validate in IE
59. Things to note:
Mixed Mode Active Directory (2k3/2k8)
"The Given Key Was Not Present in the Dictionary"
Delegation - No Shortcuts
Rushing - Don't
60. Summary
Setting up Kerberos - Slow - Painful - Time Consuming
If you follow these steps - hopefully you'll avoid undue pain
When in doubt call Microsoft Support - they do have a Kerberos Troubleshooter they'll have you run.
Possible to run the tool in an offline mode - hopefully you read between the lines here.
Don't skip steps, don't take shortcuts, don't do things out of order.
When all else fails, find a hard wall, pound your head against the wall, call in sick and have someone else do it.
... You can always call Oakwood too ... I guess
61. Please fill out the evaluation and turn it in to this session's host.
#GMSQL