Kerberos

                        It’s a real pain in the as

 The Four Letter Word

#GMSQL
Ken Maglio
   Microsoft Solution Architect
   World Wide Technology, Inc.

   @kenmaglio
   /in/kenmaglio
   kenmaglio@outlook.com



   Bio                            Introdu
Today:
   • Walk through the configuration of Kerberos
   • Prep for Business Intelligence (BI) solutions
   • SharePoint 2010
      • SSRS Integrated Mode
   • SQL Server 2012

   No Demos – Sorry!
   ( like I want to setup more Kerberos environments – rly? )

Delegation of client credentials
   • Pass the client's identity to other network services on the client's behalf
   • NTLM does not allow this delegation – the “double-hop” problem
   • Claims authentication, like Kerberos authentication, can be used to delegate
     client credentials, but it requires the back-end application to be claims-aware

   Security
   • AES encryption, mutual authentication, support for data integrity and data privacy

   Potentially better performance
   • Less traffic to the domain controllers compared with NTLM




You know how to:

   • install SQL Server 2012
   • work with Windows Server 2008 R2
   • work with IIS 7
   • work with SharePoint 2010 (Central Administration mainly)




Getting started
   Environment:
   Windows Server 2008 R2 – Active Directory – blah blah blah

   SharePoint 2010 with two Web Applications:
   IntranetPortal
   ReportingPortal

   SQL Server 2012 RDBMS for SharePoint databases

   SQL Server 2012 Analysis Services




DNS Records
   Register a DNS A record for the web application – just don't use CNAMEs. With a
   CNAME, the Windows client builds its ticket request from the canonical host name
   rather than the alias, so the HTTP SPN you register for the alias is never requested.




Service Accounts
   Create a dedicated service account for each web application's IIS application pool.




SPN Configuration

   Register Service Principal Names (SPNs) for the web applications on the service
   account created for each web application's IIS application pool.

   Identify the service account used for the web application's IIS application pool:
   {Domain Name}\{App Pool Acct}

   Register the SPNs on the service account (-S checks for an existing duplicate
   before adding):
   SetSPN -S HTTP/{Server Host Name} {Domain Name}\{App Pool Acct}
   SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}\{App Pool Acct}

   Example
   SetSPN -S HTTP/IntranetPortal myDom12\sp10_PortalIntranet
   SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12\sp10_PortalIntranet

   SetSPN -S HTTP/ReportingPortal myDom12\sp10_PortalReporting
   SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12\sp10_PortalReporting
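As an added check that is not part of the original deck: before running SetSPN -S it pays to know which account, if any, already holds each HTTP SPN, since the same SPN on two accounts breaks Kerberos for that host. The PowerShell below was written for this page (it is not the author's code); it assumes the ActiveDirectory module from RSAT, the deck's example names, and that the service accounts live in the myDom12 domain (the domain\account form is an assumption). It queries the domain for every planned SPN and reports whether it is free, already on the intended account, or held by something else.

```powershell
# Added example for this page; assumes the ActiveDirectory PowerShell module (RSAT)
# and the deck's example names. Run as a user allowed to read Active Directory.
Import-Module ActiveDirectory

# The SPN -> service account plan from the deck (SamAccountName only; the
# myDom12 domain prefix used in the generated commands is an assumption).
$spnPlan = @(
    @{ Spn = 'HTTP/IntranetPortal';                Account = 'sp10_PortalIntranet'  },
    @{ Spn = 'HTTP/IntranetPortal.myDom12.local';  Account = 'sp10_PortalIntranet'  },
    @{ Spn = 'HTTP/ReportingPortal';               Account = 'sp10_PortalReporting' },
    @{ Spn = 'HTTP/ReportingPortal.myDom12.local'; Account = 'sp10_PortalReporting' }
)

function Get-SpnOwner {
    # Returns every AD object (user or computer) whose servicePrincipalName holds $Spn.
    # More than one result means a duplicate SPN; exactly one means it is registered.
    param([Parameter(Mandatory)][string]$Spn)
    # Escape LDAP filter metacharacters so the SPN text cannot alter the query.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties sAMAccountName |
        Select-Object -Property sAMAccountName, ObjectClass, DistinguishedName
}

function Test-SpnPlan {
    # For each planned SPN, report Free / Registered / CONFLICT so SetSPN -S is
    # only run when it is safe to do so.
    param([Parameter(Mandatory)][array]$Plan)
    foreach ($entry in $Plan) {
        $owners = @(Get-SpnOwner -Spn $entry.Spn)
        if ($owners.Count -eq 0) {
            $status = 'Free: register it'
        }
        elseif ($owners.Count -eq 1 -and $owners[0].sAMAccountName -ieq $entry.Account) {
            $status = 'Registered on intended account'
        }
        else {
            $status = 'CONFLICT: held by ' + (($owners | ForEach-Object { $_.sAMAccountName }) -join ', ')
        }
        [pscustomobject]@{
            Spn      = $entry.Spn
            Intended = $entry.Account
            Status   = $status
            Command  = "setspn -S $($entry.Spn) myDom12\$($entry.Account)"
        }
    }
}

Test-SpnPlan -Plan $spnPlan | Format-Table -AutoSize
```

Run it once before registering and again afterwards: the second run should report every SPN as registered on its intended account, and any CONFLICT line points at the object that must be cleaned up before SetSPN -S will succeed.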



Configure Managed Accounts




   Enter the name and password and click OK for both of the accounts.



Portal Creation








RSS Test Page Setup
   RSS feeds make a good Kerberos test of SharePoint, since SharePoint
   generally requires authentication to access its information, even when
   accessing RSS.

   Add 2 RSS Web Parts to the new TestRSS pages in the Reporting and the Intranet Portals.



   The RSS feeds can be enabled from most lists or libraries. Under the
   List/Library tab a button can be seen for RSS Feed. This will launch a
   new page containing the RSS information. Copy the URL for a page on each
   site to be used in the next step.

   Each of the Web Parts can be edited to change the name and the RSS
   properties.



   Results:




Web Application Configuration – Kerberos On
   Click on the Web Application to select it and then from the
   ribbon click Authentication Providers.

   Click the Default Zone to set up our authentication.

   Once done click Save and close the Authentication Provider window.
   Repeat for the other Web Application.




IIS Site Authentication
   Since SharePoint sits on top of IIS, the IIS authentication settings also
   need to be changed.




Kernel-Mode Authentication
   Kernel-mode authentication is not supported in SharePoint Server 2010, because the
   kernel decrypts the ticket with the computer account's key rather than with the
   application pool account that holds the SPN. All SharePoint Server Web Applications
   should have kernel-mode authentication disabled on their corresponding IIS web sites
   (it is disabled by default).

   In the right panel click on Advanced Settings…
   Verify that in Advanced Settings the Enable Kernel-mode authentication box is NOT checked.
   Verify that kernel-mode authentication is disabled.




Providers
    Under Providers, add Negotiate from Available Providers and move it to the top of the
    Enabled Providers list, ahead of NTLM, so that Kerberos is offered first.




Checking RSS with Kerberos
   Once Kerberos is in place in AD, SharePoint, and IIS, a refresh of the RSS
   page will show the results we expect.

   One final task is needed to restrict this access: Delegation.




Delegation
   To configure delegation you can use the Active Directory Users and
   Computers snap-in. Right-click each service account and open the
   properties dialog.

   Note that when you return to the delegation dialog you do not actually see
   all the SPNs selected. To see all SPNs, check the Expanded check box in the
   lower left hand corner. This restriction will allow SharePoint to only
   delegate its credentials to the other User or Computer.

   Perform these steps for each service account in your environment that
   requires delegation.

   Shortcut? NO!!!
   It may seem redundant to configure delegation from a service to itself, such
   as the portal service account delegating to the portal service application,
   but this is required in scenarios where you have multiple servers running the
   service. This is to address the scenario where one server may need to
   delegate to another server running the same service; for instance a WFE
   processing a request with an RSS viewer which uses the local web application
   as the data source.



Configure DNS
   Configure DNS for the SQL Server in your environment.

   In this example we have one SQL Server, dcSQL12.myDom12.local, running
   on port 1433 at IP 10.0.0.4. The SQL Server database engine is running on
   the default instance.




SPN for SQL
   For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal
   name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server
   database engine use the following format for configurations that are using the default instance and not a SQL
   Server named instance.
   MSSQLSvc/<FQDN>:port

   Default Instance
   SetSPN -S MSSQLSvc/{Host Server Name} {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSvc/{Host Server Name}.{FQDN} {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSvc/{Host Server Name}:1433 {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSvc/{Host Server Name}.{FQDN}:1433 {Domain Name}\{Sql Svc Acct}

   Named Instance
   SetSPN -S MSSQLSvc/{Host Server Name}:{Instance Name} {Domain Name}\{Sql Svc Acct}
   SetSPN -S MSSQLSvc/{Host Server Name}.{FQDN}:{Instance Name} {Domain Name}\{Sql Svc Acct}

   In our example, we configured the SQL Server SPN on the SQL Server database engine service account
   (myDom12\SQL12_Engine) with the following SetSPN commands:
   SetSPN -S MSSQLSvc/dcSQL12 myDom12\SQL12_Engine
   SetSPN -S MSSQLSvc/dcSQL12.myDom12.local myDom12\SQL12_Engine
   SetSPN -S MSSQLSvc/dcSQL12:1433 myDom12\SQL12_Engine
   SetSPN -S MSSQLSvc/dcSQL12.myDom12.local:1433 myDom12\SQL12_Engine



SQL Server named instances
   If you use SQL Server named instances instead of the default instance, you
   have to register SPNs specific to the SQL Server instance and for the SQL
   Server Browser service. See the following articles for more information about
   configuring Kerberos authentication for named instances:

   Registering a Service Principal Name
   http://go.microsoft.com/fwlink/?LinkID=196796

   An SPN for the SQL Server Browser service is required when you establish a
   connection to a named instance of SQL Server 2005 Analysis Services or of
   SQL Server 2005
   http://go.microsoft.com/fwlink/?LinkId=196799




Verify SQL Server Kerberos configuration
   Reboot the computers that are running SharePoint Server.
   This action restarts all services and forces them to re-connect and
   re-authenticate by using Kerberos authentication.

   Open SQL Server Management Studio and run the following query from a
   server other than the SQL Server, since a local connection would not need
   Kerberos to validate itself on the same server.

   SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;




   Additionally you can get more information:




   If Kerberos authentication is configured correctly, you see
   Kerberos in the auth_scheme column of the query results.
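The same check, scripted so it can be run from each SharePoint server in turn; this is an added example for this page, not the deck's own code. It runs the slide's auth_scheme query over a Windows-integrated SqlClient connection, and also reads net_transport so a shared-memory (local) connection is flagged as inconclusive, which is the slide's reason for running the query from another server. The second function is one way to get the "more information" the next slide alludes to: every user session with its login, authentication scheme and source address, so an NTLM fallback from a SharePoint server stands out. It assumes Windows PowerShell with System.Data.SqlClient available and, for the all-sessions view, that the caller holds VIEW SERVER STATE (a session can always see itself). The server name dcSQL12.myDom12.local is the deck's.

```powershell
# Added example for this page, not from the deck. Assumes Windows PowerShell with
# System.Data.SqlClient; the all-sessions query needs VIEW SERVER STATE.

function Invoke-SqlTable {
    # Small helper: run a query with Windows integrated authentication and return the rows.
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Query
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$ServerInstance;Database=master;Integrated Security=SSPI;"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $null = (New-Object System.Data.SqlClient.SqlDataAdapter $cmd).Fill($table)
        return $table
    } finally {
        $conn.Dispose()
    }
}

function Test-SqlKerberos {
    # The deck's check: auth_scheme of our own session. net_transport is read too,
    # because a 'Shared memory' connection (client on the SQL Server itself) never
    # needs Kerberos and so proves nothing about the SPN configuration.
    param([Parameter(Mandatory)][string]$ServerInstance)
    $query = @'
SELECT auth_scheme, net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID;
'@
    $row = (Invoke-SqlTable -ServerInstance $ServerInstance -Query $query).Rows[0]
    [pscustomobject]@{
        Server       = $ServerInstance
        AuthScheme   = $row.auth_scheme       # KERBEROS, NTLM or SQL
        Transport    = $row.net_transport     # TCP, Named pipe or Shared memory
        Conclusive   = ($row.net_transport -ne 'Shared memory')
        KerberosUsed = ($row.auth_scheme -eq 'KERBEROS')
    }
}

function Get-SqlSessionAuth {
    # Every user session: who, how it authenticated, and where it came from.
    param([Parameter(Mandatory)][string]$ServerInstance)
    $query = @'
SELECT s.login_name, c.auth_scheme, c.net_transport, c.client_net_address, s.host_name, s.program_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1;
'@
    Invoke-SqlTable -ServerInstance $ServerInstance -Query $query
}

# Run from a SharePoint server, not from dcSQL12 itself (deck's server name assumed).
Test-SqlKerberos -ServerInstance 'dcSQL12.myDom12.local'
Get-SqlSessionAuth -ServerInstance 'dcSQL12.myDom12.local' | Format-Table -AutoSize
```

A result of KerberosUsed = True with Conclusive = True is the pass condition; an NTLM row in the session list whose host_name is one of the SharePoint servers is the usual sign of a missing or duplicated MSSQLSvc SPN.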




Create a test SQL Server DB and test table
   To test delegation across the various SharePoint Server service applications
   covered in the scenarios, you have to configure a test data source for those
   services to access. In the final step of this scenario, you configure a test
   database called "KerbTest" and a test table called "Sales" to be used later.

   In SQL Server Management Studio, create a new database called "KerbTest".
   Keep the default settings when creating this database.

   CREATE TABLE [dbo].[Sales](
       [RowID] [int] IDENTITY(1,1) NOT NULL,
       [Region] [nvarchar](10) NOT NULL,
       [Year] [nvarchar](40) NOT NULL,
       [Amount] [money] NOT NULL
   ) ON [PRIMARY]
   GO

   Save the table with the name "Sales" and populate it with data.


Setup Analysis Services
   Just like the standard RDBMS setup, we will need to configure DNS for Analysis
   Services, and of course install Analysis Services.

   I'll spare the additional screen shots and walkthroughs – hoping you know how
   to install Analysis Services, and set up DNS to point to your instance.

   The first step we'll need to ensure is done is configuring Active Directory with
   the SPNs used by the Analysis Services instance.




SSAS SPNs
   For SQL Server Analysis Services to authenticate clients by using Kerberos authentication,
   you have to register a service principal name (SPN) on the service account that is running
   Analysis Services. The SPN for a default Analysis Services instance uses the following format:
   MSOLAPSvc.3/{FQDN}

   So for a single Analysis Services data source the format would be
   SetSPN -S MSOLAPSvc.3/{Server Host Name} {Domain Name}\{SQL Svc Acct}
   SetSPN -S MSOLAPSvc.3/{Server Host Name}.{FQDN} {Domain Name}\{SQL Svc Acct}

   We will configure Analysis Services using the default SQL instance, so the SPN on the
   Analysis Services service account (myDom12\SQL12_SSAS) will require the following
   SetSPN commands:
   SetSPN -S MSOLAPSvc.3/dcSQL12 myDom12\SQL12_SSAS
   SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local myDom12\SQL12_SSAS

   To confirm this:
   SetSPN -L myDom12\SQL12_SSAS


SSAS Named Instances
   If the data source uses a named instance of Analysis Services, you cannot
   specify a port after the colon. If you do, it is interpreted as part of the
   hostname or domain name. Instead, you must use the actual instance name
   for all functionality to work correctly.
   MSOLAPSvc.3/{FQDN}:{Instance Name}

   When we configure Analysis Services as a named instance (here "SSAS"), the SPN
   on the Analysis Services service account for that instance
   (myDom12\SQL12_SSAS_AnlSvc) will require the following SetSPN commands:
   SetSPN -S MSOLAPSvc.3/dcSQL12:SSAS myDom12\SQL12_SSAS_AnlSvc
   SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local:SSAS myDom12\SQL12_SSAS_AnlSvc
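The SPN formats on the database engine slides (default instance with and without the port, named instance) and on the two Analysis Services slides (MSOLAPSvc.3 with and without an instance name) are easy to get subtly wrong by hand, and an SPN that is missing one form breaks Kerberos for whichever client asks for that form. The PowerShell below is an added example for this page, not the deck's code: it builds the full expected SPN set for each case exactly as the slides lay it out, diffs it against the servicePrincipalName attribute of the service account, and emits the SetSPN -S lines for anything missing. It assumes the ActiveDirectory module (RSAT), the deck's host, domain and account names, and that the accounts are in the myDom12 domain; the SQL Browser SPN a named database-engine instance also needs (see the linked articles) is not built here.

```powershell
# Added example for this page, not the deck's own code. Assumes the ActiveDirectory
# PowerShell module (RSAT) and the deck's names (dcSQL12, myDom12.local, SQL12_*).
Import-Module ActiveDirectory

function Get-ExpectedSqlSpn {
    # Database engine: for the default instance the four forms host, host.fqdn,
    # host:port and host.fqdn:port; for a named instance host:instance and
    # host.fqdn:instance (the SQL Browser SPN is not built here).
    param(
        [Parameter(Mandatory)][string]$HostName,   # short name, e.g. dcSQL12
        [Parameter(Mandatory)][string]$DnsDomain,  # e.g. myDom12.local
        [string]$InstanceName,                      # omit for the default instance
        [int]$Port = 1433
    )
    $fqdn = "${HostName}.${DnsDomain}"
    if ($InstanceName) {
        @("MSSQLSvc/${HostName}:${InstanceName}", "MSSQLSvc/${fqdn}:${InstanceName}")
    } else {
        @("MSSQLSvc/$HostName", "MSSQLSvc/$fqdn", "MSSQLSvc/${HostName}:${Port}", "MSSQLSvc/${fqdn}:${Port}")
    }
}

function Get-ExpectedSsasSpn {
    # Analysis Services: MSOLAPSvc.3/host and host.fqdn; a named instance appends
    # :instance and never a port, as the slide warns.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$DnsDomain,
        [string]$InstanceName
    )
    $fqdn = "${HostName}.${DnsDomain}"
    if ($InstanceName) {
        @("MSOLAPSvc.3/${HostName}:${InstanceName}", "MSOLAPSvc.3/${fqdn}:${InstanceName}")
    } else {
        @("MSOLAPSvc.3/$HostName", "MSOLAPSvc.3/$fqdn")
    }
}

function Compare-ServiceSpn {
    # Diffs the expected SPN list against what the service account actually holds.
    # Missing entries get a ready-to-run setspn -S line; extra entries are listed
    # for review, since every extra SPN widens what this account is trusted to serve.
    param(
        [Parameter(Mandatory)][string]$Account,      # SamAccountName of the service account
        [Parameter(Mandatory)][string[]]$Expected,
        [string]$NetBiosDomain = 'myDom12'           # assumption: deck's domain
    )
    $registered = @((Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName)
    $missing = @($Expected   | Where-Object { $registered -notcontains $_ })   # SPN matching is case-insensitive
    $extra   = @($registered | Where-Object { $Expected   -notcontains $_ })
    [pscustomobject]@{
        Account  = $Account
        Missing  = $missing
        Extra    = $extra
        Commands = @($missing | ForEach-Object { "setspn -S $_ $NetBiosDomain\$Account" })
    }
}

# The deck's three accounts: default-instance engine, default SSAS, and the named SSAS instance.
Compare-ServiceSpn -Account 'SQL12_Engine'      -Expected (Get-ExpectedSqlSpn  -HostName dcSQL12 -DnsDomain myDom12.local)
Compare-ServiceSpn -Account 'SQL12_SSAS'        -Expected (Get-ExpectedSsasSpn -HostName dcSQL12 -DnsDomain myDom12.local)
Compare-ServiceSpn -Account 'SQL12_SSAS_AnlSvc' -Expected (Get-ExpectedSsasSpn -HostName dcSQL12 -DnsDomain myDom12.local -InstanceName SSAS)
```

The Commands property is what SetSPN -L on the slides lets you work out by eye; an empty Missing list for all three accounts is the state the deck's examples leave you in.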


Verify SSAS Kerberos configuration
   Once the SPN is configured, verify the Kerberos connection to the cluster by
   using Excel 2010.
   Open Excel 2010 on the client computer using a domain account that has
   access to at least one database in the Analysis Services instance and open a
   data connection to your Analysis Services instance by selecting the Data tab,
   clicking From Other Sources, and then clicking From Analysis Services.

   Open Excel and click on the Data tab.

   From the From Other Sources drop-down select From Analysis Services.



   In the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next.




   From the SQL Server, dcSQL12, check the Windows Security log for a logon entry
   (event ID 4624) that indicates the access was made using Kerberos as the
   authentication package.




Claims to Windows Token Service (C2WTS)
   The Claims to Windows Token Service (C2WTS) is a component of Windows
   Identity Foundation (WIF) which is responsible for converting user claims tokens to
   Windows tokens.

   As a best practice you should run the C2WTS using a dedicated service account and
   not as Local System (the default configuration). The C2WTS service account requires
   special local permissions on each server the service runs on, so be sure to configure
   these permissions on every server where the service is started. Optimally, you should
   configure the service account's permissions on the local server before starting the
   C2WTS, but if done after the fact you can restart the C2WTS from the Windows
   services management console (services.msc).




DNS
   Create a service account in Active Directory to run the service under.
   In this example we created myDom12\SP10_svcC2WTS.





   Permission for the Account
   Next, configure the required local server permissions that the C2WTS requires.
   You will need to configure these permissions on each server the C2WTS runs on.
Local Security Policy for the Account
   In Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment
   give the service account the following permissions:




Central Administration
   From Central Administration click on the link to Security.
   Under Security | Configure Managed Service Accounts click on Configure Managed
   Accounts.

   Register a managed account for the C2WTS service account, then
   go back to Security | Configure Service Accounts.

   Change the managed account for the Claims to Windows Token Service to use the
   newly created C2WTS managed account.




   Under Application Management | Service Applications, click on Manage
   services on server.

   Verify that you are on the correct server by making any needed change to the server
   selection box in the upper right hand corner; select the server(s) running Excel Services.

   Find the Claims to Windows Token Service and start it. If it is already running it will need to
   be restarted, and the corresponding Windows service will need to be restarted.




Windows Service for C2WTS
   There is a known issue with the C2WTS where it may not automatically start up
   successfully on system reboot. A workaround to the issue is to configure a service
   dependency on the Cryptographic Services service.

   Open the Command Prompt window and enter
   sc config "c2wts" depend= CryptSvc

   Find the Claims to Windows Token Service in the services console.

   Open the properties for the service and click on the
   Dependencies tab. Make sure Cryptographic Services is
   listed.

   Restart the C2WTS from the services console.

   In addition, if you experience issues with the C2WTS after restarting the service it may
   also be required to reset the IIS application pools that communicate with the C2WTS.

   This will complete the transition of the C2WTS from using a local account to a domain
   account. And once it is using a domain account an SPN can be assigned.
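The C2WTS slides ask for three things on every SharePoint server that runs the service: a dedicated domain account instead of Local System, the CryptSvc dependency, and a restart so the service is actually up. The PowerShell below is an added example for this page, not the deck's code; it reads those three facts for one server and reports them, which makes the per-server check the slides describe repeatable across the farm. It assumes Windows PowerShell 3.0 or later with CIM and service-control access to the target server, and the deck's account name myDom12\SP10_svcC2WTS as the expected identity.

```powershell
# Added example for this page, not the deck's code. Assumes Windows PowerShell 3.0+
# and remote CIM/service access; the expected account is the deck's example name.
function Test-C2wtsService {
    param(
        [string]$ComputerName    = $env:COMPUTERNAME,
        [string]$ExpectedAccount = 'myDom12\SP10_svcC2WTS'   # assumption: deck's service account
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'" -ComputerName $ComputerName
    if (-not $svc) { throw "Claims to Windows Token Service (c2wts) is not installed on $ComputerName" }

    # ServicesDependedOn lists the services c2wts waits for at startup; the slide's
    # 'sc config c2wts depend= CryptSvc' workaround should have put CryptSvc here.
    $dependsOn = @((Get-Service -Name c2wts -ComputerName $ComputerName).ServicesDependedOn |
                   ForEach-Object { $_.Name })
    $builtIn   = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    $fix       = if ($dependsOn -notcontains 'CryptSvc') { 'sc config c2wts depend= CryptSvc' } else { $null }

    [pscustomobject]@{
        Computer          = $ComputerName
        State             = $svc.State            # expect 'Running'
        RunsAs            = $svc.StartName        # the logon account the service is configured with
        DedicatedAccount  = ($builtIn -notcontains $svc.StartName)
        IsExpectedAccount = ($svc.StartName -ieq $ExpectedAccount)
        DependsOnCryptSvc = ($dependsOn -contains 'CryptSvc')
        Fix               = $fix
    }
}

# Check this server; pass -ComputerName to check the other SharePoint servers in the farm.
Test-C2wtsService | Format-List
```

A server that reports DedicatedAccount = False is still running the C2WTS as Local System, which is the configuration the slides tell you to move away from before an SPN can be assigned.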




SPN for C2WTS
   Add an arbitrary Service Principal Name (SPN) to the service account to expose the
   delegation options for this account in Active Directory Users and Computers. The SPN
   can be any format because we do not authenticate to the C2WTS using Kerberos
   authentication. It is recommended to not use an HTTP SPN to avoid potentially creating
   duplicate SPNs in your environment.
   SetSPN -S {Arbitrary Protocol}/{Arbitrary Name} {Domain Name}\{C2WTS Svc Acct}

   In our example we registered SP10C2WTS/C2WTSsvc to
   myDom12\SP10_svcC2WTS using the following command:
   SetSPN -S SP10C2WTS/C2WTSsvc myDom12\SP10_svcC2WTS




REPORTING SERVICES
   Authentication in this scenario begins with the client authenticating with Kerberos
   authentication at the web front end. SharePoint Server 2010 will convert the Windows
   authentication token into a claims token using the local Security Token Service (STS).
   The SQL Reporting service application will accept the claims token and convert it into a
   Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS)
   that is a part of Windows Identity Foundation (WIF). The SQL Reporting Services
   service application will then use the client's Kerberos ticket to authenticate with the
   backend data source.




SQL Reporting Services service account
   As a best practice, SQL Reporting Services should run under its own domain identity.
   To configure the SQL Reporting Service Application, an Active Directory account must
   be created. In this example, the following accounts were created:




SPNs
   SPN Format
   SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account}

   SQL Reporting Services SPN Configuration
   SetSPN -S spSSRSSvc/ReportingPortal myDom12\sp10_svcSSRS12
   SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\sp10_svcSSRS12




VERIFY SPNS
   Verification of SPNs
   To verify that the SPN for the data source service account exists, run the following SetSPN
   command. Format: SetSPN -L {Domain Name}\{Service Account}

   SQL Reporting Service Account
   SetSPN -L myDom12\SP10_SvcSSRS12

   ---- we did these prior to now ----
   Data Source Account
   SetSPN -L myDom12\SQL12_Engine

   C2WTS Account
   SetSPN -L myDom12\SP10_SvcC2WTS


Delegation
   To allow SQL Reporting Services to delegate the client's identity, Kerberos constrained
   delegation must be configured. It is required to configure constrained delegation with
   protocol transition for the conversion of the claims token to a Windows token via the WIF
   C2WTS.
   Each server running SQL Reporting Services must be trusted to delegate credentials to
   each back-end service SQL Reporting will authenticate with. In addition, the SQL
   Reporting Services service account must also be configured to allow delegation to the
   same back-end services.

   Principal Type    Principal Name            Delegates To Service
   User              myDom12\SP10_SvcSSRS12    MSSQLSVC/dcSQL12.myDom12.local:1433
   User              myDom12\SP10_SvcC2WTS     MSSQLSVC/dcSQL12.myDom12.local:1433




SSRS Constrained Delegation
   To configure constrained delegation from SQL Reporting Services to the data source
   follow these steps.
   1. Open the Active Directory object's properties in Active Directory Users and
       Computers.
   2. Navigate to the Delegation tab.
   3. Select Trust this user for delegation to specified services only.
   4. Select Use any authentication protocol. This enables protocol transition and is
       required for the service account to use the C2WTS.
   5. Click the Add button to select the service principal to allow delegation to.
   6. Select Users or Computers.
   7. Enter the service account running the service you wish to delegate to. In this
       example it is the service account for the SQL Server service:
       myDom12\SQL12_Engine
   8. Click OK.
   9. Select the services for the SQL Server data source.
   10. Click OK.
   11. You should now see the selected SPNs in the "Services to which this account can
       present delegated credentials" list.
   12. Clicking Expanded will show both the short and long form of the SPNs entered for
       the data source.
   13. Click OK.
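The thirteen clicks above write three things to the account object: the constrained target list (msDS-AllowedToDelegateTo), the protocol-transition flag behind "Use any authentication protocol", and, if someone picked the wrong radio button, the unconstrained-delegation flag. The PowerShell below is an added example for this page, not the deck's code; it reads those settings back for the two accounts in the delegation table (SSRS service account and C2WTS account) and checks them against the expected target, flagging unconstrained delegation, which would let the account act as any user toward any service, and any target that was not in the plan. It assumes the ActiveDirectory module (RSAT) and the deck's account and SPN names.

```powershell
# Added example for this page, not the deck's code. Assumes the ActiveDirectory
# PowerShell module (RSAT) and the deck's names (SP10_SvcSSRS12, SP10_SvcC2WTS, dcSQL12).
Import-Module ActiveDirectory

function Get-DelegationSetting {
    # Raw delegation state of one account, as the Delegation tab stores it.
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account            = $u.SamAccountName
        Unconstrained      = [bool]$u.TrustedForDelegation         # "Trust this user for delegation to any service"
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation   # "Use any authentication protocol"
        AllowedTo          = @($u.'msDS-AllowedToDelegateTo')       # the constrained target list
    }
}

function Test-ConstrainedDelegation {
    # Compares one account's delegation state with the targets it is supposed to have.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$ExpectedTargets,
        [bool]$NeedsProtocolTransition = $true    # C2WTS path requires it; plain Kerberos-only delegation does not
    )
    $d = Get-DelegationSetting -Identity $Identity
    $missing = @($ExpectedTargets | Where-Object { $d.AllowedTo -notcontains $_ })
    # The GUI also stores the short-name form of each SPN ("Expanded" view), so some
    # extras are normal; anything else means the target list was widened.
    $extra = @($d.AllowedTo | Where-Object { $ExpectedTargets -notcontains $_ })
    [pscustomobject]@{
        Account            = $d.Account
        Ok                 = (-not $d.Unconstrained) -and ($d.ProtocolTransition -eq $NeedsProtocolTransition) -and ($missing.Count -eq 0)
        Unconstrained      = $d.Unconstrained        # must be False
        ProtocolTransition = $d.ProtocolTransition
        MissingTargets     = $missing
        ExtraTargets       = $extra
    }
}

# The deck's delegation table: both accounts delegate to the SQL engine SPN only.
$target = 'MSSQLSvc/dcSQL12.myDom12.local:1433'
Test-ConstrainedDelegation -Identity 'SP10_SvcSSRS12' -ExpectedTargets $target
Test-ConstrainedDelegation -Identity 'SP10_SvcC2WTS'  -ExpectedTargets $target
```

Ok = True for both accounts is the end state of the two delegation slides; Unconstrained = True on either account means step 3 was skipped and the account should be moved back to "specified services only".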




C2WTS Constrained Delegation
   To configure constrained delegation from the C2WTS to the data source follow the same
   procedure you just did for SSRS Constrained Delegation – resulting in the following
   when done:

   In this example it is the service account for the SQL Server service:
   myDom12\SQL12_Engine




SharePoint
   Create Managed Account




Reporting Services service
   Start the Reporting Services service




   Note: Be sure that the service is NOT running on servers it
   should not be, as this can lead to issues with the C2WTS.


SSRS 12 Service Application
   Once it has finished it will present you with a completion message and then
   a link to some further configuration, which will present a message letting
   you know if the SQL Server Agent service is running.




   In order for the service application to work as expected, certain permissions
   need to be assigned to the application pool account. Click the "Download
   Script" command to get a dynamically generated script that you must then
   run in the SQL

   SQL Reporting Services needs to access the SQL Agent through an account. Enter the SQL
   Agent account for the SharePoint SQL instance.

   When complete the SQL Reporting Services Service Application will be created.
SSRS Service Account Permissions
   A required step in configuring SharePoint Server 2010 Office Web Applications
   is allowing the web application’s service account access to the content
   databases for a given web application. In this example, we will grant the SQL
   Reporting Service account access to the portal web application’s content
   database by using Windows PowerShell.
                      Run the following command from the SharePoint 2010 Management Shell:
                      $w = Get-SPWebApplication -Identity http://ReportingPortal
                      $w.GrantAccessToProcessIdentity("myDom12SP10_svcSSRS12")


   The change to the SQL can be seen
   in the SQL Instance used for the
   SharePoint Farm by viewing the
   SQL Reporting Services Application
   Pool account Security Login
   Properties



   SSRS                                                                                      SSRS
Testing
   Create a document library for reports

   Validate site collection settings for Reporting Services

   Create and publish a test report in SQL Server Business Intelligence
   Development Studio

   Validate in IE
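An added verification for the "Validate in IE" step (not from the deck): it reads the SQL Server's Security log to confirm that the report's data-source connection arrived as the delegated user over Kerberos rather than as the NTLM or ANONYMOUS LOGON fallback that marks a broken double hop. It assumes the deck's SQL host name dcSQL12 and uses a placeholder for the test user who opened the report.

```powershell
# Added check (not part of the original deck): after "Validate in IE", confirm on
# the SQL Server that the report's data-source connection was authenticated as the
# delegated end user over Kerberos, not as an NTLM/ANONYMOUS LOGON fallback.
# Assumes the deck's SQL host dcSQL12; the test user name is a placeholder.
function Get-ReportDataSourceLogons {
    param(
        [Parameter(Mandatory)] [string] $TestUser,   # account that opened the report in IE
        [string] $SqlServer = 'dcSQL12',             # deck's SQL Server host name
        [int]    $Minutes   = 30
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -ComputerName $SqlServer -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of
            # scraping the localized message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $d['TargetUserName']
                LogonType   = [int]$d['LogonType']             # 3 = network logon (SQL client connection)
                AuthPackage = $d['AuthenticationPackageName']   # Kerberos or NTLM
                Delegated   = $d['TransmittedServices']         # delegation chain when the logon came via delegation
                SourceIp    = $d['IpAddress']                   # narrow to the SharePoint WFE address if the log is noisy
            }
        } |
        Where-Object { $_.LogonType -eq 3 -and
                       ($_.Account -eq $TestUser -or $_.Account -eq 'ANONYMOUS LOGON') }
}

function Test-DoubleHop {
    param([Parameter(Mandatory)] [string] $TestUser, [string] $SqlServer = 'dcSQL12')
    $logons = Get-ReportDataSourceLogons -TestUser $TestUser -SqlServer $SqlServer
    # Good: the end user arrived over Kerberos (SSRS delegated the client's ticket).
    $good = @($logons | Where-Object { $_.Account -eq $TestUser -and $_.AuthPackage -eq 'Kerberos' })
    # Bad: NTLM or anonymous logons are what a failed second hop looks like.
    $bad  = @($logons | Where-Object { $_.Account -eq 'ANONYMOUS LOGON' -or $_.AuthPackage -eq 'NTLM' })
    if ($good.Count -gt 0 -and $bad.Count -eq 0) {
        $verdict = 'Kerberos delegation working end to end'
    } elseif ($good.Count -gt 0) {
        $verdict = 'Kerberos seen, but NTLM/anonymous logons too: check for duplicate SPNs and the delegation list'
    } else {
        $verdict = 'No Kerberos logon for the user: the second hop is failing'
    }
    [pscustomobject]@{
        KerberosLogonsForUser = $good.Count
        FallbackLogons        = $bad.Count
        Verdict               = $verdict
    }
}

$testUser = 'REPLACE_WITH_TEST_USER'   # placeholder: the account that ran the report in IE
Test-DoubleHop -TestUser $testUser | Format-List
```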
Things to note:

   Mixed Mode Active Directory (2k3/2k8)
   “The Given Key Was Not Present in the Dictionary”

   Delegation – No Shortcuts

   Rushing – Don’t
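An added audit for the "Delegation – No Shortcuts" gotcha (not from the deck): it reads back, with the ActiveDirectory RSAT module, the constrained-delegation settings the deck has you click through in Active Directory Users and Computers for the two accounts on the SSRS path, and flags the shortcuts. It assumes the deck's example names (SP10_SvcSSRS12, SP10_SvcC2WTS without their myDom12\ prefix, and the MSSQLSvc SPNs registered for dcSQL12).

```powershell
# Added audit (not part of the original deck): verify the constrained delegation
# configured in ADUC for the SSRS and C2WTS service accounts and flag shortcuts.
# Assumes the ActiveDirectory (RSAT) module and the deck's example names.
Import-Module ActiveDirectory

# Expected back-end targets: the SPNs the deck registers on the SQL engine
# account (dcSQL12, default instance, port 1433). ADUC writes both the short
# and the FQDN forms into msDS-AllowedToDelegateTo, so all four are allowed,
# but the FQDN:port form is the one that must be present.
$engineSpns = @(
    'MSSQLSvc/dcSQL12',
    'MSSQLSvc/dcSQL12.myDom12.local',
    'MSSQLSvc/dcSQL12:1433',
    'MSSQLSvc/dcSQL12.myDom12.local:1433'
)
$requiredSpn = 'MSSQLSvc/dcSQL12.myDom12.local:1433'

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $AllowedTargets,
        [Parameter(Mandatory)] [string]   $RequiredTarget,
        # C2WTS hands SSRS a claims token, so that hop needs protocol transition
        # ("Use any authentication protocol"); the deck sets it on both accounts.
        [bool] $RequireProtocolTransition = $true
    )
    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
             'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $acct     = Get-ADUser -Identity $SamAccountName -Properties $props
    $spns     = @($acct.servicePrincipalName)
    $targets  = @($acct.'msDS-AllowedToDelegateTo')
    $findings = New-Object System.Collections.Generic.List[string]

    # No SPN at all: ADUC never shows the Delegation tab, so nothing else can be set.
    if ($spns.Count -eq 0) {
        $findings.Add('no SPN registered on the account (Delegation tab will not appear)')
    }
    # "Trust this user for delegation to any service" is the shortcut to avoid:
    # it lets the account impersonate users to every service in the domain.
    if ($acct.TrustedForDelegation) {
        $findings.Add('UNCONSTRAINED delegation enabled; constrain it to the SQL SPNs only')
    }
    if ($RequireProtocolTransition -and -not $acct.TrustedToAuthForDelegation) {
        $findings.Add('"Use any authentication protocol" not set; the C2WTS claims-to-Kerberos hop will fail')
    }
    if ($targets -notcontains $RequiredTarget) {
        $findings.Add("missing delegation target $RequiredTarget")
    }
    foreach ($t in $targets) {
        if ($AllowedTargets -notcontains $t) {
            $findings.Add("delegation target outside the SQL engine SPN set: $t")
        }
    }

    [pscustomobject]@{
        Account  = $acct.SamAccountName
        SPNs     = $spns
        Targets  = $targets
        Findings = $findings.ToArray()
        Ok       = ($findings.Count -eq 0)
    }
}

# The two accounts in the deck's delegation table (SSRS service account and C2WTS).
$results = foreach ($name in 'SP10_SvcSSRS12', 'SP10_SvcC2WTS') {
    Test-ConstrainedDelegation -SamAccountName $name -AllowedTargets $engineSpns -RequiredTarget $requiredSpn
}
$results | Format-List Account, SPNs, Targets, Findings, Ok
```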
Summary
   Setting up Kerberos – Slow – Painful – Time Consuming

   If you follow these steps – hopefully you’ll avoid undue pain

   When in doubt call Microsoft Support – they do have a Kerberos Troubleshooter they’ll have you run.
      Possible to run the tool in an offline mode – hopefully you read between the lines here.

   Don’t skip steps, don’t take shortcuts, don’t do things out of order.

   When all else fails, find a hard wall, pound your head against the wall, call in sick and have someone else do it.

   … You can always call Oakwood too … I guess
Please fill out the evaluation and turn it in to this session’s host.
#GMSQL
Kerberos

More Related Content

PPTX
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
Michael Noel
 
PDF
Oracle OSB Tutorial 2
Rakesh Gujjarlapudi
 
PDF
Sharepoint 2007 Install Best Practice Phase 1
LiquidHub
 
PPTX
Windows Server 2008 R2 Overview
Jaguaraci Silva
 
PPTX
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
Michael Noel
 
PDF
Vmug it's all about the app
subtitle
 
PDF
Build Your Business Process On A Solid Foundation–Web Sphere Application Server
Carly Snodgrass
 
PDF
Cim smash 500_prog
Daividdi Morais
 
SPS Belgium 2012 - End to End Security for SharePoint Farms - Michael Noel
Michael Noel
 
Oracle OSB Tutorial 2
Rakesh Gujjarlapudi
 
Sharepoint 2007 Install Best Practice Phase 1
LiquidHub
 
Windows Server 2008 R2 Overview
Jaguaraci Silva
 
SEASPC 2011 - SharePoint Security in an Insecure World: Understanding the Fiv...
Michael Noel
 
Vmug it's all about the app
subtitle
 
Build Your Business Process On A Solid Foundation–Web Sphere Application Server
Carly Snodgrass
 
Cim smash 500_prog
Daividdi Morais
 

What's hot (20)

PDF
#Epicor #ERP 10 Architected for Efficiency
Index InfoTech
 
PPTX
Websphere Application Server V8.5
IBM WebSphereIndia
 
PPTX
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
Michael Noel
 
PDF
Integration of Web Service Stacks in an Esb
Wen Zhu
 
PPTX
Pivotal CRM for iPad
Aptean
 
PPTX
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
BIOVIA
 
PPTX
Kerberos part 2
Spencer Harbar
 
PDF
Load Balancing und Beschleunigung mit Citrix Net Scaler
Digicomp Academy AG
 
DOCX
Mobile crm installation & configuration details
Arbind Tiwari
 
PDF
BlazeDS
devaraj ns
 
PDF
Workshop: Integrating xen App 6 with ms app v and system center configuration...
Digicomp Academy AG
 
PPTX
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
PPT
ibm websphere admin training | websphere admin course | ibm websphere adminis...
Nancy Thomas
 
PPTX
Pivotal CRM 6.0 Administration
Aptean
 
DOCX
IBM Websphere concepts
Kuldeep Saxena
 
PDF
Cognos Technical Super Session 2012
barnaby1502
 
DOCX
IBM websphere application server types of profiles
Kuldeep Saxena
 
DOCX
Ibm web sphere application server interview questions
praveen_guda
 
PDF
Integrating with SAP FIX and HL7
WSO2
 
PPT
Websphere Application Server v7
Chris Sparshott
 
#Epicor #ERP 10 Architected for Efficiency
Index InfoTech
 
Websphere Application Server V8.5
IBM WebSphereIndia
 
SPTechCon SFO 2012 - Understanding the Five Layers of SharePoint Security
Michael Noel
 
Integration of Web Service Stacks in an Esb
Wen Zhu
 
Pivotal CRM for iPad
Aptean
 
(ATS3-GS03) Accelrys Enterprise Platform Deeper Dive
BIOVIA
 
Kerberos part 2
Spencer Harbar
 
Load Balancing und Beschleunigung mit Citrix Net Scaler
Digicomp Academy AG
 
Mobile crm installation & configuration details
Arbind Tiwari
 
BlazeDS
devaraj ns
 
Workshop: Integrating xen App 6 with ms app v and system center configuration...
Digicomp Academy AG
 
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
ibm websphere admin training | websphere admin course | ibm websphere adminis...
Nancy Thomas
 
Pivotal CRM 6.0 Administration
Aptean
 
IBM Websphere concepts
Kuldeep Saxena
 
Cognos Technical Super Session 2012
barnaby1502
 
IBM websphere application server types of profiles
Kuldeep Saxena
 
Ibm web sphere application server interview questions
praveen_guda
 
Integrating with SAP FIX and HL7
WSO2
 
Websphere Application Server v7
Chris Sparshott
 
Ad

Viewers also liked (15)

DOC
Approaches
Jabar Ainal
 
PPTX
Brown_Working with Teachers Project
Hall2b13
 
PPS
Raadseltjevoormannen!1
Richard Ikkes Den Uijl
 
DOC
Template 3
Icostyle
 
PPTX
SharePoint Saturday STL: SharePoint Powershell Admins
Kenneth Maglio
 
PDF
William fabricio manual de sistemas sas
Rafael Toro
 
PDF
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen
 
PPTX
Kerberos and Covert Channels
Raj Bhatt
 
PDF
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen
 
PDF
Plagio por Internet -UFT DIPLOMADO SAIA
Rafael Toro
 
PPTX
SharePoint 2013 App or Not to App
Kenneth Maglio
 
PPTX
Kerberos, NTLM and LM-Hash
Ankit Mehta
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
PDF
An Introduction to Kerberos
Shumon Huque
 
PPTX
mimikatz @ sthack
Benjamin Delpy
 
Approaches
Jabar Ainal
 
Brown_Working with Teachers Project
Hall2b13
 
Raadseltjevoormannen!1
Richard Ikkes Den Uijl
 
Template 3
Icostyle
 
SharePoint Saturday STL: SharePoint Powershell Admins
Kenneth Maglio
 
William fabricio manual de sistemas sas
Rafael Toro
 
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen
 
Kerberos and Covert Channels
Raj Bhatt
 
Fjulkaiseminen.com - Ilmainen, koko sivu Facebook julkaiseminen - Organisaati...
Fjulkaiseminen
 
Plagio por Internet -UFT DIPLOMADO SAIA
Rafael Toro
 
SharePoint 2013 App or Not to App
Kenneth Maglio
 
Kerberos, NTLM and LM-Hash
Ankit Mehta
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
An Introduction to Kerberos
Shumon Huque
 
mimikatz @ sthack
Benjamin Delpy
 
Ad

Similar to Kerberos: The Four Letter Word (20)

PPTX
All about Kerberos In Microsoft BI
PARIKSHIT SAVJANI
 
PPTX
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
PPTX
Kerberos part 1
Spencer Harbar
 
PDF
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
PDF
Kerberos survival guide
J.D. Wade
 
PPTX
Kerberos survival guide SPS Kansas City
J.D. Wade
 
PDF
SharePoint 2010 best practices for infrastructure deployments SharePoint Sat...
Knowledge Cue
 
PPTX
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
PPTX
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Michael Noel
 
PPTX
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
PDF
Kerberos presentation
Chris Geier
 
PPTX
Kerberos survival guide-STL 2015
J.D. Wade
 
PPTX
Kerberos Survival Guide: SharePointalooza
J.D. Wade
 
PPTX
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
PDF
SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication
Brian Culver
 
PPTX
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
PPTX
HAD05: Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
PDF
2014-05-17 SPS Baltimore - Worst Practices of SharePoint
Dan Usher
 
PPTX
SharePoint 2010 authentications
Wyngate Solutions
 
PPT
Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Joel Oleson
 
All about Kerberos In Microsoft BI
PARIKSHIT SAVJANI
 
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
Kerberos part 1
Spencer Harbar
 
Kerberos Survival Guide - St. Louis Day of .Net
J.D. Wade
 
Kerberos survival guide
J.D. Wade
 
Kerberos survival guide SPS Kansas City
J.D. Wade
 
SharePoint 2010 best practices for infrastructure deployments SharePoint Sat...
Knowledge Cue
 
Kerberos Survival Guide: SharePoint Saturday Nashville 2015
J.D. Wade
 
Security for SharePoint in an Insecure World - SharePoint Connections Amsterd...
Michael Noel
 
SEASPC 2011 - Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
Kerberos presentation
Chris Geier
 
Kerberos survival guide-STL 2015
J.D. Wade
 
Kerberos Survival Guide: SharePointalooza
J.D. Wade
 
Kerberos Survival Guide: Columbus 2015
J.D. Wade
 
SharePoint Saturday The Conference 2011 - Extranets & Claims Authentication
Brian Culver
 
Kerberos Survival Guide SPS Chicago
J.D. Wade
 
HAD05: Collaborating with Extranet Partners on SharePoint 2010
Michael Noel
 
2014-05-17 SPS Baltimore - Worst Practices of SharePoint
Dan Usher
 
SharePoint 2010 authentications
Wyngate Solutions
 
Tech Ed 2006 South East Asia Security And Compliance by Joel Oleson
Joel Oleson
 

Recently uploaded (20)

PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Doc9.....................................
SofiaCollazos
 
PDF
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
PDF
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PDF
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PPTX
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PDF
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PDF
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PDF
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
PPTX
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
PPTX
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
PDF
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Doc9.....................................
SofiaCollazos
 
Advances in Ultra High Voltage (UHV) Transmission and Distribution Systems.pdf
Nabajyoti Banik
 
Get More from Fiori Automation - What’s New, What Works, and What’s Next.pdf
Precisely
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
Presentation about Hardware and Software in Computer
snehamodhawadiya
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
Applied-Statistics-Mastering-Data-Driven-Decisions.pptx
parmaryashparmaryash
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
Data_Analytics_vs_Data_Science_vs_BI_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
Security features in Dell, HP, and Lenovo PC systems: A research-based compar...
Principled Technologies
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
NewMind AI Weekly Chronicles - July'25 - Week IV
NewMind AI
 
The-Ethical-Hackers-Imperative-Safeguarding-the-Digital-Frontier.pptx
sujalchauhan1305
 
What-is-the-World-Wide-Web -- Introduction
tonifi9488
 
Economic Impact of Data Centres to the Malaysian Economy
flintglobalapac
 

Kerberos: The Four Letter Word

  • 1. Kerberos It’s a real pain in the as The Four Letter Word Kerberos 1
  • 3. Ken Maglio Microsoft Solution Architect World Wide Technology, Inc. @kenmaglio /in/kenmaglio [email protected] Bio Introdu Kerberos 3
  • 4. Today: •Walk through the configuration of Kerberos •Prep for Business Intelligence (BI) solutions •SharePoint 2010 • SSRS Integrated Mode •SQL Server 2012 No Demos – Sorry! ( like I want to setup more Kerberos environments – rly? ) Introduction Benef Kerberos
  • 5. Delegation of client credentials •pass that identity to other network services on the client's behalf •NTLM does not allow this delegation – “double-hop” •Claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware Security •AES encryption, mutual authentication, support for data integrity and data privacy Potentially better performance •Less traffic to the domain controllers compared with NTLM Benefits Assum Kerberos
  • 6. You know how to: •install SQL Server 2012 •work with W indows Server 2008 R2 •work with IIS 7 •work with SharePoint 2010 (central admin mainly) Assumptions Kick T Kerberos
  • 7. Getting started Environment: W indows Server 2008 R2 – Active Directory – blah blah blah SharePoint 2010 with Two W Applications eb IntranetPortal ReportingPortal SQL Server 2012 RDBM for SharePoint Databases SQL Server 2012 Analysis Services Kick The Tires Share Kerberos
  • 8. DNS Records Register a DNS A Record for the web application – just don’t use CNames Active Directory Active Kerberos
  • 9. Service Accounts Create a service accounts for the web applications’ IIS application pool Active Directory Active Kerberos
  • 10. SPN Configuration Register Service Principal Names (SPN) for the web applications on the service account created for the web application’s IIS application pool Identify Service Accounts used for Web Application IIS Application Pool : {Domain Name}{App Pool Acct} Register SPN the Service Account: SetSPN -S HTTP/{Server Host Name} {Domain Name}{App Pool Acct} SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}{App Pool Acct} Example SetSPN -S HTTP/IntranetPortal myDom12sp10_PortalIntranet SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12sp10_PortalIntranet   SetSPN -S HTTP/ReportingPortal myDom12sp10_PortalReporting SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12sp10_PortalReporting Active Directory Share Kerberos
  • 11. Configure Managed Accounts Enter in the Name and Password and click OK for both of the Accounts SharePoint Configuration Share Kerberos
  • 12. Portal Creation SharePoint Configuration Share Kerberos
  • 13. Portal Creation SharePoint Configuration Share Kerberos
  • 14. RSS Test Page Setup RSS Feeds make a good Kerberos test of SharePoint, since SharePoint generally requires authentication to access its information, even when accessing RSS. Add 2 RSS Web Parts to the new TestRSS pages in the Reporting and the Intranet Portals. SharePoint Configuration Share Kerberos
  • 15. RSS Test Page Setup The RSS Feeds can be enabled from most lists or libraries. Under the List/Library Tab a button can be seen for RSS Feed. This will launch a new page containing the RSS Information. Copy the URL for a page on each site to be used in the next step. Each of the Web parts can be edited to change the name and the RSS properties. Results: SharePoint Configuration Share Kerberos
  • 16. W Application Configuration – Kerberos On eb Click on the Web Application to select it and then from the ribbon click Authentication Providers Click the Default Zone to setup our authentication Once done click Save and Close the Authentication Provider window. Repeat the other Web Application SharePoint Configuration IIS Co Kerberos
  • 17. IIS Site Authentication Since SharePoint sits on top of IIS the settings for the IIS Authentication also need to be changes. IIS Configuration IIS Co Kerberos
  • 18. Kernel-Mode Authentication Kernel mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server Web Applications should have Kernel Mode Authentication disabled by default on their corresponding IIS web sites. In the Right Panel click on Advanced Settings… Verify that in Advanced Settings the Enable Kernel-mode authentication is NOT checked Verify that Kernel mode authentication is disabled IIS Configuration IIS Co Kerberos 18
  • 19. Providers Under Providers Add Negotiate from Available Providers and move it to the first of the Enabled Providers. IIS Configuration Verify Kerberos 19
  • 20. Checking RSS with Kerberos Once Kerberos is in place in AD, SharePoint, and IIS a refresh of the RSS Page will show the results we expect. One final task is needed to restrict this access. Delegation Verify Active Kerberos
  • 21. Delegation To configure delegation you can use the Active Directory Users and Computer snap-in. Right-click each service account and open the properties dialog. It may seem redundant to configure Shortcut? delegation from a service to itself, Note that when you return to the delegation NO!!! such as the portal service account dialog you do not actually see all the SPNs delegating to the portal service selected. To see all SPNs, check the Expanded application, but this is required in check box in the lower left hand corner. This scenarios where you have multiple restriction will allow SharePoint to only delegate servers running the service. This is it’s credentials to the other User or Computer. to address the scenario where one server may need to delegate to another server running the same Perform these steps for each service account in service; for instance a WFE your environment that requires delegation. processing a request with a RSS viewer which uses the local web application as the data source Active Directory SQL C Kerberos
  • 22. Configure DNS Configure DNS for the SQL Server in your environment. In this example we have one SQL Server, dcSQL12.myDom12.local, running on port 1433 at IP 10.0.0.4. The SQL Server database engine is running on the default instance. SQL CONFIGURATION SQL C Kerberos
  • 23. SPN for SQL For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server database engine use the following format for configurations that are using the default instance and not a SQL Server named instance. M SQLS v c /< FQDN : p o rt S > Default Instance Se tSPN -S M SQLS VC/{Ho s t S e rv e r N m e } {Do m a in N m e }{Sq l Sv c A c t} S a a c Se tSPN -S M SQLS VC/{Ho s t S e rv e r N m e }. {FQDN {Do m a in N m e }{Sq l Sv c A c t} S a } a c Se tSPN -S M SQLS VC/{Ho s t S e rv e r N m e }: 1 43 3 {Do m a in N m e }{Sq l Sv c A c t} S a a c Se tSPN -S M SQLS VC/{Ho s t S e rv e r N m e }. {FQDN 1 43 3 {Do m a in N m e }{Sq l Sv c A c t} S a }: a c Named Instance Se tSPN -S M SQLS VC/{Ho s t S e rv e r N m e }: {I ta nc e N m e } {Do m a in N m e }{Sq l Sv c A c t} S a ns a a c Se tSPN -S M SQLS VC/{Ho s t S e rv e r N m e }. {FQDN {I ta nc e N m e } {Do m a in N m e }{Sq l Sv c A c t} S a }: ns a a c In our example, we configured the SQL Server SPN on the SQL Server database engine service account (myDom12SQL12_Engine) with the following SetSPN command: Se tSPN -S M SQLS VC/d c SQL1 2 m y Do m 1 2 SQL1 2 _ Eng ine S Se tSPN -S M SQLS VC/d c SQL1 2 . m y Do m 1 2 . lo c a l m y Do m 1 2 SQL1 2 _ Eng ine S Se tSPN -S M SQLS VC/d c SQL1 2 : 1 43 3 m y Do m 1 2 SQL1 2 _ Eng ine S Se tSPN -S M SQLS VC/d c SQL1 2 . m y Do m 1 2 . lo c a l: 1 43 3 m y Do m 1 2 SQL1 2 _ Eng ine S SQL CONFIGURATION SQL C Kerberos
  • 24. SQL Server named instances If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server browser service. See the following articles for more information about configuring Kerberos authentication for names instances: Registering a Service Principal Name http://go.microsoft.com/fwlink/?LinkID=196796 An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005 http://go.microsoft.com/fwlink/?LinkId=196799 SQL CONFIGURATION Verify Kerberos
  • 25. Verify SQL Server Kerberos configuration Reboot the computers that are running SharePoint Server This action restarts all services and forces them to re-connect and re- authenticate by using Kerberos authentication. Open SQL Server Management Studio and run the following queries from a server other than the SQL server, since it would not need Kerberos to validate itself on the same server. SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ; Verify Verify Kerberos
  • 26. Verify SQL Server Kerberos configuration Additionally you can get more information: If Kerberos authentication is configured correctly, you see Kerberos in the auth_scheme column of the query results Verify SQL C Kerberos
  • 27. Create a test SQL Server DB and test table To test delegation across the various SharePoint Server service applications covered in the scenarios, you have to configure a test data source for those services to access. In the final step of this scenario, you configure a test database called "KerbTest" and a test table called "Sales" to be used later. In SQL Server Management Studio, create a new database called "KerbTest". Keep the default settings when creating this database. CREATE TABLE [dbo].[Sales]( [RowID] [int] IDENTITY(1,1) NOT NULL, [Region] [nvarchar](10) NOT NULL, [Year] [nvarchar](40) NOT NULL, [Amount] [money] NOT NULL Populate with data ) ON [PRIMARY] GO Save the table with the name "Sales". SQL CONFIGURATION Analys Kerberos
  • 28. Setup Analysis Services Just like standard RDBM setup, we will need to configure DNS for Analysis services, and of course install Analysis services. I’ll spare the additional screen shots and walkthroughs – hoping you know how to install Analysis services, and setup DNS to point to your instance. The first step we’ll need to ensure is done is Configuring Active Directory for the SPNs used by the Analysis Services instance. Analysis Services Configuration Analys Kerberos
  • 29. SSAS SPNs For SQL Server Analysis Services to authenticate clients by using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. The SPN for a default Analysis Services instance uses the following format: M O LA S PSvc . 3 /{FQDN } So for a single Analysis Services Data Source the format would be S e tS PN -S M LA SO PSvc . 3 /{Se rve r Ho s t N m e } {Do m a in N m e }{S QL S v c A c t} a a c S e tS PN -S M LA SO PSvc . 3 /{Se rve r Ho s t N m e }. {FQDN {Do m a in N m e }{S QL S vc A c t } a } a c We will configure the Analysis Services using the default SQL instance so the SPN on the Analysis Services service account (myDom12SQL12_SSAS) will require the following SetSPN commands: S e tS PN -S M LA SO PSvc . 3 /d c SQL1 2 m y Do m 1 2 SQL1 2 _ SSA S S e tS PN -S M LA SO PSvc . 3 /d c SQL1 2 . m y Do m 1 2 . lo c a l m y Do m 1 2 S QL1 2 _ S S AS To Confirm this S e tS PN m y Do m 1 2 SQL1 2 _ SSA -L S Analysis Services Configuration Analys Kerberos
  • 30. SSAS Named Instances If the data source uses a named instance of Analysis Services, you cannot specify a port after the colon. If you do, it is interpreted as part of the hostname or domain name. Instead, you must use the actual instance name for all functionality to work correctly. M LA SO PSv c . 3 /{FQDN {I ta nc e N m e } }: ns a When we configure the Analysis Services using the default SQL instance so the SPN on the Analysis Services service account for that Instance (myDom12 SQL12_SSAS_AnlSvc) will require the following SetSPN commands: Se tSPN -S M LA SO PSv c . 3 /d c SQL1 2 : SSA m y Do m 1 2 SQL1 2 _ SSA A S S_ nlSv c Se tSPN -S M LA SO PSv c . 3 /d c SQL1 2 . m y Do m 1 2 . lo c a l: SSA m y Do m 1 2 S SQL1 2 _ SSA A S_ nlSv c Analysis Services Configuration Analys Kerberos
  • 31. Verify SSAS Kerberos configuration Once the SPN is configured, verify the Kerberos connection to the cluster by using Excel 2010. Open Excel 2010 on the client computer using a domain account that has access to at least one database in the Analysis Services instance and open a data connection to your Analysis Services instance by selecting the Data tab, clicking From Other Sources, and then clicking From Analysis Services. Open Excel and click on the Data Tab From the From Other Source drop-down select From Analysis Services Analysis Services Configuration Analys Kerberos
  • 32. Verify SSAS Kerberos configuration In the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next. Analysis Services Configuration Analys Kerberos
  • 33. Verify SSAS Kerberos configuration From the SQL Server, dcSQL12, Check the Windows Security Log to see an entry that indicates the access was made using Kerberos. Analysis Services Configuration C2WT Kerberos
  • 34. Claims to Windows Token Service (C2WTS) The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claim tokens to windows tokens. As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on so be sure to configure these permissions each time the service is started on a server. Optimally, you should configure the service account’s permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc). C2WTS C2WT Kerberos
  • 35. DNS Create a service account in Active Directory to run the service under. In this example we created myDom12SP10_svcC2WTS. Permission for the Account C2WTS Next, configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on. C2WT Kerberos
  • 36. Local Security Policy for the Account In Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment give the service account the following permissions: C2WTS C2WT Kerberos
  • 37. Central Administration From Central Administration click on the link to Security Under Security | Configure Managed Service Accounts click on Configure managed Accounts Register managed account for C2WTS service account => Go back to Security | Configure Service Accounts Change the managed account for the Claims to Windows Token Service to use the newly created C2WTS Managed Account. C2WTS C2WT Kerberos
  • 38. Central Administration Under services, select Application Management | Service Applications click on Manage services on server. Verify that you are on the correct server by making any needed change to the server selection box in the upper right hand corner select the server(s) running excel services Find the Claims to Windows Token Service start it. If it is already running it will need to be restarted, and the corresponding Windows Service will need to be restarted C2WTS C2WT Kerberos
  • 39. Windows Service for C2WTS There is a known issue with the C2WTS where it may not automatically startup successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service. Open the Command Prompt window and enter s c c o nfig " c 2 wts " d e p e nd = Cry p tSvc Find the Claims to Windows Token Service in the services console. Open the properties for the service and click on the Dependencies tab. Make sure Cryptographic Services is C2WTS C2WT listed. Kerberos
  • 40. Windows Service for C2WTS Restart the C2WTS from the services console. In addition, if you experience issues with the C2WTS after restarting the service it may also be required to reset the IIS application pools that communicate with the C2WTS. This will complete the transition of the C2WTS from using a local account to a domain account. And once it is using a domain account an SPN can be assigned. C2WTS C2WT Kerberos
  • 41. SPN for C2WTS Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. Se tSPN -S {A rbitra ry Pro to c o l}/{Arbitra ry N m e } {Do m a in N m e }{C2 WTS Sv c A c t} a a c In our example we registered SP10C2WTS/C2WTSsvc to the myDom12SP10_svcC2WTS using the following command: Se tSPN -S SP1 0 C2 WTS/C2 WTSs vc m y Do m 1 2 SP1 0 _ s vc C2 WTS C2WTS SSRS Kerberos
• 42. REPORTING SERVICES Authentication in this scenario begins with the client authenticating with Kerberos at the web front end. SharePoint Server 2010 converts the Windows authentication token into a claims token using the local Security Token Service (STS). The SQL Reporting Services service application accepts the claims token and converts it back into a Windows token using the local Claims to Windows Token Service (C2WTS), which is part of Windows Identity Foundation (WIF). Because that Windows token is built from a claim rather than from a ticket the client presented, Reporting Services then relies on Kerberos constrained delegation with protocol transition to obtain a service ticket for the backend data source on the client's behalf.
• 43. SQL Reporting Services service account As a best practice, SQL Reporting Services should run under its own domain identity. To configure the SQL Reporting Services service application, an Active Directory account must be created. In this example the account myDom12\SP10_svcSSRS12 was created for this purpose.
• 44. SPNs SPN Format: SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account} SQL Reporting Services SPN Configuration (short and fully qualified host names): SetSPN -S spSSRSSvc/ReportingPortal myDom12\SP10_svcSSRS12 SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\SP10_svcSSRS12
• 45. Verify SPNs To verify that the SPNs for each service account exist, run the following SetSPN command. Format: SetSPN -L {Domain Name}\{Service Account} SQL Reporting Services account: SetSPN -L myDom12\SP10_svcSSRS12 (the next two accounts were set up earlier) Data source account: SetSPN -L myDom12\SQL12_Engine C2WTS account: SetSPN -L myDom12\SP10_svcC2WTS
• 46. Delegation To allow SQL Reporting Services to delegate the client’s identity, Kerberos constrained delegation must be configured. Constrained delegation with protocol transition is required because the WIF C2WTS converts a claims token into a Windows token without holding a Kerberos ticket from the client. Each server running SQL Reporting Services must be trusted to delegate credentials to each back-end service SQL Reporting Services will authenticate with. In addition, the SQL Reporting Services service account must also be configured to allow delegation to the same back-end services.
  Principal Type   Principal Name           Delegates To Service
  User             myDom12\SP10_svcSSRS12   MSSQLSVC/dcSQL12.myDom12.local:1433
  User             myDom12\SP10_svcC2WTS    MSSQLSVC/dcSQL12.myDom12.local:1433
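The C2WTS dependency fix (slides 39 and 40) and the SPN registration and verification (slides 41, 44 and 45) can be done from one elevated PowerShell session rather than by hand. The script below is an added example and is not part of the original deck; it uses the deck's sample names (the myDom12 domain, the SP10_svcC2WTS, SP10_svcSSRS12 and SQL12_Engine accounts, and the SPNs shown on the slides), which you must adjust for your own environment, and assumes it runs on the SharePoint server that hosts the C2WTS.

```powershell
# Added example (not from the original deck): C2WTS dependency, SPN
# registration and SPN verification in one script. Names are the deck's
# sample values for the myDom12 domain; adjust before running.

$c2wtsAccount = 'myDom12\SP10_svcC2WTS'
$ssrsAccount  = 'myDom12\SP10_svcSSRS12'
$sqlAccount   = 'myDom12\SQL12_Engine'

# --- Slides 39/40: make C2WTS depend on Cryptographic Services ---------------
# Call sc.exe explicitly: inside PowerShell the bare word 'sc' is an alias for
# Set-Content. The space after 'depend=' is required by sc.exe's parser.
sc.exe config c2wts depend= CryptSvc
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed (exit code $LASTEXITCODE)" }

$deps = (Get-Service -Name c2wts).ServicesDependedOn | ForEach-Object { $_.Name }
if ($deps -notcontains 'CryptSvc') { throw 'C2WTS does not list CryptSvc as a dependency' }
Restart-Service -Name c2wts

# --- Slides 41/44: register SPNs ---------------------------------------------
# C2WTS gets an arbitrary, non-HTTP SPN whose only purpose is to expose the
# Delegation tab. SSRS gets both the short and the FQDN host form.
$spnAssignments = @(
    @{ Spn = 'SP10C2WTS/C2WTSsvc';                      Account = $c2wtsAccount },
    @{ Spn = 'spSSRSSvc/ReportingPortal';               Account = $ssrsAccount  },
    @{ Spn = 'spSSRSSvc/ReportingPortal.myDom12.local'; Account = $ssrsAccount  }
)
foreach ($a in $spnAssignments) {
    # -Q searches the forest for the SPN. A duplicate SPN (same SPN on two
    # accounts) breaks Kerberos for both, so stop and look before adding.
    $existing = setspn.exe -Q $a.Spn
    if ($existing -match 'Existing SPN found') {
        Write-Warning "$($a.Spn) is already registered (check it is on the intended account):`n$($existing -join "`n")"
        continue
    }
    # -S refuses to create a duplicate, unlike the older -A switch.
    setspn.exe -S $a.Spn $a.Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $($a.Spn) failed (exit code $LASTEXITCODE)" }
}

# --- Slide 45: verify ----------------------------------------------------------
foreach ($acct in $ssrsAccount, $sqlAccount, $c2wtsAccount) {
    Write-Host "SPNs registered to ${acct}:"
    setspn.exe -L $acct
}
# Forest-wide duplicate check. Anything other than
# "found 0 group of duplicate SPNs." must be resolved before going further.
setspn.exe -X -F
```

The duplicate check at the end is the part most often skipped; a second account carrying one of these SPNs (a leftover from an earlier build, for example) produces the same "Kerberos just doesn't work" symptoms as a missing SPN and is much harder to spot from the client side.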
• 47. SSRS Constrained Delegation To configure constrained delegation from SQL Reporting Services to the data source, follow these steps.
  1. Open the Active Directory object’s properties in Active Directory Users and Computers.
  2. Navigate to the Delegation tab.
  3. Select Trust this user for delegation to specified services only.
  4. Select Use any authentication protocol. This enables protocol transition and is required for the service account to use the C2WTS.
  5. Click the Add button to select the service principal this account is allowed to delegate to.
  6. Click Users or Computers.
  7. Enter the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine
  8. Click OK.
  9. Select the services for the SQL Server data source.
  10. Click OK.
  11. You should now see the selected SPNs in the list of services to which this account can present delegated credentials.
  12. Clicking Expanded shows both the short and long form of the SPNs entered for the data source.
  13. Click OK.
• 48. C2WTS Constrained Delegation To configure constrained delegation from the C2WTS to the data source, follow the same procedure you just did for SSRS Constrained Delegation, this time on the C2WTS service account. The delegation target is again the service account for the SQL Server service: myDom12\SQL12_Engine
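The delegation settings from slides 46 to 48 can be applied and, more importantly, verified from PowerShell instead of reading the Delegation tab on each account. The following is an added example and is not part of the original deck. It assumes the RSAT ActiveDirectory module is installed, uses the deck's sample account names (SP10_svcSSRS12 and SP10_svcC2WTS delegating to the MSSQLSvc SPN of dcSQL12.myDom12.local), and includes the short-name form of the SQL SPN as well, since slide 47 step 12 shows both forms being selected.

```powershell
# Added example (not from the original deck): constrained delegation with
# protocol transition for the two user accounts in the slide 46 table, plus a
# verification function. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Back-end SPNs the accounts may delegate to. Both forms are listed because
# slide 47 step 12 selects the short and long form of the data source SPN.
$backendSpns = @(
    'MSSQLSvc/dcSQL12.myDom12.local:1433',
    'MSSQLSvc/dcSQL12:1433'
)
$delegatingAccounts = @('SP10_svcSSRS12', 'SP10_svcC2WTS')

foreach ($sam in $delegatingAccounts) {
    # "Trust this user for delegation to specified services only" populates
    # msDS-AllowedToDelegateTo. -Replace overwrites the whole list; use -Add
    # instead if the account already delegates to other targets on purpose.
    Set-ADUser -Identity $sam -Replace @{ 'msDS-AllowedToDelegateTo' = $backendSpns }

    # "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION
    # (protocol transition). Required here because the C2WTS has no client
    # ticket to forward and must request one via S4U2Self.
    Set-ADAccountControl -Identity $sam -TrustedToAuthForDelegation $true
}

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $ExpectedSpns
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    $missing = @($ExpectedSpns | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{
        Account            = $SamAccountName
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation
        # TrustedForDelegation is the UNCONSTRAINED flag ("any service"); it
        # must stay False or the account can impersonate users to anything.
        Unconstrained      = [bool]$u.TrustedForDelegation
        MissingTargets     = $missing
        Ok                 = ([bool]$u.TrustedToAuthForDelegation -and
                              -not [bool]$u.TrustedForDelegation -and
                              $missing.Count -eq 0)
    }
}

$delegatingAccounts |
    ForEach-Object { Test-ConstrainedDelegation -SamAccountName $_ -ExpectedSpns $backendSpns } |
    Format-Table -AutoSize
```

With "Use any authentication protocol" enabled, these two accounts can obtain a service ticket to the SQL instance for any domain user without that user ever presenting credentials, which is exactly what the C2WTS needs and exactly why the accounts should carry no other rights, no other SPNs, and a msDS-AllowedToDelegateTo list limited to the data-source SPNs. The Unconstrained column in the output is the check to watch: "Trust this user for delegation to any service" would also make the reports work, which is the shortcut the Gotchas slide warns against.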
• 49. SharePoint Create Managed Account Register the SQL Reporting Services service account as a managed account in Central Administration.
• 50. Reporting Services service Start the Reporting Services service. Note: Be sure that the service is NOT running on servers where it should not be, as this can lead to issues with the C2WTS.
• 51. SSRS 12 Service Application Once it has finished, it presents a completion message and a link to further configuration, which reports whether the SQL Server Agent service is running.
• 52. SSRS 12 Service Application For the service application to work as expected, certain permissions need to be assigned to the application pool account. Click the "Download Script" command to get a dynamically generated script that you must then run on the SharePoint SQL instance. SQL Reporting Services also needs to access the SQL Agent through an account: enter the SQL Agent account for the SharePoint SQL instance. When complete, the SQL Reporting Services service application will be created.
• 53. SSRS Service Account Permissions A required step in configuring Reporting Services for SharePoint Server 2010 is allowing the service application's account access to the content databases of the web applications it serves. In this example, we grant the SQL Reporting Services account access to the ReportingPortal web application’s content database using Windows PowerShell. Run the following from the SharePoint 2010 Management Shell:
  $w = Get-SPWebApplication -Identity http://ReportingPortal
  $w.GrantAccessToProcessIdentity("myDom12\SP10_svcSSRS12")
  The change can be seen on the SQL instance used for the SharePoint farm by viewing the Security > Logins properties of the SQL Reporting Services application pool account.
• 54. Testing Create a document library for reports. Validate site collection settings for Reporting Services.
• 55. Testing Create and publish a test report in SQL Server Business Intelligence Development Studio, then validate it in Internet Explorer.
• 59. Things to note:
  Mixed Mode Active Directory (2k3/2k8)
  “The Given Key Was Not Present in the Dictionary”
  Delegation – No Shortcuts
  Rushing – Don’t
• 60. Summary Setting up Kerberos – Slow – Painful – Time Consuming. If you follow these steps, hopefully you’ll avoid undue pain. When in doubt call Microsoft Support – they do have a Kerberos Troubleshooter they’ll have you run. It is possible to run the tool in an offline mode – hopefully you read between the lines here. Don’t skip steps, don’t take shortcuts, don’t do things out of order. When all else fails, find a hard wall, pound your head against the wall, call in sick and have someone else do it. … You can always call Oakwood too … I guess
• 61. Please fill out the evaluation and turn it in to this session’s host. #GMSQL