Date post: 24-Dec-2015
Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012)
Chuck Heinzelman
Senior Program Manager – BPD CX
Microsoft Corporation
DBI304

Chuck Heinzelman

www.sqlcat.com

@SQLBoyWonder


Abstract

A top call generator for SharePoint BI is the configuration of Kerberos to allow user credentials to be passed to back end data sources. With Microsoft SQL Server 2012, Reporting Services will be fully integrated with SharePoint as a service. Come learn how to configure your environment. Learn how to discover what SPNs need to be set, how to configure Constrained Delegation, and how to troubleshoot potential issues.


Kerberos – In 7 Easy Steps


Solve 95% Of Your Kerberos Problems…


Kerberos Terminology and Overview


Definitions

- Kerberos: Authentication protocol developed at MIT
- Delegation: Granting your authority to someone else
- Impersonation: I can “be” someone else
- Authentication: Verification that I am who I say I am
- Authorization: Verification that I have the rights to do what I want to do


Why Kerberos?

Delegate user credentials to a back end data source (double-hop issue)

Service Applications that would leverage Kerberos:

- PerformancePoint
- Excel Services
- Reporting Services (SQL Server 2012 change)


Breakdown of 7 Steps


7 Easy Steps!

1. Enable Kerberos on your SharePoint Web Application
2. Enable the Claims to Windows Token Service in SharePoint
3. Create an HTTP SPN for the account that is running the Portal application pool
4. Create a dummy SPN for the account that is running the service application
5. Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
6. Configure Constrained Delegation for the Service Application account to Analysis Services
7. Configure Constrained Delegation for the Application Server machine


Kerberos in the Real World


Real-World Scenarios

- Multiple Web Front Ends
- Load Balanced URLs
- Multiple Application Servers
- Multiple Service Application Accounts
- SQL Server Services


Multiple Web Front Ends / Load Balanced URLs

Set an HTTP SPN for Every URL

- Each WFE (and FQDN)
- Load Balancer URL
- Don’t Forget Alternate Access Mappings

Remember to check for additional CNAME entries


Multiple Application Servers / Multiple Service Application Accounts

- No service-specific SPN is required for the service applications
- You will need to set up constrained delegation on the service account
- You may need to set up a dummy SPN to enable the Delegation tab in Active Directory Users and Computers
- Enable C2WTS on each server


SQL Server Services

Clustered SQL Server

- Set the SPN on the VNN

Non-Default Instance of Analysis Services

- SQL Browser service needs to be running
- An SPN in the form of MSOLAPDisco.3 is necessary for the service account under which the Browser service is running
- Standard MSOLAPSvc.3 SPN required as well


Related Content

Breakout Sessions (session codes and titles)

- OSP201 – Business Intelligence in Microsoft Office and SharePoint 2010
- OSP232 – 36 Terabytes: How Microsoft IT Manages SharePoint in the Enterprise
- DBI402 – Deploying and Managing a PowerPivot for SharePoint Infrastructure Using Microsoft SQL Server 2012
- DBI301 – Building Self-Service BI Applications Using PowerPivot
- OSP339 – Advanced Microsoft SharePoint 2010 Upgrade Troubleshooting
- DBI332 – Running Reporting Services in SharePoint Integrated Mode: How and Why
- DBI306 – Tips and Tricks: Effectively Manage Your SharePoint Farm with BI
- DBI327 – How to Extend Your SharePoint BI Dashboard to ALL Devices
- OSP431 – Security Design with Claims-Based Authentication

Find Me Later At…

- SQL Server TLC Area – I’ll be there quite often!


Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Appendix


Breakout – Step 1

Enable Kerberos on your SharePoint Web Application

Central Administration | Application Management | Manage Web Applications | Authentication Providers


Breakout – Step 2

Enable Claims to Windows Token Service in SharePoint

Central Administration | System Settings | Manage Services on Server | Select “Start” on the Claims to Windows Token Service


Breakout – Step 3

Create an HTTP SPN for the account that is running the Portal application pool

1. Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
2. Create HTTP SPN for all applicable URLs
   a. SetSPN -S HTTP/<Server> Domain\<Service Account>
   b. SetSPN -S HTTP/<Server>.<FQDN> Domain\<Service Account>
   c. Repeat steps a and b for every URL that can be used to access that web application (should match your AAM definitions)


Breakout – Step 4

Create a dummy SPN for the account that is running the service application (PerformancePoint, Excel Services & Reporting Services)

* This is only necessary if the account running the service application is different than the HTTP service account

1. Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
2. Create 1 Dummy SPN per Service
   a. SetSPN -S PPS/<Server> Domain\<Service Account>
   b. SetSPN -S RS/<Server> Domain\<Service Account>


Breakout – Step 5

Create an MSOLAPSvc.3 SPN for the service account running Analysis Services

1. Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
2. Create MSOLAPSvc.3 SPNs
   a. SetSPN -S MSOLAPSvc.3/<Server> Domain\<Service Account>
   b. SetSPN -S MSOLAPSvc.3/<Server>.<FQDN> Domain\<Service Account>


Breakout – Step 6

Configure Constrained Delegation for the Service Application account to Analysis Services

1. Log onto the Domain Controller and open Active Directory Users and Computers
2. Locate the Service Application Account and edit the properties
3. Find the Delegation Tab
   a. Select the Option Trust this user for delegation to specified services only
   b. Select Use any authentication protocol
   c. Click on the Add button
   d. In the Add Services window select “Users or Computers” and type in the name of the Service account that is running Analysis Services
   e. Highlight the service and select OK


Breakout – Step 7

Configure Constrained Delegation from the Application Server machine

1. Log onto the Domain Controller and open Active Directory Users and Computers
2. Locate the computer account for the Application Server
3. Find the Delegation Tab
   a. Select the Option Trust this user for delegation to specified services only
   b. Select Use any authentication protocol
   c. Click on the Add button
   d. In the Add Services window select “Users or Computers” and type in the name of the Service account that is running Analysis Services
   e. Highlight the service and select OK
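
A read-only check of the outcome of steps 3 to 7, added here as an example and not taken from the original slides: it compares account records against the SPNs and delegation settings the steps call for, and also flags delegation targets beyond Analysis Services. The function name, account names, hosts and the contoso.example domain are hypothetical, and the records are constructed sample data.

```powershell
# Constructed sample records, shaped like Get-ADUser / Get-ADComputer output requested
# with -Properties servicePrincipalName, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation.
# All account, host and domain names are hypothetical.
$accounts = @(
    [pscustomobject]@{ Name = 'svc-portal'; SPNs = @('HTTP/portal'); DelegateTo = @(); AnyProtocol = $false }
    [pscustomobject]@{ Name = 'svc-pps'; SPNs = @('PPS/app01'); AnyProtocol = $true
        DelegateTo = @('MSOLAPSvc.3/olap01', 'MSOLAPSvc.3/olap01.contoso.example', 'MSSQLSvc/sql01:1433') }
    [pscustomobject]@{ Name = 'APP01$'; SPNs = @('HOST/app01'); DelegateTo = @('MSOLAPSvc.3/olap01'); AnyProtocol = $false }
    [pscustomobject]@{ Name = 'svc-olap'; SPNs = @('MSOLAPSvc.3/olap01', 'MSOLAPSvc.3/olap01.contoso.example')
        DelegateTo = @(); AnyProtocol = $false }
)

function Test-BIKerberosConfig {   # hypothetical helper name
    param($Accounts, $ExpectedSpns, [string[]]$Delegators, [string[]]$Targets)
    # Steps 3 and 5: each SPN must exist exactly once, on the intended account.
    foreach ($spn in ($ExpectedSpns.Keys | Sort-Object)) {
        $owners = @($Accounts | Where-Object { $_.SPNs -contains $spn })
        if ($owners.Count -eq 0) { "MISSING   $spn (expected on $($ExpectedSpns[$spn]))" }
        elseif ($owners.Count -gt 1) { "DUPLICATE $spn on $($owners.Name -join ', ')" }
        elseif ($owners[0].Name -ne $ExpectedSpns[$spn]) { "MISPLACED $spn on $($owners[0].Name)" }
    }
    # Steps 4, 6 and 7: each delegating account needs an SPN, "Use any authentication
    # protocol", and a target list limited to the Analysis Services SPNs.
    foreach ($name in $Delegators) {
        $a = $Accounts | Where-Object { $_.Name -eq $name }
        if (-not $a) { "UNKNOWN   $name not found"; continue }
        if (@($a.SPNs).Count -eq 0) { "NO-SPN    $name (Delegation tab will not appear)" }
        if (-not $a.AnyProtocol) { "NO-T2A4D  $name has 'Use any authentication protocol' unset" }
        foreach ($t in $Targets) { if ($a.DelegateTo -notcontains $t) { "NO-TARGET $name cannot delegate to $t" } }
        foreach ($d in $a.DelegateTo) { if ($Targets -notcontains $d) { "EXTRA     $name can also delegate to $d" } }
    }
}

$expected = @{
    'HTTP/portal' = 'svc-portal'; 'HTTP/portal.contoso.example' = 'svc-portal'
    'MSOLAPSvc.3/olap01' = 'svc-olap'; 'MSOLAPSvc.3/olap01.contoso.example' = 'svc-olap'
}
Test-BIKerberosConfig -Accounts $accounts -ExpectedSpns $expected `
    -Delegators 'svc-pps', 'APP01$' -Targets 'MSOLAPSvc.3/olap01', 'MSOLAPSvc.3/olap01.contoso.example'
```

The EXTRA finding matters because an account set to use any authentication protocol can request tickets to every service on its delegation list on behalf of a user, so that list should hold only the Analysis Services SPNs from step 5.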
