Kerberos: The Four Letter Word

Date post: 12-May-2015
Upload: kenneth-maglio
Page 1: Kerberos: The Four Letter Word

It’s a real pain in the as

Page 2: #GMSQL

Page 3: Bio

Ken Maglio
Microsoft Solution Architect
World Wide Technology, Inc.

@kenmaglio/in/[email protected]

Page 4: Introduction

Today:
• Walk through the configuration of Kerberos
• Prep for Business Intelligence (BI) solutions
• SharePoint 2010
• SSRS Integrated Mode
• SQL Server 2012

No demos – sorry! (like I want to set up more Kerberos environments – rly?)

Page 5: Benefits

Delegation of client credentials
• Pass that identity to other network services on the client's behalf
• NTLM does not allow this delegation (the “double-hop” problem)
• Claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware

Security
• AES encryption, mutual authentication, support for data integrity and data privacy

Potentially better performance
• Less traffic to the domain controllers compared with NTLM

Page 6: Assumptions

You know how to:
• install SQL Server 2012
• work with Windows Server 2008 R2
• work with IIS 7
• work with SharePoint 2010 (Central Administration mainly)

Page 7: Kick the Tires

Getting started

Environment: Windows Server 2008 R2 – Active Directory – blah blah blah

SharePoint 2010 with two web applications: IntranetPortal and ReportingPortal

SQL Server 2012 RDBMS for the SharePoint databases

SQL Server 2012 Analysis Services

Page 8: Active Directory – DNS Records

Register a DNS A record for each web application – just don’t use CNAMEs. Internet Explorer builds the HTTP SPN from the canonical (A record) name behind a CNAME, so an SPN registered for the alias is never requested.

Page 9: Active Directory – Service Accounts

Create a service account for each web application’s IIS application pool.

Page 10: Active Directory – SPN Configuration

Register Service Principal Names (SPNs) for the web applications on the service account created for each web application’s IIS application pool.

Identify the service account used for the web application’s IIS application pool: {Domain Name}\{App Pool Acct}

Register the SPNs on the service account:
SetSPN -S HTTP/{Server Host Name} {Domain Name}\{App Pool Acct}
SetSPN -S HTTP/{Server Host Name}.{FQDN} {Domain Name}\{App Pool Acct}

Example:
SetSPN -S HTTP/IntranetPortal myDom12\sp10_PortalIntranet
SetSPN -S HTTP/IntranetPortal.myDom12.local myDom12\sp10_PortalIntranet
SetSPN -S HTTP/ReportingPortal myDom12\sp10_PortalReporting
SetSPN -S HTTP/ReportingPortal.myDom12.local myDom12\sp10_PortalReporting

Page 11: SharePoint Configuration – Configure Managed Accounts

Enter the name and password and click OK for both of the accounts.

Page 12: SharePoint Configuration – Portal Creation

Page 13: SharePoint Configuration – Portal Creation (continued)

Page 14: SharePoint Configuration – RSS Test Page Setup

RSS feeds make a good Kerberos test of SharePoint, since SharePoint generally requires authentication to access its information, even when accessing RSS.

Add two RSS Web Parts to the new TestRSS pages in the Reporting and Intranet portals.

Page 15: SharePoint Configuration – RSS Test Page Setup

RSS feeds can be enabled from most lists or libraries. Under the List/Library tab there is an RSS Feed button. It launches a new page containing the RSS information. Copy the URL for a page on each site to be used in the next step.

Each of the Web Parts can be edited to change the name and the RSS properties.

Results:

Page 16: SharePoint Configuration – Web Application Configuration – Kerberos On

Click on the web application to select it and then, from the ribbon, click Authentication Providers.

Click the Default Zone to set up our authentication.

Once done, click Save and close the Authentication Provider window.

Repeat for the other web application.

Page 17: IIS Configuration – IIS Site Authentication

Since SharePoint sits on top of IIS, the IIS authentication settings also need to be changed.

Page 18: IIS Configuration – Kernel-Mode Authentication

In the right panel click on Advanced Settings… and verify that "Enable Kernel-mode authentication" is NOT checked.

Kernel-mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server web applications have kernel-mode authentication disabled on their corresponding IIS web sites.

Page 19: IIS Configuration – Providers

Under Providers, add Negotiate from Available Providers and move it to the top of the Enabled Providers list.

Page 20: Verify – Checking RSS with Kerberos

Once Kerberos is in place in AD, SharePoint, and IIS, a refresh of the RSS page will show the results we expect.

One final task is needed to restrict this access: delegation.

Page 21: Active Directory – Delegation

To configure delegation you can use the Active Directory Users and Computers snap-in. Right-click each service account and open the Properties dialog.

Shortcut? NO!!!

Note that when you return to the Delegation dialog you do not actually see all the SPNs selected. To see all SPNs, check the Expanded check box in the lower left-hand corner. This restriction allows SharePoint to delegate its credentials only to the selected user or computer.

It may seem redundant to configure delegation from a service to itself, such as the portal service account delegating to the portal service application, but this is required in scenarios where you have multiple servers running the service. It addresses the case where one server may need to delegate to another server running the same service; for instance, a WFE processing a request with an RSS viewer that uses the local web application as the data source.

Perform these steps for each service account in your environment that requires delegation.

Page 22: SQL Configuration – Configure DNS

Configure DNS for the SQL Server in your environment.

In this example we have one SQL Server, dcSQL12.myDom12.local, running on port 1433 at IP 10.0.0.4. The SQL Server database engine is running on the default instance.

Page 23: SQL Configuration – SPN for SQL

For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. SPNs for the SQL Server database engine use the following format for configurations that use the default instance and not a named instance: MSSQLSvc/<FQDN>:port

Default instance:
SetSPN -S MSSQLSVC/{Host Server Name} {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN} {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}:1433 {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:1433 {Domain Name}\{Sql Svc Acct}

Named instance:
SetSPN -S MSSQLSVC/{Host Server Name}:{Instance Name} {Domain Name}\{Sql Svc Acct}
SetSPN -S MSSQLSVC/{Host Server Name}.{FQDN}:{Instance Name} {Domain Name}\{Sql Svc Acct}

In our example, we configured the SQL Server SPNs on the SQL Server database engine service account (myDom12\SQL12_Engine) with the following SetSPN commands:
SetSPN -S MSSQLSVC/dcSQL12 myDom12\SQL12_Engine
SetSPN -S MSSQLSVC/dcSQL12.myDom12.local myDom12\SQL12_Engine
SetSPN -S MSSQLSVC/dcSQL12:1433 myDom12\SQL12_Engine
SetSPN -S MSSQLSVC/dcSQL12.myDom12.local:1433 myDom12\SQL12_Engine

Page 24: SQL Configuration – SQL Server Named Instances

If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server Browser service. See the following articles for more information about configuring Kerberos authentication for named instances:

Registering a Service Principal Name
http://go.microsoft.com/fwlink/?LinkID=196796

An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005
http://go.microsoft.com/fwlink/?LinkId=196799

Page 25: Verify – Verify SQL Server Kerberos Configuration

Reboot the computers that are running SharePoint Server. This restarts all services and forces them to reconnect and re-authenticate using Kerberos authentication.

Open SQL Server Management Studio and run the following query from a server other than the SQL Server itself, since a connection made on the same server would not need Kerberos.

SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid ;

Page 26: Verify – Verify SQL Server Kerberos Configuration

Additionally you can get more information:

If Kerberos authentication is configured correctly, you see Kerberos in the auth_scheme column of the query results
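Added example, not from the deck: the same DMV check run from PowerShell over every current connection, joined to the session so each row names the client host, which shows at a glance whether any SharePoint server has fallen back to NTLM. Assumes the SqlServer (or SQLPS) module that provides Invoke-Sqlcmd is installed and the caller holds VIEW SERVER STATE; dcSQL12 is the deck's server, the SharePoint host names are constructed placeholders.

```powershell
function Get-SqlAuthScheme {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,  # e.g. dcSQL12.myDom12.local
        [string[]]$ExpectKerberosFrom = @()             # client host names that must not use NTLM
    )
    # Same DMV as page 25, joined to the session so each row names the client host
    $query = @'
SELECT s.host_name, s.login_name, s.program_name,
       c.net_transport, c.auth_scheme, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions   AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1;
'@
    foreach ($r in Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query) {
        # A shared-memory connection comes from the SQL host itself and never
        # needs Kerberos, which is why page 25 says to test from another server
        $local = ($r.net_transport -eq 'Shared memory')
        [pscustomobject]@{
            Host      = $r.host_name
            Login     = $r.login_name
            Program   = $r.program_name
            Transport = $r.net_transport
            Scheme    = $r.auth_scheme             # KERBEROS, NTLM or SQL
            Address   = $r.client_net_address
            # NTLM from a SharePoint box means the double hop will break later
            Problem   = (-not $local) -and
                        ($ExpectKerberosFrom -contains $r.host_name) -and
                        ($r.auth_scheme -eq 'NTLM')
        }
    }
}

# Deck environment: dcSQL12 serves the farm; the SharePoint host names are constructed placeholders
$conns = Get-SqlAuthScheme -ServerInstance 'dcSQL12.myDom12.local' -ExpectKerberosFrom 'SP10-WFE1', 'SP10-APP1'
$conns | Format-Table Host, Login, Transport, Scheme, Problem -AutoSize
$conns | Where-Object { $_.Problem }
```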

Page 27: SQL Configuration – Create a Test SQL Server DB and Test Table

To test delegation across the various SharePoint Server service applications covered in the scenarios, you have to configure a test data source for those services to access. In the final step of this scenario, you configure a test database called "KerbTest" and a test table called "Sales" to be used later.

In SQL Server Management Studio, create a new database called "KerbTest". Keep the default settings when creating this database.

CREATE TABLE [dbo].[Sales](
    [RowID] [int] IDENTITY(1,1) NOT NULL,
    [Region] [nvarchar](10) NOT NULL,
    [Year] [nvarchar](40) NOT NULL,
    [Amount] [money] NOT NULL
) ON [PRIMARY]
GO

Save the table with the name "Sales".

Populate it with data.

Page 28: Analysis Services Configuration – Setup Analysis Services

Just like the standard RDBMS setup, we will need to configure DNS for Analysis Services, and of course install Analysis Services.

I’ll spare the additional screen shots and walkthroughs – hoping you know how to install Analysis Services and set up DNS to point to your instance.

The first step we’ll need to ensure is done is configuring Active Directory for the SPNs used by the Analysis Services instance.

Page 29: Analysis Services Configuration – SSAS SPNs

For SQL Server Analysis Services to authenticate clients by using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running Analysis Services. The SPN for a default Analysis Services instance uses the following format: MSOLAPSvc.3/{FQDN}

So for a single Analysis Services data source the format would be:
SetSPN -S MSOLAPSvc.3/{Server Host Name} {Domain Name}\{SQL Svc Acct}
SetSPN -S MSOLAPSvc.3/{Server Host Name}.{FQDN} {Domain Name}\{SQL Svc Acct}

We will configure Analysis Services using the default instance, so the SPNs on the Analysis Services service account (myDom12\SQL12_SSAS) require the following SetSPN commands:
SetSPN -S MSOLAPSvc.3/dcSQL12 myDom12\SQL12_SSAS
SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local myDom12\SQL12_SSAS

To confirm this:
SetSPN -L myDom12\SQL12_SSAS

Page 30: Analysis Services Configuration – SSAS Named Instances

If the data source uses a named instance of Analysis Services, you cannot specify a port after the colon. If you do, it is interpreted as part of the host name or domain name. Instead, you must use the actual instance name for all functionality to work correctly: MSOLAPSvc.3/{FQDN}:{Instance Name}

When we configure Analysis Services as a named instance (here "SSAS"), the SPNs on the Analysis Services service account for that instance (myDom12\SQL12_SSAS_AnlSvc) require the following SetSPN commands:
SetSPN -S MSOLAPSvc.3/dcSQL12:SSAS myDom12\SQL12_SSAS_AnlSvc
SetSPN -S MSOLAPSvc.3/dcSQL12.myDom12.local:SSAS myDom12\SQL12_SSAS_AnlSvc
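Added example, not from the deck: a PowerShell helper that builds the SPN set pages 10, 23, 29 and 30 prescribe for HTTP, MSSQLSvc and MSOLAPSvc.3 (short and FQDN forms, port only for a default database engine instance, instance name and never a port for named instances), compares it with what setspn -L reports for the account, and flags duplicates with setspn -X. Assumes setspn.exe is on the path and the caller can read the account; the host, domain and account names used below are the deck's.

```powershell
function Get-ExpectedSpn {
    param(
        [Parameter(Mandatory)][ValidateSet('HTTP','MSSQLSvc','MSOLAPSvc.3')][string]$Service,
        [Parameter(Mandatory)][string]$HostName,   # short name, e.g. dcSQL12 or IntranetPortal
        [Parameter(Mandatory)][string]$DnsDomain,  # e.g. myDom12.local
        [string]$Instance,                         # named instance, if any
        [int]$Port = 1433                          # default-instance database engine port
    )
    $names = @($HostName, "$HostName.$DnsDomain")  # short and FQDN forms, always both
    switch ($Service) {
        'HTTP' {
            # Web application (page 10): short + FQDN only
            foreach ($n in $names) { "HTTP/$n" }
        }
        'MSSQLSvc' {
            if ($Instance) {
                # Named instance (page 23): host:InstanceName, no port
                foreach ($n in $names) { "MSSQLSvc/${n}:$Instance" }
            } else {
                # Default instance (page 23): host and host:port
                foreach ($n in $names) { "MSSQLSvc/$n"; "MSSQLSvc/${n}:$Port" }
            }
        }
        'MSOLAPSvc.3' {
            # SSAS (pages 29-30): a port after the colon is never valid;
            # a named instance uses host:InstanceName
            if ($Instance) { foreach ($n in $names) { "MSOLAPSvc.3/${n}:$Instance" } }
            else           { foreach ($n in $names) { "MSOLAPSvc.3/$n" } }
        }
    }
}

function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$Account)  # DOMAIN\account, as setspn -L wants it
    # setspn -L prints a header line, then one indented SPN per line
    setspn.exe -L $Account 2>&1 |
        ForEach-Object { "$_" } |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
}

function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string[]]$Expected
    )
    $registered = @(Get-RegisteredSpn -Account $Account)
    [pscustomobject]@{
        Account    = $Account
        Registered = $registered
        # -notcontains is case-insensitive, which matches how SPNs are compared
        Missing    = @($Expected | Where-Object { $registered -notcontains $_ })
        # setspn -X lists any SPN registered on more than one account; with a
        # duplicate the KDC cannot tell which account holds the key and clients
        # silently fall back to NTLM
        Duplicates = @(setspn.exe -X 2>&1 | ForEach-Object { "$_" } | Where-Object { $_ -match '/' })
    }
}

# Deck environment: default-instance database engine on dcSQL12 (page 23)
$expected = Get-ExpectedSpn -Service MSSQLSvc -HostName dcSQL12 -DnsDomain myDom12.local
Test-SpnRegistration -Account 'myDom12\SQL12_Engine' -Expected $expected | Format-List

# Named SSAS instance "SSAS" on the same host (page 30): instance name, never a port
Get-ExpectedSpn -Service MSOLAPSvc.3 -HostName dcSQL12 -DnsDomain myDom12.local -Instance SSAS
```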


Page 31: Analysis Services Configuration – Verify SSAS Kerberos Configuration

Once the SPN is configured, verify the Kerberos connection by using Excel 2010. Open Excel 2010 on the client computer using a domain account that has access to at least one database in the Analysis Services instance, then open a data connection to your Analysis Services instance by selecting the Data tab, clicking From Other Sources, and then clicking From Analysis Services.

Page 32: Analysis Services Configuration – Verify SSAS Kerberos Configuration

In the Data Connection Wizard, type dcSQL12 in the Server name box, then click Next.

Page 33: Analysis Services Configuration – Verify SSAS Kerberos Configuration

On the SQL Server, dcSQL12, check the Windows Security log for an entry that indicates the access was made using Kerberos.
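Added example, not from the deck: a PowerShell function that pulls the Security log entries this slide asks you to look for. Successful logons are event 4624, and the event data carries the authentication package (Kerberos or NTLM), the logon type and the source address, so a remote NTLM network logon for the test user shows that the SSAS SPN was not used. Assumes it runs as an administrator on dcSQL12 (or against it with -ComputerName); the test user name is a constructed placeholder.

```powershell
function Get-LogonAuthPackage {
    param(
        [Parameter(Mandatory)][string]$TargetUser,   # sAMAccountName whose logons to inspect
        [string]$ComputerName = $env:COMPUTERNAME,   # dcSQL12 in the deck
        [int]$MaxEvents = 500
    )
    # 4624 = successful logon; its EventData names the package that authenticated it
    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            # The named EventData fields are only reachable through the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($field in $x.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType   = $d['LogonType']                  # 3 = network, what SQL/SSAS see
                AuthPackage = $d['AuthenticationPackageName']  # Kerberos or NTLM
                Source      = $d['IpAddress']
            }
        } |
        Where-Object { $_.User -like "*\$TargetUser" }
}

# Deck environment: the domain user who opened the Excel connection (constructed name)
$logons = Get-LogonAuthPackage -ComputerName 'dcSQL12' -TargetUser 'bi_tester'
$logons | Format-Table -AutoSize

# A remote NTLM network logon for that user means the MSOLAPSvc.3 SPN was not used
$loopback = @('-', '127.0.0.1', '::1')
$logons | Where-Object { $_.LogonType -eq '3' -and $_.AuthPackage -eq 'NTLM' -and $loopback -notcontains $_.Source }
```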

Page 34: C2WTS – Claims to Windows Token Service (C2WTS)

The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claims tokens to Windows tokens.

As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally, you should configure the service account’s permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).

Page 35: C2WTS – Permissions for the Account

Next, configure the local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on.

Create a service account in Active Directory to run the service under. In this example we created myDom12\SP10_svcC2WTS.

Page 36: C2WTS – Local Security Policy for the Account

In Local Security Policy (secpol.msc) under Local Policies | User Rights Assignment give the service account the following permissions:

Page 37: C2WTS – Central Administration

From Central Administration click on the link to Security. Under Security | Configure Managed Service Accounts click on Configure Managed Accounts.

Register a managed account for the C2WTS service account, then go back to Security | Configure Service Accounts.

Change the managed account for the Claims to Windows Token Service to use the newly created C2WTS managed account.

Page 38: C2WTS – Central Administration

Under Application Management | Service Applications click on Manage services on server.

Verify that you are on the correct server by making any needed change to the server selection box in the upper right-hand corner; select the server(s) running Excel Services.

Find the Claims to Windows Token Service and start it. If it is already running it will need to be restarted, and the corresponding Windows service will need to be restarted as well.

Page 39: C2WTS – Windows Service for C2WTS

There is a known issue with the C2WTS where it may not start up successfully on system reboot. A workaround is to configure a service dependency on the Cryptographic Services service.

Open a Command Prompt window and enter:
sc config "c2wts" depend= CryptSvc

Find the Claims to Windows Token Service in the services console. Open the properties for the service and click on the Dependencies tab. Make sure Cryptographic Services is listed.

Page 40: C2WTS – Windows Service for C2WTS

Restart the C2WTS from the services console.

In addition, if you experience issues with the C2WTS after restarting the service, it may also be necessary to reset the IIS application pools that communicate with the C2WTS.

This completes the transition of the C2WTS from a local account to a domain account. Once it is using a domain account, an SPN can be assigned.
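Added example, not from the deck: a PowerShell check to run on each SharePoint server after pages 34-40, confirming that the C2WTS runs under a dedicated domain account rather than Local System, carries the CryptSvc dependency from page 39, and is running; -Repair applies that dependency with the same sc config command the deck gives, preserving any dependencies already present. Assumes an elevated session on the SharePoint server.

```powershell
function Test-C2wtsService {
    param([switch]$Repair)   # apply the page 39 dependency fix if it is missing
    $svcName = 'c2wts'
    $builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

    $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    if (-not $wmi) { throw "Service '$svcName' is not installed on $env:COMPUTERNAME" }
    $svc  = Get-Service -Name $svcName
    $deps = @($svc.ServicesDependedOn | ForEach-Object { $_.ServiceName })
    $hasCryptSvc = ($deps -contains 'CryptSvc')

    if (-not $hasCryptSvc -and $Repair) {
        # Same command as page 39; depend= takes a slash-separated list, so keep any
        # existing dependencies instead of overwriting them
        $list = (@($deps) + 'CryptSvc') -join '/'
        sc.exe config $svcName depend= $list | Out-Null
        $deps = @((Get-Service -Name $svcName).ServicesDependedOn | ForEach-Object { $_.ServiceName })
        $hasCryptSvc = ($deps -contains 'CryptSvc')
    }

    $dedicated = ($builtin -notcontains $wmi.StartName)
    [pscustomobject]@{
        Server            = $env:COMPUTERNAME
        RunsAs            = $wmi.StartName    # should be the domain account, e.g. myDom12\SP10_svcC2WTS
        DedicatedAccount  = $dedicated        # false = still Local System, the default the deck warns about
        StartMode         = $wmi.StartMode
        DependsOnCryptSvc = $hasCryptSvc
        Status            = $svc.Status
        Healthy           = $dedicated -and $hasCryptSvc -and ($svc.Status -eq 'Running')
    }
}

# Report only; add -Repair to add the CryptSvc dependency, then restart the service as page 40 says
Test-C2wtsService | Format-List
```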


Page 41: C2WTS – SPN for C2WTS

Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment.

SetSPN -S {Arbitrary Protocol}/{Arbitrary Name} {Domain Name}\{C2WTS Svc Acct}

In our example we registered SP10C2WTS/C2WTSsvc to myDom12\SP10_svcC2WTS using the following command:
SetSPN -S SP10C2WTS/C2WTSsvc myDom12\SP10_svcC2WTS

Page 42: SSRS – Reporting Services

Authentication in this scenario begins with the client authenticating with Kerberos at the web front end. SharePoint Server 2010 converts the Windows authentication token into a claims token using the local Security Token Service (STS). The SQL Reporting Services service application accepts the claims token and converts it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is part of Windows Identity Foundation (WIF). The SQL Reporting Services service application then uses the client’s Kerberos ticket to authenticate with the back-end data source.

Page 43: SSRS – SQL Reporting Services Service Account

As a best practice, SQL Reporting Services should run under its own domain identity. To configure the SQL Reporting Services service application, an Active Directory account must be created. In this example, the following accounts were created:

Page 44: SSRS – SPNs

SPN format:
SetSPN -S {Arbitrary Protocol}/{Host Server Name} {Domain Name}\{Service Account}

SQL Reporting Services SPN configuration:
SetSPN -S spSSRSSvc/ReportingPortal myDom12\sp10_svcSSRS12
SetSPN -S spSSRSSvc/ReportingPortal.myDom12.local myDom12\sp10_svcSSRS12

Page 45: SSRS – Verify SPNs

To verify that the SPNs for a service account exist, run the following SetSPN command. Format: SetSPN -L {Domain Name}\{Service Account}

SQL Reporting Services account:
SetSPN -L myDom12\SP10_SvcSSRS12

---- we did these prior to now ----
Data source account:
SetSPN -L myDom12\SQL12_Engine

C2WTS account:
SetSPN -L myDom12\SP10_SvcC2WTS

Page 46: SSRS – Delegation

To allow SQL Reporting Services to delegate the client’s identity, Kerberos constrained delegation must be configured. Constrained delegation with protocol transition is required for the conversion of the claims token to a Windows token via the WIF C2WTS. Each server running SQL Reporting Services must be trusted to delegate credentials to each back-end service SQL Reporting Services will authenticate with. In addition, the SQL Reporting Services service account must also be configured to allow delegation to the same back-end services.

Principal Type   Principal Name            Delegates To Service
User             myDom12\SP10_SvcSSRS12    MSSQLSVC/dcSQL12.myDom12.local:1433
User             myDom12\SP10_SvcC2WTS     MSSQLSVC/dcSQL12.myDom12.local:1433

Page 47: SSRS – SSRS Constrained Delegation

To configure constrained delegation from SQL Reporting Services to the data source, follow these steps.

1. Open the Active Directory object’s properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.
3. Select Trust this user for delegation to specified services only.
4. Select Use any authentication protocol. This enables protocol transition and is required for the service account to use the C2WTS.
5. Click the Add button to select the service principal allowed to delegate to.
6. Select Users or Computers.
7. Enter the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine
8. Click OK.
9. Select the services for the SQL Server data source.
10. Click OK.
11. You should now see the selected SPNs in the "Services to which this account can present delegated credentials" list.
12. Clicking Expanded will show both the short and long form of the SPNs entered for the data source.
13. Click OK.

Page 48: SSRS – C2WTS Constrained Delegation

To configure constrained delegation from the C2WTS to the data source, follow the same procedure you just did for SSRS constrained delegation – resulting in the following when done.

In this example it is the service account for the SQL Server service: myDom12\SQL12_Engine
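Added example, not from the deck: a PowerShell audit of what pages 46-48 leave behind on the SSRS and C2WTS accounts. It reads the three attributes the Delegation tab writes and checks that the account is not trusted for unconstrained delegation (the "any service" shortcut the deck says no to), that protocol transition ("Use any authentication protocol", step 4) is on, and that the SQL engine SPNs from the page 46 table are in the allowed list in both the short and FQDN form that the Expanded view shows. Assumes the RSAT ActiveDirectory module on the admin host and read access to the accounts; the account and SPN names are the deck's.

```powershell
Import-Module ActiveDirectory   # RSAT AD module, assumed installed on the admin host

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,    # e.g. SP10_SvcSSRS12
        [Parameter(Mandatory)][string[]]$RequiredTargets  # SPNs it must be allowed to delegate to
    )
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    # msDS-AllowedToDelegateTo is the list behind "specified services only"
    $allowed = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $unconstrained = [bool]$u.TrustedForDelegation        # "any service (Kerberos only)": the deck's "Shortcut? NO!!!"
    $transition    = [bool]$u.TrustedToAuthForDelegation  # "Use any authentication protocol" (step 4)
    $missing       = @($RequiredTargets | Where-Object { $allowed -notcontains $_ })

    [pscustomobject]@{
        Account            = $SamAccountName
        Unconstrained      = $unconstrained    # must be false
        ProtocolTransition = $transition       # must be true for the C2WTS path
        AllowedTargets     = $allowed
        MissingTargets     = $missing
        Pass               = (-not $unconstrained) -and $transition -and ($missing.Count -eq 0)
    }
}

# Page 46 table: both accounts delegate to the SQL engine; step 12 says the Expanded
# view holds the short and the FQDN form, so require both
$targets = @('MSSQLSvc/dcSQL12.myDom12.local:1433', 'MSSQLSvc/dcSQL12:1433')
$results = foreach ($acct in 'SP10_SvcSSRS12', 'SP10_SvcC2WTS') {
    Test-ConstrainedDelegation -SamAccountName $acct -RequiredTargets $targets
}
$results | Format-List
```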

Page 49: SSRS – SharePoint Create Managed Account

Page 50: SSRS – Reporting Services Service

Start the Reporting Services service.

Note: Be sure that the service is NOT running on servers where it should not be, as this can lead to issues with the C2WTS.

Page 51: SSRS – SSRS 12 Service Application

Once it has finished it will present you with a completion message and then a link to some further configuration, which will present a message letting you know whether the SQL Server Agent service is running.

Page 52: SSRS – SSRS 12 Service Application

In order for the service application to work as expected, certain permissions need to be assigned to the application pool account. Click the "Download Script" command to get a dynamically generated script that you must then run in the SQL

SQL Reporting Services needs to access the SQL Agent through an account. Enter the SQL Agent account for the SharePoint SQL instance.

When complete, the SQL Reporting Services service application will be created.

Page 53: SSRS – SSRS Service Account Permissions

A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application’s service account access to the content databases for a given web application. In this example, we will grant the SQL Reporting Services account access to the portal web application’s content database by using Windows PowerShell.

Run the following commands from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://ReportingPortal
$w.GrantAccessToProcessIdentity("myDom12\SP10_svcSSRS12")

The change can be seen in the SQL instance used for the SharePoint farm by viewing the Security Login properties of the SQL Reporting Services application pool account.

Page 54: SSRS – Testing

Create a document library for reports.

Validate site collection settings for Reporting Services.

Page 55: SSRS – Testing: Create and publish a test report in SQL Server Business Intelligence Development Studio

Page 56: SSRS – Testing (continued)

Page 57: SSRS – Testing (continued)

Page 58: SSRS – Testing (continued)

Validate in IE.

Page 59: Gotchas

Things to note:

Mixed-mode Active Directory (2k3/2k8) – “The Given Key Was Not Present in the Dictionary”

Delegation – No shortcuts

Rushing – Don’t

Page 60: Summary

If you follow these steps – hopefully you’ll avoid undue pain.

When in doubt call Microsoft Support – they do have a Kerberos Troubleshooter they’ll have you run. It is possible to run the tool in an offline mode – hopefully you read between the lines here.

Don’t skip steps, don’t take shortcuts, don’t do things out of order.

When all else fails, find a hard wall, pound your head against the wall, call in sick and have someone else do it.

… You can always call Oakwood too … I guess

Setting up Kerberos – Slow – Painful – Time Consuming

Page 61: #GMSQL

Please fill out the evaluation and turn it in to this session’s host.