In Microsoft CSS, setting up and configuring Kerberos for MSBI is one of the top call-volume generators, which tells us there is a real gap in understanding how to set up and configure Kerberos for the MSBI stack in a multi-server farm environment. In this session we intend to explain and, more importantly, simplify the steps to set up Kerberos for SQL Server, SSAS, SSRS & SharePoint, along with a demo of the issues that can occur, based on real experiences troubleshooting and configuring Kerberos for customers.
2. 1. Introduction: Who am I?
Parikshit Savjani is a Premier Field Engineer with Microsoft with specialization on SQL Server and Business Intelligence (SSAS, SSIS and SSRS). His role involves consulting, performance tuning, and delivering workshops and chalk talks to Premier Customers of Microsoft. He has 4.5 years of experience with Microsoft & SQL Server. He contributes to the community by blogging his learnings on this site, www.sqlserverfaq.net & MSDN Blogs.
[Slide graphic: PFE in Korea; SQL co BI, PDW]
3. Agenda
1. Facts around Kerberos
2. The Double Hop Scenario
3. Kerberos 101
4. Kerberos Concepts
5. Constrained v/s Unconstrained Delegation
6. Steps to setup Kerberos
7. Configuring Kerberos for SQL Server
8. Configuring Kerberos for SSAS
9. Configuring Kerberos for SSRS
10. Configuring Kerberos for SharePoint Shared Services
4. Facts Around Kerberos
• Kerberos is an Open Source Project developed by MIT as part of Project Athena, which started in 1983
• Microsoft adopted Kerberos v5 as the default authentication protocol starting with Windows 2000 & XP
• Kerberos is one of the top call volume generators for Microsoft CSS for MSBI Products
• Kerberos fits the bill for SSO and Secure Remote Authentication
• It is not hard to configure Kerberos but it is easy to misconfigure it
6. The Double Hop Scenario (Why Kerberos?)
[Diagram: Web Application on IIS Web Server, with Delegation to the DataSource; Data Security defined per User Identity via Roles]
7. Kerberos 101
1. User sends a Ticket request
2. AS in the KDC authenticates the Ticket Request and grants the TGT
3. User needs access to a Remote Service
4. User sends the TGT to the KDC; the TGS authenticates it and issues a service ticket
5. User sends the service ticket to the remote server, which decrypts the service ticket and authenticates the user.
6. Client/Server session is established
8. Kerberos Concepts
SPNs
• An SPN identifies a given service on a given server on a given port running under a given account in the network
• A Service Ticket is issued only for those services which have SPNs registered
• Kerberos Authentication fails if an SPN is not registered for a service.
• SPNs are required for Constrained Delegation, introduced with Windows 2003
Delegation
• Kerberos Authentication supports Delegation using forwardable TGTs forwarded to Delegated Services.
• Windows 2003 introduced Constrained Delegation to allow forwarding of tickets to specified remote services (SPNs) only.
9. Constrained Delegation v/s Unconstrained Delegation
Constrained Delegation
• Kerberos delegation is used to pass end-user credentials to specified back-end services only
• Introduced in Windows 2003
• Secure
• An SPN is required to delegate to the target service
• Protocol transitioning is supported only in Constrained Delegation
Unconstrained Delegation
• Kerberos delegation is used to pass end-user credentials to any services on any destination computer.
• Introduced starting Windows 2000
• Less Secure
• No SPNs are required
10. Steps to configure Kerberos
1. Configure clients & server to use Windows Integrated Security at every tier in a Multi-tier environment
2. Configure Service to use Negotiate Authentication Protocol
3. Register SPNs for every service involved
4. Identify Intermediate Computers and Service Accounts which require Delegation
5. Enable Constrained Delegation for Intermediate Computer and Service accounts
6. Restart the intermediate services for refreshed tokens
7. Purge any issued Kerberos tickets on the clients
12. Configuring Kerberos for SQL Server
Automatic SPN Registration
• SQL Server registers the SPNs automatically each time it starts and deletes them when it stops
• The Service Account should have Read ServicePrincipalName and Write ServicePrincipalName, or be allowed access to Validated Write Service Principal Name.
• By default, Machine Accounts have these permissions.
• SQL 2012 uses Managed Service Accounts, which are virtual machine accounts and possess these permissions
Manual SPN registration
• Requires manual registration of the SPN for the SQL Service using setspn, which requires Domain Admin privileges
• Requires deletion and re-registration if the service account or port changes for the SQL Service.
14. Validate Automatic SPN Registration
The SQL Error Log records the success or failure of Automatic SPN registration.
Validate Manual SPN Registration
From a remote client, run the following TSQL query:
SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid;
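The following PowerShell script is an added example (not from the deck) that ties the two slides above together: it builds the SPNs a SQL Server instance is expected to have, compares them with what is on the service account, uses setspn -Q to catch duplicates, and then runs the auth_scheme query from the calling client. Host name, domain, port, instance and account are placeholders; it assumes the ActiveDirectory (RSAT) module and setspn.exe are installed.

```powershell
# Added example, not from the original deck. Values below are placeholders.
param(
    [string]$HostName       = 'sqlhost',            # placeholder short host name
    [string]$Domain         = 'corp.example.com',   # placeholder DNS domain
    [int]   $Port           = 1433,
    [string]$Instance       = '',                   # '' = default instance
    [string]$ServiceAccount = 'svc-sql'             # placeholder sAMAccountName
)
Import-Module ActiveDirectory

$fqdn = "$HostName.$Domain"
# Documented SQL Server SPN formats: MSSQLSvc/FQDN:port is always registered;
# a default instance also registers MSSQLSvc/FQDN, a named instance MSSQLSvc/FQDN:instance.
$expected = @("MSSQLSvc/${fqdn}:$Port")
if ($Instance) { $expected += "MSSQLSvc/${fqdn}:$Instance" } else { $expected += "MSSQLSvc/$fqdn" }

# What the service account actually holds in its servicePrincipalName attribute
$registered = @((Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName)

foreach ($spn in $expected) {
    if ($registered -contains $spn) { Write-Output "OK        $spn" }
    else { Write-Output "MISSING   $spn  -> setspn -S $spn $ServiceAccount" }

    # setspn -Q searches the forest; every 'CN=' line is an object holding the SPN.
    # More than one owner is a duplicate SPN: the KDC cannot pick a single key,
    # the ticket request fails and Negotiate silently falls back to NTLM.
    $owners = @(& setspn.exe -Q $spn 2>&1 | Select-String -Pattern '^CN=')
    if ($owners.Count -gt 1) { Write-Output "DUPLICATE $spn held by $($owners.Count) objects" }
}

# The deck's validation query, run from this client over a real network connection
# (a local shared-memory connection would not exercise Kerberos at all).
function Get-SqlAuthScheme([string]$Server) {
    $cn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Integrated Security=SSPI"
    $cn.Open()
    $cmd = $cn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@spid'
    $scheme = [string]$cmd.ExecuteScalar()   # 'KERBEROS' when SPNs are right, 'NTLM' on fallback
    $cn.Close()
    return $scheme
}
$target = if ($Instance) { "$fqdn\$Instance" } else { "$fqdn,$Port" }
Write-Output "auth_scheme seen from this client: $(Get-SqlAuthScheme $target)"
```

Run it from a client machine, not on the SQL Server itself, so the auth_scheme result reflects the same path your applications take.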
17. Configuring Kerberos for SSAS
• No Automatic SPN Registration
• Manual SPN registration
• SPN Formats
Default Instance
MSOLAPSvc.3/FQDN
Setspn.exe -S MSOLAPSvc.3/Fully_Qualified_domainName OLAP_Service_Startup_Account
Setspn.exe -S MSOLAPSvc.3/serverHostName OLAP_Service_Startup_Account
Named Instance (unlike a SQL Server Named Instance, the port cannot be used)
MSOLAPSvc.3/FQDN:instancename
Setspn.exe -S MSOLAPSvc.3/Fully_Qualified_domainName:instancename OLAP_Service_Startup_Account
Setspn.exe -S MSOLAPSvc.3/serverHostName:instancename OLAP_Service_Startup_Account
18. Considerations for SSAS Named Instance
Named instance
SPNs for the SQL Browser Service are required for a Named Instance
SQL Browser SPN Formats
MSOLAPDisco.3/FQDN
Setspn.exe -a MSOLAPDisco.3/serverHostName.Fully_Qualified_domainName BrowserServiceStartupAccount
Setspn.exe -a MSOLAPDisco.3/serverHostName BrowserServiceStartupAccount
The Named SSAS instance SPN does not show up in the Delegation Tab
Known Issue for Windows 2003 AD & Windows 2003 Functional Level
http://support.microsoft.com/kb/959202
Requires a manual update to the msDS-AllowedToDelegateTo attribute
19. Demo
Configuring Kerberos for SQL Server
[Diagram: Client -> SQL Server (Default Instance) -> Linked Server -> SSAS (Named Instance); Linked Server Query to SSAS (Delegate to SSAS SPN)]
22. Configuring Kerberos for SSRS
• Requires the Report Server to support the Kerberos Authentication Protocol (RSWindowsNegotiate, RSWindowsKerberos)
• ASP.NET must be configured for Windows Authentication
Web.Config for Report Web Service and Report Manager
<authentication mode="Windows" />
<identity impersonate="true" />
• Client Application or Browser should support Windows Authentication
• An SPN should be registered for every Host Header Name
• Requires an HTTP SPN
Default Instance/Named Instance
Setspn -s http/<computername>.<domainname>:<port> <domain-user-account>
Setspn -s http/<hostheader> <domain-user-account>
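As an added example (not from the deck), this PowerShell script checks the three SSRS prerequisites on the slide from the server's own configuration files and prints the setspn commands the host headers need. The config paths, host headers, port and service account are placeholders; the element names (AuthenticationTypes, authentication, identity) are the standard rsreportserver.config and web.config ones.

```powershell
# Added example, not from the original deck. Paths and names are placeholders.
param(
    [string]$RsConfig  = 'C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config',
    [string]$WebConfig = 'C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\web.config',
    [string]$ComputerFqdn   = 'rsbox.corp.example.com',            # placeholder
    [string[]]$HostHeaders  = @('reports.corp.example.com'),       # placeholder host headers
    [int]$Port              = 80,
    [string]$ServiceAccount = 'CORP\svc-ssrs'                      # placeholder
)
$problems = @()

# 1. rsreportserver.config: Kerberos is only offered when RSWindowsNegotiate or
#    RSWindowsKerberos is listed; RSWindowsNTLM alone breaks the double hop.
[xml]$rs = Get-Content -LiteralPath $RsConfig
$types = @($rs.Configuration.Authentication.AuthenticationTypes.ChildNodes |
           Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object { $_.Name })
if (-not ($types -contains 'RSWindowsNegotiate' -or $types -contains 'RSWindowsKerberos')) {
    $problems += "AuthenticationTypes = [$($types -join ', ')]; add RSWindowsNegotiate"
}

# 2. web.config: ASP.NET must use Windows authentication and impersonate the caller,
#    otherwise the report server has no user ticket to forward to the data source.
[xml]$web = Get-Content -LiteralPath $WebConfig
$auth  = $web.configuration.'system.web'.authentication
$ident = $web.configuration.'system.web'.identity
if ($auth.mode -ne 'Windows')      { $problems += "web.config authentication mode is '$($auth.mode)', expected 'Windows'" }
if ($ident.impersonate -ne 'true') { $problems += "web.config <identity impersonate> is not 'true'" }

# 3. One HTTP SPN per host header plus the computer FQDN:port form from the slide.
$spns = @("http/${ComputerFqdn}:$Port") + ($HostHeaders | ForEach-Object { "http/$_" })
Write-Output "HTTP SPNs required on $ServiceAccount (one setspn call each):"
$spns | ForEach-Object { Write-Output "  setspn -S $_ $ServiceAccount" }

if ($problems) { $problems | ForEach-Object { Write-Output "PROBLEM: $_" } }
else           { Write-Output 'rsreportserver.config and web.config checks passed' }
```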
23. Demo
Configuring Kerberos for SSRS
[Diagram: Browser Client -> Report Server (Default Instance) -> SQL Server; Report using Integrated Windows Security to fetch the data from the Data Source (Delegate to SQL Server)]
26. Configuring Kerberos for SharePoint
• The SharePoint Web Application must be configured for the Negotiate Authentication Protocol
• Requires an HTTP SPN
Setspn -s http/<computername>.<domainname>:<port> <domain-user-account>
Setspn -s http/<hostheader> <domain-user-account>
• HTTP SPNs are required for any alternate access mapping
• Delegation should be configured from the Default App pool to the Integrated Services
• Delegation should be configured from the Integrated Services to the Data Source
27. Kerberos for SSRS 2008 R2 SharePoint Integrated Mode
SQL 2008 R2 Reporting Service Integration with SharePoint
1. HTTP SPNs for SharePoint Web app
2. HTTP SPNs for SSRS
3. MSSQLSvc SPNs for SQL
4. Delegation from SharePoint to SSRS
5. Delegation from SSRS to SQL
28. Kerberos for Shared Services (Excel/RS 2012/PPS) in SharePoint
SQL 2012 Reporting Service/Excel Integration with SharePoint (Shared Services)
1. HTTP SPNs for SharePoint Web app
2. Dummy SPNs for SSRSExcel
3. Dummy SPNs for C2WTS
4. MSSQLSvc SPNs for SQL
5. Delegation from SharePoint to SSRSExcel Account
6. Delegation from SSRSExcel to SQL Server
7. Delegation from C2WTS to SQL Server
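The delegation chains on this slide and the previous one, and the msDS-AllowedToDelegateTo workaround from the SSAS named-instance slide, all come down to one attribute on each intermediate account. This added PowerShell example (not from the deck) audits that attribute for every hop and, with -Repair, writes the missing SPN the same way the Delegation tab would. Account names and SPNs are placeholders; it assumes the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the original deck. Accounts and SPNs are placeholders.
Import-Module ActiveDirectory

# Each hop: the identity that forwards the user's ticket, and the SPNs it must be
# allowed to delegate to. Computer accounts are named with a trailing '$'.
$hops = @(
    @{ Account = 'svc-spapppool'; Targets = @('http/ssrs.corp.example.com', 'http/ssrs') },   # SharePoint -> SSRSExcel
    @{ Account = 'svc-ssrs';      Targets = @('MSSQLSvc/sql.corp.example.com:1433') },        # SSRSExcel -> SQL
    @{ Account = 'svc-c2wts';     Targets = @('MSSQLSvc/sql.corp.example.com:1433') },        # C2WTS -> SQL
    @{ Account = 'svc-sql';       Targets = @('MSOLAPSvc.3/ssas.corp.example.com:INST1',      # SQL linked server -> named SSAS
                                              'MSOLAPSvc.3/ssas:INST1') }
)

function Test-DelegationHop {
    param([string]$Account, [string[]]$Targets, [switch]$Repair)
    # sAMAccountName lookup works for user and computer accounts alike
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)" -Properties 'msDS-AllowedToDelegateTo'
    if (-not $obj) { throw "account '$Account' not found" }
    $allowed = @($obj.'msDS-AllowedToDelegateTo')
    $missing = @($Targets | Where-Object { $allowed -notcontains $_ })
    foreach ($spn in $missing) {
        if ($Repair) {
            # Direct write to the multi-valued attribute: the deck's workaround when the
            # named SSAS SPN is not listed in the Delegation tab. The GUI adds the
            # FQDN and short-name forms together, so $hops lists both.
            Set-ADObject -Identity $obj -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
            Write-Output "ADDED   $Account -> $spn"
        } else {
            Write-Output "MISSING $Account -> $spn"
        }
    }
    if ($missing.Count -eq 0) { Write-Output "OK      $Account already delegates to all required SPNs" }
    return ($missing.Count -eq 0)
}

foreach ($hop in $hops) { [void](Test-DelegationHop @hop) }   # add -Repair to write the attribute
```

After a repair, restart the intermediate service and purge client tickets (klist purge), as the steps slide says, or the old tokens keep being used.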
29. Demo
Configuring Kerberos for SSRS 2012 Reports integrated with SharePoint 2010 with a SQL Data source
[Diagram: Browser Client -> SharePoint (RS 2012 Shared Service, C2WTS) -> SQL Server (Default Instance)]
31. Summary
It is not hard to configure Kerberos but it is easy to misconfigure it
32. References
Kerberos for Microsoft BI
http://social.technet.microsoft.com/wiki/contents/articles/1406.kerberos-for-microsoft-bi-en-us.aspx
Configuring Kerberos for SharePoint 2010 - Chuck Heinzelman
http://northamerica.msteched.com/topic/details/2012/DBI304#fbid=odHBKGXHWp9
Configure Kerberos authentication for SharePoint 2010 Products (white paper)
http://technet.microsoft.com/en-us/library/gg502594.aspx