Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012)
Chuck Heinzelman
Senior Program Manager – BPD CX
Microsoft Corporation
DBI304
Abstract
A top call generator for SharePoint BI is the configuration of Kerberos to allow user credentials to be passed to back-end data sources. With Microsoft SQL Server 2012, Reporting Services will be fully integrated with SharePoint as a service. Come learn how to configure your environment. Learn how to discover what SPNs need to be set, how to configure Constrained Delegation, and how to troubleshoot potential issues.
Kerberos – In 7 Easy Steps
Solve 95% Of Your Kerberos Problems…
Kerberos Terminology and Overview
Definitions
Kerberos: Authentication protocol developed at MIT
Delegation: Granting your authority to someone else
Impersonation: I can “be” someone else
Authentication: Verification that I am who I say I am
Authorization: Verification that I have the rights to do what I want to do
Why Kerberos?
Delegate user credentials to a back-end data source (double-hop issue)
Service Applications that would leverage Kerberos:
PerformancePoint
Excel Services
Reporting Services (SQL Server 2012 change)
Breakdown of 7 Steps
7 Easy Steps!
1. Enable Kerberos on your SharePoint Web Application
2. Enable the Claims to Windows Token Service in SharePoint
3. Create an HTTP SPN for the account that is running the Portal application pool
4. Create a dummy SPN for the account that is running the service application
5. Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
6. Configure Constrained Delegation for the Service Application account to Analysis Services
7. Configure Constrained Delegation for the Application Server machine
Kerberos in the Real World
Real-World Scenarios
Multiple Web Front Ends
Load Balanced URLs
Multiple Application Servers
Multiple Service Application Accounts
SQL Server Services
Multiple Web Front Ends / Load Balanced URLs
Set an HTTP SPN for Every URL
Each WFE (and FQDN)
Load Balancer URL
Don’t Forget Alternate Access Mappings
Remember to check for additional CNAME entries
Multiple Application Servers / Multiple Service Application Accounts
No service-specific SPN is required for the service applications
You will need to set up constrained delegation on the service account
You may need to set up a dummy SPN to enable the Delegation tab in Active Directory Users and Computers
Enable C2WTS on each server
SQL Server Services
Clustered SQL Server
Set the SPN on the VNN
Non-Default Instance of Analysis Services
SQL Browser service needs to be running
An SPN in the form MSOLAPDisco.3 is necessary for the service account under which the Browser service is running
Standard MSOLAPSvc.3 SPN required as well
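As an added example (not part of the session deck), the following PowerShell script derives the SPN list that steps 3 to 5 and the real-world scenario slides call for (an HTTP SPN for every WFE, load-balanced and AAM URL in both short and FQDN form, MSOLAPSvc.3 for Analysis Services, MSOLAPDisco.3 for the Browser service account when the instance is non-default) and checks each one in Active Directory, printing the setspn -S command for any that is missing. The farm names, accounts and URLs are constructed placeholders; it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example, not from the session: derive the SPNs the deck calls for and
# check each one in Active Directory. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample farm (placeholders); replace with your own values.
$Domain      = 'CONTOSO'
$PortalAcct  = 'svc_portalpool'   # account running the portal application pool
$SsasAcct    = 'svc_ssas'         # account running Analysis Services
$BrowserAcct = 'svc_sqlbrowser'   # account running SQL Browser (the computer account, e.g. 'ssas01$', if it runs as a built-in account)
$SsasHost    = 'ssas01'           # for a clustered instance use the VNN, not a node name
$SsasNamed   = $true              # non-default instance: Browser needs MSOLAPDisco.3 too
$DnsSuffix   = 'contoso.local'
# Every name the web application answers to: each WFE, the load-balanced name
# and every Alternate Access Mapping (check DNS for extra CNAMEs as well).
$PortalUrls  = 'http://wfe01', 'http://wfe02', 'http://intranet', 'https://bi.contoso.com'

function Get-RequiredSpn {
    $spns = @()
    foreach ($u in $PortalUrls) {
        $h = ([uri]$u).Host                        # host only; scheme and port drop out
        $spns += [pscustomobject]@{ Spn = "HTTP/$h"; Account = $PortalAcct }
        if ($h -notlike '*.*') {                   # short name: register the FQDN form too
            $spns += [pscustomobject]@{ Spn = "HTTP/$h.$DnsSuffix"; Account = $PortalAcct }
        }
    }
    foreach ($n in $SsasHost, "$SsasHost.$DnsSuffix") {
        $spns += [pscustomobject]@{ Spn = "MSOLAPSvc.3/$n"; Account = $SsasAcct }
        if ($SsasNamed) {
            $spns += [pscustomobject]@{ Spn = "MSOLAPDisco.3/$n"; Account = $BrowserAcct }
        }
    }
    $spns | Sort-Object Spn -Unique
}

foreach ($r in Get-RequiredSpn) {
    # Search the whole domain: the SPN may be missing, present, or registered to
    # the wrong principal. A duplicate SPN stops the KDC issuing a ticket at all.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$($r.Spn))" -Properties sAMAccountName |
             Select-Object -ExpandProperty sAMAccountName
    if (-not $owner) {
        "MISSING  $($r.Spn)  ->  setspn -S $($r.Spn) $Domain\$($r.Account)"
    } elseif (@($owner).Count -gt 1 -or $owner -ne $r.Account) {
        "WRONG    $($r.Spn)  registered to '$($owner -join ',')', expected '$($r.Account)'"
    } else {
        "OK       $($r.Spn)"
    }
}
```

A WRONG line means the SPN already belongs to another principal; resolve that before running the printed setspn -S command, which itself refuses to add a duplicate.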
Related Content
Breakout Sessions (session codes and titles)
OSP201 – Business Intelligence in Microsoft Office and SharePoint 2010
OSP232 – 36 Terabytes: How Microsoft IT Manages SharePoint in the Enterprise
DBI402 – Deploying and Managing a PowerPivot for SharePoint Infrastructure Using Microsoft SQL Server 2012
DBI301 – Building Self-Service BI Applications Using PowerPivot
OSP339 – Advanced Microsoft SharePoint 2010 Upgrade Troubleshooting
DBI332 – Running Reporting Services in SharePoint Integrated Mode: How and Why
DBI306 – Tips and Tricks: Effectively Manage Your SharePoint Farm with BI
DBI327 – How to Extend Your SharePoint BI Dashboard to ALL Devices
OSP431 – Security Design with Claims-Based Authentication
Find Me Later At…
SQL Server TLC Area – I’ll be there quite often!
Track Resources
@sqlserver @TechEd_NA #msTechEd
Connect. Share. Discuss.
http://northamerica.msteched.com
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
Breakout – Step 1
Enable Kerberos on your SharePoint Web Application
Central Administration | Application Management | Manage Web Applications | Authentication Providers
Breakout – Step 2
Enable Claims to Windows Token Service in SharePoint
Central Administration | System Settings | Manage Services on Server | Select “Start” on the Claims to Windows Token Service
Breakout – Step 3
Create an HTTP SPN for the account that is running the Portal application pool
Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
Create an HTTP SPN for all applicable URLs:
a. SetSPN -S HTTP/<Server> Domain\<Service Account>
b. SetSPN -S HTTP/<Server>.<FQDN> Domain\<Service Account>
Repeat steps a and b for every URL that can be used to access that web application (should match your AAM definitions)
Breakout – Step 4
Create a dummy SPN for the account that is running the service application (PerformancePoint, Excel Services & Reporting Services) * this is only necessary if the account running the service application is different from the HTTP service account
Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
Create 1 dummy SPN per service:
SetSPN -S PPS/<Server> Domain\<Service Account>
SetSPN -S RS/<Server> Domain\<Service Account>
Breakout – Step 5
Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
Create MSOLAPSvc.3 SPNs:
SetSPN -S MSOLAPSvc.3/<Server> Domain\<Service Account>
SetSPN -S MSOLAPSvc.3/<Server>.<FQDN> Domain\<Service Account>
Breakout – Step 6
Configure Constrained Delegation for the Service Application account to Analysis Services
Log onto the Domain Controller and open Active Directory Users and Computers
Locate the Service Application Account and edit the properties
Find the Delegation tab
Select the option Trust this user for delegation to specified services only
Select Use any authentication protocol
Click on the Add button
In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
Highlight the service and select OK
Breakout – Step 7
Configure Constrained Delegation from the Application Server machine
Log onto the Domain Controller and open Active Directory Users and Computers
Locate the computer account for the Application Server
Find the Delegation tab
Select the option Trust this computer for delegation to specified services only
Select Use any authentication protocol
Click on the Add button
In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
Highlight the service and select OK
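As an added example (not from the session deck), this PowerShell script verifies the result of steps 6 and 7 by reading the service application account and the application server computer account back from Active Directory: the allowed delegation targets, whether protocol transition ("Use any authentication protocol") is on, and whether unconstrained delegation was chosen by mistake. Account and server names are constructed placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the session: read back from Active Directory what the
# Delegation tab set in steps 6 and 7. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed placeholder names; replace with your own.
$ServiceAppAccount = 'svc_pps'       # account running PerformancePoint / Excel Services / RS
$AppServer         = 'APP01'         # application server computer account
$SsasSpnPrefix     = 'MSOLAPSvc.3/'  # the delegation target registered in step 5

function Test-ConstrainedDelegation {
    param($Account)   # an ADUser or ADComputer fetched with the properties listed below
    # msDS-AllowedToDelegateTo   = "Trust this user for delegation to specified services only"
    # TrustedToAuthForDelegation = "Use any authentication protocol" (protocol transition),
    #   which C2WTS relies on because it builds the Windows token from a claims identity,
    #   not from a Kerberos ticket the user presented to SharePoint.
    # TrustedForDelegation       = unconstrained delegation; should stay off.
    $targets = @($Account.'msDS-AllowedToDelegateTo')
    $toSsas  = @($targets | Where-Object { $_ -like "$SsasSpnPrefix*" })
    [pscustomobject]@{
        Account            = $Account.SamAccountName
        HasSpn             = (@($Account.ServicePrincipalNames).Count -gt 0)  # tab needs an SPN (step 4)
        Unconstrained      = [bool]$Account.TrustedForDelegation            # expect False
        ProtocolTransition = [bool]$Account.TrustedToAuthForDelegation      # expect True
        DelegatesToSsas    = ($toSsas.Count -gt 0)                          # expect True
        Targets            = ($targets -join ', ')
    }
}

$props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'ServicePrincipalNames'
$results = @(
    Test-ConstrainedDelegation (Get-ADUser     $ServiceAppAccount -Properties $props)   # step 6
    Test-ConstrainedDelegation (Get-ADComputer $AppServer         -Properties $props)   # step 7
)
$results | Format-List
$results | Where-Object { $_.Unconstrained -or -not $_.ProtocolTransition -or -not $_.DelegatesToSsas } |
    ForEach-Object { Write-Warning "$($_.Account): delegation does not match steps 6/7" }
```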