
Post on 17-Dec-2015


Kerberos for SQL Server and SharePoint

… the easy way!

Image © Wikimedia CC

Platinum Sponsor

Gold Sponsors
Please visit our Gold Sponsor stands, we couldn't do it without you…

About me
◦ MCTS in SQL Server and SharePoint
◦ Over a decade of Microsoft solution development and architecture
◦ Lately focused on SQL Server 2012 BI in SharePoint Integrated Mode
◦ I like dogs, especially big ones

What’s it going to be?
◦ Focus on SharePoint + SQL Server
◦ Why Kerberos
◦ Service Principal Names
◦ Delegation options
◦ Claims & Kerberos
◦ Testing & Troubleshooting
◦ Live Demo!

DON’T PANIC

Kerberos: why bother?
◦ More secure, less DC load, interoperability...
◦ Enables delegation!
  ◦ Unified security at data source level
  ◦ Data driven security
  ◦ Personalised reports

Kerberos delegation
[Diagram: Client -> SP Farm or DB server -> Data Source. 1st “hop” (client to SP farm): NTLM or Kerberos, any protocol. 2nd “hop” (SP farm to data source, impersonating the user): Kerberos delegation, Kerberos only!]

This is all it takes:
1. Identify your data sources: Service Principal Names
2. Decide on your delegation: constrained or not?
3. Set delegation type
4. Allow data sources to be delegated to
Easy, right?

SPN: where is my service?
◦ Service Principal Name: what (service) and where (computer or “principal”) to connect to
◦ Identifies the target: not the delegating service, certainly not the client, but the Data Source Service!

Service Principal Name format:
<service class>/<NetBIOS>[:<port or instance>]
and/or
<service class>/<FQDN>[:<port or instance>]

So how you gonna do it?
setspn.exe -S <SPN> <AccountName>

◦ Service identity: the service account as <domain\username>, or the host account if the service runs as Local System
◦ Host identity: the NetBIOS name or FQDN in the SPN

SetSpn1: SQL Server Database Engine
◦ Host server: NetBIOS BI-SQL, FQDN BI-SQL.HADES.LOCAL (domain Hades.Local), port 49753
◦ Database service account identity: HADES\SQL-DB

SETSPN -S MSSQLSVC/BI-SQL:49753 HADES\SQL-DB

(MSSQLSVC = database service class, BI-SQL = host server, 49753 = port, HADES\SQL-DB = database service account identity)
OR use the FQDN BI-SQL.HADES.LOCAL in place of the NetBIOS name.

SetSpn2: SQL Analysis Services
◦ Host server: NetBIOS BI-SQL, FQDN BI-SQL.HADES.LOCAL (domain Hades.Local), instance UDM
◦ SSAS service account identity: HADES\SQL-SSAS

SETSPN -S MSOLAPSVC.3/BI-SQL:UDM HADES\SQL-SSAS

(MSOLAPSVC.3 = Analysis Services service class, BI-SQL = host server, UDM = instance, HADES\SQL-SSAS = SSAS service account identity)
OR use the FQDN BI-SQL.HADES.LOCAL in place of the NetBIOS name.

SetSpn3: SharePoint Portal Site
◦ Host server: SharePoint WFE (IIS server SP-WFE, domain Hades.Local)
◦ DNS “A” record: OLYMPUS (OLYMPUS.HADES.LOCAL), port 80
◦ SharePoint Portal application pool identity: HADES\SP-PORTAL

SETSPN -S HTTP/OLYMPUS HADES\SP-PORTAL

OR use the FQDN OLYMPUS.HADES.LOCAL in place of the NetBIOS name.
Now I can see the Delegation tab!

SetSpn4: Arbitrary SPN
◦ Delegating account: HADES\SP-XLS-SVC (domain Hades.Local)
◦ Arbitrary string, non-existing service

SETSPN -S DUMMYSPN HADES\SP-XLS-SVC

SPN: lessons learned
◦ Identifies the target
◦ Stored against target’s identity
◦ Instance name for Analysis Services
◦ Arbitrary SPN to show delegation tab
◦ Don’t forget discovery services for SQL2005
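As an added example (not from the deck), the SPN template above written as a PowerShell helper: it builds the NetBIOS and FQDN forms of an SPN, checks the 15-character NetBIOS limit the deck warns about in its Gotcha slide, and registers both forms with setspn after checking for duplicates. The domain, host and account names are the deck's lab values; the function names are my own.

```powershell
# Added example: build both forms of an SPN from the deck's template
# <service class>/<host>[:<port or instance>] and register them with setspn.
# Function names are invented for this example; HADES/BI-SQL are the deck's lab values.

function New-KerberosSpnPair {
    param(
        [Parameter(Mandatory)] [string] $ServiceClass,   # MSSQLSVC, MSOLAPSVC.3, HTTP ...
        [Parameter(Mandatory)] [string] $NetBiosName,    # host's short name
        [Parameter(Mandatory)] [string] $DnsDomain,      # e.g. HADES.LOCAL
        [string] $PortOrInstance                         # 49753 (non-default port) or UDM (SSAS instance)
    )
    # NetBIOS names are capped at 15 characters; a longer short name means the
    # NetBIOS form of the SPN can never match what the client asks for.
    if ($NetBiosName.Length -gt 15) {
        throw "NetBIOS name '$NetBiosName' exceeds the 15-character limit"
    }
    $suffix = if ($PortOrInstance) { ":$PortOrInstance" } else { '' }
    # Clients build the SPN from whichever host name they were given, so
    # register both the NetBIOS and the FQDN form against the same account.
    return @("$ServiceClass/$NetBiosName$suffix",
             "$ServiceClass/$NetBiosName.$DnsDomain$suffix")
}

function Register-KerberosSpn {
    param(
        [Parameter(Mandatory)] [string[]] $Spn,
        [Parameter(Mandatory)] [string]   $Account   # DOMAIN\user, or DOMAIN\host$ for Local System
    )
    foreach ($s in $Spn) {
        # A duplicate SPN (same string on two accounts) leaves the KDC unable to
        # pick a key and the client silently falls back to NTLM, so query first.
        $query = setspn -Q $s
        if ($query -match 'Existing SPN found') {
            Write-Warning "$s is already registered:`n$($query -join "`n")"
            continue
        }
        # -S checks for duplicates again before adding (unlike the older -A).
        setspn -S $s $Account
    }
    setspn -L $Account    # show everything the account now holds
}

# Database engine on a fixed port (deck's SetSpn1) and Analysis Services instance (SetSpn2)
$dbSpns   = New-KerberosSpnPair -ServiceClass MSSQLSVC    -NetBiosName BI-SQL -DnsDomain HADES.LOCAL -PortOrInstance 49753
$ssasSpns = New-KerberosSpnPair -ServiceClass MSOLAPSVC.3 -NetBiosName BI-SQL -DnsDomain HADES.LOCAL -PortOrInstance UDM
Register-KerberosSpn -Spn $dbSpns   -Account 'HADES\SQL-DB'
Register-KerberosSpn -Spn $ssasSpns -Account 'HADES\SQL-SSAS'
```

Run it on a domain-joined machine as an account allowed to write servicePrincipalName on the target accounts; setspn -X afterwards lists any duplicates that already existed before you started.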

Delegation options
◦ Basic (unconstrained): to any service
◦ Constrained: only if allowed

Constrained or basic?
Basic
◦ Delegates to any service
◦ Cross-domain delegation
◦ No protocol transition
◦ Can precede constrained
Constrained
◦ Any service can use
◦ Most require
◦ More secure
◦ Only delegates if allowed!
◦ Only within a domain

... speaking of domain boundaries
[Diagram: Client -> SharePoint Farm -> Data Source, with Kerberos on one hop and NTLM on the other; domains MSFT.com, pintoso.MSFT.com and contoso.MSFT.com. No trust is OK: constrained delegation works!]

Trust is a must:
[Diagram: Client -> SharePoint Farm -> Data Source, with NTLM or basic Kerberos on one hop and basic Kerberos on the other; domains MSFT.com, pintoso.MSFT.com and contoso.MSFT.com. Must have a two-way trust.]

So, which one then?
Use Basic for
◦ SSRS (SQL Reporting Services) to connect to another domain
◦ When security is not critical
Use Constrained for
◦ Any other case!

Constrained Delegation

Setting Up Delegation
[Diagram: Client (NTLM or Kerberos) -> SP Farm (delegating account) -> Data Source (SPN account)]

Add a dummy SPN to the delegating account to bring up the Delegation tab in ADUC:
[ADUC Delegation tab screenshot, with callouts: the setting that allows trust for constrained delegation, and the option that enables protocol transition for SharePoint]

Add Allowed services (2008 AD)
Select allowed SPNs:
◦ Use ADUC Delegation tab
◦ Locate SPN’s account
◦ Click to select SPNs to add

Add Allowed services (pre 2008 AD)
◦ ADSIEdit (easier): same string as in the SETSPN statement
◦ PowerShell: not for wimps; Active Directory Module: Set-ADObject, Get-ADObject, Set-KCD
◦ CMD (document): ldifde

So, What Do I Do Again?
1. Set your SPNs (inc. Dummy and Browser 2005); use “KerberosHelper.xlsx” from www.data-united.co.uk
2. Decide: Basic or Constrained?
3. Set delegation type
4. Add Allowed SPNs (for constrained)
5. Test working, sit back and relax!

Let me know if it doesn't work: www.data-united.co.uk
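The delegation steps above done with the Active Directory module the deck mentions, as an added example that is not the deck's own script or the KerberosHelper workbook: register the dummy SPN, add the data-source SPNs to msDS-AllowedToDelegateTo, switch on protocol transition for the SharePoint account, and read the result back. Account and SPN values are the deck's lab names; the function names are assumptions.

```powershell
# Added example: constrained delegation with protocol transition for a SharePoint
# service account, using the ActiveDirectory module. Function names are invented;
# SP-XLS-SVC and the SPNs come from the deck's SetSpn slides.
Import-Module ActiveDirectory

function Set-SharePointConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $DelegatingAccount,   # sAMAccountName, e.g. SP-XLS-SVC
        [Parameter(Mandatory)] [string[]] $AllowedSpn,          # SPNs of the data sources
        [string] $DummySpn = 'DUMMYSPN'                         # the deck's arbitrary SPN
    )
    # 1. An account only shows a Delegation tab in ADUC once it owns an SPN; the
    #    attribute write below does the same job as the deck's SETSPN -S DUMMYSPN.
    Set-ADUser -Identity $DelegatingAccount -ServicePrincipalNames @{Add = $DummySpn}

    # 2. Allow-list the data-source SPNs: this is msDS-AllowedToDelegateTo, the
    #    attribute the deck later inspects with ldifde. -Add keeps existing entries.
    Set-ADUser -Identity $DelegatingAccount -Add @{'msDS-AllowedToDelegateTo' = $AllowedSpn}

    # 3. Protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION): SharePoint needs it
    #    because the user arrives as a claim, not as a Kerberos ticket. Leave the
    #    unconstrained ("Basic") flag off; constrained and basic are alternatives.
    Set-ADAccountControl -Identity $DelegatingAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

function Get-DelegationState {
    param([Parameter(Mandatory)] [string] $Account)
    Get-ADUser -Identity $Account -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
            @{n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' }}
}

# Excel Services account (SetSpn4) allowed to reach the database engine (SetSpn1)
# and Analysis Services (SetSpn2), both NetBIOS and FQDN forms of each SPN.
Set-SharePointConstrainedDelegation -DelegatingAccount 'SP-XLS-SVC' -AllowedSpn @(
    'MSSQLSVC/BI-SQL:49753',  'MSSQLSVC/BI-SQL.HADES.LOCAL:49753',
    'MSOLAPSVC.3/BI-SQL:UDM', 'MSOLAPSVC.3/BI-SQL.HADES.LOCAL:UDM'
)
Get-DelegationState -Account 'SP-XLS-SVC'
```

The SPN strings in msDS-AllowedToDelegateTo must match a registered SPN character for character, which is why the deck says to paste the same string as in the SETSPN statement.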

.. and don’t just blame Kerberos
Claims to Windows Token Service (C2WTS)
◦ SharePoint protocol transition:
[Diagram: Client (NTLM or Kerberos) -> SharePoint Web Frontend -> STS (claims) -> SharePoint Application Server -> C2WTS (UPN claim -> Windows token) -> Data Source (Kerberos delegation!)]

C2WTS checklist
◦ Starts automatically
◦ Depends on Cryptographic Service: sc config c2wts depend= CryptSvc
◦ Service identity is trusted for delegation
  ◦ Local System by default (and should stay that way)
  ◦ If changed to a Windows identity, it must be a local admin
◦ Claims-aware services are allowed callers: c2wtshost.exe.config
◦ Use Rodney Viana's little tool c2WTSTest.exe

Testing Kerberos
◦ “NT Authority/Anonymous” is no more!
◦ Profiler shows your login
◦ Test every service against every data source

Gotcha!
◦ 15 character limit on Windows NetBIOS
◦ Open port 88 on the firewall
◦ SPN for SQL 2005 browser/discovery services
◦ Sensitive client account

Troubleshooting Kerberos
◦ Enable Kerberos logging (don’t forget about it!): registry hack http://support.microsoft.com/kb/262177
◦ Check Kerberos errors in the Event log on the SP App server and the client
◦ ULS log (SP App server with Verbose)
◦ Use Event log, Kerbtray and Kerberos helper tools to check for common errors
◦ Use klist purge to re-test Kerberos
◦ Use dcdiag to check SPNs

Demo time!

After…
◦ Sponsor competition draws in the Exhibition Hall, 17:15

Community Events

◦ SQL Saturday Edinburgh, 7/8 June: www.sqlsaturday.com/202/
◦ SQL Relay, 17/27 June: www.sqlrelay.co.uk
◦ SQL Saturday Dublin, 21/22 June: www.sqlsaturday.com/229/
◦ SQL Saturday Cambridge, 27 September: www.sqlsaturday.com/228/
◦ UK User Groups, all the time: www.sqlserverfaq.com

Feedback

Please complete feedback:
◦ Thursday: http://sqlbits.com/SQLBitsXIThursday
◦ Friday: http://sqlbits.com/SQLBitsXIFriday
◦ Saturday: http://sqlbits.com/SQLBitsXISaturday
◦ General feedback: http://sqlbits.com/SQLBitsXI

We hope you had a great conference day! Keep checking www.sqlbits.com for slides, videos and news of the next conference.

#SQLBITS

Glossary
◦ Kerberos: authentication protocol
◦ Principal: a computer in the Kerberos protocol, usually the target
◦ UPN: User Principal Name
◦ FQDN: Fully Qualified Domain Name
◦ WCF: Windows Communication Foundation (.NET)
◦ C2WTS: WCF service granting a Windows token for a UPN claim

Links: getting started
◦ How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
◦ Overview of Kerberos authentication for Microsoft SharePoint 2010 Products: http://technet.microsoft.com/en-us/library/gg502594.aspx
◦ Kerberos Guide for SharePoint 2013: http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
◦ Kerberos Blog and Resources: www.data-united.co.uk

Scripting tips: Command Prompt
◦ List all Kerberos tickets on the principal (a ticket must be present for the URL, otherwise NTLM is used):
  klist
◦ Purge Kerberos tickets (run on all principals to avoid reboot/wait):
  klist purge
◦ List all msDS-AllowedToDelegateTo properties for a single account (only computers with ):
  ldifde -f c:\temp\filename.txt -d "CN=SA_SVC_C2WTS,OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
◦ List all msDS-AllowedToDelegateTo properties for all accounts in an OU:
  ldifde -f c:\temp\filename.txt -d "OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
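An added troubleshooting script (not from the deck) covering the Troubleshooting Kerberos slide and the Command Prompt tips above: it sets the KB 262177 LogLevel value, pulls recent Kerberos client errors from the System log, checks the ticket cache for a given SPN, and lists every account in an OU that has msDS-AllowedToDelegateTo set, using the AD module in place of ldifde. Function names are mine; the OU path is the deck's contoso example and the HTTP SPN is the deck's portal SPN.

```powershell
# Added example: Kerberos troubleshooting helpers. Function names are invented;
# registry path/value are the ones KB 262177 documents; paths and SPNs are lab values.
Import-Module ActiveDirectory

# Turn Kerberos client event logging on (1) or back off (0). The deck's advice:
# don't forget to turn it off again, it is noisy.
function Set-KerberosEventLogging {
    param([ValidateSet(0, 1)] [int] $LogLevel = 1)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name LogLevel -Value $LogLevel -Type DWord
}

# Kerberos client errors (KRB_AP_ERR_MODIFIED, KDC_ERR_S_PRINCIPAL_UNKNOWN ...)
# land in the System log under this provider; run on the SP App server and the client.
function Get-RecentKerberosErrors {
    param([int] $Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'Summary'; e = { ($_.Message -split "`n")[0] }}
}

# True if a service ticket for the SPN sits in the current logon's cache.
# No ticket after hitting the URL means the client negotiated NTLM, not Kerberos.
function Test-ServiceTicketPresent {
    param([Parameter(Mandatory)] [string] $Spn)
    $tickets = klist tickets
    return [bool]($tickets -match [regex]::Escape($Spn))
}

# AD-module equivalent of the deck's ldifde query: every account under the OU
# that is allowed to delegate, with the SPNs it may delegate to.
function Get-ConstrainedDelegationReport {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Name
                AllowedTo = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

Set-KerberosEventLogging -LogLevel 1
klist purge    # drop cached tickets so the next request re-runs the AS/TGS exchange
Get-RecentKerberosErrors -Hours 1
Test-ServiceTicketPresent -Spn 'HTTP/OLYMPUS.HADES.LOCAL'
Get-ConstrainedDelegationReport -SearchBase 'OU=Service Accounts,DC=contoso,DC=msft,DC=com'
```

Open the portal URL between the purge and the ticket check, from the same logon session, or the check will always report no ticket.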