Kerberos for SQL Server and SharePoint … the easy way! Image © Wikimedia CC

Page 1: … the easy way! Image © Wikimedia CC. Please visit our Gold Sponsor stands, we couldn't do it without you…

Kerberos for SQL Server and SharePoint

… the easy way!

Image © Wikimedia CC

Page 2:

Platinum Sponsor

Page 3:

Gold Sponsors. Please visit our Gold Sponsor stands, we couldn't do it without you…

Page 4:

About me

MCTS in SQL Server and SharePoint
Over a decade of Microsoft solution development and architecture
Lately focused on SQL Server 2012 BI in SharePoint Integrated Mode
I like dogs, especially big ones

Page 5:

What's it going to be?

Focus on SharePoint + SQL Server
Why Kerberos
Service Principal Names
Delegation options
Claims & Kerberos
Testing & Troubleshooting
Live Demo!

DON'T PANIC

Page 6:

Kerberos: why bother?

More secure, less DC load, interoperability...

Enables delegation!
◦ Unified security at data source level
◦ Data-driven security
◦ Personalised reports

(Diagram: client → SP farm or DB server over NTLM or Kerberos; SP farm → data source via Kerberos delegation)

Page 7:

Kerberos delegation

(Diagram: client → SP farm → data source)
1st "hop" (client to SP farm): any protocol, NTLM or Kerberos (with protocol transition, see the constrained delegation slides)
2nd "hop" (SP farm to data source): Kerberos only! The farm impersonates the user towards the data source.

Page 8:

This is all it takes:

Identify your data sources: Service Principal Names
Decide on your delegation: constrained or not?
Set delegation type
Allow data sources to be delegated to

Easy, right?

Page 9:

SPN: where is my service? (1)

Service Principal Name
◦ What (service) and
◦ Where (computer, or "principal") to connect to

Identifies the target
◦ Not the delegating service
◦ Certainly not the client
◦ The data source service!

Page 10:

So how you gonna do it? (1)

Service Principal Name format:
<service class>/<NetBIOS name>[:<port or instance>]
and/or
<service class>/<FQDN>[:<port or instance>]
Clients build the SPN from whichever name they connected with, so in practice register both forms.

setspn.exe -S <SPN> <AccountName>
◦ -S checks the forest for an existing registration before adding; a duplicate SPN breaks Kerberos for that service

Service identity: the account the service runs as, given as <domain\username>, or the host (computer) account if the service runs as Local System (or Network Service)
Host identity

Page 11:

SetSpn1: SQL Server Database Engine

Domain: HADES.LOCAL
Host server (NetBIOS): BI-SQL, FQDN: BI-SQL.HADES.LOCAL
Port: 49753
Database service account identity: HADES\SQL-DB
Database service class: MSSQLSvc

SETSPN -S MSSQLSVC/BI-SQL:49753 HADES\SQL-DB
OR
SETSPN -S MSSQLSVC/BI-SQL.HADES.LOCAL:49753 HADES\SQL-DB

Caveat: 49753 sits in the dynamic port range. If the instance is on a dynamic port, fix it to a static port first, otherwise the SPN is wrong after the next service restart.

Page 12:

SetSpn2: SQL Analysis Services

Domain: HADES.LOCAL
Host server (NetBIOS): BI-SQL, FQDN: BI-SQL.HADES.LOCAL
Instance: UDM (a named SSAS instance is identified by instance name, not port)
SSAS service account identity: HADES\SQL-SSAS
Analysis Services service class: MSOLAPSvc.3

SETSPN -S MSOLAPSVC.3/BI-SQL:UDM HADES\SQL-SSAS
OR
SETSPN -S MSOLAPSVC.3/BI-SQL.HADES.LOCAL:UDM HADES\SQL-SSAS

Page 13:

SetSpn3: SharePoint Portal Site

IIS server (SharePoint WFE host): SP-WFE, domain HADES.LOCAL
DNS "A" record: OLYMPUS (use an A record, not a CNAME: with a CNAME the browser builds the SPN for the canonical host instead of the site name)
Port: 80 (the default port is never part of an HTTP SPN)
SharePoint portal application pool identity: HADES\SP-PORTAL (the SPN goes on the app pool account, not on the WFE host)

SETSPN -S HTTP/OLYMPUS HADES\SP-PORTAL
OR
SETSPN -S HTTP/OLYMPUS.HADES.LOCAL HADES\SP-PORTAL

Page 14:

SetSpn4: Arbitrary SPN

Domain: HADES.LOCAL
Delegating account: SP-XLS-SVC
Arbitrary string, non-existing service: DUMMYSPN

SETSPN -S DUMMYSPN HADES\SP-XLS-SVC

Now I can see the Delegation tab! (ADUC only shows the tab for accounts that carry at least one SPN; the dummy value itself is never used for authentication.)

Page 15:

SPN: lessons learned (1)

Identifies the target
Stored against the target's identity
Instance name for Analysis Services
Arbitrary SPN to show the Delegation tab
Don't forget discovery services for SQL 2005
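The SPN steps from the last few slides as one script. This is an added example, not from the deck: it registers the slides' SPNs (database engine on a fixed port, SSAS named instance, portal site) in both NetBIOS and FQDN form, enforces the 15-character NetBIOS limit, checks for an existing registration before each add and finishes with a forest-wide duplicate check. Host, port, instance and account names are the slides' own; `$DryRun` and `$DomainFqdn` are assumptions. Run as a domain admin on a domain-joined box.

```powershell
# Added example (not from the deck): register the slides' SPNs in BOTH NetBIOS and FQDN form.
# $DryRun = $true only prints the setspn commands; set it to $false to apply them.
$DryRun     = $true
$DomainFqdn = 'HADES.LOCAL'          # assumption: the deck's domain

# One row per data source or web app: service class, host (NetBIOS), port/instance, owning account
$spnPlan = @(
    @{ Class = 'MSSQLSvc';    HostName = 'BI-SQL';  Suffix = '49753'; Account = 'HADES\SQL-DB'    }  # DB engine, static port
    @{ Class = 'MSOLAPSvc.3'; HostName = 'BI-SQL';  Suffix = 'UDM';   Account = 'HADES\SQL-SSAS'  }  # SSAS named instance
    @{ Class = 'HTTP';        HostName = 'OLYMPUS'; Suffix = $null;   Account = 'HADES\SP-PORTAL' }  # app pool; port 80 never appears in an HTTP SPN
)

function New-SpnPair {
    param([string]$Class, [string]$HostName, [string]$Suffix)
    # Gotcha from the deck: NetBIOS names are limited to 15 characters
    if ($HostName.Length -gt 15) { throw "'$HostName' exceeds the 15-character NetBIOS limit" }
    $tail = if ($Suffix) { ":$Suffix" } else { '' }
    # Clients build the SPN from whichever name they connected with, so register both forms
    @("$Class/$HostName$tail", "$Class/$HostName.$DomainFqdn$tail")
}

foreach ($row in $spnPlan) {
    foreach ($spn in (New-SpnPair -Class $row.Class -HostName $row.HostName -Suffix $row.Suffix)) {
        # setspn -Q looks the SPN up forest-wide and prints "Existing SPN found!" if any account has it
        $lookup = & setspn.exe -Q $spn 2>&1
        if ($lookup -match 'Existing SPN found') {
            $owner = ($lookup | Where-Object { $_ -like 'CN=*' }) -join ', '
            Write-Warning "$spn is already registered on $owner; adding it again would create a duplicate"
            continue
        }
        if ($DryRun) { "setspn -S $spn $($row.Account)" }
        else         { & setspn.exe -S $spn $row.Account }    # -S refuses to add a duplicate
    }
}

# A duplicate SPN anywhere in the forest silently breaks Kerberos for that service: check after every change
& setspn.exe -X -F

# List what each account now carries
$spnPlan | ForEach-Object { $_.Account } | Sort-Object -Unique | ForEach-Object {
    "`n== $_"
    & setspn.exe -L $_
}
```

The `-Q` lookup before each `-S` is there so the script reports *which* account already holds the SPN; `-S` alone would only refuse the add.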

Page 16:

Delegation options (2)

Basic (unconstrained)
◦ To any service
Constrained
◦ Only if allowed

Page 17:

Constrained or basic? (2)

Basic
◦ Delegates to any service
◦ Cross-domain delegation
◦ No protocol transition
◦ Can precede constrained
◦ Caveat: the delegating account holds copies of users' TGTs, so compromising it yields those users' identity towards every service

Constrained
◦ Any service can use
◦ Most require
◦ More secure
◦ Only delegates if allowed!
◦ Only within a domain (on 2008-era AD; Windows Server 2012 resource-based constrained delegation relaxes this)

Page 18:

... speaking of domain boundaries

(Diagram: client in MSFT.com → SharePoint farm in pintoso.MSFT.com (Kerberos) → data source in contoso.MSFT.com (NTLM))

No trust is OK! Constrained delegation works!

Page 19:

Trust is a must:

(Diagram: client in MSFT.com → SharePoint farm in pintoso.MSFT.com (NTLM or basic Kerberos) → data source in contoso.MSFT.com (basic Kerberos))

Must have a two-way trust between pintoso.MSFT.com and contoso.MSFT.com

Page 20:

So, which one then? (2)

Use Basic for
◦ SSRS (SQL Reporting Services) to connect to another domain
◦ When security is not critical
Use Constrained for
◦ Any other case!

Page 21:

Setting Up Delegation

(Diagram: client → SP farm (NTLM or Kerberos) → data source; the delegating account is the farm's service account, the SPN account is the data source's)

Page 22:

Constrained Delegation (3)

Add a dummy SPN to the delegating account to bring up the Delegation tab in ADUC, then on that tab:
◦ "Trust this user for delegation to specified services only" allows trust for constrained delegation
◦ "Use any authentication protocol" enables protocol transition for SharePoint (needed because the first hop from a claims user is not Kerberos)

Page 23:

Add Allowed services (2008 AD) (4)

Select allowed SPNs:
◦ Use the ADUC Delegation tab
◦ Locate the SPN's account
◦ Click to select the SPNs to add

Page 24:

Add Allowed services (pre-2008 AD)

ADSIEdit (easier):
◦ Same string as in the SETSPN statement
PowerShell:
◦ Not for wimps
◦ Active Directory module: Set-ADObject, Get-ADObject, Set-KCD
CMD (document):
◦ ldifde
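The "not for wimps" route from the last three slides, written out. This is an added example, not the deck's script or Set-KCD: it puts the dummy SPN on the delegating account, sets constrained delegation with protocol transition (the two Delegation-tab options) through the ActiveDirectory module instead of ADUC or ADSIEdit, writes the allowed SPN list into msDS-AllowedToDelegateTo and reads it all back. The account and SPNs are the slides'; the use of `SP-XLS-SVC` as the delegating account for the SQL and SSAS sources is an assumption.

```powershell
# Added example (not from the deck): constrained delegation + protocol transition on a
# SharePoint service account, equivalent to the ADUC Delegation tab settings.
Import-Module ActiveDirectory

$delegating  = 'SP-XLS-SVC'                    # sAMAccountName of the account that impersonates users (assumption)
$allowedSpns = @(                              # the data sources it may delegate to, same strings as in the SETSPN statements
    'MSSQLSvc/BI-SQL:49753',  'MSSQLSvc/BI-SQL.HADES.LOCAL:49753',
    'MSOLAPSvc.3/BI-SQL:UDM', 'MSOLAPSvc.3/BI-SQL.HADES.LOCAL:UDM'
)

# 1. Dummy SPN so ADUC shows the Delegation tab (the value itself is never used)
& setspn.exe -S DUMMYSPN "HADES\$delegating"

# 2. Delegation type. TrustedForDelegation is basic/unconstrained ("any service"): keep it off.
#    TrustedToAuthForDelegation is protocol transition ("use any authentication protocol"), needed for claims users.
Set-ADAccountControl -Identity $delegating -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# 3. Allowed target services: this list is what makes the delegation "constrained"
Set-ADUser -Identity $delegating -Replace @{ 'msDS-AllowedToDelegateTo' = $allowedSpns }

# 4. Read it back the way ldifde/ADSIEdit would show it
$acct = Get-ADUser -Identity $delegating -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
[pscustomobject]@{
    Account            = $acct.SamAccountName
    Unconstrained      = [bool]($acct.userAccountControl -band 0x80000)     # TRUSTED_FOR_DELEGATION: should be False
    ProtocolTransition = [bool]($acct.userAccountControl -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION: should be True
    AllowedTo          = $acct.'msDS-AllowedToDelegateTo' -join '; '
    SPNs               = $acct.servicePrincipalName -join '; '
} | Format-List
```

`-Replace` overwrites the whole allowed list; use `-Add` with the same hashtable to append a new data source to an account that already delegates elsewhere.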

Page 25:

So, What Do I Do Again?

Set your SPNs (inc. dummy and Browser for 2005)
Use "KerberosHelper.xlsx" from www.data-united.co.uk
Decide: basic or constrained?
Set delegation type
Add allowed SPNs (for constrained)
Test working, sit back and relax!

Let me know if it doesn't work: www.data-united.co.uk

Page 26:

.. and don't just blame Kerberos

Claims to Windows Token Service (C2WTS)
◦ SharePoint protocol transition

(Diagram: client → SharePoint web frontend (NTLM or Kerberos) → SharePoint application server → data source (Kerberos delegation). The STS issues claims; C2WTS takes the UPN claim and returns a Windows token, which the application server then delegates with Kerberos.)

Page 27:

C2WTS checklist

Starts automatically
Depends on Cryptographic Service
◦ sc config c2wts depend= CryptSvc
Service identity is trusted for delegation
◦ Local System by default (and should stay that way; delegation is then configured on the server's computer account)
◦ If changed to a Windows identity, it must be a local admin
Claims-aware services are allowedCallers
◦ c2wtshost.exe.config
Use Rodney Viana's little tool c2WTSTest.exe
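The checklist above as a script to run on a SharePoint application server. This is an added example, not from the deck or from c2WTSTest.exe: it reads the service's start mode, identity and dependencies, checks delegation on whichever AD object C2WTS actually runs as, and lists the allowedCallers from c2wtshost.exe.config. The config path is the default WIF 3.5 location and the `allowedCallers/add` element layout is an assumption (the slide only names the file and the setting); `WSS_WPG` is the SharePoint worker-process group and is an assumption here too.

```powershell
# Added example (not from the deck): run the C2WTS checklist on a SharePoint app server.
Import-Module ActiveDirectory

$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'"
$deps = (Get-Service -Name c2wts).ServicesDependedOn.Name

$report = [ordered]@{
    StartMode         = $svc.StartMode                     # expect 'Auto'
    RunsAs            = $svc.StartName                     # expect 'LocalSystem'
    DependsOnCryptSvc = [bool]($deps -contains 'CryptSvc')
}
if (-not $report.DependsOnCryptSvc) {
    & sc.exe config c2wts depend= CryptSvc                 # the slide's fix; restart c2wts afterwards
}

# Delegation lives on the identity C2WTS runs as: Local System -> this server's computer account,
# a domain account -> that user (which the slide says must also be a local admin)
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo'
$identity = if ($svc.StartName -eq 'LocalSystem') {
    Get-ADComputer -Identity $env:COMPUTERNAME -Properties $props
} else {
    Get-ADUser -Identity (($svc.StartName -split '\\')[-1]) -Properties $props
}
$report.DelegationOn        = $identity.Name
$report.ProtocolTransition  = [bool]($identity.userAccountControl -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION
$report.Unconstrained       = [bool]($identity.userAccountControl -band 0x80000)     # TRUSTED_FOR_DELEGATION (should be False)
$report.AllowedToDelegateTo = $identity.'msDS-AllowedToDelegateTo' -join '; '

# allowedCallers: only members of these local groups may ask C2WTS for a token
$cfg = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'   # assumption: default WIF 3.5 path
[xml]$x = Get-Content -Path $cfg
$callers = $x.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.value }    # assumption: <allowedCallers><add value="..."/>
$report.AllowedCallers      = $callers -join ', '
$report.SharePointGroupIsCaller = [bool]($callers -contains 'WSS_WPG')             # assumption: SharePoint's worker-process group

[pscustomobject]$report | Format-List
```

An empty `AllowedToDelegateTo` with `ProtocolTransition = False` on the computer account is the usual reason a claims user reaches the data source as anonymous even though the SPNs are all correct.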

Page 28:

Testing Kerberos

"NT AUTHORITY\ANONYMOUS LOGON" is no more!
SQL Profiler shows your login (the end user's, not the service account's)
Test every service against every data source

Page 29:

Gotcha!

15-character limit on Windows NetBIOS names
Open port 88 (TCP and UDP) on the firewall towards the domain controllers
SPN for SQL 2005 browser/discovery services
Sensitive client account (a user with "Account is sensitive and cannot be delegated" set will never be delegated, whatever the service account allows)

Page 30:

Troubleshooting Kerberos

Enable Kerberos logging (and don't forget to turn it off again!): registry hack http://support.microsoft.com/kb/262177
Check Kerberos errors in the event log on the SP app server and on the client
ULS log (SP app server with Verbose)
Use event log, Kerbtray and Kerberos helper tools to check for common errors
Use klist purge to re-test Kerberos (cached tickets outlive an SPN fix)
Use dcdiag to check SPNs
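One test cycle from the list above (and the sensitive-account gotcha from the slide before it), as an added example that is not part of the deck: it checks the calling user's "sensitive" flag, turns on KB 262177 logging, purges the ticket cache, requests the portal URL with the logged-on credentials, decides from the ticket cache whether Kerberos or NTLM was used, dumps the Kerberos events raised meanwhile and turns logging off again. The registry value is the KB's; the event provider name, the test URL and the SPN string are assumptions. Run on the client as a local admin with the ActiveDirectory module available.

```powershell
# Added example (not from the deck): a Kerberos test with logging switched on only for its duration.
Import-Module ActiveDirectory

$regKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'   # KB 262177
$testUrl   = 'http://OLYMPUS.HADES.LOCAL/'                                      # assumption: the portal site from the SPN slides
$spnForUrl = 'HTTP/OLYMPUS.HADES.LOCAL'
$provider  = 'Microsoft-Windows-Security-Kerberos'                              # assumption: Kerberos client event provider

# Gotcha: a user marked "Account is sensitive and cannot be delegated" can authenticate but never be delegated
if ((Get-ADUser -Identity $env:USERNAME -Properties AccountNotDelegated).AccountNotDelegated) {
    Write-Warning "$env:USERNAME is marked sensitive; the second hop will fail for this user regardless of the farm's settings"
}

New-Item -Path $regKey -Force | Out-Null
Set-ItemProperty -Path $regKey -Name LogLevel -Value 1 -Type DWord   # verbose Kerberos events in the System log
$started = Get-Date
& klist.exe purge | Out-Null     # empty the ticket cache so the request has to go back to the KDC
try {
    Invoke-WebRequest -Uri $testUrl -UseDefaultCredentials -UseBasicParsing | Out-Null

    # A service ticket for the site's SPN in the cache means Kerberos was used; none means the client fell back to NTLM
    $tickets = & klist.exe tickets
    if ($tickets -match [regex]::Escape($spnForUrl)) {
        "Kerberos ticket obtained for $spnForUrl"
    } else {
        Write-Warning "No ticket for $spnForUrl: check the SPN, the DNS A record and which account carries the SPN"
    }
}
finally {
    # Everything Kerberos logged while the test ran (KDC_ERR_* codes show up here)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $provider; StartTime = $started } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List

    Remove-ItemProperty -Path $regKey -Name LogLevel      # don't leave verbose Kerberos logging behind
}

# The SPN check the slide asks for: duplicates anywhere in the forest
& setspn.exe -X -F
```

Repeat the same cycle on the SharePoint app server for the second hop: there the ticket to look for is the data source's SPN (for example `MSSQLSvc/BI-SQL.HADES.LOCAL:49753`), requested on behalf of the user.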

Page 31:

Demo time!

Page 32:

After…

Sponsor Competition Draws in the Exhibition Hall 17:15

Page 33:

Community Events

SQL Saturday Edinburgh, 7/8 June: www.sqlsaturday.com/202/
SQL Relay, 17/27 June: www.sqlrelay.co.uk
SQL Saturday Dublin, 21/22 June: www.sqlsaturday.com/229/
SQL Saturday Cambridge, 27 September: www.sqlsaturday.com/228/
UK User Groups, all the time: www.sqlserverfaq.com

Page 34:

Feedback

Please complete feedback:
http://sqlbits.com/SQLBitsXIThursday
http://sqlbits.com/SQLBitsXIFriday
http://sqlbits.com/SQLBitsXISaturday
http://sqlbits.com/SQLBitsXI (general feedback)

Page 35:

We hope you had a great conference day! Keep checking www.sqlbits.com for slides, videos and news of the next conference

#SQLBITS

Page 36:

Glossary

Kerberos: authentication protocol
Principal: any identity the KDC knows about (user, computer or service account); in an SPN the "principal" is the host, or the account, the target service runs as
UPN: user principal name
FQDN: Fully Qualified Domain Name
WCF: Windows Communication Foundation (.NET)
C2WTS: WCF service granting a Windows token for a UPN claim

Page 37:

Links: getting started

How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products: http://technet.microsoft.com/en-us/library/gg502594.aspx
Kerberos Guide for SharePoint 2013: http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
Kerberos Blog and Resources: www.data-united.co.uk

Page 39:

Scripting tips: Command Prompt

◦ List all Kerberos tickets on the principal (a ticket must be present for the URL, otherwise NTLM is used):
klist
◦ Purge Kerberos tickets (run on all principals to avoid a reboot/wait):
klist purge
◦ List the msDS-AllowedToDelegateTo property for a single account (only computers with ):
ldifde -f c:\temp\filename.txt -d "CN=SA_SVC_C2WTS,OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
◦ List the msDS-AllowedToDelegateTo property for all accounts in an OU:
ldifde -f c:\temp\filename.txt -d "OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
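The two ldifde queries above answer "where may this account delegate to?" but not "which accounts in this OU can delegate at all, and how?". This added example (not from the deck) does both with the ActiveDirectory module: it finds every account under the slide's OU that either has an allowed-to list or carries the unconstrained TRUSTED_FOR_DELEGATION bit, and reports the delegation mode of each. The OU is the slide's; the decoded flag names are the documented userAccountControl bits.

```powershell
# Added example (not from the deck): delegation audit for an OU, the PowerShell counterpart of the
# ldifde queries plus a flag for accounts with basic (unconstrained) delegation.
Import-Module ActiveDirectory

$ou = 'OU=Service Accounts,DC=contoso,DC=msft,DC=com'          # same OU as the ldifde example

# LDAP matching-rule 1.2.840.113556.1.4.803 = bitwise AND; 524288 = 0x80000 = TRUSTED_FOR_DELEGATION
$filter = '(|(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=524288))'

Get-ADObject -SearchBase $ou -LDAPFilter $filter -Properties 'msDS-AllowedToDelegateTo', userAccountControl, servicePrincipalName |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Account            = $_.Name
            Class              = $_.ObjectClass                              # user or computer (C2WTS as Local System shows up here)
            Unconstrained      = [bool]($uac -band 0x80000)                  # basic: delegates to any service, holds users' TGTs
            ProtocolTransition = [bool]($uac -band 0x1000000)                # "use any authentication protocol"
            AllowedTo          = ($_.'msDS-AllowedToDelegateTo' -join '; ')  # empty + Unconstrained = basic delegation
            HasSpn             = [bool]$_.servicePrincipalName
        }
    } |
    Sort-Object -Property Unconstrained -Descending |
    Format-Table -AutoSize -Wrap
```

Rows with `Unconstrained = True` are the ones the "Constrained or basic?" slide tells you to justify or move to a constrained list; `-Properties '*'` on the same query dumps everything ldifde would have written to the file.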