Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012)
Chuck Heinzelman
Senior Program Manager – BPD CX
Microsoft Corporation
DBI304
Abstract
A top call generator for SharePoint BI is the configuration of Kerberos to allow user credentials to be passed to back end data sources. With Microsoft SQL Server 2012, Reporting Services will be fully integrated with SharePoint as a service. Come learn how to configure your environment. Learn how to discover what SPNs need to be set, how to configure Constrained Delegation, and how to troubleshoot potential issues.
Kerberos – In 7 Easy Steps
Solve 95% Of Your Kerberos Problems…
Kerberos Terminology and Overview
Definitions
- Kerberos: Authentication protocol developed at MIT
- Delegation: Granting your authority to someone else
- Impersonation: I can “be” someone else
- Authentication: Verification that I am who I say I am
- Authorization: Verification that I have the rights to do what I want to do
Why Kerberos?
Delegate user credentials to a back end data source (double-hop issue)
Service Applications that would leverage Kerberos:
- PerformancePoint
- Excel Services
- Reporting Services (SQL Server 2012 change)
Breakdown of 7 Steps
7 Easy Steps!
1. Enable Kerberos on your SharePoint Web Application
2. Enable the Claims to Windows Token Service in SharePoint
3. Create an HTTP SPN for the account that is running the Portal application pool
4. Create a dummy SPN for the account that is running the service application
5. Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
6. Configure Constrained Delegation for the Service Application account to Analysis Services
7. Configure Constrained Delegation for the Application Server machine
Kerberos in the Real World
Real-World Scenarios
- Multiple Web Front Ends
- Load Balanced URLs
- Multiple Application Servers
- Multiple Service Application Accounts
- SQL Server Services
Multiple Web Front Ends
Load Balanced URLs
- Set an HTTP SPN for every URL
  - Each WFE (and FQDN)
  - Load Balancer URL
  - Don’t forget Alternate Access Mappings
- Remember to check for additional CNAME entries
Multiple Application Servers
Multiple Service Application Accounts
- No service-specific SPN is required for the service applications
- You will need to set up constrained delegation on the service account
  - You may need to set up a dummy SPN to enable the Delegation tab in Active Directory Users and Computers
- Enable C2WTS on each server
SQL Server Services
- Clustered SQL Server
  - Set the SPN on the VNN
- Non-Default Instance of Analysis Services
  - SQL Browser service needs to be running
  - An SPN of the form MSOLAPDisco.3 is necessary on the service account under which the Browser service is running
  - Standard MSOLAPSvc.3 SPN required as well
Related Content
Breakout Sessions (session codes and titles)
- OSP201 – Business Intelligence in Microsoft Office and SharePoint 2010
- OSP232 – 36 Terabytes: How Microsoft IT Manages SharePoint in the Enterprise
- DBI402 – Deploying and Managing a PowerPivot for SharePoint Infrastructure Using Microsoft SQL Server 2012
- DBI301 – Building Self-Service BI Applications Using PowerPivot
- OSP339 – Advanced Microsoft SharePoint 2010 Upgrade Troubleshooting
- DBI332 – Running Reporting Services in SharePoint Integrated Mode: How and Why
- DBI306 – Tips and Tricks: Effectively Manage Your SharePoint Farm with BI
- DBI327 – How to Extend Your SharePoint BI Dashboard to ALL Devices
- OSP431 – Security Design with Claims-Based Authentication
Find Me Later At…
- SQL Server TLC Area – I’ll be there quite often!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
Breakout – Step 1
Enable Kerberos on your SharePoint Web Application
Central Administration | Application Management | Manage Web Applications | Authentication Providers
Breakout – Step 2
Enable Claims to Windows Token Service in SharePoint
Central Administration | System Settings | Manage Services on Server | Select “Start” on the Claims to Windows Token Service
Breakout – Step 3
Create an HTTP SPN for the account that is running the Portal application pool
1. Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
2. Create HTTP SPN for all applicable URLs
   a. SetSPN -S HTTP/<Server> Domain\<Service Account>
   b. SetSPN -S HTTP/<Server>.<FQDN> Domain\<Service Account>
   c. Repeat steps a and b for every URL that can be used to access that web application (should match your AAM definitions)
Breakout – Step 4
Create a dummy SPN for the account that is running the service application (PerformancePoint, Excel Services & Reporting Services)
* This is only necessary if the account running the service application is different from the HTTP service account
1. Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
2. Create 1 dummy SPN per service
   a. SetSPN -S PPS/<Server> Domain\<Service Account>
   b. SetSPN -S RS/<Server> Domain\<Service Account>
Breakout – Step 5
Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
1. Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
2. Create MSOLAPSvc.3 SPNs
   a. SetSPN -S MSOLAPSvc.3/<Server> Domain\<Service Account>
   b. SetSPN -S MSOLAPSvc.3/<Server>.<FQDN> Domain\<Service Account>
Breakout – Step 6
Configure Constrained Delegation for the Service Application account to Analysis Services
1. Log onto the Domain Controller and open Active Directory Users and Computers
2. Locate the Service Application Account and edit the properties
3. Find the Delegation tab
   a. Select the option “Trust this user for delegation to specified services only”
   b. Select “Use any authentication protocol”
   c. Click on the Add button
   d. In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
   e. Highlight the service and select OK
Breakout – Step 7
Configure Constrained Delegation from the Application Server machine
1. Log onto the Domain Controller and open Active Directory Users and Computers
2. Locate the computer account for the Application Server
3. Find the Delegation tab
   a. Select the option “Trust this user for delegation to specified services only”
   b. Select “Use any authentication protocol”
   c. Click on the Add button
   d. In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
   e. Highlight the service and select OK
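
A read-only check of what steps 3 to 7 should have produced, as an added example that is not part of the original deck. It assumes the RSAT ActiveDirectory PowerShell module is available; every account, host and domain name in it is a placeholder.

```powershell
# Added example: read-only audit of the SPNs and delegation set up in steps 3-7.
# Every account, host and domain name below is a placeholder (assumption).
Import-Module ActiveDirectory   # RSAT Active Directory module

$PortalPoolAccount = 'svc-spportal'   # Portal application pool account (step 3)
$ServiceAppAccount = 'svc-spbi'       # service application account (steps 4 and 6)
$AppServerName     = 'SPAPP01'        # Application Server computer account (step 7)
$SsasAccount       = 'svc-ssas'       # Analysis Services service account (step 5)
$PortalHosts       = 'portal', 'portal.contoso.local'   # one pair per AAM URL
$SsasHosts         = 'SSAS01', 'SSAS01.contoso.local'

function Test-SpnOwner {
    param([string]$Spn, [string]$ExpectedSam)
    # An SPN must be registered on exactly one account (the check SetSPN -S makes
    # before it writes); this looks in the current domain only.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    [pscustomobject]@{
        Spn    = $Spn
        Owners = ($owners | ForEach-Object { $_.sAMAccountName }) -join ', '
        Ok     = ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $ExpectedSam)
    }
}

function Test-Delegation {
    param($Principal, [string[]]$ExpectedTargets)
    # msDS-AllowedToDelegateTo holds the "specified services" list from the Delegation tab.
    $targets = @($Principal.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    [pscustomobject]@{
        Account            = $Principal.SamAccountName
        # Step 4: an account needs at least one SPN before the Delegation tab appears.
        HasSpn             = (@($Principal.servicePrincipalName | Where-Object { $_ }).Count -gt 0)
        Unconstrained      = $Principal.TrustedForDelegation         # expect False
        # "Use any authentication protocol" sets this flag.
        ProtocolTransition = $Principal.TrustedToAuthForDelegation   # expect True
        UnexpectedTargets  = (@($targets | Where-Object { $_ -notin $ExpectedTargets }) -join ', ')
        MissingTargets     = (@($ExpectedTargets | Where-Object { $_ -notin $targets }) -join ', ')
    }
}

$expected = $SsasHosts | ForEach-Object { "MSOLAPSvc.3/$_" }
$props    = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
            'TrustedForDelegation', 'TrustedToAuthForDelegation'

# Steps 3 and 5: each SPN exists once, on the intended account.
@(
    $PortalHosts | ForEach-Object { Test-SpnOwner "HTTP/$_" $PortalPoolAccount }
    $expected    | ForEach-Object { Test-SpnOwner $_ $SsasAccount }
) | Format-Table -AutoSize

# Steps 6 and 7: delegation is constrained to the Analysis Services SPNs only.
@(
    Test-Delegation (Get-ADUser     $ServiceAppAccount -Properties $props) $expected
    Test-Delegation (Get-ADComputer $AppServerName     -Properties $props) $expected
) | Format-List
```

An `Unconstrained` value of True, or any entry under `UnexpectedTargets`, means the account can delegate further than the “specified services only” setting in steps 6 and 7 intends.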