Configure Kerberos Authentication For SharePoint 2010 Products PDF

Configure Kerberos Authentication
for SharePoint 2010 Products

Tom Wisnowski
Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan,

PejJavaheri , Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler,
PrashShirolkar, Norm Warren, Josh Zimmerman
Summary: This document covers the concepts of identity in SharePoint 2010 products,
how Kerberos authentication plays a critical role in authentication and delegation in
business intelligence scenarios, and the situations where Kerberos authentication should
be leveraged or may be required in solution designs. It also covers how to configure
Kerberos authentication end-to-end within your environment, including scenarios which
use various service applications in SharePoint Server. Additional tools and resources are
described to help you test and validate Kerberos configuration.
Category: Guide
Applies to: SharePoint 2010
Source: White paper (link to source content)
E-book publication date: May 2012
220 pages
Copyright 2012 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
Microsoft and the trademarks listed at

http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the
Microsoft group of companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and events
depicted herein are fictitious. No association with any real company, organization, product, domain name, email address,
logo, person, place, or event is intended or should be inferred.
This book expresses the authors views and opinions. The information contained in this book is provided without any
express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will
be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

TableofContents
ConfigureKerberosAuthenticationforSharePoint2010Products..........................1
Configure Kerberos authentication for SharePoint 2010 Products...........................7
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.....8
Who should read these articles about Kerberos authentication?..........................9
Identity scenarios in SharePoint 2010 Products....................................................11
Claims primer..............................................................................................................19
Kerberos protocol primer...........................................................................................20
Benefits of the Kerberos protocol.............................................................................20
Kerberos delegation, constrained delegation, and protocol transition................21
Kerberos authentication changes in Windows 2008R2 and Windows 7............22
Kerberos configuration changes in SharePoint 2010 Products...........................23
Considerations when you are upgrading from Office SharePoint Server 200723
Configuring Kerberos authentication: Step-by-step configuration (SharePoint

Server 2010)................................................................................................................24
Environment and farm topology................................................................................24
Web Application specification...................................................................................27
SQL aliasing................................................................................................................29
SharePoint Server Services and service accounts...............................................30
C2WTS Service Identity.............................................................................................31

Tips for working through the scenarios...................................................................31
Configuring Kerberos authentication: Core configuration (SharePoint Server

2010).............................................................................................................................33
Configuration checklist...............................................................................................34
Step-by-step configuration instructions...................................................................35
Kerberos authentication for SQL OLTP (SharePoint Server 2010)........................81
Scenario environment details....................................................................................83
Kerberos authentication for SQL Server Analysis Services (SharePoint Server

2010).............................................................................................................................89
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
.......................................................................................................................................94
Scenario dependencies.............................................................................................94
Scenario environment details....................................................................................96
Cross-domain Kerberos delegation.........................................................................96
SSL configuration for Reporting Services.............................................................122
Identity delegation for Excel Services (SharePoint Server 2010).........................124
Scenario dependencies...........................................................................................124
4
Configuration checklist.............................................................................................124
Step-by-step configuration instructions.................................................................127
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
.....................................................................................................................................151
Scenarios requiring Kerberos authentication.......................................................152
Configuration instructions........................................................................................154
Identity delegation for Visio Services (SharePoint Server 2010)..........................155
Scenario environment details..................................................................................157
Identity delegation for PerformancePoint Services (SharePoint Server 2010)...183
Scenario environment details..................................................................................185
Step-by-step Configuration instructions................................................................187
Identity delegation for Business Connectivity Services (SharePoint Server 2010)

.....................................................................................................................................213
Scenario Environment Details................................................................................215

Kerberos configuration known issues (SharePoint Server 2010).........................238
Kerberos authentication and non-default ports....................................................238
Kerberos authentication and DNS CNAMEs........................................................239
Kerberos authentication and Kernel Mode Authentication.................................240
Kerberos authentication and session-based authentication..............................241
Kerberos authentication and duplicate/missing SPN issues..............................242
Kerberos Max Token Size.......................................................................................243
Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
..................................................................................................................................243
How to reset the Claims to Windows Token Service account (SharePoint Server
2010)...........................................................................................................................245
Solution.......................................................................................................................245
6
Configure Kerberos authentication for SharePoint 2010 Products
Configure Kerberos authentication for

SharePoint 2010 Products
Published:July15,2010
Thisdocumentgivesyouinformationthatwillhelpyouunderstandtheconceptsof
identityinMicrosoftSharePoint2010Products,howKerberosauthenticationplaysa
veryimportantroleinauthenticationanddelegationscenarios,andthesituations
whereKerberosauthenticationshouldbeusedormayberequiredinsolutiondesigns.
Scenariosincludebusinessintelligenceimplementationswhichsecureaccesstoexternal
datasourcessuchasSQLServer.
ThedocumentalsoshowshowtoconfigureKerberosauthenticationendtoendwithin
yourenvironment,includingscenariosthatusevariousserviceapplicationsinMicrosoft
SharePointServer.Additionaltoolsandresourcesaredescribedtohelpyoutestand
validateKerberosconfiguration.The"StepbyStepConfiguration"sectionsofthis
documentcoverthefollowingscenariosforSharePointServer2010.
Scenario1:CoreConfiguration
Scenario2:KerberosAuthenticationforSQLOLTP
Scenario3:IdentityDelegationforSQLAnalysisServices
Scenario4:IdentityDelegationforSQLReportingServices
Scenario5:IdentityDelegationforExcelServices
Scenario6:IdentityDelegationforPowerPivotforSharePoint
Scenario7:IdentityDelegationforVisioServices
Scenario8:IdentityDelegationforPerformancePointServices
Scenario9:IdentityDelegationforBusinessConnectivityServices
ThesameinformationaboutConfiguringKerberosauthenticationforSharePoint2010
ProductsisavailableisalsoavailableasasetofarticleshereintheTechNetLibrary.It
beginshere:Overview of Kerberos authentication for Microsoft SharePoint 2010
Products.
7
Configure Kerberos Authentication for SharePoint 2010 Products
Overview of Kerberos authentication for

Microsoft SharePoint 2010 Products
Published:December2,2010
MicrosoftSharePoint2010Productsintroducesignificantimprovementsinhowidentity
ismanagedintheplatform.Itisveryimporttounderstandhowthesechangesaffect
solutiondesignandplatformconfigurationtoenablescenariosthatrequireuseridentity
tobedelegatedtointegratedsystems.TheKerberosversion5protocolplaysakeyrole
inenablingdelegationandsometimesmayberequiredinthesescenarios.
Thissetofarticlesgivesyouinformationthathelpsyoudothefollowing:
UnderstandtheconceptsofidentityinSharePoint2010Products
LearnhowKerberosauthenticationplaysaveryimportantroleinauthentication
anddelegationscenarios
IdentifythesituationswhereKerberosauthenticationshouldbeleveragedormay
berequiredinsolutiondesigns
ConfigureKerberosauthenticationendtoendwithinyourenvironment,including
scenariosthatusevariousserviceapplicationsinSharePointServer
TestandvalidatethatKerberosauthenticationisconfiguredcorrectlyandworking
asexpected
FindadditionaltoolsandresourcestohelpyouconfigureKerberosauthenticationin
yourenvironment
Thissetofarticlesisdividedintwomajorsections:
ThisoverviewofKerberosauthenticationinSharePoint2010Products
Thisarticlecontainsconceptualinformationabouthowtomanageidentityin
SharePoint2010Products,theKerberosprotocol,andhowKerberosauthentication
playsakeyroleinSharePoint2010solutions.
Step-by-step configuration
ThisgroupofarticlesdiscussesthestepsthatarerequiredtoconfigureKerberos
authenticationanddelegationinvariousSharePointsolutionscenarios.
8
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
Who should read these articles about

Kerberos authentication?
IdentityanddelegationinSharePoint2010Productsisabroadtopic,withmanyfacets
anddepthsofunderstanding.Thissetofarticlesaddressesthetopicfromboth
conceptualandtechnicallevelsandiswrittentoaddresstheneedsofvarious
audiences:
Beginning to end
"TellmeeverythingthereistoknowaboutIdentityandKerberosauthenticationin
SharePoint2010Products"
IfyouareonlystartingoutandlearningaboutSharePoint2010Products,Kerberos
authentication,andclaimsauthentication,youwillwanttothereadthefirstsectionof
thisdocument.Itcoversthebasicconceptsofidentityanddelegationandoffersprimers
aboutClaimsandKerberosauthentication.Besuretofollowthelinkstoexternal
articlesandadditionalinformationtobuildasolidfoundationofknowledgebefore
continuingontothestepbystepconfigurationarticles.
Upgrading from Office SharePoint Server 2007

"Tellmewhatischangedfrom2007andwhatIshouldprepareforinupgradingto2010"
IfyouhaveanexistingMicrosoftOfficeSharePointServer2007environmentalready
configuredtouseKerberosauthenticationandKerberosdelegation,youshouldreadthe
followingarticles:
Identity scenarios in SharePoint 2010 Products
Claims primer
Kerberos authentication changes in Windows 2008 R2 and Windows 7
Kerberos configuration changes in SharePoint 2010 Products
Considerations when you are upgrading from Office SharePoint Server 2007
Ifyouhaveadditionalquestionsabouthowtoconfigurationdelegationforaparticular
featureorscenario,readthestepbystepconfigurationarticles,especiallythe
configurationchecklists.Thiswillhelpyouensurethatyourenvironmentisconfigured
correctlyafterupgrade.
9
Step-by-step walkthrough
"IwantdetailedstepbystepinstructionsonhowtoconfigureKerberosdelegationin
SharePointServerandapplicableSharePointServerserviceapplications"
ThestepbystepconfigurationarticlescoverseveralSharePoint2010Products
scenarioswhichcanbeconfiguredtouseKerberosdelegation.Eachscenarioiscovered
indetail,includingaconfigurationchecklistandstepbystepinstructionstohelpyou
successfullyconfigureKerberosauthenticationinyourenvironment.Thescenarios
coveredincludethefollowing:
Scenario1:Core Configuration
Scenario2:Kerberos Authentication for SQL OLTP

Scenario3:Kerberos Authentication for SQL Analysis Services
Scenario4:Identity Delegation for SQL Reporting Services
Scenario5:Identity Delegation for Excel Services

Scenario6:Identity Delegation for PowerPivot for SharePoint 2010
Scenario7:Identity Delegation for Visio Services
Scenario8:Identity Delegation for Performance Point Services

Scenario9:Identity Delegation for Business Connectivity Services
Besuretothoroughlyreviewthefirstcoreconfigurationscenario,becauseitisa
prerequisiteforallthescenariosthatfollow.
10
Note:
Thescenariosinclude"SetSPN"commandsthatyoumaychoosetocopyfromthis
documentandpasteinaCommandPromptwindow.Thesecommandsincludehyphen
characters.MicrosoftWordhasanAutoFormatfeaturethattendstoconverthyphensto
dashcharacters.IfyouhavethisfeatureturnedoninWordandthendoacopyand
pasteoperation,thecommandswillnotworkcorrectly.Changethedashestohyphens
tofixthiserror.ToturnoffthisAutoFormatfeatureinWord,selectOptionsfromthe
Filemenu,clicktheProofingtab,andthenopentheAutoCorrectdialogbox.
Existing SharePoint 2010 Product environments

"IhaveanexistingSharePoint2010ProductenvironmentandIcannotseemtoget
Kerberosauthenticationworking.HowdoIvalidateanddebugmyconfiguration?"
TheStep-by-step configurationarticlescontainseveralcheckliststohelptriageyour
environmentinvariousscenarios.PayspecialattentionstoScenario1,Core
configuration,whichcoversbasictoolsandtechniquestotriageKerberosconfiguration.
Identity scenarios in SharePoint 2010

Products
WhenlearningaboutidentityinthecontextofauthenticationinSharePoint2010
Products,youcanconceptuallylookathowtheplatformhandlesidentityinthreekey
scenarios:Incomingauthentication,inter/intrafarmauthenticationandoutgoing
authentication.
11
Incoming Identity
Theincomingauthenticationscenariorepresentsthemeansinwhichaclientpresents
itsidentitytotheplatform,orinotherwordsauthenticateswiththewebapplicationor
webservice.SharePointServerwillusetheclient'sidentitytoauthorizetheclientto
accessSharePointServersecuredresourcessuchaswebpages,documents,andsoon.
SharePoint2010Productssupporttwomodesinwhichaclientcanauthenticatewith
theplatform:ClassicmodeandClaimsmode.
Classic mode
ClassicmodeallowsthetypicalInternetInformationServices(IIS)authentication
methodsthatyoumayalreadybefamiliarwithfrompreviousversionsofSharePoint
Server.WhenaSharePointServer2010WebApplicationisconfiguredtouseclassic
mode,youhavetheoptionofusingthefollowingIISauthenticationmethods:
IntegratedWindowsauthentication
IntegratedWindowsauthenticationenablesWindowsclientstoseamlesslyauthenticate
withSharePointServerwithouthavingtomanuallyprovidecredentials(user
name/password).UsersaccessingSharePointServerfromInternetExplorerwill
authenticatebyusingthecredentialsthattheInternetExplorerprocessisrunning
underbydefaultthecredentialsthattheuserusedtologontothedesktop.Services
orapplicationsthataccessSharePointServerinWindowsintegratedmodeattemptto
authenticatebyusingthecredentialsoftherunningthread,which,bydefault,isthe
identityoftheprocess.
12
NTLM
NTLANManager(NTLM)isthedefaultprotocoltypewhenIntegratedWindows
authenticationisselected.Thisprotocoltakesadvantageofathreepartchallenge
responsesequencetoauthenticateclients.FormoreinformationaboutNTLM,see
Microsoft NTLM(http://go.microsoft.com/fwlink/?LinkId=196643).
Pros:
Itiseasytoconfigureandtypicallyrequiresnoadditional
infrastructure/environmentconfigurationtofunction
Itworkswhentheclientisnotpartofthedomain,orisnotinadomaintrustedby
thedomainthatSharePointServerresidesin
Cons:
ItrequiresSharePointServertocontactthedomaincontrollereverytimethata
clientauthenticationresponseneedsvalidation,increasingtraffictothedomain
controllers.
Itdoesnotallowdelegationofclientcredentialstobackendsystems,otherwise
knownasthedoublehoprule.Itisaproprietaryprotocol.
Itisaproprietaryprotocol.
Itdoesnotsupportserverauthentication.
ItisconsideredlesssecurethanKerberosauthentication
Kerberosprotocol
TheKerberosprotocolisamoresecureprotocolthatsupportsticketingauthentication.
AKerberosauthenticationservergrantsaticketinresponsetoaclientcomputer
authenticationrequest,iftherequestcontainsvalidusercredentialsandavalidService
PrincipalName(SPN).Theclientcomputerthenusesthetickettoaccessnetwork
resources.ToenableKerberosauthentication,theclientandservercomputersmust
haveatrustedconnectiontothedomainKeyDistributionCenter(KDC).TheKDC
distributessharedsecretkeystoenableencryption.Theclientandservercomputers
mustalsobeabletoaccessActiveDirectorydirectoryservices.ForActiveDirectory,the
forestrootdomainisthecenterofKerberosauthenticationreferrals.Formore
informationabouttheKerberosprotocol,seeHow the Kerberos Version 5
Authentication Protocol Works(http://go.microsoft.com/fwlink/?LinkId=196644)and
Microsoft Kerberos.(http://go.microsoft.com/fwlink/?LinkId=196645)
13
Pros:
MostsecureIntegratedWindowsauthenticationprotocol
Allowsdelegationofclientcredentials
Supportsmutualauthenticationofclientsandservers
Produceslesstraffictodomaincontrollers
Openprotocolsupportedbymanyplatformsandvendors
Cons:
Requiresadditionalconfigurationofinfrastructureandenvironmenttofunction
correctly
RequiresclientshaveconnectivitytotheKDC(ActiveDirectorydomaincontrollerin
Windowsenvironments)overTCP/UDPport88(Kerberos),andTCP/UDPport464
(KerberosChangePasswordWindows)
Othermethods
InadditiontoNTLMandKerberosauthentication,SharePointServersupportsother
kindsofIISauthenticationsuchasbasic,digest,andcertificatebasedauthentication,
whicharenotcoveredinthisdocument.Formoreinformationabouthowthese
protocolsfunction,seeAuthentication Methods Supported in IIS 6.0 (IIS 6.0)
(http://go.microsoft.com/fwlink/?LinkId=196646).
Claims-based authentication
SupportforclaimsauthenticationisanewfeatureinSharePoint2010Productsandis
builtonWindowsIdentityFoundation(WIF).Inaclaimsmodel,SharePointServer
acceptsoneormoreclaimsaboutanauthenticatingclienttoidentifyandauthorizethe
client.TheclaimscomeintheformofSAMLtokensandarefactsabouttheclientstated
byatrustedauthority.Forexample,aclaimcouldstate,"Bobisamemberofthe
EnterpriseAdminsgroupforthedomainContoso.com."Ifthisclaimcamefroma
providertrustedbySharePointServer,theplatformcouldusethisinformationto
authenticateBobandtoauthorizehimtoaccessSharePointServerresources.Formore
informationaboutclaimsauthentication,seeA Guide to Claims-based Identity and
Access Control(http://go.microsoft.com/fwlink/?LinkID=187911).
ThekindofclaimsthatSharePoint2010Productssupportforincomingauthentication
areWindowsClaims,formsbasedauthenticationClaims,andSAMLClaims.
14
WindowsClaims
IntheWindowsclaimsmodesignin,SharePointServerauthenticatestheclientusing
standardIntegratedWindowsauthentication(NTLM/Kerberos),andthentranslatesthe
resultingWindowsIdentityintoaClaimsIdentity.
FormsbasedauthenticationClaims
InFormsbasedauthenticationclaimsmode,SharePointServerredirectstheclienttoa
logonpagethathoststhestandardASP.NETlogoncontrols.Thepageauthenticatesthe
clientbyusingASP.NETmembershipandroleproviders,similartohowformsbased
authenticationfunctionedinOfficeSharePointServer2007.Aftertheidentityobject
thatrepresentstheuseriscreated,SharePointServerthentranslatesthisidentityintoa
claimsidentityobject.
SAMLClaims
InSAMLClaimsmode,SharePointServeracceptsSAMLtokensfromatrustedexternal
SecurityTokenProvider(STS).Whentheuserattemptstologon,seecommentis
directedtoanexternalclaimsprovider(forexample,WindowsLiveIDclaimsprovider)
whichauthenticatestheuserandproducesaSAMLtoken.SharePointServeraccepts
andprocessesthistoken,augmentingtheclaimsandcreatingaclaimsidentityobject
fortheuser.
FormoreinformationaboutclaimsbasedauthenticationinSharePoint2010Products,
seeSharePoint Claims-Based Identity.
Note about incoming claims authentication and the Claims to

Windows Token Service (C2WTS)
SomeserviceapplicationsrequirethatyouusetheWindowsIdentityFoundation(WIF)
ClaimstoWindowsTokenService(C2WTS)totranslateclaimswithinthefarmto
Windowscredentialsforoutboundauthentication.Itisimportanttounderstandthat
C2WTSonlyfunctionsiftheincomingauthenticationmethodiseitherclassicmodeor
Windowsclaims.Ifclaimsisconfigured,theC2WTSrequiresonlyWindowsclaims;the
webapplicationcannotusemultipleformsofclaimsonthewebapplication,otherwise
theC2WTSwillnotfunction.
Identity within a SharePoint 2010 Products environment

SharePoint2010Productsenvironmentsuseclaimsauthenticationforintraandinter
farmcommunicationswithmostSharePointserviceapplicationsandSharePoint
15
integratedproductsregardlessoftheincomingauthenticationmechanismused.This
meansthatevenwhereclassicauthenticationisusedtoauthenticatewithaparticular
webapplication,SharePointProductsconverttheincomingidentityintoaclaims
identitytoauthenticatewithSharePointServiceApplicationsandproductsthatare
claimsaware.Bystandardizingontheclaimsmodelforintra/interfarm
communications,theplatformcanabstractitselffromtheincomingprotocolsthatare
used.
Note:
SomeproductsintegratedwithSharePointServer,suchasSQLServerReporting
Services,arenotclaimsawareanddonottakeadvantageoftheintrafarmclaims
authenticationarchitecture.SharePointServermayalsorelyonclassicKerberos
delegationandclaimsinotherscenarios,forexamplewhentheRSSviewerwebpartis
configuredtoconsumeanauthenticatedfeed.Refertoeachproductorservice
application'sdocumentationtodeterminewhetheritcansupportclaimsbased
authenticationandidentitydelegation.
Outbound identity
OutboundidentityinSharePoint2010Productsrepresentsthescenarioswhereservices
withinthefarmhavetoauthenticatewithexternallineofbusinesssystemsand
services.Dependingonthescenario,authenticationcanbeperformedinoneoftwo
basicconceptualmodels:
Trusted subsystem
Inthetrustedsubsystem,thefrontendserviceauthenticatesandauthorizestheclient,
andthenauthenticateswithadditionalbackendserviceswithoutpassingtheclient
identitytothebackendsystem.Thebackendsystemtruststhefrontendservicetodo
authenticationandauthorizationonitsbehalf.Themostcommonwaytoimplement
thismodelistousesharedserviceaccounttoauthenticatewiththeexternalsystem:
16

InSharePointServer,thismodelcanbeimplementedinvariousways:
UsingtheIISapplicationpoolidentityusuallyachievedbyrunningcodeinthe
webapplicationthatelevatespermissionswhilemakingacalltoanexternalsystem.
OthermethodssuchasusingRevertToSelfcanalsousetheapplicationpool's
identitytoauthenticatewithexternalsystems.
Usingaserviceaccounttypicallyachievedbystoringapplicationcredentialsinthe
SecureStorethenusingthosecredentialstoauthenticatewithanexternalsystem.
Othermethodsincludestoringtheserviceaccountcredentialsinotherwayssuchas
embeddedconnectionstrings.
AnonymousAuthenticationthisiswheretheexternalsystemrequiresno
authentication.ThereforethefrontendSharePointServerservicedoesnothaveto
passanyidentitytothebackendsystem.
Delegation
IntheDelegationmodel,thefrontendservicefirstauthenticatestheclient,andthen
usestheclient'sidentitytoauthenticatewithanotherbackendsystemthatperformsits
ownauthenticationandauthorization:
17

InSharePoint2010Products,thismodelcanbeimplementedinvariousways:
KerberosdelegationIftheclientauthenticateswiththefrontendservicebyusing
Kerberosauthentication,Kerberosdelegationcanbeusedtopasstheclient's
identitytothebackendsystem.
Claimsclaimsauthenticationallowstheclient'sclaimstobepassedbetween
servicesaslongasthereistrustbetweenthetwoservicesandbothareclaims
aware.
Note:
Currently,mostoftheserviceapplicationsthatareincludedwithSharePointServerdo
notallowforoutboundclaimsauthentication,butoutboundclaimsisaplatform
capabilitythatwillbetakenadvantageofinthefuture.Further,manyofthemost
commonlineofbusinesssystemstodaydonotsupportincomingclaimsauthentication,
whichmeansthatusingoutboundclaimsauthenticationmaynotbepossibleorwill
requireadditionaldevelopmenttoworkcorrectly.
Delegation across domain and forest boundaries

ThescenariosinthissetofarticlesaboutKerberosauthenticationrequirethatthe
SharePointServerserviceandexternaldatasourcesresideinthesameWindows
domain,whichisrequiredforKerberosconstraineddelegation.TheKerberosprotocol
supportstwokindsofdelegation,basic(unconstrained)andconstrained.BasicKerberos
delegationcancrossdomainboundariesinasingleforest,butcannotcrossaforest
18
boundaryregardlessoftrustrelationship.Kerberosconstraineddelegationcannotcross
domainorforestboundariesinanyscenario.
SomeSharePointServerservicescanbeconfiguredtousebasicKerberosdelegation,
butotherservicesrequirethatyouuseconstraineddelegation.Anyservicethatrelies
ontheClaimstoWindowstokenservice(C2WTS)mustuseKerberosconstrained
delegationtoallowtheC2WTStouseKerberosprotocoltransitiontotranslateclaims
intoWindowscredentials.
ThefollowingserviceapplicationsandproductsrequiretheC2WTSandKerberos
constraineddelegation:
ExcelServices
PerformancePointServices
VisioServices
Thefollowingserviceapplicationsandproductsarenotaffectedbytheserequirements,
andthereforecanusebasicdelegation,ifitisrequired:
BusinessDataConnectivityserviceandMicrosoftBusinessConnectivityServices
InfoPathFormsServices
AccessServices
MicrosoftSQLServerReportingServices(SSRS)
MicrosoftProjectServer2010
Thefollowingserviceapplicationdoesnotallowdelegationofclientcredentialsand
thereforeisnotaffectedbytheserequirements:
MicrosoftSQLServerPowerPivotforMicrosoftSharePoint
Claims primer
ForanintroductiontoClaimsconceptsandClaimsbaseauthentication,seeAn
Introduction to Claims(http://go.microsoft.com/fwlink/?LinkId=196648)andSharePoint
Claims-Based Identity(http://go.microsoft.com/fwlink/?LinkID=196647).
19
Kerberos protocol primer

ForaconceptualoverviewoftheKerberosprotocol,seeMicrosoft Kerberos (Windows)
(http://go.microsoft.com/fwlink/?LinkID=196645),Kerberos Explained
(http://go.microsoft.com/fwlink/?LinkId=196649),andAsk the Directory Services Team:
Kerberos for the Busy Admin(http://go.microsoft.com/fwlink/?LinkId=196650).
Benefits of the Kerberos protocol

BeforeexaminingthedetailsofhowoneconfiguresSharePointServer(oranyweb
application)tousetheKerberosprotocol,let'stalkabouttheKerberosprotocol
generallyandwhyyoumightwanttouseit.
TypicallytherearethreemainreasonstousetheKerberosprotocol:
1. DelegationofclientcredentialsTheKerberosprotocolallowsaclient'sidentityto
beimpersonatedbyaservicetoallowtheimpersonatingservicetopassthat
identitytoothernetworkservicesontheclient'sbehalf.NTLMdoesnotallowthis
delegation.(ThislimitationNTLMiscalledthe"doublehoprule").Claims
authentication,likeKerberosauthentication,canbeusedtodelegateclient
credentialsbutrequiresthebackendapplicationtobeclaimsaware.
2. SecurityFeaturessuchasAESencryption,mutualauthentication,supportfordata
integrityanddataprivacy,justtonameafew,maketheKerberosprotocolmore
securethanitsNTLMcounterpart.
3. PotentiallybetterperformanceKerberosauthenticationrequireslesstrafficto
thedomaincontrollerscomparedwithNTLM(dependingonPACverification,see
Microsoft Open Specification Support Team Blog: Understanding Microsoft Kerberos
PAC Validation).IfPACverificationisdisabledornotneeded,theservicethat
authenticatestheclientdoesnothavetomakeanRPCcalltotheDC(see:You
experience a delay in the user-authentication process when you run a high-volume
server program on a domain member in Windows 2000 or Windows Server 2003).
Kerberosauthenticationalsorequireslesstrafficbetweenclientandserver
comparedwithNTLM.Clientscanauthenticatewithwebserversintwo
request/responsesvs.thetypicalthreeleghandshakewithNTLM.However,this
improvementistypicallynotnoticedonlowlatencynetworksonapertransaction
basis,butcantypicallybenoticedinoverallsystemthroughput.Rememberthat
manyenvironmentalfactorscanaffectauthenticationperformance;therefore
KerberosauthenticationandNTLMshouldbeperformancetestedinyourown
environmentbeforeyoudeterminewhetheronemethodperformsbetterthanthe
other.
20
ThisisanincompletelistoftheadvantagesofusingtheKerberosprotocol.Thereare
otherreasonslikemutualauthentication,crossplatforminteroperability,andtransitive
crossdomaintrust,tonameafew.However,inmostcasesonetypicallyfinds
delegationandsecuritytobetheprimarydriversinadoptionoftheKerberosprotocol.
Kerberos delegation, constrained delegation,

and protocol transition
TheKerberosversion5protocolontheWindowsplatformsupportstwokindsofidentity
delegation:basic(unconstrained)delegationandconstraineddelegation:
Type Advantages Disadvantages
Basic Cancrossdomainboundariesina Doesnotsupportprotocol

delegation singleforest transition
Requireslessconfigurationthan Secure.Ifthefrontendservice
constraineddelegation. iscompromised,clientidentity
canbedelegatedtoany
serviceintheforestthat
acceptsKerberos
authentication.
Constrained CantransitionnonKerberos Cannotcrossdomain

delegation incomingauthenticationprotocol boundaries
toKerberos(example:NTLMto
Kerberos,ClaimstoKerberos) Requiresadditionalsetup
configuration
Moresecure.Identitiescanonly
bedelegatedtospecifiedservice.
Kerberosenabledservicescandelegateidentitymultipletimesacrossmultipleservices
andmultiplehops.Asanidentitytravelsfromservicetoservice,thedelegationmethod
canchangefromBasictoConstrainedbutnotinreverse.Thisisanimportantdesign
detailtounderstand:ifabackendservicerequiresBasicdelegation(forexampleto
21
delegateacrossadomainboundary),allservicesinfrontofthebackendservicemust
usebasicdelegation.Ifanyfrontendserviceusesconstraineddelegation,thebackend
servicecannotchangetheconstrainedtokenintoanunconstrainedtokentocrossa
domainboundary.
ProtocoltransitionallowsaKerberosenabledauthenticatingservice(frontendservice)
toconvertanonKerberosidentityintoaKerberosidentitythatcanbedelegatedto
otherKerberosenabledservices(backendservice).Protocoltransitionrequires
Kerberosconstraineddelegationandthereforeprotocoltransitionedidentitiescannot
crossdomainboundaries.Dependingontheuserrightsofthefrontendservice,the
Kerberosticketreturnedbyprotocoltransitioncanbeanidentificationtokenoran
impersonationtoken.Formoreinformationaboutconstraineddelegationandprotocol
transition,seethefollowingarticles:
Kerberos Protocol Transition and Constrained Delegation

(http://technet.microsoft.com/enus/library/cc739587(WS.10).aspx)
Protocol Transition with Constrained Delegation Technical Supplement

(http://msdn.microsoft.com/enus/library/ff650469.aspx)
Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop

Scenarios(http://support.microsoft.com/kb/2005838)
Asageneralbestpractice,ifKerberosdelegationisrequired,oneshoulduse
constraineddelegation,ifitispossible.Ifdelegationacrossdomainboundariesis
required,thenallservicesinthedelegationpathmustusebasicdelegation.
Kerberos authentication changes in Windows

2008R2 and Windows 7
WindowsServer2008R2andWindows7introducenewfeaturestoKerberos
authentication.Foranoverviewofthechanges,seeChanges in Kerberos Authentication
(http://go.microsoft.com/fwlink/?LinkId=196655)andKerberos
Enhancements(http://go.microsoft.com/fwlink/?LinkId=196656).Inaddition,youshould
makeyourselffamiliarwithIIS7.0KernelModeauthentication(Internet Information
Services (IIS) 7.0 Kernel Mode Authentication Settings,
(http://go.microsoft.com/fwlink/?LinkId=196657))eventhoughitisnotsupportedin
SharePointServerfarms.
22
Kerberos configuration changes in

SharePoint 2010 Products
MostofthebasicconceptsofconfiguringKerberosauthenticationinSharePoint2010
Productshavenotchanged.Youstillhavetoconfigureserviceprincipalnamesandyou
stillhavetoconfiguredelegationsettingsoncomputerandserviceaccounts.However
thereareseveralchangesthatyoushouldbeawareof:
ConstrainedDelegationrequiredforserviceswhichusetheClaimstoWindows
TokenService.Constraineddelegationisrequiredtoallowprotocoltransitionto
convertclaimstoWindowstokens.
ServiceApplicationsInOfficeSharePointServer2007,theSSPservicesrequired
specialSPNsandserverregistrychangestoenabledelegation.InSharePoint2010
Products,serviceapplicationsuseclaimsauthenticationandtheClaimstoWindows
Tokenservice,sothesechangesarenolongerneeded.
WindowsIdentityFoundation(WIF)theWIFClaimstoWindowsTokenService
(C2WTS)isanewserviceleveragedbySharePoint2010Productstoconvertclaims
toWindowstokensfordelegationscenarios.
Considerations when you are upgrading from

Office SharePoint Server 2007
IfyouareupgradinganOfficeSharePointServer2007farmtoSharePointServer2010,
thereareseveralthingsyoushouldconsiderasyoucompletetheupgrade:
IfwebapplicationsarechangingURLs,makesurethatyouupdatetheService
PrincipleNamestoreflecttheDNSnames.
DeletetheSSPserviceprincipalnames,becausetheyarenolongerneededin
SharePointServer2010.
StarttheClaimstoWindowsTokenServiceontheserversthatarerunningservice
applicationsthatrequiredelegation(forexample,ExcelServices,VisioGraphics
Service).
ConfigureKerberosconstraineddelegationwith"useanyauthenticationprotocol"
toallowKerberosconstraineddelegationwiththeC2WTS.
EnsureKernelmodeauthenticationisdisabledinIIS.
23
Configuring Kerberos authentication:

Step-by-step configuration (SharePoint
Server 2010)
Inthescenarioarticlesthatfollow,webuildoutaSharePointServer2010environment
todemonstratehowtoconfiguredelegationinanumberofcommonscenariosyou
mightencounterintheenterprise.Thewalkthroughsassumeyouarebuildingouta
scaledoutSharePointfarmsimilartowhatisdescribedinthefollowingsection.
Note:
Someoftheconfigurationstepsmaychange,ormaynotworkincertainfarm
topologies.Forinstance,asingleserverinstalldoesnotsupporttheWindowsIdentity
FoundationC2WTSservicessoclaimstowindowstokendelegationscenariosarenot
possiblewiththisfarmconfiguration.
Environment and farm topology

Thefollowingdiagramillustratesthefarmtopologyusedwhenconfiguringthescenarios
inthesectionsbelow.Thefarmtopologyisloadbalancedandscaledoutbetween
multipletierstodemonstratehowidentitydelegationwouldworkinmultiserver,multi
hopscenarios.
24
Server 2010)
Note:
Thefarmconfigurationinthedemonstrationsisnotmeanttobeareference
architectureoranexampleofhowtodesignatopologyforproductionenvironments.
Forexample,thedemotopologyrunsallSharePointServer2010serviceapplicationson
asingleserverwhichcreatesasinglepointoffailurefortheseservices.Formore
informationonhowtodesignandbuildaproductionSharePointServerenvironment,
seeSharePoint Server 2010 Physical and Logical ArchitectureandTopologies for
SharePoint Server 2010.
25
Note:
ThescenariowalkthroughsassumethatallcomputersthatarerunningSharePoint
Serverandthedatasourcesusedinthescenariobelowresideinasingledomain.An
explanationandwalkthroughofmultidomain/multiforestconfigurationisnotcovered
inthisdocument.
Environment specification
AllcomputersinthedemonstrationenvironmentarevirtualizedrunningonWindows
Server2008R2HyperV.ThecomputersarejoinedtoasingleWindowsdomain,
vmlab.local,runninginWindowsServer2008ForestandDomainfunctionlevels.
ClientComputer
Windows7Professional,64bit
SharePointServerfrontendWebs
WindowsServer2008R2Enterprise,64bit
Services:
WebApplicationService
LoadbalancedwithWindowsNLB
SharePointServerApplicationServer
WindowsServer2008R2Enterprise,64bit
MicrosoftSharePointServer2010(RTM)
Services:
WIFClaimstoWindowsTokenService
ManagedMetadataService
SharePointIndex
SharePointQuery
ExcelServices
VisioGraphicsService
26
Server 2010)
BusinessConnectivityServices
PerformancePointServices
SQLServices
WindowsSever2008R2Enterprise,64bit
MicrosoftSQLServer2008R2Enterprise,64bit
Active/PassiveConfiguration
SQLServerServices:
SQLDataEngine
SQLServerAnalysisServices
SQLAgent
SQLBrowser
SQLReportingServer
WindowsServer2008R2Enterprise,64bit(RTM)
MicrosoftSQL2008R2Enterprise,64bit(RTM)
MicrosoftSharePointServer2010(RTM)
WindowsNLB,Loadbalanced
ReportingServicesSharePointintegrationmode
ReportingServices,scaledoutmode
Web Application specification

ThescenariosinthewalkthroughreferenceasetofSharePointServer2010web
applicationsyouwillconfigureinScenario1.Thefollowingwebapplicationsareload
balancedusingWindowsNLBacrossthetwoSharePointServerwebfrontendsinthe
demonstrationenvironment:
http://sp10CATheCentralAdministrationwebapplicationforthefarm.Scenario1
willnotwalkthroughtheconfigurationofthiswebapplication.
27
http://portalandhttps://portalWebapplicationwithdemonstrationpublishing
portal.Itisusedtodemonstratehowtoconfiguredelegationforwebapplications
runningonstandardports(HTTP80,HTTPS443)
http://teams:5555Webapplicationwithdemonstrationteamsite.Itisusedto
demonstratehowtoconfiguredelegationforwebapplicationsrunningonnon
standardports,inthisexampleport5555.

28
Server 2010)
SSL configuration
SomeofthewalkthroughscenarioswilluseSSLtodemonstratehowtoconfigure
delegationwithHTTPS.Itisassumedthatthecertificatesbeingusedcomefroma
trustedrootcertificateauthority,eitherinternalorpublic,oryouhaveconfiguredall
computerstotrustthecertificatesbeingused.Thedocumentwillnotcoverhowto
properlyconfigurecertificatetrustnorwillitprovideguidanceaboutdebuggingissues
relatedtoSSLcertificateinstallation.Itishighlyrecommendedtoreviewthesetopics
andtestyourSSLconfigurationbeforeconfiguringKerberosconstraineddelegationwith
SSLprotectedservices.Formoreinformationsee:
Active Directory Certificate Services Overview

(http://go.microsoft.com/fwlink/?LinkId=196660)
Active Directory Certificate Services Step-by-Step Guide

Configuring Server Certificates in IIS 7

How to Set Up SSL on IIS 7: Configuring Security : Installing and Configuring IIS 7 :
The Official Microsoft IIS Site(http://go.microsoft.com/fwlink/?LinkID=193447)
Add a Binding to a Site (IIS 7)(http://go.microsoft.com/fwlink/?LinkId=196663)
Configure a Host Header for a Web Site (IIS 7)

(http://go.microsoft.com/fwlink/?LinkId=196664)(HowtouseSSLwithhost
headers)
Create a Self-Signed Server Certificate in IIS 7

Load balancing
LoadbalancingontheSharePointServerfrontendWebsandSQLServerReporting
ServicesserverswasimplementedbyusingWindowsServer2008NetworkLoad
Balancing(NLB).HowtoconfigureNLBandNLBbestpracticesarenotcoveredinthis
document.FormoreinformationonNLB,refertoOverview of Network Load Balancing.
SQL aliasing
ThefarmwasbuiltusingaSQLclientaliastoconnecttotheSQLcluster.Thisistypically
abestpracticeandwasdonetodemonstratehowKerberosauthenticationisconfigured
29
whenSQLaliasingisused.Scenario2assumestheenvironmentisconfiguredinthis
manner,butitisnotrequiredtouseSQLaliasestocompleteanyofthescenariosbelow.
FormoreinformationonhowtoconfigureSQLaliasesseeHow to: Create a Server Alias
for Use by a Client (SQL Server Configuration Manager).
SharePoint Server Services and service

accounts
Thescenariosbelowimplementaleastprivilegemodelwhereeachserviceinthe
SharePointfarmleveragesaseparate,distinctActiveDirectoryaccountforitsservice
identity.Usingaleastprivilegemodelhasadvantagesanddisadvantages:
Advantages:
Theadministratorcancontrolthepermissionsofeachserviceinafinegrained
wayThisincludesdomainpermissions,localpermissionsandprivileges,delegation
rightsandothersettings.
BetterauditingandtraceabilityByensuringeachserviceleveragesitsown
identity,anadministratorcantracknetworkandsystemactivitybacktothespecific
servicebasedontheidentitycapturedinauditfiles.Forexample,ifaserveraudit
logshowslogonactivityforaparticularaccount,theaccountcouldbeusedtotrace
theactivitytoaparticularservice.
BettersecurityByleveragingseparateaccountsforeachservice,anadministrator
assuresthatifoneaccountiscompromiseditpotentiallylimitsthedamagedueto
thesecurityissuebecauseonlytheservicethatisusingthecompromisedaccountis
affected.Notethatifanyaccountbecomescompromised,aholisticsecurity
assessmentoftheentireenvironmentshouldbeperformedtodeterminethemost
appropriateactiontoaddressthesecurityissue.
Disadvantages:
IncreasedaccountmanagementcomplexityHavingmoreserviceaccounts
translatestomoreActiveDirectoryconfigurationandmorepasswordmanagement
policiestoenforce.
30
Server 2010)
AdditionalconfigurationAsseeninthestepbystepguidebelow,oncea
SharePointServeradministratormakesthedecisiontoleveragealeastprivilege
model,thereareadditionalstepssheorhemustperformtoconfigurethe
environmentcorrectly.
IncreasedadministrationcomplexityTheprobabilityofmisconfigurationincreases
asthecomplexityoftheenvironmentincreases.Whenyouleveragemultiple
accounts,thereisachancethatcertainserviceswillbemisconfigured,whichcan
leadtofunctionalityissuesandtriageneededtocorrecttheissues.
BeawarethatusingseparateserviceaccountsisnotarequirementofSharePointServer
butageneralrecommendationforproductionenvironments.Thestepsintherestof
thispaperoutlinehowtoconfigureSharePointServerwhenyouareusingseparate
accounts;someofthesestepsmaynotapplywhenyouareusingsharedaccounts.
C2WTS Service Identity

Thestepsbelowassumealeastprivilegesecuritymodelandleveragediscreteservice
accountsforeachSharePointServerservice.TheC2WTSisconfiguredtouseaseparate
ActiveDirectoryaccountinsteadofthedefaultlocalsystemaccounttofollowthis
designtenant.Whenyouuseadistinctaccount,theindividualdelegationrightsgranted
totheC2WTScanbemanagedseparatelyfromotherservicesontheserverthatarealso
usingthelocalsystemaccount.Notethatthisisnotaproductrequirement,buta
recommendedpractice.
Tips for working through the scenarios

ThescenariosbelowwalkthroughvariousactivitiesneededtoconfigureKerberos
delegationacrossdifferentfunctionsoftheSharePointServerplatform.Asyougo
througheachsection:
Allthescenariosassumeyouhaveyourwebapplicationsconfiguredforincomingclassic
authentication(Kerberos).Somescenariosbelowrequireclassicauthenticationandwill
notfunctionasdocumentedwithincomingclaimsauthentication.
GettheSharePointServerservicesworkingfirstwithoutdelegationtoensurethe
serviceapplicationsareconfiguredcorrectlybeforemovingontomorechallenging
configurationswithdelegation.
31
Trytopayspecialattentiontoeachstepandavoidskippinganysteps
Workthroughscenario1andspendtimeusingthedebuggingtoolsmentionedin
thescenarioastheycanbeusedinotherscenariostotriageconfigurationissues.
Remembertoworkthroughscenario2.YoullneedacomputerrunningSQLServer
thatisconfiguredtoacceptKerberosauthenticationandwillrequirethetest
databasethatyousetupinthisscenarioforsomeofthelaterscenarios.
AlwaysdoublecheckSPNconfigurationineachscenariobyusingSetSPNXand
SetSPNQ.Seetheappendixformoreinformation.
AlwaysbesuretochecktheservereventlogsandULSlogswhenattemptingto
debugaconfigurationissue.Therearetypicallygoodpointersintheselogswhich
canquicklypointouttheissuesyouareencountering.
TurnupdiagnosticloggingforSharePointFoundation>ClaimsAuthenticationand
anyserviceapplicationsthatyouareattemptingtotriageifissuesoccur.
Rememberthateachscenariomaybeaffectedbyserviceapplicationcaching.Ifyou
makeconfigurationchangesbutdonotseechangesinplatformbehavior,try
restartingtheservicesapplicationpoolorwindowsservice.Ifthishasnoeffect,
sometimesasystemrebootwillhelp.
RememberthatKerberosticketsarecachedoncerequested.Ifyouareusingatool
likeNetMontoviewTGTandTGSrequests,youmayneedtoemptytheticketcache
ifyoudontseetherequesttrafficyouexpect.Scenario1,Configuring Kerberos
authentication: Core configuration (SharePoint Server 2010)explainshowtodothis
withtheKLISTandKerbTrayutilities.
RemembertorunNetMonwithAdministrativeprivilegestocaptureKerberos
traffic.
ForadvanceddebuggingscenariosyoumaywanttoturnonWIFtracingforthe
ClaimstoWindowsTokenServiceandWCFtracingfortheSharePointService
Applications(WCFservices).See:
WIF Tracing
How to: Enable Tracing
Configuring Tracing
32
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Configuring Kerberos authentication:

Core configuration (SharePoint Server
2010)
InthefirstscenarioyouwillconfiguretwoSharePointServer2010webapplicationsto
usetheKerberosprotocolforauthenticatingincomingclientrequests.For
demonstrationpurposes,onewebapplicationwillbeconfiguredtousestandardports
(80/443)andtheotherwilluseanondefaultport(5555).Thisscenariowillbethebasis
ofallthefollowingscenarioswhichassumetheactivitiesbelowhavebeencompleted.
Important:
ItisarequirementtoconfigureyourwebapplicationswithclassicWindows
authenticationusingKerberosauthenticationtoensurethatthescenariosworkas
expected.WindowsClaimsauthenticationcanbeusedinsomescenariosbutmaynot
producetheresultsdetailedinthescenariosbelow.
Note:
IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Inthisscenarioyoudothefollowingthings:
ConfiguretwowebapplicationswithdefaultzonesthatusetheKerberosprotocol
forauthentication
Createtwotestsitecollections,oneineachwebapplication
VerifytheIISconfigurationofthewebapplication
33
Verifythatclientscanauthenticatewiththewebapplicationandensurethatthe
Kerberosprotocolisusedforauthentication
ConfiguretheRSSViewerwebparttodisplayRSSfeedsinalocalandremoteweb
application
Crawleachwebapplicationandtestsearchingcontentineachtestsitecollection
Configuration checklist
AreaofConfiguration Description
DNS RegisteraDNSARecordforthewebapplicationsnetworked
loadedbalanced(NLB)virtualIP(VIP)
ActiveDirectory CreateaserviceaccountsforthewebapplicationsIIS
applicationpool
RegisterServicePrincipalNames(SPN)fortheweb
applicationsontheserviceaccountcreatedfortheweb
applicationsIISapplicationpool
ConfigureKerberosconstraineddelegationforservice
accounts
SharePointWebAppCreateSharePointServermanagedaccounts
CreatetheSharePointSearchServiceApplication
CreatetheSharePointwebapplications
IIS ValidatethatKerberosauthenticationisEnabled
VerifyKernelmodeauthenticationisdisabled
InstallcertificatesforSSL
Windows7Client EnsurewebapplicationURLsareintheintranetzone,ora
zoneconfiguredtoautomaticallyauthenticatewith
integratedWindowsauthentication
Firewall OpenfirewallportstoallowHTTPtrafficinondefaultand
34
Configuration nondefaultports
EnsureclientscanconnecttoKerberosPortsontheActive
Directory
TestBrowser Verifyauthenticationworkscorrectlyinthebrowser
Authentication
VerifyLogoninformationonthewebserverssecurityevent
log
UsethirdpartytoolstoconfirmKerberosauthenticationis
configuredcorrectly
TestSharePoint Verifybrowseraccessfromtheindexserver(s)
ServerSearchIndex
andQuery Uploadsamplecontentandperformacrawl
Testsearch
TestWFEDelegation ConfigureRSSFeedsourcesoneachsitecollection
AddRSSviewwebpartstothehomepageofeachsite
collection
Step-by-step configuration instructions

Configure DNS
ConfigureDNSforthewebapplicationsinyourenvironment.Inthisexamplewehave2
webapplications,http://portalandhttp://teams:5555,whichbothresolvetothesame
NLBVIP(192.168.24.140/24)
ForgeneralinformationabouthowtoconfigureDNS,seeManaging DNS Records.
SharePoint Server Web apps

http://portalConfigureanewDNSARecordfortheportalwebapplication.Inthis
examplewehaveahost"portal"configuredtoresolvetotheloadbalancedVIP.
35

http://teams:5555ConfigureanewDNSARecordforthefortheteam'sweb
application
36
Note:
ItisimportanttoensuretheDNSentriesareARecordsandnotCNAMEaliasesfor
Kerberosauthenticationtoworksuccessfullyinenvironmentswithmorethanoneweb
applicationrunningwithhostheadersandseparatededicatedserviceaccounts.See
Kerberos configuration known issues (SharePoint Server 2010)foranexplanationofthe
knownissuewithusingCNAMEwithKerberosenabledwebapplications.
Configure Active Directory

NextyouwillconfiguretheActiveDirectoryaccountsforthewebapplicationsinyour
environment.Asabestpracticeyoushouldconfigureeachwebapplicationtoruninits
ownIISapplicationpoolwithitsownsecuritycontext(applicationpoolidentity).
SharePoint Service Application Service Accounts

InourexamplewehavetwoSharePointServerwebapplicationsrunningintwo
separateIISapplicationpoolsrunningwiththeirownapplicationpoolidentities.
WebApplication(defaultzone) IIS AppPoolIdentity
http://portal vmlab\svcPortal10App
http://teams:5555 vmlab\svcTeams10App
Service Principal Names (SPNs)

Foreachserviceaccount,configureasetofserviceprincipalnamesthatmaptotheDNS
hostnamesassignedtoeachwebapplication.
UseSetSPN,acommandlinetoolinWindowsServer2008,toconfigureanewservice
principalname.ForafullexplanationofhowtouseSetSPN,seeSetspn.Tolearnabout
SetSPNimprovementsinWindowsServer2008,seeCare, Share and Grow! : New
features in SETSPN.EXE on Windows Server 2008.
37
AllSharePointServerwebapplications,regardlessofportnumber,usethefollowing
SPNformat:
HTTP/<DNSHOSTname>
HTTP/<DNSFQDN>
Example:
HTTP/portal
HTTP/portal.vmlab.local
ForWebapplicationsrunningonnondefaultports(portsotherthan80/443)register
additionalSPNswithportnumber:
HTTP/<DNSHostName>:<port>
HTTP/<DNSFQDN>:<port>
Example:
HTTP/teams:5555
HTTP/teams.vmlab.local:5555
Note:
SeetheappendixforanexplanationofwhyitisrecommendedtoconfigureSPNswith
andwithoutportnumberforHTTPservicesrunningonnondefaultports(80,443).
TechnicallythecorrectwaytorefertoaHTTPservicethatrunsonanondefaultportis
toincludetheportnumberintheSPNbutbecauseofknownissuesdescribedinthe
appendixweneedtoconfigureSPNswithoutportaswell.NotethattheSPNswithout
portfortheteamswebapplicationdoesnotmeanserviceswillbeaccessedusingthe
defaultports(80,443)inourexample.
Inourexampleweconfiguredthefollowingserviceprincipalnamesforthetwo
accountswecreatedinthepreviousstep:
38
DNSHost IISAppPoolIdentity ServicePrincipalNames
Portal.vmlab.local vmlab\svcPortal10App HTTP/portal
HTTP/portal.vmlab.local
Teams.vmlab.local vmlab\svcTeams10App HTTP/Teams
HTTP/Teams.vmlab.local
HTTP/Teams:5555
HTTP/Teams.vmlab.local:5555
Tocreatetheserviceprincipalnamesthefollowingcommandswereexecuted:
SetSPNSHTTP/Portalvmlab\svcportal10App
SetSPNSHTTP/Portal.vmlab.localvmlab\svcportal10App
SetSPNSHTTP/Teamsvmlab\svcTeams10App
SetSPNSHTTP/Teams.vmlab.localvmlab\svcTeams10App
SetSPNSHTTP/Teams:5555vmlab\svcTeams10App
SetSPNSHTTP/Teams.vmlab.local:5555vmlab\svcTeams10App
Important:
DonotconfigureserviceprincipalnameswithHTTPSevenifthewebapplicationuses
SSL.
Inourexampleweusedanewcommandlineswitch,S,introducedinWindowsServer
2008thatchecksfortheexistenceoftheSPNbeforecreatingtheSPNontheaccount.If
theSPNalreadyexists,thenewSPNisnotcreatedandyouseeanerrormessage.
39
IfduplicateSPNsarefound,youhavetoresolvetheissuebyeitherusingadifferentDNS
nameforthewebapplication,therebychangingtheSPN,orbyremovingtheexisting
SPNfromtheaccountitwasdiscoveredon.
Important:
BeforedeletinganexistingSPN,besureitisnolongerneeded,otherwiseyoumaybreak
Kerberosauthenticationforanotherapplicationinyourenvironment.
Service Principal Names and SSL

ItiscommontoconfuseKerberosServicePrincipalNameswithURLsforhttpweb
applicationsbecausetheSPNandURIformatsareverysimilarinsyntax,butits
importanttounderstandthattheyaretwoveryseparateanduniquethings.Kerberos
serviceprincipalnamesareusedtoidentifyaservice,andwhenthatserviceisanhttp
application,theserviceschemeis"HTTP"regardlessiftheserviceisaccesswithSSLor
not.Thismeansthatevenifyouaccessthewebapplicationusing"https://someapp"you
donot,andshouldnot,configureaserviceprincipalnamewithHTTPS,forexample
"HTTPS/someapp".
Configure Kerberos constrained delegation for computers and

service accounts
Dependingonthescenario,somefunctionalityinSharePointServer2010mayrequire
constraineddelegationtofunctionproperly.Forexample,iftheRSSviewerwebpartis
configuredtodisplayaRSSfeedfromanauthenticatedsourceitwillrequiredelegation
toconsumethesourcefeed.Inothersituationsitmayberequiredtoconfigure
constraineddelegationtoallowserviceapplications(suchasExcelServices)todelegate
theclientsidentitytobackendsystems.
InthisscenariowewillconfigureKerberosconstraineddelegationtoallowtheRSSview
webparttoreadasecuredlocalRSSfeedandsecuredremoteRSSfeedfromaremote
40
webapplication.InlaterscenarioswewillconfigureKerberosconstraineddelegationfor
otherSharePointServer2010serviceapplications.
Thefollowingdiagramconceptuallydescribeswhatwillbeconfiguredinthisscenario:

Wehavetwowebapplications,eachwiththeirownsitecollectionwithasitepage
hosingtwoRSSviewerwebparts.Thewebapplicationseachhaveasingledefaultzone
configuredtouseKerberosauthenticationsoallfeedscomingfromthesewebsiteswill
requireauthentication.IneachsiteoneRSSviewerwillbeconfiguredtoreadalocalRSS
feedfromalistandtheotherwillbeconfiguredtoreadanauthenticationfeedinthe
remotesite.
Toaccomplishthis,Kerberosconstraineddelegationwillbeconfiguredtoallow
delegationbetweentheIISapplicationpoolserviceaccounts.Thefollowingdiagram
conceptuallydescribestheconstraineddelegationpathsneeded:
41

RememberthatweidentifythewebapplicationbyservicenameusingtheService
PrincipalName(SPN)assignedtotheidentityoftheIISapplicationpool.Theservice
accountsprocessingrequestsmustbeallowedtodelegatetheclientidentitytothe
designatedservices.Alltogetherwehavethefollowingconstraineddelegationpathsto
configure:
PrincipalType PrincipalName DelegatesToService
User svcPortal10App HTTP/Portal
HTTP/Portal.vmlab.local
HTTP/Teams
HTTP/Teams:5555
42
User svcTeams10App HTTP/Portal
HTTP/Portal.vmlab.local
HTTP/Teams
HTTP/Teams:5555
Note:
Itmayseemredundanttoconfiguredelegationfromaservicetoitself,suchasthe
portalserviceaccountdelegatingtotheportalserviceapplication,butthisisrequiredin
scenarioswhereyouhavemultipleserversrunningtheservice.Thisistoaddressthe
scenariowhereoneservermayneedtodelegatetoanotherserverrunningthesame
service;forinstanceaWFEprocessingarequestwithaRSSviewerwhichusesthelocal
webapplicationasthedatasource.Dependingonfarmtopologyandconfiguration
thereisapossibilitythattheRSSrequestmaybeservicedbyadifferentserverwhich
wouldrequiredelegationtoworkcorrectly.
ToconfiguredelegationyoucanusetheActiveDirectoryUsersandComputersnapin.
Rightclickeachserviceaccountandopenthepropertiesdialog.Inthedialogyouwill
seeatabfordelegation(notethatthistabonlyappearsiftheobjecthasanSPN
assignedtoit;computershaveanSPNbydefault).Onthedelegationtab,selectTrust
thisuserfordelegationtospecifiedservicesonly,thenselectUseanyauthentication
protocol.
43
ClicktheAddbuttontoaddtheservicestheuser(serviceaccount)willbeallowedto
delegateto.ToselectaSPN,youwilllookuptheobjecttheSPNisappliedto.Inour
instance,wearetryingtodelegatetoaHTTPservicewhichmeanswesearchforthe
serviceaccountoftheIISapplicationpoolthattheSPNwasassignedtointheprevious
step.
44
OntheSelectUsersorComputersdialogbox,clickUsersandComputers,searchforthe
IISapplicationpoolserviceaccounts(inourexamplevmlab\svcPortal10Appand
vmlab\svcTeams10AppandthenclickOK:
Youwillthenbepromptedtoselecttheservicesassignedtotheobjectsbyservice
principalname.
45
OntheAddServicesdialogbox,clickSelectAllthenclickOK.Notethatwhenyoureturn
tothedelegationdialogyoudonotactuallyseealltheSPNsselected.ToseeallSPNs,
checktheExpandedcheckboxinthelowerlefthandcorner.
46
Performthesestepsforeachserviceaccountinyourenvironmentthatrequires
delegation.Inourexamplethisistheserviceaccountslist
Configure SharePoint Server

OnceActiveDirectoryandDNSareconfigured,itstimetocreatethewebapplicationin
yourSharePointServer2010Farm.Thispaperassumesthattheinstallationof
47
SharePointServeriscompleteatthispointandthefarmtopologyandsupporting
infrastructure,forinstanceloadbalancing,isconfigured.Formoreinformationabout
howtoinstallandconfigureyourSharePointfarm,see:Deployment for SharePoint
Server 2010.
Configure managed service accounts

Beforecreatingyourwebapplications,configuretheservicesaccountscreatedinthe
previousstepsasmanagedserviceaccountsinSharePointServer.Doingsoaheadof
timewillallowyoutoskipthisstepwhencreatingthewebapplicationsthemselves.
Toconfigureamanagedaccount
1. InSharePointCentralAdministration,clickSecurity.

2. UnderGeneralSecurityclickConfiguremanagedaccounts:

3. ClickRegisterManagedAccountandcreateamanagedaccountforeachservice
account.Inthisexamplewecreatedfivemanagedserviceaccounts:
Account Purpose
VMLAB\svcSP10Search SharePointSearchServiceAccount
VMLAB\svcSearchAdmin SharePointSearchAdministrationServiceAccount
48
Account Purpose
VMLAB\svcSearchQuery SharePointSearchQueryServiceAccount
VMLAB\svcPortal10App PortalWebAppIISApplicationPoolAccount
VMLAB\svcTeams10App TeamsWebAppIISApplicationPoolAccount
Note:
ManagedaccountsinSharePointServer2010arenotthesameasmanaged
serviceaccountsinWindowsServer2008R2ActiveDirectory.
Create the SharePoint Server Search Service Application

InthisexamplewewillconfiguretheSharePointServerSearchServiceApplicationto
ensurethenewlycreatewebapplicationcanbecrawledandsearchedupon
successfully.CreateanewSharePointServerSearchWebApplicationandplacethe
Search,QueryandAdministrationServicesontheapplicationserver,inourexample
vmSP10App01.ForadetailedexplanationonhowtoconfiguretheSearchService
Application,seeStep-by-Step: Provisioning the Search Service Application.
Note:
TheplacementofallSearchServicesonasingleapplicationserverisfordemonstration
purposesonly.AcompletediscussionaboutSharePointServer2010SearchTopology
optionsandbestpracticesisoutofscopeforthisdocument.
Create the Web Application

BrowsetoCentralAdministrationandnavigatetoManageWebApplicationsinthe
ApplicationManagementsection.Inthetoolbar,selectNewandcreateyourweb
application.Ensurethatthefollowingisconfigured:
SelectClassicModeAuthentication.
Configuretheportandhostheaderforeachwebapplication.
49
SelectNegotiateastheAuthenticationProvider.
Underapplicationpool,selectCreatenewapplicationpoolandselectthemanaged
accountcreatedinthepreviousstep.
Inthisexample,twowebapplicationswerecreatedwiththefollowingsettings:
Setting http://PortalWebApplication http://TeamsWebApplication
Authentication ClassicMode ClassicMode
IISWebSite Name:SharePointPortal80 Name:SharePointTeams5555
Port:80 Port:80
HostHeader:Portal HostHeader:Teams
Security AuthProvider:Negotiate AuthProvider:Negotiate

Configuration
AllowAnonymous:No AllowAnonymous:No
UseSecureSocketLayer:No UseSecureSocketLayer:No
PublicURL http://Portal:80 http://Teams:5555
ApplicationPoolName:SharePointPortal80 Name:SharePointTeams5555
SecurityAccount: SecurityAccount:
vmlab\svcPortal10App vmlab\svcTeams10App
Whencreatingthenewwebapplicationyouarealsocreateanewzone,thedefault
zone,configuredtousetheWindowsauthenticationprovider.Youcanseetheprovider
anditssettingsforthezoneinwebapplicationmanagementbyfirstselectingtheweb
application,thenclickingAuthenticationProvidersinthetoolbar.Theauthentication
providersdialogboxlistsallthezonesfortheselectedwebapplicationalongwiththe
authenticationproviderforeachzone.Byselectingthezone,youwillseethe
authenticationoptionsforthatzone.
50
Theauthenticationprovidersdialogwilllistallthezonesfortheselectedweb
applicationalongwiththeauthenticationproviderforeachzone:
Byselectingthezone,youwillseetheauthenticationoptionsforthatzone:
51
IfyoumisconfiguredtheWindowssettingsandselectedNTLMwhentheweb
applicationwascreated,youcanusetheeditauthenticationdialogforthezoneto
switchthezonefromNTLMtoNegotiate.Ifclassicmodewasnotselectedasthe
authenticationmode,youmusteithercreateanewzonebyextendingtheweb
applicationtoanewIISwebsiteordeleteandrecreatethewebapplication.
52
Create site collections

Totestwhetherauthenticationisworkingcorrectly,youwillneedtocreateatleastone
sitecollectionineachwebapplication.Thecreationandconfigurationofthesite
collectionwillnotaffectKerberosfunctionality,sofollowexistingguidanceonhowto
createasitecollectioninCreate a site collection (SharePoint Foundation 2010).
Forthisexample,twositecollectionswereconfigured:
WebApplication SiteCollectionPath SiteCollectionTemplate
http://portal / PublishingPortal
http://teams:5555 / TeamSite
Create alternate access mappings

TheportalwebapplicationwillbeconfiguredtouseHTTPSaswellasHTTPto
demonstratehowdelegationworkswithSSLprotectedservices.ToconfigureSSL,the
portalwebapplicationwillneedasecondSharePointServeralternateaccessmapping
(AAM)fortheHTTPSendpoint.
Toconfigurealternateaccessmappings
1. InCentralAdministration,clickApplicationManagement.
2. UnderWebApplicationsclickconfigurealternateaccessmappings.

53
3. IntheSelectAlternateAccessMappingCollectiondropdown,selecttheChange
AlternateAccessMappingCollection.

4. Selecttheportalwebapplication.

5. ClickEditPublicUrlsinthetoptoolbar.

6. Inafreezone,addthehttpsURLforthewebapplication.ThisURLwillbethename
ontheSSLcertificateyouwillcreateinthenextsteps.

7. ClickSave.
YoushouldnowseetheHTTPSURLinthezonelistforthewebapplication.
54
IIS configuration
Install SSL certificates

YouwillneedtoconfigureanSSLcertificateoneachSharePointServerhostingtheweb
applicationserviceforeachwebapplicationthatusesSSL.Again,thetopicofhowto
configureanSSLcertificateandcertificatetrustisoutofscopeforthisdocument.See
theSSLConfigurationsectioninthisdocumentforreferencestomaterialabout
configuringSSLcertificatesinIIS.
Verify that Kerberos authentication is enabled
ToverifythatKerberosauthenticationisenabledonthewebsite
1. OpenIISmanager.
2. SelecttheIISwebsitetoverify.
3. InFeaturesView,underIIS,doubleclickAuthentication.
55

4. SelectWindowsAuthenticationwhichshouldbeenabled.

5. OntherighthandsideunderActions,selectProviders.VerifyNegotiateisatthetop
ofthelist.
56
Verify that Kernel mode authentication is disabled

KernelmodeauthenticationisnotsupportedinSharePointServer2010.Bydefault,all
SharePointServerWebApplicationsshouldhaveKernelModeAuthenticationdisabled
bydefaultontheircorrespondingIISwebsites.Eveninsituationswheretheweb
applicationwasconfiguredonanexistingIISwebsite,SharePointServerdisableskernel
modeauthenticationasitprovisionsanewwebapplicationontheexistingIISsite.
Toverifythatkernelmodeauthenticationisdisabled
1. OpenIISmanager.
2. SelecttheIISwebsitetoverify.
3. InFeaturesView,underIIS,doubleclickAuthentication.
4. SelectWindowsAuthentication,whichshouldbeenabled.
5. ClickAdvancedSettings.
6. VerifybothEAPandKernelModeAuthenticationaredisabled.
57
Configure the firewall

Beforetestingauthentication,ensureclientscanaccesstheSharePointServerweb
applicationsontheconfiguredHTTPports.Inaddition,ensureclientscanauthenticate
withActiveDirectoryandrequestKerberosticketsfromtheKDCoverthestandard
Kerberosports.
Open firewall ports to allow HTTP traffic in on default and non-default

ports
TypicallyyouhavetoconfigurethefirewalloneachfrontendWebtoallowincoming
requestsoverportsTCP80andTCP443.OpenWindowsFirewallwithAdvanced
SecurityandbrowsetothefollowingInboundRules:

WorldWideWebServices(HTTPTrafficIn)
WorldWideWebServices(HTTPSTrafficIn)
58
Makesuretheappropriateportsareopeninyourenvironment.Inourexample,we
accessSharePointServeroverHTTP(port80),sothisrulewasenabled.
Inaddition,wehavetoopenthenondefaultportusedinourexample(TCP5555).If
youhavewebsitesrunningonnondefaultports,youalsohavetoconfigurecustom
rulestoallowHTTPtrafficonthoseports.
Ensure that clients can connect to Kerberos ports on the Active

Directory role
TouseKerberosauthentication,clientswillhavetorequestticketgrantingtickets(TGT)
andservicetickets(ST)fromtheKeyDistributionCenter(KDC)overUDPorTCPport88.
Bydefault,whenyouinstalltheActiveDirectoryRoleinWindowsServer2008andlater,
therolewillconfigurethefollowingincomingrulestoallowthiscommunicationby
default:

KerberosKeyDistributionCenterPCR(TCPIn)
KerberosKeyDistributionCenterPCR(UDPIn)
KerberosKeyDistributionCenter(TCPIn)
KerberosKeyDistributionCenter(UDPIn)
Inyourenvironmentensuretheserulesareenabledandthatclientscanconnecttothe
KDC(domaincontroller)overport88.
Test browser authentication

AfterconfiguringActiveDirectory,DNSandSharePointServeryoucannowtestwhether
Kerberosauthenticationisconfiguredcorrectlybybrowsingtoyourwebapplications.
Whentestinginthebrowser,ensurethefollowingconditionsaremet:
1. ThetestuserisloggedintoaWindowsXP,Vista,orWindows7computerjoinedto
thedomainthatSharePointServerisinstalledin,orisloggedintoadomaintrusted
bytheSharePointServerdomain.
59
2. ThetestuserisusingInternetExplorer7.0orlater(InternetExplorer6.0isno
longersupportedinSharePointServer2010;seePlan browser support (SharePoint
Server 2010)).
3. IntegratedWindowsauthenticationisenabledinthebrowser.UnderInternet
OptionsintheAdvancedtab,makesureEnableIntegratedWindows
Authentication*isenabledintheSecuritysection:

4. Localintranetisconfiguredtoautomaticallylogonclients.UnderInternetexplorer
option,intheSecuritytab,selectLocalIntranetandclicktheCustomlevelbutton.
ScrolldownandmakesurethatAutomaticlogononlyinIntranetzoneisselected.
60

ScrolldownandmakesureAutomaticlogononlyinIntranetzoneisselected:
61
Note:
ItispossibletoconfigureautomaticlogononotherzonesbutthetopicofIEsecurity
zonesbestpracticesitoutsidethescopeofthispaper.Forthisdemonstrationthe
intranetzonewillbeusedforalltests.
5. EnsurethatAutomaticallydetectintranetnetworkisselectedinInternetoptions
>Security>IntranetZone>Sites.
62

6. IfyouareusingfullyqualifieddomainnamestoaccesstheSharePointServerweb
applications,ensurethattheFQDNsareincludedintheintranetzone,either
explicitlyorbywildcardinclusion(forexample,*.vmlab.local).
63
TheeasiestwaytodetermineifKerberosauthenticationisbeingusedisbylogginginto
atestworkstationandnavigatingtothewebsiteinquestion.Iftheuserisntprompted
forcredentialsandthesiteisrenderedcorrectly,youcanassumeIntegratedWindows
authenticationisworking.Thenextstepistodetermineifthenegotiateprotocolwas
usedtonegotiateKerberosauthenticationastheauthenticationproviderforthe
request.Thiscanbedoneinthefollowingways:
Front-end Web security logs

IfKerberosauthenticationisworkingcorrectlyyouwillseeLogoneventsinthesecurity
eventlogsonthefrontendwebswitheventID=4624.
64
InthegeneralinformationfortheseeventsyoushouldseethesecurityIDbeinglogged
ontothecomputerandtheLogonProcessused,whichshouldbeKerberos.
KList
KListisacommandlineutilityincludedinthedefaultinstallationofWindowsServer
2008andWindowsServer2008R2whichcanbeusedtolistandpurgeKerberostickets
65
onagivencomputer.TorunKLIST,openacommandpromptinWindowsServer2008
andtypeKlist.
Ifyouwanttopurgetheticketcache,runKlistwiththeoptionalpurgeparameter:Klist
purge
KerbTray
KerbTrayisafreeutilityincludedwiththeWindowsServer2000ResourceKitToolthat
canbeinstalledonyourclientcomputertoviewtheKerberosticketcache.Download
andinstallfromWindows 2000 Resource Kit Tool: Kerbtray.exe.Onceyouhaveit
installed,performthefollowingactions:
1. NavigatetothewebsitesthatuseKerberosAuthentication.
2. RunKerbTray.exe.
3. ViewtheKerberosTicketcachebyrightclickingonthekerbtrayiconinthesystem
trayandselectingListTickets.
66

4. Validatetheserviceticketsforthewebapplicationsyouauthenticatedareinthelist
ofcachedtickets.Inourexamplewenavigatedtothefollowingwebsiteswhich
havethefollowingSPNsregistered:

WebSiteURL SPN
http://portal HTTP/Portal.vmlab.local
http://teams:5555 HTTP/Teams.vmlab.local
67
68
Fiddler
FiddlerisafreeHTTPtrafficanalyzerthatcanbedownloadedfromthefollowing
location:http://www.fiddlertool.com/.Infiddleryouwillseetheclientandserver
negotiateKerberosauthenticationandyouwillbeabletoseetheclientsendthe
KerberosServiceTicketstotheserverintheHTTPheadersofeachrequest.Tovalidate
thatKerberosauthenticationisworkingcorrectlyusingfiddlerperformthefollowing
actions:
1. DownloadandinstallFiddler(www.fiddlertool.com)ontheclientcomputer.
2. Logoutofthedesktopandlogbackintoflushanycachedconnectionstotheweb
serverandforcethebrowsertonegotiateKerberosauthenticationandperformthe
authenticationhandshake.
3. StartFiddler.
4. OpenInternetExplorerandbrowsetothewebapplication(http://portalinour
example).
YoushouldseetherequestsandresponsestotheSharePointServerfrontendwebin
Fiddler.
ThefirstHTTP401isthebrowserattempttodotheGETrequestwithoutauthentication.
69
Inresponse,theserversendsbackan"HTTP401unauthorized"andinthisresponse
indicateswhatauthenticationmethodsitsupports:
Inthenextrequest,theclientresendsthepreviousrequest,butthistimesendsthe
serviceticketforthewebapplicationintheheadersoftherequest:
70
IfyouselecttheAuthviewwithintheFiddlerinspectorwindowyouwillalsoseethe
KerberosticketintherequestandtheKerberosresponse:
71
Ifauthenticatedsuccessfully,theserverwillsendbacktherequestedresource.
NetMon 3.4
NetMon3.4isafreenetworkpacketanalyzerfromMicrosoftthatcanbedownloaded
fromtheMicrosoftDownloadCenter:Microsoft Network Monitor 3.4.
InNetMonyouseeallTCPrequestandresponsestotheKDCandtheSharePointServer
webservers,givingyouacompleteviewoftrafficthatmakesupacomplete
authenticationrequest.TovalidatethatKerberosauthenticationisworkingbyusing
netmon,performthefollowingactions:
72
1. DownloadandinstallNetMon3.4(Microsoft Network Monitor 3.4).
2. LogoutoftheclientthenlogbackintoflushtheKerberosticketcache.Optionally
youcanuseKerbTraytopurgetheticketcachebyrightclickingonKerbTrayand
selectingPurgeTickets.
3. StartNetMoninadministratormode.RightclicktheNetMonshortcut,andselect
RunasAdministrator.
4. Startanewcaptureontheinterfacesthatconnecttotheactivedirectorycontroller
inyourenvironmentandthewebfrontends.
5. Openinternetexplorerandbrowsetothewebapplication.
6. Afterthewebsiterenders,stopthecaptureandaddadisplayfiltertoshowthe
framesforKerberosauthenticationandHTTPtraffic.
7. IntheframeswindowyoushouldseebothHTTPandKerberosV5traffic.

73

a. Thefirsttwoframesaretheoriginalrequest/responsewheretheclient
andservernegotiatetheuseofKerberosforauthentication
b. ThefollowingKerberosV5framesaretheclientrequestsforTicket
GrantingTicketfortheVMLAL.LocalRealmandtheKerberosservice
ticketsfortheSPNHTTP/portal.VMLAB.local
c. FinallythelastHTTPframesaretheclientusingtheserviceticketsto
authenticatewiththewebserverandtheserversuccessfully
authenticatingtheclientandreturningtheresponse
Test Kerberos Authentication over SSL

ToclearlydemonstratetheSPNsrequestedwhenaclientaccessesanSSLprotected
resource,youcanuseatoollikeNetmontocapturethetrafficbetweenclientand
serverandexaminetheKerberosserviceticketrequests.
1. Eitherlogoutandthenreloginintotheclientcomputer,orclearallcachedKerberos
ticketsbyusingKerbTray.
2. StartanewNetMoncaptureontheclientcomputer.BesuretostartNetMonwith
administratorpermissions.
3. BrowsetothewebapplicationbyusingSSL(inthisexample,https://portal.)
4. StoptheNetMoncaptureandexaminetheKerberosV5traffic.Forinstructionson
howtofilterthecapturedisplay,seetheinstructionsintheNetMon 3.4sectionof
thisarticle.
5. LookfortheTGSrequesttheclientsends.IntherequestyouwillseetheSPN
requestedinthe"Sname"parameter.
74

Notethatthe"Sname"isHTTP/portal.vmlab.localandnotHTTPS/portal.vmlab.local.
Test SharePoint Server Search Index and Query
Verify browser access from the index server(s)

Beforerunningacrawl,ensurethattheindexservercanaccessthewebapplications
andauthenticatesuccessfully.Logintotheindexserverandopenthetestsite
collectionsinthebrowser.Ifthesitesrendersuccessfullyandnoauthenticationdialogs
appear,proceedtothenextstep.Ifanyissuesoccurwhileaccessingthesitesinthe
browsers,gobackoverthepreviousstepstoensureallconfigurationactionswere
performedcorrectly.
Upload sample content and perform a crawl

Ineachsitecollectionuploada"seed"document(onethatiseasilyidentifiablein
search)toadocumentlibraryinthesitecollection.Forinstance,createatextdocument
containingthewords"alpha,beta,delta"andsaveittoadocumentlibraryineachsite
collection.
Next,browsetoSharePointCentralAdministrationandstartafullcrawlontheLocal
SharePointSitescontentsource(whichshouldcontainthetwotestsitecollectionsby
default).
75
Test search
Ifindexingcompletedsuccessfully,youshouldseesearchableitemsinyourindexandno
errorsinthecrawllog.
76
Note:IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperforminga
crawlontheprofilestorebesuretoconfiguretheappropriatepermissionsontheUPA
toallowthecontentaccessaccounttoaccessprofiledata.Ifyouhavenotconfigured
theUPApermissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawler
couldnotaccesstheprofileservicebecauseitreceivedanHTTP401whentryingto
accesstheservice.The401returnedisnotduetoKerberos,butinsteadisduetothe
contentaccessaccountnothavingpermissionstoreadprofiledata.
Note:
IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperformingacrawlon
theprofilestore,besuretoconfiguretheappropriatepermissionsontheUPAtoallow
thecontentaccessaccounttoaccessprofiledata.IfyouhavenotconfiguredtheUPA
permissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawlercouldnot
accesstheprofileservicebecauseitreceivedanHTTP401whentryingtoaccessthe
service.The401returnedisnotduetoKerberos,butinsteadisduetothecontent
accessaccountnothavingpermissionstoreadprofiledata.
Next,browsetoeachsitecollectionandperformasearchfortheseeddocument.Each
sitecollectionssearchqueryshouldreturntheseeddocumentuploaded.
77
Test front-end Web delegation

Asalaststepinthisscenario,youusetheRSSviewerwebpartoneachsitecollectionto
ensurethatdelegationisworkingbothlocallyandremotely.
Configure RSS feed sources on each site collection

FortheportalapplicationyouhavetoenableRSSfeedsontheSiteCollection.Toturn
onRSSfeedsfollowtheinstructionsinManage RSS FeedsonOffice.com.
OnceRSSfeedsareenabled,createanewcustomlistandaddalistitemfortesting
purposes.NavigatetotheListtoolbarmenuandclickRSSFeedtoviewtheRSSfeed.
CopythefeedURLtouseitinthefollowingsteps.
78
Performthisstepforeachsitecollection.
Add RSS view web parts to the home page of each site collection
OntheportalapplicationyoullneedtoenabletheSharePointEnterpriseFeaturessite
collectionfeaturetousetheRSSviewerwebpart.OnceenabledaddtwoRSSviewer
webpartstothehomepage.Forthefirstwebpart,configurethefeedURLtopointat
thelocalRSSfeedyoucreatedinthepreviousstep.Forthesecondwebpart,configure
thefeedURLtopointattheremotefeedURL.Whencompleted,youshouldseeboth
webpartssuccessfullyrenderingcontentfromthelocalandremoteRSSfeeds.
79
80
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
Kerberos authentication for SQL OLTP

(SharePoint Server 2010)
InthisscenariowewalkthroughtheprocessofconfiguringKerberosauthenticationfor
theSQLServerclusterinoursampleenvironment.Oncethatprocessiscomplete,we
validatethatSharePointServerservicesareauthenticatedwiththeclusterbyusingthe
Kerberosprotocol.
Inthisscenario,youdothefollowingthings:
ConfigureanexistingSQLServer2008R2clustertouseKerberosauthentication
VerifythattheclientcanauthenticatewiththeclusterbyusingKerberos
authentication
Createatestdatabaseandsampledatatobeusedinlaterscenarios
81
Note:
ItisnotrequiredtouseKerberosauthenticationforSQLServerforcoreSharePoint
Serverdataservices(forexample,connectionstoplatformdatabases).Thesample
environmenthasasoleSQLServerclusterthathostsadditionalsampledatabasesused
inlaterscenarios.Fordelegationtoworkcorrectlyinthesescenarios,theSQLServer
clustermustacceptKerberosauthenticatedconnection.
Note:
Areaofconfiguration Description
ConfigureDNS CreateDNS(A)hostrecordsfortheSQLServerclusterIP
ConfigureActive CreateServicePrincipalNames(SPNs)fortheSQLServer
Directory service
VerifySQLServer UseSQLServerManagementStudiotoquerySQLconnection
Kerberosconfiguration metadatatoensuretheKerberosauthenticationprotocolis
used
82
Scenario environment details

SQLDatabaseEngineIdentity
Vmlab\svcSQL
SQL
vmSQL2k8r201
DefaultInstance
LocalSQLClientAlias: DNS(A): Port:1433
SPFarmSQL MySQLCluster.vmlab.local
ClusterIP:
192.168.8.135 vmSQL2k8r202
SharePoint
SQLCluster
ThisscenariodemonstratesaSharePointServerfarmconfiguredtouseaSQLaliasfora
connectiontoaSQLServerclusterthatisconfiguredtouseKerberosauthentication.

Configure DNS
ConfigureDNSfortheSQLServerclusterinyourenvironment.Inthisexamplewehave
oneSQLServercluster,MySqlCluster.vmlab.local,runningonport1433atclusterIP
192.168.8.135/4.TheclusterisActive/PassivewiththeSQLServerdatabaseengine
runningonthedefaultinstanceofthefirstnode.
Inthisexample,weconfiguredaDNS(A)recordfortheSQLServercluster.
83
Note:
Technically,becauseSQLServerSPNsincludeaninstancename(ifyouareusingthe
secondnamedinstanceonthesamecomputer),youcanregistertheDNShostforthe
clusterasaCNAMEaliasandavoidtheCNAMEissuedescribedinAppendixA,Kerberos
configuration known issues (SharePoint Server 2010).However,ifyouchoosetouse
CNAMEs,youhavetoregisteranSPNusingtheDNS(A)recordhostnametheCNAME
aliases.

ForSQLServertoauthenticateclientsusingKerberosauthentication,youhaveto
registeraserviceprincipalname(SPN)ontheserviceaccountthatisrunningSQLServer.
ServiceprincipalnamesfortheSQLServerdatabaseengineusethefollowingformatfor
configurationsthatareusingthedefaultinstanceandnotaSQLServernamedinstance:
84
MSSQLSvc/<FQDN>:port
FormoreinformationaboutregisteringSPNsforSQLServer2008,seeRegistering a
Service Principal Name.
Inourexample,weconfiguredtheSQLServerSPNontheSQLServerdatabaseengine
serviceaccount(vmlab\svcSQL)withthefollowingSetSPNcommand:
SetSPNSMSSQLSVC/MySQLCluster.vmlab.local:1433vmlab\svcSQL
SQL Server named instances

IfyouuseSQLServernamedinstancesinsteadofthedefaultinstance,youhaveto
registerSPNsspecifictotheSQLServerinstanceandfortheSQLServerbrowserservice.
SeethefollowingarticlesformoreinformationaboutconfiguringKerberos
authenticationfornamesinstances:
Registering a Service Principal Name
An SPN for the SQL Server Browser service is required when you establish a
connection to a named instance of SQL Server 2005 Analysis Services or of SQL
Server 2005
SQL aliases
Asabestpractice,whenbuildingyourfarmyoushouldconsiderusingSQLaliasesfor
connectionstoyourSQLServercomputer.IfyouchoosetouseSQLaliases,theKerberos
SPNformatforthoseconnectionsdoesnotchange.Youcontinuetousetheregistered
DNShostname(Arecord)intheSPNforSQLServer.Forexample,ifyouregisteranalias
"SPFARMSQL"for"MySQLCluster.vmlab.local"theSPNwhenyouareconnectingto
SPFarmSQLremains"MSSQLSVC/MySQLCluster.vmlab.local:1433".
Verify SQL Server Kerberos configuration

WhenDNSandServicePrincipalNamesareconfigured,youcanrebootthecomputers
thatarerunningSharePointServerandverifythatSharePointServerservicesnow
authenticatewithSQLServerbyusingKerberosauthentication.
Toverifytheclusterconfiguration
1. RebootthecomputersthatarerunningSharePointServerThisactionrestartsall
servicesandforcesthemtoreconnectandreauthenticatebyusingKerberos
authentication.
85
2. OpenSQLServerManagementStudioandrunthefollowingquery:
Select
s.session_id,
s.login_name,
s.host_name,
c.auth_scheme
from
sys.dm_exec_connections c
innerjoin
sys.dm_exec_sessions s
on c.session_id = s.session_id
Thequeryreturnsmetadataabouteachsessionandconnection.Thesessiondata
helpsidentifytheconnectionsource,andthesessioninformationrevealsthe
authenticationschemefortheconnection.
3. VerifythattheSharePointServerservicesareauthenticatingbyusingKerberos
authentication:

4. .IfKerberosauthenticationisconfiguredcorrectly,youseeKerberosinthe
auth_schemecolumnofthequeryresults.
86
Create a test SQL Server database and test table

TotestdelegationacrossthevariousSharePointServerserviceapplicationscoveredin
thescenariosinthisdocument,youhavetoconfigureatestdatasourceforthose
servicestoaccess.Inthefinalstepofthisscenario,youconfigureatestdatabasecalled
"Test"andatesttablecalled"Sales"tobeusedlater.
1. InSQLServerManagementStudio,createanewdatabasecalled"Test".Keepthe
defaultsettingswhencreatingthisdatabase.
2. IntheTestdatabase,createanewtablewiththefollowingschema:
ColumnName DataType AllowNulls
Region nvarchar(10) No
Year nvarchar(4) No
Amount money No
RowId int No
3. Savethetablewiththename"Sales".
4. InManagementStudio,populatethetablewithtestdata.Thedataitselfdoesnot
matteranddoesnotaffectthefunctionoflaterscenarios.Afewrowsofdatawill
suffice.Intheexampleenvironmentwepopulatedthetablewiththefollowingdata:
87
88
2010)
Kerberos authentication for SQL Server

Analysis Services (SharePoint Server
2010)
Inthisscenarioyoudothefollowingthings:
ConfigureAnalysisServiceinstancesintheSQLServer2008R2clustertouse
Kerberosauthentication
VerifythattheclientcanauthenticatewiththeclusterbyusingKerberos
authentication
EnablingKerberosauthenticationforSQLServerAnalysisServicesissimilartoSQL
Server
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
ConfigureActiveDirectory CreateServicePrincipalNames(SPNs)forthe
AnalysisServicesinstance
VerifySQLKerberos ConnecttotheAnalysisServicesinstanceinExcel
89
Configuration 2010

ForSQLServerAnalysisServicestoauthenticateclientsbyusingKerberos
authentication,youhavetoregisteraserviceprincipalname(SPN)ontheservice
accountthatisrunningSQLServer.TheSPNforadefaultAnalysisServicesinstanceuses
thefollowingformat:
MSOLAPSvc.3/<FQDN>
IfyouareusinganamedinstanceofAnalysisServices,notethatyoucannotspecifya
portafterthecolon.Ifyoudo,itisinterpretedaspartofthehostnameordomainname.
Instead,youmustusetheactualinstancenameforallfunctionalitytoworkcorrectly.
MSOLAPSvc.3/<FQDN>:instanceName
FormoreinformationaboutregisteringSPNsforSQLServer2008,see
http://support.microsoft.com/kb/917409.
ThisscenarioassumesadefaultAnalysisServicesinstance.Wewillconfigurethe
AnalysisServicesSPNontheAnalysisServicesserviceaccount(vmlab\svcSQLAS)with
thefollowingSetSPNcommand:
SetSPNSMSOLAPSvc.3/MySQLCluster.vmlab.localvmlab\svcSQLAS
SQL Server named instances

IfyouuseSQLServernamedinstancesinsteadofthedefaultinstance,youhaveto
registerSPNsspecifictotheSQLServerinstanceandfortheSQLServerbrowserservice.
SeethefollowingarticlesformoreinformationaboutconfiguringKerberos
authenticationfornamedinstances:
Registering a Service Principal Name
90
2010)
An SPN for the SQL Server Browser service is required when you establish a
connection to a named instance of SQL Server 2005 Analysis Services or of SQL
Server 2005
Verify SQL Server Kerberos configuration

OncetheSPNisconfigured,verifytheKerberosconnectiontotheclusterbyusingExcel
2010.
1. OpenExcel2010ontheclientcomputerbyusingadomainaccountthathasaccess
toatleastonedatabaseintheAnalysisServicesinstanceandopenadata
connectiontoyourAnalysisServicesinstancebyselectingtheDatatab,clicking
FromOtherSources,andthenclickingFromAnalysisServices.

2. IntheDataConnectionWizard,typeMySQLClusterintheServernamebox,then
clickNext.IfKerberosauthenticationisworking,thenyoucanseeallthedatabases
thatyoualreadyhavethepermissiontosee.
91
Note:
TousetheAdventureWorks2008R2sampledatabases,downloadfromMicrosoft SQL
Server Community Projects & Samplesandfollowtheinstallationinstructions.
3. Opentheeventvieweronthedatabaseserver(vmsql2k8r201).Youshouldnowbe
abletoseeanauditsuccessinthesecuritylogsimilartotheoneyouseeinthe
verificationstepsforScenario2,Kerberos authentication for SQL OLTP (SharePoint
Server 2010).
92
2010)
93
Identity delegation for SQL Server

Reporting Services (SharePoint Server
2010)
InthisscenarioyouconfigureapairofloadbalancedSQLServerReportingServices
(SSRS)serversinascaledoutconfigurationrunninginSharePointintegratedmode.The
serversareconfiguredtoacceptKerberosauthenticationandtheydelegate
authenticationtoabackendSQLServercluster.
Inthisscenario,theSharePointServerfarmandReportingServicesdatasourceareboth
inthesamedomain;thereforeinthisscenarioweconfigureKerberosconstrained
delegationtoallowidentitydelegationtothebackenddatasource.Ifyouarerequired
toauthenticatewithdatasourcesinotherdomainswithinthesameforest,youhaveto
configurebasic(unconstrained)Kerberosdelegation.RememberthatReportingServices
doesnotleveragetheC2WTSandthereforecanusebasicdelegation.
Note:
Scenario dependencies

(Optional)Scenario3:Kerberos Authentication for SQL Analysis Services
94
ActiveDirectory CreateSSRSserviceaccount
ConfigureKerberosconstraineddelegation
SQLServerReporting InstallandconfigureSSRSinloadbalanced,scaleoutmode
Services
ModifyWeb.Config
ModifyReportingServer.config
ConfigureSharePoint ConfigureReportingServicesintegration
Server
Addareportservertotheintegration
Setserverdefaults
Verifyconfiguration Createadocumentlibraryforreports
ConfiguresitecollectionsettingforReportingServices
CreateandpublishatestreportinSQLServerBusiness
IntelligenceStudio
ViewthetestreportinInternetExplorer
95
Inthisscenario,theInternetInformationServices(IIS)applicationpoolserviceaccounts
areconfiguredtodelegatetotheSQLServerReportingServices(SSRS)service.TheSSRS
serviceaccountisconfiguredtodelegatecredentialstotheSQLServerservice.Note
thatSQLServerReportingServicesinSharePointintegratedmodedoesnotleverage
intrafarmClaimsauthenticationandrequiresKerberosauthenticationfordelegated
authentication.Formoreinformation,seeClaims Authentication and Reporting
Services.
Cross-domain Kerberos delegation

Inthisexample,thedatasourcethatSSRSconnectstoresidesinthesamedomainas
theSSRSservers.Insomesituationsyoumaywanttoaccessdatasourcesoutsideofthe
domainthatSSRSresidesin.Toauthenticatewithdelegationcrossdomain,youhaveto
configurebasic(unconstrained)delegationontheSSRSserviceaccount.Rememberthat
thisispossiblebecausetheSSRSservicedoesnotrelyontheClaimstoWindowsToken
Service(C2WTS),thereforedoesnotrequireprotocoltransitionthroughKerberos
constraineddelegation.Alsonotethatcrossforestdelegationisnotpossible,evenwith
basicdelegation.
96

Configure DNS
ConfigureDNSfortheSSRSNLBservergroupinyourenvironment.Inthisexamplewe
havetwoSSRSservers,VMSSRS01andVMSSRS02,whichareloadbalancedandresolve
tothesameNLBVIP(192.168.24.180/24).TheVIPwillbemappedtothehost
FarmReportsandwillhavetheURLhttp://FarmReports.
ConfigureanewDNSARecordfortheSSRShost.Inthisexamplewehaveahost
FarmReportsconfiguredtoresolvetotheloadbalancedVIP.
Active Directory directory service
Create SSRS service account

Asabestpractice,SQLServerReportingServicesshouldrununderitsowndomain
identity.Inthisexample,thefollowingaccountswerecreated:
Service ServiceIdentity
SQLServerReportingServices vmlab\svcSQLRS
97
Configure Service Principal Names

ForSSRStoconnectandauthenticatewithexternaldatasourcesusingKerberos
authentication,theReportServerWebServiceandReportManagerserviceaccounts
andtheserviceaccountfortheexternaldatasourcemusthaveserviceprincipalnames
configured.Refertoscenarios1and2(Core configurationandKerberos authentication
for SQL OLTP)inthisseriesofarticlestoconfigureandvalidatethenecessarySPNSon
theSharePointServerwebapplicationsandSQLServerserviceaccounts.FortheSSRS
servers,thefollowingSPNsweredefined:
DNSHost IISAppPoolIdentity ServicePrincipalNames
FarmReports.vmlab.local vmlab\svcSQLRS HTTP/FarmReports
HTTP/FarmReports.vmlab.local
Inthisexamplethefollowingcommandswereexecuted:
SetSPNSHTTP/FarmReportsvmlab\svcSQLRS
SetSPNSHTTP/FarmReports.vmlab.localvmlab\svcSQLRS
Configure delegation
KerberosdelegationmustbeconfiguredforSSRStodelegatetheclient'sidentityto
backenddatasource.Inthisexample,SSRSqueriesdatafromaSQLServer
transactionaldatabasebyusingtheclient'sidentity,thereforeKerberosdelegationis
required.Kerberosconstraineddelegation(KCD)isnotarequirementinthisscenario
(becauseprotocoltransitionisnotneeded),butKCDisconfiguredasabestpractice.
TheSSRSserviceaccountthatisrunningtheSSRSservicesmustbetrustedtodelegate
credentialstoeachbackendservice.Inourexample,thefollowingdelegationpathsare
needed:
Principaltype Principalname Delegatestoservice
98
User Vmlab\svcPortal10App HTTP/FarmReports
HTTP/FarmReports.vmlab.local
User Vmlab\svcSQLRS MSSQLSVC/MySqlCluster.vmlab.local:1433
Optionally,ifyouwishtoreportagainstAnalysisServicesdatasources,configurethe
followingdelegationpaths:
User Vmlab\svcSQLRS MSOLAPSvc.3/MySqlCluster.vmlab.local
Toconfigureconstraineddelegation
1. OpentheActiveDirectoryObject'spropertiesinActiveDirectoryUsersand
Computers.
2. NavigatetotheDelegationtab.
99

3. SelectTrustthisuserfordelegationtospecifiedservicesonly.
Note:
FortheSSRSserviceaccount,ifyouneedtoauthenticatewithdatasourceswithinthe
sameforestbutoutsideofthedomainthattheSSRSserverresidesin,configurebasic
delegationinsteadofconstraineddelegation.YoucandothisbyselectingTrustthis
computerfordelegationtoanyservice.RememberthatcrossforestKerberos
delegationisnotpossible.
4. OptionallyselectUseanyauthenticationprotocol.Thisenablesprotocoltransition.
5. ClicktheAddbuttontoselecttheserviceprincipalthatcanbedelegateto.
100

6. SelectUserandComputers.

7. Selecttheserviceaccountthatisrunningtheserviceyouwanttodelegateto.Inthis
example,itistheserviceaccountfortheSQLServerReportingService.
101
Note:
TheserviceaccountselectedmusthaveanSPNappliedtoit.Inourexample,theSPNfor
thisaccount(HTTP/FarmReports.vmlab.local)wasconfiguredearlierinthescenario.
8. ClickOK.YouarethenaskedtoselecttheSPNsyouwanttodelegatetoonthe
followingpage.

9. SelecttheserviceorSelectAllandclickOK.
YoushouldnowseetheselectedSPNsintheservicestowhichthisaccountcan
presentdelegatedcredentialslist:
102

10. Repeatthesestepsforeachdelegationpathidentifiedearlierinthissection.You
havetoconfiguredelegationfromtheSQLServerReportingServicesserviceaccount
tooneormorebackenddatasources(SQLOLTPorSQLASinourscenarios).
103
Note:
FortheSSRSserviceaccount,ifyouneedtoauthenticatewithdatasourceswithinthe
sameforestbutoutsideofthedomaintheSSRSserverresidesin,configurebasic
delegationinsteadofconstraineddelegation.Todoso,selectTrustthiscomputerfor
delegationtoanyservice.RememberthatcrossforestKerberosdelegationisnot
possible.
Verify MSSQLSVC SPN for the service account running the service
on SQL Server (performed in Scenario 2)
VerifythattheSPNfortheAnalysisServicesserviceaccount(vmlab\svcSQL)existsby
usingthefollowingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433
Verify MSOLAPSvc.3 SPN for the Service Account running the SSAS
service on the SQL Server Analysis Services server (performed in
Scenario 3)
VerifythattheSPNfortheSQLServerserviceaccount(vmlab\svcSQLAS)existsbyusing
SetSPNLvmlab\svcSQLAS
MSOLAPSvc.3/MySqlCluster
MSOLAPSvc.3/MySqlCluster.vmlab.local
104
SQL Server Reporting Services
Install SharePoint Server 2010

SQLServerReportingServicesrequiresSharePointServer2010tobeinstalledoneach
SSRSservertorunSSRSinSharePointintegratedmode.InstallSharePointServer2010
oneachreportingserverandjoineachservertotheSharePointServerfarm.
Install and configure SSRS in load-balanced, scaled out mode

DetailedstepbystepinstructionsonhowtoconfigureSQLServerReportingServicesin
aloadbalanced,scaledoutconfigurationisbeyondthescopeofthisdocument.For
detailedinstructionsonhowtoinstallSSRS,seeDeployment Topologies for Reporting
Services in SharePoint Integrated Mode.OnceSSRSisinstalled,besuretocompletethe
additionalSSRSconfigurationstepsoutlinedbelowtocompletetheinstall.
Modify Web.config on the SSRS Servers

Thefollowingchangeshavetobemadetotheweb.configfilesoneachSSRSserver.The
web.configfilecanbefoundintheProgramFilesdirectorywhereSSRSisinstalled:
Addthe<machineKey>element
SSRSserversinaloadbalancedconfigurationneedthesamemachinekeysetacrossall
servers.Themachinekeyelementshouldbeaddedasachildofthe<system.web>
elementinweb.config.Belowisanexamplemachinekey:
<machineKey
validationKey="54AEBD3BC893726E9B84D30F4970CB58F2086C2DAEE2F8D34A65A0632F4676DDB
BC38779F2972C6596931E13BD07A772BD4B9395BE38A43E461079E45D594E53"
decryptionKey=""validation="SHA1"decryption="AES"/>
105
Important:
DONOTUSETHESAMPLEMACHINEKEYINOURENVIRONMENT.Generateyourown
keyvaluesforyourenvironment.
Modify ReportingServer.config
ThefollowingchangeshavetobemadetotheReportingServer.configfilesoneachSSRS
server.TheReportingServer.configfilecanbefoundintheprogramfilesdirectory
whereSSRSisinstalled:
EnableKerberosauthentication
ToenableKerberosauthentication,settheauthenticationtypeto
"RSWindowsNegotiate".Changethe<AuthenticationTypes/>
elementandadd<RSWindowsNegotiate/>
<AuthenticationTypes><RSWindowsNegotiate/></AuthenticationTypes>
ModifytheURLroot
AddtheURLforthereportservertothe<UrlRoot>tagfoundinthe<service>tagof
ReportingServer.Config
<UrlRoot>http://FarmReports/reportserver</UrlRoot>
Configure BackConnectionHostNames in the registry

ToallowSQLServerReportingServicestoauthenticatewitheachotheronasingle
computer,NTLMloopbackdetectionneedstobeaddressed.Insteadofdisabling
loopbackdetection,abetterpracticeistoconfiguretheBackConnectionHostNames
valueintheregistryofeachSSRSserver.Formoreinformationabout
106
BackConnectionHostNames,seeYou receive an error message when you use SQL

Server 2008 Reporting Services.
Inourexample,weconfigurethefollowingvaluesforBackConnectionHostNames:
FarmReports
FarmReports.vmlab.local
OncetheBackConnectionHostNamesvaluesareset,reboottheSSRSserver.
Configure SharePoint Server

InCentralAdministration,youfindthefarmconfigurationoptionsforSSRS.Notethatin
SharePointServer2010youdonotneedtoinstallaseparateSSRScomponent
installationforSSRSadministrationandWebParts.ToaccesstheSSRSfarmoptions,
navigatetoCentralAdministrationandthenseeReportingServicesintheGeneral
ApplicationSettingssection.

107
Grant the Reporting Services service account permissions on the

web application content database
ArequiredstepinconfiguringSQLServerReportingServicesinSharePointintegrated
modeisallowingtheReportingServicesserviceaccountaccesstothecontentdatabases
forwebapplicationshostingreports.Inthisexample,wegranttheReportingServices
accountaccesstothe"portal"webapplication'scontentdatabasethroughWindows
PowerShell.
RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal
$w.GrantAccessToProcessIdentity("vmlab\svcSQLRS")
Configure Reporting Services Integration

IntheReportingServiceIntegrationdialogbox,specifytheloadbalancedURLofthe
reportserver.Also,selecttheActivatefeatureinallexitingcollectionsoptionto
automaticallyactivatetheReportingServicesfeatureinyoursitecollections.
108
Add each report server to the integration

IntheAddareportservertotheintegrationdialogbox,specifyeachofthenodesof
theReportingServicesNLBgroup.Youhavetoopenthisdialogboxforeachserverthat
youareaddingtotheintegration;thereisnowaytoaddmultipleserversinasingle
operation.
Set server defaults

AtthispointSSRSintegrationshouldbeconfigured.Tovalidatetheconfiguration,open
theServerDefaultspage.Nochangesarerequiredfortheexampleinthisdocument.
109
Verify configuration
Create a document library for reports

CreateadocumentlibrarytohostSSRSreportsinyourSharePointsite.Inthisexample,
weassumetheexistenceofadocumentlibrarycalled"reports"athttp://portal/reports.
110
Validate site collection settings for Reporting Services

Inthebrowser,navigatetotheSiteSettingsofthesitethatishostingthedocument
libraryforSSRSreports.InSiteSettingsyoushouldseeanewcategorycalledReporting
Services.
IfyoudonotseetheReportingServicesfeatureinthesitecollectionsfeatureslist,you
mayneedtoactivateitfromCentralAdministration.Formoreinformation,seeHow to:
Activate the Report Server Feature in SharePoint Central Administration
(http://go.microsoft.com/fwlink/?LinkId=196878).
ClicktheReportingServicessitesettingslinktoensurethesettingsareaccessible.
111
Note:
NochangestoReportingServicesSiteSettingsarerequiredforthisdemonstration.
Create and publish a test report in SQL Server Business Intelligence

Development Studio
AfteryouconfigureSSRSandtheintegrationwithSharePointServer,youcreateatest
reporttoensureidentitydelegationisworkingcorrectly.
1. OpenSQLServerBusinessIntelligenceDevelopmentStudio.ClickFile,pointtoNew,
andthenclickProject.

2. SelectReportServerProjectWizardandenteraprojectname.
112

3. Nextconfigureanewdatasource.ChoosethetypeMicrosoftSQLServerandclick
theEditbutton.
113

4. InConnectionPropertiesentertheinformationtoconnecttothedemoSQLServer
clustercreatedinscenario2.
114

5. Openquerydesigner,rightclickthequerywindowandselectAddtable.
115

6. ChoosetheSalestable(createdinscenario2)andselectAllColumns.
116

7. Selectatabularreporttype.
117

8. Inourexamplewegroupbyregion;youcanskipthisstepifyouwantto.
9. Oncetheprojectiscreated,opentheprojectpropertiesontheProjectmenu.
118

10. Configurethefollowingprojectproperties:
a) TargetDatasetFolderSetittothetestreportfoldercreatedearlier
b) TargetDatasetFolderSetittothetestreportfoldercreatedearlier
c) TargetReportFolderSetittothetestreportfoldercreatedearlier
d) TargetReportPartFolderSetittothetestreportfoldercreatedearlier
e) TargetServerURLSettothewebapplicationURLthatishostingthereport
119

11. DeploythereporttotheSharePointlibrary.OnthebuildmenuselectDeploy
<projectname>.

12. Ifitissuccessful,youwillseethedeploymentsucceededmessageintheOutput
window.
120
View the test report in Internet Explorer

Openthereportdocumentlibrarycreatedinpreviousstepsofthisscenariointhe
browser.Youshouldseethereportfileyoujustpublished.Ifyoudonotseethereport,
youmayneedtoactivatetheReportingServicesfeaturesinyoursitecollection.For
moreinformation,seeHow to: Activate the Report Server Feature in SharePoint Central
Administration(http://go.microsoft.com/fwlink/?LinkID=196878).
Clickthereportanditwillrenderinthebrowser.
121
Tofurtherverifydelegationandthedataconnection,changedthesourcedatainSQL
ServerManagementStudioandrefreshtheSSRSreportdataconnectioninthebrowser.
Youshouldseethedatachangesreflectedinthereport.
SSL configuration for Reporting Services

Insomeenvironmentsitmayberequiredtoprotectcommunicationsbetweenfront
endWebandSSRSserverswithSSL.AdetailedwalkthroughofhowtoconfigureSSLfor
ReportingServicesisoutofscopeforthispaper,butatahighlevelthesearethesteps
youhavetotake:
1. ConfigureeachreportingserverforSSL.SeeConfiguring a Report Server for Secure

Sockets Layer (SSL) Connections(http://go.microsoft.com/fwlink/?LinkId=196881).
2. UpdateReportingServer.config.Changethe<UrlRoot>tothenewhttps://URL.
3. RestarttheSQLServerReportingServicesservice.
4. InCentralAdministration,changetheReportingServicesintegrationsettingsand
changetheReportServerWebServiceURLtothenewhttps://URL.
5. RestartIISoneachinstanceofSharePointServerthatisrunningthewebapplication
service.
122
YoudonotneedtochangeanyoftheSPNscreatedwhenconfiguringReportingServices
withHTTPintheprevioussteps.TheSPNforanHTTPserviceoverSSLremains
HTTP/<service>.YoucanseethisbyusingNetMontoviewthefrontendwebserverthat
iscommunicatingwiththeReportingServicesServer.
NoticetheticketgrantingservicerequesthighlightedandtheSnamerequested.The
reportingserverservicewasaccessedusinghttps://andtheSNameintheticketrequest
remainedHTTP/asexpected.ToensuretheWFEwasactuallyusingSSLtocommunicate
withthereportingserver,additionaltrafficwascapturedandanalyzed:
NoticethatallrequestsfromtheWFEtothereportingserverareprotectedoverSSL.
ThisconfirmsSSLwasusedforcommunicationsbetweenthewebfrontendsandthe
reportingserver.
123
Identity delegation for Excel Services

InthisscenarioyouaddtheExcelServicesserviceapplicationtotheSharePointServer
environmentandconfigureKerberosconstraineddelegationtoallowtheserviceto
refreshdatainaworksheetfromanexternalSQLServerdatasource.
Note:
Tocompletethisscenarioyouneedtohavecompletedthefollowingarticles:
ActiveDirectory CreateExcelServicesserviceaccount
Configuration
ConfigureSPNonExcelServicesserviceaccount
124
Identity delegation for Excel Services (SharePoint Server 2010)
ConfigureKerberosconstraineddelegationforserversrunning
ExcelServices
ConfigureKerberosconstraineddelegationfortheExcelServices
serviceaccount
SharePointServer StartClaimstoWindowsTokenServiceonExcelServicesServers
configuration
StarttheExcelServicesserviceinstanceontheExcelServices
server
CreatetheExcelServicesserviceapplicationandproxy
ConfigureExcelservicestrustedfilelocationandauthentication
settings
VerifyExcelService Createdocumentlibrarytohosttestworkbook
Constrained
Delegation CreatetestSQLdatabaseandtesttable
CreatetestExcelworkbookwithSQLdataconnection
PublishworkbooktoSharePointServerandrefreshdata
connection
125
Kerberos constrained delegation paths
InthisscenariowewillconfiguretheSharePointServerExcelServicesserviceaccount
forKerberosconstraineddelegationtotheSQLServerservice.
126
Note:
InthisscenariowewillconfiguretheClaimstoWindowsTokenServices(C2WTS)touse
adedicatedserviceaccount.IfyouleavetheC2WTSconfiguredtouseLocalSystemyou
willneedtoconfiguredconstraineddelegationonthecomputeraccountforthe
computerrunningtheC2WTSandExcelServices.
SharePoint Server logical authentication

AuthenticationinthisscenariobeginswiththeclientauthenticatingwithKerberos
authenticationatthewebfrontend.SharePointServer2010willconverttheWindows
authenticationtokenintoaclaimstokenusingthelocalSecurityTokenService(STS).
Theexcelserviceapplicationwillaccepttheclaimstokenandconvertitintoawindows
token(Kerberos)usingthelocalClaimstoWindowsTokenService(C2WTS)thatisapart
ofWindowsIdentityFramework(WIF).Theexcelserviceapplicationwillthenusethe
clientsKerberostickettoauthenticatewiththebackendDataSource.

Active Directory configuration
Create Excel Services service account

AsabestpracticeExcelServicesshouldrununderitsowndomainidentity.Toconfigure
theExcelServiceApplicationanActiveDirectoryaccountsmustbecreated.Inthis
examplethefollowingaccountswerecreated:
127
SharePointServerService IISAppPoolIdentity
ExcelServices vmlab\svcExcel
Configure SPN on the Excel Services service account

KerberosconstraineddelegationmustbeconfiguredifExcelServicesisgoingto
delegatetheclientsidentitytoabackenddatasource.InthisexampleExcelservices
willquerydatafromaSQLtransactionaldatabase,thereforeKerberosdelegationis
required.
TheActiveDirectoryUsersandComputersMMCsnapinistypicallyusedtoconfigure
Kerberosdelegation.Toconfigurethedelegationsettingswithinthesnapin,theActive
Directoryobjectbeingconfiguredmusthaveaserviceprincipalnameapplied;otherwise
thedelegationtabfortheobjectwillnotbevisibleintheobjectspropertiesdialog.
AlthoughExcelServicesdoesnotrequireaSPNtofunction,wewillconfigureonefor
thispurpose.
Onthecommandline,runthefollowingcommand:
SETSPNSSP/ExcelServices
Note:
TheSPNisnotavalidSPN.Itisappliedtothespecifiedserviceaccounttorevealthe
delegationoptionsintheADusersandcomputersaddin.Thereareothersupported
waysofspecifyingthedelegationsettings(specificallythemsDSAllowedToDelegateTo
ADattribute)butthistopicwillnotbecoveredinthisdocument.
Configure Kerberos constrained delegation for Excel Services

ToallowexcelservicestodelegatetheclientsidentityKerberosconstraineddelegation
mustbeconfigured.Itisrequiredtoconfigureconstraineddelegationwithprotocol
transitionfortheconversionofclaimstokentowindowstokenviatheWIFC2WTS.
128
Eachserverrunningexcelservicesmustbetrustedtodelegatecredentialstoeachback
endserviceexcelwillauthenticatewith.Inadditional,theexcelservicesserviceaccount
mustalsobeconfiguredtoallowdelegationtothesamebackendservices.
Inourexamplethefollowingdelegationpathsaredefined:
User svcExcel MSSQLSVC/MySqlCluster.vmlab.local:1433
*User svcC2WTS MSSQLSVC/MySqlCluster.vmlab.local:1433
**Computer VMSP10APP01 MSSQLSVC/MySqlCluster.vmlab.local:1433
*Configuredlaterinthisscenario
**OnlyrequirediftheC2WTSisrunningaslocalsystem
1. OpentheActiveDirectoryObjectspropertiesinActiveDirectoryUsersand
Computers.
129

4. SelectUseanyauthenticationprotocol.Thisenablesprotocoltransitionandis
requiredfortheserviceaccounttousetheC2WTS.
5. Clicktheaddbuttontoselecttheserviceprincipalallowedtodelegateto.
130


7. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto.Inthis
exampleitistheserviceaccountfortheSQLservice.
131
Note:
TheserviceaccountselectedmusthaveaSPNappliedtoit.InourexampletheSPNfor
thisaccountwasconfiguredinapreviousscenario.
8. ClickOK.YouwillthenbeaskedtoselecttheSPNsyouwouldliketodelegatetoin
thefollowingwindow.

9. SelecttheservicesfortheSQLclusterandclickOK.
10. YoushouldnowseetheselectedSPNSintheservicestowhichthisaccountcan
presenteddelegatedcredentialslist.
132

11. Repeatthesestepsforeachdelegationpathdefinedinthebeginningofthissection.
Verify MSSQLSVC SPN for the Service Account running the service
on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe
followingSetSPNcommand:
SetSPNLvmlab\svcSQL
133
SharePoint Server configuration
Configure and Start the Claims to Windows Token Service on Excel

Services Servers
TheClaimstoWindowsTokenService(C2WTS)isacomponentoftheWindowsIdentity
Foundation(WIF)whichisresponsibleforconvertinguserclaimtokenstowindows
tokens.ExcelservicesusestheC2WTStoconverttheusersclaimstokenintoawindows
tokenwhentheservicesneedstodelegatecredentialstoabackendsystemwhichuses
IntegratedWindowsauthentication.WIFisdeployedwithSharePointServer2010and
theC2WTScanbestartedfromCentralAdministration.
EachExcelServicesApplicationservermustruntheC2WTSlocally.TheC2WTSdoesnot
openanyportsandcannotbeaccessedbyaremotecaller.Further,theC2WTSservice
configurationfilemustbeconfiguredtospecificallytrustthelocalcallingclientidentity.
AsabestpracticeyoushouldruntheC2WTSusingadedicatedserviceaccountandnot
asLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccountrequiresspecial
localpermissionsoneachservertheservicerunsonsobesuretoconfigurethese
permissionseachtimetheserviceisstartedonaserver.Optimallyyoushouldconfigure
theserviceaccountspermissionsonthelocalserverbeforestartingtheC2WTS,butif
doneafterthefactyoucanrestarttheC2WTSfromtheWindowsservicesmanagement
console(services.msc).
TostarttheC2WTS
1. CreateaserviceaccountinActiveDirectorytoruntheserviceunder.Inthisexample
wecreatedvmlab\svcC2WTS.
2. AddanarbitraryServicePrincipalName(SPN)totheserviceaccounttoexposethe
delegationoptionsforthisaccountinActiveDirectoryUsersandComputers.The
SPNcanbeanyformatbecausewedonotauthenticatetotheC2WTSusing
Kerberosauthentication.ItisrecommendedtonotuseanHTTPSPNtoavoid
potentiallycreatingduplicateSPNsinyourenvironment.Inourexamplewe
registeredSP/C2WTStothevmlab\svcC2WTSusingthefollowingcommand:
SetSPNSSP/C2WTSvmlab\svcC2WTS
3. ConfigureKerberosconstraineddelegationontheC2WTSservicesaccount.Inthis
scenariowewilldelegatecredentialstotheSQLservicerunningwiththe
MSSQLSVC/MySqlCluster.vmlab.local:1433serviceprincipalname.
134

4. Next,configuretherequiredlocalserverpermissionsthattheC2WTSrequires.You
willneedtoconfigurethesepermissionsoneachservertheC2WTSrunson.Inour
examplethisisVMSP10APP01.LogontotheserverandgivetheC2WTSthe
followingpermissions:
a) AddtheserviceaccounttothelocalAdministratorsGroups.
b) Inlocalsecuritypolicy(secpol.msc)underuserrightsassignmentgivethe
serviceaccountthefollowingpermissions:
i. Actaspartoftheoperatingsystem
ii. Impersonateaclientafterauthentication
iii. Logonasaservice
135
5. OpenCentralAdministration.
6. UnderSecurity>ConfigureManagedServiceAccounts,RegistertheC2WTSservice
accountasamanagedaccount.

7. Underservices,selectManageservicesonserver.

8. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s)
runningexcelservices.InthisexampleitisVMSP10APP01:

9. FindtheClaimstoWindowsTokenServiceandstartit:

10. GotoSecurity>ManageServiceAccounts.ChangetheidentityoftheC2WTSto
thenewmanagedacount.
136
Note:
IftheC2WTSwasalreadyrunningbeforeconfiguringthededicatedserviceaccount,orif
youneedtochangesthepermissionsoftheserviceaccountaftertheC2WTSisrunning
youmustrestarttheC2WTSfromtheservicesconsole.
Inaddition,ifyouexperienceissueswiththeC2WTSafterrestartingtheserviceitmay
alsoberequiredtoresettheIISapplicationpoolsthatcommunicatewiththeC2WTS.
Add Startup dependencies the WIF C2WTS service

ThereisaknownissuewiththeC2WTSwhereitmaynotautomaticallystartup
successfullyonsystemreboot.Aworkaroundtotheissueistoconfigureaservice
dependencyontheCryptographicServicesservice:

alsoberequiredtoresettheIISapplicationpoolsthatcommunicatewiththeC2WTS.
1. OpentheCommandPromptwindow.
2. Type:scconfig"c2wts"depend=CryptSvc
137

3. FindtheClaimstoWindowsTokenServiceintheservicesconsole.
4. Openthepropertiesfortheservice.

5. ChecktheDependenciestab.MakesureCryptographicServicesislisted.

6. ClickOK.
138
Grant the Excel Services service account permissions on the web

application content database
ArequiredstepinconfiguringSharePointServer2010OfficeWebApplicationsis
allowingthewebapplicationsserviceaccountaccesstothecontentdatabasesfora
givenwebapplication.Inthisexample,wewillgranttheExcelServicesserviceaccount
accesstotheportalwebapplicationscontentdatabasebyusingWindows
PowerShell.
$w.GrantAccessToProcessIdentity("vmlab\svcExcel")
Start the Excel Services service instance on the Excel Services

server
BeforecreatinganExcelServicesserviceapplication,starttheexcelservicesserve
serviceonthedesignatedFarmservers.

runningexcelservices.InthisexampleitisVMSP10APP01.
4. StarttheExcelCalculationServicesservice.
139
Create the Excel Services service application and proxy

NextconfigureanewExcelServicesserviceapplicationandapplicationproxytoallow
webapplicationstoconsumeExcelServices:
2. SelectManageServiceApplicationsunderApplicationManagement.

3. SelectNew,andthenclickExcelServicesApplication.

4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount
(createanewmanagedaccountiftheexcelserviceaccountisnotinthelist).
140
Configure Excel services trusted file location and authentication

settings
OncetheExcelServicesapplicationiscreated,configurethepropertiesonthenew
serviceapplicationtospecifyatrustedhostlocationandauthenticationsettings.
141

3. ClickthelinkforthenewServiceApplication,ExcelServicesinthisexample.

4. IntheExcelServicesmanagementpage,click"TrustedFileLocations".

5. Addanewtrustedfilelocation.
142

6. Specifythelocationtoyourtestlibrary.
Note:
Inourexample,wetrusttherootwebapplicationURLandallchildren.Inaproduction
environmentyoumaychoosetoconstrainthetrusttoamoregranularlocation.
7. InExternalDataSelecttrusteddataconnectionlibrariesandembedded.
143
Note:
ThisexamplewilluseanembeddedconnectiontoconnecttoSQLServer.Inyour
environmentyoumaychoosetocreateaseparateconnectionfileandstoreitina
trusteddataconnectionlibrary.InthatcaseyoumightselectTrusteddataconnection
librariesonly.
8. ChangetheExternalDataCacheAgeFortestingpurposes,itisconvenientto
changetheexternaldatacachelifetimetoensuredatarefreshesarecomingfrom
thedatasourceandnotthecache.UnderExternalData,changethefollowing
settings:
Automaticrefresh(periodic/onopen)=0
Manualrefresh=0
Note:
Inaproductionenvironmentyouwillwanttoconfigureacachesettinghigherthan0.
Settingthecacheto0isfortestingpurposesonly.
Verify Excel Services constrained delegation
Create document library to host the test workbook

Openasiteinthetrustedpaththatwasconfiguredinthepreviousstep.Createanew
documentlibrarytohostatestExcelworkbook.
144
Create test Excel workbook with SQL data connection

NextcreateanExcelworkbookwithadataconnectiontothenewtestdatabase:
1. OpenExcel.
2. OntheDatatab,selectFromothersources>FromSQLServer.

3. ConnecttothetestSQLdatasource.
145

4. Selectthetestdatabaseandthetesttable(Salesinourexample).

5. ClickNext.Clicktheauthenticationsettingsbutton.EnsureWindowsAuthentication
isspecified.
146

6. ClickFinish.
7. SelectPivotTableReport.

8. Configurethepivottable.EnsuredataisreturnedfromtheSQLsource.
147
Publish workbook to SharePoint Server and refresh data connection

ThelaststeptovalidatetheExcelServicesapplicationistopublishtheworkbookand
testrefreshingtheembeddedSQLconnection.
1. ClicktheFiletab.
2. ClickSaveandSend,thenclickSavetoSharePoint,andthenclickBrowsefora
location.
148
3. Enterthelocationtothetrustedlibrarycreatedinprevioussteps.

4. EnsureOpenwithExcelinthebrowserisselected.
Anewbrowserwindowwillopenatthispointwithyourtestworkbookdisplayed.
Oncetheworkbookrenders,refreshthedataconnectionbyclickingDataandthen
clickingRefreshAllConnections.
149
IfthedataconnectionrefreshesyouhavesuccessfullyconfiguredKerberosdelegation
forexcelservices.Tofurthertestconnectivity,changethesourcedataviaSQL
ManagementStudiothenrefreshtheconnection.Youshouldseethenewlychanged
datainyourworkbook.Ifyoudonotseeanychanges,andyoudonotreceiveanyerrors
onrefreshyouaremostlikelyseeingcacheddata.Bydefault,ExcelServiceswillcache
datafromexternalsourcesforfiveminutes.Youcanchangethiscachesetting;see
Configure Excel services trusted file location and authentication settingsinthisarticlefor
moreinformation.
150
Identity delegation for PowerPivot for

SharePoint 2010 (SharePoint Server
2010)
ThefarmtopologydescribedinEnvironment and farm topologydoesnotrequire

KerberosauthenticationforPowerPivotforMicrosoftSharePoint2010towork.The
PowerPivotSystemServiceisclaimsaware,andusestheClaimsToWindowsToken
Service(C2WTS)torecreatetheclientsWindowsidentityusingtheclientsclaimstoken
inordertoconnectwiththeAnalysisServiceVertipaqenginethatrunsonthe
applicationserver.
WhenaPowerPivotworkbookisuploadedinSharePointServer,italreadycontainsthe
PowerPivotdatathattheworkbookuses.WhentheuseropensthePowerPivot
workbookinExcelWebAccessandinteractswiththeslicers,thePowerPivotSystem
ServiceloadsthedataintheworkbookdirectlyintoitsAnalysisServicesengine.No
accessismadetothedataconnectionembeddedintheworkbook.

WhenadatarefreshjobforaPowerPivotworkbookstartsexecuting,thePowerPivot
SystemServiceperformsaWindowsloginusingthecredentialsstoredintheSharePoint
ServerSecureStoreService.SincetheWindowsidentityiscreatedontheapplication
server,theconnectionfromthePowerPivotAnalysisServicesVertipaqengine(onthe
samecomputer,VMSP10APP01)toMySQLClusteristhefirstNTLMhop.
151
Note:
Scenarios requiring Kerberos authentication

Asyoucanseefromthediscussionabove,mostcommonsituationswithPowerPivotdo
notrequireKerberosauthentication.However,therearesomeunusualedgecases
whereKerberosauthenticationwouldberequired.Forexample,ifyourPowerPivot
workbookcontainsadataconnectiontoaSQLServerinstancethatislinkedtoyet
anotherSQLServerinstanceonaseparatecomputer,youwillneedtoconfigure
Kerberosauthenticationwithidentitydelegationfordatarefreshtowork.Forexample,
ifMySQLClusterislinkedtoanotherremoteSQLServerinstance,thenthelinkfrom
MySQLClustertothelinkedremoteserveristhesecondhop.Inthiscase,NTLMisno
longeradequate.YoumustconfigureKerberosdelegationforthedatarefreshto
processsuccessfully.
152

Whiletheyareoutsidethescopeofthescenariosdefinedinthispaper,themajorsteps
toconfigureidentitydelegationforPowerPivotareasfollows:
1. ChangetheserviceaccountoftheC2WTSWindowsservicetoadomainaccount
(e.g.VMLAB\svcC2WTS).ConfiguringtheC2WTSisalargetopicandiscoveredin
detailintheotherscenariosinthisdocument:
ConfigureandStarttheClaimstoWindowsTokenServiceonExcelServices
Servers
ConfigureandStarttheClaimstoWindowsTokenServiceonVisioGraphics
Servers
ConfigureandStarttheClaimstoWindowsTokenServiceonPerformancePoint
ServicesServers
2. ConfiguredelegationfromtheVMLAB\svcSQLaccounttotheSPNforthelinkedSQL
ServerinstanceConfigurationChecklist.
PowerPivotinstallation InstallSQLServerPowerPivotforSharePointonthe
applicationserver
Strictlyspeaking,thefollowingKerberosauthenticationscenariosarenotrequiredby
PowerPivotforSharePoint.HoweveritexpeditesyourPowerPivotforSharePoint
153
installationprocessifyousuccessfullycompletedthem,asthecomponentsthemselves
areprerequisitesforPowerPivotforSharePoint.

(Optional)Scenario3:Kerberos Authentication for SQL Analysis Services
Scenario5:Identity Delegation for Excel Services
Configuration instructions
InstallPowerPivotforSharePointontheapplicationserver(vmsp10app01).Fordetailed
instructions,seeHow to: Install PowerPivot for SharePoint in a Three-tier SharePoint
FarmintheMSDNLibraryonline.Ifyouhavealreadyperformedthedependent
scenariosinthispaper,youcanskipthesectionsintheMSDNarticlethathavealready
beencoveredbythescenariodependencies.
Important:
TheapplicationpoolfortheSQLServerPowerPivotServiceApplicationmustberun
usingthedomainaccountoftheSharePointServerfarmadministrator.Innootheruser
contextcanthePowerPivotSystemServiceretrievetheunattendedaccountcredentials
fromtheSecureStoreService.
154
Identity delegation for Visio Services (SharePoint Server 2010)
Identity delegation for Visio Services

Inthisscenario,youaddaVisioServicesserviceapplicationtotheSharePointServer
environmentandconfigureKerberosconstraineddelegationtoallowtheserviceto
refreshdatafromanexternalSQLServerdatasourceinaVisiowebdrawing.
Note:
Scenariodependencies
Tocompletethisscenarioyouwillneedtohavecompleted:
Scenario2:Kerberos authentication for SQL OLTP
Configurationchecklist
ActiveDirectory CreateVisioServicesserviceaccount
Configuration
ConfigureSPNonVisioServicesserviceaccount
155
ConfigureKerberosconstraineddelegationforservers
runningVisioServices
ConfigureKerberosconstraineddelegationfortheVisio
Servicesserviceaccount
SharePointServer StartClaimstoWindowsTokenServiceonVisioServices
configuration Servers
GranttheVisioServicesserviceaccountpermissionsonthe
webapplicationcontentdatabase
StarttheVisioServicesserviceinstanceontheVisioServices
server
CreatetheVisioServicesserviceapplicationandproxy
VerifyVisioServices ConfiguretheVisioservicescachesettings
ConstrainedDelegation
CreatedocumentlibrarytohosttestVisioDiagram
CreateatestVisiowebdrawingwithSQLServerdata
connectedshapes
PublishtheVisiodrawingtoSharePointServerandrefresh
dataconnection
156

Kerberosdelegation SQLDatabaseEngineIdentity
Vmlab\svcSQL
VisioServicesIdentity SPN:MSSQLSVC/MySqlCluster.vmlab.local:1433
Vmlab\svcVisio SQL
Visio
SPN:SP/Visio
c2WTS vmSQL2k8r201
DefaultInstance
Port:1433
AppServer
VMSP10APP01
vmSQL2k8r202
SQLCluster
DNS(A):
MySQLCluster.vmlab.local
Inthisscenario,wewillconfiguretheSharePointServerVisioservicesapplication
serversandserviceaccountsforKerberosconstraineddelegationtotheSQLServer
service.

TheVisioserviceapplicationwillaccepttheclaimstokenandconvertitintoawindows
token(Kerberos)usingthelocalClaimstoWindowsTokenService(C2WTS)thatisapart
157
ofWindowsIdentityFoundation(WIF).TheVisioserviceapplicationwillthenusethe
clientsKerberostickettoauthenticatewiththebackenddatasource.

Create Visio Services service account

Asabestpractice,VisioServicesshouldrununderitsowndomainidentity.Toconfigure
theExcelServiceApplication,anActiveDirectoryaccountmustbecreated.Inthis
example,thefollowingaccountswerecreated:
SharePointServerservice IISAppPoolIdentity
VisioServices vmlab\svcVisio
Configure SPN on Visio Services service account

KerberosconstraineddelegationmustbeconfiguredifVisioServicesisgoingtodelegate
theclientsWindowsidentitytobackenddatasource.InthisexampleVisioserviceswill
querydatafromaSQLServertransactionaldatabaseastheclientthereforKerberos
delegationisrequired.
AlthoughVisioServicesdoesnotrequireaSPNtofunction,wewillconfigureoneforthis
purpose.
SETSPNSSP/VisioServicessvc\VisioServices
158
Note:
Configure Kerberos constrained delegation for Visio Services

ToallowVisioServicestodelegatetheclientsidentityKerberosconstraineddelegation
mustbeconfigured.Itisrequiredtoconfigureconstraineddelegationwithprotocol
transitionfortheconversionofclaimstokentowindowstokenviatheWIFC2WTS.
EachserverrunningVisioservicesmustbetrustedtodelegatecredentialstoeachback
endserviceVisiowillauthenticatewith.Inadditional,theVisioservicesserviceaccount
mustalsobeconfiguredtoallowdelegationtothesamebackendservices.
User Vmlab\svcVisio MSSQLSVC/MySqlCluster.vmlab.local:1433
*User Vmlab\svcC2WTS MSSQLSVC/MySqlCluster.vmlab.local:1433
**Computer Vmlab\vmsp10app01 MSSQLSVC/MySqlCluster.vmlab.local:1433
*Configuredlaterinthisscenario
**Optional.Constraineddelegationonthecomputeraccountisonlyrequiredwhen
runningtheC2WTSasLocalSystem
Computers.
159

4. SelectUseanyauthenticationprotocol.Thisenablesprotocoltransitionandis
requiredfortheVisioserviceaccounttousetheC2WTS.
5. Clicktheaddbuttontoselecttheserviceprincipalallowedtodelegateto.
160


exampleitistheserviceaccountfortheSQLServerservice.
Note:
theserviceaccountselectedmusthaveaSPNappliedtoit.InourexampletheSPNfor
8. ClickOK.YouwillthenbeaskedtoselecttheSPNsyouwouldliketodelegateto.
161

9. SelecttheservicesfortheSQLServerclusterandclickOK.
162

11. Repeatthesestepsforeachdelegationpath(ComputerandUser)definedinthe
beginningofthissection.
SetSPNLvmlab\svcSQL
163
Configure and Start the Claims to Windows Token Service on Visio

Graphics Servers
Foundation(WIF)whichisresponsibleforconvertinguserclaimtokenstowindows
tokens.TheVisiographicsserviceusestheC2WTStoconverttheusersclaimstoken
intoawindowstokenwhentheservicesneedstodelegatecredentialstoabackend
systemwhichusesWindowsauthentication.WIFisdeployedwithSharePointServer
2010andtheC2WTScanbestartedfromCentralAdministration.
EachVisioGraphicsServiceapplicationservermustruntheC2WTSlocally.TheC2WTS
doesnotopenanyportsandcannotbeaccessedbyaremotecaller.Further,theC2WTS
serviceconfigurationfilemustbeconfiguredtospecificallytrustthelocalcallingclient
identity.
AsabestpracticeyoushouldruntheC2WTSusingadedicatedserviceaccountandnot
asLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccountrequiresspecial
localpermissionsoneachservertheservicerunsonsobesuretoconfigurethese
permissionseachtimetheserviceisstartedonaserver.Optimallyyoushouldconfigure
theserviceaccountspermissionsonthelocalserverbeforestartingtheC2WTS,butif
doneafterthefactyoucanrestarttheC2WTSfromtheWindowsservicesmanagement
console(services.msc).
TostarttheC2WTS
scenariowewilldelegatecredentialstotheSQLServerservicerunningwiththe
MSSQLSVC/MySqlCluster.vmlab.local:1433serviceprincipalname.
164

4. ConfiguretherequiredlocalserverpermissionsthattheC2WTSrequires.Youwill
needtoconfigurethesepermissionsoneachservertheC2WTSrunson.Inour
example,thisisVMSP10APP01.LogontotheserverandgivetheC2WTSthe
followingpermissions:
165
6. InSecurity,intheConfigureManagedServiceAccountssection,registertheC2WTS
serviceaccountasamanagedaccount.


8. Intheserverselectionboxintheupperrightcorner,selecttheserver(s)thatisor
arerunningtheVisioGraphicsService.InthisexampleitisVMSP10APP01.

9. FindtheClaimstoWindowsTokenServiceandstartit.
10. GotoManageServiceAccountsintheSecuritysection.Changetheidentityof
theC2WTStothenewmanagedacount.
166
Note:
alsobenecessarytoresettheIISapplicationpoolsthatcommunicatewiththeC2WTS.
Add Startup dependencies the WIF C2WTS service

1. OpenaCommandPromptwindow.
2. Type:scconfig"c2wts"depend=CryptSvc

167

5. ChecktheDependenciestab.MakesureCryptographicServicesislisted:

6. ClickOK.
168
Grant the Visio Services service account permissions on the web

application content database
givenwebapplication.Inthisexample,wewillgranttheVisioGraphicsServiceaccount
accesstotheportalwebapplicationscontentdatabasebyusingWindowsPowerShell.
$w.GrantAccessToProcessIdentity("vmlab\svcVisio")
Start the Visio Graphics Service instance on the Visio server

BeforecreatingaVisioServicesserviceapplication,starttheVisioservicesserverservice
onthedesignatedFarmservers.

runningexcelservices.InthisexampleitisVMSP10APP01.

4. StarttheVisioGraphicsService.
Create the Visio Graphics Service application and proxy

Next,configureanewExcelServicesserviceapplicationandapplicationproxytoallow
WebapplicationstoconsumeExcelServices(ifonedoesnotalreadyexist):
169

3. SelectNew,andthenselectVisioGraphicsService.

(createanewmanagedaccountiftheVisioserviceaccountisnotinthelist).
170
Verify Visio Graphic Service Constrained Delegation
Configure the Visio services cache settings

Bydefault,theVisioGraphicsservicewillcachethewebdrawingsitrendersforweb
clientsforanumberofminutesbasedontheservicescachesettings.Totestdelegation
wewillconfiguretheservicetonotcachedrawingstoeasilycheckdatarefreshinaVisio
webdrawing.
171
Note:
Disablingtherenderingcacheisnotrecommendedforproductionenvironments.
RemembertoreenablethecacheonceyouhavecompletedtestingdelegationinVisio

3. SelecttheVisioGraphicsServiceapplicationcreatedinthepreviousstep.

4. SelectGlobalSettings.

5. IntheMinimumCacheAgesetting,setthecacheto0(nocache).
172
Note:
Settingtheminimumcacheageto0isfortestingpurposesonlyandshouldnotbeused
inaproductionenvironment.
Create document library to host a test Visio Web Drawing

Navigatetotheportalapplication(http://portal).Createanewdocumentlibrarytohost
atestVisioworkbook.Thedefaultdocumentlibrary
Create a test Visio web drawing with SQL Server data-connected

shapes
1. StartVisio2010.
2. CreateanewBasicDiagramintheGeneralsectionunderHome.

3. OntheDataRibbonTab,selectLinkDatatoShapes.
173

4. Inthedataselectordialogbox,selectMicrosoftSQLServerdatabase.

5. SpecifytheSQLServerclustercreatedinScenario2andselectWindows
Authentication.
174

6. SelecttheTestdatabaseandtheSalesTable.
175

7. Specifyafriendlynamefortheconnectionandsavetheconnectiontothe
documentlibrarycreatedinthepreviousstep.
176

8. IntheDataSelectordialog,selectthenewlycreatedconnectionandpressFinish.
177
Youshouldnowseetheexternaldatawindowatthebottomofthedrawingwindow
withthesampledatathatwascreatedearlier.

9. Dragthefirstdatarowontothedrawingsurface.Thiswillcreateanewshapethatis
linkedtothedatarow.Notethatthetestdrawingismeanttotestdelegationandis
notmeanttodemonstratehowtocreateafullyfunctioning,productionreadyweb
drawing.
178
Publish the Visio drawing to SharePoint Server and refresh the data
connection
1. PublishthedrawingtothetestSharePointdocumentlibrary.OntheFiletabclick
SaveandSend,SavetoSharePoint,Browseforalocation,andthenWebDrawing.

2. Browsetothetestdocumentlibrary,specifyanameforthetestdrawing,andthen
clickSave.
179
Thedrawingopensinthebrowser.
3. Intherefreshdisablednotification,selectEnable(always).
180

4. Thedataconnectionshouldautomaticallyrefreshandnoerrorsshouldoccur.
5. OpenSQLServerManagementStudioandmodifythedatarowdisplayedintheweb
drawing.
6. RefreshthedataconnectionbypressingtheRefreshbuttonatthetopofthe
drawingwindow.Ifdelegationisconfiguredcorrectlyyoushouldseeyourdata
refresh.
181
182
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Identity delegation for PerformancePoint

Services (SharePoint Server 2010)
Inthisscenario,youwilladdthePerformancePointServicesserviceapplicationtothe
SharePointServerenvironmentandconfigureKerberosconstraineddelegationtoallow
theservicetopulldatafromanexternalAnalysisServicescubeandhavetheoptionto
pulldatafromSQLServer.
Note:
Tocompletethisscenarioyouwillneedtohavecompleted:
Scenario2:Kerberos Authentication for SQL OLTP(optional)

Scenario3:Kerberos Authentication for SQL Server Analysis Services
183
ActiveDirectory CreatePerformancePointServicesserviceaccount
configuration
CreateanSPNfortheserviceaccountrunningthe
PerformancePointServiceontheApplicationServer
VerifyAnalysisServicesSPNonSQLServerAnalysisServices
serviceaccount,vmlab\svcSQLAS(performedinScenario3)
and
(Optional)verifytheSQLServerdatabaseengineserviceaccount,
vmlab\svcSQL(performedinScenario2).
ConfigureKerberosconstraineddelegationforClaimsto
WindowsServicesserviceaccounttoAnalysisServices
ConfigureKerberosconstraineddelegationforthe
PerformancePoint
ServicesserviceaccounttoAnalysisServices
SharePointServer StartClaimstoWindowsTokenServiceonPerformancePoint
configuration ServicesServers
StartthePerformancePointServicesserviceinstanceonthe
PerformancePointServicesserver
CreatethePerformancePointServicesserviceapplicationand
proxy
ChecktheidentityonPerformancePointapplication
GrantthePerformancePointServicesserviceaccount
permissionsonthewebapplicationcontentdatabase
ConfigurePerformancePointservicestrustedfilelocationand
authenticationsettings
Verify Createdocumentlibrarytohostatestdashboard
PerformancePoint
Serviceconstrained CreateadatasourcethatreferenceanexistingSQLServer
184
delegation AnalysisServicescube
CreateatrustedPerformancePointcontentlist
CreatetestPerformancePointdashboard
PublishdashboardtoSharePointServer


InthisscenariowewillconfigurethePerformancePointServicesserviceaccountfor
KerberosconstraineddelegationtotheSQLServerservice.
185
Note:
InthisscenariowewillconfiguretheClaimstoWindowsTokenServices(C2WTS)touse
adedicatedserviceaccount.IfyouleavetheC2WTSconfiguredtouseLocalSystemyou
willneedtoconfigureconstraineddelegationonthecomputeraccountforthe
computerrunningtheC2WTSandExcelServices.

ThePerformancePointserviceapplicationwillaccepttheclaimstokenandconvertit
intoaWindowstoken(Kerberos)usingthelocalClaimstoWindowsTokenService
(C2WTS)thatisapartofWindowsIdentityFramework(WIF).ThePerformancePoint
serviceapplicationwillthenusetheclientsKerberostickettoauthenticatewiththe
backendDataSource.
186
Step-by-step Configuration instructions

Create PerformancePoint Services service account

AsabestpracticePerformancePointServicesshouldrununderitsowndomainidentity.
ToconfigurethePerformancePointServiceApplication,anActiveDirectoryaccount
mustbecreatedandregisteredasamanagedaccountinSharePointServer2010.For
moreinformationseeManaged Accounts in SharePoint 2010.Inthisexamplethe
followingaccountiscreatedandregisteredlaterinthisscenario:
PerformancePointServices vmlab\svcPPS
*NOTE:Youcanoptionallyreuseasingledomainaccountformultipleservices.This
configurationisnotcoveredinthefollowingsections.
Create an SPN for the Service Account that is running the

PerformancePoint service on the Application Server
AlthoughPerformancePointServicesdoesnotrequireaSPNtofunction,wewill
configureoneforthispurpose.NotethatiftheserviceaccountalreadyhasanSPN
applied(inthecaseofsharingaccountsacrossservices)thisstepisnotrequired.
187
SETSPNSSP/PPSvmlab\svcPPS
Note:
Verify Analysis Services SPN on SQL Server Analysis Services

service account, vmlab\svcSQLAS(performed in Scenario 3) AND
(Optional) Verify the SQL Server database engine service account,
vmlab\svcSQL(performed in Scenario 2)
VerifythattheSPNfortheSQLAnalysisServicesaccount(vmlab\svcSQLAS)existswith
SetSPNLvmlab\svcSQLAS
MSOLAPSvc.3/MySqlCluster
VerifytheSPNfortheSQLServerserviceaccount(vmlab\svcSQL)existswiththe
SetSPNLvmlab\svcSQL
188
Configure Kerberos constrained delegation from the

PerformancePoint Services Service account to the SSAS Service and
optionally for SQL Server service
ToallowPerformancePointservicestodelegatetheclient'sidentity,Kerberos
constraineddelegationmustbeconfigured.Youmustalsoconfigureconstrained
delegationwithprotocoltransitionfortheconversionofclaimstokentoWindowstoken
viatheWIFC2WTS.
EachserverrunningPerformancePointservicesmustbetrustedtodelegatecredentials
toeachbackendservicewithwhichPerformancePointwillauthenticate.Inaddition,
thePerformancePointservicesserviceaccountmustalsobeconfiguredtoallow
delegationtothesamebackendservices.NoticealsothatHTTP/Portaland
HTTP/Portal.vmlab.localareconfiguredtodelegateinordertoincludeaSharePointlist
asanoptionaldatasourceforyourPerformancePointdashboard.
PrincipalType PrincipalName
User Vmlab\svcC2WTS
User Vmlab\svcPPS
Computers.
189

3. SelectTrustthiscomputerfordelegationtospecifiedservicesonly.
4. SelectUseanyauthenticationprotocol.
5. Clicktheaddbuttontoselecttheserviceprincipal.
190

7. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto(SQLServer,
SQLServerAnalysisServices,orboth).
Note:
TheserviceaccountselectedmusthaveanSPNappliedtoit.Inourexample,theSPNfor
thisaccountwasconfiguredinapreviousscenario.SeetheKerberosAuthenticationfor
SQLOLTPandKerberosAuthenticationforSQLAnalysisServicessectionsofthis
document.
8. ClickOK.
9. SelecttheSPNsyouwouldliketodelegateto,andthenclickOK.
191

192

11. Repeatthesestepsforeachdelegationpathdefinedinthebeginningofthissection.
Configure and Start the Claims to Windows Token Service on

PerformancePoint Services Servers
Foundation(WIF)whichisresponsibleforconvertinguserclaimtokenstoWindows
tokens.PerformancePointServicesusestheC2WTStoconverttheusersclaimstoken
intoawindowstokenwhentheservicesneedstodelegatecredentialstoabackend
systemwhichusesWindowsauthentication.WIFisdeployedwithSharePointServer
2010andtheC2WTScanbestartedfromCentralAdministration.
193
EachPerformancePointServicesApplicationservermustruntheC2WTSlocally.The
C2WTSdoesnotopenanyportsandcannotbeaccessedbyaremotecaller.Further,the
C2WTSserviceconfigurationfilemustbeconfiguredtospecificallytrustthelocalcalling
clientidentity.
AsarecommendedpracticeyoushouldruntheC2WTSusingadedicatedservice
accountandnotasLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccount
requiresspeciallocalpermissionsoneachserverthattheservicerunson.Besureto
configurethesepermissionswhenyouchoosetoruntheC2WTSwithadomainaccount.
ToensuretheC2WTSaccountpicksuptheneededprivileges,reboottheserverafteryou
haveconfiguredtheC2WTS.
*NOTE:IfyouchoosetoconfiguretheC2WTSaslocalsystemyoudonotneedto
configureanyadditionallocalprivileges.
TostarttheC2WTS

scenariowedelegatecredentialstotheSQLServerservicethatisrunningwiththe
MSOLAPsvc.3/MySqlCluster.vmlab.localserviceprincipalname.
194

4. Next,configuretherequiredlocalserverpermissionstheC2WTSrequires.Youhave
toconfigurethesepermissionsoneachservertheC2WTSrunson.Inourexample
thisisVMSP10APP01.LogontotheserverandgivetheC2WTSthefollowing
permissions:
195
6. IntheSecuritysection,underConfigureManagedServiceAccounts,registerthe
C2WTSserviceaccountasamanagedaccount.


runningPerformancePointservices.InthisexampleitisVMSP10APP01.
9. FindtheClaimstoWindowsTokenServiceandstartit:

10. GotoManageServiceAccountsintheSecuritysection.Changetheidentityof
theC2WTStothenewmanagedacount.
196
Note:
Inaddition,ifyouexperienceissueswiththeC2WTSafterrestartingtheserviceit
mayalsoberequiredtoresettheIISapplicationpoolsthatcommunicatewiththe
C2WTS.
Add startup dependencies to the WIF C2WTS service

1. Openthecommandpromptwindow.
2. Type:scconfigc2wtsdepend=CryptSvc
197


5. ChecktheDependenciestab.MakesureCryptographicServicesislisted:

6. ClickOK.
198
7. Reboottheserver.MakesurethattheC2WTShasstartedoncethecomputer
reboots.
Start the PerformancePoint Services service instance on the

PerformancePoint Services server
BeforecreatingaPerformancePointServicesserviceapplication,startthe
PerformancePointservicesserveserviceonthedesignatedFarmservers.Tolearnmore
aboutPerformancePointServicesconfiguration,seePerformancePoint Services
administrationonMicrosoftTechNet.
runningPerformancePointservices.InthisexampleitisVMSP10APP01:

4. StartthePerformancePointServicesservice.
Create the PerformancePoint Services service application and proxy

NextconfigureanewPerformancePointServicesserviceapplicationandapplication
proxytoallowwebapplicationstoconsumePerformancePointServices:
199

3. SelectNew,andthenclickPerformancePointServicesApplication.

orcreateanewmanagedaccountifyoudidnotperformthissteppreviously.
200
Note:
ConfiguringtheUnattendedServicesAccountisoptionalinthisscenarioandonlyusedif
youwanttoalsotestNTLMauthentication.
Youcancreateandregisteranewserviceaccountforanexistingapplicationpool
dedicatedforPerformancePointServicesbeforethissteporwhenyoucreatethenew
PerformancePointService.Toassociatetheserviceaccountwithanexistingapplication
pooldedicatedtoPerformancePointorverifyanexistingaccount,dothefollowing.
201
1. NavigatetoSharePointCentralAdministration.FindConfiguremanagedaccounts
intheSecuritysection.
2. Selectthedropdownboxandselecttheapplicationpool.
3. SelecttheActiveDirectoryaccount.
Grant the PerformancePoint Services service account permissions

on the web application content database
givenwebapplication.Inthisexample,wewillgrantthePerformancePointServices
accountaccesstothe"portal"webapplicationscontentdatabasebyusingWindows
PowerShell.
$w.GrantAccessToProcessIdentity("vmlab\svcPPS")
202
Configure PerformancePoint Services trusted file location and

authentication settings
OncethePerformancePointServicesapplicationiscreated,youmustconfigurethe
propertiesonthenewserviceapplicationtospecifyatrustedhostlocationand
authenticationsettings.

3. ClickthelinkforthenewServiceApplication,PerformancePointServicesandclick
theManagebuttonintheribbon.

4. InthePerformancePointservicesmanagementscreen,clickTrustedDataSource
Locations.
203
5. SelecttheOnlyspecificlocationsoptionandclickAddTrustedDataSource
Location.
6. TypetheURLofthelocation,selecttheSiteCollection(andsubtree)option,and
thenclickOK.

7. SelecttheOnlyspecificlocationsoptionandclickAddTrustedDataSource
Location.
204
8. TypetheURLofthelocation,selecttheSite(andsubtree)option,andthenclickOK.
Verify PerformancePoint Service Constrained Delegation

Note:InlargerenvironmentswithmultipleActiveDirectoryservers,youmayneedto
waitforActiveDirectoryreplicationtofinishbeforeyouverifyyourconfiguration.
205
Create test PerformancePoint dashboard with a SQL Server AS data

connection
Next,openPerformancePointDashboardDesignerandcreateanAnalysisServicesdata
connection.
1. OpenPerformancePointDashboardDesignerandrightclickdatasourcetocreatea
connection.

2. SelectAnalysisServices.
206

3. Specifytheserver,database,andcubeandselectPeruserIdentity.
207

4. ClickTestDataSourcetotesttheconnection.

208
5. Createareportanddashboard.

6. Makesureyouhaveadataconnectionbydraggingmeasuresanddimensionsfrom
thedetailspainintothereportdesigner.

209
7. Yourreportcanbeincludedinthedashboard.
SelectReportsandthendragMyReportontotheDashboardContentpage.
Publish the dashboard to SharePoint Server

ThelaststeptovalidatethePerformancePointServicesapplicationistopublishthe
dashboardandtestrefreshingandviewingtheAnalysisServicesdata.Todothis:
1. Selectthebrightfilebuttonicon.
210
2. ClickDeployinthefileselection.

3. SelectaMasterPagetowhichyouwanttopublish.
4. Clicktherefreshbuttoninyourbrowser.
Ifthedataconnectionrefreshes,youhavesuccessfullyconfiguredKerberos
delegationforPerformancePointServices.
211
212
Identity delegation for Business

Connectivity Services (SharePoint Server
2010)
InthisscenarioyouconfiguretheBusinessDataConnectivityserviceapplicationtouse
KerberosconstraineddelegationtoauthenticatewithSQLServer.Onceitisconfigured,
youcreateanewexternalcontenttypeandexternallisttotestauthenticationandread
operationswithinaSharePointsite.
Inthisscenario,theSharePointServerFarmandBCSdatasourcearebothinthesame
domain.Therefore,weconfigureKerberosconstraineddelegationtoallowidentity
delegationtothebackenddatasource.Ifyouarerequiredtoauthenticatewithdata
sourcesinotherdomainswithinthesameforest,youhavetoconfigurebasic
(unconstrained)Kerberosdelegation.RememberthatBCSdoesnotleveragetheC2WTS;
thereforeyoucanusebasicdelegation.
Note:
Tocompletethisscenarioyouhavetohavecompletedthefollowing:
213
ActiveDirectoryconfiguration CreateBCSApplicationServiceAccount
ValidateServicePrincipalNames
ConfigureDelegation
SharePointServerconfiguration StarttheBCSServiceInstance
CreatetheBCSServiceApplication
Verification CreateaBCSExternalContentType
ConfigureBCSSecurity
CreateaBCSExternalList
Opentheexternallistinthebrowser
214
Scenario Environment Details

Kerberosdelegation
SQLDatabaseEngineIdentity
Vmlab\svcSQL
SQL SPN:MSSQLSVC/MySqlCluster.vmlab.local:1433
AppPoolIdentities
vmSQL2k8r201
DefaultInstance
Port:1433
vmSP10WFE01
vmSQL2k8r202
vmSP10WFE02
SQLCluster
DNS(A):
MySQLCluster.vmlab.local
215

Create BCS Application Service Account

AsabestpracticeBusinessConnectivityServicesshouldrununderitsowndomain
identity.ToconfiguretheBCSApplicationanActiveDirectoryaccountmustbecreated.
Inthisexamplethefollowingaccountswerecreated:
BusinessConnectivityService vmlab\svcBDC
Validate Service Principal Names

BCSexternalcontenttypesrunwithinthecontextoftheIISapplicationpoolusingthe
ECTtypewhenBCSdataisusedinSharePointsites.ForBCStoconnectandauthenticate
withexternaldatasourcesusingKerberosauthenticationtheIISapplicationpoolservice
accountandtheserviceaccountfortheexternaldatasourcemusthaveserviceprincipal
namesconfigured.Refertoscenarios1&2inthisdocumenttoconfigureandvalidate
thenecessarySPNSonthewebapplicationsandSQLServerserviceaccounts.
Configure delegation
ToallowBCStodelegatetheclientsidentityKerberosdelegationmustbeconfigured.
AlthoughconstraineddelegationistechnicallynotrequiredlikeExcelServices,
unconstraineddelegationcanbeusedforBCS,itisabestpracticetolimitthescopeof
delegationtheserviceisallowedtoperformthereforeconstraineddelegationwillbe
configuredinthisexample.
EachIISapplicationpoolserviceaccounthostingthesiterunningtheECTmustbe
configuredtoallowdelegationtothebackendservices.
Inourexamplethefollowingdelegationpathsareneeded:
216
User svcPortal10App MSSQLSVC/MySqlCluster.vmlab.local:1433
User svcTeams10App MSSQLSVC/MySqlCluster.vmlab.local:1433
Computers.
217
Note:
IfyouneedBCStoauthenticatewithdatasourceswithinthesameforestbutoutsideof
thedomainthatSharePointServerresidesinyouwillwanttoselectTrustthiscomputer
fordelegationtoanyservicetoconfigurebasicdelegationinsteadofconstrained
delegation.TheBCSexternalcontenttypewillexecuteinthewebapplicationsIIS
workerprocessanddoesnotleveragetheC2WTS.RememberthatcrossforestKerberos
delegationisnotpossible.
4. ClicktheAddbuttontoselecttheserviceprincipalallowedtodelegateto.

218

exampleitistheserviceaccountfortheSQLServerservice.
Note:
TheserviceaccountselectedmusthaveaSPNappliedtoit.InourexampletheSPNfor
7. ClickOK.
8. SelecttheSPNsyouwouldliketodelegate,andthenclickOK.
219
9. SelecttheservicesfortheSQLServerclusterandclickOK.
YoushouldnowseetheselectedSPNSintheservicestowhichthisaccountcan

10. Repeatthesestepsforeachdelegationpathidentifiedearlierinthissection.
220
SetSPNLvmlab\svcSQL
Start the BCS service instance

BeforecreatingaBCSserviceapplication,starttheBCSserviceonthedesignatedfarm
servers.
2. UnderServices,selectManageservicesonserver.

3. IntheServerSelectionboxintheupperrightcorner,selecttheserver(s)running
ExcelServices.Inthisexample,itisVMSP10APP01.

4. StarttheBusinessDataConnectivityServiceservice.
221
Create the BCS service application

Next,configureanewBDCserviceapplicationandapplicationproxytoallowweb
applicationstoconsumeBDCservices:

3. SelectNewthenBusinessDataConnectivityService.

(createanewmanagedaccountiftheBDCserviceaccountisnotinthelist).
222
Verification
Create a BCS external content type

ToaccessexternaldatathroughBDCaBDCeternalcontenttypemustbecreated.Inthis
examplewewilluseSharePointDesigner2010tocreatetheexternalcontenttypeinthe
Portalwebapplication(http://portal):
1. OpenSharePointDesigner2010.
2. Openthetestsitecollectionathttp://portal.
223

3. Onthelefthandnavigation,clickExternalContentTypes.
4. SelectExternalContentTypeintheNewsectionoftheribbonintheupperleft
handcornerofthepage.
224

5. GivetheExternalContentTypeadisplayname.
225

6. ThenselectClickheretodiscoverexternaldatasourcesanddefineoperations.
7. ClickAddConnection.
226

8. SelectSQLServerfromtheDataSourceTypedropdownlistandaddthe
informationtoconnecttothetestdatabase.BesuretoselectConnectwiththe
UsersIdentitytotestdelegation.
227

9. Expandthenewconnection.Rightclickthetesttable(Sales)andselectCreateAll
Operations.

10. Youshouldseeanerrorexplainingthereisntauniqueidentifierdefined.Selectthe
identifiercolumnandselecttheMaptoIdentifiercheckbox.ClickFinishtoaccept
thedefaultoptionsandcreatetheECToperations.
228

11. ClickSave(CTRL+S).ThiswillpublishtheECTtotheBDCserviceapplication
metadatastore.
Configure BCS security

BeforeclientscanusetheBCSexternalcontenttypeintheportalwebapplicationBCS
permissionsmustbeconfigured.BCSsupportsagranularpermissionmodelbutforthe
purposesofthisdemowewillconfiguresecureattheMetadatastoreleveland
propagatethesecuritychangestoallobjectsinthestore.
229

3. ClickthelinkforthenewServiceApplication,BusinessDataServicesinthis
example.

4. SelectSetMetadataStorePermissions.

230
5. Inourexample,weconfiguredEnterpriseAdminswithallpermissionsandAll
AuthenticatedUserswithallpermissionsexcepttheSetPermissionspermission.

6. EnsurethePropagatepermissionscheckboxisselectedandclickOKtosaveyour
changes.
Create a BCS External List

Totesttheexternalcontenttypewewillconfigureanexternallisttodisplaythe
externaldataintheportalapplication:
231

3. SelectExternalContentTypesontheleftside.
232
233

4. Clickthecontenttypethatyoucreatedearlier.
5. Intheribbon,clickCreateLists&Form.
6. Ifyouarepromptedtosavetheexternalcontenttype,clickYes.
7. OntheCreateListandFormdialogbox,typealistnameintheListNametextbox,
andthenclickOK.
Open the external list in the browser

234

3. Click"ListsandLibraries"inthelefthandnavigation.
4. SelecttheexternallistatthebottomoftheListandLibrarieslist.
5. ClickthePreviewinBrowserbutton.
235
InternetExplorerwillopenanddisplaytheselectedsiteandexternallist.
236

6. Validatetheexternaldataisdisplayedcorrectly.Tofurthervalidatetheconnection,
changethesourcedatainSQLServerManagementStudioandrefreshthebrowser
page.Youshouldseethedatachangesreflectedinthebrowser.
237
Kerberos configuration known issues

Kerberos authentication and non-default

ports
ThereisaknownissuewheresomeKerberosclients(.NETFramework,InternetExplorer
7and8included)donotcorrectlyformserviceprincipalnameswhenattemptingto
authenticatewithKerberosenabledwebapplicationsthatareconfiguredonnon
defaultports(portsotherthan80and443).Therootoftheproblemistheclientdoes
notproperlyformtheSPNintheTGSrequestbyspecifyingitwithouttheportnumber
(asseenintheSnameoftheTGSrequest).
Example:
Ifthewebapplicationisrunningathttp://intranet.contoso.com:1234,theclientwill
requestaticketforaservicewithaSPNequaltohttp/intranet.contoso.cominsteadof
http/intranet.contoso.com:1234.
Detailsregardingtheissuecanbefoundinthefollowingarticles:
Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a

Web site that uses a non-standard port in Windows XP and in Windows Server 2003
(http://support.microsoft.com/kb/908209/enus)
Configure Kerberos authentication (Office SharePoint Server 2007)

Toworkaroundthisissue,registerSPNswithandwithoutportnumber.Example:
http://intranet.contoso.com:12345
http/intranet
http/intranet.contoso.com
http/intranet:12345
238
Kerberos configuration known issues (SharePoint Server 2010)
http/intranet.contoso.com:12345
Werecommendthatyouregisterthenondefaultporttoensurethatiftheissueis
resolvedinsomefutureservicepackorhotfix,theapplicationsusingtheworkaround
willstillcontinuetofunction.
Notethatthisworkaroundwillnotworkifthefollowingconditionsaretrue:
Thereismorethanonewebapplicationrunningonanondefaultport
Thewebapplicationseitherbindtothehostnameoftheserverorbindtothesame
hostheader(ondifferentports)
ThewebapplicationIISapplicationpoolsusedifferentserviceaccounts
http://server.contoso.com:5000AppPoolId:contoso\svcA
http://server.contoso.com:5001AppPoolId:contoso\svcB
Iftheseconditionsaretrue,followingtherecommendationinthisworkaroundwillyield
duplicateSPNsregisteredtodifferentserviceaccountswhichwillbreakKerberos
authentication.
Ifyouhavemultiplewebsitessharingacommonhostnamerunningonmultipleports,
andyouusedifferentIISapplicationpoolidentitiesforthewebapplications,thenyou
cannotuseKerberosauthenticationonallwebsites.(OneapplicationcanuseKerberos,
therestwillrequireanotherauthenticationprotocol.)TouseKerberosonall
applicationsinthisscenario,youwouldneedtoeither:
1. Runallwebapplicationsunder1sharedserviceaccount
2. Runeachsitewithitsownhostheader
Kerberos authentication and DNS CNAMEs

ThereisaknownissuewithsomeKerberosclients(InternetExplorer7and8included)
thatattempttoauthenticatewithKerberosenabledservicesthatareconfiguredto
resolveusingDNSCNAMEsinsteadofARecords.Therootoftheproblemistheclient
doesnotcorrectlyformtheSPNintheTGSrequestbycreatingitusingthehostname(A
Record)insteadofthealiasname(CNAME).
Example:
ARecord:wfe01.contoso.com
239
CNAME:intranet.contoso.com(aliaseswfe01.contoso.com)
Iftheclientattemptstoauthenticatewithhttp://intranet.contoso.com,theclientdoes
notcorrectlyformtheSPNandrequestsaKerberosticketforhttp/wfe01.contoso.com
insteadofhttp/intranet.contoso.com
Detailsregardingtheissuecanbefoundinthefollowingarticles:
http://support.microsoft.com/kb/911149/en-us
http://support.microsoft.com/kb/938305/en-us
Toworkaroundthisissue,configureKerberosenabledservicesusingDNSArecords
insteadofCNAMEaliases.ThehotfixmentionedinKBarticlewillcorrectthisissuefor
InternetExplorerbutwillnotcorrecttheissueforthe.NETframework(whichisusedby
MicrosoftOfficeSharePointServerforwebservicecommunication).
Kerberos authentication and Kernel Mode

Authentication
Note:
KernelModeAuthenticationisnotsupportedinSharePoint2010Products.This
informationisprovidedforinformationalpurposesonly.
BeginninginIISversion7.0,thereisanewauthenticationfeaturecalledKernelMode
Authentication.WhenanIISwebsiteisconfiguredtouseKernelModeauthentication,
HTTP.syswillauthenticatetheclientsrequestsinsteadoftheapplicationpoolsworker
process.BecauseHTTP.sysrunsinkernelmodethisyieldsbetterperformancebutalso
introducesabitofcomplexitywhenconfiguringKerberos.ThisisduetoHTTP.sys
runningunderthecomputersidentityandnotundertheidentityoftheworkerprocess.
WhenHTTP.sysreceivesaKerberosticket,bydefaultitwillattempttodecrypttheticket
usingtheserversencryptionkey(akasecret)andnotthekeyfortheidentitytheworker
processisrunningunder.
IfasinglewebserverisconfiguredtouseKernelModeauthentication,Kerberoswill
workwithoutanyadditionalconfigurationoradditionalSPNsbecausetheserverwill
automaticallyregisteraHOSTSPNwhenitisaddedtothedomain.Ifmultipleweb
240
serversareloadbalanced,thedefaultKernelModeAuthenticationconfigurationwill
notwork,oratleastwillintermittentlyfail,becausetheclienthasnowayofensuring
theservicetickettheyreceivedintheTGSrequestwillworkwiththeserver
authenticatingtherequest.
Toworkaroundthisissueyoucandothefollowing:
TurnoffKernelModeAuthentication
ConfigureHTTP.systousetheIISapplicationpoolsidentitywhendecryptingservice
tickets.SeeInternet Information Services (IIS) 7.0 Kernel Mode Authentication
Settings.
YoumayalsoneedahotfixwhenconfiguringHTTP.systousetheapplicationpools
credentials:FIX: You receive a Stop 0x0000007e error message on a blue screen
when the AppPoolCredentials attribute is set to true and you use a domain account
as the application pool identity in IIS 7.0
Kerberos authentication and session-based

authentication
YoumaynoticeincreasedauthenticationtrafficwhenusingKerberosauthentication
withIIS7.0andgreater.ThismayberelatedtoWindowsauthenticationsettingsinIIS,
inparticular:
Setting Description
AuthPersistNonNTLM OptionalBooleanattribute.
SpecifieswhetherIISautomaticallyreauthenticatesevery
nonNTLM(forexample,Kerberos)request,eventhoseon
thesameconnection.Falseenablesmultiple
authenticationsforthesameconnections.
ThedefaultisFalse.
Note:
AsettingofTruemeansthattheclientwillbe
authenticatedonlyonceonthesameconnection.IISwill
cacheatokenorticketontheserverforaTCPsessionthat
241
Setting Description
staysestablished.

authPersistSingleRequestOptionalBooleanattribute.
SettingthisflagtoTruespecifiesthatauthentication
persistsonlyforasinglerequestonaconnection.IIS
resetstheauthenticationattheendofeachrequest,and
forcesreauthenticationonthenextrequestofthe
session.
ThedefaultvalueisFalse.
ForinstructionsonhowtoconfigureauthenticationpersistenceinIIS7.0,seeYou may
experience slow performance when you use Integrated Windows authentication together
with the Kerberos authentication protocol in IIS 7.0andImplementing Access Control.
Kerberos authentication and

duplicate/missing SPN issues
WhenconfiguringKerberosauthentication,itiseasytoaccidentallyconfigureduplicate
serviceprincipalnames,especiallyifyouuseSetSPNAortheADSIEdit(adsiedit.msc)
tooltocreateyourSPNs.ThegeneralrecommendationistouseSetSPNStocreate
SPNsbecausetheSswitchwillcheckforaduplicateSPNbeforecreatingthespecified
SPN.
IfyoususpectyouhaveduplicateSPNsinyourenvironment,usetheSetSPNX
commandtoqueryforallduplicateSPNsinyourenvironment(Windows2008orgreater
only).IfanySPNsarereturnedyoushouldinvestigatewhytheSPNshavebeen
registeredanddeleteanySPNsthatareduplicatesandarenotneeded.Ifyouhavetwo
servicesrunningwithtwodifferentidentitiesandbothusethesameSPN(duplicateSPN
issue)youneedtoreconfigureoneofthoseservicestoeitheruseadifferentSPNor
shareacommonserviceidentity.

242
IfyoususpectaSPNhasnotbeenregistered,ornotregisteredinaformatrequired,you
canusetheSetSPNQ<insertSPN>toqueryfortheexistenceofaparticularSPN.
Kerberos Max Token Size

Insomeenvironments,usersmaybemembersofmanyActiveDirectorygroups,which
canincreasethesizeoftheirKerberostickets.Iftheticketsgrowtoolarge,Kerberos
authenticationcanfail.Formoreinformationabouthowtoadjustthemaxtokensize,
seeNew resolution for problems with Kerberos authentication when users belong to
many groups(http://support.microsoft.com/kb/327825).
Note:
Whenadjustingmaximumtokensize,beawarethatifyouconfigurethemaximum
tokensizebeyondthemaximumvaluefortheregistrysetting,youmayseeKerberos
authenticationerrors.Werecommendnotexceeding65535decimal,FFFFhexadecimal,
formaximumtokensize.
Kerberos authentication hotfixes for Windows

Server 2008 and Windows Vista
algorithm is used(http://support.microsoft.com/kb/969083).
YoumayneedtoinstallahotfixforKerberosauthenticationonallcomputersthatare
runningWindowsServer2008orWindowsVistainyourenvironment.Thisincludesall
computersthatarerunningSharePointServer2010,SQLServer,orWindowsServer
2008thatSharePointServerattemptstoauthenticatewithbyusingKerberos
243
authentication.Followtheinstructionsinthesupportpagetoapplythehotfixifyou
experiencethesymptomsdocumentedinthesupportcase.
244
How to reset the Claims to Windows Token Service account (SharePoint Server
2010)
How to reset the Claims to Windows

Token Service account (SharePoint
Server 2010)
Scenario:TheClaimstoWindowsTokenServiceaccountischangedunintentionallyor
otherwiseneedstoberesetbacktodefault.
Solution
TheClaimstoWindowsTokenServicecannotberesettotheLocalSystemaccountby
usingCentralAdministration.ThefollowingWindowsPowerShellcmdletscanbeusedto
resettheClaimstoWindowsTokenServicebacktoLocalSystem.
LaunchtheSharePointManagementShellfromthecomputerthatisrunningSharePoint
Server.
Runthefollowingcmdlettoviewalistofservices.
Get-SPServiceInstance
FindandcopytheIdoftheClaimsToWindowsTokenService.Rightclickinthe
WindowsPowerShellwindowandchooseMark.Thiswillallowyoutoselectandcopy
theIdwithyourmousecursor.AfterhighlightingtheId,pressENTERonyourkeyboard.
TestyourIdbyrunningthefollowingcmdlet.
245
GetSPServiceInstanceidentity<PastetheC2WTSId>
RightclickinthePowerShellwindowandpastetheIdyoucopiedearlier.
Next,setavariablebyrunningthiscmdlet:
$claims=getspserviceinstanceidentity<PastetheC2WTSId>
RunthesecmdletstoresettheC2WTSbacktoLocalSystem:
$claims.Service.ProcessIdentity.CurrentIdentityType=0//The0inthepreceding
lineisIdentityType.LocalSystem$claims.Service.ProcessIdentity.Update()
$claims.Service.ProcessIdentity.Deploy()$claims.Service.ProcessIdentity//
ThisoutputdemonstratesthatthecmdletwassuccessfulCurrentIdentityType:
LocalSystemCurrentSecurityIdentifier:S1518ManagedAccount:ProcessAccount
:S1518Username:NTAUTHORITY\SYSTEM
246

Configure Kerberos Authentication For SharePoint 2010 Products PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Configure Kerberos Authentication For SharePoint 2010 Products PDF

Uploaded by

Copyright:

Available Formats

Configure Kerberos Authentication

for SharePoint 2010 Products

Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan,

Microsoft and the trademarks listed at

Configure Kerberos authentication for SharePoint 2010 Products...........................7

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.....8

Who should read these articles about Kerberos authentication?..........................9

Identity scenarios in SharePoint 2010 Products....................................................11

Kerberos protocol primer...........................................................................................20

Benefits of the Kerberos protocol.............................................................................20

Kerberos delegation, constrained delegation, and protocol transition................21

Kerberos authentication changes in Windows 2008R2 and Windows 7............22

Kerberos configuration changes in SharePoint 2010 Products...........................23

Configuring Kerberos authentication: Step-by-step configuration (SharePoint

Environment and farm topology................................................................................24

Web Application specification...................................................................................27

SharePoint Server Services and service accounts...............................................30

C2WTS Service Identity.............................................................................................31

Configuring Kerberos authentication: Core configuration (SharePoint Server

Step-by-step configuration instructions...................................................................35

Kerberos authentication for SQL OLTP (SharePoint Server 2010)........................81

Scenario environment details....................................................................................83

Step-by-step configuration instructions...................................................................83

Kerberos authentication for SQL Server Analysis Services (SharePoint Server

Step-by-step configuration instructions...................................................................90

Scenario environment details....................................................................................96

Cross-domain Kerberos delegation.........................................................................96

Step-by-step configuration instructions...................................................................97

SSL configuration for Reporting Services.............................................................122

Identity delegation for Excel Services (SharePoint Server 2010).........................124

Step-by-step configuration instructions.................................................................127

Scenarios requiring Kerberos authentication.......................................................152

Identity delegation for Visio Services (SharePoint Server 2010)..........................155

Scenario environment details..................................................................................157

Step-by-step configuration instructions.................................................................158

Identity delegation for PerformancePoint Services (SharePoint Server 2010)...183

Scenario environment details..................................................................................185

Step-by-step Configuration instructions................................................................187

Identity delegation for Business Connectivity Services (SharePoint Server 2010)

Scenario Environment Details................................................................................215

Kerberos configuration known issues (SharePoint Server 2010).........................238

Kerberos authentication and non-default ports....................................................238

Kerberos authentication and DNS CNAMEs........................................................239

Kerberos authentication and Kernel Mode Authentication.................................240

Kerberos authentication and session-based authentication..............................241

Kerberos authentication and duplicate/missing SPN issues..............................242

Kerberos Max Token Size.......................................................................................243

Configure Kerberos authentication for

Overview of Kerberos authentication for

Who should read these articles about

Upgrading from Office SharePoint Server 2007

Identity scenarios in SharePoint 2010 Products

Kerberos authentication changes in Windows 2008 R2 and Windows 7

Kerberos configuration changes in SharePoint 2010 Products

Scenario2:Kerberos Authentication for SQL OLTP

Scenario4:Identity Delegation for SQL Reporting Services

Scenario5:Identity Delegation for Excel Services

Scenario7:Identity Delegation for Visio Services

Scenario8:Identity Delegation for Performance Point Services

Existing SharePoint 2010 Product environments

Identity scenarios in SharePoint 2010

Note about incoming claims authentication and the Claims to

Identity within a SharePoint 2010 Products environment