Professional Documents
Culture Documents
Configure Kerberos Authentication For SharePoint 2010 Products PDF
Configure Kerberos Authentication For SharePoint 2010 Products PDF
Summary: This document covers the concepts of identity in SharePoint 2010 products,
how Kerberos authentication plays a critical role in authentication and delegation in
business intelligence scenarios, and the situations where Kerberos authentication should
be leveraged or may be required in solution designs. It also covers how to configure
Kerberos authentication end-to-end within your environment, including scenarios which
use various service applications in SharePoint Server. Additional tools and resources are
described to help you test and validate Kerberos configuration.
Category: Guide
Applies to: SharePoint 2010
Source: White paper (link to source content)
E-book publication date: May 2012
220 pages
Copyright 2012 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and events
depicted herein are fictitious. No association with any real company, organization, product, domain name, email address,
logo, person, place, or event is intended or should be inferred.
This book expresses the authors views and opinions. The information contained in this book is provided without any
express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will
be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
TableofContents
ConfigureKerberosAuthenticationforSharePoint2010Products..........................1
Claims primer..............................................................................................................19
Considerations when you are upgrading from Office SharePoint Server 200723
SQL aliasing................................................................................................................29
Configuration checklist...............................................................................................34
Configuration checklist...............................................................................................82
Configuration checklist...............................................................................................89
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
.......................................................................................................................................94
Scenario dependencies.............................................................................................94
Configuration checklist...............................................................................................95
Scenario dependencies...........................................................................................124
4
Configuration checklist.............................................................................................124
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
.....................................................................................................................................151
Scenario dependencies...........................................................................................153
Configuration instructions........................................................................................154
Scenario dependencies...........................................................................................155
Configuration checklist.............................................................................................155
Scenario dependencies...........................................................................................183
Configuration checklist.............................................................................................183
Scenario dependencies...........................................................................................213
Configuration checklist.............................................................................................214
Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
..................................................................................................................................243
How to reset the Claims to Windows Token Service account (SharePoint Server
2010)...........................................................................................................................245
Solution.......................................................................................................................245
6
Configure Kerberos authentication for SharePoint 2010 Products
Thisdocumentgivesyouinformationthatwillhelpyouunderstandtheconceptsof
identityinMicrosoftSharePoint2010Products,howKerberosauthenticationplaysa
veryimportantroleinauthenticationanddelegationscenarios,andthesituations
whereKerberosauthenticationshouldbeusedormayberequiredinsolutiondesigns.
Scenariosincludebusinessintelligenceimplementationswhichsecureaccesstoexternal
datasourcessuchasSQLServer.
ThedocumentalsoshowshowtoconfigureKerberosauthenticationendtoendwithin
yourenvironment,includingscenariosthatusevariousserviceapplicationsinMicrosoft
SharePointServer.Additionaltoolsandresourcesaredescribedtohelpyoutestand
validateKerberosconfiguration.The"StepbyStepConfiguration"sectionsofthis
documentcoverthefollowingscenariosforSharePointServer2010.
Scenario1:CoreConfiguration
Scenario2:KerberosAuthenticationforSQLOLTP
Scenario3:IdentityDelegationforSQLAnalysisServices
Scenario4:IdentityDelegationforSQLReportingServices
Scenario5:IdentityDelegationforExcelServices
Scenario6:IdentityDelegationforPowerPivotforSharePoint
Scenario7:IdentityDelegationforVisioServices
Scenario8:IdentityDelegationforPerformancePointServices
Scenario9:IdentityDelegationforBusinessConnectivityServices
ThesameinformationaboutConfiguringKerberosauthenticationforSharePoint2010
ProductsisavailableisalsoavailableasasetofarticleshereintheTechNetLibrary.It
beginshere:Overview of Kerberos authentication for Microsoft SharePoint 2010
Products.
7
Configure Kerberos Authentication for SharePoint 2010 Products
MicrosoftSharePoint2010Productsintroducesignificantimprovementsinhowidentity
ismanagedintheplatform.Itisveryimporttounderstandhowthesechangesaffect
solutiondesignandplatformconfigurationtoenablescenariosthatrequireuseridentity
tobedelegatedtointegratedsystems.TheKerberosversion5protocolplaysakeyrole
inenablingdelegationandsometimesmayberequiredinthesescenarios.
Thissetofarticlesgivesyouinformationthathelpsyoudothefollowing:
UnderstandtheconceptsofidentityinSharePoint2010Products
LearnhowKerberosauthenticationplaysaveryimportantroleinauthentication
anddelegationscenarios
IdentifythesituationswhereKerberosauthenticationshouldbeleveragedormay
berequiredinsolutiondesigns
ConfigureKerberosauthenticationendtoendwithinyourenvironment,including
scenariosthatusevariousserviceapplicationsinSharePointServer
TestandvalidatethatKerberosauthenticationisconfiguredcorrectlyandworking
asexpected
FindadditionaltoolsandresourcestohelpyouconfigureKerberosauthenticationin
yourenvironment
Thissetofarticlesisdividedintwomajorsections:
ThisoverviewofKerberosauthenticationinSharePoint2010Products
Thisarticlecontainsconceptualinformationabouthowtomanageidentityin
SharePoint2010Products,theKerberosprotocol,andhowKerberosauthentication
playsakeyroleinSharePoint2010solutions.
Step-by-step configuration
ThisgroupofarticlesdiscussesthestepsthatarerequiredtoconfigureKerberos
authenticationanddelegationinvariousSharePointsolutionscenarios.
8
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
Beginning to end
"TellmeeverythingthereistoknowaboutIdentityandKerberosauthenticationin
SharePoint2010Products"
IfyouareonlystartingoutandlearningaboutSharePoint2010Products,Kerberos
authentication,andclaimsauthentication,youwillwanttothereadthefirstsectionof
thisdocument.Itcoversthebasicconceptsofidentityanddelegationandoffersprimers
aboutClaimsandKerberosauthentication.Besuretofollowthelinkstoexternal
articlesandadditionalinformationtobuildasolidfoundationofknowledgebefore
continuingontothestepbystepconfigurationarticles.
IfyouhaveanexistingMicrosoftOfficeSharePointServer2007environmentalready
configuredtouseKerberosauthenticationandKerberosdelegation,youshouldreadthe
followingarticles:
Claims primer
Considerations when you are upgrading from Office SharePoint Server 2007
Ifyouhaveadditionalquestionsabouthowtoconfigurationdelegationforaparticular
featureorscenario,readthestepbystepconfigurationarticles,especiallythe
configurationchecklists.Thiswillhelpyouensurethatyourenvironmentisconfigured
correctlyafterupgrade.
9
Configure Kerberos Authentication for SharePoint 2010 Products
Step-by-step walkthrough
"IwantdetailedstepbystepinstructionsonhowtoconfigureKerberosdelegationin
SharePointServerandapplicableSharePointServerserviceapplications"
ThestepbystepconfigurationarticlescoverseveralSharePoint2010Products
scenarioswhichcanbeconfiguredtouseKerberosdelegation.Eachscenarioiscovered
indetail,includingaconfigurationchecklistandstepbystepinstructionstohelpyou
successfullyconfigureKerberosauthenticationinyourenvironment.Thescenarios
coveredincludethefollowing:
Scenario1:Core Configuration
Besuretothoroughlyreviewthefirstcoreconfigurationscenario,becauseitisa
prerequisiteforallthescenariosthatfollow.
10
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
Note:
Thescenariosinclude"SetSPN"commandsthatyoumaychoosetocopyfromthis
documentandpasteinaCommandPromptwindow.Thesecommandsincludehyphen
characters.MicrosoftWordhasanAutoFormatfeaturethattendstoconverthyphensto
dashcharacters.IfyouhavethisfeatureturnedoninWordandthendoacopyand
pasteoperation,thecommandswillnotworkcorrectly.Changethedashestohyphens
tofixthiserror.ToturnoffthisAutoFormatfeatureinWord,selectOptionsfromthe
Filemenu,clicktheProofingtab,andthenopentheAutoCorrectdialogbox.
TheStep-by-step configurationarticlescontainseveralcheckliststohelptriageyour
environmentinvariousscenarios.PayspecialattentionstoScenario1,Core
configuration,whichcoversbasictoolsandtechniquestotriageKerberosconfiguration.
11
Configure Kerberos Authentication for SharePoint 2010 Products
Incoming Identity
Theincomingauthenticationscenariorepresentsthemeansinwhichaclientpresents
itsidentitytotheplatform,orinotherwordsauthenticateswiththewebapplicationor
webservice.SharePointServerwillusetheclient'sidentitytoauthorizetheclientto
accessSharePointServersecuredresourcessuchaswebpages,documents,andsoon.
SharePoint2010Productssupporttwomodesinwhichaclientcanauthenticatewith
theplatform:ClassicmodeandClaimsmode.
Classic mode
ClassicmodeallowsthetypicalInternetInformationServices(IIS)authentication
methodsthatyoumayalreadybefamiliarwithfrompreviousversionsofSharePoint
Server.WhenaSharePointServer2010WebApplicationisconfiguredtouseclassic
mode,youhavetheoptionofusingthefollowingIISauthenticationmethods:
IntegratedWindowsauthentication
IntegratedWindowsauthenticationenablesWindowsclientstoseamlesslyauthenticate
withSharePointServerwithouthavingtomanuallyprovidecredentials(user
name/password).UsersaccessingSharePointServerfromInternetExplorerwill
authenticatebyusingthecredentialsthattheInternetExplorerprocessisrunning
underbydefaultthecredentialsthattheuserusedtologontothedesktop.Services
orapplicationsthataccessSharePointServerinWindowsintegratedmodeattemptto
authenticatebyusingthecredentialsoftherunningthread,which,bydefault,isthe
identityoftheprocess.
12
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
NTLM
NTLANManager(NTLM)isthedefaultprotocoltypewhenIntegratedWindows
authenticationisselected.Thisprotocoltakesadvantageofathreepartchallenge
responsesequencetoauthenticateclients.FormoreinformationaboutNTLM,see
Microsoft NTLM(http://go.microsoft.com/fwlink/?LinkId=196643).
Pros:
Itiseasytoconfigureandtypicallyrequiresnoadditional
infrastructure/environmentconfigurationtofunction
Itworkswhentheclientisnotpartofthedomain,orisnotinadomaintrustedby
thedomainthatSharePointServerresidesin
Cons:
ItrequiresSharePointServertocontactthedomaincontrollereverytimethata
clientauthenticationresponseneedsvalidation,increasingtraffictothedomain
controllers.
Itdoesnotallowdelegationofclientcredentialstobackendsystems,otherwise
knownasthedoublehoprule.Itisaproprietaryprotocol.
Itisaproprietaryprotocol.
Itdoesnotsupportserverauthentication.
ItisconsideredlesssecurethanKerberosauthentication
Kerberosprotocol
TheKerberosprotocolisamoresecureprotocolthatsupportsticketingauthentication.
AKerberosauthenticationservergrantsaticketinresponsetoaclientcomputer
authenticationrequest,iftherequestcontainsvalidusercredentialsandavalidService
PrincipalName(SPN).Theclientcomputerthenusesthetickettoaccessnetwork
resources.ToenableKerberosauthentication,theclientandservercomputersmust
haveatrustedconnectiontothedomainKeyDistributionCenter(KDC).TheKDC
distributessharedsecretkeystoenableencryption.Theclientandservercomputers
mustalsobeabletoaccessActiveDirectorydirectoryservices.ForActiveDirectory,the
forestrootdomainisthecenterofKerberosauthenticationreferrals.Formore
informationabouttheKerberosprotocol,seeHow the Kerberos Version 5
Authentication Protocol Works(http://go.microsoft.com/fwlink/?LinkId=196644)and
Microsoft Kerberos.(http://go.microsoft.com/fwlink/?LinkId=196645)
13
Configure Kerberos Authentication for SharePoint 2010 Products
Pros:
MostsecureIntegratedWindowsauthenticationprotocol
Allowsdelegationofclientcredentials
Supportsmutualauthenticationofclientsandservers
Produceslesstraffictodomaincontrollers
Openprotocolsupportedbymanyplatformsandvendors
Cons:
Requiresadditionalconfigurationofinfrastructureandenvironmenttofunction
correctly
RequiresclientshaveconnectivitytotheKDC(ActiveDirectorydomaincontrollerin
Windowsenvironments)overTCP/UDPport88(Kerberos),andTCP/UDPport464
(KerberosChangePasswordWindows)
Othermethods
InadditiontoNTLMandKerberosauthentication,SharePointServersupportsother
kindsofIISauthenticationsuchasbasic,digest,andcertificatebasedauthentication,
whicharenotcoveredinthisdocument.Formoreinformationabouthowthese
protocolsfunction,seeAuthentication Methods Supported in IIS 6.0 (IIS 6.0)
(http://go.microsoft.com/fwlink/?LinkId=196646).
Claims-based authentication
SupportforclaimsauthenticationisanewfeatureinSharePoint2010Productsandis
builtonWindowsIdentityFoundation(WIF).Inaclaimsmodel,SharePointServer
acceptsoneormoreclaimsaboutanauthenticatingclienttoidentifyandauthorizethe
client.TheclaimscomeintheformofSAMLtokensandarefactsabouttheclientstated
byatrustedauthority.Forexample,aclaimcouldstate,"Bobisamemberofthe
EnterpriseAdminsgroupforthedomainContoso.com."Ifthisclaimcamefroma
providertrustedbySharePointServer,theplatformcouldusethisinformationto
authenticateBobandtoauthorizehimtoaccessSharePointServerresources.Formore
informationaboutclaimsauthentication,seeA Guide to Claims-based Identity and
Access Control(http://go.microsoft.com/fwlink/?LinkID=187911).
ThekindofclaimsthatSharePoint2010Productssupportforincomingauthentication
areWindowsClaims,formsbasedauthenticationClaims,andSAMLClaims.
14
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
WindowsClaims
IntheWindowsclaimsmodesignin,SharePointServerauthenticatestheclientusing
standardIntegratedWindowsauthentication(NTLM/Kerberos),andthentranslatesthe
resultingWindowsIdentityintoaClaimsIdentity.
FormsbasedauthenticationClaims
InFormsbasedauthenticationclaimsmode,SharePointServerredirectstheclienttoa
logonpagethathoststhestandardASP.NETlogoncontrols.Thepageauthenticatesthe
clientbyusingASP.NETmembershipandroleproviders,similartohowformsbased
authenticationfunctionedinOfficeSharePointServer2007.Aftertheidentityobject
thatrepresentstheuseriscreated,SharePointServerthentranslatesthisidentityintoa
claimsidentityobject.
SAMLClaims
InSAMLClaimsmode,SharePointServeracceptsSAMLtokensfromatrustedexternal
SecurityTokenProvider(STS).Whentheuserattemptstologon,seecommentis
directedtoanexternalclaimsprovider(forexample,WindowsLiveIDclaimsprovider)
whichauthenticatestheuserandproducesaSAMLtoken.SharePointServeraccepts
andprocessesthistoken,augmentingtheclaimsandcreatingaclaimsidentityobject
fortheuser.
FormoreinformationaboutclaimsbasedauthenticationinSharePoint2010Products,
seeSharePoint Claims-Based Identity.
integratedproductsregardlessoftheincomingauthenticationmechanismused.This
meansthatevenwhereclassicauthenticationisusedtoauthenticatewithaparticular
webapplication,SharePointProductsconverttheincomingidentityintoaclaims
identitytoauthenticatewithSharePointServiceApplicationsandproductsthatare
claimsaware.Bystandardizingontheclaimsmodelforintra/interfarm
communications,theplatformcanabstractitselffromtheincomingprotocolsthatare
used.
Note:
SomeproductsintegratedwithSharePointServer,suchasSQLServerReporting
Services,arenotclaimsawareanddonottakeadvantageoftheintrafarmclaims
authenticationarchitecture.SharePointServermayalsorelyonclassicKerberos
delegationandclaimsinotherscenarios,forexamplewhentheRSSviewerwebpartis
configuredtoconsumeanauthenticatedfeed.Refertoeachproductorservice
application'sdocumentationtodeterminewhetheritcansupportclaimsbased
authenticationandidentitydelegation.
Outbound identity
OutboundidentityinSharePoint2010Productsrepresentsthescenarioswhereservices
withinthefarmhavetoauthenticatewithexternallineofbusinesssystemsand
services.Dependingonthescenario,authenticationcanbeperformedinoneoftwo
basicconceptualmodels:
Trusted subsystem
Inthetrustedsubsystem,thefrontendserviceauthenticatesandauthorizestheclient,
andthenauthenticateswithadditionalbackendserviceswithoutpassingtheclient
identitytothebackendsystem.Thebackendsystemtruststhefrontendservicetodo
authenticationandauthorizationonitsbehalf.Themostcommonwaytoimplement
thismodelistousesharedserviceaccounttoauthenticatewiththeexternalsystem:
16
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
InSharePointServer,thismodelcanbeimplementedinvariousways:
UsingtheIISapplicationpoolidentityusuallyachievedbyrunningcodeinthe
webapplicationthatelevatespermissionswhilemakingacalltoanexternalsystem.
OthermethodssuchasusingRevertToSelfcanalsousetheapplicationpool's
identitytoauthenticatewithexternalsystems.
Usingaserviceaccounttypicallyachievedbystoringapplicationcredentialsinthe
SecureStorethenusingthosecredentialstoauthenticatewithanexternalsystem.
Othermethodsincludestoringtheserviceaccountcredentialsinotherwayssuchas
embeddedconnectionstrings.
AnonymousAuthenticationthisiswheretheexternalsystemrequiresno
authentication.ThereforethefrontendSharePointServerservicedoesnothaveto
passanyidentitytothebackendsystem.
Delegation
IntheDelegationmodel,thefrontendservicefirstauthenticatestheclient,andthen
usestheclient'sidentitytoauthenticatewithanotherbackendsystemthatperformsits
ownauthenticationandauthorization:
17
Configure Kerberos Authentication for SharePoint 2010 Products
InSharePoint2010Products,thismodelcanbeimplementedinvariousways:
KerberosdelegationIftheclientauthenticateswiththefrontendservicebyusing
Kerberosauthentication,Kerberosdelegationcanbeusedtopasstheclient's
identitytothebackendsystem.
Claimsclaimsauthenticationallowstheclient'sclaimstobepassedbetween
servicesaslongasthereistrustbetweenthetwoservicesandbothareclaims
aware.
Note:
Currently,mostoftheserviceapplicationsthatareincludedwithSharePointServerdo
notallowforoutboundclaimsauthentication,butoutboundclaimsisaplatform
capabilitythatwillbetakenadvantageofinthefuture.Further,manyofthemost
commonlineofbusinesssystemstodaydonotsupportincomingclaimsauthentication,
whichmeansthatusingoutboundclaimsauthenticationmaynotbepossibleorwill
requireadditionaldevelopmenttoworkcorrectly.
boundaryregardlessoftrustrelationship.Kerberosconstraineddelegationcannotcross
domainorforestboundariesinanyscenario.
SomeSharePointServerservicescanbeconfiguredtousebasicKerberosdelegation,
butotherservicesrequirethatyouuseconstraineddelegation.Anyservicethatrelies
ontheClaimstoWindowstokenservice(C2WTS)mustuseKerberosconstrained
delegationtoallowtheC2WTStouseKerberosprotocoltransitiontotranslateclaims
intoWindowscredentials.
ThefollowingserviceapplicationsandproductsrequiretheC2WTSandKerberos
constraineddelegation:
ExcelServices
PerformancePointServices
VisioServices
Thefollowingserviceapplicationsandproductsarenotaffectedbytheserequirements,
andthereforecanusebasicdelegation,ifitisrequired:
BusinessDataConnectivityserviceandMicrosoftBusinessConnectivityServices
InfoPathFormsServices
AccessServices
MicrosoftSQLServerReportingServices(SSRS)
MicrosoftProjectServer2010
Thefollowingserviceapplicationdoesnotallowdelegationofclientcredentialsand
thereforeisnotaffectedbytheserequirements:
MicrosoftSQLServerPowerPivotforMicrosoftSharePoint
Claims primer
ForanintroductiontoClaimsconceptsandClaimsbaseauthentication,seeAn
Introduction to Claims(http://go.microsoft.com/fwlink/?LinkId=196648)andSharePoint
Claims-Based Identity(http://go.microsoft.com/fwlink/?LinkID=196647).
19
Configure Kerberos Authentication for SharePoint 2010 Products
TypicallytherearethreemainreasonstousetheKerberosprotocol:
1. DelegationofclientcredentialsTheKerberosprotocolallowsaclient'sidentityto
beimpersonatedbyaservicetoallowtheimpersonatingservicetopassthat
identitytoothernetworkservicesontheclient'sbehalf.NTLMdoesnotallowthis
delegation.(ThislimitationNTLMiscalledthe"doublehoprule").Claims
authentication,likeKerberosauthentication,canbeusedtodelegateclient
credentialsbutrequiresthebackendapplicationtobeclaimsaware.
2. SecurityFeaturessuchasAESencryption,mutualauthentication,supportfordata
integrityanddataprivacy,justtonameafew,maketheKerberosprotocolmore
securethanitsNTLMcounterpart.
3. PotentiallybetterperformanceKerberosauthenticationrequireslesstrafficto
thedomaincontrollerscomparedwithNTLM(dependingonPACverification,see
Microsoft Open Specification Support Team Blog: Understanding Microsoft Kerberos
PAC Validation).IfPACverificationisdisabledornotneeded,theservicethat
authenticatestheclientdoesnothavetomakeanRPCcalltotheDC(see:You
experience a delay in the user-authentication process when you run a high-volume
server program on a domain member in Windows 2000 or Windows Server 2003).
Kerberosauthenticationalsorequireslesstrafficbetweenclientandserver
comparedwithNTLM.Clientscanauthenticatewithwebserversintwo
request/responsesvs.thetypicalthreeleghandshakewithNTLM.However,this
improvementistypicallynotnoticedonlowlatencynetworksonapertransaction
basis,butcantypicallybenoticedinoverallsystemthroughput.Rememberthat
manyenvironmentalfactorscanaffectauthenticationperformance;therefore
KerberosauthenticationandNTLMshouldbeperformancetestedinyourown
environmentbeforeyoudeterminewhetheronemethodperformsbetterthanthe
other.
20
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
ThisisanincompletelistoftheadvantagesofusingtheKerberosprotocol.Thereare
otherreasonslikemutualauthentication,crossplatforminteroperability,andtransitive
crossdomaintrust,tonameafew.However,inmostcasesonetypicallyfinds
delegationandsecuritytobetheprimarydriversinadoptionoftheKerberosprotocol.
Requireslessconfigurationthan Secure.Ifthefrontendservice
constraineddelegation. iscompromised,clientidentity
canbedelegatedtoany
serviceintheforestthat
acceptsKerberos
authentication.
Kerberosenabledservicescandelegateidentitymultipletimesacrossmultipleservices
andmultiplehops.Asanidentitytravelsfromservicetoservice,thedelegationmethod
canchangefromBasictoConstrainedbutnotinreverse.Thisisanimportantdesign
detailtounderstand:ifabackendservicerequiresBasicdelegation(forexampleto
21
Configure Kerberos Authentication for SharePoint 2010 Products
delegateacrossadomainboundary),allservicesinfrontofthebackendservicemust
usebasicdelegation.Ifanyfrontendserviceusesconstraineddelegation,thebackend
servicecannotchangetheconstrainedtokenintoanunconstrainedtokentocrossa
domainboundary.
ProtocoltransitionallowsaKerberosenabledauthenticatingservice(frontendservice)
toconvertanonKerberosidentityintoaKerberosidentitythatcanbedelegatedto
otherKerberosenabledservices(backendservice).Protocoltransitionrequires
Kerberosconstraineddelegationandthereforeprotocoltransitionedidentitiescannot
crossdomainboundaries.Dependingontheuserrightsofthefrontendservice,the
Kerberosticketreturnedbyprotocoltransitioncanbeanidentificationtokenoran
impersonationtoken.Formoreinformationaboutconstraineddelegationandprotocol
transition,seethefollowingarticles:
Asageneralbestpractice,ifKerberosdelegationisrequired,oneshoulduse
constraineddelegation,ifitispossible.Ifdelegationacrossdomainboundariesis
required,thenallservicesinthedelegationpathmustusebasicdelegation.
22
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
ConstrainedDelegationrequiredforserviceswhichusetheClaimstoWindows
TokenService.Constraineddelegationisrequiredtoallowprotocoltransitionto
convertclaimstoWindowstokens.
ServiceApplicationsInOfficeSharePointServer2007,theSSPservicesrequired
specialSPNsandserverregistrychangestoenabledelegation.InSharePoint2010
Products,serviceapplicationsuseclaimsauthenticationandtheClaimstoWindows
Tokenservice,sothesechangesarenolongerneeded.
WindowsIdentityFoundation(WIF)theWIFClaimstoWindowsTokenService
(C2WTS)isanewserviceleveragedbySharePoint2010Productstoconvertclaims
toWindowstokensfordelegationscenarios.
IfwebapplicationsarechangingURLs,makesurethatyouupdatetheService
PrincipleNamestoreflecttheDNSnames.
DeletetheSSPserviceprincipalnames,becausetheyarenolongerneededin
SharePointServer2010.
StarttheClaimstoWindowsTokenServiceontheserversthatarerunningservice
applicationsthatrequiredelegation(forexample,ExcelServices,VisioGraphics
Service).
ConfigureKerberosconstraineddelegationwith"useanyauthenticationprotocol"
toallowKerberosconstraineddelegationwiththeC2WTS.
EnsureKernelmodeauthenticationisdisabledinIIS.
23
Configure Kerberos Authentication for SharePoint 2010 Products
Inthescenarioarticlesthatfollow,webuildoutaSharePointServer2010environment
todemonstratehowtoconfiguredelegationinanumberofcommonscenariosyou
mightencounterintheenterprise.Thewalkthroughsassumeyouarebuildingouta
scaledoutSharePointfarmsimilartowhatisdescribedinthefollowingsection.
Note:
Someoftheconfigurationstepsmaychange,ormaynotworkincertainfarm
topologies.Forinstance,asingleserverinstalldoesnotsupporttheWindowsIdentity
FoundationC2WTSservicessoclaimstowindowstokendelegationscenariosarenot
possiblewiththisfarmconfiguration.
24
Configuring Kerberos authentication: Step-by-step configuration (SharePoint
Server 2010)
Note:
Thefarmconfigurationinthedemonstrationsisnotmeanttobeareference
architectureoranexampleofhowtodesignatopologyforproductionenvironments.
Forexample,thedemotopologyrunsallSharePointServer2010serviceapplicationson
asingleserverwhichcreatesasinglepointoffailurefortheseservices.Formore
informationonhowtodesignandbuildaproductionSharePointServerenvironment,
seeSharePoint Server 2010 Physical and Logical ArchitectureandTopologies for
SharePoint Server 2010.
25
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
ThescenariowalkthroughsassumethatallcomputersthatarerunningSharePoint
Serverandthedatasourcesusedinthescenariobelowresideinasingledomain.An
explanationandwalkthroughofmultidomain/multiforestconfigurationisnotcovered
inthisdocument.
Environment specification
AllcomputersinthedemonstrationenvironmentarevirtualizedrunningonWindows
Server2008R2HyperV.ThecomputersarejoinedtoasingleWindowsdomain,
vmlab.local,runninginWindowsServer2008ForestandDomainfunctionlevels.
ClientComputer
Windows7Professional,64bit
SharePointServerfrontendWebs
WindowsServer2008R2Enterprise,64bit
Services:
WebApplicationService
LoadbalancedwithWindowsNLB
SharePointServerApplicationServer
WindowsServer2008R2Enterprise,64bit
MicrosoftSharePointServer2010(RTM)
Services:
WIFClaimstoWindowsTokenService
ManagedMetadataService
SharePointIndex
SharePointQuery
ExcelServices
VisioGraphicsService
26
Configuring Kerberos authentication: Step-by-step configuration (SharePoint
Server 2010)
BusinessConnectivityServices
PerformancePointServices
SQLServices
WindowsSever2008R2Enterprise,64bit
MicrosoftSQLServer2008R2Enterprise,64bit
Active/PassiveConfiguration
SQLServerServices:
SQLDataEngine
SQLServerAnalysisServices
SQLAgent
SQLBrowser
SQLReportingServer
WindowsServer2008R2Enterprise,64bit(RTM)
MicrosoftSQL2008R2Enterprise,64bit(RTM)
MicrosoftSharePointServer2010(RTM)
WindowsNLB,Loadbalanced
ReportingServicesSharePointintegrationmode
ReportingServices,scaledoutmode
http://sp10CATheCentralAdministrationwebapplicationforthefarm.Scenario1
willnotwalkthroughtheconfigurationofthiswebapplication.
27
Configure Kerberos Authentication for SharePoint 2010 Products
http://portalandhttps://portalWebapplicationwithdemonstrationpublishing
portal.Itisusedtodemonstratehowtoconfiguredelegationforwebapplications
runningonstandardports(HTTP80,HTTPS443)
http://teams:5555Webapplicationwithdemonstrationteamsite.Itisusedto
demonstratehowtoconfiguredelegationforwebapplicationsrunningonnon
standardports,inthisexampleport5555.
28
Configuring Kerberos authentication: Step-by-step configuration (SharePoint
Server 2010)
SSL configuration
SomeofthewalkthroughscenarioswilluseSSLtodemonstratehowtoconfigure
delegationwithHTTPS.Itisassumedthatthecertificatesbeingusedcomefroma
trustedrootcertificateauthority,eitherinternalorpublic,oryouhaveconfiguredall
computerstotrustthecertificatesbeingused.Thedocumentwillnotcoverhowto
properlyconfigurecertificatetrustnorwillitprovideguidanceaboutdebuggingissues
relatedtoSSLcertificateinstallation.Itishighlyrecommendedtoreviewthesetopics
andtestyourSSLconfigurationbeforeconfiguringKerberosconstraineddelegationwith
SSLprotectedservices.Formoreinformationsee:
How to Set Up SSL on IIS 7: Configuring Security : Installing and Configuring IIS 7 :
The Official Microsoft IIS Site(http://go.microsoft.com/fwlink/?LinkID=193447)
Load balancing
LoadbalancingontheSharePointServerfrontendWebsandSQLServerReporting
ServicesserverswasimplementedbyusingWindowsServer2008NetworkLoad
Balancing(NLB).HowtoconfigureNLBandNLBbestpracticesarenotcoveredinthis
document.FormoreinformationonNLB,refertoOverview of Network Load Balancing.
SQL aliasing
ThefarmwasbuiltusingaSQLclientaliastoconnecttotheSQLcluster.Thisistypically
abestpracticeandwasdonetodemonstratehowKerberosauthenticationisconfigured
29
Configure Kerberos Authentication for SharePoint 2010 Products
whenSQLaliasingisused.Scenario2assumestheenvironmentisconfiguredinthis
manner,butitisnotrequiredtouseSQLaliasestocompleteanyofthescenariosbelow.
FormoreinformationonhowtoconfigureSQLaliasesseeHow to: Create a Server Alias
for Use by a Client (SQL Server Configuration Manager).
Advantages:
Theadministratorcancontrolthepermissionsofeachserviceinafinegrained
wayThisincludesdomainpermissions,localpermissionsandprivileges,delegation
rightsandothersettings.
BetterauditingandtraceabilityByensuringeachserviceleveragesitsown
identity,anadministratorcantracknetworkandsystemactivitybacktothespecific
servicebasedontheidentitycapturedinauditfiles.Forexample,ifaserveraudit
logshowslogonactivityforaparticularaccount,theaccountcouldbeusedtotrace
theactivitytoaparticularservice.
BettersecurityByleveragingseparateaccountsforeachservice,anadministrator
assuresthatifoneaccountiscompromiseditpotentiallylimitsthedamagedueto
thesecurityissuebecauseonlytheservicethatisusingthecompromisedaccountis
affected.Notethatifanyaccountbecomescompromised,aholisticsecurity
assessmentoftheentireenvironmentshouldbeperformedtodeterminethemost
appropriateactiontoaddressthesecurityissue.
Disadvantages:
IncreasedaccountmanagementcomplexityHavingmoreserviceaccounts
translatestomoreActiveDirectoryconfigurationandmorepasswordmanagement
policiestoenforce.
30
Configuring Kerberos authentication: Step-by-step configuration (SharePoint
Server 2010)
AdditionalconfigurationAsseeninthestepbystepguidebelow,oncea
SharePointServeradministratormakesthedecisiontoleveragealeastprivilege
model,thereareadditionalstepssheorhemustperformtoconfigurethe
environmentcorrectly.
IncreasedadministrationcomplexityTheprobabilityofmisconfigurationincreases
asthecomplexityoftheenvironmentincreases.Whenyouleveragemultiple
accounts,thereisachancethatcertainserviceswillbemisconfigured,whichcan
leadtofunctionalityissuesandtriageneededtocorrecttheissues.
BeawarethatusingseparateserviceaccountsisnotarequirementofSharePointServer
butageneralrecommendationforproductionenvironments.Thestepsintherestof
thispaperoutlinehowtoconfigureSharePointServerwhenyouareusingseparate
accounts;someofthesestepsmaynotapplywhenyouareusingsharedaccounts.
Allthescenariosassumeyouhaveyourwebapplicationsconfiguredforincomingclassic
authentication(Kerberos).Somescenariosbelowrequireclassicauthenticationandwill
notfunctionasdocumentedwithincomingclaimsauthentication.
GettheSharePointServerservicesworkingfirstwithoutdelegationtoensurethe
serviceapplicationsareconfiguredcorrectlybeforemovingontomorechallenging
configurationswithdelegation.
31
Configure Kerberos Authentication for SharePoint 2010 Products
Trytopayspecialattentiontoeachstepandavoidskippinganysteps
Workthroughscenario1andspendtimeusingthedebuggingtoolsmentionedin
thescenarioastheycanbeusedinotherscenariostotriageconfigurationissues.
Remembertoworkthroughscenario2.YoullneedacomputerrunningSQLServer
thatisconfiguredtoacceptKerberosauthenticationandwillrequirethetest
databasethatyousetupinthisscenarioforsomeofthelaterscenarios.
AlwaysdoublecheckSPNconfigurationineachscenariobyusingSetSPNXand
SetSPNQ.Seetheappendixformoreinformation.
AlwaysbesuretochecktheservereventlogsandULSlogswhenattemptingto
debugaconfigurationissue.Therearetypicallygoodpointersintheselogswhich
canquicklypointouttheissuesyouareencountering.
TurnupdiagnosticloggingforSharePointFoundation>ClaimsAuthenticationand
anyserviceapplicationsthatyouareattemptingtotriageifissuesoccur.
Rememberthateachscenariomaybeaffectedbyserviceapplicationcaching.Ifyou
makeconfigurationchangesbutdonotseechangesinplatformbehavior,try
restartingtheservicesapplicationpoolorwindowsservice.Ifthishasnoeffect,
sometimesasystemrebootwillhelp.
RememberthatKerberosticketsarecachedoncerequested.Ifyouareusingatool
likeNetMontoviewTGTandTGSrequests,youmayneedtoemptytheticketcache
ifyoudontseetherequesttrafficyouexpect.Scenario1,Configuring Kerberos
authentication: Core configuration (SharePoint Server 2010)explainshowtodothis
withtheKLISTandKerbTrayutilities.
RemembertorunNetMonwithAdministrativeprivilegestocaptureKerberos
traffic.
ForadvanceddebuggingscenariosyoumaywanttoturnonWIFtracingforthe
ClaimstoWindowsTokenServiceandWCFtracingfortheSharePointService
Applications(WCFservices).See:
WIF Tracing
Configuring Tracing
32
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
InthefirstscenarioyouwillconfiguretwoSharePointServer2010webapplicationsto
usetheKerberosprotocolforauthenticatingincomingclientrequests.For
demonstrationpurposes,onewebapplicationwillbeconfiguredtousestandardports
(80/443)andtheotherwilluseanondefaultport(5555).Thisscenariowillbethebasis
ofallthefollowingscenarioswhichassumetheactivitiesbelowhavebeencompleted.
Important:
ItisarequirementtoconfigureyourwebapplicationswithclassicWindows
authenticationusingKerberosauthenticationtoensurethatthescenariosworkas
expected.WindowsClaimsauthenticationcanbeusedinsomescenariosbutmaynot
producetheresultsdetailedinthescenariosbelow.
Note:
IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Inthisscenarioyoudothefollowingthings:
ConfiguretwowebapplicationswithdefaultzonesthatusetheKerberosprotocol
forauthentication
Createtwotestsitecollections,oneineachwebapplication
VerifytheIISconfigurationofthewebapplication
33
Configure Kerberos Authentication for SharePoint 2010 Products
Verifythatclientscanauthenticatewiththewebapplicationandensurethatthe
Kerberosprotocolisusedforauthentication
ConfiguretheRSSViewerwebparttodisplayRSSfeedsinalocalandremoteweb
application
Crawleachwebapplicationandtestsearchingcontentineachtestsitecollection
Configuration checklist
AreaofConfiguration Description
DNS RegisteraDNSARecordforthewebapplicationsnetworked
loadedbalanced(NLB)virtualIP(VIP)
ActiveDirectory CreateaserviceaccountsforthewebapplicationsIIS
applicationpool
RegisterServicePrincipalNames(SPN)fortheweb
applicationsontheserviceaccountcreatedfortheweb
applicationsIISapplicationpool
ConfigureKerberosconstraineddelegationforservice
accounts
SharePointWebAppCreateSharePointServermanagedaccounts
CreatetheSharePointSearchServiceApplication
CreatetheSharePointwebapplications
IIS ValidatethatKerberosauthenticationisEnabled
VerifyKernelmodeauthenticationisdisabled
InstallcertificatesforSSL
Windows7Client EnsurewebapplicationURLsareintheintranetzone,ora
zoneconfiguredtoautomaticallyauthenticatewith
integratedWindowsauthentication
Firewall OpenfirewallportstoallowHTTPtrafficinondefaultand
34
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
AreaofConfiguration Description
Configuration nondefaultports
EnsureclientscanconnecttoKerberosPortsontheActive
Directory
TestBrowser Verifyauthenticationworkscorrectlyinthebrowser
Authentication
VerifyLogoninformationonthewebserverssecurityevent
log
UsethirdpartytoolstoconfirmKerberosauthenticationis
configuredcorrectly
TestSharePoint Verifybrowseraccessfromtheindexserver(s)
ServerSearchIndex
andQuery Uploadsamplecontentandperformacrawl
Testsearch
TestWFEDelegation ConfigureRSSFeedsourcesoneachsitecollection
AddRSSviewwebpartstothehomepageofeachsite
collection
35
Configure Kerberos Authentication for SharePoint 2010 Products
http://teams:5555ConfigureanewDNSARecordforthefortheteam'sweb
application
36
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Note:
ItisimportanttoensuretheDNSentriesareARecordsandnotCNAMEaliasesfor
Kerberosauthenticationtoworksuccessfullyinenvironmentswithmorethanoneweb
applicationrunningwithhostheadersandseparatededicatedserviceaccounts.See
Kerberos configuration known issues (SharePoint Server 2010)foranexplanationofthe
knownissuewithusingCNAMEwithKerberosenabledwebapplications.
http://portal vmlab\svcPortal10App
http://teams:5555 vmlab\svcTeams10App
UseSetSPN,acommandlinetoolinWindowsServer2008,toconfigureanewservice
principalname.ForafullexplanationofhowtouseSetSPN,seeSetspn.Tolearnabout
SetSPNimprovementsinWindowsServer2008,seeCare, Share and Grow! : New
features in SETSPN.EXE on Windows Server 2008.
37
Configure Kerberos Authentication for SharePoint 2010 Products
AllSharePointServerwebapplications,regardlessofportnumber,usethefollowing
SPNformat:
HTTP/<DNSHOSTname>
HTTP/<DNSFQDN>
Example:
HTTP/portal
HTTP/portal.vmlab.local
ForWebapplicationsrunningonnondefaultports(portsotherthan80/443)register
additionalSPNswithportnumber:
HTTP/<DNSHostName>:<port>
HTTP/<DNSFQDN>:<port>
Example:
HTTP/teams:5555
HTTP/teams.vmlab.local:5555
Note:
SeetheappendixforanexplanationofwhyitisrecommendedtoconfigureSPNswith
andwithoutportnumberforHTTPservicesrunningonnondefaultports(80,443).
TechnicallythecorrectwaytorefertoaHTTPservicethatrunsonanondefaultportis
toincludetheportnumberintheSPNbutbecauseofknownissuesdescribedinthe
appendixweneedtoconfigureSPNswithoutportaswell.NotethattheSPNswithout
portfortheteamswebapplicationdoesnotmeanserviceswillbeaccessedusingthe
defaultports(80,443)inourexample.
Inourexampleweconfiguredthefollowingserviceprincipalnamesforthetwo
accountswecreatedinthepreviousstep:
38
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
HTTP/portal.vmlab.local
HTTP/Teams.vmlab.local
HTTP/Teams:5555
HTTP/Teams.vmlab.local:5555
Tocreatetheserviceprincipalnamesthefollowingcommandswereexecuted:
SetSPNSHTTP/Portalvmlab\svcportal10App
SetSPNSHTTP/Portal.vmlab.localvmlab\svcportal10App
SetSPNSHTTP/Teamsvmlab\svcTeams10App
SetSPNSHTTP/Teams.vmlab.localvmlab\svcTeams10App
SetSPNSHTTP/Teams:5555vmlab\svcTeams10App
SetSPNSHTTP/Teams.vmlab.local:5555vmlab\svcTeams10App
Important:
DonotconfigureserviceprincipalnameswithHTTPSevenifthewebapplicationuses
SSL.
Inourexampleweusedanewcommandlineswitch,S,introducedinWindowsServer
2008thatchecksfortheexistenceoftheSPNbeforecreatingtheSPNontheaccount.If
theSPNalreadyexists,thenewSPNisnotcreatedandyouseeanerrormessage.
39
Configure Kerberos Authentication for SharePoint 2010 Products
IfduplicateSPNsarefound,youhavetoresolvetheissuebyeitherusingadifferentDNS
nameforthewebapplication,therebychangingtheSPN,orbyremovingtheexisting
SPNfromtheaccountitwasdiscoveredon.
Important:
BeforedeletinganexistingSPN,besureitisnolongerneeded,otherwiseyoumaybreak
Kerberosauthenticationforanotherapplicationinyourenvironment.
InthisscenariowewillconfigureKerberosconstraineddelegationtoallowtheRSSview
webparttoreadasecuredlocalRSSfeedandsecuredremoteRSSfeedfromaremote
40
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
webapplication.InlaterscenarioswewillconfigureKerberosconstraineddelegationfor
otherSharePointServer2010serviceapplications.
Thefollowingdiagramconceptuallydescribeswhatwillbeconfiguredinthisscenario:
Wehavetwowebapplications,eachwiththeirownsitecollectionwithasitepage
hosingtwoRSSviewerwebparts.Thewebapplicationseachhaveasingledefaultzone
configuredtouseKerberosauthenticationsoallfeedscomingfromthesewebsiteswill
requireauthentication.IneachsiteoneRSSviewerwillbeconfiguredtoreadalocalRSS
feedfromalistandtheotherwillbeconfiguredtoreadanauthenticationfeedinthe
remotesite.
Toaccomplishthis,Kerberosconstraineddelegationwillbeconfiguredtoallow
delegationbetweentheIISapplicationpoolserviceaccounts.Thefollowingdiagram
conceptuallydescribestheconstraineddelegationpathsneeded:
41
Configure Kerberos Authentication for SharePoint 2010 Products
RememberthatweidentifythewebapplicationbyservicenameusingtheService
PrincipalName(SPN)assignedtotheidentityoftheIISapplicationpool.Theservice
accountsprocessingrequestsmustbeallowedtodelegatetheclientidentitytothe
designatedservices.Alltogetherwehavethefollowingconstraineddelegationpathsto
configure:
HTTP/Portal.vmlab.local
HTTP/Teams
HTTP/Teams.vmlab.local
HTTP/Teams:5555
HTTP/Teams.vmlab.local:5555
42
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
HTTP/Portal.vmlab.local
HTTP/Teams
HTTP/Teams.vmlab.local
HTTP/Teams:5555
HTTP/Teams.vmlab.local:5555
Note:
Itmayseemredundanttoconfiguredelegationfromaservicetoitself,suchasthe
portalserviceaccountdelegatingtotheportalserviceapplication,butthisisrequiredin
scenarioswhereyouhavemultipleserversrunningtheservice.Thisistoaddressthe
scenariowhereoneservermayneedtodelegatetoanotherserverrunningthesame
service;forinstanceaWFEprocessingarequestwithaRSSviewerwhichusesthelocal
webapplicationasthedatasource.Dependingonfarmtopologyandconfiguration
thereisapossibilitythattheRSSrequestmaybeservicedbyadifferentserverwhich
wouldrequiredelegationtoworkcorrectly.
ToconfiguredelegationyoucanusetheActiveDirectoryUsersandComputersnapin.
Rightclickeachserviceaccountandopenthepropertiesdialog.Inthedialogyouwill
seeatabfordelegation(notethatthistabonlyappearsiftheobjecthasanSPN
assignedtoit;computershaveanSPNbydefault).Onthedelegationtab,selectTrust
thisuserfordelegationtospecifiedservicesonly,thenselectUseanyauthentication
protocol.
43
Configure Kerberos Authentication for SharePoint 2010 Products
ClicktheAddbuttontoaddtheservicestheuser(serviceaccount)willbeallowedto
delegateto.ToselectaSPN,youwilllookuptheobjecttheSPNisappliedto.Inour
instance,wearetryingtodelegatetoaHTTPservicewhichmeanswesearchforthe
serviceaccountoftheIISapplicationpoolthattheSPNwasassignedtointheprevious
step.
44
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
OntheSelectUsersorComputersdialogbox,clickUsersandComputers,searchforthe
IISapplicationpoolserviceaccounts(inourexamplevmlab\svcPortal10Appand
vmlab\svcTeams10AppandthenclickOK:
Youwillthenbepromptedtoselecttheservicesassignedtotheobjectsbyservice
principalname.
45
Configure Kerberos Authentication for SharePoint 2010 Products
OntheAddServicesdialogbox,clickSelectAllthenclickOK.Notethatwhenyoureturn
tothedelegationdialogyoudonotactuallyseealltheSPNsselected.ToseeallSPNs,
checktheExpandedcheckboxinthelowerlefthandcorner.
46
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Performthesestepsforeachserviceaccountinyourenvironmentthatrequires
delegation.Inourexamplethisistheserviceaccountslist
47
Configure Kerberos Authentication for SharePoint 2010 Products
SharePointServeriscompleteatthispointandthefarmtopologyandsupporting
infrastructure,forinstanceloadbalancing,isconfigured.Formoreinformationabout
howtoinstallandconfigureyourSharePointfarm,see:Deployment for SharePoint
Server 2010.
Toconfigureamanagedaccount
1. InSharePointCentralAdministration,clickSecurity.
2. UnderGeneralSecurityclickConfiguremanagedaccounts:
3. ClickRegisterManagedAccountandcreateamanagedaccountforeachservice
account.Inthisexamplewecreatedfivemanagedserviceaccounts:
Account Purpose
VMLAB\svcSP10Search SharePointSearchServiceAccount
VMLAB\svcSearchAdmin SharePointSearchAdministrationServiceAccount
48
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Account Purpose
VMLAB\svcSearchQuery SharePointSearchQueryServiceAccount
VMLAB\svcPortal10App PortalWebAppIISApplicationPoolAccount
VMLAB\svcTeams10App TeamsWebAppIISApplicationPoolAccount
Note:
ManagedaccountsinSharePointServer2010arenotthesameasmanaged
serviceaccountsinWindowsServer2008R2ActiveDirectory.
Note:
TheplacementofallSearchServicesonasingleapplicationserverisfordemonstration
purposesonly.AcompletediscussionaboutSharePointServer2010SearchTopology
optionsandbestpracticesisoutofscopeforthisdocument.
SelectClassicModeAuthentication.
Configuretheportandhostheaderforeachwebapplication.
49
Configure Kerberos Authentication for SharePoint 2010 Products
SelectNegotiateastheAuthenticationProvider.
Underapplicationpool,selectCreatenewapplicationpoolandselectthemanaged
accountcreatedinthepreviousstep.
Inthisexample,twowebapplicationswerecreatedwiththefollowingsettings:
Port:80 Port:80
HostHeader:Portal HostHeader:Teams
UseSecureSocketLayer:No UseSecureSocketLayer:No
ApplicationPoolName:SharePointPortal80 Name:SharePointTeams5555
SecurityAccount: SecurityAccount:
vmlab\svcPortal10App vmlab\svcTeams10App
Whencreatingthenewwebapplicationyouarealsocreateanewzone,thedefault
zone,configuredtousetheWindowsauthenticationprovider.Youcanseetheprovider
anditssettingsforthezoneinwebapplicationmanagementbyfirstselectingtheweb
application,thenclickingAuthenticationProvidersinthetoolbar.Theauthentication
providersdialogboxlistsallthezonesfortheselectedwebapplicationalongwiththe
authenticationproviderforeachzone.Byselectingthezone,youwillseethe
authenticationoptionsforthatzone.
50
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Theauthenticationprovidersdialogwilllistallthezonesfortheselectedweb
applicationalongwiththeauthenticationproviderforeachzone:
Byselectingthezone,youwillseetheauthenticationoptionsforthatzone:
51
Configure Kerberos Authentication for SharePoint 2010 Products
IfyoumisconfiguredtheWindowssettingsandselectedNTLMwhentheweb
applicationwascreated,youcanusetheeditauthenticationdialogforthezoneto
switchthezonefromNTLMtoNegotiate.Ifclassicmodewasnotselectedasthe
authenticationmode,youmusteithercreateanewzonebyextendingtheweb
applicationtoanewIISwebsiteordeleteandrecreatethewebapplication.
52
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Forthisexample,twositecollectionswereconfigured:
http://portal / PublishingPortal
http://teams:5555 / TeamSite
Toconfigurealternateaccessmappings
1. InCentralAdministration,clickApplicationManagement.
2. UnderWebApplicationsclickconfigurealternateaccessmappings.
53
Configure Kerberos Authentication for SharePoint 2010 Products
3. IntheSelectAlternateAccessMappingCollectiondropdown,selecttheChange
AlternateAccessMappingCollection.
4. Selecttheportalwebapplication.
5. ClickEditPublicUrlsinthetoptoolbar.
6. Inafreezone,addthehttpsURLforthewebapplication.ThisURLwillbethename
ontheSSLcertificateyouwillcreateinthenextsteps.
7. ClickSave.
YoushouldnowseetheHTTPSURLinthezonelistforthewebapplication.
54
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
IIS configuration
ToverifythatKerberosauthenticationisenabledonthewebsite
1. OpenIISmanager.
2. SelecttheIISwebsitetoverify.
3. InFeaturesView,underIIS,doubleclickAuthentication.
55
Configure Kerberos Authentication for SharePoint 2010 Products
4. SelectWindowsAuthenticationwhichshouldbeenabled.
5. OntherighthandsideunderActions,selectProviders.VerifyNegotiateisatthetop
ofthelist.
56
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Toverifythatkernelmodeauthenticationisdisabled
1. OpenIISmanager.
2. SelecttheIISwebsitetoverify.
3. InFeaturesView,underIIS,doubleclickAuthentication.
4. SelectWindowsAuthentication,whichshouldbeenabled.
5. ClickAdvancedSettings.
6. VerifybothEAPandKernelModeAuthenticationaredisabled.
57
Configure Kerberos Authentication for SharePoint 2010 Products
WorldWideWebServices(HTTPTrafficIn)
WorldWideWebServices(HTTPSTrafficIn)
58
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Makesuretheappropriateportsareopeninyourenvironment.Inourexample,we
accessSharePointServeroverHTTP(port80),sothisrulewasenabled.
Inaddition,wehavetoopenthenondefaultportusedinourexample(TCP5555).If
youhavewebsitesrunningonnondefaultports,youalsohavetoconfigurecustom
rulestoallowHTTPtrafficonthoseports.
KerberosKeyDistributionCenterPCR(TCPIn)
KerberosKeyDistributionCenterPCR(UDPIn)
KerberosKeyDistributionCenter(TCPIn)
KerberosKeyDistributionCenter(UDPIn)
Inyourenvironmentensuretheserulesareenabledandthatclientscanconnecttothe
KDC(domaincontroller)overport88.
1. ThetestuserisloggedintoaWindowsXP,Vista,orWindows7computerjoinedto
thedomainthatSharePointServerisinstalledin,orisloggedintoadomaintrusted
bytheSharePointServerdomain.
59
Configure Kerberos Authentication for SharePoint 2010 Products
2. ThetestuserisusingInternetExplorer7.0orlater(InternetExplorer6.0isno
longersupportedinSharePointServer2010;seePlan browser support (SharePoint
Server 2010)).
3. IntegratedWindowsauthenticationisenabledinthebrowser.UnderInternet
OptionsintheAdvancedtab,makesureEnableIntegratedWindows
Authentication*isenabledintheSecuritysection:
4. Localintranetisconfiguredtoautomaticallylogonclients.UnderInternetexplorer
option,intheSecuritytab,selectLocalIntranetandclicktheCustomlevelbutton.
ScrolldownandmakesurethatAutomaticlogononlyinIntranetzoneisselected.
60
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
ScrolldownandmakesureAutomaticlogononlyinIntranetzoneisselected:
61
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
ItispossibletoconfigureautomaticlogononotherzonesbutthetopicofIEsecurity
zonesbestpracticesitoutsidethescopeofthispaper.Forthisdemonstrationthe
intranetzonewillbeusedforalltests.
5. EnsurethatAutomaticallydetectintranetnetworkisselectedinInternetoptions
>Security>IntranetZone>Sites.
62
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
6. IfyouareusingfullyqualifieddomainnamestoaccesstheSharePointServerweb
applications,ensurethattheFQDNsareincludedintheintranetzone,either
explicitlyorbywildcardinclusion(forexample,*.vmlab.local).
63
Configure Kerberos Authentication for SharePoint 2010 Products
TheeasiestwaytodetermineifKerberosauthenticationisbeingusedisbylogginginto
atestworkstationandnavigatingtothewebsiteinquestion.Iftheuserisntprompted
forcredentialsandthesiteisrenderedcorrectly,youcanassumeIntegratedWindows
authenticationisworking.Thenextstepistodetermineifthenegotiateprotocolwas
usedtonegotiateKerberosauthenticationastheauthenticationproviderforthe
request.Thiscanbedoneinthefollowingways:
64
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
InthegeneralinformationfortheseeventsyoushouldseethesecurityIDbeinglogged
ontothecomputerandtheLogonProcessused,whichshouldbeKerberos.
KList
KListisacommandlineutilityincludedinthedefaultinstallationofWindowsServer
2008andWindowsServer2008R2whichcanbeusedtolistandpurgeKerberostickets
65
Configure Kerberos Authentication for SharePoint 2010 Products
onagivencomputer.TorunKLIST,openacommandpromptinWindowsServer2008
andtypeKlist.
Ifyouwanttopurgetheticketcache,runKlistwiththeoptionalpurgeparameter:Klist
purge
KerbTray
KerbTrayisafreeutilityincludedwiththeWindowsServer2000ResourceKitToolthat
canbeinstalledonyourclientcomputertoviewtheKerberosticketcache.Download
andinstallfromWindows 2000 Resource Kit Tool: Kerbtray.exe.Onceyouhaveit
installed,performthefollowingactions:
1. NavigatetothewebsitesthatuseKerberosAuthentication.
2. RunKerbTray.exe.
3. ViewtheKerberosTicketcachebyrightclickingonthekerbtrayiconinthesystem
trayandselectingListTickets.
66
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
4. Validatetheserviceticketsforthewebapplicationsyouauthenticatedareinthelist
ofcachedtickets.Inourexamplewenavigatedtothefollowingwebsiteswhich
havethefollowingSPNsregistered:
WebSiteURL SPN
http://portal HTTP/Portal.vmlab.local
http://teams:5555 HTTP/Teams.vmlab.local
67
Configure Kerberos Authentication for SharePoint 2010 Products
68
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Fiddler
FiddlerisafreeHTTPtrafficanalyzerthatcanbedownloadedfromthefollowing
location:http://www.fiddlertool.com/.Infiddleryouwillseetheclientandserver
negotiateKerberosauthenticationandyouwillbeabletoseetheclientsendthe
KerberosServiceTicketstotheserverintheHTTPheadersofeachrequest.Tovalidate
thatKerberosauthenticationisworkingcorrectlyusingfiddlerperformthefollowing
actions:
1. DownloadandinstallFiddler(www.fiddlertool.com)ontheclientcomputer.
2. Logoutofthedesktopandlogbackintoflushanycachedconnectionstotheweb
serverandforcethebrowsertonegotiateKerberosauthenticationandperformthe
authenticationhandshake.
3. StartFiddler.
4. OpenInternetExplorerandbrowsetothewebapplication(http://portalinour
example).
YoushouldseetherequestsandresponsestotheSharePointServerfrontendwebin
Fiddler.
ThefirstHTTP401isthebrowserattempttodotheGETrequestwithoutauthentication.
69
Configure Kerberos Authentication for SharePoint 2010 Products
Inresponse,theserversendsbackan"HTTP401unauthorized"andinthisresponse
indicateswhatauthenticationmethodsitsupports:
Inthenextrequest,theclientresendsthepreviousrequest,butthistimesendsthe
serviceticketforthewebapplicationintheheadersoftherequest:
70
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
IfyouselecttheAuthviewwithintheFiddlerinspectorwindowyouwillalsoseethe
KerberosticketintherequestandtheKerberosresponse:
71
Configure Kerberos Authentication for SharePoint 2010 Products
Ifauthenticatedsuccessfully,theserverwillsendbacktherequestedresource.
NetMon 3.4
NetMon3.4isafreenetworkpacketanalyzerfromMicrosoftthatcanbedownloaded
fromtheMicrosoftDownloadCenter:Microsoft Network Monitor 3.4.
InNetMonyouseeallTCPrequestandresponsestotheKDCandtheSharePointServer
webservers,givingyouacompleteviewoftrafficthatmakesupacomplete
authenticationrequest.TovalidatethatKerberosauthenticationisworkingbyusing
netmon,performthefollowingactions:
72
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
2. LogoutoftheclientthenlogbackintoflushtheKerberosticketcache.Optionally
youcanuseKerbTraytopurgetheticketcachebyrightclickingonKerbTrayand
selectingPurgeTickets.
3. StartNetMoninadministratormode.RightclicktheNetMonshortcut,andselect
RunasAdministrator.
4. Startanewcaptureontheinterfacesthatconnecttotheactivedirectorycontroller
inyourenvironmentandthewebfrontends.
5. Openinternetexplorerandbrowsetothewebapplication.
6. Afterthewebsiterenders,stopthecaptureandaddadisplayfiltertoshowthe
framesforKerberosauthenticationandHTTPtraffic.
7. IntheframeswindowyoushouldseebothHTTPandKerberosV5traffic.
73
Configure Kerberos Authentication for SharePoint 2010 Products
a. Thefirsttwoframesaretheoriginalrequest/responsewheretheclient
andservernegotiatetheuseofKerberosforauthentication
b. ThefollowingKerberosV5framesaretheclientrequestsforTicket
GrantingTicketfortheVMLAL.LocalRealmandtheKerberosservice
ticketsfortheSPNHTTP/portal.VMLAB.local
c. FinallythelastHTTPframesaretheclientusingtheserviceticketsto
authenticatewiththewebserverandtheserversuccessfully
authenticatingtheclientandreturningtheresponse
1. Eitherlogoutandthenreloginintotheclientcomputer,orclearallcachedKerberos
ticketsbyusingKerbTray.
2. StartanewNetMoncaptureontheclientcomputer.BesuretostartNetMonwith
administratorpermissions.
3. BrowsetothewebapplicationbyusingSSL(inthisexample,https://portal.)
4. StoptheNetMoncaptureandexaminetheKerberosV5traffic.Forinstructionson
howtofilterthecapturedisplay,seetheinstructionsintheNetMon 3.4sectionof
thisarticle.
5. LookfortheTGSrequesttheclientsends.IntherequestyouwillseetheSPN
requestedinthe"Sname"parameter.
74
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Notethatthe"Sname"isHTTP/portal.vmlab.localandnotHTTPS/portal.vmlab.local.
Next,browsetoSharePointCentralAdministrationandstartafullcrawlontheLocal
SharePointSitescontentsource(whichshouldcontainthetwotestsitecollectionsby
default).
75
Configure Kerberos Authentication for SharePoint 2010 Products
Test search
Ifindexingcompletedsuccessfully,youshouldseesearchableitemsinyourindexandno
errorsinthecrawllog.
76
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Note:IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperforminga
crawlontheprofilestorebesuretoconfiguretheappropriatepermissionsontheUPA
toallowthecontentaccessaccounttoaccessprofiledata.Ifyouhavenotconfigured
theUPApermissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawler
couldnotaccesstheprofileservicebecauseitreceivedanHTTP401whentryingto
accesstheservice.The401returnedisnotduetoKerberos,butinsteadisduetothe
contentaccessaccountnothavingpermissionstoreadprofiledata.
Note:
IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperformingacrawlon
theprofilestore,besuretoconfiguretheappropriatepermissionsontheUPAtoallow
thecontentaccessaccounttoaccessprofiledata.IfyouhavenotconfiguredtheUPA
permissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawlercouldnot
accesstheprofileservicebecauseitreceivedanHTTP401whentryingtoaccessthe
service.The401returnedisnotduetoKerberos,butinsteadisduetothecontent
accessaccountnothavingpermissionstoreadprofiledata.
Next,browsetoeachsitecollectionandperformasearchfortheseeddocument.Each
sitecollectionssearchqueryshouldreturntheseeddocumentuploaded.
77
Configure Kerberos Authentication for SharePoint 2010 Products
OnceRSSfeedsareenabled,createanewcustomlistandaddalistitemfortesting
purposes.NavigatetotheListtoolbarmenuandclickRSSFeedtoviewtheRSSfeed.
CopythefeedURLtouseitinthefollowingsteps.
78
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Performthisstepforeachsitecollection.
Add RSS view web parts to the home page of each site collection
OntheportalapplicationyoullneedtoenabletheSharePointEnterpriseFeaturessite
collectionfeaturetousetheRSSviewerwebpart.OnceenabledaddtwoRSSviewer
webpartstothehomepage.Forthefirstwebpart,configurethefeedURLtopointat
thelocalRSSfeedyoucreatedinthepreviousstep.Forthesecondwebpart,configure
thefeedURLtopointattheremotefeedURL.Whencompleted,youshouldseeboth
webpartssuccessfullyrenderingcontentfromthelocalandremoteRSSfeeds.
79
Configure Kerberos Authentication for SharePoint 2010 Products
80
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
InthisscenariowewalkthroughtheprocessofconfiguringKerberosauthenticationfor
theSQLServerclusterinoursampleenvironment.Oncethatprocessiscomplete,we
validatethatSharePointServerservicesareauthenticatedwiththeclusterbyusingthe
Kerberosprotocol.
Inthisscenario,youdothefollowingthings:
ConfigureanexistingSQLServer2008R2clustertouseKerberosauthentication
VerifythattheclientcanauthenticatewiththeclusterbyusingKerberos
authentication
Createatestdatabaseandsampledatatobeusedinlaterscenarios
81
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
ItisnotrequiredtouseKerberosauthenticationforSQLServerforcoreSharePoint
Serverdataservices(forexample,connectionstoplatformdatabases).Thesample
environmenthasasoleSQLServerclusterthathostsadditionalsampledatabasesused
inlaterscenarios.Fordelegationtoworkcorrectlyinthesescenarios,theSQLServer
clustermustacceptKerberosauthenticatedconnection.
Note:
IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Configuration checklist
Areaofconfiguration Description
ConfigureDNS CreateDNS(A)hostrecordsfortheSQLServerclusterIP
ConfigureActive CreateServicePrincipalNames(SPNs)fortheSQLServer
Directory service
VerifySQLServer UseSQLServerManagementStudiotoquerySQLconnection
Kerberosconfiguration metadatatoensuretheKerberosauthenticationprotocolis
used
82
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
vmSQL2k8r201
DefaultInstance
LocalSQLClientAlias: DNS(A): Port:1433
SPFarmSQL MySQLCluster.vmlab.local
ClusterIP:
192.168.8.135 vmSQL2k8r202
SharePoint
SQLCluster
ThisscenariodemonstratesaSharePointServerfarmconfiguredtouseaSQLaliasfora
connectiontoaSQLServerclusterthatisconfiguredtouseKerberosauthentication.
Inthisexample,weconfiguredaDNS(A)recordfortheSQLServercluster.
83
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
Technically,becauseSQLServerSPNsincludeaninstancename(ifyouareusingthe
secondnamedinstanceonthesamecomputer),youcanregistertheDNShostforthe
clusterasaCNAMEaliasandavoidtheCNAMEissuedescribedinAppendixA,Kerberos
configuration known issues (SharePoint Server 2010).However,ifyouchoosetouse
CNAMEs,youhavetoregisteranSPNusingtheDNS(A)recordhostnametheCNAME
aliases.
84
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
MSSQLSvc/<FQDN>:port
FormoreinformationaboutregisteringSPNsforSQLServer2008,seeRegistering a
Service Principal Name.
Inourexample,weconfiguredtheSQLServerSPNontheSQLServerdatabaseengine
serviceaccount(vmlab\svcSQL)withthefollowingSetSPNcommand:
SetSPNSMSSQLSVC/MySQLCluster.vmlab.local:1433vmlab\svcSQL
An SPN for the SQL Server Browser service is required when you establish a
connection to a named instance of SQL Server 2005 Analysis Services or of SQL
Server 2005
SQL aliases
Asabestpractice,whenbuildingyourfarmyoushouldconsiderusingSQLaliasesfor
connectionstoyourSQLServercomputer.IfyouchoosetouseSQLaliases,theKerberos
SPNformatforthoseconnectionsdoesnotchange.Youcontinuetousetheregistered
DNShostname(Arecord)intheSPNforSQLServer.Forexample,ifyouregisteranalias
"SPFARMSQL"for"MySQLCluster.vmlab.local"theSPNwhenyouareconnectingto
SPFarmSQLremains"MSSQLSVC/MySQLCluster.vmlab.local:1433".
Toverifytheclusterconfiguration
1. RebootthecomputersthatarerunningSharePointServerThisactionrestartsall
servicesandforcesthemtoreconnectandreauthenticatebyusingKerberos
authentication.
85
Configure Kerberos Authentication for SharePoint 2010 Products
2. OpenSQLServerManagementStudioandrunthefollowingquery:
Select
s.session_id,
s.login_name,
s.host_name,
c.auth_scheme
from
sys.dm_exec_connections c
innerjoin
sys.dm_exec_sessions s
on c.session_id = s.session_id
Thequeryreturnsmetadataabouteachsessionandconnection.Thesessiondata
helpsidentifytheconnectionsource,andthesessioninformationrevealsthe
authenticationschemefortheconnection.
3. VerifythattheSharePointServerservicesareauthenticatingbyusingKerberos
authentication:
4. .IfKerberosauthenticationisconfiguredcorrectly,youseeKerberosinthe
auth_schemecolumnofthequeryresults.
86
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
1. InSQLServerManagementStudio,createanewdatabasecalled"Test".Keepthe
defaultsettingswhencreatingthisdatabase.
2. IntheTestdatabase,createanewtablewiththefollowingschema:
Region nvarchar(10) No
Year nvarchar(4) No
Amount money No
RowId int No
3. Savethetablewiththename"Sales".
4. InManagementStudio,populatethetablewithtestdata.Thedataitselfdoesnot
matteranddoesnotaffectthefunctionoflaterscenarios.Afewrowsofdatawill
suffice.Intheexampleenvironmentwepopulatedthetablewiththefollowingdata:
87
Configure Kerberos Authentication for SharePoint 2010 Products
88
Kerberos authentication for SQL Server Analysis Services (SharePoint Server
2010)
Inthisscenarioyoudothefollowingthings:
ConfigureAnalysisServiceinstancesintheSQLServer2008R2clustertouse
Kerberosauthentication
VerifythattheclientcanauthenticatewiththeclusterbyusingKerberos
authentication
EnablingKerberosauthenticationforSQLServerAnalysisServicesissimilartoSQL
Server
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Configuration checklist
Areaofconfiguration Description
ConfigureActiveDirectory CreateServicePrincipalNames(SPNs)forthe
AnalysisServicesinstance
VerifySQLKerberos ConnecttotheAnalysisServicesinstanceinExcel
89
Configure Kerberos Authentication for SharePoint 2010 Products
Areaofconfiguration Description
Configuration 2010
MSOLAPSvc.3/<FQDN>
IfyouareusinganamedinstanceofAnalysisServices,notethatyoucannotspecifya
portafterthecolon.Ifyoudo,itisinterpretedaspartofthehostnameordomainname.
Instead,youmustusetheactualinstancenameforallfunctionalitytoworkcorrectly.
MSOLAPSvc.3/<FQDN>:instanceName
FormoreinformationaboutregisteringSPNsforSQLServer2008,see
http://support.microsoft.com/kb/917409.
ThisscenarioassumesadefaultAnalysisServicesinstance.Wewillconfigurethe
AnalysisServicesSPNontheAnalysisServicesserviceaccount(vmlab\svcSQLAS)with
thefollowingSetSPNcommand:
SetSPNSMSOLAPSvc.3/MySQLCluster.vmlab.localvmlab\svcSQLAS
90
Kerberos authentication for SQL Server Analysis Services (SharePoint Server
2010)
An SPN for the SQL Server Browser service is required when you establish a
connection to a named instance of SQL Server 2005 Analysis Services or of SQL
Server 2005
1. OpenExcel2010ontheclientcomputerbyusingadomainaccountthathasaccess
toatleastonedatabaseintheAnalysisServicesinstanceandopenadata
connectiontoyourAnalysisServicesinstancebyselectingtheDatatab,clicking
FromOtherSources,andthenclickingFromAnalysisServices.
2. IntheDataConnectionWizard,typeMySQLClusterintheServernamebox,then
clickNext.IfKerberosauthenticationisworking,thenyoucanseeallthedatabases
thatyoualreadyhavethepermissiontosee.
91
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
TousetheAdventureWorks2008R2sampledatabases,downloadfromMicrosoft SQL
Server Community Projects & Samplesandfollowtheinstallationinstructions.
3. Opentheeventvieweronthedatabaseserver(vmsql2k8r201).Youshouldnowbe
abletoseeanauditsuccessinthesecuritylogsimilartotheoneyouseeinthe
verificationstepsforScenario2,Kerberos authentication for SQL OLTP (SharePoint
Server 2010).
92
Kerberos authentication for SQL Server Analysis Services (SharePoint Server
2010)
93
Configure Kerberos Authentication for SharePoint 2010 Products
InthisscenarioyouconfigureapairofloadbalancedSQLServerReportingServices
(SSRS)serversinascaledoutconfigurationrunninginSharePointintegratedmode.The
serversareconfiguredtoacceptKerberosauthenticationandtheydelegate
authenticationtoabackendSQLServercluster.
Inthisscenario,theSharePointServerfarmandReportingServicesdatasourceareboth
inthesamedomain;thereforeinthisscenarioweconfigureKerberosconstrained
delegationtoallowidentitydelegationtothebackenddatasource.Ifyouarerequired
toauthenticatewithdatasourcesinotherdomainswithinthesameforest,youhaveto
configurebasic(unconstrained)Kerberosdelegation.RememberthatReportingServices
doesnotleveragetheC2WTSandthereforecanusebasicdelegation.
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Scenario dependencies
Scenario1:Core Configuration
Configuration checklist
Areaofconfiguration Description
ActiveDirectory CreateSSRSserviceaccount
ConfigureKerberosconstraineddelegation
SQLServerReporting InstallandconfigureSSRSinloadbalanced,scaleoutmode
Services
ModifyWeb.Config
ModifyReportingServer.config
ConfigureSharePoint ConfigureReportingServicesintegration
Server
Addareportservertotheintegration
Setserverdefaults
Verifyconfiguration Createadocumentlibraryforreports
ConfiguresitecollectionsettingforReportingServices
CreateandpublishatestreportinSQLServerBusiness
IntelligenceStudio
ViewthetestreportinInternetExplorer
95
Configure Kerberos Authentication for SharePoint 2010 Products
Inthisscenario,theInternetInformationServices(IIS)applicationpoolserviceaccounts
areconfiguredtodelegatetotheSQLServerReportingServices(SSRS)service.TheSSRS
serviceaccountisconfiguredtodelegatecredentialstotheSQLServerservice.Note
thatSQLServerReportingServicesinSharePointintegratedmodedoesnotleverage
intrafarmClaimsauthenticationandrequiresKerberosauthenticationfordelegated
authentication.Formoreinformation,seeClaims Authentication and Reporting
Services.
96
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
ConfigureanewDNSARecordfortheSSRShost.Inthisexamplewehaveahost
FarmReportsconfiguredtoresolvetotheloadbalancedVIP.
Service ServiceIdentity
SQLServerReportingServices vmlab\svcSQLRS
97
Configure Kerberos Authentication for SharePoint 2010 Products
HTTP/FarmReports.vmlab.local
Inthisexamplethefollowingcommandswereexecuted:
SetSPNSHTTP/FarmReportsvmlab\svcSQLRS
SetSPNSHTTP/FarmReports.vmlab.localvmlab\svcSQLRS
Configure delegation
KerberosdelegationmustbeconfiguredforSSRStodelegatetheclient'sidentityto
backenddatasource.Inthisexample,SSRSqueriesdatafromaSQLServer
transactionaldatabasebyusingtheclient'sidentity,thereforeKerberosdelegationis
required.Kerberosconstraineddelegation(KCD)isnotarequirementinthisscenario
(becauseprotocoltransitionisnotneeded),butKCDisconfiguredasabestpractice.
TheSSRSserviceaccountthatisrunningtheSSRSservicesmustbetrustedtodelegate
credentialstoeachbackendservice.Inourexample,thefollowingdelegationpathsare
needed:
98
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
HTTP/FarmReports.vmlab.local
Optionally,ifyouwishtoreportagainstAnalysisServicesdatasources,configurethe
followingdelegationpaths:
Toconfigureconstraineddelegation
1. OpentheActiveDirectoryObject'spropertiesinActiveDirectoryUsersand
Computers.
2. NavigatetotheDelegationtab.
99
Configure Kerberos Authentication for SharePoint 2010 Products
3. SelectTrustthisuserfordelegationtospecifiedservicesonly.
Note:
FortheSSRSserviceaccount,ifyouneedtoauthenticatewithdatasourceswithinthe
sameforestbutoutsideofthedomainthattheSSRSserverresidesin,configurebasic
delegationinsteadofconstraineddelegation.YoucandothisbyselectingTrustthis
computerfordelegationtoanyservice.RememberthatcrossforestKerberos
delegationisnotpossible.
4. OptionallyselectUseanyauthenticationprotocol.Thisenablesprotocoltransition.
5. ClicktheAddbuttontoselecttheserviceprincipalthatcanbedelegateto.
100
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
6. SelectUserandComputers.
7. Selecttheserviceaccountthatisrunningtheserviceyouwanttodelegateto.Inthis
example,itistheserviceaccountfortheSQLServerReportingService.
101
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
TheserviceaccountselectedmusthaveanSPNappliedtoit.Inourexample,theSPNfor
thisaccount(HTTP/FarmReports.vmlab.local)wasconfiguredearlierinthescenario.
8. ClickOK.YouarethenaskedtoselecttheSPNsyouwanttodelegatetoonthe
followingpage.
9. SelecttheserviceorSelectAllandclickOK.
YoushouldnowseetheselectedSPNsintheservicestowhichthisaccountcan
presentdelegatedcredentialslist:
102
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
10. Repeatthesestepsforeachdelegationpathidentifiedearlierinthissection.You
havetoconfiguredelegationfromtheSQLServerReportingServicesserviceaccount
tooneormorebackenddatasources(SQLOLTPorSQLASinourscenarios).
103
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
FortheSSRSserviceaccount,ifyouneedtoauthenticatewithdatasourceswithinthe
sameforestbutoutsideofthedomaintheSSRSserverresidesin,configurebasic
delegationinsteadofconstraineddelegation.Todoso,selectTrustthiscomputerfor
delegationtoanyservice.RememberthatcrossforestKerberosdelegationisnot
possible.
Verify MSSQLSVC SPN for the service account running the service
on SQL Server (performed in Scenario 2)
VerifythattheSPNfortheAnalysisServicesserviceaccount(vmlab\svcSQL)existsby
usingthefollowingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433
Verify MSOLAPSvc.3 SPN for the Service Account running the SSAS
service on the SQL Server Analysis Services server (performed in
Scenario 3)
VerifythattheSPNfortheSQLServerserviceaccount(vmlab\svcSQLAS)existsbyusing
thefollowingSetSPNcommand:
SetSPNLvmlab\svcSQLAS
Youshouldseethefollowing:
MSOLAPSvc.3/MySqlCluster
MSOLAPSvc.3/MySqlCluster.vmlab.local
104
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Addthe<machineKey>element
SSRSserversinaloadbalancedconfigurationneedthesamemachinekeysetacrossall
servers.Themachinekeyelementshouldbeaddedasachildofthe<system.web>
elementinweb.config.Belowisanexamplemachinekey:
<machineKey
validationKey="54AEBD3BC893726E9B84D30F4970CB58F2086C2DAEE2F8D34A65A0632F4676DDB
BC38779F2972C6596931E13BD07A772BD4B9395BE38A43E461079E45D594E53"
decryptionKey=""validation="SHA1"decryption="AES"/>
105
Configure Kerberos Authentication for SharePoint 2010 Products
Important:
DONOTUSETHESAMPLEMACHINEKEYINOURENVIRONMENT.Generateyourown
keyvaluesforyourenvironment.
Modify ReportingServer.config
ThefollowingchangeshavetobemadetotheReportingServer.configfilesoneachSSRS
server.TheReportingServer.configfilecanbefoundintheprogramfilesdirectory
whereSSRSisinstalled:
EnableKerberosauthentication
ToenableKerberosauthentication,settheauthenticationtypeto
"RSWindowsNegotiate".Changethe<AuthenticationTypes/>
elementandadd<RSWindowsNegotiate/>
<AuthenticationTypes><RSWindowsNegotiate/></AuthenticationTypes>
ModifytheURLroot
AddtheURLforthereportservertothe<UrlRoot>tagfoundinthe<service>tagof
ReportingServer.Config
<UrlRoot>http://FarmReports/reportserver</UrlRoot>
106
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Inourexample,weconfigurethefollowingvaluesforBackConnectionHostNames:
FarmReports
FarmReports.vmlab.local
OncetheBackConnectionHostNamesvaluesareset,reboottheSSRSserver.
107
Configure Kerberos Authentication for SharePoint 2010 Products
RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal
$w.GrantAccessToProcessIdentity("vmlab\svcSQLRS")
108
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
109
Configure Kerberos Authentication for SharePoint 2010 Products
Verify configuration
110
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
IfyoudonotseetheReportingServicesfeatureinthesitecollectionsfeatureslist,you
mayneedtoactivateitfromCentralAdministration.Formoreinformation,seeHow to:
Activate the Report Server Feature in SharePoint Central Administration
(http://go.microsoft.com/fwlink/?LinkId=196878).
ClicktheReportingServicessitesettingslinktoensurethesettingsareaccessible.
111
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
NochangestoReportingServicesSiteSettingsarerequiredforthisdemonstration.
1. OpenSQLServerBusinessIntelligenceDevelopmentStudio.ClickFile,pointtoNew,
andthenclickProject.
2. SelectReportServerProjectWizardandenteraprojectname.
112
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
3. Nextconfigureanewdatasource.ChoosethetypeMicrosoftSQLServerandclick
theEditbutton.
113
Configure Kerberos Authentication for SharePoint 2010 Products
4. InConnectionPropertiesentertheinformationtoconnecttothedemoSQLServer
clustercreatedinscenario2.
114
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
5. Openquerydesigner,rightclickthequerywindowandselectAddtable.
115
Configure Kerberos Authentication for SharePoint 2010 Products
6. ChoosetheSalestable(createdinscenario2)andselectAllColumns.
116
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
7. Selectatabularreporttype.
117
Configure Kerberos Authentication for SharePoint 2010 Products
8. Inourexamplewegroupbyregion;youcanskipthisstepifyouwantto.
9. Oncetheprojectiscreated,opentheprojectpropertiesontheProjectmenu.
118
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
10. Configurethefollowingprojectproperties:
a) TargetDatasetFolderSetittothetestreportfoldercreatedearlier
b) TargetDatasetFolderSetittothetestreportfoldercreatedearlier
c) TargetReportFolderSetittothetestreportfoldercreatedearlier
d) TargetReportPartFolderSetittothetestreportfoldercreatedearlier
e) TargetServerURLSettothewebapplicationURLthatishostingthereport
119
Configure Kerberos Authentication for SharePoint 2010 Products
11. DeploythereporttotheSharePointlibrary.OnthebuildmenuselectDeploy
<projectname>.
12. Ifitissuccessful,youwillseethedeploymentsucceededmessageintheOutput
window.
120
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Clickthereportanditwillrenderinthebrowser.
121
Configure Kerberos Authentication for SharePoint 2010 Products
Tofurtherverifydelegationandthedataconnection,changedthesourcedatainSQL
ServerManagementStudioandrefreshtheSSRSreportdataconnectioninthebrowser.
Youshouldseethedatachangesreflectedinthereport.
2. UpdateReportingServer.config.Changethe<UrlRoot>tothenewhttps://URL.
3. RestarttheSQLServerReportingServicesservice.
4. InCentralAdministration,changetheReportingServicesintegrationsettingsand
changetheReportServerWebServiceURLtothenewhttps://URL.
5. RestartIISoneachinstanceofSharePointServerthatisrunningthewebapplication
service.
122
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
YoudonotneedtochangeanyoftheSPNscreatedwhenconfiguringReportingServices
withHTTPintheprevioussteps.TheSPNforanHTTPserviceoverSSLremains
HTTP/<service>.YoucanseethisbyusingNetMontoviewthefrontendwebserverthat
iscommunicatingwiththeReportingServicesServer.
NoticetheticketgrantingservicerequesthighlightedandtheSnamerequested.The
reportingserverservicewasaccessedusinghttps://andtheSNameintheticketrequest
remainedHTTP/asexpected.ToensuretheWFEwasactuallyusingSSLtocommunicate
withthereportingserver,additionaltrafficwascapturedandanalyzed:
NoticethatallrequestsfromtheWFEtothereportingserverareprotectedoverSSL.
ThisconfirmsSSLwasusedforcommunicationsbetweenthewebfrontendsandthe
reportingserver.
123
Configure Kerberos Authentication for SharePoint 2010 Products
InthisscenarioyouaddtheExcelServicesserviceapplicationtotheSharePointServer
environmentandconfigureKerberosconstraineddelegationtoallowtheserviceto
refreshdatainaworksheetfromanexternalSQLServerdatasource.
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Scenario dependencies
Tocompletethisscenarioyouneedtohavecompletedthefollowingarticles:
Scenario1:Core Configuration
Scenario2:Kerberos Authentication for SQL OLTP
Configuration checklist
AreaofConfiguration Description
ActiveDirectory CreateExcelServicesserviceaccount
Configuration
ConfigureSPNonExcelServicesserviceaccount
124
Identity delegation for Excel Services (SharePoint Server 2010)
AreaofConfiguration Description
ConfigureKerberosconstraineddelegationforserversrunning
ExcelServices
ConfigureKerberosconstraineddelegationfortheExcelServices
serviceaccount
SharePointServer StartClaimstoWindowsTokenServiceonExcelServicesServers
configuration
StarttheExcelServicesserviceinstanceontheExcelServices
server
CreatetheExcelServicesserviceapplicationandproxy
ConfigureExcelservicestrustedfilelocationandauthentication
settings
VerifyExcelService Createdocumentlibrarytohosttestworkbook
Constrained
Delegation CreatetestSQLdatabaseandtesttable
CreatetestExcelworkbookwithSQLdataconnection
PublishworkbooktoSharePointServerandrefreshdata
connection
125
Configure Kerberos Authentication for SharePoint 2010 Products
InthisscenariowewillconfiguretheSharePointServerExcelServicesserviceaccount
forKerberosconstraineddelegationtotheSQLServerservice.
126
Identity delegation for Excel Services (SharePoint Server 2010)
Note:
InthisscenariowewillconfiguretheClaimstoWindowsTokenServices(C2WTS)touse
adedicatedserviceaccount.IfyouleavetheC2WTSconfiguredtouseLocalSystemyou
willneedtoconfiguredconstraineddelegationonthecomputeraccountforthe
computerrunningtheC2WTSandExcelServices.
AuthenticationinthisscenariobeginswiththeclientauthenticatingwithKerberos
authenticationatthewebfrontend.SharePointServer2010willconverttheWindows
authenticationtokenintoaclaimstokenusingthelocalSecurityTokenService(STS).
Theexcelserviceapplicationwillaccepttheclaimstokenandconvertitintoawindows
token(Kerberos)usingthelocalClaimstoWindowsTokenService(C2WTS)thatisapart
ofWindowsIdentityFramework(WIF).Theexcelserviceapplicationwillthenusethe
clientsKerberostickettoauthenticatewiththebackendDataSource.
127
Configure Kerberos Authentication for SharePoint 2010 Products
SharePointServerService IISAppPoolIdentity
ExcelServices vmlab\svcExcel
TheActiveDirectoryUsersandComputersMMCsnapinistypicallyusedtoconfigure
Kerberosdelegation.Toconfigurethedelegationsettingswithinthesnapin,theActive
Directoryobjectbeingconfiguredmusthaveaserviceprincipalnameapplied;otherwise
thedelegationtabfortheobjectwillnotbevisibleintheobjectspropertiesdialog.
AlthoughExcelServicesdoesnotrequireaSPNtofunction,wewillconfigureonefor
thispurpose.
Onthecommandline,runthefollowingcommand:
SETSPNSSP/ExcelServices
Note:
TheSPNisnotavalidSPN.Itisappliedtothespecifiedserviceaccounttorevealthe
delegationoptionsintheADusersandcomputersaddin.Thereareothersupported
waysofspecifyingthedelegationsettings(specificallythemsDSAllowedToDelegateTo
ADattribute)butthistopicwillnotbecoveredinthisdocument.
128
Identity delegation for Excel Services (SharePoint Server 2010)
Eachserverrunningexcelservicesmustbetrustedtodelegatecredentialstoeachback
endserviceexcelwillauthenticatewith.Inadditional,theexcelservicesserviceaccount
mustalsobeconfiguredtoallowdelegationtothesamebackendservices.
Inourexamplethefollowingdelegationpathsaredefined:
*Configuredlaterinthisscenario
**OnlyrequirediftheC2WTSisrunningaslocalsystem
Toconfigureconstraineddelegation
1. OpentheActiveDirectoryObjectspropertiesinActiveDirectoryUsersand
Computers.
2. NavigatetotheDelegationtab.
129
Configure Kerberos Authentication for SharePoint 2010 Products
3. SelectTrustthisuserfordelegationtospecifiedservicesonly.
4. SelectUseanyauthenticationprotocol.Thisenablesprotocoltransitionandis
requiredfortheserviceaccounttousetheC2WTS.
5. Clicktheaddbuttontoselecttheserviceprincipalallowedtodelegateto.
130
Identity delegation for Excel Services (SharePoint Server 2010)
6. SelectUserandComputers.
7. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto.Inthis
exampleitistheserviceaccountfortheSQLservice.
131
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
TheserviceaccountselectedmusthaveaSPNappliedtoit.InourexampletheSPNfor
thisaccountwasconfiguredinapreviousscenario.
8. ClickOK.YouwillthenbeaskedtoselecttheSPNsyouwouldliketodelegatetoin
thefollowingwindow.
9. SelecttheservicesfortheSQLclusterandclickOK.
10. YoushouldnowseetheselectedSPNSintheservicestowhichthisaccountcan
presenteddelegatedcredentialslist.
132
Identity delegation for Excel Services (SharePoint Server 2010)
11. Repeatthesestepsforeachdelegationpathdefinedinthebeginningofthissection.
Verify MSSQLSVC SPN for the Service Account running the service
on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe
followingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433
133
Configure Kerberos Authentication for SharePoint 2010 Products
EachExcelServicesApplicationservermustruntheC2WTSlocally.TheC2WTSdoesnot
openanyportsandcannotbeaccessedbyaremotecaller.Further,theC2WTSservice
configurationfilemustbeconfiguredtospecificallytrustthelocalcallingclientidentity.
AsabestpracticeyoushouldruntheC2WTSusingadedicatedserviceaccountandnot
asLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccountrequiresspecial
localpermissionsoneachservertheservicerunsonsobesuretoconfigurethese
permissionseachtimetheserviceisstartedonaserver.Optimallyyoushouldconfigure
theserviceaccountspermissionsonthelocalserverbeforestartingtheC2WTS,butif
doneafterthefactyoucanrestarttheC2WTSfromtheWindowsservicesmanagement
console(services.msc).
TostarttheC2WTS
1. CreateaserviceaccountinActiveDirectorytoruntheserviceunder.Inthisexample
wecreatedvmlab\svcC2WTS.
2. AddanarbitraryServicePrincipalName(SPN)totheserviceaccounttoexposethe
delegationoptionsforthisaccountinActiveDirectoryUsersandComputers.The
SPNcanbeanyformatbecausewedonotauthenticatetotheC2WTSusing
Kerberosauthentication.ItisrecommendedtonotuseanHTTPSPNtoavoid
potentiallycreatingduplicateSPNsinyourenvironment.Inourexamplewe
registeredSP/C2WTStothevmlab\svcC2WTSusingthefollowingcommand:
SetSPNSSP/C2WTSvmlab\svcC2WTS
3. ConfigureKerberosconstraineddelegationontheC2WTSservicesaccount.Inthis
scenariowewilldelegatecredentialstotheSQLservicerunningwiththe
MSSQLSVC/MySqlCluster.vmlab.local:1433serviceprincipalname.
134
Identity delegation for Excel Services (SharePoint Server 2010)
4. Next,configuretherequiredlocalserverpermissionsthattheC2WTSrequires.You
willneedtoconfigurethesepermissionsoneachservertheC2WTSrunson.Inour
examplethisisVMSP10APP01.LogontotheserverandgivetheC2WTSthe
followingpermissions:
a) AddtheserviceaccounttothelocalAdministratorsGroups.
b) Inlocalsecuritypolicy(secpol.msc)underuserrightsassignmentgivethe
serviceaccountthefollowingpermissions:
i. Actaspartoftheoperatingsystem
ii. Impersonateaclientafterauthentication
iii. Logonasaservice
135
Configure Kerberos Authentication for SharePoint 2010 Products
5. OpenCentralAdministration.
6. UnderSecurity>ConfigureManagedServiceAccounts,RegistertheC2WTSservice
accountasamanagedaccount.
7. Underservices,selectManageservicesonserver.
8. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s)
runningexcelservices.InthisexampleitisVMSP10APP01:
9. FindtheClaimstoWindowsTokenServiceandstartit:
10. GotoSecurity>ManageServiceAccounts.ChangetheidentityoftheC2WTSto
thenewmanagedacount.
136
Identity delegation for Excel Services (SharePoint Server 2010)
Note:
IftheC2WTSwasalreadyrunningbeforeconfiguringthededicatedserviceaccount,orif
youneedtochangesthepermissionsoftheserviceaccountaftertheC2WTSisrunning
youmustrestarttheC2WTSfromtheservicesconsole.
Inaddition,ifyouexperienceissueswiththeC2WTSafterrestartingtheserviceitmay
alsoberequiredtoresettheIISapplicationpoolsthatcommunicatewiththeC2WTS.
Inaddition,ifyouexperienceissueswiththeC2WTSafterrestartingtheserviceitmay
alsoberequiredtoresettheIISapplicationpoolsthatcommunicatewiththeC2WTS.
1. OpentheCommandPromptwindow.
2. Type:scconfig"c2wts"depend=CryptSvc
137
Configure Kerberos Authentication for SharePoint 2010 Products
3. FindtheClaimstoWindowsTokenServiceintheservicesconsole.
4. Openthepropertiesfortheservice.
5. ChecktheDependenciestab.MakesureCryptographicServicesislisted.
6. ClickOK.
138
Identity delegation for Excel Services (SharePoint Server 2010)
RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal
$w.GrantAccessToProcessIdentity("vmlab\svcExcel")
1. OpenCentralAdministration.
2. Underservices,selectManageservicesonserver.
3. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s)
runningexcelservices.InthisexampleitisVMSP10APP01.
4. StarttheExcelCalculationServicesservice.
139
Configure Kerberos Authentication for SharePoint 2010 Products
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
3. SelectNew,andthenclickExcelServicesApplication.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount
(createanewmanagedaccountiftheexcelserviceaccountisnotinthelist).
140
Identity delegation for Excel Services (SharePoint Server 2010)
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
141
Configure Kerberos Authentication for SharePoint 2010 Products
3. ClickthelinkforthenewServiceApplication,ExcelServicesinthisexample.
4. IntheExcelServicesmanagementpage,click"TrustedFileLocations".
5. Addanewtrustedfilelocation.
142
Identity delegation for Excel Services (SharePoint Server 2010)
6. Specifythelocationtoyourtestlibrary.
Note:
Inourexample,wetrusttherootwebapplicationURLandallchildren.Inaproduction
environmentyoumaychoosetoconstrainthetrusttoamoregranularlocation.
7. InExternalDataSelecttrusteddataconnectionlibrariesandembedded.
143
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
ThisexamplewilluseanembeddedconnectiontoconnecttoSQLServer.Inyour
environmentyoumaychoosetocreateaseparateconnectionfileandstoreitina
trusteddataconnectionlibrary.InthatcaseyoumightselectTrusteddataconnection
librariesonly.
8. ChangetheExternalDataCacheAgeFortestingpurposes,itisconvenientto
changetheexternaldatacachelifetimetoensuredatarefreshesarecomingfrom
thedatasourceandnotthecache.UnderExternalData,changethefollowing
settings:
Automaticrefresh(periodic/onopen)=0
Manualrefresh=0
Note:
Inaproductionenvironmentyouwillwanttoconfigureacachesettinghigherthan0.
Settingthecacheto0isfortestingpurposesonly.
144
Identity delegation for Excel Services (SharePoint Server 2010)
1. OpenExcel.
2. OntheDatatab,selectFromothersources>FromSQLServer.
3. ConnecttothetestSQLdatasource.
145
Configure Kerberos Authentication for SharePoint 2010 Products
4. Selectthetestdatabaseandthetesttable(Salesinourexample).
5. ClickNext.Clicktheauthenticationsettingsbutton.EnsureWindowsAuthentication
isspecified.
146
Identity delegation for Excel Services (SharePoint Server 2010)
6. ClickFinish.
7. SelectPivotTableReport.
8. Configurethepivottable.EnsuredataisreturnedfromtheSQLsource.
147
Configure Kerberos Authentication for SharePoint 2010 Products
1. ClicktheFiletab.
2. ClickSaveandSend,thenclickSavetoSharePoint,andthenclickBrowsefora
location.
148
Identity delegation for Excel Services (SharePoint Server 2010)
3. Enterthelocationtothetrustedlibrarycreatedinprevioussteps.
4. EnsureOpenwithExcelinthebrowserisselected.
Anewbrowserwindowwillopenatthispointwithyourtestworkbookdisplayed.
Oncetheworkbookrenders,refreshthedataconnectionbyclickingDataandthen
clickingRefreshAllConnections.
149
Configure Kerberos Authentication for SharePoint 2010 Products
IfthedataconnectionrefreshesyouhavesuccessfullyconfiguredKerberosdelegation
forexcelservices.Tofurthertestconnectivity,changethesourcedataviaSQL
ManagementStudiothenrefreshtheconnection.Youshouldseethenewlychanged
datainyourworkbook.Ifyoudonotseeanychanges,andyoudonotreceiveanyerrors
onrefreshyouaremostlikelyseeingcacheddata.Bydefault,ExcelServiceswillcache
datafromexternalsourcesforfiveminutes.Youcanchangethiscachesetting;see
Configure Excel services trusted file location and authentication settingsinthisarticlefor
moreinformation.
150
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
WhenaPowerPivotworkbookisuploadedinSharePointServer,italreadycontainsthe
PowerPivotdatathattheworkbookuses.WhentheuseropensthePowerPivot
workbookinExcelWebAccessandinteractswiththeslicers,thePowerPivotSystem
ServiceloadsthedataintheworkbookdirectlyintoitsAnalysisServicesengine.No
accessismadetothedataconnectionembeddedintheworkbook.
WhenadatarefreshjobforaPowerPivotworkbookstartsexecuting,thePowerPivot
SystemServiceperformsaWindowsloginusingthecredentialsstoredintheSharePoint
ServerSecureStoreService.SincetheWindowsidentityiscreatedontheapplication
server,theconnectionfromthePowerPivotAnalysisServicesVertipaqengine(onthe
samecomputer,VMSP10APP01)toMySQLClusteristhefirstNTLMhop.
151
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
152
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Whiletheyareoutsidethescopeofthescenariosdefinedinthispaper,themajorsteps
toconfigureidentitydelegationforPowerPivotareasfollows:
1. ChangetheserviceaccountoftheC2WTSWindowsservicetoadomainaccount
(e.g.VMLAB\svcC2WTS).ConfiguringtheC2WTSisalargetopicandiscoveredin
detailintheotherscenariosinthisdocument:
ConfigureandStarttheClaimstoWindowsTokenServiceonExcelServices
Servers
ConfigureandStarttheClaimstoWindowsTokenServiceonVisioGraphics
Servers
ConfigureandStarttheClaimstoWindowsTokenServiceonPerformancePoint
ServicesServers
2. ConfiguredelegationfromtheVMLAB\svcSQLaccounttotheSPNforthelinkedSQL
ServerinstanceConfigurationChecklist.
Areaofconfiguration Description
PowerPivotinstallation InstallSQLServerPowerPivotforSharePointonthe
applicationserver
Scenario dependencies
Strictlyspeaking,thefollowingKerberosauthenticationscenariosarenotrequiredby
PowerPivotforSharePoint.HoweveritexpeditesyourPowerPivotforSharePoint
153
Configure Kerberos Authentication for SharePoint 2010 Products
installationprocessifyousuccessfullycompletedthem,asthecomponentsthemselves
areprerequisitesforPowerPivotforSharePoint.
Scenario1:Core Configuration
Configuration instructions
InstallPowerPivotforSharePointontheapplicationserver(vmsp10app01).Fordetailed
instructions,seeHow to: Install PowerPivot for SharePoint in a Three-tier SharePoint
FarmintheMSDNLibraryonline.Ifyouhavealreadyperformedthedependent
scenariosinthispaper,youcanskipthesectionsintheMSDNarticlethathavealready
beencoveredbythescenariodependencies.
Important:
TheapplicationpoolfortheSQLServerPowerPivotServiceApplicationmustberun
usingthedomainaccountoftheSharePointServerfarmadministrator.Innootheruser
contextcanthePowerPivotSystemServiceretrievetheunattendedaccountcredentials
fromtheSecureStoreService.
154
Identity delegation for Visio Services (SharePoint Server 2010)
Inthisscenario,youaddaVisioServicesserviceapplicationtotheSharePointServer
environmentandconfigureKerberosconstraineddelegationtoallowtheserviceto
refreshdatafromanexternalSQLServerdatasourceinaVisiowebdrawing.
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Scenariodependencies
Tocompletethisscenarioyouwillneedtohavecompleted:
Scenario1:Core Configuration
Scenario2:Kerberos authentication for SQL OLTP
Configurationchecklist
AreaofConfiguration Description
ActiveDirectory CreateVisioServicesserviceaccount
Configuration
ConfigureSPNonVisioServicesserviceaccount
155
Configure Kerberos Authentication for SharePoint 2010 Products
AreaofConfiguration Description
ConfigureKerberosconstraineddelegationforservers
runningVisioServices
ConfigureKerberosconstraineddelegationfortheVisio
Servicesserviceaccount
SharePointServer StartClaimstoWindowsTokenServiceonVisioServices
configuration Servers
GranttheVisioServicesserviceaccountpermissionsonthe
webapplicationcontentdatabase
StarttheVisioServicesserviceinstanceontheVisioServices
server
CreatetheVisioServicesserviceapplicationandproxy
VerifyVisioServices ConfiguretheVisioservicescachesettings
ConstrainedDelegation
CreatedocumentlibrarytohosttestVisioDiagram
CreateatestVisiowebdrawingwithSQLServerdata
connectedshapes
PublishtheVisiodrawingtoSharePointServerandrefresh
dataconnection
156
Identity delegation for Visio Services (SharePoint Server 2010)
AppServer
VMSP10APP01
vmSQL2k8r202
SQLCluster
DNS(A):
MySQLCluster.vmlab.local
Inthisscenario,wewillconfiguretheSharePointServerVisioservicesapplication
serversandserviceaccountsforKerberosconstraineddelegationtotheSQLServer
service.
AuthenticationinthisscenariobeginswiththeclientauthenticatingwithKerberos
authenticationatthewebfrontend.SharePointServer2010willconverttheWindows
authenticationtokenintoaclaimstokenusingthelocalSecurityTokenService(STS).
TheVisioserviceapplicationwillaccepttheclaimstokenandconvertitintoawindows
token(Kerberos)usingthelocalClaimstoWindowsTokenService(C2WTS)thatisapart
157
Configure Kerberos Authentication for SharePoint 2010 Products
ofWindowsIdentityFoundation(WIF).TheVisioserviceapplicationwillthenusethe
clientsKerberostickettoauthenticatewiththebackenddatasource.
SharePointServerservice IISAppPoolIdentity
VisioServices vmlab\svcVisio
TheActiveDirectoryUsersandComputersMMCsnapinistypicallyusedtoconfigure
Kerberosdelegation.Toconfigurethedelegationsettingswithinthesnapin,theActive
Directoryobjectbeingconfiguredmusthaveaserviceprincipalnameapplied;otherwise
thedelegationtabfortheobjectwillnotbevisibleintheobjectspropertiesdialog.
AlthoughVisioServicesdoesnotrequireaSPNtofunction,wewillconfigureoneforthis
purpose.
Onthecommandline,runthefollowingcommand:
SETSPNSSP/VisioServicessvc\VisioServices
158
Identity delegation for Visio Services (SharePoint Server 2010)
Note:
TheSPNisnotavalidSPN.Itisappliedtothespecifiedserviceaccounttorevealthe
delegationoptionsintheADusersandcomputersaddin.Thereareothersupported
waysofspecifyingthedelegationsettings(specificallythemsDSAllowedToDelegateTo
ADattribute)butthistopicwillnotbecoveredinthisdocument.
EachserverrunningVisioservicesmustbetrustedtodelegatecredentialstoeachback
endserviceVisiowillauthenticatewith.Inadditional,theVisioservicesserviceaccount
mustalsobeconfiguredtoallowdelegationtothesamebackendservices.
Inourexamplethefollowingdelegationpathsaredefined:
*Configuredlaterinthisscenario
**Optional.Constraineddelegationonthecomputeraccountisonlyrequiredwhen
runningtheC2WTSasLocalSystem
Toconfigureconstraineddelegation
1. OpentheActiveDirectoryObjectspropertiesinActiveDirectoryUsersand
Computers.
159
Configure Kerberos Authentication for SharePoint 2010 Products
2. NavigatetotheDelegationtab.
3. SelectTrustthisuserfordelegationtospecifiedservicesonly.
4. SelectUseanyauthenticationprotocol.Thisenablesprotocoltransitionandis
requiredfortheVisioserviceaccounttousetheC2WTS.
5. Clicktheaddbuttontoselecttheserviceprincipalallowedtodelegateto.
160
Identity delegation for Visio Services (SharePoint Server 2010)
6. SelectUserandComputers.
7. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto.Inthis
exampleitistheserviceaccountfortheSQLServerservice.
Note:
theserviceaccountselectedmusthaveaSPNappliedtoit.InourexampletheSPNfor
thisaccountwasconfiguredinapreviousscenario.
8. ClickOK.YouwillthenbeaskedtoselecttheSPNsyouwouldliketodelegateto.
161
Configure Kerberos Authentication for SharePoint 2010 Products
9. SelecttheservicesfortheSQLServerclusterandclickOK.
10. YoushouldnowseetheselectedSPNSintheservicestowhichthisaccountcan
presenteddelegatedcredentialslist.
162
Identity delegation for Visio Services (SharePoint Server 2010)
11. Repeatthesestepsforeachdelegationpath(ComputerandUser)definedinthe
beginningofthissection.
Verify MSSQLSVC SPN for the Service Account running the service
on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe
followingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433
163
Configure Kerberos Authentication for SharePoint 2010 Products
EachVisioGraphicsServiceapplicationservermustruntheC2WTSlocally.TheC2WTS
doesnotopenanyportsandcannotbeaccessedbyaremotecaller.Further,theC2WTS
serviceconfigurationfilemustbeconfiguredtospecificallytrustthelocalcallingclient
identity.
AsabestpracticeyoushouldruntheC2WTSusingadedicatedserviceaccountandnot
asLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccountrequiresspecial
localpermissionsoneachservertheservicerunsonsobesuretoconfigurethese
permissionseachtimetheserviceisstartedonaserver.Optimallyyoushouldconfigure
theserviceaccountspermissionsonthelocalserverbeforestartingtheC2WTS,butif
doneafterthefactyoucanrestarttheC2WTSfromtheWindowsservicesmanagement
console(services.msc).
TostarttheC2WTS
1. CreateaserviceaccountinActiveDirectorytoruntheserviceunder.Inthisexample
wecreatedvmlab\svcC2WTS.
2. AddanarbitraryServicePrincipalName(SPN)totheserviceaccounttoexposethe
delegationoptionsforthisaccountinActiveDirectoryUsersandComputers.The
SPNcanbeanyformatbecausewedonotauthenticatetotheC2WTSusing
Kerberosauthentication.ItisrecommendedtonotuseanHTTPSPNtoavoid
potentiallycreatingduplicateSPNsinyourenvironment.Inourexamplewe
registeredSP/C2WTStothevmlab\svcC2WTSusingthefollowingcommand:
SetSPNSSP/C2WTSvmlab\svcC2WTS
3. ConfigureKerberosconstraineddelegationontheC2WTSservicesaccount.Inthis
scenariowewilldelegatecredentialstotheSQLServerservicerunningwiththe
MSSQLSVC/MySqlCluster.vmlab.local:1433serviceprincipalname.
164
Identity delegation for Visio Services (SharePoint Server 2010)
4. ConfiguretherequiredlocalserverpermissionsthattheC2WTSrequires.Youwill
needtoconfigurethesepermissionsoneachservertheC2WTSrunson.Inour
example,thisisVMSP10APP01.LogontotheserverandgivetheC2WTSthe
followingpermissions:
a) AddtheserviceaccounttothelocalAdministratorsGroups.
b) Inlocalsecuritypolicy(secpol.msc)underuserrightsassignmentgivethe
serviceaccountthefollowingpermissions:
i. Actaspartoftheoperatingsystem
ii. Impersonateaclientafterauthentication
iii. Logonasaservice
165
Configure Kerberos Authentication for SharePoint 2010 Products
5. OpenCentralAdministration.
6. InSecurity,intheConfigureManagedServiceAccountssection,registertheC2WTS
serviceaccountasamanagedaccount.
7. Underservices,selectManageservicesonserver.
8. Intheserverselectionboxintheupperrightcorner,selecttheserver(s)thatisor
arerunningtheVisioGraphicsService.InthisexampleitisVMSP10APP01.
9. FindtheClaimstoWindowsTokenServiceandstartit.
10. GotoManageServiceAccountsintheSecuritysection.Changetheidentityof
theC2WTStothenewmanagedacount.
166
Identity delegation for Visio Services (SharePoint Server 2010)
Note:
IftheC2WTSwasalreadyrunningbeforeconfiguringthededicatedserviceaccount,orif
youneedtochangesthepermissionsoftheserviceaccountaftertheC2WTSisrunning
youmustrestarttheC2WTSfromtheservicesconsole.
Inaddition,ifyouexperienceissueswiththeC2WTSafterrestartingtheserviceitmay
alsobenecessarytoresettheIISapplicationpoolsthatcommunicatewiththeC2WTS.
1. OpenaCommandPromptwindow.
2. Type:scconfig"c2wts"depend=CryptSvc
167
Configure Kerberos Authentication for SharePoint 2010 Products
3. FindtheClaimstoWindowsTokenServiceintheservicesconsole.
4. Openthepropertiesfortheservice.
5. ChecktheDependenciestab.MakesureCryptographicServicesislisted:
6. ClickOK.
168
Identity delegation for Visio Services (SharePoint Server 2010)
RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal
$w.GrantAccessToProcessIdentity("vmlab\svcVisio")
1. OpenCentralAdministration.
2. Underservices,selectManageservicesonserver.
3. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s)
runningexcelservices.InthisexampleitisVMSP10APP01.
4. StarttheVisioGraphicsService.
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
3. SelectNew,andthenselectVisioGraphicsService.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount
(createanewmanagedaccountiftheVisioserviceaccountisnotinthelist).
170
Identity delegation for Visio Services (SharePoint Server 2010)
171
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
Disablingtherenderingcacheisnotrecommendedforproductionenvironments.
RemembertoreenablethecacheonceyouhavecompletedtestingdelegationinVisio
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
3. SelecttheVisioGraphicsServiceapplicationcreatedinthepreviousstep.
4. SelectGlobalSettings.
5. IntheMinimumCacheAgesetting,setthecacheto0(nocache).
172
Identity delegation for Visio Services (SharePoint Server 2010)
Note:
Settingtheminimumcacheageto0isfortestingpurposesonlyandshouldnotbeused
inaproductionenvironment.
2. CreateanewBasicDiagramintheGeneralsectionunderHome.
3. OntheDataRibbonTab,selectLinkDatatoShapes.
173
Configure Kerberos Authentication for SharePoint 2010 Products
4. Inthedataselectordialogbox,selectMicrosoftSQLServerdatabase.
5. SpecifytheSQLServerclustercreatedinScenario2andselectWindows
Authentication.
174
Identity delegation for Visio Services (SharePoint Server 2010)
6. SelecttheTestdatabaseandtheSalesTable.
175
Configure Kerberos Authentication for SharePoint 2010 Products
7. Specifyafriendlynamefortheconnectionandsavetheconnectiontothe
documentlibrarycreatedinthepreviousstep.
176
Identity delegation for Visio Services (SharePoint Server 2010)
8. IntheDataSelectordialog,selectthenewlycreatedconnectionandpressFinish.
177
Configure Kerberos Authentication for SharePoint 2010 Products
Youshouldnowseetheexternaldatawindowatthebottomofthedrawingwindow
withthesampledatathatwascreatedearlier.
9. Dragthefirstdatarowontothedrawingsurface.Thiswillcreateanewshapethatis
linkedtothedatarow.Notethatthetestdrawingismeanttotestdelegationandis
notmeanttodemonstratehowtocreateafullyfunctioning,productionreadyweb
drawing.
178
Identity delegation for Visio Services (SharePoint Server 2010)
Publish the Visio drawing to SharePoint Server and refresh the data
connection
1. PublishthedrawingtothetestSharePointdocumentlibrary.OntheFiletabclick
SaveandSend,SavetoSharePoint,Browseforalocation,andthenWebDrawing.
2. Browsetothetestdocumentlibrary,specifyanameforthetestdrawing,andthen
clickSave.
179
Configure Kerberos Authentication for SharePoint 2010 Products
Thedrawingopensinthebrowser.
3. Intherefreshdisablednotification,selectEnable(always).
180
Identity delegation for Visio Services (SharePoint Server 2010)
4. Thedataconnectionshouldautomaticallyrefreshandnoerrorsshouldoccur.
5. OpenSQLServerManagementStudioandmodifythedatarowdisplayedintheweb
drawing.
6. RefreshthedataconnectionbypressingtheRefreshbuttonatthetopofthe
drawingwindow.Ifdelegationisconfiguredcorrectlyyoushouldseeyourdata
refresh.
181
Configure Kerberos Authentication for SharePoint 2010 Products
182
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Inthisscenario,youwilladdthePerformancePointServicesserviceapplicationtothe
SharePointServerenvironmentandconfigureKerberosconstraineddelegationtoallow
theservicetopulldatafromanexternalAnalysisServicescubeandhavetheoptionto
pulldatafromSQLServer.
Note:
IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Scenario dependencies
Tocompletethisscenarioyouwillneedtohavecompleted:
Scenario1:Core Configuration
Configuration checklist
Areaofconfiguration Description
183
Configure Kerberos Authentication for SharePoint 2010 Products
Areaofconfiguration Description
ActiveDirectory CreatePerformancePointServicesserviceaccount
configuration
CreateanSPNfortheserviceaccountrunningthe
PerformancePointServiceontheApplicationServer
VerifyAnalysisServicesSPNonSQLServerAnalysisServices
serviceaccount,vmlab\svcSQLAS(performedinScenario3)
and
(Optional)verifytheSQLServerdatabaseengineserviceaccount,
vmlab\svcSQL(performedinScenario2).
ConfigureKerberosconstraineddelegationforClaimsto
WindowsServicesserviceaccounttoAnalysisServices
ConfigureKerberosconstraineddelegationforthe
PerformancePoint
ServicesserviceaccounttoAnalysisServices
SharePointServer StartClaimstoWindowsTokenServiceonPerformancePoint
configuration ServicesServers
StartthePerformancePointServicesserviceinstanceonthe
PerformancePointServicesserver
CreatethePerformancePointServicesserviceapplicationand
proxy
ChecktheidentityonPerformancePointapplication
GrantthePerformancePointServicesserviceaccount
permissionsonthewebapplicationcontentdatabase
ConfigurePerformancePointservicestrustedfilelocationand
authenticationsettings
Verify Createdocumentlibrarytohostatestdashboard
PerformancePoint
Serviceconstrained CreateadatasourcethatreferenceanexistingSQLServer
184
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Areaofconfiguration Description
delegation AnalysisServicescube
CreateatrustedPerformancePointcontentlist
CreatetestPerformancePointdashboard
PublishdashboardtoSharePointServer
InthisscenariowewillconfigurethePerformancePointServicesserviceaccountfor
KerberosconstraineddelegationtotheSQLServerservice.
185
Configure Kerberos Authentication for SharePoint 2010 Products
Note:
InthisscenariowewillconfiguretheClaimstoWindowsTokenServices(C2WTS)touse
adedicatedserviceaccount.IfyouleavetheC2WTSconfiguredtouseLocalSystemyou
willneedtoconfigureconstraineddelegationonthecomputeraccountforthe
computerrunningtheC2WTSandExcelServices.
AuthenticationinthisscenariobeginswiththeclientauthenticatingwithKerberos
authenticationatthewebfrontend.SharePointServer2010willconverttheWindows
authenticationtokenintoaclaimstokenusingthelocalSecurityTokenService(STS).
ThePerformancePointserviceapplicationwillaccepttheclaimstokenandconvertit
intoaWindowstoken(Kerberos)usingthelocalClaimstoWindowsTokenService
(C2WTS)thatisapartofWindowsIdentityFramework(WIF).ThePerformancePoint
serviceapplicationwillthenusetheclientsKerberostickettoauthenticatewiththe
backendDataSource.
186
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
SharePointServerservice IISAppPoolIdentity
PerformancePointServices vmlab\svcPPS
*NOTE:Youcanoptionallyreuseasingledomainaccountformultipleservices.This
configurationisnotcoveredinthefollowingsections.
Onthecommandline,runthefollowingcommand:
187
Configure Kerberos Authentication for SharePoint 2010 Products
SETSPNSSP/PPSvmlab\svcPPS
Note:
TheSPNisnotavalidSPN.Itisappliedtothespecifiedserviceaccounttorevealthe
delegationoptionsintheADusersandcomputersaddin.Thereareothersupported
waysofspecifyingthedelegationsettings(specificallythemsDSAllowedToDelegateTo
ADattribute)butthistopicwillnotbecoveredinthisdocument.
SetSPNLvmlab\svcSQLAS
Youshouldseethefollowing:
MSOLAPSvc.3/MySqlCluster
VerifytheSPNfortheSQLServerserviceaccount(vmlab\svcSQL)existswiththe
followingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
188
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
EachserverrunningPerformancePointservicesmustbetrustedtodelegatecredentials
toeachbackendservicewithwhichPerformancePointwillauthenticate.Inaddition,
thePerformancePointservicesserviceaccountmustalsobeconfiguredtoallow
delegationtothesamebackendservices.NoticealsothatHTTP/Portaland
HTTP/Portal.vmlab.localareconfiguredtodelegateinordertoincludeaSharePointlist
asanoptionaldatasourceforyourPerformancePointdashboard.
Inourexamplethefollowingdelegationpathsaredefined:
PrincipalType PrincipalName
User Vmlab\svcC2WTS
User Vmlab\svcPPS
Toconfigureconstraineddelegation
1. OpentheActiveDirectoryObjectspropertiesinActiveDirectoryUsersand
Computers.
2. NavigatetotheDelegationtab.
189
Configure Kerberos Authentication for SharePoint 2010 Products
3. SelectTrustthiscomputerfordelegationtospecifiedservicesonly.
4. SelectUseanyauthenticationprotocol.
5. Clicktheaddbuttontoselecttheserviceprincipal.
6. SelectUserandComputers.
190
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
7. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto(SQLServer,
SQLServerAnalysisServices,orboth).
Note:
TheserviceaccountselectedmusthaveanSPNappliedtoit.Inourexample,theSPNfor
thisaccountwasconfiguredinapreviousscenario.SeetheKerberosAuthenticationfor
SQLOLTPandKerberosAuthenticationforSQLAnalysisServicessectionsofthis
document.
8. ClickOK.
9. SelecttheSPNsyouwouldliketodelegateto,andthenclickOK.
191
Configure Kerberos Authentication for SharePoint 2010 Products
10. YoushouldnowseetheselectedSPNSintheservicestowhichthisaccountcan
presenteddelegatedcredentialslist.
192
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
11. Repeatthesestepsforeachdelegationpathdefinedinthebeginningofthissection.
EachPerformancePointServicesApplicationservermustruntheC2WTSlocally.The
C2WTSdoesnotopenanyportsandcannotbeaccessedbyaremotecaller.Further,the
C2WTSserviceconfigurationfilemustbeconfiguredtospecificallytrustthelocalcalling
clientidentity.
AsarecommendedpracticeyoushouldruntheC2WTSusingadedicatedservice
accountandnotasLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccount
requiresspeciallocalpermissionsoneachserverthattheservicerunson.Besureto
configurethesepermissionswhenyouchoosetoruntheC2WTSwithadomainaccount.
ToensuretheC2WTSaccountpicksuptheneededprivileges,reboottheserverafteryou
haveconfiguredtheC2WTS.
*NOTE:IfyouchoosetoconfiguretheC2WTSaslocalsystemyoudonotneedto
configureanyadditionallocalprivileges.
TostarttheC2WTS
1. CreateaserviceaccountinActiveDirectorytoruntheserviceunder.Inthisexample
wecreatedvmlab\svcC2WTS.
2. AddanarbitraryServicePrincipalName(SPN)totheserviceaccounttoexposethe
delegationoptionsforthisaccountinActiveDirectoryUsersandComputers.The
SPNcanbeanyformatbecausewedonotauthenticatetotheC2WTSusing
Kerberosauthentication.ItisrecommendedtonotuseanHTTPSPNtoavoid
potentiallycreatingduplicateSPNsinyourenvironment.Inourexamplewe
registeredSP/C2WTStothevmlab\svcC2WTSusingthefollowingcommand:
SetSPNSSP/C2WTSvmlab\svcC2WTS
3. ConfigureKerberosconstraineddelegationontheC2WTSservicesaccount.Inthis
scenariowedelegatecredentialstotheSQLServerservicethatisrunningwiththe
MSOLAPsvc.3/MySqlCluster.vmlab.localserviceprincipalname.
194
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
4. Next,configuretherequiredlocalserverpermissionstheC2WTSrequires.Youhave
toconfigurethesepermissionsoneachservertheC2WTSrunson.Inourexample
thisisVMSP10APP01.LogontotheserverandgivetheC2WTSthefollowing
permissions:
a) AddtheserviceaccounttothelocalAdministratorsGroups.
195
Configure Kerberos Authentication for SharePoint 2010 Products
b) Inlocalsecuritypolicy(secpol.msc)underuserrightsassignmentgivethe
serviceaccountthefollowingpermissions:
i. Actaspartoftheoperatingsystem
ii. Impersonateaclientafterauthentication
iii. Logonasaservice
5. OpenCentralAdministration.
6. IntheSecuritysection,underConfigureManagedServiceAccounts,registerthe
C2WTSserviceaccountasamanagedaccount.
7. Underservices,selectManageservicesonserver.
8. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s)
runningPerformancePointservices.InthisexampleitisVMSP10APP01.
9. FindtheClaimstoWindowsTokenServiceandstartit:
10. GotoManageServiceAccountsintheSecuritysection.Changetheidentityof
theC2WTStothenewmanagedacount.
196
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Note:
IftheC2WTSwasalreadyrunningbeforeconfiguringthededicatedserviceaccount,orif
youneedtochangesthepermissionsoftheserviceaccountaftertheC2WTSisrunning
youmustrestarttheC2WTSfromtheservicesconsole.
Inaddition,ifyouexperienceissueswiththeC2WTSafterrestartingtheserviceit
mayalsoberequiredtoresettheIISapplicationpoolsthatcommunicatewiththe
C2WTS.
1. Openthecommandpromptwindow.
2. Type:scconfigc2wtsdepend=CryptSvc
197
Configure Kerberos Authentication for SharePoint 2010 Products
3. FindtheClaimstoWindowsTokenServiceintheservicesconsole.
4. Openthepropertiesfortheservice.
5. ChecktheDependenciestab.MakesureCryptographicServicesislisted:
6. ClickOK.
198
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
7. Reboottheserver.MakesurethattheC2WTShasstartedoncethecomputer
reboots.
1. OpenCentralAdministration.
2. Underservices,selectManageservicesonserver.
3. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s)
runningPerformancePointservices.InthisexampleitisVMSP10APP01:
4. StartthePerformancePointServicesservice.
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
199
Configure Kerberos Authentication for SharePoint 2010 Products
3. SelectNew,andthenclickPerformancePointServicesApplication.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount
orcreateanewmanagedaccountifyoudidnotperformthissteppreviously.
200
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Note:
ConfiguringtheUnattendedServicesAccountisoptionalinthisscenarioandonlyusedif
youwanttoalsotestNTLMauthentication.
Youcancreateandregisteranewserviceaccountforanexistingapplicationpool
dedicatedforPerformancePointServicesbeforethissteporwhenyoucreatethenew
PerformancePointService.Toassociatetheserviceaccountwithanexistingapplication
pooldedicatedtoPerformancePointorverifyanexistingaccount,dothefollowing.
201
Configure Kerberos Authentication for SharePoint 2010 Products
1. NavigatetoSharePointCentralAdministration.FindConfiguremanagedaccounts
intheSecuritysection.
2. Selectthedropdownboxandselecttheapplicationpool.
3. SelecttheActiveDirectoryaccount.
RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal
$w.GrantAccessToProcessIdentity("vmlab\svcPPS")
202
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
3. ClickthelinkforthenewServiceApplication,PerformancePointServicesandclick
theManagebuttonintheribbon.
4. InthePerformancePointservicesmanagementscreen,clickTrustedDataSource
Locations.
203
Configure Kerberos Authentication for SharePoint 2010 Products
5. SelecttheOnlyspecificlocationsoptionandclickAddTrustedDataSource
Location.
6. TypetheURLofthelocation,selecttheSiteCollection(andsubtree)option,and
thenclickOK.
7. SelecttheOnlyspecificlocationsoptionandclickAddTrustedDataSource
Location.
204
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
8. TypetheURLofthelocation,selecttheSite(andsubtree)option,andthenclickOK.
205
Configure Kerberos Authentication for SharePoint 2010 Products
1. OpenPerformancePointDashboardDesignerandrightclickdatasourcetocreatea
connection.
2. SelectAnalysisServices.
206
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
3. Specifytheserver,database,andcubeandselectPeruserIdentity.
207
Configure Kerberos Authentication for SharePoint 2010 Products
4. ClickTestDataSourcetotesttheconnection.
208
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
5. Createareportanddashboard.
6. Makesureyouhaveadataconnectionbydraggingmeasuresanddimensionsfrom
thedetailspainintothereportdesigner.
209
Configure Kerberos Authentication for SharePoint 2010 Products
7. Yourreportcanbeincludedinthedashboard.
SelectReportsandthendragMyReportontotheDashboardContentpage.
1. Selectthebrightfilebuttonicon.
210
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
2. ClickDeployinthefileselection.
3. SelectaMasterPagetowhichyouwanttopublish.
4. Clicktherefreshbuttoninyourbrowser.
Ifthedataconnectionrefreshes,youhavesuccessfullyconfiguredKerberos
delegationforPerformancePointServices.
211
Configure Kerberos Authentication for SharePoint 2010 Products
212
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
InthisscenarioyouconfiguretheBusinessDataConnectivityserviceapplicationtouse
KerberosconstraineddelegationtoauthenticatewithSQLServer.Onceitisconfigured,
youcreateanewexternalcontenttypeandexternallisttotestauthenticationandread
operationswithinaSharePointsite.
Inthisscenario,theSharePointServerFarmandBCSdatasourcearebothinthesame
domain.Therefore,weconfigureKerberosconstraineddelegationtoallowidentity
delegationtothebackenddatasource.Ifyouarerequiredtoauthenticatewithdata
sourcesinotherdomainswithinthesameforest,youhavetoconfigurebasic
(unconstrained)Kerberosdelegation.RememberthatBCSdoesnotleveragetheC2WTS;
thereforeyoucanusebasicdelegation.
Note:
IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing
hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used(http://support.microsoft.com/kb/969083)
Scenario dependencies
Tocompletethisscenarioyouhavetohavecompletedthefollowing:
Scenario1:Core Configuration
Scenario2:Kerberos Authentication for SQL OLTP
213
Configure Kerberos Authentication for SharePoint 2010 Products
Configuration checklist
Areaofconfiguration Description
ActiveDirectoryconfiguration CreateBCSApplicationServiceAccount
ValidateServicePrincipalNames
ConfigureDelegation
SharePointServerconfiguration StarttheBCSServiceInstance
CreatetheBCSServiceApplication
Verification CreateaBCSExternalContentType
ConfigureBCSSecurity
CreateaBCSExternalList
Opentheexternallistinthebrowser
214
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
vmSQL2k8r201
DefaultInstance
Port:1433
vmSP10WFE01
vmSQL2k8r202
vmSP10WFE02
SQLCluster
DNS(A):
MySQLCluster.vmlab.local
215
Configure Kerberos Authentication for SharePoint 2010 Products
SharePointServerservice IISAppPoolIdentity
BusinessConnectivityService vmlab\svcBDC
Configure delegation
ToallowBCStodelegatetheclientsidentityKerberosdelegationmustbeconfigured.
AlthoughconstraineddelegationistechnicallynotrequiredlikeExcelServices,
unconstraineddelegationcanbeusedforBCS,itisabestpracticetolimitthescopeof
delegationtheserviceisallowedtoperformthereforeconstraineddelegationwillbe
configuredinthisexample.
EachIISapplicationpoolserviceaccounthostingthesiterunningtheECTmustbe
configuredtoallowdelegationtothebackendservices.
Inourexamplethefollowingdelegationpathsareneeded:
216
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
Toconfigureconstraineddelegation
1. OpentheActiveDirectoryObjectspropertiesinActiveDirectoryUsersand
Computers.
2. NavigatetotheDelegationtab.
217
Configure Kerberos Authentication for SharePoint 2010 Products
3. SelectTrustthisuserfordelegationtospecifiedservicesonly.
Note:
IfyouneedBCStoauthenticatewithdatasourceswithinthesameforestbutoutsideof
thedomainthatSharePointServerresidesinyouwillwanttoselectTrustthiscomputer
fordelegationtoanyservicetoconfigurebasicdelegationinsteadofconstrained
delegation.TheBCSexternalcontenttypewillexecuteinthewebapplicationsIIS
workerprocessanddoesnotleveragetheC2WTS.RememberthatcrossforestKerberos
delegationisnotpossible.
4. ClicktheAddbuttontoselecttheserviceprincipalallowedtodelegateto.
5. SelectUserandComputers.
218
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
6. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto.Inthis
exampleitistheserviceaccountfortheSQLServerservice.
Note:
TheserviceaccountselectedmusthaveaSPNappliedtoit.InourexampletheSPNfor
thisaccountwasconfiguredinapreviousscenario.
7. ClickOK.
8. SelecttheSPNsyouwouldliketodelegate,andthenclickOK.
219
Configure Kerberos Authentication for SharePoint 2010 Products
9. SelecttheservicesfortheSQLServerclusterandclickOK.
YoushouldnowseetheselectedSPNSintheservicestowhichthisaccountcan
presenteddelegatedcredentialslist.
10. Repeatthesestepsforeachdelegationpathidentifiedearlierinthissection.
Verify MSSQLSVC SPN for the Service Account running the service
on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe
followingSetSPNcommand:
220
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433
1. OpenCentralAdministration.
2. UnderServices,selectManageservicesonserver.
3. IntheServerSelectionboxintheupperrightcorner,selecttheserver(s)running
ExcelServices.Inthisexample,itisVMSP10APP01.
4. StarttheBusinessDataConnectivityServiceservice.
221
Configure Kerberos Authentication for SharePoint 2010 Products
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
3. SelectNewthenBusinessDataConnectivityService.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount
(createanewmanagedaccountiftheBDCserviceaccountisnotinthelist).
222
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
Verification
1. OpenSharePointDesigner2010.
2. Openthetestsitecollectionathttp://portal.
223
Configure Kerberos Authentication for SharePoint 2010 Products
3. Onthelefthandnavigation,clickExternalContentTypes.
4. SelectExternalContentTypeintheNewsectionoftheribbonintheupperleft
handcornerofthepage.
224
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
5. GivetheExternalContentTypeadisplayname.
225
Configure Kerberos Authentication for SharePoint 2010 Products
6. ThenselectClickheretodiscoverexternaldatasourcesanddefineoperations.
7. ClickAddConnection.
226
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
8. SelectSQLServerfromtheDataSourceTypedropdownlistandaddthe
informationtoconnecttothetestdatabase.BesuretoselectConnectwiththe
UsersIdentitytotestdelegation.
227
Configure Kerberos Authentication for SharePoint 2010 Products
9. Expandthenewconnection.Rightclickthetesttable(Sales)andselectCreateAll
Operations.
10. Youshouldseeanerrorexplainingthereisntauniqueidentifierdefined.Selectthe
identifiercolumnandselecttheMaptoIdentifiercheckbox.ClickFinishtoaccept
thedefaultoptionsandcreatetheECToperations.
228
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
11. ClickSave(CTRL+S).ThiswillpublishtheECTtotheBDCserviceapplication
metadatastore.
1. OpenCentralAdministration.
2. SelectManageServiceApplicationsunderApplicationManagement.
229
Configure Kerberos Authentication for SharePoint 2010 Products
3. ClickthelinkforthenewServiceApplication,BusinessDataServicesinthis
example.
4. SelectSetMetadataStorePermissions.
230
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
5. Inourexample,weconfiguredEnterpriseAdminswithallpermissionsandAll
AuthenticatedUserswithallpermissionsexcepttheSetPermissionspermission.
6. EnsurethePropagatepermissionscheckboxisselectedandclickOKtosaveyour
changes.
1. OpenSharePointDesigner2010.
2. Openthetestsitecollectionathttp://portal.
231
Configure Kerberos Authentication for SharePoint 2010 Products
3. SelectExternalContentTypesontheleftside.
232
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
233
Configure Kerberos Authentication for SharePoint 2010 Products
4. Clickthecontenttypethatyoucreatedearlier.
5. Intheribbon,clickCreateLists&Form.
6. Ifyouarepromptedtosavetheexternalcontenttype,clickYes.
7. OntheCreateListandFormdialogbox,typealistnameintheListNametextbox,
andthenclickOK.
2. Openthetestsitecollectionathttp://portal.
234
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
3. Click"ListsandLibraries"inthelefthandnavigation.
4. SelecttheexternallistatthebottomoftheListandLibrarieslist.
5. ClickthePreviewinBrowserbutton.
235
Configure Kerberos Authentication for SharePoint 2010 Products
InternetExplorerwillopenanddisplaytheselectedsiteandexternallist.
236
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
6. Validatetheexternaldataisdisplayedcorrectly.Tofurthervalidatetheconnection,
changethesourcedatainSQLServerManagementStudioandrefreshthebrowser
page.Youshouldseethedatachangesreflectedinthebrowser.
237
Configure Kerberos Authentication for SharePoint 2010 Products
Example:
Ifthewebapplicationisrunningathttp://intranet.contoso.com:1234,theclientwill
requestaticketforaservicewithaSPNequaltohttp/intranet.contoso.cominsteadof
http/intranet.contoso.com:1234.
Detailsregardingtheissuecanbefoundinthefollowingarticles:
Toworkaroundthisissue,registerSPNswithandwithoutportnumber.Example:
http://intranet.contoso.com:12345
http/intranet
http/intranet.contoso.com
http/intranet:12345
238
Kerberos configuration known issues (SharePoint Server 2010)
http/intranet.contoso.com:12345
Werecommendthatyouregisterthenondefaultporttoensurethatiftheissueis
resolvedinsomefutureservicepackorhotfix,theapplicationsusingtheworkaround
willstillcontinuetofunction.
Notethatthisworkaroundwillnotworkifthefollowingconditionsaretrue:
Thereismorethanonewebapplicationrunningonanondefaultport
Thewebapplicationseitherbindtothehostnameoftheserverorbindtothesame
hostheader(ondifferentports)
ThewebapplicationIISapplicationpoolsusedifferentserviceaccounts
http://server.contoso.com:5000AppPoolId:contoso\svcA
http://server.contoso.com:5001AppPoolId:contoso\svcB
Iftheseconditionsaretrue,followingtherecommendationinthisworkaroundwillyield
duplicateSPNsregisteredtodifferentserviceaccountswhichwillbreakKerberos
authentication.
Ifyouhavemultiplewebsitessharingacommonhostnamerunningonmultipleports,
andyouusedifferentIISapplicationpoolidentitiesforthewebapplications,thenyou
cannotuseKerberosauthenticationonallwebsites.(OneapplicationcanuseKerberos,
therestwillrequireanotherauthenticationprotocol.)TouseKerberosonall
applicationsinthisscenario,youwouldneedtoeither:
1. Runallwebapplicationsunder1sharedserviceaccount
2. Runeachsitewithitsownhostheader
Example:
ARecord:wfe01.contoso.com
239
Configure Kerberos Authentication for SharePoint 2010 Products
CNAME:intranet.contoso.com(aliaseswfe01.contoso.com)
Iftheclientattemptstoauthenticatewithhttp://intranet.contoso.com,theclientdoes
notcorrectlyformtheSPNandrequestsaKerberosticketforhttp/wfe01.contoso.com
insteadofhttp/intranet.contoso.com
Detailsregardingtheissuecanbefoundinthefollowingarticles:
http://support.microsoft.com/kb/911149/en-us
http://support.microsoft.com/kb/938305/en-us
Toworkaroundthisissue,configureKerberosenabledservicesusingDNSArecords
insteadofCNAMEaliases.ThehotfixmentionedinKBarticlewillcorrectthisissuefor
InternetExplorerbutwillnotcorrecttheissueforthe.NETframework(whichisusedby
MicrosoftOfficeSharePointServerforwebservicecommunication).
Note:
KernelModeAuthenticationisnotsupportedinSharePoint2010Products.This
informationisprovidedforinformationalpurposesonly.
BeginninginIISversion7.0,thereisanewauthenticationfeaturecalledKernelMode
Authentication.WhenanIISwebsiteisconfiguredtouseKernelModeauthentication,
HTTP.syswillauthenticatetheclientsrequestsinsteadoftheapplicationpoolsworker
process.BecauseHTTP.sysrunsinkernelmodethisyieldsbetterperformancebutalso
introducesabitofcomplexitywhenconfiguringKerberos.ThisisduetoHTTP.sys
runningunderthecomputersidentityandnotundertheidentityoftheworkerprocess.
WhenHTTP.sysreceivesaKerberosticket,bydefaultitwillattempttodecrypttheticket
usingtheserversencryptionkey(akasecret)andnotthekeyfortheidentitytheworker
processisrunningunder.
IfasinglewebserverisconfiguredtouseKernelModeauthentication,Kerberoswill
workwithoutanyadditionalconfigurationoradditionalSPNsbecausetheserverwill
automaticallyregisteraHOSTSPNwhenitisaddedtothedomain.Ifmultipleweb
240
Kerberos configuration known issues (SharePoint Server 2010)
serversareloadbalanced,thedefaultKernelModeAuthenticationconfigurationwill
notwork,oratleastwillintermittentlyfail,becausetheclienthasnowayofensuring
theservicetickettheyreceivedintheTGSrequestwillworkwiththeserver
authenticatingtherequest.
Toworkaroundthisissueyoucandothefollowing:
TurnoffKernelModeAuthentication
ConfigureHTTP.systousetheIISapplicationpoolsidentitywhendecryptingservice
tickets.SeeInternet Information Services (IIS) 7.0 Kernel Mode Authentication
Settings.
YoumayalsoneedahotfixwhenconfiguringHTTP.systousetheapplicationpools
credentials:FIX: You receive a Stop 0x0000007e error message on a blue screen
when the AppPoolCredentials attribute is set to true and you use a domain account
as the application pool identity in IIS 7.0
Setting Description
AuthPersistNonNTLM OptionalBooleanattribute.
SpecifieswhetherIISautomaticallyreauthenticatesevery
nonNTLM(forexample,Kerberos)request,eventhoseon
thesameconnection.Falseenablesmultiple
authenticationsforthesameconnections.
ThedefaultisFalse.
Note:
AsettingofTruemeansthattheclientwillbe
authenticatedonlyonceonthesameconnection.IISwill
cacheatokenorticketontheserverforaTCPsessionthat
241
Configure Kerberos Authentication for SharePoint 2010 Products
Setting Description
staysestablished.
authPersistSingleRequestOptionalBooleanattribute.
SettingthisflagtoTruespecifiesthatauthentication
persistsonlyforasinglerequestonaconnection.IIS
resetstheauthenticationattheendofeachrequest,and
forcesreauthenticationonthenextrequestofthe
session.
ThedefaultvalueisFalse.
ForinstructionsonhowtoconfigureauthenticationpersistenceinIIS7.0,seeYou may
experience slow performance when you use Integrated Windows authentication together
with the Kerberos authentication protocol in IIS 7.0andImplementing Access Control.
IfyoususpectyouhaveduplicateSPNsinyourenvironment,usetheSetSPNX
commandtoqueryforallduplicateSPNsinyourenvironment(Windows2008orgreater
only).IfanySPNsarereturnedyoushouldinvestigatewhytheSPNshavebeen
registeredanddeleteanySPNsthatareduplicatesandarenotneeded.Ifyouhavetwo
servicesrunningwithtwodifferentidentitiesandbothusethesameSPN(duplicateSPN
issue)youneedtoreconfigureoneofthoseservicestoeitheruseadifferentSPNor
shareacommonserviceidentity.
242
Kerberos configuration known issues (SharePoint Server 2010)
IfyoususpectaSPNhasnotbeenregistered,ornotregisteredinaformatrequired,you
canusetheSetSPNQ<insertSPN>toqueryfortheexistenceofaparticularSPN.
Note:
Whenadjustingmaximumtokensize,beawarethatifyouconfigurethemaximum
tokensizebeyondthemaximumvaluefortheregistrysetting,youmayseeKerberos
authenticationerrors.Werecommendnotexceeding65535decimal,FFFFhexadecimal,
formaximumtokensize.
YoumayneedtoinstallahotfixforKerberosauthenticationonallcomputersthatare
runningWindowsServer2008orWindowsVistainyourenvironment.Thisincludesall
computersthatarerunningSharePointServer2010,SQLServer,orWindowsServer
2008thatSharePointServerattemptstoauthenticatewithbyusingKerberos
243
Configure Kerberos Authentication for SharePoint 2010 Products
authentication.Followtheinstructionsinthesupportpagetoapplythehotfixifyou
experiencethesymptomsdocumentedinthesupportcase.
244
How to reset the Claims to Windows Token Service account (SharePoint Server
2010)
Scenario:TheClaimstoWindowsTokenServiceaccountischangedunintentionallyor
otherwiseneedstoberesetbacktodefault.
Solution
TheClaimstoWindowsTokenServicecannotberesettotheLocalSystemaccountby
usingCentralAdministration.ThefollowingWindowsPowerShellcmdletscanbeusedto
resettheClaimstoWindowsTokenServicebacktoLocalSystem.
LaunchtheSharePointManagementShellfromthecomputerthatisrunningSharePoint
Server.
Runthefollowingcmdlettoviewalistofservices.
Get-SPServiceInstance
FindandcopytheIdoftheClaimsToWindowsTokenService.Rightclickinthe
WindowsPowerShellwindowandchooseMark.Thiswillallowyoutoselectandcopy
theIdwithyourmousecursor.AfterhighlightingtheId,pressENTERonyourkeyboard.
TestyourIdbyrunningthefollowingcmdlet.
245
Configure Kerberos Authentication for SharePoint 2010 Products
GetSPServiceInstanceidentity<PastetheC2WTSId>
RightclickinthePowerShellwindowandpastetheIdyoucopiedearlier.
Next,setavariablebyrunningthiscmdlet:
$claims=getspserviceinstanceidentity<PastetheC2WTSId>
RunthesecmdletstoresettheC2WTSbacktoLocalSystem:
$claims.Service.ProcessIdentity.CurrentIdentityType=0//The0inthepreceding
lineisIdentityType.LocalSystem$claims.Service.ProcessIdentity.Update()
$claims.Service.ProcessIdentity.Deploy()$claims.Service.ProcessIdentity//
ThisoutputdemonstratesthatthecmdletwassuccessfulCurrentIdentityType:
LocalSystemCurrentSecurityIdentifier:S1518ManagedAccount:ProcessAccount
:S1518Username:NTAUTHORITY\SYSTEM
246