
Configure Kerberos Authentication for SharePoint 2010 Products

Tom Wisnowski

Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, Pej Javaheri, Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, Prash Shirolkar, Norm Warren, Josh Zimmerman

Summary: This document covers the concepts of identity in SharePoint 2010 products, how Kerberos authentication plays a critical role in authentication and delegation in business intelligence scenarios, and the situations where Kerberos authentication should be leveraged or may be required in solution designs. It also covers how to configure Kerberos authentication end-to-end within your environment, including scenarios which use various service applications in SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration.

Category: Guide
Applies to: SharePoint 2010
Source: White paper (link to source content)
E-book publication date: May 2012
220 pages

Copyright 2012 by Microsoft Corporation All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the authors views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Table of Contents

Configure Kerberos Authentication for SharePoint 2010 Products ... 1
Configure Kerberos authentication for SharePoint 2010 Products ... 7
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products ... 8
    Who should read these articles about Kerberos authentication? ... 9
    Identity scenarios in SharePoint 2010 Products ... 11
    Claims primer ... 19
    Kerberos protocol primer ... 20
    Benefits of the Kerberos protocol ... 20
    Kerberos delegation, constrained delegation, and protocol transition ... 21
    Kerberos authentication changes in Windows 2008 R2 and Windows 7 ... 22
    Kerberos configuration changes in SharePoint 2010 Products ... 23
    Considerations when you are upgrading from Office SharePoint Server 2007 ... 23
Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010) ... 24
    Environment and farm topology ... 24
    Web Application specification ... 27
    SQL aliasing ... 29
    SharePoint Server Services and service accounts ... 30
    C2WTS Service Identity ... 31
    Tips for working through the scenarios ... 31
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010) ... 33
    Configuration checklist ... 34
    Step-by-step configuration instructions ... 35
Kerberos authentication for SQL OLTP (SharePoint Server 2010) ... 81
    Configuration checklist ... 82
    Scenario environment details ... 83
    Step-by-step configuration instructions ... 83
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010) ... 89
    Configuration checklist ... 89
    Step-by-step configuration instructions ... 90
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010) ... 94
    Scenario dependencies ... 94
    Configuration checklist ... 95
    Scenario environment details ... 96
    Cross-domain Kerberos delegation ... 96
    Step-by-step configuration instructions ... 97
    SSL configuration for Reporting Services ... 122
Identity delegation for Excel Services (SharePoint Server 2010) ... 124
    Scenario dependencies ... 124
    Configuration checklist ... 124
    Step-by-step configuration instructions ... 127
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010) ... 151
    Scenarios requiring Kerberos authentication ... 152
    Scenario dependencies ... 153
    Configuration instructions ... 154
Identity delegation for Visio Services (SharePoint Server 2010) ... 155
    Scenario dependencies ... 155
    Configuration checklist ... 155
    Scenario environment details ... 157
    Step-by-step configuration instructions ... 158
Identity delegation for PerformancePoint Services (SharePoint Server 2010) ... 183
    Scenario dependencies ... 183
    Configuration checklist ... 183
    Scenario environment details ... 185
    Step-by-step configuration instructions ... 187
Identity delegation for Business Connectivity Services (SharePoint Server 2010) ... 213
    Scenario dependencies ... 213
    Configuration checklist ... 214
    Scenario environment details ... 215
    Step-by-step configuration instructions ... 216
Kerberos configuration known issues (SharePoint Server 2010) ... 238
    Kerberos authentication and non-default ports ... 238
    Kerberos authentication and DNS CNAMEs ... 239
    Kerberos authentication and Kernel Mode Authentication ... 240
    Kerberos authentication and session-based authentication ... 241
    Kerberos authentication and duplicate/missing SPN issues ... 242
    Kerberos Max Token Size ... 243
    Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista ... 243
How to reset the Claims to Windows Token Service account (SharePoint Server 2010) ... 245
    Solution ... 245


Configure Kerberos authentication for SharePoint 2010 Products


Published: July 15, 2010

This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server.

The document also shows how to configure Kerberos authentication end to end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration. The "Step-by-Step Configuration" sections of this document cover the following scenarios for SharePoint Server 2010.

The same information about configuring Kerberos authentication for SharePoint 2010 Products is also available as a set of articles in the TechNet Library. It begins here: Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.
- Scenario 1: Core Configuration
- Scenario 2: Kerberos Authentication for SQL OLTP
- Scenario 3: Identity Delegation for SQL Analysis Services
- Scenario 4: Identity Delegation for SQL Reporting Services
- Scenario 5: Identity Delegation for Excel Services
- Scenario 6: Identity Delegation for PowerPivot for SharePoint
- Scenario 7: Identity Delegation for Visio Services
- Scenario 8: Identity Delegation for PerformancePoint Services
- Scenario 9: Identity Delegation for Business Connectivity Services

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products


Published: December 2, 2010

Microsoft SharePoint 2010 Products introduce significant improvements in how identity is managed in the platform. It is very important to understand how these changes affect solution design and platform configuration to enable scenarios that require user identity to be delegated to integrated systems. The Kerberos version 5 protocol plays a key role in enabling delegation and sometimes may be required in these scenarios.

This set of articles gives you information that helps you do the following:
- Understand the concepts of identity in SharePoint 2010 Products
- Learn how Kerberos authentication plays a very important role in authentication and delegation scenarios
- Identify the situations where Kerberos authentication should be leveraged or may be required in solution designs
- Configure Kerberos authentication end to end within your environment, including scenarios that use various service applications in SharePoint Server
- Test and validate that Kerberos authentication is configured correctly and working as expected
- Find additional tools and resources to help you configure Kerberos authentication in your environment

This set of articles is divided into two major sections:

Overview of Kerberos authentication in SharePoint 2010 Products
This article contains conceptual information about how to manage identity in SharePoint 2010 Products, the Kerberos protocol, and how Kerberos authentication plays a key role in SharePoint 2010 solutions.

Step-by-step configuration
This group of articles discusses the steps that are required to configure Kerberos authentication and delegation in various SharePoint solution scenarios.

Who should read these articles about Kerberos authentication?


Identity and delegation in SharePoint 2010 Products is a broad topic, with many facets and depths of understanding. This set of articles addresses the topic from both conceptual and technical levels and is written to address the needs of various audiences:

Beginning to end
"Tell me everything there is to know about Identity and Kerberos authentication in SharePoint 2010 Products"
If you are only starting out and learning about SharePoint 2010 Products, Kerberos authentication, and claims authentication, you will want to read the first section of this document. It covers the basic concepts of identity and delegation and offers primers about Claims and Kerberos authentication. Be sure to follow the links to external articles and additional information to build a solid foundation of knowledge before continuing on to the step-by-step configuration articles.

Upgrading from Office SharePoint Server 2007
"Tell me what has changed from 2007 and what I should prepare for in upgrading to 2010"
If you have an existing Microsoft Office SharePoint Server 2007 environment already configured to use Kerberos authentication and Kerberos delegation, you should read the following articles:
- Identity scenarios in SharePoint 2010 Products
- Claims primer
- Kerberos authentication changes in Windows 2008 R2 and Windows 7
- Kerberos configuration changes in SharePoint 2010 Products
- Considerations when you are upgrading from Office SharePoint Server 2007

If you have additional questions about how to configure delegation for a particular feature or scenario, read the step-by-step configuration articles, especially the configuration checklists. This will help you ensure that your environment is configured correctly after upgrade.

Step-by-step walkthrough
"I want detailed step-by-step instructions on how to configure Kerberos delegation in SharePoint Server and applicable SharePoint Server service applications"
The step-by-step configuration articles cover several SharePoint 2010 Products scenarios which can be configured to use Kerberos delegation. Each scenario is covered in detail, including a configuration checklist and step-by-step instructions to help you successfully configure Kerberos authentication in your environment. The scenarios covered include the following:
- Scenario 1: Core Configuration
- Scenario 2: Kerberos Authentication for SQL OLTP
- Scenario 3: Kerberos Authentication for SQL Analysis Services
- Scenario 4: Identity Delegation for SQL Reporting Services
- Scenario 5: Identity Delegation for Excel Services
- Scenario 6: Identity Delegation for PowerPivot for SharePoint 2010
- Scenario 7: Identity Delegation for Visio Services
- Scenario 8: Identity Delegation for PerformancePoint Services
- Scenario 9: Identity Delegation for Business Connectivity Services

Be sure to thoroughly review the first core configuration scenario, because it is a prerequisite for all the scenarios that follow.

Note: The scenarios include "SetSPN" commands that you may choose to copy from this document and paste in a Command Prompt window. These commands include hyphen characters. Microsoft Word has an AutoFormat feature that tends to convert hyphens to dash characters. If you have this feature turned on in Word and then do a copy and paste operation, the commands will not work correctly. Change the dashes to hyphens to fix this error. To turn off this AutoFormat feature in Word, select Options from the File menu, click the Proofing tab, and then open the AutoCorrect dialog box.

Existing SharePoint 2010 Product environments
"I have an existing SharePoint 2010 Product environment and I cannot seem to get Kerberos authentication working. How do I validate and debug my configuration?"
The step-by-step configuration articles contain several checklists to help triage your environment in various scenarios. Pay special attention to Scenario 1, Core configuration, which covers basic tools and techniques to triage Kerberos configuration.

Identity scenarios in SharePoint 2010 Products


When learning about identity in the context of authentication in SharePoint 2010 Products, you can conceptually look at how the platform handles identity in three key scenarios: incoming authentication, inter/intra-farm authentication and outgoing authentication.

Incoming Identity
The incoming authentication scenario represents the means by which a client presents its identity to the platform, or in other words authenticates with the web application or web service. SharePoint Server will use the client's identity to authorize the client to access SharePoint Server secured resources such as web pages, documents, and so on. SharePoint 2010 Products support two modes in which a client can authenticate with the platform: Classic mode and Claims mode.

Classic mode
Classic mode allows the typical Internet Information Services (IIS) authentication methods that you may already be familiar with from previous versions of SharePoint Server. When a SharePoint Server 2010 Web Application is configured to use classic mode, you have the option of using the following IIS authentication methods:

Integrated Windows authentication
Integrated Windows authentication enables Windows clients to seamlessly authenticate with SharePoint Server without having to manually provide credentials (user name/password). Users accessing SharePoint Server from Internet Explorer will authenticate by using the credentials that the Internet Explorer process is running under, which by default are the credentials that the user used to log on to the desktop. Services or applications that access SharePoint Server in Windows integrated mode attempt to authenticate by using the credentials of the running thread, which, by default, is the identity of the process.

NTLM
NT LAN Manager (NTLM) is the default protocol type when Integrated Windows authentication is selected. This protocol takes advantage of a three-part challenge-response sequence to authenticate clients. For more information about NTLM, see Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=196643).

Pros:
- It is easy to configure and typically requires no additional infrastructure/environment configuration to function
- It works when the client is not part of the domain, or is not in a domain trusted by the domain that SharePoint Server resides in

Cons:
- It requires SharePoint Server to contact the domain controller every time that a client authentication response needs validation, increasing traffic to the domain controllers.
- It does not allow delegation of client credentials to back-end systems, otherwise known as the double-hop rule.
- It is a proprietary protocol.
- It does not support server authentication.
- It is considered less secure than Kerberos authentication.

Kerberos protocol
The Kerberos protocol is a more secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request, if the request contains valid user credentials and a valid Service Principal Name (SPN). The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The KDC distributes shared secret keys to enable encryption. The client and server computers must also be able to access Active Directory directory services. For Active Directory, the forest root domain is the center of Kerberos authentication referrals. For more information about the Kerberos protocol, see How the Kerberos Version 5 Authentication Protocol Works (http://go.microsoft.com/fwlink/?LinkId=196644) and Microsoft Kerberos (http://go.microsoft.com/fwlink/?LinkId=196645).
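The SPN requirement described above is, in practice, the most common point of failure. If no account holds the SPN for the host name the client requests, the KDC cannot issue a service ticket and Internet Explorer silently falls back to NTLM (so delegation quietly stops working). If two accounts hold the same SPN, the ticket is encrypted with whichever account's key the KDC happened to choose, and the web server fails to decrypt it. The following PowerShell is an added example for this section, not code from the white paper or from SharePoint itself. It searches the forest's Global Catalog for every account that holds a given SPN and classifies each SPN as missing, unique or duplicate. It assumes a domain-joined machine with rights to read the Global Catalog; the host names and SPNs are placeholders.

```powershell
# Added example, not from the white paper. Forest-wide SPN check using
# System.DirectoryServices only (no RSAT / ActiveDirectory module needed).
# Host names below are placeholders: substitute the URLs your web
# applications actually answer on and the SQL instances they talk to.

function Get-SpnHolder {
    param([Parameter(Mandatory = $true)][string]$Spn)

    # SPNs must be unique across the whole forest, so search the Global
    # Catalog of the forest root rather than the local domain only.
    $forestRootDn = ([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $searchRoot   = [ADSI]"GC://$forestRootDn"
    $searcher     = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)

    # Escape LDAP filter metacharacters (RFC 4515) so a pasted or crafted SPN
    # cannot turn into a wildcard or break out of the filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter   = "(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))

    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Spn               = $Spn
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

function Test-SpnRegistration {
    param([Parameter(Mandatory = $true)][string[]]$Spn)

    foreach ($s in $Spn) {
        $holders = @(Get-SpnHolder -Spn $s)
        $state = switch ($holders.Count) {
            0       { 'MISSING: no service ticket can be issued, clients fall back to NTLM' }
            1       { 'OK' }
            default { 'DUPLICATE: KDC may encrypt the ticket with the wrong key, service cannot decrypt it' }
        }
        New-Object PSObject -Property @{
            Spn     = $s
            Holders = ($holders | ForEach-Object { $_.SamAccountName }) -join ', '
            State   = $state
        }
    }
}

# Placeholder SPNs for an intranet web application and its SQL back end.
# Check both the short and fully qualified host forms for HTTP, and both
# the port and port-less forms for SQL, because clients request different
# variants depending on how the service was addressed.
Test-SpnRegistration -Spn @(
    'HTTP/portal',
    'HTTP/portal.contoso.com',
    'MSSQLSvc/sql01.contoso.com:1433',
    'MSSQLSvc/sql01.contoso.com'
) | Format-Table Spn, State, Holders -AutoSize
```

The built-in tool gives the same answers with less control: `setspn -X` scans the forest for duplicate SPNs and `setspn -L <account>` lists what one account holds. A duplicate or wrong-account SPN typically surfaces on the web front end as Kerberos event ID 4 (KRB_AP_ERR_MODIFIED) in the System log.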

Pros:
- Most secure Integrated Windows authentication protocol
- Allows delegation of client credentials
- Supports mutual authentication of clients and servers
- Produces less traffic to domain controllers
- Open protocol supported by many platforms and vendors

Cons:
- Requires additional configuration of infrastructure and environment to function correctly
- Requires that clients have connectivity to the KDC (Active Directory domain controller in Windows environments) over TCP/UDP port 88 (Kerberos) and TCP/UDP port 464 (Kerberos Change Password, Windows)

Other methods
In addition to NTLM and Kerberos authentication, SharePoint Server supports other kinds of IIS authentication such as basic, digest, and certificate-based authentication, which are not covered in this document. For more information about how these protocols function, see Authentication Methods Supported in IIS 6.0 (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=196646).

Claims-based authentication
Support for claims authentication is a new feature in SharePoint 2010 Products and is built on Windows Identity Foundation (WIF). In a claims model, SharePoint Server accepts one or more claims about an authenticating client to identify and authorize the client. The claims come in the form of SAML tokens and are facts about the client stated by a trusted authority. For example, a claim could state, "Bob is a member of the Enterprise Admins group for the domain Contoso.com." If this claim came from a provider trusted by SharePoint Server, the platform could use this information to authenticate Bob and to authorize him to access SharePoint Server resources. For more information about claims authentication, see A Guide to Claims-based Identity and Access Control (http://go.microsoft.com/fwlink/?LinkID=187911).

The kinds of claims that SharePoint 2010 Products support for incoming authentication are Windows Claims, forms-based authentication Claims, and SAML Claims.

Windows Claims
In Windows claims mode sign-in, SharePoint Server authenticates the client using standard Integrated Windows authentication (NTLM/Kerberos), and then translates the resulting Windows Identity into a Claims Identity.

Forms-based authentication Claims
In forms-based authentication claims mode, SharePoint Server redirects the client to a logon page that hosts the standard ASP.NET logon controls. The page authenticates the client by using ASP.NET membership and role providers, similar to how forms-based authentication functioned in Office SharePoint Server 2007. After the identity object that represents the user is created, SharePoint Server then translates this identity into a claims identity object.

SAML Claims
In SAML Claims mode, SharePoint Server accepts SAML tokens from a trusted external Security Token Service (STS). When the user attempts to log on, the user is directed to an external claims provider (for example, the Windows Live ID claims provider) which authenticates the user and produces a SAML token. SharePoint Server accepts and processes this token, augmenting the claims and creating a claims identity object for the user.

For more information about claims-based authentication in SharePoint 2010 Products, see SharePoint Claims-Based Identity.

Note about incoming claims authentication and the Claims to Windows Token Service (C2WTS)
Some service applications require that you use the Windows Identity Foundation (WIF) Claims to Windows Token Service (C2WTS) to translate claims within the farm to Windows credentials for outbound authentication. It is important to understand that the C2WTS only functions if the incoming authentication method is either classic mode or Windows claims. If claims authentication is configured, the web application must use Windows claims only; if multiple forms of claims (multiple claims providers) are enabled on the web application, the C2WTS will not function.
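The C2WTS constraint above is easy to violate after the fact: a zone that Excel Services or Visio Services already depends on gets forms-based authentication added to it, or someone disables Kerberos on the Windows provider to work around a ticket problem, and delegation stops working with no obvious error. The script below is an added example for this section, not code from the white paper or from the product team. It runs in the SharePoint 2010 Management Shell as a farm administrator and reports, for every web application and zone, the authentication mode, whether the Windows provider still permits Negotiate (Kerberos) or has been forced to NTLM, and whether the zone satisfies the rule just stated (classic mode, or Windows claims as the only provider). The `C2WTSCompatible` column encodes exactly that rule.

```powershell
# Added example, not from the white paper. Inventory incoming authentication
# per web application and zone. Run in the SharePoint 2010 Management Shell
# (Windows PowerShell 2.0) as a farm administrator.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-SPIncomingAuthReport {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        # IisSettings is keyed by zone (Default, Intranet, Internet, Custom, Extranet).
        foreach ($zone in @($wa.IisSettings.Keys)) {
            $iis       = $wa.IisSettings[$zone]
            $providers = @()
            $windows   = $null

            if ($wa.UseClaimsAuthentication) {
                $mode      = 'Claims'
                $providers = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone)
                $windows   = $providers |
                    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }
                # In claims mode the Negotiate/NTLM choice is a property of the
                # Windows provider; no Windows provider means no Kerberos at all.
                $kerberosAllowed = ($windows -ne $null) -and (-not $windows.DisableKerberos)
                $providerNames   = ($providers | ForEach-Object { $_.DisplayName }) -join ', '
            } else {
                $mode            = 'Classic'
                # In classic mode the Negotiate/NTLM choice lives on the zone's IIS settings.
                $kerberosAllowed = -not $iis.DisableKerberos
                $providerNames   = 'Windows (classic)'
            }

            # C2WTS works with classic mode, or with claims mode only when the
            # zone has exactly one provider and that provider is Windows.
            $c2wtsOk = ($mode -eq 'Classic') -or (($providers.Count -eq 1) -and ($windows -ne $null))

            New-Object PSObject -Property @{
                WebApplication  = $wa.DisplayName
                Zone            = [string]$zone
                Url             = $wa.GetResponseUri($zone).AbsoluteUri
                Mode            = $mode
                Providers       = $providerNames
                KerberosAllowed = $kerberosAllowed   # $false: zone is NTLM-only, no delegation possible
                C2WTSCompatible = $c2wtsOk
            }
        }
    }
}

Get-SPIncomingAuthReport |
    Format-Table WebApplication, Zone, Url, Mode, KerberosAllowed, C2WTSCompatible, Providers -AutoSize
```

A zone that shows `KerberosAllowed = False` will authenticate users without complaint, but every service behind it that needs the user's identity will hit the NTLM double-hop limit described earlier. The `Url` column is also the host name whose `HTTP/` SPN must be registered on the web application's application pool account.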

Identity within a SharePoint 2010 Products environment


SharePoint 2010 Products environments use claims authentication for intra- and inter-farm communications with most SharePoint service applications and SharePoint integrated products regardless of the incoming authentication mechanism used. This means that even where classic authentication is used to authenticate with a particular web application, SharePoint Products convert the incoming identity into a claims identity to authenticate with SharePoint Service Applications and products that are claims-aware. By standardizing on the claims model for intra/inter-farm communications, the platform can abstract itself from the incoming protocols that are used.

Note: Some products integrated with SharePoint Server, such as SQL Server Reporting Services, are not claims-aware and do not take advantage of the intra-farm claims authentication architecture. SharePoint Server may also rely on classic Kerberos delegation and claims in other scenarios, for example when the RSS viewer web part is configured to consume an authenticated feed. Refer to each product or service application's documentation to determine whether it can support claims-based authentication and identity delegation.

Outbound identity
Outbound identity in SharePoint 2010 Products represents the scenarios where services within the farm have to authenticate with external line-of-business systems and services. Depending on the scenario, authentication can be performed in one of two basic conceptual models:

Trusted subsystem
In the trusted subsystem model, the front-end service authenticates and authorizes the client, and then authenticates with additional back-end services without passing the client identity to the back-end system. The back-end system trusts the front-end service to do authentication and authorization on its behalf. The most common way to implement this model is to use a shared service account to authenticate with the external system.

In SharePoint Server, this model can be implemented in various ways:
- Using the IIS application pool identity: usually achieved by running code in the web application that elevates permissions while making a call to an external system. Other methods such as using RevertToSelf can also use the application pool's identity to authenticate with external systems.
- Using a service account: typically achieved by storing application credentials in the Secure Store, then using those credentials to authenticate with an external system. Other methods include storing the service account credentials in other ways such as embedded connection strings.
- Anonymous authentication: this is where the external system requires no authentication. Therefore the front-end SharePoint Server service does not have to pass any identity to the back-end system.

Delegation
In the delegation model, the front-end service first authenticates the client, and then uses the client's identity to authenticate with another back-end system that performs its own authentication and authorization.

In SharePoint 2010 Products, this model can be implemented in various ways:
- Kerberos delegation: if the client authenticates with the front-end service by using Kerberos authentication, Kerberos delegation can be used to pass the client's identity to the back-end system.
- Claims: claims authentication allows the client's claims to be passed between services as long as there is trust between the two services and both are claims-aware.

Note: Currently, most of the service applications that are included with SharePoint Server do not allow for outbound claims authentication, but outbound claims is a platform capability that will be taken advantage of in the future. Further, many of the most common line-of-business systems today do not support incoming claims authentication, which means that using outbound claims authentication may not be possible or will require additional development to work correctly.

Delegation across domain and forest boundaries


The scenarios in this set of articles about Kerberos authentication require that the SharePoint Server service and external data sources reside in the same Windows domain, which is required for Kerberos constrained delegation. The Kerberos protocol supports two kinds of delegation, basic (unconstrained) and constrained. Basic Kerberos delegation can cross domain boundaries in a single forest, but cannot cross a forest boundary regardless of trust relationship. Kerberos constrained delegation cannot cross domain or forest boundaries in any scenario.

Some SharePoint Server services can be configured to use basic Kerberos delegation, but other services require that you use constrained delegation. Any service that relies on the Claims to Windows Token Service (C2WTS) must use Kerberos constrained delegation to allow the C2WTS to use Kerberos protocol transition to translate claims into Windows credentials.

The following service applications and products require the C2WTS and Kerberos constrained delegation:
- Excel Services
- PerformancePoint Services
- Visio Services

The following service applications and products are not affected by these requirements, and therefore can use basic delegation, if it is required:
- Business Data Connectivity service and Microsoft Business Connectivity Services
- InfoPath Forms Services
- Access Services
- Microsoft SQL Server Reporting Services (SSRS)
- Microsoft Project Server 2010

The following service application does not allow delegation of client credentials and therefore is not affected by these requirements:
- Microsoft SQL Server PowerPivot for Microsoft SharePoint

Claims primer
For an introduction to Claims concepts and Claims-based authentication, see An Introduction to Claims (http://go.microsoft.com/fwlink/?LinkId=196648) and SharePoint Claims-Based Identity (http://go.microsoft.com/fwlink/?LinkID=196647).

Kerberos protocol primer


For a conceptual overview of the Kerberos protocol, see Microsoft Kerberos (Windows) (http://go.microsoft.com/fwlink/?LinkID=196645), Kerberos Explained (http://go.microsoft.com/fwlink/?LinkId=196649), and Ask the Directory Services Team: Kerberos for the Busy Admin (http://go.microsoft.com/fwlink/?LinkId=196650).

Benefits of the Kerberos protocol


BeforeexaminingthedetailsofhowoneconfiguresSharePointServer(oranyweb application)tousetheKerberosprotocol,let'stalkabouttheKerberosprotocol generallyandwhyyoumightwanttouseit. TypicallytherearethreemainreasonstousetheKerberosprotocol: 1. DelegationofclientcredentialsTheKerberosprotocolallowsaclient'sidentityto beimpersonatedbyaservicetoallowtheimpersonatingservicetopassthat identitytoothernetworkservicesontheclient'sbehalf.NTLMdoesnotallowthis delegation.(ThislimitationNTLMiscalledthe"doublehoprule").Claims authentication,likeKerberosauthentication,canbeusedtodelegateclient credentialsbutrequiresthebackendapplicationtobeclaimsaware. 2. SecurityFeaturessuchasAESencryption,mutualauthentication,supportfordata integrityanddataprivacy,justtonameafew,maketheKerberosprotocolmore securethanitsNTLMcounterpart. 3. PotentiallybetterperformanceKerberosauthenticationrequireslesstrafficto thedomaincontrollerscomparedwithNTLM(dependingonPACverification,see

Microsoft Open Specification Support Team Blog: Understanding Microsoft Kerberos PAC Validation).IfPACverificationisdisabledornotneeded,theservicethat authenticatestheclientdoesnothavetomakeanRPCcalltotheDC(see:You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003).

Kerberosauthenticationalsorequireslesstrafficbetweenclientandserver comparedwithNTLM.Clientscanauthenticatewithwebserversintwo request/responsesvs.thetypicalthreeleghandshakewithNTLM.However,this improvementistypicallynotnoticedonlowlatencynetworksonapertransaction basis,butcantypicallybenoticedinoverallsystemthroughput.Rememberthat manyenvironmentalfactorscanaffectauthenticationperformance;therefore KerberosauthenticationandNTLMshouldbeperformancetestedinyourown environmentbeforeyoudeterminewhetheronemethodperformsbetterthanthe other.


Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

This is an incomplete list of the advantages of using the Kerberos protocol. There are other reasons like mutual authentication, cross-platform interoperability, and transitive cross-domain trust, to name a few. However, in most cases one typically finds delegation and security to be the primary drivers in adoption of the Kerberos protocol.

Kerberos delegation, constrained delegation, and protocol transition


The Kerberos version 5 protocol on the Windows platform supports two kinds of identity delegation: basic (unconstrained) delegation and constrained delegation:

| Type | Advantages | Disadvantages |
|---|---|---|
| Basic delegation | Can cross domain boundaries in a single forest. Requires less configuration than constrained delegation. | Does not support protocol transition. Less secure: if the front-end service is compromised, client identity can be delegated to any service in the forest that accepts Kerberos authentication. |
| Constrained delegation | Can transition a non-Kerberos incoming authentication protocol to Kerberos (example: NTLM to Kerberos, Claims to Kerberos). More secure: identities can only be delegated to the specified services. | Cannot cross domain boundaries. Requires additional setup configuration. |

Kerberos-enabled services can delegate identity multiple times across multiple services and multiple hops. As an identity travels from service to service, the delegation method can change from basic to constrained but not in reverse. This is an important design detail to understand: if a back-end service requires basic delegation (for example to delegate across a domain boundary), all services in front of the back-end service must use basic delegation. If any front-end service uses constrained delegation, the back-end service cannot change the constrained token into an unconstrained token to cross a domain boundary.

Protocol transition allows a Kerberos-enabled authenticating service (front-end service) to convert a non-Kerberos identity into a Kerberos identity that can be delegated to other Kerberos-enabled services (back-end service). Protocol transition requires Kerberos constrained delegation and therefore protocol-transitioned identities cannot cross domain boundaries. Depending on the user rights of the front-end service, the Kerberos ticket returned by protocol transition can be an identification token or an impersonation token. For more information about constrained delegation and protocol transition, see the following articles:
- Kerberos Protocol Transition and Constrained Delegation (http://technet.microsoft.com/en-us/library/cc739587(WS.10).aspx)
- Protocol Transition with Constrained Delegation Technical Supplement (http://msdn.microsoft.com/en-us/library/ff650469.aspx)
- Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop Scenarios (http://support.microsoft.com/kb/2005838)

As a general best practice, if Kerberos delegation is required, one should use constrained delegation if it is possible. If delegation across domain boundaries is required, then all services in the delegation path must use basic delegation.

Kerberos authentication changes in Windows 2008 R2 and Windows 7


Windows Server 2008 R2 and Windows 7 introduce new features to Kerberos authentication. For an overview of the changes, see Changes in Kerberos Authentication (http://go.microsoft.com/fwlink/?LinkId=196655) and Kerberos Enhancements (http://go.microsoft.com/fwlink/?LinkId=196656). In addition, you should make yourself familiar with IIS 7.0 Kernel Mode authentication (Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings, http://go.microsoft.com/fwlink/?LinkId=196657) even though it is not supported in SharePoint Server farms.


Kerberos configuration changes in SharePoint 2010 Products


Most of the basic concepts of configuring Kerberos authentication in SharePoint 2010 Products have not changed. You still have to configure service principal names and you still have to configure delegation settings on computer and service accounts. However, there are several changes that you should be aware of:

- Constrained delegation is required for services which use the Claims to Windows Token Service. Constrained delegation is required to allow protocol transition to convert claims to Windows tokens.
- Service applications: in Office SharePoint Server 2007, the SSP services required special SPNs and server registry changes to enable delegation. In SharePoint 2010 Products, service applications use claims authentication and the Claims to Windows Token Service, so these changes are no longer needed.
- Windows Identity Foundation (WIF): the WIF Claims to Windows Token Service (C2WTS) is a new service leveraged by SharePoint 2010 Products to convert claims to Windows tokens for delegation scenarios.

Considerations when you are upgrading from Office SharePoint Server 2007
If you are upgrading an Office SharePoint Server 2007 farm to SharePoint Server 2010, there are several things you should consider as you complete the upgrade:

- If web applications are changing URLs, make sure that you update the Service Principal Names to reflect the DNS names.
- Delete the SSP service principal names, because they are no longer needed in SharePoint Server 2010.
- Start the Claims to Windows Token Service on the servers that are running service applications that require delegation (for example, Excel Services, Visio Graphics Service).
- Configure Kerberos constrained delegation with "use any authentication protocol" to allow Kerberos constrained delegation with the C2WTS.
- Ensure Kernel mode authentication is disabled in IIS.


Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)


Published: December 2, 2010

In the scenario articles that follow, we build out a SharePoint Server 2010 environment to demonstrate how to configure delegation in a number of common scenarios you might encounter in the enterprise. The walkthroughs assume you are building out a scaled-out SharePoint farm similar to what is described in the following section.

Note: Some of the configuration steps may change, or may not work in certain farm topologies. For instance, a single-server install does not support the Windows Identity Foundation C2WTS service, so claims to Windows token delegation scenarios are not possible with this farm configuration.

Environment and farm topology


The following diagram illustrates the farm topology used when configuring the scenarios in the sections below. The farm topology is load balanced and scaled out between multiple tiers to demonstrate how identity delegation would work in multi-server, multi-hop scenarios.


Note: The farm configuration in the demonstrations is not meant to be a reference architecture or an example of how to design a topology for production environments. For example, the demo topology runs all SharePoint Server 2010 service applications on a single server, which creates a single point of failure for these services. For more information on how to design and build a production SharePoint Server environment, see SharePoint Server 2010 Physical and Logical Architecture and Topologies for SharePoint Server 2010.


Note: The scenario walkthroughs assume that all computers that are running SharePoint Server and the data sources used in the scenario below reside in a single domain. An explanation and walkthrough of multi-domain/multi-forest configuration is not covered in this document.

Environment specification

All computers in the demonstration environment are virtualized, running on Windows Server 2008 R2 Hyper-V. The computers are joined to a single Windows domain, vmlab.local, running in Windows Server 2008 Forest and Domain function levels.

Client Computer
- Windows 7 Professional, 64-bit

SharePoint Server front-end Webs
- Windows Server 2008 R2 Enterprise, 64-bit
- Services: Web Application Service
- Load balanced with Windows NLB

SharePoint Server Application Server
- Windows Server 2008 R2 Enterprise, 64-bit
- Microsoft SharePoint Server 2010 (RTM)
- Services: WIF Claims to Windows Token Service, Managed Metadata Service, SharePoint Index, SharePoint Query, Excel Services, Visio Graphics Service, Business Connectivity Services, PerformancePoint Services

SQL Services
- Windows Server 2008 R2 Enterprise, 64-bit
- Microsoft SQL Server 2008 R2 Enterprise, 64-bit
- Active/Passive Configuration
- SQL Server Services: SQL Data Engine, SQL Server Analysis Services, SQL Agent, SQL Browser

SQL Reporting Server
- Windows Server 2008 R2 Enterprise, 64-bit (RTM)
- Microsoft SQL 2008 R2 Enterprise, 64-bit (RTM)
- Microsoft SharePoint Server 2010 (RTM)
- Windows NLB, load balanced
- Reporting Services SharePoint integration mode
- Reporting Services, scaled-out mode

Web Application specification


The scenarios in the walkthrough reference a set of SharePoint Server 2010 web applications you will configure in Scenario 1. The following web applications are load balanced using Windows NLB across the two SharePoint Server web front-ends in the demonstration environment:

- http://sp10CA: the Central Administration web application for the farm. Scenario 1 will not walk through the configuration of this web application.
- http://portal and https://portal: web application with a demonstration publishing portal. It is used to demonstrate how to configure delegation for web applications running on standard ports (HTTP 80, HTTPS 443).
- http://teams:5555: web application with a demonstration team site. It is used to demonstrate how to configure delegation for web applications running on non-standard ports, in this example port 5555.


SSL configuration
Some of the walkthrough scenarios will use SSL to demonstrate how to configure delegation with HTTPS. It is assumed that the certificates being used come from a trusted root certificate authority, either internal or public, or you have configured all computers to trust the certificates being used. The document will not cover how to properly configure certificate trust nor will it provide guidance about debugging issues related to SSL certificate installation. It is highly recommended to review these topics and test your SSL configuration before configuring Kerberos constrained delegation with SSL-protected services. For more information see:

- Active Directory Certificate Services Overview (http://go.microsoft.com/fwlink/?LinkId=196660)
- Active Directory Certificate Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=196661)
- Configuring Server Certificates in IIS 7 (http://go.microsoft.com/fwlink/?LinkId=196662)
- How to Set Up SSL on IIS 7: Configuring Security: Installing and Configuring IIS 7: The Official Microsoft IIS Site (http://go.microsoft.com/fwlink/?LinkID=193447)
- Add a Binding to a Site (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=196663)
- Configure a Host Header for a Web Site (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=196664) (how to use SSL with host headers)
- Create a Self-Signed Server Certificate in IIS 7 (http://go.microsoft.com/fwlink/?LinkId=196665)

Load balancing
Load balancing on the SharePoint Server front-end Webs and SQL Server Reporting Services servers was implemented by using Windows Server 2008 Network Load Balancing (NLB). How to configure NLB and NLB best practices are not covered in this document. For more information on NLB, refer to Overview of Network Load Balancing.

SQL aliasing
The farm was built using a SQL client alias to connect to the SQL cluster. This is typically a best practice and was done to demonstrate how Kerberos authentication is configured when SQL aliasing is used. Scenario 2 assumes the environment is configured in this manner, but it is not required to use SQL aliases to complete any of the scenarios below. For more information on how to configure SQL aliases see How to: Create a Server Alias for Use by a Client (SQL Server Configuration Manager).

SharePoint Server Services and service accounts


The scenarios below implement a least-privilege model where each service in the SharePoint farm leverages a separate, distinct Active Directory account for its service identity. Using a least-privilege model has advantages and disadvantages:

Advantages:

- The administrator can control the permissions of each service in a fine-grained way. This includes domain permissions, local permissions and privileges, delegation rights and other settings.
- Better auditing and traceability. By ensuring each service leverages its own identity, an administrator can track network and system activity back to the specific service based on the identity captured in audit files. For example, if a server audit log shows logon activity for a particular account, the account could be used to trace the activity to a particular service.
- Better security. By leveraging separate accounts for each service, an administrator ensures that if one account is compromised, the damage due to the security issue is potentially limited because only the service that is using the compromised account is affected. Note that if any account becomes compromised, a holistic security assessment of the entire environment should be performed to determine the most appropriate action to address the security issue.

Disadvantages:

- Increased account management complexity. Having more service accounts translates to more Active Directory configuration and more password management policies to enforce.
- Additional configuration. As seen in the step-by-step guide below, once a SharePoint Server administrator makes the decision to leverage a least-privilege model, there are additional steps she or he must perform to configure the environment correctly.
- Increased administration complexity. The probability of misconfiguration increases as the complexity of the environment increases. When you leverage multiple accounts, there is a chance that certain services will be misconfigured, which can lead to functionality issues and triage needed to correct the issues.

Be aware that using separate service accounts is not a requirement of SharePoint Server but a general recommendation for production environments. The steps in the rest of this paper outline how to configure SharePoint Server when you are using separate accounts; some of these steps may not apply when you are using shared accounts.

C2WTS Service Identity


The steps below assume a least-privilege security model and leverage discrete service accounts for each SharePoint Server service. The C2WTS is configured to use a separate Active Directory account instead of the default local system account to follow this design tenet. When you use a distinct account, the individual delegation rights granted to the C2WTS can be managed separately from other services on the server that are also using the local system account. Note that this is not a product requirement, but a recommended practice.

Tips for working through the scenarios


The scenarios below walk through various activities needed to configure Kerberos delegation across different functions of the SharePoint Server platform. As you go through each section:

- All the scenarios assume you have your web applications configured for incoming classic authentication (Kerberos). Some scenarios below require classic authentication and will not function as documented with incoming claims authentication.
- Get the SharePoint Server services working first without delegation to ensure the service applications are configured correctly before moving on to more challenging configurations with delegation.
- Try to pay special attention to each step and avoid skipping any steps.
- Work through scenario 1 and spend time using the debugging tools mentioned in the scenario, as they can be used in other scenarios to triage configuration issues.
- Remember to work through scenario 2. You'll need a computer running SQL Server that is configured to accept Kerberos authentication, and you will require the test database that you set up in this scenario for some of the later scenarios.
- Always double-check SPN configuration in each scenario by using SetSPN -X and SetSPN -Q. See the appendix for more information.
- Always be sure to check the server event logs and ULS logs when attempting to debug a configuration issue. There are typically good pointers in these logs which can quickly point out the issues you are encountering.
- Turn up diagnostic logging for SharePoint Foundation > Claims Authentication and any service applications that you are attempting to triage if issues occur.
- Remember that each scenario may be affected by service application caching. If you make configuration changes but do not see changes in platform behavior, try restarting the service's application pool or Windows service. If this has no effect, sometimes a system reboot will help.
- Remember that Kerberos tickets are cached once requested. If you are using a tool like NetMon to view TGT and TGS requests, you may need to empty the ticket cache if you don't see the request traffic you expect. Scenario 1, Configuring Kerberos authentication: Core configuration (SharePoint Server 2010), explains how to do this with the KLIST and KerbTray utilities.
- Remember to run NetMon with Administrative privileges to capture Kerberos traffic.
- For advanced debugging scenarios you may want to turn on WIF tracing for the Claims to Windows Token Service and WCF tracing for the SharePoint Service Applications (WCF services). See:
  - WIF Tracing
  - How to: Enable Tracing
  - Configuring Tracing


Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)


Published: December 2, 2010

In the first scenario you will configure two SharePoint Server 2010 web applications to use the Kerberos protocol for authenticating incoming client requests. For demonstration purposes, one web application will be configured to use standard ports (80/443) and the other will use a non-default port (5555). This scenario will be the basis of all the following scenarios, which assume the activities below have been completed.

Important: It is a requirement to configure your web applications with classic Windows authentication using Kerberos authentication to ensure that the scenarios work as expected. Windows Claims authentication can be used in some scenarios but may not produce the results detailed in the scenarios below.

Note: If you are installing on Windows Server 2008, you may need to install the following hotfix for Kerberos authentication: A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083).

In this scenario you do the following things:

- Configure two web applications with default zones that use the Kerberos protocol for authentication
- Create two test site collections, one in each web application
- Verify the IIS configuration of the web application
- Verify that clients can authenticate with the web application and ensure that the Kerberos protocol is used for authentication
- Configure the RSS Viewer web part to display RSS feeds in a local and remote web application
- Crawl each web application and test searching content in each test site collection

Configuration checklist

| Area of Configuration | Description |
|---|---|
| DNS | Register a DNS A Record for the web applications' network load balanced (NLB) virtual IP (VIP). |
| Active Directory | Create a service account for each web application's IIS application pool. Register Service Principal Names (SPNs) for the web applications on the service account created for each web application's IIS application pool. Configure Kerberos constrained delegation for the service accounts. |
| SharePoint Web App | Create SharePoint Server managed accounts. Create the SharePoint Search Service Application. Create the SharePoint web applications. |
| IIS | Validate that Kerberos authentication is enabled. Verify Kernel mode authentication is disabled. Install certificates for SSL. |
| Windows 7 Client Configuration | Ensure web application URLs are in the intranet zone, or a zone configured to automatically authenticate with integrated Windows authentication. |
| Firewall Configuration | Open firewall ports to allow HTTP traffic in on default and non-default ports. Ensure clients can connect to Kerberos ports on the Active Directory domain controllers. |
| Test Browser Authentication | Verify authentication works correctly in the browser. Verify logon information in the web servers' security event log. Use third-party tools to confirm Kerberos authentication is configured correctly. |
| Test SharePoint Server Search Index and Query | Verify browser access from the index server(s). Upload sample content and perform a crawl. Test search. |
| Test WFE Delegation | Configure RSS Feed sources on each site collection. Add RSS viewer web parts to the home page of each site collection. |

Step-by-step configuration instructions


Configure DNS

Configure DNS for the web applications in your environment. In this example we have 2 web applications, http://portal and http://teams:5555, which both resolve to the same NLB VIP (192.168.24.140/24). For general information about how to configure DNS, see Managing DNS Records.

SharePoint Server Web apps


- http://portal: configure a new DNS A Record for the portal web application. In this example we have a host "portal" configured to resolve to the load balanced VIP.
- http://teams:5555: configure a new DNS A Record for the teams web application.


Note: It is important to ensure the DNS entries are A Records and not CNAME aliases for Kerberos authentication to work successfully in environments with more than one web application running with host headers and separate dedicated service accounts. See Kerberos configuration known issues (SharePoint Server 2010) for an explanation of the known issue with using CNAME with Kerberos-enabled web applications.

Configure Active Directory


Next you will configure the Active Directory accounts for the web applications in your environment. As a best practice you should configure each web application to run in its own IIS application pool with its own security context (application pool identity).

SharePoint Service Application Service Accounts


In our example we have two SharePoint Server web applications running in two separate IIS application pools, each with its own application pool identity.

| Web Application (default zone) | IIS App Pool Identity |
|---|---|
| http://portal | vmlab\svcPortal10App |
| http://teams:5555 | vmlab\svcTeams10App |

Service Principal Names (SPNs)


For each service account, configure a set of service principal names that map to the DNS host names assigned to each web application.

Use SetSPN, a command-line tool in Windows Server 2008, to configure a new service principal name. For a full explanation of how to use SetSPN, see Setspn. To learn about SetSPN improvements in Windows Server 2008, see Care, Share and Grow!: New features in SETSPN.EXE on Windows Server 2008.

All SharePoint Server web applications, regardless of port number, use the following SPN format:

    HTTP/<DNS host name>
    HTTP/<DNS FQDN>

Example:

    HTTP/portal
    HTTP/portal.vmlab.local

For web applications running on non-default ports (ports other than 80/443) register additional SPNs with the port number:

    HTTP/<DNS host name>:<port>
    HTTP/<DNS FQDN>:<port>

Example:

    HTTP/teams:5555
    HTTP/teams.vmlab.local:5555

Note: See the appendix for an explanation of why it is recommended to configure SPNs both with and without the port number for HTTP services running on non-default ports (ports other than 80, 443). Technically the correct way to refer to an HTTP service that runs on a non-default port is to include the port number in the SPN, but because of known issues described in the appendix we need to configure SPNs without the port as well. Note that the SPNs without a port for the teams web application do not mean services will be accessed using the default ports (80, 443) in our example.

In our example we configured the following service principal names for the two accounts we created in the previous step:

| DNS Host | IIS App Pool Identity | Service Principal Names |
|---|---|---|
| Portal.vmlab.local | vmlab\svcPortal10App | HTTP/Portal, HTTP/Portal.vmlab.local |
| Teams.vmlab.local | vmlab\svcTeams10App | HTTP/Teams, HTTP/Teams.vmlab.local, HTTP/Teams:5555, HTTP/Teams.vmlab.local:5555 |

To create the service principal names the following commands were executed:

    SetSPN -S HTTP/Portal vmlab\svcportal10App
    SetSPN -S HTTP/Portal.vmlab.local vmlab\svcportal10App
    SetSPN -S HTTP/Teams vmlab\svcTeams10App
    SetSPN -S HTTP/Teams.vmlab.local vmlab\svcTeams10App
    SetSPN -S HTTP/Teams:5555 vmlab\svcTeams10App
    SetSPN -S HTTP/Teams.vmlab.local:5555 vmlab\svcTeams10App

Important: Do not configure service principal names with HTTPS even if the web application uses SSL.

In our example we used a new command-line switch, -S, introduced in Windows Server 2008 that checks for the existence of the SPN before creating the SPN on the account. If the SPN already exists, the new SPN is not created and you see an error message.

If duplicate SPNs are found, you have to resolve the issue by either using a different DNS name for the web application, thereby changing the SPN, or by removing the existing SPN from the account it was discovered on.

Important: Before deleting an existing SPN, be sure it is no longer needed, otherwise you may break Kerberos authentication for another application in your environment.
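The SPN registration above, scripted as an added example (not code from the white paper): it derives the with-port and without-port SPN set for each web application, checks each SPN with SetSPN -Q before registering it with -S, and finishes with a forest-wide -X duplicate search. The host names, ports and service accounts are the ones from the tables above; run it from an elevated prompt on a domain-joined server as a user allowed to write the service accounts' SPNs.

```powershell
# Added example: register and verify the HTTP SPNs for the portal and teams
# web applications. Values below are taken from the walkthrough's tables.
$webApps = @(
    @{ Host = 'portal'; Fqdn = 'portal.vmlab.local'; Port = 80;   Account = 'vmlab\svcPortal10App' },
    @{ Host = 'teams';  Fqdn = 'teams.vmlab.local';  Port = 5555; Account = 'vmlab\svcTeams10App' }
)

function Get-WebAppSpnList {
    param($App)
    # Every HTTP web application gets host and FQDN SPNs without a port.
    $spns = @("HTTP/$($App.Host)", "HTTP/$($App.Fqdn)")
    # Non-default ports (anything other than 80/443) also get port-qualified
    # SPNs, as the walkthrough does for http://teams:5555.
    if ($App.Port -ne 80 -and $App.Port -ne 443) {
        $spns += "HTTP/$($App.Host):$($App.Port)"
        $spns += "HTTP/$($App.Fqdn):$($App.Port)"
    }
    return $spns
}

foreach ($app in $webApps) {
    $account = $app.Account
    foreach ($spn in (Get-WebAppSpnList $app)) {
        # setspn -Q reports "Existing SPN found!" when the SPN is already
        # registered on any account in the forest. A duplicate must be
        # resolved by hand (different DNS name or removal from the other
        # account), never by registering the SPN a second time.
        $query = & setspn -Q $spn 2>&1
        if ($query -match 'Existing SPN found') {
            Write-Warning "$spn already exists; review before changing:`n$($query -join "`n")"
            continue
        }
        # -S adds the SPN only after its own duplicate check (Windows Server 2008+).
        & setspn -S $spn $account | Out-Null
        Write-Host "Registered $spn on $account"
    }
}

# Show what each account now carries, then search the whole forest for
# duplicates; anything other than zero duplicate groups needs attention.
foreach ($app in $webApps) { & setspn -L $app.Account }
& setspn -X
```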

Service Principal Names and SSL


It is common to confuse Kerberos Service Principal Names with URLs for HTTP web applications because the SPN and URI formats are very similar in syntax, but it's important to understand that they are two very separate and unique things. Kerberos service principal names are used to identify a service, and when that service is an HTTP application, the service scheme is "HTTP" regardless of whether the service is accessed with SSL or not. This means that even if you access the web application using "https://someapp" you do not, and should not, configure a service principal name with HTTPS, for example "HTTPS/someapp".

Configure Kerberos constrained delegation for computers and service accounts


Depending on the scenario, some functionality in SharePoint Server 2010 may require constrained delegation to function properly. For example, if the RSS viewer web part is configured to display an RSS feed from an authenticated source it will require delegation to consume the source feed. In other situations it may be required to configure constrained delegation to allow service applications (such as Excel Services) to delegate the client's identity to back-end systems.

In this scenario we will configure Kerberos constrained delegation to allow the RSS viewer web part to read a secured local RSS feed and a secured remote RSS feed from a remote web application. In later scenarios we will configure Kerberos constrained delegation for other SharePoint Server 2010 service applications.

The following diagram conceptually describes what will be configured in this scenario:

We have two web applications, each with their own site collection with a site page hosting two RSS viewer web parts. The web applications each have a single default zone configured to use Kerberos authentication, so all feeds coming from these web sites will require authentication. In each site one RSS viewer will be configured to read a local RSS feed from a list and the other will be configured to read an authenticated feed in the remote site.

To accomplish this, Kerberos constrained delegation will be configured to allow delegation between the IIS application pool service accounts. The following diagram conceptually describes the constrained delegation paths needed:


Remember that we identify the web application by service name using the Service Principal Name (SPN) assigned to the identity of the IIS application pool. The service accounts processing requests must be allowed to delegate the client identity to the designated services. All together we have the following constrained delegation paths to configure:

| Principal Type | Principal Name | Delegates To Service |
|---|---|---|
| User | svcPortal10App | HTTP/Portal, HTTP/Portal.vmlab.local, HTTP/Teams, HTTP/Teams.vmlab.local, HTTP/Teams:5555, HTTP/Teams.vmlab.local:5555 |
| User | svcTeams10App | HTTP/Portal, HTTP/Portal.vmlab.local, HTTP/Teams, HTTP/Teams.vmlab.local, HTTP/Teams:5555, HTTP/Teams.vmlab.local:5555 |

Note: It may seem redundant to configure delegation from a service to itself, such as the portal service account delegating to the portal service application, but this is required in scenarios where you have multiple servers running the service. This is to address the scenario where one server may need to delegate to another server running the same service; for instance a WFE processing a request with an RSS viewer which uses the local web application as the data source. Depending on farm topology and configuration there is a possibility that the RSS request may be serviced by a different server, which would require delegation to work correctly.

To configure delegation you can use the Active Directory Users and Computers snap-in. Right-click each service account and open the properties dialog. In the dialog you will see a tab for delegation (note that this tab only appears if the object has an SPN assigned to it; computers have an SPN by default). On the delegation tab, select Trust this user for delegation to specified services only, then select Use any authentication protocol.


Click the Add button to add the services the user (service account) will be allowed to delegate to. To select an SPN, you will look up the object the SPN is applied to. In our instance, we are trying to delegate to an HTTP service, which means we search for the service account of the IIS application pool that the SPN was assigned to in the previous step.


On the Select Users or Computers dialog box, click Users and Computers, search for the IIS application pool service accounts (in our example vmlab\svcPortal10App and vmlab\svcTeams10App) and then click OK.

You will then be prompted to select the services assigned to the objects by service principal name.


On the Add Services dialog box, click Select All then click OK. Note that when you return to the delegation dialog you do not actually see all the SPNs selected. To see all SPNs, check the Expanded check box in the lower left-hand corner.


Perform these steps for each service account in your environment that requires delegation. In our example these are the service accounts listed in the delegation table above.
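The same delegation settings made with the Active Directory module instead of the ADUC dialog, as an added example that is not part of the white paper: it writes the msDS-AllowedToDelegateTo list from the table above, sets the "Use any authentication protocol" flag (TRUSTED_TO_AUTH_FOR_DELEGATION) while keeping unconstrained delegation off, and reads both back for verification. It assumes the ActiveDirectory module (RSAT or Windows Server 2008 R2) and the account names from the walkthrough.

```powershell
# Added example: Kerberos constrained delegation with protocol transition for
# the two IIS app pool accounts, equivalent to "Trust this user for delegation
# to specified services only" + "Use any authentication protocol" in ADUC.
Import-Module ActiveDirectory

# Target services from the constrained delegation table above.
$delegateTo = @(
    'HTTP/Portal',     'HTTP/Portal.vmlab.local',
    'HTTP/Teams',      'HTTP/Teams.vmlab.local',
    'HTTP/Teams:5555', 'HTTP/Teams.vmlab.local:5555'
)
$serviceAccounts = @('svcPortal10App', 'svcTeams10App')

# userAccountControl bits (constants from the AD schema, not from the paper).
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: must stay clear
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: must be set

foreach ($sam in $serviceAccounts) {
    $user = Get-ADUser -Identity $sam -Properties servicePrincipalName
    if (-not $user.servicePrincipalName) {
        # The Delegation tab only appears for objects that carry an SPN, and
        # delegation to this account cannot work until its HTTP SPNs exist.
        Write-Warning "$sam has no SPN registered; register its HTTP SPNs first."
    }

    # -Replace (not -Add) so the list matches the table exactly on every run
    # and stale targets from earlier experiments are dropped.
    Set-ADUser -Identity $sam -Replace @{ 'msDS-AllowedToDelegateTo' = $delegateTo }

    # Constrained delegation with protocol transition. Unconstrained delegation
    # is explicitly turned off: it would let a compromised front end obtain
    # tickets for any Kerberos service in the forest.
    Set-ADAccountControl -Identity $sam -TrustedToAuthForDelegation $true -TrustedForDelegation $false
}

# Verify by reading the raw attribute and UAC bits back from the directory.
foreach ($sam in $serviceAccounts) {
    $u = Get-ADUser -Identity $sam -Properties userAccountControl, msDS-AllowedToDelegateTo
    $uac = [int]$u.userAccountControl
    [pscustomobject]@{
        Account            = $sam
        ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)  # expect True
        Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)          # expect False
        DelegatesTo        = ($u.'msDS-AllowedToDelegateTo' -join ', ')
    }
}
```

Remember the caching note from the tips section: an already-issued service ticket will not reflect the new delegation settings until the ticket cache is purged or the ticket expires.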

Configure SharePoint Server


Once Active Directory and DNS are configured, it's time to create the web applications in your SharePoint Server 2010 farm. This paper assumes that the installation of SharePoint Server is complete at this point and the farm topology and supporting infrastructure, for instance load balancing, is configured. For more information about how to install and configure your SharePoint farm, see: Deployment for SharePoint Server 2010.

Configure managed service accounts


Before creating your web applications, configure the service accounts created in the previous steps as managed accounts in SharePoint Server. Doing so ahead of time will allow you to skip this step when creating the web applications themselves.

To configure a managed account

1. In SharePoint Central Administration, click Security.

2. Under General Security click Configure managed accounts.

3. Click Register Managed Account and create a managed account for each service account. In this example we created five managed service accounts:

| Account | Purpose |
|---|---|
| VMLAB\svcSP10Search | SharePoint Search Service Account |
| VMLAB\svcSearchAdmin | SharePoint Search Administration Service Account |
| VMLAB\svcSearchQuery | SharePoint Search Query Service Account |
| VMLAB\svcPortal10App | Portal Web App IIS Application Pool Account |
| VMLAB\svcTeams10App | Teams Web App IIS Application Pool Account |

Note: Managed accounts in SharePoint Server 2010 are not the same as managed service accounts in Windows Server 2008 R2 Active Directory.

Create the SharePoint Server Search Service Application


In this example we will configure the SharePoint Server Search Service Application to ensure the newly created web applications can be crawled and searched successfully. Create a new SharePoint Server Search Service Application and place the Search, Query and Administration services on the application server, in our example vmSP10App01. For a detailed explanation on how to configure the Search Service Application, see Step-by-Step: Provisioning the Search Service Application.

Note: The placement of all Search services on a single application server is for demonstration purposes only. A complete discussion about SharePoint Server 2010 Search topology options and best practices is out of scope for this document.

Create the Web Application


Browse to Central Administration and navigate to Manage Web Applications in the Application Management section. In the toolbar, select New and create your web application. Ensure that the following is configured:

- Select Classic Mode Authentication.
- Configure the port and host header for each web application.
- Select Negotiate as the Authentication Provider.
- Under application pool, select Create new application pool and select the managed account created in the previous step.

In this example, two web applications were created with the following settings:

| Setting | http://Portal Web Application | http://Teams Web Application |
|---|---|---|
| Authentication | Classic Mode | Classic Mode |
| IIS Web Site | Name: SharePoint Portal 80; Port: 80; Host Header: Portal | Name: SharePoint Teams 5555; Port: 5555; Host Header: Teams |
| Security Configuration | Auth Provider: Negotiate; Allow Anonymous: No; Use Secure Sockets Layer: No | Auth Provider: Negotiate; Allow Anonymous: No; Use Secure Sockets Layer: No |
| Public URL | http://Portal:80 | http://Teams:5555 |
| Application Pool | Name: SharePoint Portal 80; Security Account: vmlab\svcPortal10App | Name: SharePoint Teams 5555; Security Account: vmlab\svcTeams10App |

When creating the new web application you are also creating a new zone, the default zone, configured to use the Windows authentication provider. You can see the provider and its settings for the zone in web application management by first selecting the web application, then clicking Authentication Providers in the toolbar. The authentication providers dialog box lists all the zones for the selected web application along with the authentication provider for each zone. By selecting the zone, you will see the authentication options for that zone.

The authentication providers dialog will list all the zones for the selected web application along with the authentication provider for each zone:

By selecting the zone, you will see the authentication options for that zone:

If you misconfigured the Windows settings and selected NTLM when the web application was created, you can use the edit authentication dialog for the zone to switch the zone from NTLM to Negotiate. If classic mode was not selected as the authentication mode, you must either create a new zone by extending the web application to a new IIS web site or delete and recreate the web application.


Create site collections

To test whether authentication is working correctly, you will need to create at least one site collection in each web application. The creation and configuration of the site collection will not affect Kerberos functionality, so follow existing guidance on how to create a site collection in Create a site collection (SharePoint Foundation 2010). For this example, two site collections were configured:

Web Application      Site Collection Path   Site Collection Template
http://portal        /                      Publishing Portal
http://teams:5555    /                      Team Site

Create alternate access mappings

The portal web application will be configured to use HTTPS as well as HTTP to demonstrate how delegation works with SSL protected services. To configure SSL, the portal web application will need a second SharePoint Server alternate access mapping (AAM) for the HTTPS endpoint.

To configure alternate access mappings

1. In Central Administration, click Application Management.
2. Under Web Applications click configure alternate access mappings.
3. In the Select Alternate Access Mapping Collection dropdown, select the Change Alternate Access Mapping Collection.
4. Select the portal web application.
5. Click Edit Public Urls in the top toolbar.
6. In a free zone, add the https URL for the web application. This URL will be the name on the SSL certificate you will create in the next steps.
7. Click Save. You should now see the HTTPS URL in the zone list for the web application.

IIS configuration

Install SSL certificates

You will need to configure an SSL certificate on each SharePoint Server hosting the web application service for each web application that uses SSL. Again, the topic of how to configure an SSL certificate and certificate trust is out of scope for this document. See the SSL Configuration section in this document for references to material about configuring SSL certificates in IIS.

Verify that Kerberos authentication is enabled

To verify that Kerberos authentication is enabled on the web site

1. Open IIS manager.
2. Select the IIS web site to verify.
3. In Features View, under IIS, double click Authentication.
4. Select Windows Authentication, which should be enabled.
5. On the right hand side under Actions, select Providers. Verify Negotiate is at the top of the list.

Verify that Kernel mode authentication is disabled

Kernel mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server Web Applications should have Kernel Mode Authentication disabled on their corresponding IIS web sites. Even in situations where the web application was configured on an existing IIS web site, SharePoint Server disables kernel mode authentication as it provisions a new web application on the existing IIS site.

To verify that kernel mode authentication is disabled

1. Open IIS manager.
2. Select the IIS web site to verify.
3. In Features View, under IIS, double click Authentication.
4. Select Windows Authentication, which should be enabled.
5. Click Advanced Settings.
6. Verify both EAP and Kernel Mode Authentication are disabled.
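The checks in the last three sections (classic mode with Negotiate selected for each zone, Windows authentication enabled in IIS with Negotiate first in the provider list, and kernel mode authentication off) can be run over every web application in the farm at once. The script below is an added example, not code from the white paper or from SharePoint itself; it assumes it runs on a front-end web server as a farm administrator with the SharePoint PowerShell snap-in and the IIS WebAdministration module available, and it reads the effective IIS configuration of the site behind each zone.

```powershell
# Added example, not from the white paper: audit each SharePoint 2010 web
# application zone and its IIS web site for the settings described above.
# Assumes it runs on a front-end web server as a farm administrator, with the
# SharePoint snap-in and the IIS WebAdministration module available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

function Get-KerberosWebAppReport {
    $winAuth = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($webApp in Get-SPWebApplication) {
        foreach ($zone in $webApp.IisSettings.Keys) {
            $iis      = $webApp.IisSettings[$zone]
            $sitePath = "IIS:\Sites\$($iis.ServerComment)"   # ServerComment is the IIS site name

            $enabled = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $winAuth -Name enabled).Value
            $kernel  = (Get-WebConfigurationProperty -PSPath $sitePath -Filter $winAuth -Name useKernelMode).Value
            # Providers are offered in list order, so Negotiate must come before NTLM.
            $providers = @(Get-WebConfigurationProperty -PSPath $sitePath -Filter "$winAuth/providers" -Name Collection |
                           ForEach-Object { $_.value })

            New-Object PSObject -Property @{
                WebApplication = $webApp.DisplayName
                Zone           = $zone.ToString()
                ClassicMode    = -not $webApp.UseClaimsAuthentication   # classic (Windows) mode, not claims
                NegotiateInSP  = -not $iis.DisableKerberos              # DisableKerberos = $true means NTLM was chosen
                WindowsAuth    = [bool]$enabled
                NegotiateFirst = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
                KernelModeOff  = -not [bool]$kernel
            }
        }
    }
}

# Any False in the last five columns points at the fix described in this section.
Get-KerberosWebAppReport |
    Format-Table WebApplication, Zone, ClassicMode, NegotiateInSP, WindowsAuth, NegotiateFirst, KernelModeOff -AutoSize
```

A zone that reports NegotiateInSP as False is the NTLM case described above and can be switched in the Authentication Providers dialog; ClassicMode False means the web application was created in claims mode and has to be extended or recreated.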

Configure the firewall

Before testing authentication, ensure clients can access the SharePoint Server web applications on the configured HTTP ports. In addition, ensure clients can authenticate with Active Directory and request Kerberos tickets from the KDC over the standard Kerberos ports.

Open firewall ports to allow HTTP traffic in on default and non-default ports

Typically you have to configure the firewall on each front-end Web to allow incoming requests over ports TCP 80 and TCP 443. Open Windows Firewall with Advanced Security and browse to the following Inbound Rules:

- World Wide Web Services (HTTP Traffic-In)
- World Wide Web Services (HTTPS Traffic-In)

Make sure the appropriate ports are open in your environment. In our example, we access SharePoint Server over HTTP (port 80), so this rule was enabled. In addition, we have to open the non-default port used in our example (TCP 5555). If you have web sites running on non-default ports, you also have to configure custom rules to allow HTTP traffic on those ports.

Ensure that clients can connect to Kerberos ports on the Active Directory role

To use Kerberos authentication, clients will have to request ticket granting tickets (TGT) and service tickets (ST) from the Key Distribution Center (KDC) over UDP or TCP port 88. By default, when you install the Active Directory Role in Windows Server 2008 and later, the role will configure the following incoming rules to allow this communication:

- Kerberos Key Distribution Center - PCR (TCP-In)
- Kerberos Key Distribution Center - PCR (UDP-In)
- Kerberos Key Distribution Center (TCP-In)
- Kerberos Key Distribution Center (UDP-In)

In your environment ensure these rules are enabled and that clients can connect to the KDC (domain controller) over port 88.

Test browser authentication

After configuring Active Directory, DNS and SharePoint Server you can now test whether Kerberos authentication is configured correctly by browsing to your web applications. When testing in the browser, ensure the following conditions are met:

1. The test user is logged into a Windows XP, Vista, or Windows 7 computer joined to the domain that SharePoint Server is installed in, or is logged into a domain trusted by the SharePoint Server domain.
2. The test user is using Internet Explorer 7.0 or later (Internet Explorer 6.0 is no longer supported in SharePoint Server 2010; see Plan browser support (SharePoint Server 2010)).
3. Integrated Windows authentication is enabled in the browser. Under Internet Options in the Advanced tab, make sure Enable Integrated Windows Authentication* is enabled in the Security section.
4. Local intranet is configured to automatically log on clients. Under Internet Explorer options, in the Security tab, select Local Intranet and click the Custom level button. Scroll down and make sure that Automatic logon only in Intranet zone is selected.

Note: It is possible to configure automatic logon on other zones, but the topic of IE security zones best practices is outside the scope of this paper. For this demonstration the intranet zone will be used for all tests.

5. Ensure that Automatically detect intranet network is selected in Internet options > Security > Intranet Zone > Sites.
6. If you are using fully qualified domain names to access the SharePoint Server web applications, ensure that the FQDNs are included in the intranet zone, either explicitly or by wildcard inclusion (for example, *.vmlab.local).

The easiest way to determine if Kerberos authentication is being used is by logging into a test workstation and navigating to the web site in question. If the user isn't prompted for credentials and the site is rendered correctly, you can assume Integrated Windows authentication is working. The next step is to determine if the negotiate protocol was used to negotiate Kerberos authentication as the authentication provider for the request. This can be done in the following ways:

Front-end Web security logs

If Kerberos authentication is working correctly you will see Logon events in the security event logs on the front-end webs with event ID = 4624.

In the general information for these events you should see the security ID being logged onto the computer and the Logon Process used, which should be Kerberos.
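Reading the 4624 events one at a time in Event Viewer does not show whether some clients are quietly falling back to NTLM. The script below is an added example, not code from the white paper; it runs on the front-end web server with permission to read the Security log, keeps only network logons (the kind an authenticated browser request to IIS produces) and groups them by authentication package, so that NTLM logons stand out next to the Kerberos ones this section expects.

```powershell
# Added example, not from the white paper: summarise the Logon events (ID 4624)
# in a front-end web's Security log by authentication package, so that requests
# that fell back to NTLM stand out next to the Kerberos ones the text expects.
# Assumes it runs on the front-end web server with permission to read the
# Security log.
function Get-WebLogonEvents {
    param([int]$Hours = 1)

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Logon type 3 (network) is what an authenticated browser request to IIS
        # produces; interactive and service logons on the same server are skipped.
        if ($data['LogonType'] -ne '3') { continue }

        New-Object PSObject -Property @{
            Time         = $event.TimeCreated
            Account      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonProcess = $data['LogonProcessName']           # "Kerberos" when a ticket was used
            AuthPackage  = $data['AuthenticationPackageName']  # "Kerberos" or "NTLM"
            SourceIP     = $data['IpAddress']
        }
    }
}

# One line per package: anything other than Kerberos means a client or zone is
# not negotiating Kerberos and should be traced with the client-side tools
# described next (KList, KerbTray, Fiddler, NetMon).
Get-WebLogonEvents -Hours 4 | Group-Object AuthPackage | Select-Object Name, Count
```

Pipe the function's output through Where-Object on AuthPackage to list the source addresses and accounts behind the NTLM logons; those clients are usually outside the intranet zone or are using a host name with no matching SPN.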

KList

KList is a command line utility included in the default installation of Windows Server 2008 and Windows Server 2008 R2 which can be used to list and purge Kerberos tickets on a given computer. To run KLIST, open a command prompt in Windows Server 2008 and type Klist.

If you want to purge the ticket cache, run Klist with the optional purge parameter: Klist purge

KerbTray

KerbTray is a free utility included with the Windows Server 2000 Resource Kit Tool that can be installed on your client computer to view the Kerberos ticket cache. Download and install from Windows 2000 Resource Kit Tool: Kerbtray.exe. Once you have it installed, perform the following actions:

1. Navigate to the web sites that use Kerberos Authentication.
2. Run KerbTray.exe.
3. View the Kerberos Ticket cache by right clicking on the kerbtray icon in the system tray and selecting List Tickets.
4. Validate the service tickets for the web applications you authenticated are in the list of cached tickets. In our example we navigated to the following web sites which have the following SPNs registered:

Web Site URL         SPN
http://portal        HTTP/Portal.vmlab.local
http://teams:5555    HTTP/Teams.vmlab.local
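The KList and KerbTray checks above amount to "is there a cached service ticket for each web application's SPN". That can be automated on the client by parsing klist output. The script below is an added example, not code from the white paper or from Microsoft; it assumes the English klist output format of Windows 7 and Windows Server 2008 R2, uses the example environment's SPNs, and feeds a constructed sample of klist output to the check so it can be read without a live cache (omit -KlistLines to read the real cache).

```powershell
# Added example, not from the white paper: parse the output of klist.exe on the
# client and check that a service ticket for each expected HTTP SPN is in the
# cache, which is what the KerbTray steps above verify by eye. Assumes the
# English klist output format of Windows 7 / Windows Server 2008 R2; the SPNs
# are the example environment's and the sample output is constructed.
function ConvertFrom-KlistOutput {
    param([string[]]$Lines)
    $ticket = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*#\d+>\s*Client:\s*(.+)$') {
            if ($ticket) { $ticket }       # emit the previous ticket
            $ticket = New-Object PSObject -Property @{
                Client = $matches[1].Trim(); Server = $null; Realm = $null; EncryptionType = $null
            }
        }
        elseif ($ticket -and $line -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') {
            $ticket.Server = $matches[1]
            $ticket.Realm  = $matches[2]
        }
        elseif ($ticket -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+)$') {
            $ticket.EncryptionType = $matches[1].Trim()
        }
    }
    if ($ticket) { $ticket }
}

function Test-ServiceTicketCached {
    param(
        [string[]]$ExpectedSpn,
        [string[]]$KlistLines = (& klist.exe)    # live cache unless sample text is supplied
    )
    $cached = @(ConvertFrom-KlistOutput -Lines $KlistLines)
    foreach ($spn in $ExpectedSpn) {
        # -eq is case-insensitive, so HTTP/Portal.vmlab.local matches HTTP/portal.vmlab.local
        $hit = @($cached | Where-Object { $_.Server -eq $spn })
        New-Object PSObject -Property @{
            Spn            = $spn
            Cached         = ($hit.Count -gt 0)
            EncryptionType = $(if ($hit.Count -gt 0) { $hit[0].EncryptionType } else { $null })
        }
    }
}

# Constructed sample of klist output: the TGT plus a ticket for the portal only,
# so the teams web application shows up as not yet visited.
$sample = @'
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: testuser @ VMLAB.LOCAL
        Server: krbtgt/VMLAB.LOCAL @ VMLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: testuser @ VMLAB.LOCAL
        Server: HTTP/portal.vmlab.local @ VMLAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

Test-ServiceTicketCached -ExpectedSpn 'HTTP/Portal.vmlab.local', 'HTTP/Teams.vmlab.local' -KlistLines $sample |
    Format-Table Spn, Cached, EncryptionType -AutoSize
```

A missing ticket after browsing to a site means the browser did not request one for that SPN, most often because the host name resolves through a CNAME, the SPN is not registered on the application pool account, or the site is not in the intranet zone. Run Klist purge between tests so that a stale ticket from an earlier configuration does not mask a new failure.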


Fiddler

Fiddler is a free HTTP traffic analyzer that can be downloaded from the following location: http://www.fiddlertool.com/. In Fiddler you will see the client and server negotiate Kerberos authentication and you will be able to see the client send the Kerberos Service Tickets to the server in the HTTP headers of each request. To validate that Kerberos authentication is working correctly using Fiddler, perform the following actions:

1. Download and install Fiddler (www.fiddlertool.com) on the client computer.
2. Log out of the desktop and log back in to flush any cached connections to the web server and force the browser to negotiate Kerberos authentication and perform the authentication handshake.
3. Start Fiddler.
4. Open Internet Explorer and browse to the web application (http://portal in our example).

You should see the requests and responses to the SharePoint Server front-end web in Fiddler.

The first HTTP 401 is the browser attempt to do the GET request without authentication.

In response, the server sends back an "HTTP 401 unauthorized" and in this response indicates what authentication methods it supports:

In the next request, the client resends the previous request, but this time sends the service ticket for the web application in the headers of the request:

If you select the Auth view within the Fiddler inspector window you will also see the Kerberos ticket in the request and the Kerberos response:

If authenticated successfully, the server will send back the requested resource.
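An "Authorization: Negotiate ..." header in the second request does not by itself prove Kerberos was used: Negotiate is the SPNEGO wrapper, and the same header carries an NTLM message when the client falls back. The script below is an added example, not code from the white paper; it takes the header value as copied from Fiddler's Headers or Auth view and reports which mechanism the base64 token actually contains. The token bytes at the bottom are constructed samples (a minimal SPNEGO NegTokenInit prefix that offers the two Kerberos mechanism OIDs, and an NTLMSSP NEGOTIATE message), not captures from the example environment.

```powershell
# Added example, not from the white paper: tell from an "Authorization: Negotiate"
# request header (copied from Fiddler's Headers or Auth view) whether the client
# sent a Kerberos ticket or fell back to NTLM inside the Negotiate wrapper. The
# token bytes at the bottom are constructed samples, not captures from the
# example environment.
function Find-ByteSequence {
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le ($Haystack.Length - $Needle.Length); $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

function Get-NegotiateTokenKind {
    param([Parameter(Mandatory = $true)][string]$HeaderValue)

    $parts  = $HeaderValue.Trim() -split '\s+', 2
    $scheme = $parts[0]
    if ($parts.Count -lt 2 -or -not $parts[1]) {
        # "WWW-Authenticate: Negotiate" with no token is the server's challenge
        return New-Object PSObject -Property @{ Scheme = $scheme; Kind = 'Challenge'; Detail = 'no token present' }
    }
    $bytes = [Convert]::FromBase64String($parts[1])

    # NTLMSSP messages carry the ASCII signature "NTLMSSP\0" followed by a message type.
    $ntlmSig = [byte[]](0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00)
    # Kerberos mechanism OIDs as DER-encoded inside SPNEGO: 1.2.840.113554.1.2.2 and
    # Microsoft's 1.2.840.48018.1.2.2.
    $krb5Oid   = [byte[]](0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02)
    $msKrb5Oid = [byte[]](0x06, 0x09, 0x2A, 0x86, 0x48, 0x82, 0xF7, 0x12, 0x01, 0x02, 0x02)

    $ntlmAt = Find-ByteSequence $bytes $ntlmSig
    if ($ntlmAt -ge 0) {
        $msgType = $bytes[$ntlmAt + 8]    # 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
        $kind = 'NTLM'; $detail = "NTLMSSP message type $msgType"
        if ($ntlmAt -gt 0) { $detail += ' wrapped in SPNEGO' }
    }
    elseif ($bytes[0] -eq 0x60 -and ((Find-ByteSequence $bytes $krb5Oid) -ge 0 -or (Find-ByteSequence $bytes $msKrb5Oid) -ge 0)) {
        $kind = 'Kerberos'; $detail = 'SPNEGO/GSS-API token offering a Kerberos mechanism, no NTLMSSP payload'
    }
    elseif ($bytes[0] -eq 0x6E) {
        $kind = 'Kerberos'; $detail = 'raw Kerberos AP-REQ'
    }
    elseif ($bytes[0] -eq 0xA1) {
        $kind = 'Continuation'; $detail = 'SPNEGO NegTokenResp without NTLMSSP payload'
    }
    else {
        $kind = 'Unknown'; $detail = ('first byte 0x{0:X2}' -f $bytes[0])
    }
    New-Object PSObject -Property @{ Scheme = $scheme; Kind = $kind; Detail = $detail }
}

# Constructed samples (see lead-in): SPNEGO NegTokenInit prefix listing the two
# Kerberos OIDs in mechTypes (the AP-REQ that would follow is omitted), and an
# NTLMSSP NEGOTIATE (type 1) message.
$spnegoKerberos = [byte[]](0x60, 0x26,
    0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02,            # SPNEGO OID 1.3.6.1.5.5.2
    0xA0, 0x1C, 0x30, 0x1A, 0xA0, 0x18, 0x30, 0x16,            # NegTokenInit / mechTypes
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x82, 0xF7, 0x12, 0x01, 0x02, 0x02,
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02)
$ntlmType1 = [byte[]](0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x07, 0x82, 0x08, 0xA2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)

Get-NegotiateTokenKind ('Negotiate ' + [Convert]::ToBase64String($spnegoKerberos))
Get-NegotiateTokenKind ('Negotiate ' + [Convert]::ToBase64String($ntlmType1))
Get-NegotiateTokenKind 'Negotiate'
```

The decisive test is the NTLMSSP signature: when Internet Explorer chooses Kerberos, its NegTokenInit lists the Kerberos OIDs first and carries an AP-REQ, whereas an NTLM fallback carries an NTLMSSP message in the same wrapper. A quick visual version of the same check is that NTLM tokens start with "TlRMTVNTUAAB" in base64 while SPNEGO tokens start with "YI".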

NetMon 3.4

NetMon 3.4 is a free network packet analyzer from Microsoft that can be downloaded from the Microsoft Download Center: Microsoft Network Monitor 3.4. In NetMon you see all TCP requests and responses to the KDC and the SharePoint Server web servers, giving you a complete view of the traffic that makes up a complete authentication request. To validate that Kerberos authentication is working by using NetMon, perform the following actions:

1. Download and install NetMon 3.4 (Microsoft Network Monitor 3.4).
2. Log out of the client then log back in to flush the Kerberos ticket cache. Optionally you can use KerbTray to purge the ticket cache by right clicking on KerbTray and selecting Purge Tickets.
3. Start NetMon in administrator mode. Right click the NetMon shortcut, and select Run as Administrator.
4. Start a new capture on the interfaces that connect to the Active Directory domain controller in your environment and the web front ends.
5. Open Internet Explorer and browse to the web application.
6. After the web site renders, stop the capture and add a display filter to show the frames for Kerberos authentication and HTTP traffic.
7. In the frames window you should see both HTTP and Kerberos V5 traffic.
   a. The first two frames are the original request/response where the client and server negotiate the use of Kerberos for authentication.
   b. The following Kerberos V5 frames are the client requests for a Ticket Granting Ticket for the VMLAB.local realm and the Kerberos service tickets for the SPN HTTP/portal.VMLAB.local.
   c. Finally, the last HTTP frames are the client using the service tickets to authenticate with the web server and the server successfully authenticating the client and returning the response.

Test Kerberos Authentication over SSL

To clearly demonstrate the SPNs requested when a client accesses an SSL protected resource, you can use a tool like NetMon to capture the traffic between client and server and examine the Kerberos service ticket requests.

1. Either log out and then log back into the client computer, or clear all cached Kerberos tickets by using KerbTray.
2. Start a new NetMon capture on the client computer. Be sure to start NetMon with administrator permissions.
3. Browse to the web application by using SSL (in this example, https://portal).
4. Stop the NetMon capture and examine the Kerberos V5 traffic. For instructions on how to filter the capture display, see the instructions in the NetMon 3.4 section of this article.
5. Look for the TGS request the client sends. In the request you will see the SPN requested in the "Sname" parameter.

Note that the "Sname" is HTTP/portal.vmlab.local and not HTTPS/portal.vmlab.local.

Test SharePoint Server Search Index and Query

Verify browser access from the index server(s)

Before running a crawl, ensure that the index server can access the web applications and authenticates successfully. Log into the index server and open the test site collections in the browser. If the sites render successfully and no authentication dialogs appear, proceed to the next step. If any issues occur while accessing the sites in the browser, go back over the previous steps to ensure all configuration actions were performed correctly.

Upload sample content and perform a crawl

In each site collection upload a "seed" document (one that is easily identifiable in search) to a document library in the site collection. For instance, create a text document containing the words "alpha, beta, delta" and save it to a document library in each site collection.

Next, browse to SharePoint Central Administration and start a full crawl on the Local SharePoint Sites content source (which should contain the two test site collections by default).

Test search

If indexing completed successfully, you should see searchable items in your index and no errors in the crawl log.

Note: If you have configured the User Profile Application (UPA) and are performing a crawl on the profile store, be sure to configure the appropriate permissions on the UPA to allow the content access account to access profile data. If you have not configured the UPA permissions you will receive errors in the crawl logs indicating the crawler could not access the profile service because it received an HTTP 401 when trying to access the service. The 401 returned is not due to Kerberos, but instead is due to the content access account not having permissions to read profile data.

Next, browse to each site collection and perform a search for the seed document. Each site collection's search query should return the seed document uploaded.

Test front-end Web delegation

As a last step in this scenario, you use the RSS viewer web part on each site collection to ensure that delegation is working both locally and remotely.

Configure RSS feed sources on each site collection

For the portal application you have to enable RSS feeds on the Site Collection. To turn on RSS feeds follow the instructions in Manage RSS Feeds on Office.com. Once RSS feeds are enabled, create a new custom list and add a list item for testing purposes. Navigate to the List toolbar menu and click RSS Feed to view the RSS feed. Copy the feed URL to use it in the following steps.

Perform this step for each site collection.

Add RSS view web parts to the home page of each site collection

On the portal application you'll need to enable the SharePoint Enterprise Features site collection feature to use the RSS viewer web part. Once enabled add two RSS viewer web parts to the home page. For the first web part, configure the feed URL to point at the local RSS feed you created in the previous step. For the second web part, configure the feed URL to point at the remote feed URL. When completed, you should see both web parts successfully rendering content from the local and remote RSS feeds.

Kerberos authentication for SQL OLTP (SharePoint Server 2010)

Published: December 2, 2010

In this scenario we walk through the process of configuring Kerberos authentication for the SQL Server cluster in our sample environment. Once that process is complete, we validate that SharePoint Server services are authenticated with the cluster by using the Kerberos protocol.

In this scenario, you do the following things:

- Configure an existing SQL Server 2008 R2 cluster to use Kerberos authentication
- Verify that the client can authenticate with the cluster by using Kerberos authentication
- Create a test database and sample data to be used in later scenarios

Note: It is not required to use Kerberos authentication for SQL Server for core SharePoint Server data services (for example, connections to platform databases). The sample environment has a sole SQL Server cluster that hosts additional sample databases used in later scenarios. For delegation to work correctly in these scenarios, the SQL Server cluster must accept Kerberos authenticated connections.

Note: If you are installing on Windows Server 2008, you may need to install the following hotfix for Kerberos authentication:

A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Configuration checklist

Area of configuration                      Description
Configure DNS                              Create DNS (A) host records for the SQL Server cluster IP
Configure Active Directory                 Create Service Principal Names (SPNs) for the SQL Server service
Verify SQL Server Kerberos configuration   Use SQL Server Management Studio to query SQL connection metadata to ensure the Kerberos authentication protocol is used

Scenario environment details

(Environment diagram) SharePoint farm with local SQL client alias SPFarmSQL; SQL cluster nodes vmSQL2k8r201 and vmSQL2k8r202; SQL Database Engine identity vmlab\svcSQL, default instance, port 1433; DNS (A) MySQLCluster.vmlab.local, cluster IP 192.168.8.135.

This scenario demonstrates a SharePoint Server farm configured to use a SQL alias for a connection to a SQL Server cluster that is configured to use Kerberos authentication.

Step-by-step configuration instructions

Configure DNS

Configure DNS for the SQL Server cluster in your environment. In this example we have one SQL Server cluster, MySqlCluster.vmlab.local, running on port 1433 at cluster IP 192.168.8.135/4. The cluster is Active/Passive with the SQL Server database engine running on the default instance of the first node. For general information about how to configure DNS, see Managing DNS Records.

In this example, we configured a DNS (A) record for the SQL Server cluster.

Note: Technically, because SQL Server SPNs include an instance name (if you are using the second named instance on the same computer), you can register the DNS host for the cluster as a CNAME alias and avoid the CNAME issue described in Appendix A, Kerberos configuration known issues (SharePoint Server 2010). However, if you choose to use CNAMEs, you have to register an SPN using the DNS (A) record host name the CNAME aliases.

Configure Active Directory

For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server database engine use the following format for configurations that are using the default instance and not a SQL Server named instance:

MSSQLSvc/<FQDN>:port

For more information about registering SPNs for SQL Server 2008, see Registering a Service Principal Name. In our example, we configured the SQL Server SPN on the SQL Server database engine service account (vmlab\svcSQL) with the following SetSPN command:

SetSPN -S MSSQLSVC/MySQLCluster.vmlab.local:1433 vmlab\svcSQL

SQL Server named instances

If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server browser service. See the following articles for more information about configuring Kerberos authentication for named instances:

- Registering a Service Principal Name
- An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005

SQL aliases

As a best practice, when building your farm you should consider using SQL aliases for connections to your SQL Server computer. If you choose to use SQL aliases, the Kerberos SPN format for those connections does not change. You continue to use the registered DNS host name (A record) in the SPN for SQL Server. For example, if you register an alias "SPFARMSQL" for "MySQLCluster.vmlab.local" the SPN when you are connecting to SPFarmSQL remains "MSSQLSVC/MySQLCluster.vmlab.local:1433".

Verify SQL Server Kerberos configuration

When DNS and Service Principal Names are configured, you can reboot the computers that are running SharePoint Server and verify that SharePoint Server services now authenticate with SQL Server by using Kerberos authentication.

To verify the cluster configuration

1. Reboot the computers that are running SharePoint Server. This action restarts all services and forces them to reconnect and reauthenticate by using Kerberos authentication.
2. Open SQL Server Management Studio and run the following query:

   Select s.session_id, s.login_name, s.host_name, c.auth_scheme
   from sys.dm_exec_connections c
   inner join sys.dm_exec_sessions s on c.session_id = s.session_id

   The query returns metadata about each session and connection. The session data helps identify the connection source, and the session information reveals the authentication scheme for the connection.
3. Verify that the SharePoint Server services are authenticating by using Kerberos authentication:
4. If Kerberos authentication is configured correctly, you see Kerberos in the auth_scheme column of the query results.
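The three steps of this scenario (derive the SPN, register it once, confirm the auth_scheme) can be checked together from a SharePoint server. The script below is an added example, not code from the white paper or from SQL Server; it builds the SPN from the FQDN and port as the format above specifies, uses setspn -Q to find every account carrying it (a duplicate registration is as fatal as a missing one), and runs the query from step 2 to list the sessions that are not using Kerberos. Host, port, alias and account are the example environment's, and Invoke-Sqlcmd is assumed to be available from the SQL Server 2008 R2 PowerShell snap-in.

```powershell
# Added example, not from the white paper: build the SPN the database engine
# needs from its FQDN and port, confirm with setspn that it is registered on
# exactly one account, and then run the connection-metadata query from step 2
# to list sessions that are not authenticating with Kerberos. Host, port,
# alias and account are the example environment's; Invoke-Sqlcmd comes from
# the SQL Server 2008 R2 PowerShell snap-in, assumed to be installed.
Add-PSSnapin SqlServerCmdletSnapin100 -ErrorAction SilentlyContinue

function Get-SqlEngineSpn {
    param([string]$Fqdn, [int]$Port = 1433, [string]$InstanceName)
    # Default instance: MSSQLSvc/<FQDN>:<port>. A named instance also needs
    # MSSQLSvc/<FQDN>:<instance>, as the named-instance references above explain.
    if ($InstanceName) { "MSSQLSvc/${Fqdn}:$InstanceName" }
    "MSSQLSvc/${Fqdn}:$Port"
}

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -Q prints the distinguished name of every account carrying the SPN;
    # more than one owner breaks Kerberos for that service (duplicate SPN).
    $out    = & setspn.exe -Q $Spn
    $owners = @($out | Where-Object { $_ -match '^CN=' })
    New-Object PSObject -Property @{
        Spn    = $Spn
        Owners = $owners
        Status = $(switch ($owners.Count) { 0 { 'missing' } 1 { 'ok' } default { 'duplicate' } })
    }
}

function Get-NonKerberosSqlSessions {
    param([string]$ServerInstance)
    $query = @'
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme, c.net_transport
FROM sys.dm_exec_connections c
INNER JOIN sys.dm_exec_sessions s ON c.session_id = s.session_id
'@
    # Shared-memory connections from the SQL node itself never use Kerberos and
    # are not the farm's traffic, so they are left out of the report.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query |
        Where-Object { $_.auth_scheme -ne 'KERBEROS' -and $_.net_transport -ne 'Shared memory' }
}

Get-SqlEngineSpn -Fqdn 'MySQLCluster.vmlab.local' -Port 1433 |
    ForEach-Object { Test-SpnRegistered $_ } | Format-List

# Connect through the farm's SQL alias; the SPN used is still the cluster FQDN.
Get-NonKerberosSqlSessions -ServerInstance 'SPFarmSQL' | Format-Table -AutoSize
```

An empty session list after the reboot in step 1 is the expected result; a row with auth_scheme NTLM from a SharePoint host_name means that server is still not obtaining a ticket for the cluster SPN, and a "duplicate" status from setspn is the usual reason.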
Create a test SQL Server database and test table

To test delegation across the various SharePoint Server service applications covered in the scenarios in this document, you have to configure a test data source for those services to access. In the final step of this scenario, you configure a test database called "Test" and a test table called "Sales" to be used later.

1. In SQL Server Management Studio, create a new database called "Test". Keep the default settings when creating this database.
2. In the Test database, create a new table with the following schema:

   Column Name   Data Type      Allow Nulls
   Region        nvarchar(10)   No
   Year          nvarchar(4)    No
   Amount        money          No
   RowId         int            No

3. Save the table with the name "Sales".
4. In Management Studio, populate the table with test data. The data itself does not matter and does not affect the function of later scenarios. A few rows of data will suffice. In the example environment we populated the table with the following data:

Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)

Published: December 2, 2010

In this scenario you do the following things:

- Configure Analysis Service instances in the SQL Server 2008 R2 cluster to use Kerberos authentication
- Verify that the client can authenticate with the cluster by using Kerberos authentication

Enabling Kerberos authentication for SQL Server Analysis Services is similar to SQL Server.

Note: If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:

A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Configuration checklist

Area of configuration              Description
Configure Active Directory         Create Service Principal Names (SPNs) for the Analysis Services instance
Verify SQL Kerberos Configuration  Connect to the Analysis Services instance in Excel 2010

Step-by-step configuration instructions

Configure Active Directory

For SQL Server Analysis Services to authenticate clients by using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. The SPN for a default Analysis Services instance uses the following format:

MSOLAPSvc.3/<FQDN>

If you are using a named instance of Analysis Services, note that you cannot specify a port after the colon. If you do, it is interpreted as part of the host name or domain name. Instead, you must use the actual instance name for all functionality to work correctly.

MSOLAPSvc.3/<FQDN>:instanceName

For more information about registering SPNs for SQL Server 2008, see http://support.microsoft.com/kb/917409. This scenario assumes a default Analysis Services instance. We will configure the Analysis Services SPN on the Analysis Services service account (vmlab\svcSQLAS) with the following SetSPN command:

SetSPN -S MSOLAPSvc.3/MySQLCluster.vmlab.local vmlab\svcSQLAS

SQL Server named instances

If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server browser service. See the following articles for more information about configuring Kerberos authentication for named instances:

- Registering a Service Principal Name
- An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005

Verify SQL Server Kerberos configuration

Once the SPN is configured, verify the Kerberos connection to the cluster by using Excel 2010.

1. Open Excel 2010 on the client computer by using a domain account that has access to at least one database in the Analysis Services instance and open a data connection to your Analysis Services instance by selecting the Data tab, clicking From Other Sources, and then clicking From Analysis Services.
2. In the Data Connection Wizard, type MySQLCluster in the Server name box, then click Next. If Kerberos authentication is working, then you can see all the databases that you already have the permission to see.

Note: To use the AdventureWorks 2008 R2 sample databases, download from Microsoft SQL Server Community Projects & Samples and follow the installation instructions.

3. Open the event viewer on the database server (vmsql2k8r201). You should now be able to see an audit success in the security log similar to the one you see in the verification steps for Scenario 2, Kerberos authentication for SQL OLTP (SharePoint Server 2010).

Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)

Published: December 2, 2010

In this scenario you configure a pair of load balanced SQL Server Reporting Services (SSRS) servers in a scaled out configuration running in SharePoint integrated mode. The servers are configured to accept Kerberos authentication and they delegate authentication to a back-end SQL Server cluster.

In this scenario, the SharePoint Server farm and Reporting Services data source are both in the same domain; therefore in this scenario we configure Kerberos constrained delegation to allow identity delegation to the back-end data source. If you are required to authenticate with data sources in other domains within the same forest, you have to configure basic (unconstrained) Kerberos delegation. Remember that Reporting Services does not leverage the C2WTS and therefore can use basic delegation.

Note: If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:

A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenario dependencies

- Scenario 1: Core Configuration
- Scenario 2: Kerberos Authentication for SQL OLTP
- (Optional) Scenario 3: Kerberos Authentication for SQL Analysis Services

Configuration checklist

Area of configuration            Description
Active Directory                 Create SSRS service account
                                 Configure Kerberos constrained delegation
SQL Server Reporting Services    Install and configure SSRS in load balanced, scale out mode
                                 Modify Web.Config
                                 Modify ReportingServer.config
Configure SharePoint Server      Configure Reporting Services integration
                                 Add a report server to the integration
                                 Set server defaults
Verify configuration             Create a document library for reports
                                 Configure site collection setting for Reporting Services
                                 Create and publish a test report in SQL Server Business Intelligence Studio
                                 View the test report in Internet Explorer

Scenario environment details

In this scenario, the Internet Information Services (IIS) application pool service accounts are configured to delegate to the SQL Server Reporting Services (SSRS) service. The SSRS service account is configured to delegate credentials to the SQL Server service. Note that SQL Server Reporting Services in SharePoint integrated mode does not leverage intra-farm Claims authentication and requires Kerberos authentication for delegated authentication. For more information, see Claims Authentication and Reporting Services.

Cross-domain Kerberos delegation

In this example, the data source that SSRS connects to resides in the same domain as the SSRS servers. In some situations you may want to access data sources outside of the domain that SSRS resides in. To authenticate with delegation cross domain, you have to configure basic (unconstrained) delegation on the SSRS service account. Remember that this is possible because the SSRS service does not rely on the Claims to Windows Token Service (C2WTS), therefore does not require protocol transition through Kerberos constrained delegation. Also note that cross forest delegation is not possible, even with basic delegation.
Step-by-step configuration instructions

Configure DNS

Configure DNS for the SSRS NLB server group in your environment. In this example we have two SSRS servers, VMSSRS01 and VMSSRS02, which are load balanced and resolve to the same NLB VIP (192.168.24.180/24). The VIP will be mapped to the host FarmReports and will have the URL http://FarmReports.

For general information about how to configure DNS, see Managing DNS Records.

Configure a new DNS A Record for the SSRS host. In this example we have a host FarmReports configured to resolve to the load balanced VIP.

Active Directory directory service


Create SSRS service account
As a best practice, SQL Server Reporting Services should run under its own domain identity. In this example, the following accounts were created:

Service                         Service identity
SQL Server Reporting Services   vmlab\svcSQLRS

Configure Service Principal Names


For SSRS to connect and authenticate with external data sources using Kerberos authentication, the Report Server Web Service and Report Manager service accounts and the service account for the external data source must have service principal names configured. Refer to scenarios 1 and 2 (Core configuration and Kerberos authentication for SQL OLTP) in this series of articles to configure and validate the necessary SPNs on the SharePoint Server web applications and SQL Server service accounts. For the SSRS servers, the following SPNs were defined:

DNS host                  IIS app pool identity   Service principal names
FarmReports.vmlab.local   vmlab\svcSQLRS          HTTP/FarmReports
                                                  HTTP/FarmReports.vmlab.local

In this example the following commands were executed:
SetSPN -S HTTP/FarmReports vmlab\svcSQLRS
SetSPN -S HTTP/FarmReports.vmlab.local vmlab\svcSQLRS

Configure delegation
Kerberos delegation must be configured for SSRS to delegate the client's identity to the back-end data source. In this example, SSRS queries data from a SQL Server transactional database by using the client's identity, therefore Kerberos delegation is required. Kerberos constrained delegation (KCD) is not a requirement in this scenario (because protocol transition is not needed), but KCD is configured as a best practice. The SSRS service account that is running the SSRS services must be trusted to delegate credentials to each back-end service. In our example, the following delegation paths are needed:

Principal type   Principal name         Delegates to service
User             vmlab\svcPortal10App   HTTP/FarmReports
                                        HTTP/FarmReports.vmlab.local
User             vmlab\svcSQLRS         MSSQLSVC/MySqlCluster.vmlab.local:1433

Optionally, if you wish to report against Analysis Services data sources, configure the following delegation paths:

Principal type   Principal name    Delegates to service
User             vmlab\svcSQLRS    MSOLAPSvc.3/MySqlCluster.vmlab.local

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.

3. Select Trust this user for delegation to specified services only.

Note: For the SSRS service account, if you need to authenticate with data sources within the same forest but outside of the domain that the SSRS server resides in, configure basic delegation instead of constrained delegation. You can do this by selecting Trust this computer for delegation to any service. Remember that cross-forest Kerberos delegation is not possible.

4. Optionally select Use any authentication protocol. This enables protocol transition.
5. Click the Add button to select the service principal that can be delegated to.

6. Select Users and Computers.

7. Select the service account that is running the service you want to delegate to. In this example, it is the service account for the SQL Server Reporting Service.

Note: The service account selected must have an SPN applied to it. In our example, the SPN for this account (HTTP/FarmReports.vmlab.local) was configured earlier in the scenario.

8. Click OK. You are then asked to select the SPNs you want to delegate to on the following page.

9. Select the service or Select All and click OK. You should now see the selected SPNs in the "services to which this account can present delegated credentials" list.

10. Repeat these steps for each delegation path identified earlier in this section. You have to configure delegation from the SQL Server Reporting Services service account to one or more back-end data sources (SQL OLTP or SQL AS in our scenarios).

Note: For the SSRS service account, if you need to authenticate with data sources within the same forest but outside of the domain the SSRS server resides in, configure basic delegation instead of constrained delegation. To do so, select Trust this computer for delegation to any service. Remember that cross-forest Kerberos delegation is not possible.

Verify MSSQLSVC SPN for the service account running the service on SQL Server (performed in Scenario 2)
Verify that the SPN for the Analysis Services service account (vmlab\svcSQL) exists by using the following SetSPN command:
SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433

Verify MSOLAPSvc.3 SPN for the service account running the SSAS service on the SQL Server Analysis Services server (performed in Scenario 3)
Verify that the SPN for the SQL Server service account (vmlab\svcSQLAS) exists by using the following SetSPN command:
SetSPN -L vmlab\svcSQLAS

You should see the following:
MSOLAPSvc.3/MySqlCluster
MSOLAPSvc.3/MySqlCluster.vmlab.local


SQL Server Reporting Services


Install SharePoint Server 2010
SQL Server Reporting Services requires SharePoint Server 2010 to be installed on each SSRS server to run SSRS in SharePoint integrated mode. Install SharePoint Server 2010 on each reporting server and join each server to the SharePoint Server farm.

Install and configure SSRS in load-balanced, scaled out mode


Detailed step-by-step instructions on how to configure SQL Server Reporting Services in a load-balanced, scaled-out configuration are beyond the scope of this document. For detailed instructions on how to install SSRS, see Deployment Topologies for Reporting Services in SharePoint Integrated Mode. Once SSRS is installed, be sure to complete the additional SSRS configuration steps outlined below to complete the install.

Modify Web.config on the SSRS Servers


The following changes have to be made to the web.config files on each SSRS server. The web.config file can be found in the Program Files directory where SSRS is installed:

Add the <machineKey> element
SSRS servers in a load-balanced configuration need the same machine key set across all servers. The machineKey element should be added as a child of the <system.web> element in web.config. Below is an example machine key:
<machineKey validationKey="54AEBD3BC893726E9B84D30F4970CB58F2086C2DAEE2F8D34A65A0632F4676DDBBC38779F2972C6596931E13BD07A772BD4B9395BE38A43E461079E45D594E53" decryptionKey="" validation="SHA1" decryption="AES"/>

Important: DO NOT USE THE SAMPLE MACHINE KEY IN YOUR ENVIRONMENT. Generate your own key values for your environment.
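The following PowerShell is an added example, not part of the white paper: it generates a fresh <machineKey> element with key sizes that match validation="SHA1" (64-byte HMAC key, 128 hex characters like the sample above) and decryption="AES" (32-byte key), and it checks that every SSRS server's web.config carries the same, non-sample element. The UNC paths are placeholders, since the SSRS install directory under Program Files is not given in this document.

```powershell
# Added example (not the white paper's code): generate a machineKey element and
# verify that all SSRS NLB members share it.

function New-RandomHexKey {
    param([Parameter(Mandatory = $true)][int]$ByteLength)
    # Use the CSPRNG, never Get-Random: these are secret keys.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $ByteLength
    $rng.GetBytes($bytes)
    # Upper-case hex, two characters per byte.
    return -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    $validationKey = New-RandomHexKey -ByteLength 64   # HMAC-SHA1 key, 128 hex chars
    $decryptionKey = New-RandomHexKey -ByteLength 32   # AES-256 key, 64 hex chars
    return ('<machineKey validationKey="{0}" decryptionKey="{1}" ' +
            'validation="SHA1" decryption="AES" />') -f $validationKey, $decryptionKey
}

function Test-MachineKeyConsistent {
    # $true only when every web.config has a <machineKey> under <system.web>,
    # both keys are non-empty, none is the document's sample key, and all
    # servers carry the same pair. Mismatched keys break view state and forms
    # authentication tickets when the NLB sends a request to a different node.
    param([string[]]$WebConfigPaths)
    $seen = @{}
    foreach ($path in $WebConfigPaths) {
        $xml = [xml](Get-Content -Path $path)
        $mk  = $xml.configuration.'system.web'.machineKey
        if (-not $mk) { Write-Warning "$path has no <machineKey> element"; return $false }
        if (-not $mk.validationKey -or -not $mk.decryptionKey) {
            Write-Warning "$path has an empty validationKey or decryptionKey"; return $false
        }
        if ($mk.validationKey.StartsWith('54AEBD3BC893726E')) {
            Write-Warning "$path still uses the sample key from the document"; return $false
        }
        $seen[$mk.validationKey + '|' + $mk.decryptionKey] = $true
    }
    return ($seen.Count -eq 1)
}

# Generate once, then paste the same element under <system.web> on every SSRS server.
New-MachineKeyElement

# Afterwards verify the NLB members from this scenario (VMSSRS01 and VMSSRS02).
# The directory below is a placeholder for the SSRS install path on each server.
$WebConfigPaths = @(
    '\\VMSSRS01\c$\<SSRS install directory>\web.config',   # placeholder path
    '\\VMSSRS02\c$\<SSRS install directory>\web.config'    # placeholder path
)
# Test-MachineKeyConsistent -WebConfigPaths $WebConfigPaths
```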

Modify ReportingServer.config
The following changes have to be made to the ReportingServer.config files on each SSRS server. The ReportingServer.config file can be found in the Program Files directory where SSRS is installed:

Enable Kerberos authentication
To enable Kerberos authentication, set the authentication type to "RSWindowsNegotiate". Change the <AuthenticationTypes/> element and add <RSWindowsNegotiate/>:
<AuthenticationTypes><RSWindowsNegotiate/></AuthenticationTypes>

Modify the URL root
Add the URL for the report server to the <UrlRoot> tag found in the <Service> tag of ReportingServer.config:
<UrlRoot>http://FarmReports/reportserver</UrlRoot>

Configure BackConnectionHostNames in the registry


To allow the SQL Server Reporting Services components to authenticate with each other on a single computer, NTLM loopback detection needs to be addressed. Instead of disabling loopback detection, a better practice is to configure the BackConnectionHostNames value in the registry of each SSRS server. For more information about BackConnectionHostNames, see You receive an error message when you use SQL Server 2008 Reporting Services. In our example, we configure the following values for BackConnectionHostNames:
FarmReports
FarmReports.vmlab.local

Once the BackConnectionHostNames values are set, reboot the SSRS server.

Configure SharePoint Server


In Central Administration, you find the farm configuration options for SSRS. Note that in SharePoint Server 2010 you do not need to install a separate SSRS component installation for SSRS administration and Web Parts. To access the SSRS farm options, navigate to Central Administration and then see Reporting Services in the General Application Settings section.


Grant the Reporting Services service account permissions on the web application content database
A required step in configuring SQL Server Reporting Services in SharePoint integrated mode is allowing the Reporting Services service account access to the content databases for web applications hosting reports. In this example, we grant the Reporting Services account access to the "portal" web application's content database through Windows PowerShell. Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcSQLRS")

Configure Reporting Services Integration


In the Reporting Services Integration dialog box, specify the load-balanced URL of the report server. Also, select the Activate feature in all existing site collections option to automatically activate the Reporting Services feature in your site collections.


Add each report server to the integration


In the Add a report server to the integration dialog box, specify each of the nodes of the Reporting Services NLB group. You have to open this dialog box for each server that you are adding to the integration; there is no way to add multiple servers in a single operation.

Set server defaults


At this point SSRS integration should be configured. To validate the configuration, open the Server Defaults page. No changes are required for the example in this document.


Verify configuration
Create a document library for reports
Create a document library to host SSRS reports in your SharePoint site. In this example, we assume the existence of a document library called "reports" at http://portal/reports.


Validate site collection settings for Reporting Services


In the browser, navigate to the Site Settings of the site that is hosting the document library for SSRS reports. In Site Settings you should see a new category called Reporting Services.

If you do not see the Reporting Services feature in the site collection's features list, you may need to activate it from Central Administration. For more information, see How to: Activate the Report Server Feature in SharePoint Central Administration (http://go.microsoft.com/fwlink/?LinkId=196878). Click the Reporting Services site settings link to ensure the settings are accessible.


Note: No changes to Reporting Services Site Settings are required for this demonstration.

Create and publish a test report in SQL Server Business Intelligence Development Studio
After you configure SSRS and the integration with SharePoint Server, you create a test report to ensure identity delegation is working correctly.
1. Open SQL Server Business Intelligence Development Studio. Click File, point to New, and then click Project.

2. Select Report Server Project Wizard and enter a project name.

3. Next configure a new data source. Choose the type Microsoft SQL Server and click the Edit button.

4. In Connection Properties enter the information to connect to the demo SQL Server cluster created in scenario 2.

5. Open the query designer, right-click the query window and select Add table.

6. Choose the Sales table (created in scenario 2) and select All Columns.

7. Select a tabular report type.

8. In our example we group by region; you can skip this step if you want to.

9. Once the project is created, open the project properties on the Project menu.

10. Configure the following project properties:
   a) Target Dataset Folder: set it to the test report folder created earlier
   b) Target Dataset Folder: set it to the test report folder created earlier
   c) Target Report Folder: set it to the test report folder created earlier
   d) Target Report Part Folder: set it to the test report folder created earlier
   e) Target Server URL: set to the web application URL that is hosting the report

11. Deploy the report to the SharePoint library. On the Build menu select Deploy <project name>.

12. If it is successful, you will see the deployment succeeded message in the Output window.


View the test report in Internet Explorer


Open the report document library created in previous steps of this scenario in the browser. You should see the report file you just published. If you do not see the report, you may need to activate the Reporting Services features in your site collection. For more information, see How to: Activate the Report Server Feature in SharePoint Central Administration (http://go.microsoft.com/fwlink/?LinkID=196878).

Click the report and it will render in the browser.


To further verify delegation and the data connection, change the source data in SQL Server Management Studio and refresh the SSRS report data connection in the browser. You should see the data changes reflected in the report.

SSL configuration for Reporting Services


In some environments it may be required to protect communications between front-end Web and SSRS servers with SSL. A detailed walkthrough of how to configure SSL for Reporting Services is out of scope for this paper, but at a high level these are the steps you have to take:
1. Configure each reporting server for SSL. See Configuring a Report Server for Secure Sockets Layer (SSL) Connections (http://go.microsoft.com/fwlink/?LinkId=196881).
2. Update ReportingServer.config. Change the <UrlRoot> to the new https:// URL.
3. Restart the SQL Server Reporting Services service.
4. In Central Administration, change the Reporting Services integration settings and change the Report Server Web Service URL to the new https:// URL.
5. Restart IIS on each instance of SharePoint Server that is running the web application service.

You do not need to change any of the SPNs created when configuring Reporting Services with HTTP in the previous steps. The SPN for an HTTP service over SSL remains HTTP/<service>. You can see this by using NetMon to view the front-end web server that is communicating with the Reporting Services server.

Notice the ticket granting service request highlighted and the SName requested. The reporting server service was accessed using https:// and the SName in the ticket request remained HTTP/ as expected. To ensure the WFE was actually using SSL to communicate with the reporting server, additional traffic was captured and analyzed:

Notice that all requests from the WFE to the reporting server are protected over SSL. This confirms SSL was used for communications between the web front ends and the reporting server.



Identity delegation for Excel Services (SharePoint Server 2010)


Published: December 2, 2010

In this scenario you add the Excel Services service application to the SharePoint Server environment and configure Kerberos constrained delegation to allow the service to refresh data in a worksheet from an external SQL Server data source.

Note: If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:

A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenario dependencies
To complete this scenario you need to have completed the following articles:
Scenario 1: Core Configuration
Scenario 2: Kerberos Authentication for SQL OLTP

Configuration checklist

Area of configuration                          Description
Active Directory configuration                 Create Excel Services service account
                                               Configure SPN on Excel Services service account
                                               Configure Kerberos constrained delegation for servers running Excel Services
                                               Configure Kerberos constrained delegation for the Excel Services service account
SharePoint Server configuration                Start Claims to Windows Token Service on Excel Services servers
                                               Start the Excel Services service instance on the Excel Services server
                                               Create the Excel Services service application and proxy
                                               Configure Excel Services trusted file location and authentication settings
Verify Excel Services constrained delegation   Create document library to host test workbook
                                               Create test SQL database and test table
                                               Create test Excel workbook with SQL data connection
                                               Publish workbook to SharePoint Server and refresh data connection


Scenario environment details


Kerberos constrained delegation paths

In this scenario we will configure the SharePoint Server Excel Services service account for Kerberos constrained delegation to the SQL Server service.

Note: In this scenario we will configure the Claims to Windows Token Service (C2WTS) to use a dedicated service account. If you leave the C2WTS configured to use Local System you will need to configure constrained delegation on the computer account for the computer running the C2WTS and Excel Services.

SharePoint Server logical authentication

Authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 will convert the Windows authentication token into a claims token using the local Security Token Service (STS). The Excel service application will accept the claims token and convert it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Foundation (WIF). The Excel service application will then use the client's Kerberos ticket to authenticate with the back-end data source.

Step-by-step configuration instructions


Active Directory configuration
Create Excel Services service account
As a best practice Excel Services should run under its own domain identity. To configure the Excel Service Application an Active Directory account must be created. In this example the following accounts were created:

SharePoint Server service   IIS app pool identity
Excel Services              vmlab\svcExcel

Configure SPN on the Excel Services service account


Kerberos constrained delegation must be configured if Excel Services is going to delegate the client's identity to a back-end data source. In this example Excel Services will query data from a SQL transactional database, therefore Kerberos delegation is required.

The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name applied; otherwise the Delegation tab for the object will not be visible in the object's properties dialog. Although Excel Services does not require an SPN to function, we will configure one for this purpose.

On the command line, run the following command (the account is the Excel Services service account created above):
SETSPN -S SP/ExcelServices vmlab\svcExcel

Note: The SPN is not a valid SPN. It is applied to the specified service account to reveal the delegation options in the AD Users and Computers add-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute) but this topic will not be covered in this document.

Configure Kerberos constrained delegation for Excel Services


To allow Excel Services to delegate the client's identity, Kerberos constrained delegation must be configured. It is required to configure constrained delegation with protocol transition for the conversion of the claims token to a Windows token via the WIF C2WTS.

Each server running Excel Services must be trusted to delegate credentials to each back-end service Excel will authenticate with. In addition, the Excel Services service account must also be configured to allow delegation to the same back-end services. In our example the following delegation paths are defined:

Principal type   Principal name   Delegates to service
User             svcExcel         MSSQLSVC/MySqlCluster.vmlab.local:1433
User*            svcC2WTS         MSSQLSVC/MySqlCluster.vmlab.local:1433
Computer**       VMSP10APP01      MSSQLSVC/MySqlCluster.vmlab.local:1433

* Configured later in this scenario
** Only required if the C2WTS is running as Local System

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.

3. Select Trust this user for delegation to specified services only.
4. Select Use any authentication protocol. This enables protocol transition and is required for the service account to use the C2WTS.
5. Click the Add button to select the service principal allowed to delegate to.

6. Select Users and Computers.

7. Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL service.

Note: The service account selected must have an SPN applied to it. In our example the SPN for this account was configured in a previous scenario.

8. Click OK. You will then be asked to select the SPNs you would like to delegate to in the following window.

9. Select the services for the SQL cluster and click OK.
10. You should now see the selected SPNs in the "services to which this account can present delegated credentials" list.

11. Repeat these steps for each delegation path defined in the beginning of this section.

Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
Verify that the SPN for the Analysis Services service account (vmlab\svcSQL) exists with the following SetSPN command:
SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433
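The SetSPN -L checks above, together with the delegation tables from the SSRS "Configure delegation" section and this Excel Services section, can be verified in one pass with the Active Directory cmdlets. The script below is an added example, not the white paper's own code: it assumes the ActiveDirectory RSAT module is available, reads the SPNs, msDS-AllowedToDelegateTo and the "Use any authentication protocol" flag for each account named in this document, and also reports an SPN that is registered on more than one object.

```powershell
# Added example (not from the white paper): verify SPNs and constrained-delegation
# paths for the service accounts of the SSRS and Excel Services scenarios.
Import-Module ActiveDirectory

# Expected state, constructed here from the tables in this document.
# ProtocolTransition = $null means "do not check this flag".
$Expected = @(
    @{ Account = 'svcPortal10App'; Type = 'User'; Spns = @()
       DelegateTo = @('HTTP/FarmReports', 'HTTP/FarmReports.vmlab.local')
       ProtocolTransition = $null }
    @{ Account = 'svcSQLRS'; Type = 'User'
       Spns = @('HTTP/FarmReports', 'HTTP/FarmReports.vmlab.local')
       DelegateTo = @('MSSQLSVC/MySqlCluster.vmlab.local:1433')
       ProtocolTransition = $null }      # optional for SSRS: no C2WTS in the path
    @{ Account = 'svcExcel'; Type = 'User'; Spns = @('SP/ExcelServices')
       DelegateTo = @('MSSQLSVC/MySqlCluster.vmlab.local:1433')
       ProtocolTransition = $true }      # required: the C2WTS needs protocol transition
    @{ Account = 'svcC2WTS'; Type = 'User'; Spns = @('SP/C2WTS')
       DelegateTo = @('MSSQLSVC/MySqlCluster.vmlab.local:1433')
       ProtocolTransition = $true }
)

function Find-DuplicateSpn {
    # An SPN carried by more than one object breaks Kerberos for that service.
    param([string]$Spn)
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    if ($owners.Count -gt 1) { return ($owners | ForEach-Object { $_.DistinguishedName }) }
    return @()
}

function Test-DelegationPath {
    param([hashtable]$Spec)

    $props = @('servicePrincipalName', 'msDS-AllowedToDelegateTo',
               'TrustedForDelegation', 'TrustedToAuthForDelegation')
    $obj = if ($Spec.Type -eq 'Computer') {
        Get-ADComputer -Identity $Spec.Account -Properties $props
    } else {
        Get-ADUser -Identity $Spec.Account -Properties $props
    }
    $findings = @()

    foreach ($spn in $Spec.Spns) {
        if (@($obj.servicePrincipalName) -notcontains $spn) { $findings += "missing SPN $spn" }
        $dupes = @(Find-DuplicateSpn $spn)
        if ($dupes.Count -gt 0) { $findings += "SPN $spn is also registered on: $($dupes -join '; ')" }
    }

    # "Trust this user for delegation to any service" sets TrustedForDelegation and leaves
    # msDS-AllowedToDelegateTo empty. That is wider than these scenarios ask for.
    $allowed = @($obj.'msDS-AllowedToDelegateTo')
    if ($obj.TrustedForDelegation -and $allowed.Count -eq 0) {
        $findings += 'unconstrained delegation is enabled; the scenario expects constrained delegation'
    }
    foreach ($target in $Spec.DelegateTo) {
        if ($allowed -notcontains $target) { $findings += "not allowed to delegate to $target" }
    }
    if ($Spec.ProtocolTransition -ne $null -and
        [bool]$obj.TrustedToAuthForDelegation -ne $Spec.ProtocolTransition) {
        $findings += "'Use any authentication protocol' is $([bool]$obj.TrustedToAuthForDelegation), expected $($Spec.ProtocolTransition)"
    }

    New-Object PSObject -Property @{
        Account  = $Spec.Account
        Pass     = ($findings.Count -eq 0)
        Findings = ($findings -join '; ')
    }
}

$Expected | ForEach-Object { Test-DelegationPath $_ } | Format-Table Account, Pass, Findings -AutoSize
```

If the C2WTS is left running as Local System, add the computer object (VMSP10APP01 in this scenario) to $Expected with Type = 'Computer'.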


SharePoint Server configuration


Configure and Start the Claims to Windows Token Service on Excel Services Servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claim tokens to Windows tokens. Excel Services uses the C2WTS to convert the user's claims token into a Windows token when the service needs to delegate credentials to a back-end system which uses Integrated Windows authentication. WIF is deployed with SharePoint Server 2010 and the C2WTS can be started from Central Administration.

Each Excel Services application server must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity.

As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally you should configure the service account's permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).

To start the C2WTS
1. Create a service account in Active Directory to run the service under. In this example we created vmlab\svcC2WTS.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. In our example we registered SP/C2WTS to vmlab\svcC2WTS using the following command:
SetSPN -S SP/C2WTS vmlab\svcC2WTS

3. Configure Kerberos constrained delegation on the C2WTS service account. In this scenario we will delegate credentials to the SQL service running with the MSSQLSVC/MySqlCluster.vmlab.local:1433 service principal name.

4. Next, configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on. In our example this is VMSP10APP01. Log on to the server and give the C2WTS the following permissions:
   a) Add the service account to the local Administrators group.
   b) In local security policy (secpol.msc) under User Rights Assignment give the service account the following permissions:
      i. Act as part of the operating system
      ii. Impersonate a client after authentication
      iii. Log on as a service

5. Open Central Administration.
6. Under Security > Configure Managed Service Accounts, register the C2WTS service account as a managed account.

7. Under Services, select Manage services on server.

8. In the server selection box in the upper right-hand corner select the server(s) running Excel Services. In this example it is VMSP10APP01:

9. Find the Claims to Windows Token Service and start it.
10. Go to Security > Manage Service Accounts. Change the identity of the C2WTS to the new managed account.


Note: If the C2WTS was already running before configuring the dedicated service account, or if you need to change the permissions of the service account after the C2WTS is running, you must restart the C2WTS from the services console. In addition, if you experience issues with the C2WTS after restarting the service, it may also be required to reset the IIS application pools that communicate with the C2WTS.

Add Startup dependencies the WIF C2WTS service


There is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:
1. Open the Command Prompt window.
2. Type: sc config "c2wts" depend= CryptSvc

3. Find the Claims to Windows Token Service in the services console.
4. Open the properties for the service.

5. Check the Dependencies tab. Make sure Cryptographic Services is listed.

6. Click OK.
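The local C2WTS prerequisites from step 4 above (Administrators membership and the three user rights), the managed-account change from step 10 and the CryptSvc dependency can be checked on each Excel Services server before restarting the service. The script below is an added example, not the white paper's own code; it assumes the dedicated account is vmlab\svcC2WTS as in this scenario and runs in an elevated PowerShell session, since secedit needs it.

```powershell
# Added example (not from the white paper): read-only check of the C2WTS
# prerequisites on the local server. Assumes vmlab\svcC2WTS from this scenario.

function Get-AccountSid {
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LocalAdministratorMembers {
    # ADSI works on Windows Server 2008 R2 / PowerShell 2.0, where
    # Get-LocalGroupMember does not exist. Direct members only; nesting is not resolved.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://VMLAB/svcC2WTS; normalise to DOMAIN\name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-PrivilegeRightHolders {
    # secedit exports [Privilege Rights] as lines such as
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
    # Returns a hashtable: right name -> array of holder SIDs (leading * removed).
    $tmp = Join-Path $env:TEMP 'c2wts-secpol.inf'
    & secedit.exe /export /cfg $tmp /quiet | Out-Null
    $rights = @{}
    foreach ($line in (Get-Content $tmp)) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $rights
}

function Test-C2wtsPrerequisites {
    param([string]$Account = 'vmlab\svcC2WTS')

    $findings = @()
    $svc = Get-WmiObject Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { return @('C2WTS service (c2wts) is not installed on this server') }

    # Step 10: the service must run as the dedicated managed account, not Local System.
    if ($svc.StartName -eq 'LocalSystem') {
        $findings += 'C2WTS runs as LocalSystem; change it to the managed account'
    } elseif ($svc.StartName -notlike ('*' + $Account.Split('\')[-1] + '*')) {
        $findings += "C2WTS runs as $($svc.StartName), expected $Account"
    }

    # Startup dependency from the workaround above (sc config c2wts depend= CryptSvc).
    $deps = @((Get-Service -Name c2wts).ServicesDependedOn | ForEach-Object { $_.Name })
    if ($deps -notcontains 'CryptSvc') { $findings += 'no startup dependency on CryptSvc' }

    # Step 4a: local Administrators membership.
    $isAdmin = @(Get-LocalAdministratorMembers) -contains $Account
    if (-not $isAdmin) { $findings += "$Account is not a direct member of local Administrators" }

    # Step 4b: user rights. A right granted to BUILTIN\Administrators (S-1-5-32-544)
    # covers the account once it is a member of that group.
    $sid      = Get-AccountSid $Account
    $rights   = Get-PrivilegeRightHolders
    $required = @{
        SeTcbPrivilege         = 'Act as part of the operating system'
        SeImpersonatePrivilege = 'Impersonate a client after authentication'
        SeServiceLogonRight    = 'Log on as a service'
    }
    foreach ($right in $required.Keys) {
        $holders = @($rights[$right])
        $granted = ($holders -contains $sid) -or ($isAdmin -and ($holders -contains 'S-1-5-32-544'))
        if (-not $granted) { $findings += "missing user right: $($required[$right]) ($right)" }
    }
    return $findings
}

$result = @(Test-C2wtsPrerequisites -Account 'vmlab\svcC2WTS')
if ($result.Count -eq 0) { 'C2WTS prerequisites OK' } else { $result }
```

Any finding means the C2WTS must be restarted from services.msc after the fix, as the note above states.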

Grant the Excel Services service account permissions on the web application content database
A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application's service account access to the content databases for a given web application. In this example, we will grant the Excel Services service account access to the portal web application's content database by using Windows PowerShell. Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcExcel")

Start the Excel Services service instance on the Excel Services server
Before creating an Excel Services service application, start the Excel Services service on the designated farm servers.
1. Open Central Administration.
2. Under Services, select Manage services on server.

3. In the server selection box in the upper right-hand corner select the server(s) running Excel Services. In this example it is VMSP10APP01.
4. Start the Excel Calculation Services service.



Create the Excel Services service application and proxy


Next configure a new Excel Services service application and application proxy to allow web applications to consume Excel Services:
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.

3. Select New, and then click Excel Services Application.

4. Configure the new service application. Be sure to select the correct service account (create a new managed account if the Excel service account is not in the list).


Configure Excel services trusted file location and authentication settings


Once the Excel Services application is created, configure the properties on the new service application to specify a trusted host location and authentication settings.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.


3. Click the link for the new service application, Excel Services in this example.

4. In the Excel Services management page, click "Trusted File Locations".

5. Add a new trusted file location.


6. Specify the location of your test library.

Note: In our example, we trust the root web application URL and all children. In a production environment you may choose to constrain the trust to a more granular location.

7. In External Data select Trusted data connection libraries and embedded.


Note: This example will use an embedded connection to connect to SQL Server. In your environment you may choose to create a separate connection file and store it in a trusted data connection library. In that case you might select Trusted data connection libraries only.

8. Change the External Data Cache Age. For testing purposes, it is convenient to change the external data cache lifetime to ensure data refreshes are coming from the data source and not the cache. Under External Data, change the following settings:

Automatic refresh (periodic/on open) = 0
Manual refresh = 0

Note: In a production environment you will want to configure a cache setting higher than 0. Setting the cache to 0 is for testing purposes only.

Verify Excel Services constrained delegation


Create document library to host the test workbook
Open a site in the trusted path that was configured in the previous step. Create a new document library to host a test Excel workbook.

Create test Excel workbook with SQL data connection


Next create an Excel workbook with a data connection to the new test database:
1. Open Excel.
2. On the Data tab, select From other sources > From SQL Server.

3. Connect to the test SQL data source.


4. Select the test database and the test table (Sales in our example).

5. Click Next. Click the authentication settings button. Ensure Windows Authentication is specified.


6. Click Finish.
7. Select PivotTable Report.

8. Configure the pivot table. Ensure data is returned from the SQL source.


Publish workbook to SharePoint Server and refresh data connection


The last step to validate the Excel Services application is to publish the workbook and test refreshing the embedded SQL connection.
1. Click the File tab.
2. Click Save and Send, then click Save to SharePoint, and then click Browse for a location.


3. Enter the location of the trusted library created in previous steps.

4. Ensure Open with Excel in the browser is selected.
A new browser window will open at this point with your test workbook displayed. Once the workbook renders, refresh the data connection by clicking Data and then clicking Refresh All Connections.


If the data connection refreshes you have successfully configured Kerberos delegation for Excel Services. To further test connectivity, change the source data via SQL Management Studio then refresh the connection. You should see the newly changed data in your workbook. If you do not see any changes, and you do not receive any errors on refresh, you are most likely seeing cached data. By default, Excel Services will cache data from external sources for five minutes. You can change this cache setting; see Configure Excel Services trusted file location and authentication settings in this article for more information.


Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Published:December2,2010

ThefarmtopologydescribedinEnvironment and farm topologydoesnotrequire KerberosauthenticationforPowerPivotforMicrosoftSharePoint2010towork.The PowerPivotSystemServiceisclaimsaware,andusestheClaimsToWindowsToken Service(C2WTS)torecreatetheclientsWindowsidentityusingtheclientsclaimstoken inordertoconnectwiththeAnalysisServiceVertipaqenginethatrunsonthe applicationserver. WhenaPowerPivotworkbookisuploadedinSharePointServer,italreadycontainsthe PowerPivotdatathattheworkbookuses.WhentheuseropensthePowerPivot workbookinExcelWebAccessandinteractswiththeslicers,thePowerPivotSystem ServiceloadsthedataintheworkbookdirectlyintoitsAnalysisServicesengine.No accessismadetothedataconnectionembeddedintheworkbook.

When a data refresh job for a PowerPivot workbook starts executing, the PowerPivot System Service performs a Windows login using the credentials stored in the SharePoint Server Secure Store Service. Since the Windows identity is created on the application server, the connection from the PowerPivot Analysis Services Vertipaq engine (on the same computer, VMSP10APP01) to MySQLCluster is the first NTLM hop.



Note: If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:


A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenarios requiring Kerberos authentication


As you can see from the discussion above, most common situations with PowerPivot do not require Kerberos authentication. However, there are some unusual edge cases where Kerberos authentication would be required. For example, if your PowerPivot workbook contains a data connection to a SQL Server instance that is linked to yet another SQL Server instance on a separate computer, you will need to configure Kerberos authentication with identity delegation for data refresh to work. For example, if MySQLCluster is linked to another remote SQL Server instance, then the link from MySQLCluster to the linked remote server is the second hop. In this case, NTLM is no longer adequate. You must configure Kerberos delegation for the data refresh to process successfully.


While they are outside the scope of the scenarios defined in this paper, the major steps to configure identity delegation for PowerPivot are as follows:
1. Change the service account of the C2WTS Windows service to a domain account (e.g. VMLAB\svcC2WTS). Configuring the C2WTS is a large topic and is covered in detail in the other scenarios in this document:
- Configure and Start the Claims to Windows Token Service on Excel Services Servers
- Configure and Start the Claims to Windows Token Service on Visio Graphics Servers
- Configure and Start the Claims to Windows Token Service on PerformancePoint Services Servers

2. Configure delegation from the VMLAB\svcSQL account to the SPN for the linked SQL Server instance.

Configuration Checklist

Area of configuration: PowerPivot installation
Description: Install SQL Server PowerPivot for SharePoint on the application server

Scenario dependencies
Strictly speaking, the following Kerberos authentication scenarios are not required by PowerPivot for SharePoint. However, completing them successfully expedites your PowerPivot for SharePoint installation process, as the components themselves are prerequisites for PowerPivot for SharePoint.
- Scenario 1: Core Configuration
- Scenario 2: Kerberos Authentication for SQL OLTP (Optional)
- Scenario 3: Kerberos Authentication for SQL Analysis Services
- Scenario 5: Identity Delegation for Excel Services

Configuration instructions
Install PowerPivot for SharePoint on the application server (vmsp10app01). For detailed instructions, see How to: Install PowerPivot for SharePoint in a Three-tier SharePoint Farm in the MSDN Library online. If you have already performed the dependent scenarios in this paper, you can skip the sections in the MSDN article that have already been covered by the scenario dependencies.

Important: The application pool for the SQL Server PowerPivot Service Application must be run using the domain account of the SharePoint Server farm administrator. In no other user context can the PowerPivot System Service retrieve the unattended account credentials from the Secure Store Service.


Identity delegation for Visio Services (SharePoint Server 2010)


Published: December 2, 2010

In this scenario, you add a Visio Services service application to the SharePoint Server environment and configure Kerberos constrained delegation to allow the service to refresh data from an external SQL Server data source in a Visio web drawing.

Note: If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:


A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenario dependencies
To complete this scenario you will need to have completed:
- Scenario 1: Core Configuration
- Scenario 2: Kerberos authentication for SQL OLTP

Configuration checklist

Area of configuration: Active Directory configuration
- Create Visio Services service account
- Configure SPN on Visio Services service account
- Configure Kerberos constrained delegation for servers running Visio Services
- Configure Kerberos constrained delegation for the Visio Services service account

Area of configuration: SharePoint Server configuration
- Start Claims to Windows Token Service on Visio Services servers
- Grant the Visio Services service account permissions on the web application content database
- Start the Visio Services service instance on the Visio Services server
- Create the Visio Services service application and proxy

Area of configuration: Verify Visio Services constrained delegation
- Configure the Visio Services cache settings
- Create document library to host test Visio diagram
- Create a test Visio web drawing with SQL Server data-connected shapes
- Publish the Visio drawing to SharePoint Server and refresh data connection


Scenario environment details


Kerberos constrained delegation paths

[Diagram: Kerberos delegation path. The Visio Services identity Vmlab\svcVisio (SPN: SP/Visio) and the C2WTS run on the application server VMSP10APP01 and delegate to the SQL Database Engine identity Vmlab\svcSQL (SPN: MSSQLSVC/MySqlCluster.vmlab.local:1433) on the SQL cluster, nodes vmSQL2k8r201 and vmSQL2k8r202, default instance, port 1433, DNS (A): MySQLCluster.vmlab.local.]

In this scenario, we will configure the SharePoint Server Visio Services application servers and service accounts for Kerberos constrained delegation to the SQL Server service.

SharePoint Server logical authentication

Authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 converts the Windows authentication token into a claims token using the local Security Token Service (STS). The Visio service application accepts the claims token and converts it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Foundation (WIF). The Visio service application then uses the client's Kerberos ticket to authenticate with the back-end data source.

Step-by-step configuration instructions


Active Directory configuration
Create Visio Services service account
As a best practice, Visio Services should run under its own domain identity. To configure the Excel Service Application, an Active Directory account must be created. In this example, the following accounts were created:

SharePoint Server service: Visio Services
IIS App Pool Identity: vmlab\svcVisio

Configure SPN on Visio Services service account


Kerberos constrained delegation must be configured if Visio Services is going to delegate the client's Windows identity to a back-end data source. In this example Visio Services will query data from a SQL Server transactional database as the client, therefore Kerberos delegation is required.

The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name applied; otherwise the Delegation tab for the object will not be visible in the object's properties dialog. Although Visio Services does not require an SPN to function, we will configure one for this purpose.

On the command line, run the following command:
SETSPN -S SP/VisioServices svc\VisioServices


Note: The SPN is not a valid SPN. It is applied to the specified service account to reveal the delegation options in the AD Users and Computers add-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute) but this topic will not be covered in this document.

Configure Kerberos constrained delegation for Visio Services


To allow Visio Services to delegate the client's identity, Kerberos constrained delegation must be configured. It is required to configure constrained delegation with protocol transition for the conversion of the claims token to a Windows token via the WIF C2WTS. Each server running Visio Services must be trusted to delegate credentials to each back-end service Visio will authenticate with. In addition, the Visio Services service account must also be configured to allow delegation to the same back-end services. In our example the following delegation paths are defined:

Principal Type    Principal Name       Delegates To Service
User              Vmlab\svcVisio       MSSQLSVC/MySqlCluster.vmlab.local:1433
User*             Vmlab\svcC2WTS       MSSQLSVC/MySqlCluster.vmlab.local:1433
Computer**        Vmlab\vmsp10app01    MSSQLSVC/MySqlCluster.vmlab.local:1433

* Configured later in this scenario
** Optional. Constrained delegation on the computer account is only required when running the C2WTS as Local System.

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and Computers.



2. Navigate to the Delegation tab.

3. Select Trust this user for delegation to specified services only.
4. Select Use any authentication protocol. This enables protocol transition and is required for the Visio service account to use the C2WTS.
5. Click the Add button to select the service principal allowed to delegate to.


6. Select Users and Computers.

7. Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service.
Note: The service account selected must have an SPN applied to it. In our example the SPN for this account was configured in a previous scenario.
8. Click OK. You will then be asked to select the SPNs you would like to delegate to.



9. Select the services for the SQL Server cluster and click OK.
10. You should now see the selected SPNs in the services to which this account can present delegated credentials list.


11. Repeat these steps for each delegation path (Computer and User) defined in the beginning of this section.
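The delegation paths above can be audited from the directory rather than by clicking through each Delegation tab. The following script is an added example, not part of the white paper, and uses the RSAT ActiveDirectory module; it assumes the account names from the table (svcVisio, svcC2WTS, vmsp10app01) and that you run it as a domain user who can read those objects. It checks the three things the steps above set: an SPN exists, "Use any authentication protocol" (protocol transition) is enabled, and the SQL Server SPN is in msDS-AllowedToDelegateTo, and it flags the misconfiguration of unconstrained delegation.

```powershell
# Added example (not from the white paper): audit the constrained delegation
# paths defined in the table above using the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

# Expected delegation paths for the Visio scenario (names taken from the table).
# The computer entry is only needed when the C2WTS runs as Local System.
$expectedPaths = @(
    @{ Type = 'User';     Name = 'svcVisio';    Target = 'MSSQLSVC/MySqlCluster.vmlab.local:1433' },
    @{ Type = 'User';     Name = 'svcC2WTS';    Target = 'MSSQLSVC/MySqlCluster.vmlab.local:1433' },
    @{ Type = 'Computer'; Name = 'vmsp10app01'; Target = 'MSSQLSVC/MySqlCluster.vmlab.local:1433' }
)

# Attributes behind the Delegation tab in Active Directory Users and Computers.
$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'

function Test-DelegationPath {
    param([hashtable]$Path)

    $obj = if ($Path.Type -eq 'Computer') {
        Get-ADComputer -Identity $Path.Name -Properties $props
    } else {
        Get-ADUser -Identity $Path.Name -Properties $props
    }

    # Drop empty values so an unset attribute counts as zero entries.
    $spns    = @($obj.servicePrincipalName      | Where-Object { $_ })
    $allowed = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $result = [ordered]@{
        Principal           = "$($Path.Type) $($Path.Name)"
        # Without an SPN the Delegation tab is not shown at all.
        HasSpn              = ($spns.Count -gt 0)
        # "Use any authentication protocol" sets TrustedToAuthForDelegation;
        # the C2WTS needs it for protocol transition (claims token -> Kerberos).
        ProtocolTransition  = [bool]$obj.TrustedToAuthForDelegation
        # TrustedForDelegation with no target list means "delegate to any
        # service" (unconstrained), which is broader than this scenario wants.
        Unconstrained       = ([bool]$obj.TrustedForDelegation -and $allowed.Count -eq 0)
        AllowedToDelegateTo = ($allowed -join '; ')
        TargetPresent       = ($allowed -contains $Path.Target)
    }
    $result['Ok'] = ($result.HasSpn -and $result.ProtocolTransition -and
                     (-not $result.Unconstrained) -and $result.TargetPresent)
    [pscustomobject]$result
}

$expectedPaths | ForEach-Object { Test-DelegationPath -Path $_ } | Format-List
```

The same check applies to the PerformancePoint scenario later in this document by swapping in svcPPS and the MSOLAPSvc.3 SPN as the target.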

Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
Verify the SPN for the Analysis Services service account (vmlab\svcSQL) exists with the following SetSPN command:
SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433


SharePoint Server configuration


Configure and Start the Claims to Windows Token Service on Visio Graphics Servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claims tokens to Windows tokens. The Visio Graphics Service uses the C2WTS to convert the user's claims token into a Windows token when the service needs to delegate credentials to a back-end system which uses Windows authentication. WIF is deployed with SharePoint Server 2010 and the C2WTS can be started from Central Administration.

Each Visio Graphics Service application server must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity.

As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally you should configure the service account's permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).

To start the C2WTS
1. Create a service account in Active Directory to run the service under. In this example we created vmlab\svcC2WTS.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. In our example we registered SP/C2WTS to vmlab\svcC2WTS using the following command:
SetSPN -S SP/C2WTS vmlab\svcC2WTS

3. Configure Kerberos constrained delegation on the C2WTS service account. In this scenario we will delegate credentials to the SQL Server service running with the MSSQLSVC/MySqlCluster.vmlab.local:1433 service principal name.



4. Configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on. In our example, this is VMSP10APP01. Log on to the server and give the C2WTS the following permissions:
a) Add the service account to the local Administrators group.
b) In local security policy (secpol.msc) under User Rights Assignment, give the service account the following permissions:
i. Act as part of the operating system
ii. Impersonate a client after authentication
iii. Log on as a service

5. Open Central Administration.
6. In Security, in the Configure Managed Service Accounts section, register the C2WTS service account as a managed account.

7. Under Services, select Manage services on server.

8. In the server selection box in the upper right corner, select the server(s) running the Visio Graphics Service. In this example it is VMSP10APP01.

9. Find the Claims to Windows Token Service and start it.
10. Go to Manage Service Accounts in the Security section. Change the identity of the C2WTS to the new managed account.


Note: If the C2WTS was already running before configuring the dedicated service account, or if you need to change the permissions of the service account after the C2WTS is running, you must restart the C2WTS from the services console. In addition, if you experience issues with the C2WTS after restarting the service, it may also be necessary to reset the IIS application pools that communicate with the C2WTS.

Add startup dependencies to the WIF C2WTS service


There is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:
1. Open a Command Prompt window.
2. Type: sc config "c2wts" depend= CryptSvc


3. Find the Claims to Windows Token Service in the services console.

4. Open the properties for the service.
5. Check the Dependencies tab. Make sure Cryptographic Services is listed:

6. Click OK.


Grant the Visio Services service account permissions on the web application content database
A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application's service account access to the content databases for a given web application. In this example, we will grant the Visio Graphics Service account access to the portal web application's content database by using Windows PowerShell. Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcVisio")

Start the Visio Graphics Service instance on the Visio server


Before creating a Visio Services service application, start the Visio Services server service on the designated farm servers.
1. Open Central Administration.
2. Under Services, select Manage services on server.

3. In the server selection box in the upper right-hand corner, select the server(s) running Excel Services. In this example it is VMSP10APP01.

4. Start the Visio Graphics Service.

Create the Visio Graphics Service application and proxy


Next, configure a new Excel Services service application and application proxy to allow web applications to consume Excel Services (if one does not already exist):

1. Open Central Administration.
2. Select Manage Service Applications under Application Management.

3. Select New, and then select Visio Graphics Service.

4. Configure the new service application. Be sure to select the correct service account (create a new managed account if the Visio service account is not in the list).


Verify Visio Graphic Service Constrained Delegation


Configure the Visio services cache settings
By default, the Visio Graphics Service caches the web drawings it renders for web clients for a number of minutes based on the service's cache settings. To test delegation we will configure the service to not cache drawings, so that data refresh in a Visio web drawing can easily be checked.


Note: Disabling the rendering cache is not recommended for production environments. Remember to re-enable the cache once you have completed testing delegation in Visio.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.

3. Select the Visio Graphics Service application created in the previous step.

4. Select Global Settings.

5. In the Minimum Cache Age setting, set the cache to 0 (no cache).


Note: Setting the minimum cache age to 0 is for testing purposes only and should not be used in a production environment.

Create document library to host a test Visio Web Drawing


Navigate to the portal application (http://portal). Create a new document library to host a test Visio workbook. The default document library

Create a test Visio web drawing with SQL Server data-connected shapes
1. Start Visio 2010.
2. Create a new Basic Diagram in the General section under Home.

3. On the Data ribbon tab, select Link Data to Shapes.


4. In the Data Selector dialog box, select Microsoft SQL Server database.

5. Specify the SQL Server cluster created in Scenario 2 and select Windows Authentication.

6. Select the Test database and the Sales table.


7. Specify a friendly name for the connection and save the connection to the document library created in the previous step.


8. In the Data Selector dialog, select the newly created connection and press Finish.


You should now see the External Data window at the bottom of the drawing window with the sample data that was created earlier.

9. Drag the first data row onto the drawing surface. This creates a new shape that is linked to the data row. Note that the test drawing is meant to test delegation and is not meant to demonstrate how to create a fully functioning, production-ready web drawing.


Publish the Visio drawing to SharePoint Server and refresh the data connection
1. Publish the drawing to the test SharePoint document library. On the File tab click Save and Send, Save to SharePoint, Browse for a location, and then Web Drawing.

2. Browse to the test document library, specify a name for the test drawing, and then click Save.


The drawing opens in the browser.
3. In the refresh disabled notification, select Enable (always).


4. The data connection should automatically refresh and no errors should occur.
5. Open SQL Server Management Studio and modify the data row displayed in the web drawing.
6. Refresh the data connection by pressing the Refresh button at the top of the drawing window. If delegation is configured correctly you should see your data refresh.
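A refreshed drawing (or, in the Excel Services scenario earlier, a refreshed workbook) shows that some connection reached SQL Server, but not which identity or authentication scheme it used; a fallback to NTLM or a connection under the service account would also refresh. The script below is an added example, not from the white paper, that reads the answer from the SQL Server side: it lists user sessions with their login and auth_scheme from the sys.dm_exec_connections and sys.dm_exec_sessions DMVs and checks for a session from the application server that carries the browsing user's login over KERBEROS. It assumes you hold VIEW SERVER STATE on MySqlCluster, uses the server and application server names from this scenario, and the user account name is a placeholder.

```powershell
# Added example (not from the white paper): confirm from SQL Server's point of
# view that the Visio/Excel refresh arrived as the end user over Kerberos.
$server    = 'MySqlCluster.vmlab.local,1433'   # SQL cluster from this scenario
$appServer = 'VMSP10APP01'                      # server running Visio Services + C2WTS
$testUser  = 'vmlab\testuser'                   # placeholder: the account that opened the drawing

function Get-SqlConnectionAuth {
    param([string]$ServerInstance)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=master;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    # auth_scheme is KERBEROS when a ticket was presented and NTLM on a fallback;
    # login_name is the identity the middle tier actually delegated.
    $cmd.CommandText = @"
SELECT s.session_id, s.login_name, c.auth_scheme, s.host_name, s.program_name
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
"@
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            [pscustomobject]@{
                SessionId  = $reader['session_id']
                LoginName  = $reader['login_name']
                AuthScheme = $reader['auth_scheme']
                HostName   = $reader['host_name']
                Program    = $reader['program_name']
            }
        }
    } finally {
        $conn.Close()
    }
}

function Test-DelegatedKerberos {
    param([string]$ServerInstance, [string]$User, [string]$AppServer)
    $sessions = Get-SqlConnectionAuth -ServerInstance $ServerInstance
    $fromApp  = @($sessions | Where-Object { $_.HostName -ieq $AppServer })
    # Delegation worked if a session from the application server carries the
    # end user's login over KERBEROS. A session under the service account, or
    # with auth_scheme = NTLM, means the second hop was not delegated.
    $good = @($fromApp | Where-Object {
        $_.LoginName -ieq $User -and $_.AuthScheme -eq 'KERBEROS' })
    [pscustomobject]@{
        SessionsFromAppServer = $fromApp.Count
        DelegatedKerberos     = ($good.Count -gt 0)
        NtlmFromAppServer     = @($fromApp | Where-Object { $_.AuthScheme -eq 'NTLM' }).Count
        LoginsFromAppServer   = (($fromApp | ForEach-Object { $_.LoginName } | Sort-Object -Unique) -join '; ')
    }
}

Get-SqlConnectionAuth -ServerInstance $server | Format-Table -AutoSize
Test-DelegatedKerberos -ServerInstance $server -User $testUser -AppServer $appServer
```

Run it immediately after pressing Refresh, because the service's connection may be closed or pooled shortly after the query completes; with the minimum cache age set to 0 every refresh produces a fresh connection to observe.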


Identity delegation for PerformancePoint Services (SharePoint Server 2010)


Published: December 2, 2010

In this scenario, you will add the PerformancePoint Services service application to the SharePoint Server environment and configure Kerberos constrained delegation to allow the service to pull data from an external Analysis Services cube and have the option to pull data from SQL Server.

Note: If you are installing on Windows Server 2008, you may need to install the following hotfix for Kerberos authentication:


A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenario dependencies
To complete this scenario you will need to have completed:
- Scenario 1: Core Configuration
- Scenario 2: Kerberos Authentication for SQL OLTP (optional)
- Scenario 3: Kerberos Authentication for SQL Server Analysis Services

Configuration checklist

Area of configuration: Active Directory configuration
- Create PerformancePoint Services service account
- Create an SPN for the service account running the PerformancePoint service on the application server
- Verify Analysis Services SPN on SQL Server Analysis Services service account, vmlab\svcSQLAS (performed in Scenario 3) and (Optional) verify the SQL Server database engine service account, vmlab\svcSQL (performed in Scenario 2)
- Configure Kerberos constrained delegation for the Claims to Windows Token Service service account to Analysis Services
- Configure Kerberos constrained delegation for the PerformancePoint Services service account to Analysis Services

Area of configuration: SharePoint Server configuration
- Start Claims to Windows Token Service on PerformancePoint Services servers
- Start the PerformancePoint Services service instance on the PerformancePoint Services server
- Create the PerformancePoint Services service application and proxy
- Check the identity on the PerformancePoint application
- Grant the PerformancePoint Services service account permissions on the web application content database
- Configure PerformancePoint Services trusted file location and authentication settings

Area of configuration: Verify PerformancePoint Services constrained delegation
- Create document library to host a test dashboard
- Create a data source that references an existing SQL Server Analysis Services cube
- Create a trusted PerformancePoint content list
- Create test PerformancePoint dashboard
- Publish dashboard to SharePoint Server

Scenario environment details


Kerberos constrained delegation paths

In this scenario we will configure the PerformancePoint Services service account for Kerberos constrained delegation to the SQL Server service.


Note: In this scenario we will configure the Claims to Windows Token Service (C2WTS) to use a dedicated service account. If you leave the C2WTS configured to use Local System, you will need to configure constrained delegation on the computer account for the computer running the C2WTS and Excel Services.

SharePoint Server logical authentication

Authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 converts the Windows authentication token into a claims token using the local Security Token Service (STS). The PerformancePoint service application accepts the claims token and converts it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Framework (WIF). The PerformancePoint service application then uses the client's Kerberos ticket to authenticate with the back-end data source.


Step-by-step Configuration instructions


Active Directory configuration
Create PerformancePoint Services service account
As a best practice PerformancePoint Services should run under its own domain identity. To configure the PerformancePoint Service Application, an Active Directory account must be created and registered as a managed account in SharePoint Server 2010. For more information see Managed Accounts in SharePoint 2010. In this example the following account is created and registered later in this scenario:
SharePoint Server service: PerformancePoint Services
IIS App Pool Identity: vmlab\svcPPS

* NOTE: You can optionally reuse a single domain account for multiple services. This configuration is not covered in the following sections.

Create an SPN for the Service Account that is running the PerformancePoint service on the Application Server
The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name applied; otherwise the Delegation tab for the object will not be visible in the object's properties dialog. Although PerformancePoint Services does not require an SPN to function, we will configure one for this purpose. Note that if the service account already has an SPN applied (in the case of sharing accounts across services) this step is not required.

On the command line, run the following command:



SETSPN -S SP/PPS vmlab\svcPPS

Note: The SPN is not a valid SPN. It is applied to the specified service account to reveal the delegation options in the AD Users and Computers add-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute) but this topic will not be covered in this document.

Verify Analysis Services SPN on SQL Server Analysis Services service account, vmlab\svcSQLAS (performed in Scenario 3) AND (Optional) Verify the SQL Server database engine service account, vmlab\svcSQL (performed in Scenario 2)
Verify that the SPN for the SQL Analysis Services account (vmlab\svcSQLAS) exists with the following SetSPN command:
SetSPN -L vmlab\svcSQLAS

You should see the following:
MSOLAPSvc.3/MySqlCluster

Verify the SPN for the SQL Server service account (vmlab\svcSQL) exists with the following SetSPN command:
SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSVC/MySqlCluster


Configure Kerberos constrained delegation from the PerformancePoint Services Service account to the SSAS Service and optionally for SQL Server service
To allow PerformancePoint Services to delegate the client's identity, Kerberos constrained delegation must be configured. You must also configure constrained delegation with protocol transition for the conversion of the claims token to a Windows token via the WIF C2WTS. Each server running PerformancePoint Services must be trusted to delegate credentials to each back-end service with which PerformancePoint will authenticate. In addition, the PerformancePoint Services service account must also be configured to allow delegation to the same back-end services. Notice also that HTTP/Portal and HTTP/Portal.vmlab.local are configured to delegate in order to include a SharePoint list as an optional data source for your PerformancePoint dashboard. In our example the following delegation paths are defined:

Principal Type    Principal Name
User              Vmlab\svcC2WTS
User              Vmlab\svcPPS

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.


3. Select Trust this computer for delegation to specified services only.
4. Select Use any authentication protocol.
5. Click the Add button to select the service principal.
6. Select Users and Computers.


7. Select the service account running the service you wish to delegate to (SQL Server, SQL Server Analysis Services, or both).
Note: The service account selected must have an SPN applied to it. In our example, the SPN for this account was configured in a previous scenario. See the Kerberos Authentication for SQL OLTP and Kerberos Authentication for SQL Analysis Services sections of this document.
8. Click OK.
9. Select the SPNs you would like to delegate to, and then click OK.


10. You should now see the selected SPNs in the services to which this account can present delegated credentials list.


11. Repeat these steps for each delegation path defined in the beginning of this section.

SharePoint Server configuration


Configure and Start the Claims to Windows Token Service on PerformancePoint Services Servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claims tokens to Windows tokens. PerformancePoint Services uses the C2WTS to convert the user's claims token into a Windows token when the service needs to delegate credentials to a back-end system which uses Windows authentication. WIF is deployed with SharePoint Server 2010 and the C2WTS can be started from Central Administration.

Each PerformancePoint Services application server must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity.

As a recommended practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server that the service runs on. Be sure to configure these permissions when you choose to run the C2WTS with a domain account. To ensure the C2WTS account picks up the needed privileges, reboot the server after you have configured the C2WTS.

* NOTE: If you choose to configure the C2WTS as Local System you do not need to configure any additional local privileges.

To start the C2WTS
1. Create a service account in Active Directory to run the service under. In this example we created vmlab\svcC2WTS.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. In our example we registered SP/C2WTS to vmlab\svcC2WTS using the following command:
SetSPN -S SP/C2WTS vmlab\svcC2WTS

3. Configure Kerberos constrained delegation on the C2WTS service account. In this scenario we delegate credentials to the SQL Server service that is running with the MSOLAPsvc.3/MySqlCluster.vmlab.local service principal name.


4. Next, configure the required local server permissions the C2WTS requires. You have to configure these permissions on each server the C2WTS runs on. In our example this is VMSP10APP01. Log on to the server and give the C2WTS the following permissions:
a) Add the service account to the local Administrators group.


b) In local security policy (secpol.msc) under User Rights Assignment, give the service account the following permissions:
i. Act as part of the operating system
ii. Impersonate a client after authentication
iii. Log on as a service

5. Open Central Administration.
6. In the Security section, under Configure Managed Service Accounts, register the C2WTS service account as a managed account.

7. Under Services, select Manage services on server.

8. In the server selection box in the upper right-hand corner, select the server(s) running PerformancePoint Services. In this example it is VMSP10APP01.
9. Find the Claims to Windows Token Service and start it.
10. Go to Manage Service Accounts in the Security section. Change the identity of the C2WTS to the new managed account.



Note: If the C2WTS was already running before configuring the dedicated service account, or if you need to change the permissions of the service account after the C2WTS is running, you must restart the C2WTS from the services console. In addition, if you experience issues with the C2WTS after restarting the service, it may also be required to reset the IIS application pools that communicate with the C2WTS.

Add startup dependencies to the WIF C2WTS service


There is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:
1. Open the Command Prompt window.
2. Type: sc config c2wts depend= CryptSvc


3. Find the Claims to Windows Token Service in the services console.

4. Open the properties for the service.
5. Check the Dependencies tab. Make sure Cryptographic Services is listed:

6. Click OK.

7. Reboot the server. Make sure that the C2WTS has started once the computer reboots.
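The dependency fix above as a repeatable, verifiable script. This is an added example, not part of the white paper. It exists because "sc config <service> depend=" replaces the whole dependency list rather than appending to it, so a bare "depend= CryptSvc" would drop any dependency already configured; the script reads the current list first. Only the service names c2wts and CryptSvc from the white paper are assumed.

```powershell
# Added example, not from the white paper: add CryptSvc as a start-up dependency of
# the C2WTS without discarding existing dependencies, then read the result back.
function Set-C2wtsStartupDependency {
    param([string]$ServiceName = 'c2wts', [string]$DependsOn = 'CryptSvc')

    $svc      = Get-Service -Name $ServiceName
    $existing = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })

    if ($existing -contains $DependsOn) {
        Write-Verbose "$ServiceName already depends on $DependsOn" -Verbose
    } else {
        # sc.exe separates multiple dependencies with "/" and requires the space
        # after "depend=" (PowerShell passes "depend=" and the list as two arguments).
        $list = ($existing + $DependsOn) -join '/'
        & sc.exe config $ServiceName depend= $list | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "sc.exe config $ServiceName failed (exit code $LASTEXITCODE)"
        }
    }

    # A dependency only orders start-up; the service must still be set to Automatic.
    Set-Service -Name $ServiceName -StartupType Automatic

    # Re-read from the Service Control Manager so the change is verified before rebooting.
    $svc = Get-Service -Name $ServiceName
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    New-Object PSObject -Property @{
        Service   = $ServiceName
        Status    = $svc.Status
        StartMode = $wmi.StartMode
        DependsOn = (@($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', ')
    }
}

Set-C2wtsStartupDependency
```

Run it in an elevated shell on each server that hosts the C2WTS; the returned DependsOn value should list CryptSvc, which is the same check as the Dependencies tab in step 5.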

Start the PerformancePoint Services service instance on the PerformancePoint Services server
Before creating a PerformancePoint Services service application, start the PerformancePoint Services service on the designated farm servers. To learn more about PerformancePoint Services configuration, see PerformancePoint Services administration on Microsoft TechNet.
1. Open Central Administration.
2. Under Services, select Manage services on server.
3. In the server selection box in the upper right-hand corner, select the server(s) running PerformancePoint Services. In this example it is VMSP10APP01.
4. Start the PerformancePoint Services service.

Create the PerformancePoint Services service application and proxy


Next, configure a new PerformancePoint Services service application and application proxy to allow web applications to consume PerformancePoint Services:
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.


3. Select New, and then click PerformancePoint Services Application.
4. Configure the new service application. Be sure to select the correct service account, or create a new managed account if you did not perform this step previously.


Note: Configuring the Unattended Service Account is optional in this scenario and only used if you want to also test NTLM authentication.
You can create and register a new service account for an existing application pool dedicated to PerformancePoint Services before this step or when you create the new PerformancePoint Services service application. To associate the service account with an existing application pool dedicated to PerformancePoint, or to verify an existing account, do the following.



1. Navigate to SharePoint Central Administration. Find Configure managed accounts in the Security section.
2. Select the drop-down box and select the application pool.
3. Select the Active Directory account.

Grant the PerformancePoint Services service account permissions on the web application content database
A required step in configuring PerformancePoint Services is allowing the service application's service account access to the content databases for a given web application. In this example, we will grant the PerformancePoint Services account access to the "portal" web application's content databases by using Windows PowerShell. Run the following commands from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcPPS")


Configure PerformancePoint Services trusted file location and authentication settings


Once the PerformancePoint Services service application is created, you must configure the properties on the new service application to specify a trusted host location and authentication settings.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Click the link for the new service application, PerformancePoint Services, and click the Manage button in the ribbon.
4. In the PerformancePoint Services management screen, click Trusted Data Source Locations.


5. Select the Only specific locations option and click Add Trusted Data Source Location.
6. Type the URL of the location, select the Site Collection (and subtree) option, and then click OK.
7. Select the Only specific locations option and click Add Trusted Data Source Location.

8. Type the URL of the location, select the Site (and subtree) option, and then click OK.

Verify PerformancePoint Service Constrained Delegation


Note: In larger environments with multiple Active Directory servers, you may need to wait for Active Directory replication to finish before you verify your configuration.


Create test PerformancePoint dashboard with a SQL Server AS data connection


Next, open PerformancePoint Dashboard Designer and create an Analysis Services data connection.
1. Open PerformancePoint Dashboard Designer and right-click Data Source to create a connection.
2. Select Analysis Services.


3. Specify the server, database, and cube, and select Per-user Identity.


4. Click Test Data Source to test the connection.


5. Create a report and dashboard.
6. Make sure you have a data connection by dragging measures and dimensions from the Details pane into the report designer.


7. Your report can be included in the dashboard. Select Reports and then drag My Report onto the Dashboard Content page.

Publish the dashboard to SharePoint Server


The last step to validate the PerformancePoint Services application is to publish the dashboard and test refreshing and viewing the Analysis Services data. To do this:
1. Select the file button icon.


2. Click Deploy in the file selection.
3. Select a master page to which you want to publish.
4. Click the refresh button in your browser.
If the data connection refreshes, you have successfully configured Kerberos delegation for PerformancePoint Services.


Identity delegation for Business Connectivity Services (SharePoint Server 2010)


Published: December 2, 2010

In this scenario you configure the Business Data Connectivity service application to use Kerberos constrained delegation to authenticate with SQL Server. Once it is configured, you create a new external content type and external list to test authentication and read operations within a SharePoint site.
In this scenario, the SharePoint Server farm and the BCS data source are both in the same domain. Therefore, we configure Kerberos constrained delegation to allow identity delegation to the back-end data source. If you are required to authenticate with data sources in other domains within the same forest, you have to configure basic (unconstrained) Kerberos delegation. Remember that BCS does not leverage the C2WTS; therefore you can use basic delegation.
Note: If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenario dependencies
To complete this scenario you have to have completed the following:
Scenario 1: Core Configuration
Scenario 2: Kerberos Authentication for SQL OLTP

Configuration checklist

Area of configuration: Active Directory configuration
   Create BCS Application Service Account
   Validate Service Principal Names
   Configure Delegation
Area of configuration: SharePoint Server configuration
   Start the BCS Service Instance
   Create the BCS Service Application
Area of configuration: Verification
   Create a BCS External Content Type
   Configure BCS Security
   Create a BCS External List
   Open the external list in the browser


Scenario Environment Details


Kerberos delegation: the IIS application pool identities on the web front ends (vmSP10WFE01, vmSP10WFE02) delegate to SQL Server.
SQL Server Database Engine identity: vmlab\svcSQL
SPN: MSSQLSVC/MySqlCluster.vmlab.local:1433
SQL Server cluster nodes: vmSQL2k8r201, vmSQL2k8r202 (default instance, port 1433)
SQL cluster DNS (A): MySQLCluster.vmlab.local


Step-by-step configuration instructions


Active Directory configuration
Create BCS Application Service Account
As a best practice, Business Connectivity Services should run under its own domain identity. To configure the BCS application, an Active Directory account must be created. In this example the following account was created:

SharePoint Server service: Business Connectivity Service
IIS App Pool Identity: vmlab\svcBDC

Validate Service Principal Names


BCS external content types run within the context of the IIS application pool of the web application that uses the ECT when BCS data is used in SharePoint sites. For BCS to connect and authenticate with external data sources using Kerberos authentication, the IIS application pool service account and the service account for the external data source must have service principal names configured. Refer to scenarios 1 and 2 in this document to configure and validate the necessary SPNs on the web application and SQL Server service accounts.

Configure delegation
To allow BCS to delegate the client's identity, Kerberos delegation must be configured. Although constrained delegation is technically not required (unlike Excel Services, BCS can use unconstrained delegation), it is a best practice to limit the scope of delegation the service is allowed to perform; therefore constrained delegation will be configured in this example.
Each IIS application pool service account hosting the site running the ECT must be configured to allow delegation to the back-end services. In our example the following delegation paths are needed:



Principal Type   Principal Name    Delegates To Service
User             svcPortal10App    MSSQLSVC/MySqlCluster.vmlab.local:1433
User             svcTeams10App     MSSQLSVC/MySqlCluster.vmlab.local:1433

To configure constrained delegation:
1. Open the Active Directory object's properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.


3. Select Trust this user for delegation to specified services only.
Note: If you need BCS to authenticate with data sources within the same forest but outside of the domain that SharePoint Server resides in, select Trust this user for delegation to any service to configure basic delegation instead of constrained delegation. The BCS external content type executes in the web application's IIS worker process and does not leverage the C2WTS. Remember that cross-forest Kerberos delegation is not possible.
4. Click the Add button to select the service principal allowed to delegate to.
5. Select Users and Computers.


6. Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service.
Note: The service account selected must have an SPN applied to it. In our example the SPN for this account was configured in a previous scenario.
7. Click OK.
8. Select the SPNs you would like to delegate to, and then click OK.


9. Select the services for the SQL Server cluster and click OK. You should now see the selected SPNs in the "Services to which this account can present delegated credentials" list.

10. Repeat these steps for each delegation path identified earlier in this section.
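The same two delegation paths, configured and read back with the ActiveDirectory module instead of the Delegation tab. This is an added example and not part of the white paper; it assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later) is available and that the shell runs as a domain administrator. The account names svcPortal10App and svcTeams10App and the SPN MSSQLSVC/MySqlCluster.vmlab.local:1433 are the white paper's. The Delegation tab's "specified services only" option is the msDS-AllowedToDelegateTo attribute; this script also checks the two userAccountControl flags that the tab sets implicitly.

```powershell
# Added example, not from the white paper: configure Kerberos-only constrained
# delegation for the BCS delegation paths and verify the resulting AD attributes.
Import-Module ActiveDirectory

$sqlSpn = 'MSSQLSVC/MySqlCluster.vmlab.local:1433'
$delegationPaths = @{
    'svcPortal10App' = @($sqlSpn)
    'svcTeams10App'  = @($sqlSpn)
}

# The delegation target must own the SPN, and exactly one account may own it;
# a duplicate here is the same failure the white paper's known-issues section describes.
$owners = @(Get-ADUser -Filter "ServicePrincipalName -eq '$sqlSpn'")
if ($owners.Count -ne 1) {
    throw "Expected exactly one owner of $sqlSpn, found $($owners.Count). Check with setspn -X."
}

foreach ($account in $delegationPaths.Keys) {
    # "Trust this user for delegation to specified services only": the allowed
    # targets live in msDS-AllowedToDelegateTo. -Replace makes the list authoritative.
    Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = $delegationPaths[$account] }

    # Constrained delegation means TRUSTED_FOR_DELEGATION is NOT set (that flag is
    # unconstrained delegation). BCS runs in the web application's worker process
    # and does not go through the C2WTS, so protocol transition ("use any
    # authentication protocol", TRUSTED_TO_AUTH_FOR_DELEGATION) is not needed either.
    Set-ADAccountControl -Identity $account -TrustedForDelegation $false `
                                            -TrustedToAuthForDelegation $false

    $u = Get-ADUser -Identity $account -Properties msDS-AllowedToDelegateTo,
                                                   TrustedForDelegation,
                                                   TrustedToAuthForDelegation
    New-Object PSObject -Property @{
        Account            = $u.SamAccountName
        DelegatesTo        = ($u.'msDS-AllowedToDelegateTo' -join ', ')
        Unconstrained      = $u.TrustedForDelegation        # must be False
        ProtocolTransition = $u.TrustedToAuthForDelegation  # False: Kerberos only
    }
}
```

If a user's delegated connections still fail, check the client account rather than the service account: a user flagged "Account is sensitive and cannot be delegated" (or a member of the Protected Users group on later Windows versions) will never be delegated regardless of this configuration, and the previous section's note about Active Directory replication applies before the first test.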

Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
Verify that the SPN for the SQL Server service account (vmlab\svcSQL) exists with the following SetSPN command:



SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSVC/MySqlCluster
MSSQLSVC/MySqlCluster.vmlab.local:1433

SharePoint Server configuration


Start the BCS service instance
Before creating a BCS service application, start the BCS service on the designated farm servers.
1. Open Central Administration.
2. Under Services, select Manage services on server.
3. In the Server Selection box in the upper right corner, select the server(s) that will run the Business Data Connectivity Service. In this example, it is VMSP10APP01.
4. Start the Business Data Connectivity Service service.


Create the BCS service application


Next, configure a new BDC service application and application proxy to allow web applications to consume BDC services:
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Select New, and then Business Data Connectivity Service.
4. Configure the new service application. Be sure to select the correct service account (create a new managed account if the BDC service account is not in the list).


Verification
Create a BCS external content type
To access external data through BDC, a BDC external content type must be created. In this example we will use SharePoint Designer 2010 to create the external content type in the Portal web application (http://portal):
1. Open SharePoint Designer 2010.
2. Open the test site collection at http://portal.


3. On the left-hand navigation, click External Content Types.
4. Select External Content Type in the New section of the ribbon in the upper left-hand corner of the page.


5. Give the External Content Type a display name.


6. Then select Click here to discover external data sources and define operations.
7. Click Add Connection.


8. Select SQL Server from the Data Source Type drop-down list and add the information to connect to the test database. Be sure to select Connect with the User's Identity to test delegation.


9. Expand the new connection. Right-click the test table (Sales) and select Create All Operations.
10. You should see an error explaining there isn't a unique identifier defined. Select the identifier column and select the Map to Identifier check box. Click Finish to accept the default options and create the ECT operations.


11. Click Save (CTRL+S). This will publish the ECT to the BDC service application metadata store.

Configure BCS security


Before clients can use the BCS external content type in the portal web application, BCS permissions must be configured. BCS supports a granular permission model, but for the purposes of this demo we will configure security at the Metadata Store level and propagate the security changes to all objects in the store.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.


3. Click the link for the new service application, Business Data Services in this example.
4. Select Set Metadata Store Permissions.


5. In our example, we configured Enterprise Admins with all permissions and All Authenticated Users with all permissions except the Set Permissions permission. This is a test configuration: Edit allows a user to change the external content type definition itself, so in production grant All Authenticated Users only Execute and Selectable In Clients, and reserve Edit and Set Permissions for the BCS administrators.

6. Ensure the Propagate permissions check box is selected and click OK to save your changes.

Create a BCS External List


To test the external content type we will configure an external list to display the external data in the portal application:
1. Open SharePoint Designer 2010.
2. Open the test site collection at http://portal.


3. Select External Content Types on the left side.


4. Click the content type that you created earlier.
5. In the ribbon, click Create Lists & Form.
6. If you are prompted to save the external content type, click Yes.
7. On the Create List and Form dialog box, type a list name in the List Name text box, and then click OK.

Open the external list in the browser


1. Open SharePoint Designer 2010.
2. Open the test site collection at http://portal.


3. Click "Lists and Libraries" in the left-hand navigation.
4. Select the external list at the bottom of the Lists and Libraries list.
5. Click the Preview in Browser button.


Internet Explorer will open and display the selected site and external list.


6. Validate that the external data is displayed correctly. To further validate the connection, change the source data in SQL Server Management Studio and refresh the browser page. You should see the data changes reflected in the browser.


Kerberos configuration known issues (SharePoint Server 2010)


Published: December 2, 2010

Kerberos authentication and non-default ports


There is a known issue where some Kerberos clients (the .NET Framework and Internet Explorer 7 and 8 included) do not correctly form service principal names when attempting to authenticate with Kerberos-enabled web applications that are configured on non-default ports (ports other than 80 and 443). The root of the problem is that the client does not properly form the SPN in the TGS request: it specifies the SPN without the port number (as seen in the sname of the TGS request).
Example: If the web application is running at http://intranet.contoso.com:1234, the client will request a ticket for a service with an SPN equal to http/intranet.contoso.com instead of http/intranet.contoso.com:1234.
Details regarding the issue can be found in the following articles:
Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003

(http://support.microsoft.com/kb/908209/en-us)
Configure Kerberos authentication (Office SharePoint Server 2007)

(http://go.microsoft.com/fwlink/?LinkId=196987)
To work around this issue, register SPNs with and without the port number. Example, for a web application at http://intranet.contoso.com:12345:
http/intranet
http/intranet.contoso.com
http/intranet:12345



http/intranet.contoso.com:12345

We recommend that you register the SPN with the non-default port as well, to ensure that if the issue is resolved in some future service pack or hotfix, the applications using the workaround will still continue to function.
Note that this workaround will not work if all of the following conditions are true:
   There is more than one web application running on a non-default port.
   The web applications either bind to the host name of the server or bind to the same host header (on different ports).
   The web applications' IIS application pools use different service accounts.
Example:
   http://server.contoso.com:5000   AppPoolId: contoso\svcA
   http://server.contoso.com:5001   AppPoolId: contoso\svcB

If these conditions are true, following the recommendation in this workaround will yield duplicate SPNs (http/server and http/server.contoso.com) registered to different service accounts, which will break Kerberos authentication. If you have multiple web sites sharing a common host name running on multiple ports, and you use different IIS application pool identities for the web applications, then you cannot use Kerberos authentication on all web sites. (One application can use Kerberos; the rest will require another authentication protocol.) To use Kerberos on all applications in this scenario, you would need to either:
1. Run all web applications under one shared service account, or
2. Run each site with its own host header.

Kerberos authentication and DNS CNAMEs


There is a known issue with some Kerberos clients (Internet Explorer 7 and 8 included) that attempt to authenticate with Kerberos-enabled services that are configured to resolve using DNS CNAMEs instead of A records. The root of the problem is that the client does not correctly form the SPN in the TGS request: it creates it using the host name (A record) instead of the alias name (CNAME).
Example:
A record: wfe01.contoso.com
CNAME: intranet.contoso.com (aliases wfe01.contoso.com)
If the client attempts to authenticate with http://intranet.contoso.com, the client does not correctly form the SPN and requests a Kerberos ticket for http/wfe01.contoso.com instead of http/intranet.contoso.com.
Details regarding the issue can be found in the following articles:


http://support.microsoft.com/kb/911149/en-us http://support.microsoft.com/kb/938305/en-us

To work around this issue, configure Kerberos-enabled services using DNS A records instead of CNAME aliases. The hotfix mentioned in the KB article will correct this issue for Internet Explorer, but will not correct the issue for the .NET Framework (which is used by Microsoft Office SharePoint Server for web service communication).

Kerberos authentication and Kernel Mode Authentication


Note: Kernel Mode Authentication is not supported in SharePoint 2010 Products. This information is provided for informational purposes only.
Beginning in IIS version 7.0, there is a new authentication feature called Kernel Mode Authentication. When an IIS web site is configured to use Kernel Mode Authentication, HTTP.sys authenticates the client's requests instead of the application pool's worker process. Because HTTP.sys runs in kernel mode this yields better performance, but it also introduces a bit of complexity when configuring Kerberos. This is due to HTTP.sys running under the computer's identity and not under the identity of the worker process. When HTTP.sys receives a Kerberos ticket, by default it will attempt to decrypt the ticket using the server's encryption key (a.k.a. secret) and not the key for the identity the worker process is running under.
If a single web server is configured to use Kernel Mode Authentication, Kerberos will work without any additional configuration or additional SPNs, because the server automatically registers a HOST SPN when it is added to the domain. If multiple web servers are load balanced, the default Kernel Mode Authentication configuration will not work, or at least will intermittently fail, because the client has no way of ensuring that the service ticket it received in the TGS reply will work with the server authenticating the request.
To work around this issue you can do one of the following:
   Turn off Kernel Mode Authentication.
   Configure HTTP.sys to use the IIS application pool's identity when decrypting service tickets. See Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings.
You may also need a hotfix when configuring HTTP.sys to use the application pool's credentials: FIX: You receive a Stop 0x0000007e error message on a blue screen when the AppPoolCredentials attribute is set to true and you use a domain account as the application pool identity in IIS 7.0

Kerberos authentication and session-based authentication


You may notice increased authentication traffic when using Kerberos authentication with IIS 7.0 and greater. This may be related to Windows authentication settings in IIS, in particular:

Setting: authPersistNonNTLM
Description: Optional Boolean attribute. Specifies whether IIS automatically re-authenticates every non-NTLM (for example, Kerberos) request, even those on the same connection. False enables multiple authentications for the same connections. The default is False.
Note: A setting of True means that the client will be authenticated only once on the same connection. IIS will cache a token or ticket on the server for a TCP session that stays established.

Setting: authPersistSingleRequest
Description: Optional Boolean attribute. Setting this flag to True specifies that authentication persists only for a single request on a connection. IIS resets the authentication at the end of each request, and forces re-authentication on the next request of the session. The default value is False.

For instructions on how to configure authentication persistence in IIS 7.0, see You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 7.0 and Implementing Access Control.
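The Kernel Mode Authentication and authentication persistence settings discussed in the previous two sections can be audited across every IIS site from PowerShell. The following is an added example and not part of the white paper. It assumes the WebAdministration module that ships with IIS 7.5 (Windows Server 2008 R2) or later and an elevated shell; site names are read from IIS and nothing else is assumed. The windowsAuthentication section is locked at the server level by default, so the script reads and writes it through a <location> tag (-Location) in applicationHost.config rather than through the site's web.config.

```powershell
# Added example, not from the white paper: audit (and optionally correct) the IIS 7
# Windows authentication attributes that affect Kerberos on every site.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication'
$names  = 'enabled', 'useKernelMode', 'useAppPoolCredentials',
          'authPersistNonNTLM', 'authPersistSingleRequest'

function Get-WindowsAuthSettings {
    # One row per IIS site with the raw attribute values and two derived flags.
    foreach ($site in Get-ChildItem IIS:\Sites) {
        $row = @{ Site = $site.Name }
        foreach ($n in $names) {
            $row[$n] = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                            -Location $site.Name -Filter $filter -Name $n).Value
        }
        # Kernel-mode authentication is not supported for SharePoint 2010 sites.
        $row['KernelModeProblem'] = [bool]$row['useKernelMode']
        # authPersistNonNTLM=false (the default) or authPersistSingleRequest=true means
        # a full Kerberos handshake on every request: the extra traffic noted above.
        $row['ReauthEveryRequest'] = (-not [bool]$row['authPersistNonNTLM']) -or [bool]$row['authPersistSingleRequest']
        New-Object PSObject -Property $row
    }
}

function Set-SharePointWindowsAuth {
    # Applies the white paper's first Kernel Mode workaround (turn it off) and makes
    # Kerberos authentication persist for the life of the connection, for one site.
    param([Parameter(Mandatory = $true)][string]$SiteName)
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName; Filter = $filter }
    Set-WebConfigurationProperty @common -Name useKernelMode            -Value $false
    Set-WebConfigurationProperty @common -Name authPersistNonNTLM       -Value $true
    Set-WebConfigurationProperty @common -Name authPersistSingleRequest -Value $false
}

Get-WindowsAuthSettings |
    Format-Table Site, enabled, useKernelMode, useAppPoolCredentials,
                 authPersistNonNTLM, KernelModeProblem, ReauthEveryRequest -AutoSize
```

Run the audit first and apply Set-SharePointWindowsAuth only to the SharePoint web application sites flagged KernelModeProblem or ReauthEveryRequest; Central Administration and non-SharePoint sites on the same server may have their own requirements. Changes to the windowsAuthentication section take effect on the next request without an IIS reset.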

Kerberos authentication and duplicate/missing SPN issues


When configuring Kerberos authentication, it is easy to accidentally configure duplicate service principal names, especially if you use SetSPN -A or the ADSI Edit (adsiedit.msc) tool to create your SPNs. The general recommendation is to use SetSPN -S to create SPNs, because the -S switch checks for a duplicate SPN before creating the specified SPN.
If you suspect you have duplicate SPNs in your environment, use the SetSPN -X command to query for all duplicate SPNs in your environment (Windows Server 2008 or greater only). If any SPNs are returned you should investigate why the SPNs have been registered and delete any SPNs that are duplicates and are not needed. If you have two services running with two different identities and both use the same SPN (the duplicate SPN issue), you need to reconfigure one of those services to either use a different SPN or share a common service identity.
If you suspect an SPN has not been registered, or has not been registered in the format required, you can use SetSPN -Q <insert SPN> to query for the existence of a particular SPN.
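The non-default-port workaround and the duplicate-SPN check above fit together: the workaround registers portless SPNs, and it is exactly those portless SPNs that collide when two web applications share a host name but not an application pool account. The script below is an added example, not part of the white paper. It builds the SPN list the workaround requires, detects the collision condition before anything is written to Active Directory, registers the safe SPNs with SetSPN -S, and finishes with SetSPN -X. The URLs and the accounts contoso\svcA and contoso\svcB are the white paper's illustrative values; contoso\svcIntranet is an assumed account for the intranet example, and the "No such SPN found" text matched against SetSPN -Q output is the English-language message.

```powershell
# Added example, not from the white paper: plan, check and register the SPNs for
# web applications on non-default ports, then look for forest-wide duplicates.
$webApps = @(
    @{ Url = 'http://intranet.contoso.com:12345'; AppPool = 'contoso\svcIntranet' },  # account assumed
    @{ Url = 'http://server.contoso.com:5000';    AppPool = 'contoso\svcA' },
    @{ Url = 'http://server.contoso.com:5001';    AppPool = 'contoso\svcB' }
)

function Get-RequiredSpns {
    # One object per SPN that must exist for the given web applications.
    param([object[]]$WebApps)
    foreach ($app in $WebApps) {
        $uri   = [Uri]$app.Url
        $names = @($uri.Host)
        if ($uri.Host -match '\.') { $names += $uri.Host.Split('.')[0] }   # short name as well
        foreach ($name in $names) {
            $spns = @("http/$name")                                         # what IE 7/8 and .NET ask for
            if (-not $uri.IsDefaultPort) { $spns += "http/$name`:$($uri.Port)" }  # kept for fixed clients
            foreach ($spn in $spns) {
                New-Object PSObject -Property @{ Spn = $spn; Account = $app.AppPool; Url = $app.Url }
            }
        }
    }
}

function Get-SpnConflicts {
    # An SPN that would have to belong to two different accounts cannot be registered:
    # that is the condition under which the white paper says the workaround fails.
    param([object[]]$Required)
    $Required | Group-Object Spn | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Account -Unique).Count -gt 1
    } | ForEach-Object {
        New-Object PSObject -Property @{
            Spn      = $_.Name
            Accounts = (($_.Group | Select-Object -ExpandProperty Account -Unique) -join ', ')
        }
    }
}

$required  = @(Get-RequiredSpns -WebApps $webApps)
$conflicts = @(Get-SpnConflicts -Required $required)
# With the sample input this lists http/server and http/server.contoso.com (svcA vs. svcB).
$conflicts | Format-Table Spn, Accounts -AutoSize

# Register only the SPNs that are not in conflict. setspn -S refuses to create a
# duplicate, so re-running this loop is safe.
$badSpns = @($conflicts | ForEach-Object { $_.Spn })
foreach ($r in $required | Sort-Object Spn, Account -Unique) {
    if ($badSpns -contains $r.Spn) { continue }
    $query = & setspn.exe -Q $r.Spn
    if ($query -match 'No such SPN found') {
        & setspn.exe -S $r.Spn $r.Account
    }
}

# Finally look for duplicates across the forest (Windows Server 2008 or later).
& setspn.exe -X
```

For the two conflicting server.contoso.com sites the script deliberately registers nothing; the only fixes are the two the white paper gives, one shared application pool account or a distinct host header per site, after which re-running the script registers the remaining SPNs.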

Kerberos Max Token Size


In some environments, users may be members of many Active Directory groups, which can increase the size of their Kerberos tickets. If the tickets grow too large, Kerberos authentication can fail. For more information about how to adjust the maximum token size, see New resolution for problems with Kerberos authentication when users belong to many groups (http://support.microsoft.com/kb/327825).
Note: When adjusting the maximum token size, be aware that if you configure it beyond the maximum value supported for the registry setting, you may see Kerberos authentication errors. We recommend not exceeding 65535 decimal (FFFF hexadecimal) for the maximum token size.

Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
You may need to install a hotfix for Kerberos authentication on all computers that are running Windows Server 2008 or Windows Vista in your environment. This includes all computers that are running SharePoint Server 2010, SQL Server, or Windows Server 2008 that SharePoint Server attempts to authenticate with by using Kerberos authentication. Follow the instructions in the support page to apply the hotfix if you experience the symptoms documented in the support case:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083).


How to reset the Claims to Windows Token Service account (SharePoint Server 2010)
Published: December 2, 2010

Scenario: The Claims to Windows Token Service account is changed unintentionally or otherwise needs to be reset back to the default.

Solution
The Claims to Windows Token Service cannot be reset to the Local System account by using Central Administration. The following Windows PowerShell cmdlets can be used to reset the Claims to Windows Token Service back to Local System.
Launch the SharePoint 2010 Management Shell from the computer that is running SharePoint Server.
Run the following cmdlet to view a list of service instances:
Get-SPServiceInstance

Find and copy the Id of the Claims To Windows Token Service. Right-click in the Windows PowerShell window and choose Mark. This will allow you to select and copy the Id with your mouse cursor. After highlighting the Id, press ENTER on your keyboard.
Test your Id by running the following cmdlet (right-click in the PowerShell window and paste the Id you copied earlier):
Get-SPServiceInstance -Identity <Paste the C2WTS Id>

Next, set a variable by running this cmdlet:
$claims = Get-SPServiceInstance -Identity <Paste the C2WTS Id>

Run these cmdlets to reset the C2WTS back to Local System:
$claims.Service.ProcessIdentity.CurrentIdentityType = 0
# The 0 in the preceding line is IdentityType.LocalSystem
$claims.Service.ProcessIdentity.Update()
$claims.Service.ProcessIdentity.Deploy()
$claims.Service.ProcessIdentity
# This output demonstrates that the cmdlets were successful:
CurrentIdentityType       : LocalSystem
CurrentSecurityIdentifier : S-1-5-18
ManagedAccount            :
ProcessAccount            : S-1-5-18
Username                  : NT AUTHORITY\SYSTEM
