
Configure Kerberos Authentication for SharePoint Products
Microsoft Corporation
Published July 2010
Author: Tom Wisnowski. Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, Pej Javaheri, Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, Prash Shirolkar, Norm Warren, Josh Zimmerman (itspdocs@microsoft.com)
Abstract
This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server. The document also shows how to configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration.





This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Excel, Internet Explorer, Outlook, PerformancePoint, SharePoint, Windows, and Windows PowerShell are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.





Table of Contents
Configure Kerberos authentication for SharePoint 2010 Products
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
Who should read these articles about Kerberos authentication?
Beginning to end
Upgrading from Office SharePoint Server 2007
Step-by-step walkthrough
Existing SharePoint 2010 Product environments
Identity scenarios in SharePoint 2010 Products
Incoming Identity
Identity within a SharePoint 2010 Products environment
Outbound identity
Delegation across domain and forest boundaries
Claims primer
Kerberos protocol primer
Benefits of the Kerberos protocol
Kerberos delegation, constrained delegation, and protocol transition
Kerberos authentication changes in Windows 2008 R2 and Windows 7
Kerberos configuration changes in SharePoint 2010 Products
Considerations when you are upgrading from Office SharePoint Server 2007
Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)
Environment and farm topology
Environment specification
Web Application specification
SSL configuration
Load balancing
SQL aliasing
Tips for working through the scenarios
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Configuration checklist
Step-by-step configuration instructions
Configure DNS
Configure Active Directory
Configure SharePoint Server
IIS configuration
Configure the firewall
Test browser authentication
Test Kerberos Authentication over SSL
Test SharePoint Server Search Index and Query
Test front-end Web delegation
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
Configuration checklist
Scenario environment details
Step-by-step configuration instructions
Configure DNS
Configure Active Directory
Verify SQL Server Kerberos configuration
Create a test SQL Server database and test table
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
Configuration checklist
Step-by-step configuration instructions
Configure Active Directory
Verify SQL Server Kerberos configuration
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Cross-domain Kerberos delegation
Step-by-step configuration instructions
Configure DNS
Active Directory directory service
SQL Server Reporting Services
Configure SharePoint Server
Verify configuration
SSL configuration for Reporting Services
Identity delegation for Excel Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Kerberos constrained delegation paths
SharePoint Server logical authentication
Step-by-step configuration instructions
Active Directory configuration
SharePoint Server configuration
Verify Excel Services constrained delegation
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Scenarios requiring Kerberos authentication
Scenario dependencies
Configuration instructions
Identity delegation for Visio Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Kerberos constrained delegation paths
SharePoint Server logical authentication
Step-by-step configuration instructions
Active Directory configuration
SharePoint Server configuration
Verify Visio Graphic Service Constrained Delegation
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Kerberos constrained delegation paths
SharePoint Server logical authentication
Step-by-step Configuration instructions
Active Directory configuration
SharePoint Server configuration
Verify PerformancePoint Service Constrained Delegation
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario Environment Details
Step-by-step configuration instructions
Active Directory configuration
SharePoint Server configuration
Verification
Kerberos configuration known issues (SharePoint Server 2010)
Kerberos authentication and non-default ports
Kerberos authentication and DNS CNAMEs
Kerberos authentication and Kernel Mode Authentication
Kerberos authentication and session-based authentication
Kerberos authentication and duplicate/missing SPN issues
Kerberos Max Token Size
Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
How to reset the Claims to Windows Token Service account (SharePoint Server 2010)
Solution


Configure Kerberos authentication for SharePoint 2010 Products
Published July 15, 2010
This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server.
The document also shows how to configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration. The Step-by-Step Configuration sections of this document cover the following scenarios for SharePoint Server 2010:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP
• Scenario 3: Identity Delegation for SQL Analysis Services
• Scenario 4: Identity Delegation for SQL Reporting Services
• Scenario 5: Identity Delegation for Excel Services
• Scenario 6: Identity Delegation for PowerPivot for SharePoint
• Scenario 7: Identity Delegation for Visio Services
• Scenario 8: Identity Delegation for PerformancePoint Services
• Scenario 9: Identity Delegation for Business Connectivity Services

The same information about configuring Kerberos authentication for SharePoint 2010 Products is also available as a set of articles in the TechNet Library. It begins here: Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.


Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
Published December 2, 2010
Microsoft SharePoint 2010 Products introduce significant improvements in how identity is managed in the platform. It is very important to understand how these changes affect solution design and platform configuration to enable scenarios that require user identity to be delegated to integrated systems. The Kerberos version 5 protocol plays a key role in enabling delegation and sometimes may be required in these scenarios.
This set of articles gives you information that helps you do the following:
• Understand the concepts of identity in SharePoint 2010 Products
• Learn how Kerberos authentication plays a very important role in authentication and delegation scenarios
• Identify the situations where Kerberos authentication should be leveraged or may be required in solution designs
• Configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in SharePoint Server
• Test and validate that Kerberos authentication is configured correctly and working as expected
• Find additional tools and resources to help you configure Kerberos authentication in your environment
This set of articles is divided into two major sections:
• This overview of Kerberos authentication in SharePoint 2010 Products
This article contains conceptual information about how to manage identity in SharePoint 2010 Products, the Kerberos protocol, and how Kerberos authentication plays a key role in SharePoint 2010 solutions.
• Step-by-step configuration
This group of articles discusses the steps that are required to configure Kerberos authentication and delegation in various SharePoint solution scenarios.


Who should read these articles about Kerberos authentication?
Identity and delegation in SharePoint 2010 Products is a broad topic with many facets and depths of understanding. This set of articles addresses the topic from both conceptual and technical levels and is written to address the needs of various audiences.
Beginning to end
"Tell me everything there is to know about identity and Kerberos authentication in SharePoint 2010 Products."
If you are only starting out and learning about SharePoint 2010 Products, Kerberos authentication, and claims authentication, you will want to read the first section of this document. It covers the basic concepts of identity and delegation and offers primers about Claims and Kerberos authentication. Be sure to follow the links to external articles and additional information to build a solid foundation of knowledge before continuing on to the step-by-step configuration articles.
Upgrading from Office SharePoint Server 2007
"Tell me what is changed from 2007 and what I should prepare for in upgrading to 2010."
If you have an existing Microsoft Office SharePoint Server 2007 environment already configured to use Kerberos authentication and Kerberos delegation, you should read the following articles:
• Identity scenarios in SharePoint 2010 Products
• Claims primer
• Kerberos authentication changes in Windows 2008 R2 and Windows 7
• Kerberos configuration changes in SharePoint 2010 Products
• Considerations when you are upgrading from Office SharePoint Server 2007
If you have additional questions about how to configure delegation for a particular feature or scenario, read the step-by-step configuration articles, especially the configuration checklists. This will help you ensure that your environment is configured correctly after upgrade.


Step-by-step walkthrough
"I want detailed step-by-step instructions on how to configure Kerberos delegation in SharePoint Server and applicable SharePoint Server service applications."
The step-by-step configuration articles cover several SharePoint 2010 Products scenarios which can be configured to use Kerberos delegation. Each scenario is covered in detail, including a configuration checklist and step-by-step instructions to help you successfully configure Kerberos authentication in your environment. The scenarios covered include the following:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP
• Scenario 3: Kerberos Authentication for SQL Analysis Services
• Scenario 4: Identity Delegation for SQL Reporting Services
• Scenario 5: Identity Delegation for Excel Services
• Scenario 6: Identity Delegation for PowerPivot for SharePoint 2010
• Scenario 7: Identity Delegation for Visio Services
• Scenario 8: Identity Delegation for PerformancePoint Services
• Scenario 9: Identity Delegation for Business Connectivity Services
Be sure to thoroughly review the first core configuration scenario because it is a prerequisite for all the scenarios that follow.


Note
The scenarios include SetSPN commands that you may choose to copy from this document and paste in a Command Prompt window. These commands include hyphen characters. Microsoft Word has an AutoFormat feature that tends to convert hyphens to dash characters. If you have this feature turned on in Word and then do a copy-and-paste operation, the commands will not work correctly. Change the dashes to hyphens to fix this error. To turn off this AutoFormat feature in Word, select Options from the File menu, click the Proofing tab, and then open the AutoCorrect dialog box.
Existing SharePoint 2010 Product environments
"I have an existing SharePoint 2010 Product environment and I cannot seem to get Kerberos authentication working. How do I validate and debug my configuration?"
The Step-by-step configuration articles contain several checklists to help triage your environment in various scenarios. Pay special attention to Scenario 1: Core configuration, which covers basic tools and techniques to triage Kerberos configuration.
Identity scenarios in SharePoint 2010 Products
When learning about identity in the context of authentication in SharePoint 2010 Products, you can conceptually look at how the platform handles identity in three key scenarios: incoming authentication, inter/intra-farm authentication, and outgoing authentication.



Incoming Identity
The incoming authentication scenario represents the means in which a client presents its identity to the platform, or in other words authenticates with the web application or web service. SharePoint Server will use the client's identity to authorize the client to access SharePoint Server secured resources such as web pages, documents, and so on.
SharePoint 2010 Products support two modes in which a client can authenticate with the platform: Classic mode and Claims mode.
Classic mode
Classic mode allows the typical Internet Information Services (IIS) authentication methods that you may already be familiar with from previous versions of SharePoint Server. When a SharePoint Server 2010 Web Application is configured to use classic mode, you have the option of using the following IIS authentication methods:
Integrated Windows authentication
Integrated Windows authentication enables Windows clients to seamlessly authenticate with SharePoint Server without having to manually provide credentials (user name/password). Users accessing SharePoint Server from Internet Explorer will authenticate by using the credentials that the Internet Explorer process is running under; by default, the credentials that the user used to log on to the desktop. Services or applications that access SharePoint Server in Windows integrated mode attempt to authenticate by using the credentials of the running thread, which by default is the identity of the process.

NTLM
NT LAN Manager (NTLM) is the default protocol type when Integrated Windows authentication is selected. This protocol takes advantage of a three-part challenge-response sequence to authenticate clients. For more information about NTLM, see Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=196643).
Pros:
• It is easy to configure and typically requires no additional infrastructure/environment configuration to function.
• It works when the client is not part of the domain or is not in a domain trusted by the domain that SharePoint Server resides in.
Cons:
• It requires SharePoint Server to contact the domain controller every time that a client authentication response needs validation, increasing traffic to the domain controllers.
• It does not allow delegation of client credentials to back-end systems, otherwise known as the double-hop rule.
• It is a proprietary protocol.
• It does not support server authentication.
• It is considered less secure than Kerberos authentication.
Kerberos protocol
The Kerberos protocol is a more secure protocol that supports ticketing authentication. A Kerberos authentication server grants a ticket in response to a client computer authentication request, if the request contains valid user credentials and a valid Service Principal Name (SPN). The client computer then uses the ticket to access network resources. To enable Kerberos authentication, the client and server computers must have a trusted connection to the domain Key Distribution Center (KDC). The KDC distributes shared secret keys to enable encryption. The client and server computers must also be able to access Active Directory directory services. For Active Directory, the forest root domain is the center of Kerberos authentication referrals. For more information about the Kerberos protocol, see How the Kerberos Version 5 Authentication Protocol Works (http://go.microsoft.com/fwlink/?LinkId=196644) and Microsoft Kerberos (http://go.microsoft.com/fwlink/?LinkId=196645).


Pros:
• Most secure Integrated Windows authentication protocol
• Allows delegation of client credentials
• Supports mutual authentication of clients and servers
• Produces less traffic to domain controllers
• Open protocol supported by many platforms and vendors
Cons:
• Requires additional configuration of infrastructure and environment to function correctly
• Requires clients have connectivity to the KDC (Active Directory domain controller in Windows environments) over TCP/UDP port 88 (Kerberos) and TCP/UDP port 464 (Kerberos Change Password - Windows)
Other methods
In addition to NTLM and Kerberos authentication, SharePoint Server supports other kinds of IIS authentication such as basic, digest, and certificate-based authentication, which are not covered in this document. For more information about how these protocols function, see Authentication Methods Supported in IIS 7.0 (IIS 7.0) (http://go.microsoft.com/fwlink/?LinkId=196646).
Claims-based authentication
Support for claims authentication is a new feature in SharePoint 2010 Products and is built on Windows Identity Foundation (WIF). In a claims model, SharePoint Server accepts one or more claims about an authenticating client to identify and authorize the client. The claims come in the form of SAML tokens and are facts about the client stated by a trusted authority. For example, a claim could state, "Bob is a member of the Enterprise Admins group for the domain Contoso.com". If this claim came from a provider trusted by SharePoint Server, the platform could use this information to authenticate Bob and to authorize him to access SharePoint Server resources. For more information about claims authentication, see A Guide to Claims-based Identity and Access Control (http://go.microsoft.com/fwlink/?LinkID=187911).
The kinds of claims that SharePoint 2010 Products support for incoming authentication are Windows-Claims, forms-based authentication-Claims, and SAML-Claims.

Windows-Claims
In the Windows-claims mode sign in, SharePoint Server authenticates the client using standard Integrated Windows authentication (NTLM/Kerberos) and then translates the resulting Windows identity into a Claims identity.
Forms-based authentication Claims
In Forms-based authentication claims mode, SharePoint Server redirects the client to a logon page that hosts the standard ASP.NET logon controls. The page authenticates the client by using ASP.NET membership and role providers, similar to how forms-based authentication functioned in Office SharePoint Server 2007. After the identity object that represents the user is created, SharePoint Server then translates this identity into a claims identity object.
SAML-Claims
In SAML-Claims mode, SharePoint Server accepts SAML tokens from a trusted external Security Token Provider (STS). When the user attempts to log on, the user is directed to an external claims provider (for example, the Windows Live ID claims provider), which authenticates the user and produces a SAML token. SharePoint Server accepts and processes this token, augmenting the claims and creating a claims identity object for the user.
For more information about claims-based authentication in SharePoint 2010 Products, see SharePoint Claims-Based Identity.
Note about incoming claims authentication and the Claims to Windows Token Service (C2WTS)
Some service applications require that you use the Windows Identity Foundation (WIF) Claims to Windows Token Service (C2WTS) to translate claims within the farm to Windows credentials for outbound authentication. It is important to understand that C2WTS only functions if the incoming authentication method is either classic mode or Windows claims. If claims is configured, the C2WTS requires only Windows claims; the web application cannot use multiple forms of claims on the web application, otherwise the C2WTS will not function.
Identity within a SharePoint 2010 Products environment
SharePoint 2010 Products environments use claims authentication for intra- and inter-farm communications with most SharePoint service applications and SharePoint integrated products, regardless of the incoming authentication mechanism used. This means that even where classic authentication is used to authenticate with a particular web application, SharePoint Products convert the incoming identity into a claims identity to authenticate with SharePoint Service Applications and products that are claims-aware. By standardizing on the claims model for intra/inter farm communications, the platform can abstract itself from the incoming protocols that are used.

Note
Some products integrated with SharePoint Server, such as SQL Server Reporting Services, are not claims-aware and do not take advantage of the intra-farm claims authentication architecture. SharePoint Server may also rely on classic Kerberos delegation and claims in other scenarios, for example when the RSS viewer web part is configured to consume an authenticated feed. Refer to each product or service application's documentation to determine whether it can support claims-based authentication and identity delegation.
Outbound identity
Outbound identity in SharePoint 2010 Products represents the scenarios where services within the farm have to authenticate with external line-of-business systems and services. Depending on the scenario, authentication can be performed in one of two basic conceptual models:
Trusted subsystem
In the trusted subsystem, the front-end service authenticates and authorizes the client and then authenticates with additional back-end services without passing the client identity to the back-end system. The back-end system trusts the front-end service to do authentication and authorization on its behalf. The most common way to implement this model is to use a shared service account to authenticate with the external system.


In SharePoint Server, this model can be implemented in various ways:
• Using the IIS application pool identity, usually achieved by running code in the web application that elevates permissions while making a call to an external system. Other methods, such as using RevertToSelf, can also use the application pool's identity to authenticate with external systems.
• Using a service account, typically achieved by storing application credentials in the Secure Store, then using those credentials to authenticate with an external system. Other methods include storing the service account credentials in other ways, such as embedded connection strings.
• Anonymous Authentication, this is where the external system requires no authentication. Therefore, the front-end SharePoint Server service does not have to pass any identity to the back-end system.
Delegation
In the Delegation model, the front-end service first authenticates the client and then uses the client's identity to authenticate with another back-end system that performs its own authentication and authorization.



In SharePoint 2010 Products, this model can be implemented in various ways:
• Kerberos delegation: if the client authenticates with the front-end service by using Kerberos authentication, Kerberos delegation can be used to pass the client's identity to the back-end system.
• Claims: claims authentication allows the client's claims to be passed between services as long as there is trust between the two services and both are claims-aware.

Note
Currently most of the service applications that are included with SharePoint Server do not allow for outbound claims authentication, but outbound claims is a platform capability that will be taken advantage of in the future. Further, many of the most common line-of-business systems today do not support incoming claims authentication, which means that using outbound claims authentication may not be possible or will require additional development to work correctly.
Delegation across domain and forest boundaries
The scenarios in this set of articles about Kerberos authentication require that the SharePoint Server service and external data sources reside in the same Windows domain, which is required for Kerberos constrained delegation. The Kerberos protocol supports two kinds of delegation: basic (unconstrained) and constrained. Basic Kerberos delegation can cross domain boundaries in a single forest, but cannot cross a forest boundary regardless of trust relationship. Kerberos constrained delegation cannot cross domain or forest boundaries in any scenario.
Some SharePoint Server services can be configured to use basic Kerberos delegation, but other services require that you use constrained delegation. Any service that relies on the Claims to Windows token service (C2WTS) must use Kerberos constrained delegation to allow the C2WTS to use Kerberos protocol transition to translate claims into Windows credentials.
The following service applications and products require the C2WTS and Kerberos constrained delegation:
• Excel Services
• PerformancePoint Services
• InfoPath Forms Services
• Visio Services
The following service applications and products are not affected by these requirements and therefore can use basic delegation if it is required:
• Business Data Connectivity service and Microsoft Business Connectivity Services
• Access Services
• Microsoft SQL Server Reporting Services (SSRS)
• Microsoft Project Server 2010
The following service application does not allow delegation of client credentials and therefore is not affected by these requirements:
• Microsoft SQL Server PowerPivot for Microsoft SharePoint
Claims primer
For an introduction to Claims concepts and Claims-based authentication, see An Introduction to Claims (http://go.microsoft.com/fwlink/?LinkId=196648) and SharePoint Claims-Based Identity (http://go.microsoft.com/fwlink/?LinkID=196647).


Kerberos protocol primer
For a conceptual overview of the Kerberos protocol, see Microsoft Kerberos (Windows) (http://go.microsoft.com/fwlink/?LinkID=196645), Kerberos Explained (http://go.microsoft.com/fwlink/?LinkId=196649), and Ask the Directory Services Team: Kerberos for the Busy Admin (http://go.microsoft.com/fwlink/?LinkId=196650).
Benefits of the Kerberos protocol
Before examining the details of how one configures SharePoint Server (or any web application) to use the Kerberos protocol, let's talk about the Kerberos protocol generally and why you might want to use it.
Typically, there are three main reasons to use the Kerberos protocol:
1. Delegation of client credentials. The Kerberos protocol allows a client's identity to be impersonated by a service to allow the impersonating service to pass that identity to other network services on the client's behalf. NTLM does not allow this delegation. (This limitation of NTLM is called the double-hop rule.) Claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware.
2. Security. Features such as AES encryption, mutual authentication, support for data integrity and data privacy, just to name a few, make the Kerberos protocol more secure than its NTLM counterpart.
3. Potentially better performance. Kerberos authentication requires less traffic to the domain controllers compared with NTLM (depending on PAC verification; see Microsoft Open Specification Support Team Blog: Understanding Microsoft Kerberos PAC Validation). If PAC verification is disabled or not needed, the service that authenticates the client does not have to make an RPC call to the DC (see You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003). Kerberos authentication also requires less traffic between client and server compared with NTLM. Clients can authenticate with web servers in two request/responses vs. the typical three-leg handshake with NTLM. However, this improvement is typically not noticed on low latency networks on a per-transaction basis, but can typically be noticed in overall system throughput. Remember that many environmental factors can affect authentication performance; therefore Kerberos authentication and NTLM should be performance-tested in your own environment before you determine whether one method performs better than the other.

This is an incomplete list of the advantages of using the Kerberos protocol. There are other reasons, like mutual authentication, cross platform interoperability, and transitive cross domain trust, to name a few. However, in most cases one typically finds delegation and security to be the primary drivers in adoption of the Kerberos protocol.
Kerberos delegation, constrained delegation, and protocol transition
The Kerberos version 5 protocol on the Windows platform supports two kinds of identity delegation: basic (unconstrained) delegation and constrained delegation.

Type: Basic delegation
Advantages:
• Can cross domain boundaries in a single forest
• Requires less configuration than constrained delegation
Disadvantages:
• Does not support protocol transition
• Less secure. If the front-end service is compromised, client identity can be delegated to any service in the forest that accepts Kerberos authentication

Type: Constrained delegation
Advantages:
• Can transition a non-Kerberos incoming authentication protocol to Kerberos (example: NTLM to Kerberos, Claims to Kerberos)
• More secure. Identities can only be delegated to specified services
Disadvantages:
• Cannot cross domain boundaries
• Requires additional setup configuration

kerberos enabled servlces can delegaLe ldenLlLy mulLlple Llmes across mulLlple servlces
and mulLlple hops As an ldenLlLy Lravels from servlce Lo servlce Lhe delegaLlon meLhod
can change from 8aslc Lo ConsLralned buL noL ln reverse 1hls ls an lmporLanL deslgn
deLall Lo undersLand lf a backend servlce requlres 8aslc delegaLlon (for example Lo
Configure Kerberos Authentication for SharePoint 2010 Products
22


delegaLe across a domaln boundary) all servlces ln fronL of Lhe backend servlce musL
use baslc delegaLlon lf any fronLend servlce uses consLralned delegaLlon Lhe backend
servlce cannoL change Lhe consLralned Loken lnLo an unconsLralned Loken Lo cross a
domaln boundary
Protocol transition allows a Kerberos-enabled authenticating service (front-end service) to convert a non-Kerberos identity into a Kerberos identity that can be delegated to other Kerberos-enabled services (back-end service). Protocol transition requires Kerberos constrained delegation, and therefore protocol-transitioned identities cannot cross domain boundaries. Depending on the user rights of the front-end service, the Kerberos ticket returned by protocol transition can be an identification token or an impersonation token. For more information about constrained delegation and protocol transition, see the following articles:
• Kerberos Protocol Transition and Constrained Delegation (http://technet.microsoft.com/en-us/library/cc739387(WS.10).aspx)
• Protocol Transition with Constrained Delegation Technical Supplement (http://msdn.microsoft.com/en-us/library/ff630469.aspx)
• Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop Scenarios (http://support.microsoft.com/kb/2003838)
As a general best practice, if Kerberos delegation is required, use constrained delegation if it is possible. If delegation across domain boundaries is required, then all services in the delegation path must use basic delegation.
Kerberos authentication changes in Windows 2008 R2 and Windows 7
Windows Server 2008 R2 and Windows 7 introduce new features to Kerberos authentication. For an overview of the changes, see Changes in Kerberos Authentication (http://go.microsoft.com/fwlink/?LinkId=196633) and Kerberos Enhancements (http://go.microsoft.com/fwlink/?LinkId=196636). In addition, you should make yourself familiar with IIS 7.0 Kernel Mode authentication (Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings (http://go.microsoft.com/fwlink/?LinkId=196637)), even though it is not supported in SharePoint Server farms.
Kerberos configuration changes in SharePoint 2010 Products
Most of the basic concepts of configuring Kerberos authentication in SharePoint 2010 Products have not changed. You still have to configure service principal names, and you still have to configure delegation settings on computer and service accounts. However, there are several changes that you should be aware of:
• Constrained Delegation: required for services which use the Claims to Windows Token Service. Constrained delegation is required to allow protocol transition to convert claims to Windows tokens.
• Service Applications: In Office SharePoint Server 2007, the SSP services required special SPNs and server registry changes to enable delegation. In SharePoint 2010 Products, service applications use claims authentication and the Claims to Windows Token service, so these changes are no longer needed.
• Windows Identity Foundation (WIF): the WIF Claims to Windows Token Service (C2WTS) is a new service leveraged by SharePoint 2010 Products to convert claims to Windows tokens for delegation scenarios.
Considerations when you are upgrading from Office SharePoint Server 2007
If you are upgrading an Office SharePoint Server 2007 farm to SharePoint Server 2010, there are several things you should consider as you complete the upgrade:
• If web applications are changing URLs, make sure that you update the Service Principal Names to reflect the DNS names.
• Delete the SSP service principal names because they are no longer needed in SharePoint Server 2010.
• Start the Claims to Windows Token Service on the servers that are running service applications that require delegation (for example Excel Services, Visio Graphics Service).
• Configure Kerberos constrained delegation with "use any authentication protocol" to allow Kerberos constrained delegation with the C2WTS.
• Ensure kernel mode authentication is disabled in IIS.

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)
Published December 2, 2010
In the scenario articles that follow, we build out a SharePoint Server 2010 environment to demonstrate how to configure delegation in a number of common scenarios you might encounter in the enterprise. The walkthroughs assume you are building out a scaled-out SharePoint farm similar to what is described in the following section.
Note
Some of the configuration steps may change or may not work in certain farm topologies. For instance, a single-server install does not support the Windows Identity Foundation C2WTS service, so claims to Windows token delegation scenarios are not possible with this farm configuration.

Environment and farm topology
The following diagram illustrates the farm topology used when configuring the scenarios in the sections below. The farm topology is load balanced and scaled out between multiple tiers to demonstrate how identity delegation would work in multi-server, multi-hop scenarios.
Note
The farm configuration in the demonstrations is not meant to be a reference architecture or an example of how to design a topology for production environments. For example, the demo topology runs all SharePoint Server 2010 service applications on a single server, which creates a single point of failure for these services. For more information on how to design and build a production SharePoint Server environment, see SharePoint Server 2010 Physical and Logical Architecture and Topologies for SharePoint Server 2010.

Configure Kerberos Authentication for SharePoint 2010 Products
2


Note
The scenario walkthroughs assume that all computers that are running SharePoint Server and the data sources used in the scenarios below reside in a single domain. An explanation and walkthrough of multi-domain/multi-forest configuration is not covered in this document.
Environment specification
All computers in the demonstration environment are virtualized, running on Windows Server 2008 R2 Hyper-V. The computers are joined to a single Windows domain, vmlab.local, running in Windows Server 2008 Forest and Domain function levels.
• Client Computer
  • Windows 7 Professional 64-bit
• SharePoint Server front-end Webs
  • Windows Server 2008 R2 Enterprise 64-bit
  • Services
    • Web Application Service
  • Load balanced with Windows NLB
• SharePoint Server Application Server
  • Windows Server 2008 R2 Enterprise 64-bit
  • Microsoft SharePoint Server 2010 (RTM)
  • Services
    • WIF Claims to Windows Token Service
    • Managed Metadata Service
    • SharePoint Index
    • SharePoint Query
    • Excel Services
    • Visio Graphics Service
    • Business Connectivity Services
    • PerformancePoint Services
• SQL Services
  • Windows Server 2008 R2 Enterprise 64-bit
  • Microsoft SQL Server 2008 R2 Enterprise 64-bit
  • Active/Passive Configuration
  • SQL Server Services
    • SQL Data Engine
    • SQL Server Analysis Services
    • SQL Agent
    • SQL Browser
• SQL Reporting Server
  • Windows Server 2008 R2 Enterprise 64-bit (RTM)
  • Microsoft SQL 2008 R2 Enterprise 64-bit (RTM)
  • Microsoft SharePoint Server 2010 (RTM)
  • Windows NLB load balanced
  • Reporting Services SharePoint Integration mode
  • Reporting Services scaled-out mode
Web Application specification
The scenarios in the walkthrough reference a set of SharePoint Server 2010 web applications you will configure in Scenario 1. The following web applications are load balanced using Windows NLB across the two SharePoint Server web front ends in the demonstration environment:
• http://sp10CA: The Central Administration web application for the farm. Scenario 1 will not walk through the configuration of this web application.
• http://portal and https://portal: Web application with the demonstration publishing portal. It is used to demonstrate how to configure delegation for web applications running on standard ports (HTTP 80, HTTPS 443).
• http://teams:5555: Web application with the demonstration team site. It is used to demonstrate how to configure delegation for web applications running on non-standard ports, in this example port 5555.

Configuring Kerberos authentication: Step-by-step configuration (SharePoint
Server 2010)
2

SSL configuration
Some of the walkthrough scenarios will use SSL to demonstrate how to configure delegation with HTTPS. It is assumed that the certificates being used come from a trusted root certificate authority, either internal or public, or that you have configured all computers to trust the certificates being used. The document will not cover how to properly configure certificate trust, nor will it provide guidance about debugging issues related to SSL certificate installation. It is highly recommended to review these topics and test your SSL configuration before configuring Kerberos constrained delegation with SSL-protected services. For more information, see:
• Active Directory Certificate Services Overview (http://go.microsoft.com/fwlink/?LinkId=196660)
• Active Directory Certificate Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=196661)
• Configuring Server Certificates in IIS 7 (http://go.microsoft.com/fwlink/?LinkId=196662)
• How to Set Up SSL on IIS 7: Configuring Security: Installing and Configuring IIS 7: The Official Microsoft IIS Site (http://go.microsoft.com/fwlink/?LinkId=193447)
• Add a Binding to a Site (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=196663)
• Configure a Host Header for a Web Site (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=196664) (how to use SSL with host headers)
• Create a Self-Signed Server Certificate in IIS 7 (http://go.microsoft.com/fwlink/?LinkId=196663)
Load balancing
Load balancing on the SharePoint Server front-end Webs and SQL Server Reporting Services servers was implemented by using Windows Server 2008 Network Load Balancing (NLB). How to configure NLB and NLB best practices are not covered in this document. For more information on NLB, refer to Overview of Network Load Balancing.
SQL aliasing
The farm was built using a SQL client alias to connect to the SQL cluster. This is typically a best practice and was done to demonstrate how Kerberos authentication is configured when SQL aliasing is used. Scenario 2 assumes the environment is configured in this manner, but it is not required to use SQL aliases to complete any of the scenarios below. For more information on how to configure SQL aliases, see How to: Create a Server Alias for Use by a Client (SQL Server Configuration Manager).
Tips for working through the scenarios
The scenarios below walk through various activities needed to configure Kerberos delegation across different functions of the SharePoint Server platform. Keep the following in mind as you go through each section.
All the scenarios assume you have your web applications configured for incoming classic authentication (Kerberos). Some scenarios below require classic authentication and will not function as documented with incoming claims authentication.
• Get the SharePoint Server services working first without delegation to ensure the service applications are configured correctly before moving on to more challenging configurations with delegation.
• Pay special attention to each step and avoid skipping any steps.
• Work through scenario 1 and spend time using the debugging tools mentioned in the scenario, as they can be used in other scenarios to triage configuration issues.
• Remember to work through scenario 2. You'll need a computer running SQL Server that is configured to accept Kerberos authentication, and some of the later scenarios require the test database that you set up in that scenario.
• Always double-check SPN configuration in each scenario by using SetSPN -X and SetSPN -Q. See the appendix for more information.
• Always be sure to check the server event logs and ULS logs when attempting to debug a configuration issue. There are typically good pointers in these logs which can quickly point out the issues you are encountering.
• Turn up diagnostic logging for SharePoint Foundation: Claims Authentication and any service applications that you are attempting to triage if issues occur.
• Remember that each scenario may be affected by service application caching. If you make configuration changes but do not see changes in platform behavior, try restarting the service's application pool or Windows service. If this has no effect, sometimes a system reboot will help.
• Remember that Kerberos tickets are cached once requested. If you are using a tool like NetMon to view TGT and TGS requests, you may need to empty the ticket cache if you don't see the request traffic you expect. Scenario 1, Configuring Kerberos authentication: Core configuration (SharePoint Server 2010), explains how to do this with the KLIST and KerbTray utilities.
• Remember to run NetMon with administrative privileges to capture Kerberos traffic.
• For advanced debugging scenarios, you may want to turn on WIF tracing for the Claims to Windows Token Service and WCF tracing for the SharePoint Service Applications (WCF services). See:
  • WIF Tracing
  • How to: Enable Tracing
  • Configuring Tracing

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Published December 2, 2010
In the first scenario you will configure two SharePoint Server 2010 web applications to use the Kerberos protocol for authenticating incoming client requests. For demonstration purposes, one web application will be configured to use standard ports (80/443) and the other will use a non-default port (5555). This scenario will be the basis of all the following scenarios, which assume the activities below have been completed.
Important
It is a requirement to configure your web applications with classic Windows authentication using Kerberos authentication to ensure that the scenarios work as expected. Windows Claims authentication can be used in some scenarios but may not produce the results detailed in the scenarios below.
Note
If you are installing on Windows Server 2008, you may need to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X8000302 or 0x800030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

In this scenario you do the following things:
• Configure two web applications with default zones that use the Kerberos protocol for authentication
• Create two test site collections, one in each web application
• Verify the IIS configuration of the web application
• Verify that clients can authenticate with the web application and ensure that the Kerberos protocol is used for authentication
• Configure the RSS viewer web part to display RSS feeds in a local and a remote web application
• Crawl each web application and test searching content in each test site collection
Configuration checklist

Area of Configuration | Description
DNS | Register a DNS A Record for the web applications' network load balanced (NLB) virtual IP (VIP)
Active Directory | Create service accounts for the web applications' IIS application pools; Register Service Principal Names (SPNs) for the web applications on the service account created for each web application's IIS application pool; Configure Kerberos constrained delegation for the service accounts
SharePoint Web App | Create SharePoint Server managed accounts; Create the SharePoint Search Service Application; Create the SharePoint web applications
IIS | Validate that Kerberos authentication is enabled; Verify kernel-mode authentication is disabled; Install certificates for SSL
Windows 7 Client | Ensure web application URLs are in the intranet zone or a zone configured to automatically authenticate with Integrated Windows authentication
Firewall Configuration | Open firewall ports to allow HTTP traffic in on default and non-default ports; Ensure clients can connect to Kerberos ports on the Active Directory domain controllers
Test Browser Authentication | Verify authentication works correctly in the browser; Verify logon information in the web server's security event log; Use third-party tools to confirm Kerberos authentication is configured correctly
Test SharePoint Server Search Index and Query | Verify browser access from the index server(s); Upload sample content and perform a crawl; Test search
Test WFE Delegation | Configure RSS feed sources on each site collection; Add RSS viewer web parts to the home page of each site collection
Step-by-step configuration instructions
Configure DNS
Configure DNS for the web applications in your environment. In this example we have 2 web applications, http://portal and http://teams:5555, which both resolve to the same NLB VIP (192.168.24.140/24).
For general information about how to configure DNS, see Managing DNS Records.
SharePoint Server Web apps
http://portal: Configure a new DNS A Record for the portal web application. In this example we have a host, portal, configured to resolve to the load balanced VIP.
http://teams:5555: Configure a new DNS A Record for the teams web application.

Note
It is important to ensure the DNS entries are A Records and not CNAME aliases for Kerberos authentication to work successfully in environments with more than one web application running with host headers and separate dedicated service accounts. See Kerberos configuration known issues (SharePoint Server 2010) for an explanation of the known issue with using CNAME with Kerberos-enabled web applications.
Configure Active Directory
Next you will configure the Active Directory accounts for the web applications in your environment. As a best practice, you should configure each web application to run in its own IIS application pool with its own security context (application pool identity).
SharePoint Service Application Service Accounts
In our example we have two SharePoint Server web applications running in two separate IIS application pools, each running with its own application pool identity:

Web Application (default zone) | IIS App Pool Identity
http://portal | vmlab\svcPortal10App
http://teams:5555 | vmlab\svcTeams10App

Service Principal Names (SPNs)
For each service account, configure a set of service principal names that map to the DNS host names assigned to each web application.
Use SetSPN, a command line tool in Windows Server 2008, to configure a new service principal name. For a full explanation of how to use SetSPN, see Setspn. To learn about SetSPN improvements in Windows Server 2008, see Care, Share and Grow! : New features in SETSPN.EXE on Windows Server 2008.
All SharePoint Server web applications, regardless of port number, use the following SPN format:
• HTTP/<DNS host name>
• HTTP/<DNS FQDN>
Example:
• HTTP/portal
• HTTP/portal.vmlab.local
For web applications running on non-default ports (ports other than 80/443), register additional SPNs with the port number:
• HTTP/<DNS host name>:<port>
• HTTP/<DNS FQDN>:<port>
Example:
• HTTP/teams:5555
• HTTP/teams.vmlab.local:5555

Note
See the appendix for an explanation of why it is recommended to configure SPNs both with and without the port number for HTTP services running on non-default ports (other than 80, 443). Technically, the correct way to refer to an HTTP service that runs on a non-default port is to include the port number in the SPN, but because of known issues described in the appendix we need to configure SPNs without the port as well. Note that the SPNs without a port for the teams web application do not mean services will be accessed using the default ports (80, 443) in our example.

In our example we configured the following service principal names for the two accounts we created in the previous step:

DNS Host | IIS App Pool Identity | Service Principal Names
Portal.vmlab.local | vmlab\svcPortal10App | HTTP/Portal; HTTP/Portal.vmlab.local
Teams.vmlab.local | vmlab\svcTeams10App | HTTP/Teams; HTTP/Teams.vmlab.local; HTTP/Teams:5555; HTTP/Teams.vmlab.local:5555
To create the service principal names, the following commands were executed:
SetSPN -S HTTP/Portal vmlab\svcPortal10App
SetSPN -S HTTP/Portal.vmlab.local vmlab\svcPortal10App
SetSPN -S HTTP/Teams vmlab\svcTeams10App
SetSPN -S HTTP/Teams.vmlab.local vmlab\svcTeams10App
SetSPN -S HTTP/Teams:5555 vmlab\svcTeams10App
SetSPN -S HTTP/Teams.vmlab.local:5555 vmlab\svcTeams10App
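The same registration as a script, added here as an example and not part of the original document: it derives the SPN set from the rules above (HTTP/host and HTTP/FQDN always, port-qualified SPNs only for ports other than 80/443), queries for duplicates with SETSPN -Q before adding with -S, and assumes Windows Server 2008 SETSPN.EXE on the PATH plus the walkthrough's vmlab.local accounts.

```powershell
# Added example; not Microsoft's code. Builds and registers the SPN set the
# walkthrough prescribes for a SharePoint web application. Assumes
# SETSPN.EXE from Windows Server 2008 (supports -S and -Q) is on the PATH and
# that its English "Existing SPN found!" message is what -Q prints on a hit.

function Get-SharePointWebAppSpn {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,   # e.g. "Portal"
        [Parameter(Mandatory = $true)] [string] $DnsDomain,  # e.g. "vmlab.local"
        [int] $Port = 80
    )
    # The service class is always HTTP, even when the site is served over SSL.
    $spns = @("HTTP/$HostName", "HTTP/$HostName.$DnsDomain")
    if ($Port -ne 80 -and $Port -ne 443) {
        # Non-default port: port-qualified SPNs are added in addition to,
        # not instead of, the port-less ones.
        $spns += "HTTP/${HostName}:$Port"
        $spns += "HTTP/$HostName.${DnsDomain}:$Port"
    }
    return $spns
}

function Register-SharePointWebAppSpn {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [string] $DnsDomain,
        [Parameter(Mandatory = $true)] [string] $Account,   # DOMAIN\user
        [int] $Port = 80,
        [switch] $DryRun                                    # print instead of registering
    )
    $spns = Get-SharePointWebAppSpn -HostName $HostName -DnsDomain $DnsDomain -Port $Port
    foreach ($spn in $spns) {
        # "setspn -Q" searches the forest for any account already holding this SPN.
        $query = & setspn.exe -Q $spn 2>&1 | Out-String
        if ($query -match 'Existing SPN found') {
            # A duplicate breaks Kerberos for both accounts; stop and resolve it
            # (different DNS name, or remove the stale SPN) rather than add another.
            Write-Warning "Duplicate: $spn is already registered.`n$query"
            continue
        }
        if ($DryRun) {
            Write-Host "Would run: setspn -S $spn $Account"
            continue
        }
        # -S re-checks for a duplicate and refuses to add the SPN if one exists.
        & setspn.exe -S $spn $Account
    }
}

# The two walkthrough web applications; review the list with -DryRun first.
Register-SharePointWebAppSpn -HostName 'Portal' -DnsDomain 'vmlab.local' -Account 'vmlab\svcPortal10App' -DryRun
Register-SharePointWebAppSpn -HostName 'Teams'  -DnsDomain 'vmlab.local' -Account 'vmlab\svcTeams10App' -Port 5555 -DryRun
```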

Important
Do not configure service principal names with HTTPS, even if the web application uses SSL.

In our example we used a new command line switch, -S, introduced in Windows Server 2008, that checks for the existence of the SPN before creating the SPN on the account. If the SPN already exists, the new SPN is not created and you see an error message. If duplicate SPNs are found, you have to resolve the issue either by using a different DNS name for the web application, thereby changing the SPN, or by removing the existing SPN from the account it was discovered on.

Important
Before deleting an existing SPN, be sure it is no longer needed; otherwise you may break Kerberos authentication for another application in your environment.
Service Principal Names and SSL
It is common to confuse Kerberos Service Principal Names with URLs for HTTP web applications because the SPN and URI formats are very similar in syntax, but it's important to understand that they are two very separate and distinct things. Kerberos service principal names are used to identify a service, and when that service is an HTTP application the service scheme is HTTP regardless of whether the service is accessed with SSL or not. This means that even if you access the web application using https://someapp, you do not and should not configure a service principal name with HTTPS, for example HTTPS/someapp.
Configure Kerberos constrained delegation for computers and service accounts
Depending on the scenario, some functionality in SharePoint Server 2010 may require constrained delegation to function properly. For example, if the RSS viewer web part is configured to display an RSS feed from an authenticated source, it will require delegation to consume the source feed. In other situations it may be required to configure constrained delegation to allow service applications (such as Excel Services) to delegate the client's identity to back-end systems.
In this scenario we will configure Kerberos constrained delegation to allow the RSS viewer web part to read a secured local RSS feed and a secured remote RSS feed from a remote web application. In later scenarios we will configure Kerberos constrained delegation for other SharePoint Server 2010 service applications.
The following diagram conceptually describes what will be configured in this scenario:

We have two web applications, each with its own site collection with a site page hosting two RSS viewer web parts. The web applications each have a single default zone configured to use Kerberos authentication, so all feeds coming from these web sites will require authentication. In each site, one RSS viewer will be configured to read a local RSS feed from a list and the other will be configured to read an authenticated feed in the remote site.
To accomplish this, Kerberos constrained delegation will be configured to allow delegation between the IIS application pool service accounts. The following diagram conceptually describes the constrained delegation paths needed:

Remember that we identify the web application by service name using the Service Principal Name (SPN) assigned to the identity of the IIS application pool. The service accounts processing requests must be allowed to delegate the client identity to the designated services. All together we have the following constrained delegation paths to configure:

Principal Type | Principal Name | Delegates To Service
User | svcPortal10App | HTTP/Portal; HTTP/Portal.vmlab.local; HTTP/Teams; HTTP/Teams.vmlab.local; HTTP/Teams:5555; HTTP/Teams.vmlab.local:5555
User | svcTeams10App | HTTP/Portal; HTTP/Portal.vmlab.local; HTTP/Teams; HTTP/Teams.vmlab.local; HTTP/Teams:5555; HTTP/Teams.vmlab.local:5555

Note
It may seem redundant to configure delegation from a service to itself, such as the portal service account delegating to the portal service application, but this is required in scenarios where you have multiple servers running the service. This addresses the case where one server may need to delegate to another server running the same service, for instance a WFE processing a request with an RSS viewer which uses the local web application as the data source. Depending on farm topology and configuration, there is a possibility that the RSS request may be serviced by a different server, which would require delegation to work correctly.

To configure delegation you can use the Active Directory Users and Computers snap-in. Right-click each service account and open the properties dialog. In the dialog you will see a tab for delegation (note that this tab only appears if the object has an SPN assigned to it; computers have an SPN by default). On the delegation tab select Trust this user for delegation to specified services only, then select Use any authentication protocol.

Click the Add button to add the services the user (service account) will be allowed to delegate to. To select an SPN, you look up the object the SPN is applied to. In our instance we are trying to delegate to an HTTP service, which means we search for the service account of the IIS application pool that the SPN was assigned to in the previous step.

On the Select Users or Computers dialog box, click Users and Computers, search for the IIS application pool service accounts (in our example vmlab\svcPortal10App and vmlab\svcTeams10App) and then click OK.

You will then be prompted to select the services assigned to the objects by service principal name.

On the Add Services dialog box, click Select All, then click OK. Note that when you return to the delegation dialog you do not actually see all the SPNs selected. To see all SPNs, check the Expanded check box in the lower left-hand corner.

Perform these steps for each service account in your environment that requires delegation. In our example this is the service accounts list.
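The same two settings applied and verified from a script, added here as an example that is not part of the original document: "Trust this user for delegation to specified services only" is the msDS-AllowedToDelegateTo attribute and "Use any authentication protocol" is the TrustedToAuthForDelegation flag. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT) and the walkthrough's vmlab.local accounts and SPNs.

```powershell
# Added example; not Microsoft's code. Equivalent of the ADUC delegation tab
# steps above, using the ActiveDirectory module, plus a read-only check that
# the delegation table has actually landed on the account.

Import-Module ActiveDirectory

function Set-KcdDelegation {
    param(
        [Parameter(Mandatory = $true)] [string]   $Account,   # sAMAccountName, e.g. svcPortal10App
        [Parameter(Mandatory = $true)] [string[]] $TargetSpn  # services it may delegate to
    )
    # "Trust this user for delegation to specified services only":
    # msDS-AllowedToDelegateTo holds the allowed target SPNs. -Replace makes the
    # call idempotent; the list becomes exactly $TargetSpn, never a duplicate append.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    # "Use any authentication protocol" = TRUSTED_TO_AUTH_FOR_DELEGATION in
    # userAccountControl; required for protocol transition (claims/C2WTS scenarios).
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true
}

function Test-KcdDelegation {
    param(
        [Parameter(Mandatory = $true)] [string]   $Account,
        [Parameter(Mandatory = $true)] [string[]] $ExpectedSpn
    )
    $u = Get-ADUser -Identity $Account -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $configured = @($u.'msDS-AllowedToDelegateTo')
    # Any expected SPN missing here means a delegation hop will fail with
    # KRB_AP_ERR style failures at the back-end rather than a clear error.
    $missing = @($ExpectedSpn | Where-Object { $configured -notcontains $_ })
    $anyProtocol = [bool]$u.TrustedToAuthForDelegation
    New-Object PSObject -Property @{
        Account                    = $Account
        TrustedToAuthForDelegation = $anyProtocol
        MissingTargets             = $missing
        Ok                         = ($anyProtocol -and $missing.Count -eq 0)
    }
}

# Delegation paths from the table above: both app pool accounts may delegate to
# every SPN of both web applications, including their own (multi-WFE farms).
$targets = @(
    'HTTP/Portal', 'HTTP/Portal.vmlab.local',
    'HTTP/Teams',  'HTTP/Teams.vmlab.local',
    'HTTP/Teams:5555', 'HTTP/Teams.vmlab.local:5555'
)
foreach ($acct in 'svcPortal10App', 'svcTeams10App') {
    Set-KcdDelegation  -Account $acct -TargetSpn $targets
    Test-KcdDelegation -Account $acct -ExpectedSpn $targets | Format-List
}
```

Run Test-KcdDelegation on its own against an existing farm to audit that every service account in the delegation path still carries the expected targets and nothing more.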
Configure SharePoint Server
Once Active Directory and DNS are configured, it's time to create the web applications in your SharePoint Server 2010 farm. This paper assumes that the installation of SharePoint Server is complete at this point and that the farm topology and supporting infrastructure, for instance load balancing, is configured. For more information about how to install and configure your SharePoint farm, see Deployment for SharePoint Server 2010.
Configure managed service accounts
Before creating your web applications, configure the service accounts created in the previous steps as managed service accounts in SharePoint Server. Doing so ahead of time will allow you to skip this step when creating the web applications themselves.
To configure a managed account
1. In SharePoint Central Administration, click Security.

2. Under General Security, click Configure managed accounts.

3. Click Register Managed Account and create a managed account for each service account. In this example we created five managed service accounts:

Account | Purpose
VMLAB\svcSP10Search | SharePoint Search Service Account
VMLAB\svcSearchAdmin | SharePoint Search Administration Service Account
VMLAB\svcSearchQuery | SharePoint Search Query Service Account
VMLAB\svcPortal10App | Portal Web App IIS Application Pool Account
VMLAB\svcTeams10App | Teams Web App IIS Application Pool Account

Note
Managed accounts in SharePoint Server 2010 are not the same as managed service accounts in Windows Server 2008 R2 Active Directory.
Create the SharePoint Server Search Service Application
In this example we will configure the SharePoint Server Search Service Application to ensure the newly created web applications can be crawled and searched successfully. Create a new SharePoint Server Search Service Application and place the Search Query and Administration Services on the application server, in our example vmSP10App01. For a detailed explanation of how to configure the Search Service Application, see Step-by-Step: Provisioning the Search Service Application.

Note
The placement of all Search Services on a single application server is for demonstration purposes only. A complete discussion about SharePoint Server 2010 Search Topology options and best practices is out of scope for this document.

Create the Web Application
Browse to Central Administration and navigate to Manage Web Applications in the Application Management section. In the toolbar select New and create your web application. Ensure that the following is configured:
• Select Classic Mode Authentication
• Configure the port and host header for each web application
• Select Negotiate as the Authentication Provider
• Under application pool, select Create new application pool and select the managed account created in the previous step
In this example two web applications were created with the following settings:

Setting | http://Portal Web Application | http://Teams Web Application
Authentication | Classic Mode | Classic Mode
IIS Web Site | Name: SharePoint - Portal - 80; Port: 80; Host Header: Portal | Name: SharePoint - Teams - 5555; Port: 80; Host Header: Teams
Security Configuration | Auth Provider: Negotiate; Allow Anonymous: No; Use Secure Socket Layer: No | Auth Provider: Negotiate; Allow Anonymous: No; Use Secure Socket Layer: No
Public URL | http://Portal:80 | http://Teams:5555
Application Pool | Name: SharePoint - Portal80; Security Account: vmlab\svcPortal10App | Name: SharePoint - Teams5555; Security Account: vmlab\svcTeams10App

When creating the new web application you also create a new zone, the default zone, configured to use the Windows authentication provider. You can see the provider and its settings for the zone in web application management by first selecting the web application, then clicking Authentication Providers in the toolbar. The authentication providers dialog box lists all the zones for the selected web application along with the authentication provider for each zone. By selecting the zone you will see the authentication options for that zone.
If you misconfigured the Windows settings and selected NTLM when the web application was created, you can use the edit authentication dialog for the zone to switch the zone from NTLM to Negotiate. If Classic mode was not selected as the authentication mode, you must either create a new zone by extending the web application to a new IIS web site, or delete and recreate the web application.
Create site collections
To test whether authentication is working correctly, you will need to create at least one site collection in each web application. The creation and configuration of the site collection will not affect Kerberos functionality, so follow existing guidance on how to create a site collection in Create a site collection (SharePoint Foundation 2010).
For this example, two site collections were configured:

Web Application | Site Collection Path | Site Collection Template
http://portal | / | Publishing Portal
http://teams:5555 | / | Team Site

Create alternate access mappings
The portal web application will be configured to use HTTPS as well as HTTP to demonstrate how delegation works with SSL-protected services. To configure SSL, the portal web application will need a second SharePoint Server alternate access mapping (AAM) for the HTTPS endpoint.
To configure alternate access mappings
1. In Central Administration, click Application Management.
2. Under Web Applications, click Configure alternate access mappings.

3. In the Select Alternate Access Mapping Collection dropdown, select Change Alternate Access Mapping Collection.
4. Select the portal web application.
5. Click Edit Public URLs in the top toolbar.
6. In a free zone, add the https URL for the web application. This URL will be the name on the SSL certificate you will create in the next steps.
7. Click Save.
You should now see the HTTPS URL in the zone list for the web application.
IIS configuration
Install SSL certificates
You will need to configure an SSL certificate on each SharePoint Server hosting the web application service for each web application that uses SSL. Again, the topic of how to configure an SSL certificate and certificate trust is out of scope for this document. See the SSL Configuration section in this document for references to material about configuring SSL certificates in IIS.
Verify that Kerberos authentication is enabled
To verify that Kerberos authentication is enabled on the web site
1. Open IIS Manager.
2. Select the IIS web site to verify.
3. In Features View, under IIS, double-click Authentication.
4. Select Windows Authentication, which should be enabled.
5. On the right-hand side, under Actions, select Providers. Verify that Negotiate is at the top of the list.
Verify that Kernel mode authentication is disabled
Kernel mode authentication is not supported in SharePoint Server 2010. By default, all SharePoint Server web applications should have Kernel Mode Authentication disabled on their corresponding IIS web sites. Even in situations where the web application was configured on an existing IIS web site, SharePoint Server disables kernel mode authentication as it provisions a new web application on the existing IIS site.
To verify that kernel mode authentication is disabled
1. Open IIS Manager.
2. Select the IIS web site to verify.
3. In Features View, under IIS, double-click Authentication.
4. Select Windows Authentication, which should be enabled.
5. Click Advanced Settings.
6. Verify that both EAP and Kernel Mode Authentication are disabled.
Configure the firewall
Before testing authentication, ensure that clients can access the SharePoint Server web applications on the configured HTTP ports. In addition, ensure that clients can authenticate with Active Directory and request Kerberos tickets from the KDC over the standard Kerberos ports.
Open firewall ports to allow HTTP traffic in on default and non-default ports
Typically you have to configure the firewall on each front-end Web to allow incoming requests over ports TCP 80 and TCP 443. Open Windows Firewall with Advanced Security and browse to the following Inbound Rules:

• World Wide Web Services (HTTP Traffic-In)
• World Wide Web Services (HTTPS Traffic-In)
Make sure the appropriate ports are open in your environment. In our example we access SharePoint Server over HTTP (port 80), so this rule was enabled.
In addition, we have to open the non-default port used in our example (TCP 5555). If you have web sites running on non-default ports, you also have to configure custom rules to allow HTTP traffic on those ports.

Ensure that clients can connect to Kerberos ports on the Active Directory role
To use Kerberos authentication, clients have to request ticket granting tickets (TGT) and service tickets (ST) from the Key Distribution Center (KDC) over UDP or TCP port 88. When you install the Active Directory role in Windows Server 2008 and later, the role configures the following incoming rules by default to allow this communication:

• Kerberos Key Distribution Center - PCR (TCP-In)
• Kerberos Key Distribution Center - PCR (UDP-In)
• Kerberos Key Distribution Center (TCP-In)
• Kerberos Key Distribution Center (UDP-In)
In your environment, ensure that these rules are enabled and that clients can connect to the KDC (domain controller) over port 88.
Test browser authentication
After configuring Active Directory, DNS, and SharePoint Server, you can now test whether Kerberos authentication is configured correctly by browsing to your web applications. When testing in the browser, ensure that the following conditions are met:
1. The test user is logged into a Windows XP, Vista, or Windows 7 computer joined to the domain that SharePoint Server is installed in, or is logged into a domain trusted by the SharePoint Server domain.
2. The test user is using Internet Explorer 7.0 or later (Internet Explorer 6.0 is no longer supported in SharePoint Server 2010; see Plan browser support (SharePoint Server 2010)).
3. Integrated Windows authentication is enabled in the browser. Under Internet Options, in the Advanced tab, make sure that Enable Integrated Windows Authentication* is enabled in the Security section.
4. Local intranet is configured to automatically log on clients. Under Internet Options, in the Security tab, select Local intranet and click the Custom level button. Scroll down and make sure that Automatic logon only in Intranet zone is selected.
Note
It is possible to configure automatic logon on other zones, but the topic of IE security zone best practices is outside the scope of this paper. For this demonstration, the intranet zone will be used for all tests.
5. Ensure that Automatically detect intranet network is selected in Internet Options > Security > Intranet Zone > Sites.
6. If you are using fully qualified domain names to access the SharePoint Server web applications, ensure that the FQDNs are included in the intranet zone, either explicitly or by wildcard inclusion (for example "*.vmlab.local").
The easiest way to determine if Kerberos authentication is being used is by logging into a test workstation and navigating to the web site in question. If the user isn't prompted for credentials and the site is rendered correctly, you can assume Integrated Windows authentication is working. The next step is to determine if the Negotiate protocol was used to negotiate Kerberos authentication as the authentication provider for the request. This can be done in the following ways:
Front-end Web security logs
If Kerberos authentication is working correctly, you will see Logon events in the security event logs on the front-end webs with event ID 4624.
In the general information for these events, you should see the security ID being logged onto the computer and the Logon Process used, which should be Kerberos.

KList
KLIST is a command line utility included in the default installation of Windows Server 2008 and Windows Server 2008 R2 which can be used to list and purge Kerberos tickets
on a given computer. To run KLIST, open a command prompt in Windows Server 2008 and type klist.

If you want to purge the ticket cache, run klist with the optional purge parameter: klist purge.
KerbTray
KerbTray is a free utility included with the Windows 2000 Resource Kit Tools that can be installed on your client computer to view the Kerberos ticket cache. Download and install it from Windows 2000 Resource Kit Tool: Kerbtray.exe. Once you have it installed, perform the following actions:
1. Navigate to the web sites that use Kerberos authentication.
2. Run KerbTray.exe.
3. View the Kerberos ticket cache by right-clicking the Kerb Tray icon in the system tray and selecting List Tickets.
4. Validate that the service tickets for the web applications you authenticated to are in the list of cached tickets. In our example we navigated to the following web sites, which have the following SPNs registered:

Web Site URL | SPN
http://portal | HTTP/Portal.vmlab.local
http://teams:5555 | HTTP/Teams.vmlab.local
Fiddler
Fiddler is a free HTTP traffic analyzer that can be downloaded from the following location: http://www.fiddlertool.com/. In Fiddler you will see the client and server negotiate Kerberos authentication, and you will be able to see the client send the Kerberos service tickets to the server in the HTTP headers of each request. To validate that Kerberos authentication is working correctly using Fiddler, perform the following actions:
1. Download and install Fiddler (www.fiddlertool.com) on the client computer.
2. Log out of the desktop and log back in to flush any cached connections to the web server and force the browser to negotiate Kerberos authentication and perform the authentication handshake.
3. Start Fiddler.
4. Open Internet Explorer and browse to the web application (http://portal in our example).
You should see the requests and responses to the SharePoint Server front-end web in Fiddler.

The first HTTP 401 is the browser's attempt to do the GET request without authentication.
In response, the server sends back an HTTP 401 Unauthorized, and in this response indicates what authentication methods it supports.

In the next request, the client resends the previous request, but this time sends the service ticket for the web application in the headers of the request.
If you select the "Auth" view within the Fiddler inspector window, you will also see the Kerberos ticket in the request and the Kerberos response.
If authenticated successfully, the server sends back the requested resource.
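The Negotiate header Fiddler shows above does not by itself tell you whether Kerberos or NTLM was used. The following is an added example, not code from the Microsoft document: it decodes the SPNEGO/GSS-API wrapper of an "Authorization: Negotiate" header value to tell a Kerberos service ticket from an NTLM fallback, so captured requests can be audited for unexpected NTLM. The sample requests, URLs and token contents are constructed for the example, not real captures.

```python
import base64

# DER-encoded mechanism OIDs (RFC 4178 SPNEGO, RFC 1964 Kerberos, Microsoft Kerberos, NTLMSSP).
SPNEGO_OID = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KERBEROS_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060401823702020a")      # 1.3.6.1.4.1.311.2.2.10


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oids_in_order(buf):
    """Walk constructed DER types and collect OIDs in encounter order.
    OCTET STRINGs (the inner mechToken, i.e. the ticket itself) are not descended into."""
    oids, pos = [], 0
    while pos < len(buf):
        try:
            tag, value, pos = _read_tlv(buf, pos)
        except IndexError:                 # truncated token: stop, report what was found
            break
        if tag == 0x06:
            oids.append(value)
        elif tag & 0x20:                   # constructed: SEQUENCE, [n] context tags, APPLICATION 0
            oids.extend(_oids_in_order(value))
    return oids


def classify_negotiate(header_value):
    """Classify an Authorization header value as 'kerberos', 'ntlm' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):   # bare NTLM message sent under the Negotiate scheme
        return "ntlm"
    oids = _oids_in_order(token)
    if not oids:
        return "unknown"
    if oids[0] in (KERBEROS_OID, MS_KERBEROS_OID):
        return "kerberos"                  # raw Kerberos GSS-API token, no SPNEGO wrapper
    if oids[0] == SPNEGO_OID and len(oids) > 1:
        preferred = oids[1]                # first mechType: the mechanism the attached mechToken is for
        if preferred in (KERBEROS_OID, MS_KERBEROS_OID):
            return "kerberos"
        if preferred == NTLMSSP_OID:
            return "ntlm"
    return "unknown"


def _der(tag, content):
    """Minimal DER encoder used only to build the constructed sample tokens below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit for test input; mech_token is a placeholder, not a ticket."""
    mech_types = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed requests modelled on the capture described above (not real captures):
# a Kerberos-preferred SPNEGO token, an SPNEGO token carrying NTLM, and a bare NTLM message.
SAMPLE_REQUESTS = [
    ("http://portal/", _header(build_neg_token_init(
        [MS_KERBEROS_OID, KERBEROS_OID, NTLMSSP_OID], b"<constructed AP-REQ placeholder>"))),
    ("http://teams:5555/", _header(build_neg_token_init(
        [NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00"))),
    ("http://portal/_layouts/", _header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)),
]


def audit(requests):
    """Return [(url, mechanism)] so NTLM fallbacks stand out when reviewing a capture."""
    return [(url, classify_negotiate(auth)) for url, auth in requests]
```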
NetMon 3.4
NetMon 3.4 is a free network packet analyzer from Microsoft that can be downloaded from the Microsoft Download Center: Microsoft Network Monitor 3.4.
In NetMon you see all TCP requests and responses to the KDC and the SharePoint Server web servers, giving you a complete view of the traffic that makes up a complete authentication request. To validate that Kerberos authentication is working by using NetMon, perform the following actions:
1. Download and install NetMon 3.4 (Microsoft Network Monitor 3.4).
2. Log out of the client, then log back in to flush the Kerberos ticket cache. Optionally, you can use KerbTray to purge the ticket cache by right-clicking KerbTray and selecting Purge Tickets.
3. Start NetMon in administrator mode. Right-click the NetMon shortcut and select Run as Administrator.
4. Start a new capture on the interfaces that connect to the Active Directory domain controller in your environment and the web front ends.
5. Open Internet Explorer and browse to the web application.
6. After the web site renders, stop the capture and add a display filter to show the frames for Kerberos authentication and HTTP traffic.

7. In the frames window, you should see both HTTP and KerberosV5 traffic:
a. The first two frames are the original request/response where the client and server negotiate the use of Kerberos for authentication.
b. The following KerberosV5 frames are the client requests for a Ticket Granting Ticket for the VMLAB.LOCAL realm and the Kerberos service tickets for the SPN HTTP/portal.vmlab.local.
c. Finally, the last HTTP frames are the client using the service tickets to authenticate with the web server, and the server successfully authenticating the client and returning the response.
Test Kerberos Authentication over SSL
To clearly demonstrate the SPNs requested when a client accesses an SSL-protected resource, you can use a tool like NetMon to capture the traffic between client and server and examine the Kerberos service ticket requests.
1. Either log out and then log back in to the client computer, or clear all cached Kerberos tickets by using KerbTray.
2. Start a new NetMon capture on the client computer. Be sure to start NetMon with administrator permissions.
3. Browse to the web application by using SSL (in this example https://portal).
4. Stop the NetMon capture and examine the KerberosV5 traffic. For instructions on how to filter the capture display, see the NetMon 3.4 section of this article.
5. Look for the TGS request the client sends. In the request you will see the SPN requested in the Sname parameter.
Note that the Sname is HTTP/portal.vmlab.local and not HTTPS/portal.vmlab.local.
Test SharePoint Server Search Index and Query
Verify browser access from the index server(s)
Before running a crawl, ensure that the index server can access the web applications and authenticate successfully. Log into the index server and open the test site collections in the browser. If the sites render successfully and no authentication dialogs appear, proceed to the next step. If any issues occur while accessing the sites in the browser, go back over the previous steps to ensure that all configuration actions were performed correctly.
Upload sample content and perform a crawl
In each site collection, upload a seed document (one that is easily identifiable in search) to a document library in the site collection. For instance, create a text document containing the words "alpha, beta, delta" and save it to a document library in each site collection.
Next, browse to SharePoint Central Administration and start a full crawl on the Local SharePoint Sites content source (which should contain the two test site collections by default).
Test search
If indexing completed successfully, you should see searchable items in your index and no errors in the crawl log.

Note
If you have configured the User Profile Application (UPA) and are performing a crawl on the profile store, be sure to configure the appropriate permissions on the UPA to allow the content access account to access profile data. If you have not configured the UPA permissions, you will receive errors in the crawl logs indicating that the crawler could not access the profile service because it received an HTTP 401 when trying to access the service. The 401 returned is not due to Kerberos but instead is due to the content access account not having permissions to read profile data.

Next, browse to each site collection and perform a search for the seed document. Each site collection's search query should return the seed document that was uploaded.

Test front-end Web delegation
As a last step in this scenario, you use the RSS viewer web part on each site collection to ensure that delegation is working both locally and remotely.
Configure RSS feed sources on each site collection
For the portal application, you have to enable RSS feeds on the site collection. To turn on RSS feeds, follow the instructions in Manage RSS Feeds on Office.com.
Once RSS feeds are enabled, create a new custom list and add a list item for testing purposes. Navigate to the List toolbar menu and click RSS Feed to view the RSS feed. Copy the feed URL to use it in the following steps.

Perform this step for each site collection.
Add RSS view web parts to the home page of each site collection
On the portal application, you'll need to enable the SharePoint Enterprise Features site collection feature to use the RSS viewer web part. Once enabled, add two RSS viewer web parts to the home page. For the first web part, configure the feed URL to point at the local RSS feed you created in the previous step. For the second web part, configure the feed URL to point at the remote feed URL. When completed, you should see both web parts successfully rendering content from the local and remote RSS feeds.
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
Published: December 2, 2010
In this scenario we walk through the process of configuring Kerberos authentication for the SQL Server cluster in our sample environment. Once that process is complete, we validate that SharePoint Server services are authenticated with the cluster by using the Kerberos protocol.
In this scenario you do the following things:
• Configure an existing SQL Server 2008 R2 cluster to use Kerberos authentication
• Verify that the client can authenticate with the cluster by using Kerberos authentication
• Create a test database and sample data to be used in later scenarios
Note
It is not required to use Kerberos authentication for SQL Server for core SharePoint Server data services (for example, connections to platform databases). The sample environment has a sole SQL Server cluster that hosts additional sample databases used in later scenarios. For delegation to work correctly in these scenarios, the SQL Server cluster must accept Kerberos authenticated connections.

Note
If you are installing on Windows Server 2008, you may need to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X8000302 or 0x800030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)
Configuration checklist

Area of configuration | Description
Configure DNS | Create DNS (A) host records for the SQL Server cluster IP
Configure Active Directory | Create Service Principal Names (SPNs) for the SQL Server service
Verify SQL Server Kerberos configuration | Use SQL Server Management Studio to query SQL connection metadata to ensure that the Kerberos authentication protocol is used

Scenario environment details

This scenario demonstrates a SharePoint Server farm configured to use a SQL alias for a connection to a SQL Server cluster that is configured to use Kerberos authentication.

Step-by-step configuration instructions
Configure DNS
Configure DNS for the SQL Server cluster in your environment. In this example we have one SQL Server cluster, MySqlCluster.vmlab.local, running on port 1433 at cluster IP 192.168.8.133/4. The cluster is Active/Passive, with the SQL Server database engine running on the default instance of the first node.
For general information about how to configure DNS, see Managing DNS Records.
In this example we configured a DNS (A) record for the SQL Server cluster.
Note
Technically, because SQL Server SPNs include an instance name (if you are using the second named instance on the same computer), you can register the DNS host for the cluster as a CNAME alias and avoid the CNAME issue described in Appendix A: Kerberos configuration known issues (SharePoint Server 2010). However, if you choose to use CNAMEs, you have to register the SPN using the DNS (A) record host name, not the CNAME aliases.

Configure Active Directory
For SQL Server to authenticate clients using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. Service principal names for the SQL Server database engine use the following format for configurations that use the default instance and not a SQL Server named instance:
MSSQLSvc/<FQDN>:port
For more information about registering SPNs for SQL Server 2008, see Registering a Service Principal Name.
In our example we configured the SQL Server SPN on the SQL Server database engine service account (vmlab\svcSQL) with the following SetSPN command:
SetSPN -S MSSQLSvc/MySqlCluster.vmlab.local:1433 vmlab\svcSQL
SQL Server named instances
If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server Browser service. See the following articles for more information about configuring Kerberos authentication for named instances:
• Registering a Service Principal Name
• An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005
SQL aliases
As a best practice, when building your farm you should consider using SQL aliases for connections to your SQL Server computer. If you choose to use SQL aliases, the Kerberos SPN format for those connections does not change. You continue to use the registered DNS host name (A record) in the SPN for SQL Server. For example, if you register an alias SPFARMSQL for MySQLCluster.vmlab.local, the SPN when you are connecting to SPFarmSQL remains MSSQLSvc/MySQLCluster.vmlab.local:1433.
Verify SQL Server Kerberos configuration
When DNS and Service Principal Names are configured, you can reboot the computers that are running SharePoint Server and verify that SharePoint Server services now authenticate with SQL Server by using Kerberos authentication.
To verify the cluster configuration
1. Reboot the computers that are running SharePoint Server. This action restarts all services and forces them to reconnect and re-authenticate by using Kerberos authentication.
2. Open SQL Server Management Studio and run the following query:
Select
    s.session_id,
    s.login_name,
    s.host_name,
    c.auth_scheme
from
    sys.dm_exec_connections c
    inner join sys.dm_exec_sessions s
        on c.session_id = s.session_id
The query returns metadata about each session and connection. The session data helps identify the connection source, and the session information reveals the authentication scheme for the connection.
3. Verify that the SharePoint Server services are authenticating by using Kerberos authentication.

4. If Kerberos authentication is configured correctly, you see Kerberos in the auth_scheme column of the query results.
Create a test SQL Server database and test table
To test delegation across the various SharePoint Server service applications covered in the scenarios in this document, you have to configure a test data source for those services to access. In the final step of this scenario, you configure a test database called Test and a test table called Sales to be used later.
1. In SQL Server Management Studio, create a new database called Test. Keep the default settings when creating this database.
2. In the Test database, create a new table with the following schema:

Column Name | Data Type | Allow Nulls
Region | nvarchar(10) | No
Year | nvarchar(4) | No
Amount | money | No
RowId | int | No
3. Save the table with the name Sales.
4. In Management Studio, populate the table with test data. The data itself does not matter and does not affect the function of later scenarios. A few rows of data will suffice. In the example environment we populated the table with the following data:
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
Published: December 2, 2010
In this scenario you do the following things:
• Configure Analysis Services instances in the SQL Server 2008 R2 cluster to use Kerberos authentication
• Verify that the client can authenticate with the cluster by using Kerberos authentication
Enabling Kerberos authentication for SQL Server Analysis Services is similar to enabling it for SQL Server.
Note
If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X8000302 or 0x800030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)
Configuration checklist

Area of configuration | Description
Configure Active Directory | Create Service Principal Names (SPNs) for the Analysis Services instance
Verify SQL Kerberos Configuration | Connect to the Analysis Services instance in Excel 2010

Step-by-step configuration instructions
Configure Active Directory
For SQL Server Analysis Services to authenticate clients by using Kerberos authentication, you have to register a service principal name (SPN) on the service account that is running SQL Server. The SPN for a default Analysis Services instance uses the following format:
MSOLAPSvc.3/<FQDN>
If you are using a named instance of Analysis Services, note that you cannot specify a port after the colon; if you do, it is interpreted as part of the hostname or domain name. Instead, you must use the actual instance name for all functionality to work correctly:
MSOLAPSvc.3/<FQDN>:instancename
For more information about registering SPNs for SQL Server 2008, see http://support.microsoft.com/kb/170
This scenario assumes a default Analysis Services instance. We will configure the Analysis Services SPN on the Analysis Services service account (vmlab\svcSQLAS) with the following SetSPN command:
SetSPN -S MSOLAPSvc.3/MySqlCluster.vmlab.local vmlab\svcSQLAS
SQL Server named instances
If you use SQL Server named instances instead of the default instance, you have to register SPNs specific to the SQL Server instance and for the SQL Server Browser service. See the following articles for more information about configuring Kerberos authentication for named instances:
• Registering a Service Principal Name
• An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005
Verify SQL Server Kerberos configuration
Once the SPN is configured, verify the Kerberos connection to the cluster by using Excel 2010.
1. Open Excel 2010 on the client computer by using a domain account that has access to at least one database in the Analysis Services instance, and open a data connection to your Analysis Services instance by selecting the Data tab, clicking From Other Sources, and then clicking From Analysis Services.

2. In the Data Connection Wizard, type MySqlCluster in the Server name box, then click Next. If Kerberos authentication is working, you can see all the databases that you already have permission to see.
Note
To use the AdventureWorks 2008 R2 sample databases, download them from Microsoft SQL Server Community Projects & Samples and follow the installation instructions.
3. Open the event viewer on the database server (vmsql2k8r201). You should now be able to see an audit success in the security log similar to the one you see in the verification steps for Scenario 2, Kerberos authentication for SQL OLTP (SharePoint Server 2010).
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Published: December 2, 2010
In this scenario you configure a pair of load-balanced SQL Server Reporting Services (SSRS) servers in a scaled-out configuration running in SharePoint integrated mode. The servers are configured to accept Kerberos authentication, and they delegate authentication to a back-end SQL Server cluster.
In this scenario, the SharePoint Server farm and the Reporting Services data source are both in the same domain; therefore, in this scenario we configure Kerberos constrained delegation to allow identity delegation to the back-end data source. If you are required to authenticate with data sources in other domains within the same forest, you have to configure basic (unconstrained) Kerberos delegation. Remember that Reporting Services does not leverage the C2WTS and therefore can use basic delegation.

Note
If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X8000302 or 0x800030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)

Scenario dependencies
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP
• (Optional) Scenario 3: Kerberos Authentication for SQL Analysis Services
Configuration checklist

Area of configuration | Description
Active Directory | Create the SSRS service account; Configure Kerberos constrained delegation
SQL Server Reporting Services | Install and configure SSRS in load-balanced scale-out mode; Modify Web.Config; Modify ReportingServer.config
Configure SharePoint Server | Configure Reporting Services integration; Add a report server to the integration; Set server defaults
Verify configuration | Create a document library for reports; Configure site collection settings for Reporting Services; Create and publish a test report in SQL Server Business Intelligence Studio; View the test report in Internet Explorer

Scenario environment details
[Diagram: application pool identities and Kerberos delegation paths for this scenario]

In this scenario the Internet Information Services (IIS) application pool service accounts are configured to delegate to the SQL Server Reporting Services (SSRS) service. The SSRS service account is configured to delegate credentials to the SQL Server service. Note that SQL Server Reporting Services in SharePoint integrated mode does not leverage intra-farm Claims authentication and requires Kerberos authentication for delegated authentication. For more information, see Claims Authentication and Reporting Services.

Cross-domain Kerberos delegation
In this example the data source that SSRS connects to resides in the same domain as the SSRS servers. In some situations you may want to access data sources outside of the domain that SSRS resides in. To authenticate with delegation cross-domain, you have to configure basic (unconstrained) delegation on the SSRS service account. Remember that this is possible because the SSRS service does not rely on the Claims to Windows Token Service (C2WTS) and therefore does not require protocol transition through Kerberos constrained delegation. Also note that cross-forest delegation is not possible, even with basic delegation.
Step-by-step configuration instructions
Configure DNS
Configure DNS for the SSRS NLB server group in your environment. In this example we have two SSRS servers, VMSSRS01 and VMSSRS02, which are load-balanced and resolve to the same NLB VIP (192.168.24.180/24). The VIP will be mapped to the host FarmReports and will have the URL http://FarmReports.
For general information about how to configure DNS, see Managing DNS Records.
Configure a new DNS A record for the SSRS host. In this example we have a host FarmReports configured to resolve to the load-balanced VIP.

Active Directory directory service
Create SSRS service account
As a best practice, SQL Server Reporting Services should run under its own domain identity. In this example the following accounts were created:

Service                          Service Identity
SQL Server Reporting Services    vmlab\svcSQLRS
Configure Service Principal Names
For SSRS to connect and authenticate with external data sources using Kerberos authentication, the Report Server Web Service and Report Manager service accounts and the service account for the external data source must have service principal names configured. Refer to scenarios 1 and 2 (Core configuration and Kerberos authentication for SQL OLTP) in this series of articles to configure and validate the necessary SPNs on the SharePoint Server web applications and SQL Server service accounts. For the SSRS servers the following SPNs were defined:

DNS Host                   IIS App Pool Identity   Service Principal Names
FarmReports.vmlab.local    vmlab\svcSQLRS          HTTP/FarmReports
                                                   HTTP/FarmReports.vmlab.local

In this example the following commands were executed:
SetSPN -S HTTP/FarmReports vmlab\svcSQLRS
SetSPN -S HTTP/FarmReports.vmlab.local vmlab\svcSQLRS
Configure delegation
Kerberos delegation must be configured for SSRS to delegate the client's identity to the back-end data source. In this example SSRS queries data from a SQL Server transactional database by using the client's identity; therefore Kerberos delegation is required. Kerberos constrained delegation (KCD) is not a requirement in this scenario (because protocol transition is not needed), but KCD is configured as a best practice.
The SSRS service account that is running the SSRS services must be trusted to delegate credentials to each back-end service. In our example the following delegation paths are needed:

Principal type   Principal name           Delegates to service
User             vmlab\svcPortal10App     HTTP/FarmReports
                                          HTTP/FarmReports.vmlab.local
User             vmlab\svcSQLRS           MSSQLSvc/MySqlCluster.vmlab.local:1433

Optionally, if you wish to report against Analysis Services data sources, configure the following delegation paths:

Principal type   Principal name           Delegates to service
User             vmlab\svcSQLRS           MSOLAPSvc.3/MySqlCluster.vmlab.local

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.
3. Select Trust this user for delegation to specified services only.
Note
For the SSRS service account, if you need to authenticate with data sources within the same forest but outside of the domain that the SSRS server resides in, configure basic delegation instead of constrained delegation. You can do this by selecting Trust this computer for delegation to any service. Remember that cross-forest Kerberos delegation is not possible.
4. Optionally, select Use any authentication protocol. This enables protocol transition.
5. Click the Add button to select the service principal that can be delegated to.
6. Select Users and Computers.

7. Select the service account that is running the service you want to delegate to. In this example it is the service account for the SQL Server Reporting Services service.
Note
The service account selected must have an SPN applied to it. In our example the SPN for this account (HTTP/FarmReports.vmlab.local) was configured earlier in the scenario.
8. Click OK. You are then asked to select the SPNs you want to delegate to on the following page.

9. Select the service, or Select All, and click OK.
You should now see the selected SPNs in the services to which this account can present delegated credentials list.
10. Repeat these steps for each delegation path identified earlier in this section. You have to configure delegation from the SQL Server Reporting Services service account to one or more back-end data sources (SQL OLTP or SQL AS in our scenarios).
Note
For the SSRS service account, if you need to authenticate with data sources within the same forest but outside of the domain the SSRS server resides in, configure basic delegation instead of constrained delegation. To do so, select Trust this computer for delegation to any service. Remember that cross-forest Kerberos delegation is not possible.
Verify MSSQLSVC SPN for the service account running the service on SQL Server (performed in Scenario 2)
Verify that the SPN for the SQL Server service account (vmlab\svcSQL) exists by using the following SetSPN command:
SetSPN -L vmlab\svcSQL
You should see the following:
MSSQLSvc/MySqlCluster
MSSQLSvc/MySqlCluster.vmlab.local:1433
Verify MSOLAPSvc.3 SPN for the service account running the SSAS service on the SQL Server Analysis Services server (performed in Scenario 3)
Verify that the SPN for the Analysis Services service account (vmlab\svcSQLAS) exists by using the following SetSPN command:
SetSPN -L vmlab\svcSQLAS
You should see the following:
MSOLAPSvc.3/MySqlCluster
MSOLAPSvc.3/MySqlCluster.vmlab.local
SQL Server Reporting Services
Install SharePoint Server 2010
SQL Server Reporting Services requires SharePoint Server 2010 to be installed on each SSRS server to run SSRS in SharePoint integrated mode. Install SharePoint Server 2010 on each reporting server and join each server to the SharePoint Server farm.
Install and configure SSRS in load-balanced, scaled-out mode
Detailed step-by-step instructions on how to configure SQL Server Reporting Services in a load-balanced, scaled-out configuration are beyond the scope of this document. For detailed instructions on how to install SSRS, see Deployment Topologies for Reporting Services in SharePoint Integrated Mode. Once SSRS is installed, be sure to complete the additional SSRS configuration steps outlined below to complete the install.
Modify Web.config on the SSRS servers
The following changes have to be made to the web.config files on each SSRS server. The web.config file can be found in the Program Files directory where SSRS is installed.
Add the machineKey element
SSRS servers in a load-balanced configuration need the same machine key set across all servers. The machineKey element should be added as a child of the <system.web> element in web.config. Below is an example machine key:

<machineKey validationKey="54A58038C8376588403i47C858i86C0A55i8034A65A63i46760088C3877i7C656353807A778048358538A435467545054553" decryptionKey="" validation="SHA1" decryption="AES" />

Important
DO NOT USE THE SAMPLE MACHINE KEY IN YOUR ENVIRONMENT. Generate your own key values for your environment.
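One way to follow that instruction with a script rather than by hand, as an added PowerShell example that is not part of the whitepaper: generate random keys with the CSP random generator and write a machineKey element under <system.web> in a web.config. The function names and the web.config path are assumptions; the key sizes (64 bytes for a SHA1 validationKey, 32 bytes for an AES decryptionKey) are the standard ASP.NET sizes.

```powershell
# Added example (not from the whitepaper): generate a fresh machineKey and write it into an
# SSRS web.config as a child of <system.web>, so the sample key above never reaches a server.
# Key sizes follow the ASP.NET defaults: 64 random bytes (128 hex characters) for an SHA1
# validationKey and 32 bytes (64 hex characters) for an AES decryptionKey. Generate the keys
# once and apply the same pair on every node of the load-balanced SSRS group.
function New-RandomHexKey {
    param([Parameter(Mandatory=$true)][int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Set-SsrsMachineKey {
    param(
        [Parameter(Mandatory=$true)][string]$WebConfigPath,
        [Parameter(Mandatory=$true)][string]$ValidationKey,
        [Parameter(Mandatory=$true)][string]$DecryptionKey
    )
    [xml]$config = Get-Content -Path $WebConfigPath
    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if ($systemWeb -eq $null) { throw "No <system.web> element found in $WebConfigPath" }

    # Reuse an existing machineKey element if there is one, otherwise add it.
    $machineKey = $systemWeb.SelectSingleNode('machineKey')
    if ($machineKey -eq $null) {
        $machineKey = $config.CreateElement('machineKey')
        [void]$systemWeb.AppendChild($machineKey)
    }
    $machineKey.SetAttribute('validationKey', $ValidationKey)
    $machineKey.SetAttribute('decryptionKey', $DecryptionKey)
    $machineKey.SetAttribute('validation', 'SHA1')
    $machineKey.SetAttribute('decryption', 'AES')

    # Keep a copy of the original file before saving the change.
    Copy-Item -Path $WebConfigPath -Destination ($WebConfigPath + '.bak') -Force
    $config.Save($WebConfigPath)
}

$validationKey = New-RandomHexKey -ByteLength 64
$decryptionKey = New-RandomHexKey -ByteLength 32

# Placeholder path (assumption): substitute the web.config under the Program Files directory
# where SSRS is installed, and run the same call with the same two keys on each SSRS node.
Set-SsrsMachineKey -WebConfigPath 'C:\PATH\TO\SSRS\ReportServer\web.config' `
                   -ValidationKey $validationKey -DecryptionKey $decryptionKey
```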

Modify ReportingServer.config
The following changes have to be made to the ReportingServer.config files on each SSRS server. The ReportingServer.config file can be found in the Program Files directory where SSRS is installed.
Enable Kerberos authentication
To enable Kerberos authentication, set the authentication type to RSWindowsNegotiate. Change the <AuthenticationTypes/> element and add <RSWindowsNegotiate/>:

<AuthenticationTypes> <RSWindowsNegotiate/> </AuthenticationTypes>

Modify the URL root
Add the URL for the report server to the <UrlRoot> tag found in the <Service> tag of ReportingServer.config:

<UrlRoot>http://FarmReports/reportserver</UrlRoot>


Configure BackConnectionHostNames in the registry
To allow the SQL Server Reporting Services components on a single computer to authenticate with each other, NTLM loopback detection needs to be addressed. Instead of disabling loopback detection, a better practice is to configure the BackConnectionHostNames value in the registry of each SSRS server. For more information about BackConnectionHostNames, see You receive an error message when you use SQL Server 2008 Reporting Services.
In our example we configure the following values for BackConnectionHostNames:
• FarmReports
• FarmReports.vmlab.local
Once the BackConnectionHostNames values are set, reboot the SSRS server.
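The registry change above, scripted so it can be repeated identically on each SSRS node, as an added PowerShell example that is not part of the whitepaper. The function name is an assumption; the key path under LSA\MSV1_0 is the documented location of this REG_MULTI_SZ value.

```powershell
# Added example (not from the whitepaper): register the load-balanced names in
# BackConnectionHostNames on the local SSRS server. The value is a REG_MULTI_SZ under the
# documented LSA\MSV1_0 key; the function merges the new names with whatever is already
# there instead of overwriting it. Run elevated on each SSRS node, then reboot.
function Add-BackConnectionHostName {
    param([Parameter(Mandatory=$true)][string[]]$HostName)

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $valueName = 'BackConnectionHostNames'

    $existing = @()
    $value = (Get-Item -Path $keyPath).GetValue($valueName)   # $null if not yet created
    if ($value) { $existing = @($value | Where-Object { $_ }) }

    # Host names are case-insensitive; normalise so duplicates collapse.
    $merged = @(($existing + $HostName) | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique)

    if ($existing.Count -eq 0) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType MultiString `
                         -Value ([string[]]$merged) | Out-Null
    } else {
        Set-ItemProperty -Path $keyPath -Name $valueName -Type MultiString -Value ([string[]]$merged)
    }
    return $merged
}

# The two names used in this scenario; the returned list is the full value now stored.
Add-BackConnectionHostName -HostName 'FarmReports', 'FarmReports.vmlab.local'
```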
Configure SharePoint Server
In Central Administration you find the farm configuration options for SSRS. Note that in SharePoint Server 2010 you do not need to install a separate SSRS component installation for SSRS administration and Web Parts. To access the SSRS farm options, navigate to Central Administration and then see Reporting Services in the General Application Settings section.

Grant the Reporting Services service account permissions on the web application content database
A required step in configuring SQL Server Reporting Services in SharePoint integrated mode is allowing the Reporting Services service account access to the content databases for web applications hosting reports. In this example we grant the Reporting Services account access to the portal web application's content database through Windows PowerShell.
Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcSQLRS")
Configure Reporting Services Integration
In the Reporting Service Integration dialog box, specify the load-balanced URL of the report server. Also select the Activate feature in all existing collections option to automatically activate the Reporting Services feature in your site collections.

Add each report server to the integration
In the Add a report server to the integration dialog box, specify each of the nodes of the Reporting Services NLB group. You have to open this dialog box for each server that you are adding to the integration; there is no way to add multiple servers in a single operation.

Set server defaults
At this point SSRS integration should be configured. To validate the configuration, open the Server Defaults page. No changes are required for the example in this document.
Verify configuration
Create a document library for reports
Create a document library to host SSRS reports in your SharePoint site. In this example we assume the existence of a document library called reports at http://portal/reports.
Validate site collection settings for Reporting Services
In the browser, navigate to the Site Settings of the site that is hosting the document library for SSRS reports. In Site Settings you should see a new category called Reporting Services.

If you do not see the Reporting Services feature in the site collection's features list, you may need to activate it from Central Administration. For more information, see How to: Activate the Report Server Feature in SharePoint Central Administration (http://go.microsoft.com/fwlink/?LinkId=196878).
Click the Reporting Services site settings link to ensure the settings are accessible.
Note
No changes to the Reporting Services Site Settings are required for this demonstration.

Create and publish a test report in SQL Server Business Intelligence Development Studio
After you configure SSRS and the integration with SharePoint Server, you create a test report to ensure identity delegation is working correctly.
1. Open SQL Server Business Intelligence Development Studio. Click File, point to New, and then click Project.

2. Select Report Server Project Wizard and enter a project name.
3. Next, configure a new data source. Choose the type Microsoft SQL Server and click the Edit button.
4. In Connection Properties, enter the information to connect to the demo SQL Server cluster created in scenario 2.
5. Open the query designer, right-click the query window and select Add table.
6. Choose the Sales table (created in scenario 2) and select All Columns.
7. Select a tabular report type.
8. In our example we group by region; you can skip this step if you want to.
9. Once the project is created, open the project properties on the Project menu.
10. Configure the following project properties:
a) TargetDataSourceFolder: set it to the test report folder created earlier.
b) TargetDataSetFolder: set it to the test report folder created earlier.
c) TargetReportFolder: set it to the test report folder created earlier.
d) TargetReportPartFolder: set it to the test report folder created earlier.
e) TargetServerURL: set it to the web application URL that is hosting the report.
11. Deploy the report to the SharePoint library. On the Build menu, select Deploy "project name".

12. If it is successful, you will see the deployment succeeded message in the Output window.
View the test report in Internet Explorer
Open the report document library created in previous steps of this scenario in the browser. You should see the report file you just published. If you do not see the report, you may need to activate the Reporting Services features in your site collection. For more information, see How to: Activate the Report Server Feature in SharePoint Central Administration (http://go.microsoft.com/fwlink/?LinkId=196878).

Click the report and it will render in the browser.
To further verify delegation and the data connection, change the source data in SQL Server Management Studio and refresh the SSRS report data connection in the browser. You should see the data changes reflected in the report.
SSL configuration for Reporting Services
In some environments it may be required to protect communications between front-end web and SSRS servers with SSL. A detailed walkthrough of how to configure SSL for Reporting Services is out of scope for this paper, but at a high level these are the steps you have to take:
1. Configure each reporting server for SSL. See Configuring a Report Server for Secure Sockets Layer (SSL) Connections (http://go.microsoft.com/fwlink/?LinkId=196881).
2. Update ReportingServer.config. Change the <UrlRoot> to the new https:// URL.
3. Restart the SQL Server Reporting Services service.
4. In Central Administration, change the Reporting Services integration settings and change the Report Server Web Service URL to the new https:// URL.
5. Restart IIS on each instance of SharePoint Server that is running the web application service.
You do not need to change any of the SPNs created when configuring Reporting Services with HTTP in the previous steps. The SPN for an HTTP service over SSL remains HTTP/service. You can see this by using NetMon to view the front-end web server that is communicating with the Reporting Services server.

Notice the ticket-granting service request highlighted and the Sname requested. The reporting server service was accessed using https:// and the Sname in the ticket request remained HTTP/ as expected. To ensure the WFE was actually using SSL to communicate with the reporting server, additional traffic was captured and analyzed.

Notice that all requests from the WFE to the reporting server are protected over SSL. This confirms SSL was used for communications between the web front ends and the reporting server.
Identity delegation for Excel Services (SharePoint Server 2010)
Published: December 2, 2010
In this scenario you add the Excel Services service application to the SharePoint Server environment and configure Kerberos constrained delegation to allow the service to refresh data in a worksheet from an external SQL Server data source.

Note
If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0x80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)
Scenario dependencies
To complete this scenario you need to have completed the following articles:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP
Configuration checklist

Area of configuration                          Description
Active Directory configuration                 Create Excel Services service account
                                               Configure SPN on Excel Services service account
                                               Configure Kerberos constrained delegation for servers running Excel Services
                                               Configure Kerberos constrained delegation for the Excel Services service account
SharePoint Server configuration                Start Claims to Windows Token Service on Excel Services servers
                                               Start the Excel Services service instance on the Excel Services server
                                               Create the Excel Services service application and proxy
                                               Configure Excel Services trusted file location and authentication settings
Verify Excel Services constrained delegation   Create document library to host test workbook
                                               Create test SQL database and test table
                                               Create test Excel workbook with SQL data connection
                                               Publish workbook to SharePoint Server and refresh data connection

Scenario environment details
Kerberos constrained delegation paths

In this scenario we will configure the SharePoint Server Excel Services service account for Kerberos constrained delegation to the SQL Server service.

Note
In this scenario we will configure the Claims to Windows Token Service (C2WTS) to use a dedicated service account. If you leave the C2WTS configured to use Local System, you will need to configure constrained delegation on the computer account for the computer running the C2WTS and Excel Services.

SharePoint Server logical authentication

Authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 will convert the Windows authentication token into a claims token using the local Security Token Service (STS). The Excel service application will accept the claims token and convert it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Foundation (WIF). The Excel service application will then use the client's Kerberos ticket to authenticate with the back-end data source.

Step-by-step configuration instructions
Active Directory configuration
Create Excel Services service account
As a best practice, Excel Services should run under its own domain identity. To configure the Excel Services service application, an Active Directory account must be created. In this example the following accounts were created:

SharePoint Server Service    IIS App Pool Identity
Excel Services               vmlab\svcExcel

Configure SPN on the Excel Services service account
Kerberos constrained delegation must be configured if Excel Services is going to delegate the client's identity to a back-end data source. In this example Excel Services will query data from a SQL transactional database; therefore Kerberos delegation is required.
The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name applied; otherwise the Delegation tab for the object will not be visible in the object's properties dialog. Although Excel Services does not require an SPN to function, we will configure one for this purpose.
On the command line, run the following command:
SETSPN -S SP/ExcelServices vmlab\svcExcel

Note
The SPN is not a valid SPN. It is applied to the specified service account to reveal the delegation options in the AD Users and Computers add-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute), but this topic will not be covered in this document.

Configure Kerberos constrained delegation for Excel Services
To allow Excel Services to delegate the client's identity, Kerberos constrained delegation must be configured. It is required to configure constrained delegation with protocol transition for the conversion of the claims token to a Windows token via the WIF C2WTS.
Each server running Excel Services must be trusted to delegate credentials to each back-end service Excel will authenticate with. In addition, the Excel Services service account must also be configured to allow delegation to the same back-end services.
In our example the following delegation paths are defined:

Principal Type   Principal Name   Delegates To Service
User             svcExcel         MSSQLSvc/MySqlCluster.vmlab.local:1433
*User            svcC2WTS         MSSQLSvc/MySqlCluster.vmlab.local:1433
**Computer       VMSP10APP01      MSSQLSvc/MySqlCluster.vmlab.local:1433
* Configured later in this scenario
** Only required if the C2WTS is running as Local System


To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and Computers.
2. Navigate to the Delegation tab.
3. Select Trust this user for delegation to specified services only.
4. Select Use any authentication protocol. This enables protocol transition and is required for the service account to use the C2WTS.
5. Click the Add button to select the service principal allowed to delegate to.
6. Select Users and Computers.

7. Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL service.
Note
The service account selected must have an SPN applied to it. In our example the SPN for this account was configured in a previous scenario.
8. Click OK. You will then be asked to select the SPNs you would like to delegate to in the following window.

9. Select the services for the SQL cluster and click OK.
10. You should now see the selected SPNs in the services to which this account can present delegated credentials list.
11. Repeat these steps for each delegation path defined at the beginning of this section.
Verify MSSQLSVC SPN for the service account running the service on the SQL Server (performed in Scenario 2)
Verify that the SPN for the SQL Server service account (vmlab\svcSQL) exists with the following SetSPN command:
SetSPN -L vmlab\svcSQL
You should see the following:
MSSQLSvc/MySqlCluster
MSSQLSvc/MySqlCluster.vmlab.local:1433
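Both the SSRS delegation steps earlier in this document and the Excel Services delegation steps just completed end with a manual check of the Delegation tab. As an added PowerShell example that is not part of the whitepaper, the following reads the same settings back from Active Directory for every account in the two scenarios and flags unconstrained delegation or a delegation target that was not in the tables above. It assumes the ActiveDirectory module (RSAT) is available; the function name, the report shape and the expected-path table are mine, built from the delegation paths listed in this document.

```powershell
# Added example (not from the whitepaper): audit the delegation configuration of the service
# accounts used in the SSRS scenario (svcPortal10App, svcSQLRS) and the Excel Services
# scenario (svcExcel, svcC2WTS and the VMSP10APP01 computer account). For each account it
# reports the delegation mode, whether protocol transition is on, and any target that is
# missing from or absent in the expected list, so that an unconstrained account or a stray
# delegation target is visible before it becomes a problem.
Import-Module ActiveDirectory

# Documented userAccountControl flag values
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service"
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationReport {
    param(
        # Keys are sAMAccountNames (computer accounts end in '$'); values are the SPNs
        # the account is expected to delegate to.
        [Parameter(Mandatory=$true)][hashtable]$ExpectedPaths
    )
    foreach ($name in $ExpectedPaths.Keys) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" `
                   -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
        if (-not $obj) { Write-Warning "Account '$name' not found"; continue }

        $uac      = [int]$obj.userAccountControl
        $targets  = @($obj.'msDS-AllowedToDelegateTo')
        $expected = @($ExpectedPaths[$name])

        $mode = 'None'
        if ($targets.Count -gt 0) { $mode = 'Constrained' }
        if ($uac -band $UAC_TRUSTED_FOR_DELEGATION) { $mode = 'Unconstrained' }

        $findings = @()
        if ($mode -eq 'Unconstrained') {
            $findings += 'Account may delegate to ANY service; the paper needs this only for cross-domain SSRS data sources'
        }
        foreach ($t in $targets)  { if ($expected -notcontains $t) { $findings += "Unexpected delegation target: $t" } }
        foreach ($e in $expected) { if ($targets -notcontains $e)  { $findings += "Expected target missing: $e" } }

        New-Object PSObject -Property @{
            Account            = $name
            ObjectClass        = $obj.ObjectClass
            DelegationMode     = $mode
            ProtocolTransition = [bool]($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)
            DelegatesTo        = $targets
            OwnSPNs            = @($obj.servicePrincipalName)
            Findings           = $findings
        }
    }
}

# Delegation paths as defined in the two scenarios above. The computer account entry only
# applies when the C2WTS runs as Local System; drop it otherwise.
$paths = @{
    'svcPortal10App' = @('HTTP/FarmReports', 'HTTP/FarmReports.vmlab.local')
    'svcSQLRS'       = @('MSSQLSvc/MySqlCluster.vmlab.local:1433', 'MSOLAPSvc.3/MySqlCluster.vmlab.local')
    'svcExcel'       = @('MSSQLSvc/MySqlCluster.vmlab.local:1433')
    'svcC2WTS'       = @('MSSQLSvc/MySqlCluster.vmlab.local:1433')
    'VMSP10APP01$'   = @('MSSQLSvc/MySqlCluster.vmlab.local:1433')
}
Get-DelegationReport -ExpectedPaths $paths |
    Format-List Account, ObjectClass, DelegationMode, ProtocolTransition, DelegatesTo, Findings
```

An empty Findings list for every account means the directory matches the delegation tables in this document; ProtocolTransition should be True for svcExcel and svcC2WTS, which need it for the C2WTS, and may be False for the SSRS accounts.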
SharePoint Server configuration
Configure and start the Claims to Windows Token Service on Excel Services servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claims tokens to Windows tokens. Excel Services uses the C2WTS to convert the user's claims token into a Windows token when the service needs to delegate credentials to a back-end system which uses Integrated Windows authentication. WIF is deployed with SharePoint Server 2010, and the C2WTS can be started from Central Administration.
Each Excel Services application server must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity.
As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on, so be sure to configure these permissions each time the service is started on a server. Optimally you should configure the service account's permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).
To start the C2WTS
1. Create a service account in Active Directory to run the service under. In this example we created vmlab\svcC2WTS.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended not to use an HTTP SPN, to avoid potentially creating duplicate SPNs in your environment. In our example we registered SP/C2WTS to vmlab\svcC2WTS using the following command:
SetSPN -S SP/C2WTS vmlab\svcC2WTS
3. Configure Kerberos constrained delegation on the C2WTS service account. In this scenario we will delegate credentials to the SQL service running with the MSSQLSvc/MySqlCluster.vmlab.local:1433 service principal name.
4. Next, configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on. In our example this is VMSP10APP01. Log onto the server and give the C2WTS the following permissions:
a) Add the service account to the local Administrators group.
b) In local security policy (secpol.msc), under User Rights Assignment, give the service account the following permissions:
i. Act as part of the operating system
ii. Impersonate a client after authentication
iii. Log on as a service
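Step 4 has to be repeated on every server that runs the C2WTS, so as an added PowerShell example that is not part of the whitepaper, here is the same change applied with secedit and net localgroup. The function name and the temporary working folder are assumptions; the three privilege constants are the standard names behind the user rights listed in step 4b.

```powershell
# Added example (not from the whitepaper): apply step 4 (local Administrators membership and
# the three user rights) to the C2WTS service account with secedit, so the same change can be
# repeated on every server that runs the C2WTS (VMSP10APP01 in this example). secedit
# /configure replaces a right's assignee list, so the current assignees are exported first
# and the account's SID is merged in rather than overwriting them. Run in an elevated prompt.
function Grant-C2wtsLocalRights {
    param([Parameter(Mandatory=$true)][string]$Account)   # e.g. 'vmlab\svcC2WTS'

    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rights = @('SeTcbPrivilege',          # Act as part of the operating system
                'SeImpersonatePrivilege',  # Impersonate a client after authentication
                'SeServiceLogonRight')     # Log on as a service

    $work = Join-Path $env:TEMP 'c2wts-rights'   # scratch folder (assumption)
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $exported = Join-Path $work 'current.inf'
    secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null

    # Current assignees per right; secedit writes SIDs as *S-1-... and names as plain text.
    $current = @{}
    foreach ($line in (Get-Content $exported)) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $current[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }

    # Build a minimal security template that only touches the three rights.
    $inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($r in $rights) {
        $assignees = @($current[$r])
        if ($assignees -notcontains "*$sid") { $assignees += "*$sid" }
        $inf += "$r = " + ($assignees -join ',')
    }
    $applyInf = Join-Path $work 'apply.inf'
    $inf | Set-Content -Path $applyInf -Encoding Unicode
    secedit /configure /db (Join-Path $work 'apply.sdb') /cfg $applyInf /areas USER_RIGHTS | Out-Null

    # Step 4a: local Administrators membership (skipped if already a member).
    if (-not (net localgroup Administrators | Select-String -SimpleMatch $Account)) {
        net localgroup Administrators $Account /add | Out-Null
    }
}

Grant-C2wtsLocalRights -Account 'vmlab\svcC2WTS'
```

Afterwards, the Dependencies and Log On tabs in services.msc, or secpol.msc under User Rights Assignment, show the account against the three rights; as the text says, restart the C2WTS if it was already running when the rights were granted.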
5. Open Central Administration.
6. Under Security, Configure Managed Service Accounts, register the C2WTS service account as a managed account.

7. Under Services, select Manage services on server.

8. In the server selection box in the upper right hand corner, select the server(s) running Excel Services. In this example it is VMSP10APP01.

9. Find the Claims to Windows Token Service and start it.


10. Go to Security, Manage Service Accounts. Change the identity of the C2WTS to the new managed account.
Note
If the C2WTS was already running before configuring the dedicated service account, or if you need to change the permissions of the service account after the C2WTS is running, you must restart the C2WTS from the services console.
In addition, if you experience issues with the C2WTS after restarting the service, it may also be required to reset the IIS application pools that communicate with the C2WTS.
Add startup dependencies to the WIF C2WTS service
There is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service.

1. Open the Command Prompt window.
2. Type sc config c2wts depend= CryptSvc (sc requires the space after depend=).

3. Find the Claims to Windows Token Service in the services console.
4. Open the properties for the service.

5. Check the Dependencies tab. Make sure Cryptographic Services is listed.

6. Click OK.
Grant the Excel Services service account permissions on the web application content database
A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application's service account access to the content databases for a given web application. In this example we will grant the Excel Services service account access to the "portal" web application's content database by using Windows PowerShell.
Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcExcel")
Start the Excel Services service instance on the Excel Services server
Before creating an Excel Services service application, start the Excel Services service on the designated farm servers.
1. Open Central Administration.
2. Under Services, select Manage services on server.



3. In the server selection box in the upper right hand corner, select the server(s) running Excel Services. In this example it is VMSP10APP01.
4. Start the Excel Calculation Services service.
Create the Excel Services service application and proxy
Next, configure a new Excel Services service application and application proxy to allow web applications to consume Excel Services.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.

3. Select New and then click Excel Services Application.

4. Configure the new service application. Be sure to select the correct service account (create a new managed account if the Excel Services service account is not in the list).
dentity deIegation for ceI Services (SharePoint Server 2010)
13


Configure Excel Services trusted file location and authentication
settings
Once the Excel Services application is created, configure the properties on the new
service application to specify a trusted host location and authentication settings.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Click the link for the new service application, Excel Services in this example.
4. In the Excel Services management page, click Trusted File Locations.
5. Add a new trusted file location.
6. Specify the location of your test library.

Note
In our example we trust the root web application URL and all children. In a production
environment you may choose to constrain the trust to a more granular location.
7. In External Data, select Trusted data connection libraries and embedded.

Note
This example will use an embedded connection to connect to SQL Server. In your
environment you may choose to create a separate connection file and store it in a
trusted data connection library. In that case you might select Trusted data connection
libraries only.
8. Change the External Data Cache Age. For testing purposes it is convenient to
change the external data cache lifetime to ensure data refreshes are coming from
the data source and not the cache. Under External Data, change the following
settings:

Automatic refresh (periodic / on-open): 0
Manual refresh: 0
Note
In a production environment you will want to configure a cache setting higher than 0.
Setting the cache to 0 is for testing purposes only.
Verify Excel Services constrained delegation
Create document library to host the test workbook
Open a site in the trusted path that was configured in the previous step. Create a new
document library to host a test Excel workbook.

Create test Excel workbook with SQL data connection
Next, create an Excel workbook with a data connection to the new test database.
1. Open Excel.
2. On the Data tab, select From other sources, then From SQL Server.
3. Connect to the test SQL data source.
4. Select the test database and the test table (Sales in our example).
5. Click Next. Click the authentication settings button. Ensure Windows Authentication
is specified.
6. Click Finish.
7. Select PivotTable Report.
8. Configure the pivot table. Ensure data is returned from the SQL source.

Publish workbook to SharePoint Server and refresh data connection
The last step to validate the Excel Services application is to publish the workbook and
test refreshing the embedded SQL connection.
1. Click the File tab.
2. Click Save and Send, then click Save to SharePoint, and then click Browse for a
location.
3. Enter the location of the trusted library created in previous steps.
4. Ensure Open with Excel in the browser is selected.
A new browser window will open at this point with your test workbook displayed.
Once the workbook renders, refresh the data connection by clicking Data and then
clicking Refresh All Connections.
If the data connection refreshes, you have successfully configured Kerberos delegation
for Excel Services. To further test connectivity, change the source data via SQL Server
Management Studio, then refresh the connection. You should see the newly changed
data in your workbook. If you do not see any changes and you do not receive any errors
on refresh, you are most likely seeing cached data. By default, Excel Services will cache
data from external sources for five minutes. You can change this cache setting; see
Configure Excel Services trusted file location and authentication settings in this article for
more information.

Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Published December 2, 2010
The farm topology described in Environment and farm topology does not require
Kerberos authentication for PowerPivot for Microsoft SharePoint 2010 to work. The
PowerPivot System Service is claims aware and uses the Claims to Windows Token
Service (C2WTS) to recreate the client's Windows identity from the client's claims token
in order to connect with the Analysis Services VertiPaq engine that runs on the
application server.
When a PowerPivot workbook is uploaded to SharePoint Server, it already contains the
PowerPivot data that the workbook uses. When the user opens the PowerPivot
workbook in Excel Web Access and interacts with the slicers, the PowerPivot System
Service loads the data in the workbook directly into its Analysis Services engine; no
access is made to the data connection embedded in the workbook.

When a data refresh job for a PowerPivot workbook starts executing, the PowerPivot
System Service performs a Windows logon using the credentials stored in the SharePoint
Server Secure Store Service. Since the Windows identity is created on the application
server, the connection from the PowerPivot Analysis Services VertiPaq engine (on the
same computer, VMSP10APP01) to MySQLCluster is the first NTLM hop.

Note
If you are installing on Windows Server 2008 you may have to install the following
hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used (http://support.microsoft.com/kb/969083)
Scenarios requiring Kerberos authentication
As you can see from the discussion above, most common situations with PowerPivot do
not require Kerberos authentication. However, there are some unusual edge cases
where Kerberos authentication would be required. For example, if your PowerPivot
workbook contains a data connection to a SQL Server instance that is linked to yet
another SQL Server instance on a separate computer, you will need to configure
Kerberos authentication with identity delegation for data refresh to work. For example,
if MySQLCluster is linked to another remote SQL Server instance, then the link from
MySQLCluster to the linked remote server is the second hop. In this case NTLM is no
longer adequate. You must configure Kerberos delegation for the data refresh to
process successfully.
While they are outside the scope of the scenarios defined in this paper, the major steps
to configure identity delegation for PowerPivot are as follows:
1. Change the service account of the C2WTS Windows service to a domain account
(e.g. VMLAB\svcC2WTS). Configuring the C2WTS is a large topic and is covered in
detail in the other scenarios in this document:
• Configure and Start the Claims to Windows Token Service on Excel Services
Servers
• Configure and Start the Claims to Windows Token Service on Visio Graphics
Servers
• Configure and Start the Claims to Windows Token Service on PerformancePoint
Services Servers
2. Configure delegation from the VMLAB\svcSQL account to the SPN for the linked SQL
Server instance.
Configuration checklist

Area of configuration     Description
PowerPivot installation   Install SQL Server PowerPivot for SharePoint on the
                          application server

Scenario dependencies
Strictly speaking, the following Kerberos authentication scenarios are not required by
PowerPivot for SharePoint. However, it expedites your PowerPivot for SharePoint
installation process if you have successfully completed them, as the components themselves
are prerequisites for PowerPivot for SharePoint:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP
• (Optional) Scenario 3: Kerberos Authentication for SQL Analysis Services
• Scenario 5: Identity Delegation for Excel Services
Configuration instructions
Install PowerPivot for SharePoint on the application server (vmsp10app01). For detailed
instructions, see How to: Install PowerPivot for SharePoint in a Three-tier SharePoint
Farm in the MSDN Library online. If you have already performed the dependent
scenarios in this paper, you can skip the sections in the MSDN article that have already
been covered by the scenario dependencies.

Important
The application pool for the SQL Server PowerPivot Service Application must be run
using the domain account of the SharePoint Server farm administrator. In no other user
context can the PowerPivot System Service retrieve the unattended account credentials
from the Secure Store Service.

Identity delegation for Visio Services (SharePoint Server 2010)
Published December 2, 2010
In this scenario you add a Visio Services service application to the SharePoint Server
environment and configure Kerberos constrained delegation to allow the service to
refresh data from an external SQL Server data source in a Visio web drawing.

Note
If you are installing on Windows Server 2008 you may have to install the following
hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used (http://support.microsoft.com/kb/969083)
Scenario dependencies
To complete this scenario you will need to have completed:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos authentication for SQL OLTP
Configuration checklist

Area of Configuration            Description
Active Directory configuration   Create Visio Services service account
                                 Configure SPN on Visio Services service account
                                 Configure Kerberos constrained delegation for servers
                                 running Visio Services
                                 Configure Kerberos constrained delegation for the Visio
                                 Services service account
SharePoint Server configuration  Start Claims to Windows Token Service on Visio Services
                                 servers
                                 Grant the Visio Services service account permissions on the
                                 web application content database
                                 Start the Visio Services service instance on the Visio Services
                                 server
                                 Create the Visio Services service application and proxy
Verify Visio Services            Configure the Visio Services cache settings
constrained delegation           Create document library to host test Visio diagram
                                 Create a test Visio web drawing with SQL Server
                                 data-connected shapes
                                 Publish the Visio drawing to SharePoint Server and refresh
                                 data connection

Scenario environment details
Kerberos constrained delegation paths

In this scenario we will configure the SharePoint Server Visio Services application
servers and service accounts for Kerberos constrained delegation to the SQL Server
service.
SharePoint Server logical authentication

Authentication in this scenario begins with the client authenticating with Kerberos
authentication at the web front end. SharePoint Server 2010 will convert the Windows
authentication token into a claims token using the local Security Token Service (STS).
The Visio service application will accept the claims token and convert it into a Windows
token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part
of Windows Identity Foundation (WIF). The Visio service application will then use the
client's Kerberos ticket to authenticate with the backend data source.
Step-by-step configuration instructions
Active Directory configuration
Create Visio Services service account
As a best practice, Visio Services should run under its own domain identity. To configure
the Visio Services service application, an Active Directory account must be created. In this
example the following accounts were created:

SharePoint Server service    IIS App Pool Identity
Visio Services               vmlab\svcVisio

Configure SPN on Visio Services service account
Kerberos constrained delegation must be configured if Visio Services is going to delegate
the client's Windows identity to the back-end data source. In this example Visio Services will
query data from a SQL Server transactional database as the client; therefore Kerberos
delegation is required.
The Active Directory Users and Computers MMC snap-in is typically used to configure
Kerberos delegation. To configure the delegation settings within the snap-in, the Active
Directory object being configured must have a service principal name applied; otherwise
the Delegation tab for the object will not be visible in the object's properties dialog.
Although Visio Services does not require an SPN to function, we will configure one for this
purpose.
On the command line, run the following command:
SETSPN -S SP/VisioServices vmlab\svcVisio

Note
The SPN is not a valid SPN. It is applied to the specified service account to reveal the
delegation options in the AD Users and Computers add-in. There are other supported
ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo
AD attribute), but this topic will not be covered in this document.

Configure Kerberos constrained delegation for Visio Services
To allow Visio Services to delegate the client's identity, Kerberos constrained delegation
must be configured. It is required to configure constrained delegation with protocol
transition for the conversion of the claims token to a Windows token via the WIF C2WTS.
Each server running Visio Services must be trusted to delegate credentials to each
back-end service Visio will authenticate with. In addition, the Visio Services service account
must also be configured to allow delegation to the same back-end services.
In our example the following delegation paths are defined:

Principal Type   Principal Name        Delegates To Service
User             vmlab\svcVisio        MSSQLSvc/MySqlCluster.vmlab.local:1433
*User            vmlab\svcC2WTS        MSSQLSvc/MySqlCluster.vmlab.local:1433
**Computer       vmlab\vmsp10app01     MSSQLSvc/MySqlCluster.vmlab.local:1433
* Configured later in this scenario.
** Optional. Constrained delegation on the computer account is only required when
running the C2WTS as Local System.

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and
Computers.
2. Navigate to the Delegation tab.
3. Select Trust this user for delegation to specified services only.
4. Select Use any authentication protocol. This enables protocol transition and is
required for the Visio service account to use the C2WTS.
5. Click the Add button to select the service principal allowed to delegate to.
6. Select Users and Computers.
7. Select the service account running the service you wish to delegate to. In this
example it is the service account for the SQL Server service.
Note
The service account selected must have an SPN applied to it. In our example the SPN for
this account was configured in a previous scenario.
8. Click OK. You will then be asked to select the SPNs you would like to delegate to.
9. Select the services for the SQL Server cluster and click OK.
10. You should now see the selected SPNs in the Services to which this account can
present delegated credentials list.
11. Repeat these steps for each delegation path (Computer and User) defined in the
beginning of this section.
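The settings made through the Delegation tab above can be verified directly from Active Directory. The following Windows PowerShell script is an added example and is not part of the original document: it reads the msDS-AllowedToDelegateTo attribute and the protocol-transition flag for each principal in the delegation path table, and checks that the SQL Server SPN is registered on exactly one account (the duplicate-SPN problem mentioned later in this scenario). It assumes Windows PowerShell 2.0 or later on a domain-joined computer and uses this document's lab names (vmlab, svcVisio, svcC2WTS, vmsp10app01, MySqlCluster).

```powershell
# Added example, not part of the original document. Verifies Kerberos constrained
# delegation settings in Active Directory using only System.DirectoryServices
# ([adsisearcher]), so it needs no Active Directory PowerShell module.
# Assumptions: domain-joined computer, Windows PowerShell 2.0+, lab names from this document.

# userAccountControl bit set by "Use any authentication protocol" (protocol transition).
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

function Get-AdValues {
    # Returns all values of one property of a search result, or an empty array.
    param($Properties, [string]$Name)
    if ($Properties.Contains($Name)) { @($Properties[$Name] | ForEach-Object { $_ }) } else { @() }
}

function Get-DelegationInfo {
    # Looks up a user or computer by sAMAccountName (computer accounts end in '$').
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'sAMAccountName', 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' was not found in Active Directory." }
    $p = $result.Properties
    $uacValues = Get-AdValues $p 'useraccountcontrol'
    $uac = [int]$uacValues[0]
    New-Object PSObject -Property @{
        Account             = (Get-AdValues $p 'samaccountname')[0]
        SPNs                = Get-AdValues $p 'serviceprincipalname'
        AllowedToDelegateTo = Get-AdValues $p 'msds-allowedtodelegateto'
        ProtocolTransition  = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
    }
}

function Test-DelegationPath {
    # Checks one row of the delegation path table: the principal must hold an SPN
    # (otherwise the Delegation tab is hidden), list the target SPN in
    # msDS-AllowedToDelegateTo and, for C2WTS-based paths, allow protocol transition.
    param(
        [Parameter(Mandatory=$true)][string]$Principal,
        [Parameter(Mandatory=$true)][string]$TargetSpn,
        [switch]$RequireProtocolTransition
    )
    $info = Get-DelegationInfo -SamAccountName $Principal
    $problems = @()
    if ($info.SPNs.Count -eq 0) {
        $problems += 'no SPN registered (Delegation tab not shown in AD Users and Computers)'
    }
    if ($info.AllowedToDelegateTo -notcontains $TargetSpn) {
        $problems += "msDS-AllowedToDelegateTo does not include $TargetSpn"
    }
    if ($RequireProtocolTransition -and -not $info.ProtocolTransition) {
        $problems += "'Use any authentication protocol' is not set; tokens from the C2WTS cannot be delegated"
    }
    New-Object PSObject -Property @{
        Principal = $Principal
        Target    = $TargetSpn
        Ok        = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

function Find-SpnOwners {
    # Every account that holds a given SPN. More than one owner is a duplicate SPN,
    # which makes the KDC issue tickets for the wrong account and breaks Kerberos.
    param([Parameter(Mandatory=$true)][string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
}

# Delegation paths from the table in this scenario. The computer account row is
# only required when the C2WTS runs as Local System.
$sqlSpn = 'MSSQLSvc/MySqlCluster.vmlab.local:1433'
$owners = Find-SpnOwners -Spn $sqlSpn
if ($owners.Count -ne 1) {
    Write-Warning "$sqlSpn is held by $($owners.Count) account(s): $($owners -join ', ')"
}
foreach ($principal in 'svcVisio', 'svcC2WTS', 'vmsp10app01$') {
    Test-DelegationPath -Principal $principal -TargetSpn $sqlSpn -RequireProtocolTransition
}
```

The same checks apply to the other scenarios in this document: substitute the principals and target SPNs from that scenario's delegation path table (for example MSOLAPSvc.3/MySqlCluster for Analysis Services).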
Verify MSSQLSVC SPN for the service account running the service
on the SQL Server (performed in Scenario 2)
Verify the SPN for the SQL Server service account (vmlab\svcSQL) exists with the
following SetSPN command:
SetSPN -L vmlab\svcSQL
You should see the following:
MSSQLSvc/MySqlCluster
MSSQLSvc/MySqlCluster.vmlab.local:1433

SharePoint Server configuration
Configure and Start the Claims to Windows Token Service on Visio
Graphics Servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity
Foundation (WIF) which is responsible for converting user claims tokens to Windows
tokens. The Visio Graphics Service uses the C2WTS to convert the user's claims token
into a Windows token when the service needs to delegate credentials to a back-end
system which uses Windows authentication. WIF is deployed with SharePoint Server
2010, and the C2WTS can be started from Central Administration.
Each Visio Graphics Service application server must run the C2WTS locally. The C2WTS
does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS
service configuration file must be configured to specifically trust the local calling client
identity.
As a best practice you should run the C2WTS using a dedicated service account and not
as Local System (the default configuration). The C2WTS service account requires special
local permissions on each server the service runs on, so be sure to configure these
permissions each time the service is started on a server. Optimally you should configure
the service account's permissions on the local server before starting the C2WTS, but if
done after the fact you can restart the C2WTS from the Windows services management
console (services.msc).
To start the C2WTS
1. Create a service account in Active Directory to run the service under. In this example
we created vmlab\svcC2WTS.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the
delegation options for this account in Active Directory Users and Computers. The
SPN can be any format because we do not authenticate to the C2WTS using
Kerberos authentication. It is recommended to not use an HTTP SPN to avoid
potentially creating duplicate SPNs in your environment. In our example we
registered SP/C2WTS to the vmlab\svcC2WTS account using the following command:
SetSPN -S SP/C2WTS vmlab\svcC2WTS
3. Configure Kerberos constrained delegation on the C2WTS service account. In this
scenario we will delegate credentials to the SQL Server service running with the
MSSQLSvc/MySqlCluster.vmlab.local:1433 service principal name.
4. Configure the required local server permissions that the C2WTS requires. You will
need to configure these permissions on each server the C2WTS runs on. In our
example this is VMSP10APP01. Log on to the server and give the C2WTS the
following permissions:
a) Add the service account to the local Administrators group.
b) In local security policy (secpol.msc), under User Rights Assignment, give the
service account the following permissions:
i. Act as part of the operating system
ii. Impersonate a client after authentication
iii. Log on as a service
5. Open Central Administration.
6. In Security, in the Configure Managed Service Accounts section, register the C2WTS
service account as a managed account.
7. Under Services, select Manage services on server.
8. In the server selection box in the upper right corner, select the server(s) that is or
are running the Visio Graphics Service. In this example it is VMSP10APP01.
9. Find the Claims to Windows Token Service and start it.
10. Go to Manage Service Accounts in the Security section. Change the identity of
the C2WTS to the new managed account.

Note
If the C2WTS was already running before configuring the dedicated service account, or if
you need to change the permissions of the service account after the C2WTS is running,
you must restart the C2WTS from the services console.
In addition, if you experience issues with the C2WTS after restarting the service, it may
also be necessary to reset the IIS application pools that communicate with the C2WTS.
Add startup dependencies to the WIF C2WTS service
There is a known issue with the C2WTS where it may not automatically start up
successfully on system reboot. A workaround for the issue is to configure a service
dependency on the Cryptographic Services service.
1. Open a Command Prompt window.
2. Type sc config c2wts depend= CryptSvc
3. Find the Claims to Windows Token Service in the services console.
4. Open the properties for the service.
5. Check the Dependencies tab. Make sure Cryptographic Services is listed.
6. Click OK.
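The following Windows PowerShell script is an added example, not part of the original document: it checks the C2WTS settings that this section and the preceding "To start the C2WTS" procedure describe (dedicated service account rather than Local System, the CryptSvc dependency, running state, and the callers trusted in the service configuration file) and wraps the sc config command. It assumes an elevated Windows PowerShell 2.0 or later session on the server running the C2WTS; the service name c2wts comes from the command above, and the <allowedCallers><add value="..."/> layout of the c2wtshost.exe.config file is an assumption.

```powershell
# Added example, not part of the original document. Checks the local C2WTS
# configuration described in this section and wraps the CryptSvc dependency fix.
# Assumptions: elevated Windows PowerShell 2.0+ on the C2WTS server; the
# <allowedCallers><add value="..."/> layout of c2wtshost.exe.config.

function Get-C2wtsAllowedCallers {
    # The C2WTS only answers callers listed in its .exe.config. With SharePoint
    # this should be the local WSS_WPG worker-process group, nothing broader.
    param([Parameter(Mandatory=$true)][string]$ServicePath)
    $exe = $ServicePath.Trim('"')           # Win32_Service.PathName may be quoted
    $config = "$exe.config"
    if (-not (Test-Path -LiteralPath $config)) { return @() }
    $xml = [xml](Get-Content -LiteralPath $config)
    @($xml.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.value })
}

function Get-C2wtsStatus {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { throw "Service 'c2wts' not found; is Windows Identity Foundation installed?" }
    # ServicesDependedOn is the list shown on the Dependencies tab in services.msc.
    $deps = @((Get-Service -Name 'c2wts').ServicesDependedOn | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        State             = $svc.State
        StartMode         = $svc.StartMode
        RunsAs            = $svc.StartName
        RunsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')
        DependsOnCryptSvc = ($deps -contains 'CryptSvc')
        AllowedCallers    = Get-C2wtsAllowedCallers -ServicePath $svc.PathName
    }
}

function Test-C2wtsConfiguration {
    # Compares the live settings with what this section asks for.
    $status = Get-C2wtsStatus
    $problems = @()
    if ($status.RunsAsLocalSystem) {
        $problems += 'runs as Local System; use a dedicated domain service account'
    }
    if (-not $status.DependsOnCryptSvc) {
        $problems += 'no dependency on CryptSvc; the service may not start after a reboot'
    }
    if ($status.State -ne 'Running') {
        $problems += "service state is $($status.State)"
    }
    foreach ($broad in 'Users', 'Everyone', 'Authenticated Users') {
        if ($status.AllowedCallers -contains $broad) {
            $problems += "allowedCallers includes '$broad', wider than the SharePoint worker-process group"
        }
    }
    New-Object PSObject -Property @{
        Ok       = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
        Status   = $status
    }
}

function Add-C2wtsCryptSvcDependency {
    # Equivalent of "sc config c2wts depend= CryptSvc" from the steps above.
    # 'sc' inside PowerShell is an alias for Set-Content, so call sc.exe explicitly.
    # depend= replaces the whole dependency list, so existing entries are kept.
    $existing = @((Get-Service -Name 'c2wts').ServicesDependedOn | ForEach-Object { $_.Name })
    $depList = ($existing + 'CryptSvc' | Select-Object -Unique) -join '/'
    & sc.exe config c2wts depend= $depList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    # The note above says the C2WTS must be restarted after such changes.
    Restart-Service -Name 'c2wts'
}

$check = Test-C2wtsConfiguration
$check | Format-List Ok, Problems
$check.Status | Format-List
# If DependsOnCryptSvc is False, run: Add-C2wtsCryptSvcDependency
```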
Grant the Visio Services service account permissions on the web
application content database
A required step in configuring SharePoint Server 2010 Office Web Applications is
allowing the web application's service account access to the content databases for a
given web application. In this example we will grant the Visio Graphics Service account
access to the portal web application's content database by using Windows PowerShell.
Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcVisio")
Start the Visio Graphics Service instance on the Visio server
Before creating a Visio Services service application, start the Visio Services server service
on the designated farm servers.
1. Open Central Administration.
2. Under Services, select Manage services on server.
3. In the server selection box in the upper right-hand corner, select the server(s)
running Visio Services. In this example it is VMSP10APP01.
4. Start the Visio Graphics Service.

Create the Visio Graphics Service application and proxy
Next, configure a new Visio Graphics Service application and application proxy to allow
web applications to consume Visio Services (if one does not already exist).
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Select New and then select Visio Graphics Service.
4. Configure the new service application. Be sure to select the correct service account
(create a new managed account if the Visio service account is not in the list).

Verify Visio Graphics Service constrained delegation
Configure the Visio Services cache settings
By default the Visio Graphics Service will cache the web drawings it renders for web
clients for a number of minutes based on the service's cache settings. To test delegation,
we will configure the service to not cache drawings, to easily check data refresh in a Visio
web drawing.

Note
Disabling the rendering cache is not recommended for production environments.
Remember to re-enable the cache once you have completed testing delegation in Visio.

1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Select the Visio Graphics Service application created in the previous step.
4. Select Global Settings.
5. In the Minimum Cache Age setting, set the cache to 0 (no cache).

Note
Setting the minimum cache age to 0 is for testing purposes only and should not be used
in a production environment.
Create document library to host a test Visio web drawing
Navigate to the portal application (http://portal). Create a new document library to host
a test Visio web drawing. The default document library
Create a test Visio web drawing with SQL Server data-connected
shapes
1. Start Visio 2010.
2. Create a new Basic Diagram in the General section under Home.
3. On the Data ribbon tab, select Link Data to Shapes.
4. In the Data Selector dialog box, select Microsoft SQL Server database.
5. Specify the SQL Server cluster created in Scenario 2 and select Windows
Authentication.
6. Select the Test database and the Sales table.
7. Specify a friendly name for the connection and save the connection to the
document library created in the previous step.
8. In the Data Selector dialog, select the newly created connection and press Finish.
You should now see the External Data window at the bottom of the drawing window
with the sample data that was created earlier.

9. Drag the first data row onto the drawing surface. This will create a new shape that is
linked to the data row. Note that the test drawing is meant to test delegation and is
not meant to demonstrate how to create a fully functioning, production-ready web
drawing.

Publish the Visio drawing to SharePoint Server and refresh the data
connection
1. Publish the drawing to the test SharePoint document library. On the File tab, click
Save and Send, Save to SharePoint, Browse for a location, and then Web Drawing.
2. Browse to the test document library, specify a name for the test drawing, and then
click Save.
The drawing opens in the browser.
3. In the refresh disabled notification, select Enable (always).
4. The data connection should automatically refresh and no errors should occur.
5. Open SQL Server Management Studio and modify the data row displayed in the web
drawing.
6. Refresh the data connection by pressing the Refresh button at the top of the
drawing window. If delegation is configured correctly you should see your data
refresh.

Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Published December 2, 2010
In this scenario you will add the PerformancePoint Services service application to the
SharePoint Server environment and configure Kerberos constrained delegation to allow
the service to pull data from an external Analysis Services cube, and have the option to
pull data from SQL Server.

Note
If you are installing on Windows Server 2008 you may need to install the following
hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used (http://support.microsoft.com/kb/969083)
Scenario dependencies
To complete this scenario you will need to have completed:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP (optional)
• Scenario 3: Kerberos Authentication for SQL Server Analysis Services
Configuration checklist

Area of configuration            Description
Active Directory configuration   Create PerformancePoint Services service account
                                 Create an SPN for the service account running the
                                 PerformancePoint Service on the application server
                                 Verify Analysis Services SPN on SQL Server Analysis Services
                                 service account vmlab\svcSQLAS (performed in Scenario 3)
                                 and (Optional) verify the SQL Server database engine service
                                 account vmlab\svcSQL (performed in Scenario 2)
                                 Configure Kerberos constrained delegation for the Claims to
                                 Windows Token Service service account to Analysis Services
                                 Configure Kerberos constrained delegation for the
                                 PerformancePoint Services service account to Analysis Services
SharePoint Server configuration  Start Claims to Windows Token Service on PerformancePoint
                                 Services servers
                                 Start the PerformancePoint Services service instance on the
                                 PerformancePoint Services server
                                 Create the PerformancePoint Services service application and
                                 proxy
                                 Check the identity on the PerformancePoint application
                                 Grant the PerformancePoint Services service account
                                 permissions on the web application content database
                                 Configure PerformancePoint Services trusted file location and
                                 authentication settings
Verify PerformancePoint          Create document library to host a test dashboard
Services constrained             Create a data source that references an existing SQL Server
delegation                       Analysis Services cube
                                 Create a trusted PerformancePoint content list
                                 Create test PerformancePoint dashboard
                                 Publish dashboard to SharePoint Server

Scenario environment details
Kerberos constrained delegation paths

In this scenario we will configure the PerformancePoint Services service account for
Kerberos constrained delegation to the SQL Server service.

Note
In this scenario we will configure the Claims to Windows Token Service (C2WTS) to use
a dedicated service account. If you leave the C2WTS configured to use Local System, you
will need to configure constrained delegation on the computer account for the
computer running the C2WTS and PerformancePoint Services.

SharePoint Server logical authentication

Authentication in this scenario begins with the client authenticating with Kerberos
authentication at the web front end. SharePoint Server 2010 will convert the Windows
authentication token into a claims token using the local Security Token Service (STS).
The PerformancePoint service application will accept the claims token and convert it
into a Windows token (Kerberos) using the local Claims to Windows Token Service
(C2WTS) that is a part of Windows Identity Foundation (WIF). The PerformancePoint
service application will then use the client's Kerberos ticket to authenticate with the
back-end data source.

Step-by-step configuration instructions
Active Directory configuration
Create PerformancePoint Services service account
As a best practice, PerformancePoint Services should run under its own domain identity.
To configure the PerformancePoint Services service application, an Active Directory account
must be created and registered as a managed account in SharePoint Server 2010. For
more information, see Managed Accounts in SharePoint 2010. In this example the
following account is created and registered later in this scenario:

SharePoint Server service    IIS App Pool Identity
PerformancePoint Services    vmlab\svcPPS

Create an SP for the Service Account that is running the
PerformancePoint service on the AppIication Server
1hls sLep ls necessary because Lhe Servlce AccounL LhaL ls runnlng Lhe ShareolnL
AppllcaLlon ool ls dlfferenL Lhan Lhe erformanceolnL accounL
1he AcLlve ulrecLory Dsers and CompuLers MMC snapln ls Lyplcally used Lo conflgure
kerberos delegaLlon 1o conflgure Lhe delegaLlon seLLlngs wlLhln Lhe snapln Lhe AcLlve
ulrecLory ob[ecL belng conflgured musL have a servlce prlnclpal name applled oLherwlse
Lhe de|egat|on Lab for Lhe ob[ecL wlll noL be vlslble ln Lhe ob[ecL's properLles dlalog
AlLhough erformanceolnL Servlces does noL requlre a Sn Lo funcLlon we wlll
conflgure one for Lhls purpose
Cn Lhe command llne run Lhe followlng command
SetSPN -S SP/svcPPS vmlab\svcPPS

Note
The SPN is not a valid SPN. It is applied to the specified service account to reveal the
delegation options in the AD Users and Computers add-in. There are other supported
ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo
AD attribute), but this topic will not be covered in this document.

Verify Analysis Services SPN on SQL Server Analysis Services
service account, vmlab\svcSQLAS (performed in Scenario 3) and
(Optional) Verify the SQL Server database engine service account,
vmlab\svcSQL (performed in Scenario 2)
Verify that the SPN for the SQL Server Analysis Services service account (vmlab\svcSQLAS)
exists with the following SetSPN command:

SetSPN -L vmlab\svcSQLAS

You should see the following:
MSOLAPSvc.3/MySqlCluster
Verify that the SPN for the SQL Server database engine service account (vmlab\svcSQL)
exists with the following SetSPN command:

SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSvc/MySqlCluster
Configure Kerberos constrained delegation from the
PerformancePoint Services service account to the SSAS service and
optionally for the SQL Server service
To allow PerformancePoint Services to delegate the client's identity, Kerberos
constrained delegation must be configured. You must also configure constrained
delegation with protocol transition for the conversion of the claims token to a Windows
token via the WIF C2WTS.
Each server running PerformancePoint Services must be trusted to delegate credentials
to each back-end service with which PerformancePoint will authenticate. In addition,
the PerformancePoint Services service account must also be configured to allow
delegation to the same back-end services. Notice also that HTTP/Portal and
HTTP/Portal.vmlab.local are configured to delegate in order to include a SharePoint list
as an optional data source for your PerformancePoint dashboard.
In our example the following delegation paths are defined:

Principal Type    Principal Name
User              vmlab\svcC2WTS
User              vmlab\svcPPS

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and
   Computers.
2. Navigate to the Delegation tab.
3. Select Trust this computer for delegation to specified services only.
4. Select Use any authentication protocol.
5. Click the Add button to select the service principal.
6. Select Users and Computers.
7. Select the service account running the service you wish to delegate to.
Note
The service account selected must have an SPN applied to it. In our example the SPN for
this account was configured in a previous scenario.
8. Click OK.
9. Select the SPNs you would like to delegate to and then click OK.
10. You should now see the selected SPNs in the Services to which this account can
    present delegated credentials list.
11. Repeat these steps for each delegation path defined in the beginning of this section.
SharePoint Server configuration
Configure and Start the Claims to Windows Token Service on
PerformancePoint Services Servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity
Foundation (WIF) which is responsible for converting user claims tokens to Windows
tokens. PerformancePoint Services uses the C2WTS to convert the user's claims token
into a Windows token when the service needs to delegate credentials to a back-end
system which uses Windows authentication. WIF is deployed with SharePoint Server
2010, and the C2WTS can be started from Central Administration.
Each PerformancePoint Services application server must run the C2WTS locally. The
C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the
C2WTS service configuration file must be configured to specifically trust the local calling
client identity.
As a best practice, you should run the C2WTS using a dedicated service account and not
as Local System (the default configuration). The C2WTS service account requires special
local permissions on each server the service runs on, so be sure to configure these
permissions each time the service is started on a server. Optimally, you should configure
the service account's permissions on the local server before starting the C2WTS, but if
done after the fact you can restart the C2WTS from the Windows services management
console (services.msc).
To start the C2WTS
1. Create a service account in Active Directory to run the service under. In this example
   we created vmlab\svcC2WTS.
2. Add an arbitrary Service Principal Name (SPN) to the service account to expose the
   delegation options for this account in Active Directory Users and Computers. The
   SPN can be any format because we do not authenticate to the C2WTS using
   Kerberos authentication. It is recommended to not use an HTTP SPN to avoid
   potentially creating duplicate SPNs in your environment. In our example we
   registered SP/C2WTS to the vmlab\svcC2WTS account using the following command:

SetSPN -S SP/C2WTS vmlab\svcC2WTS

3. Configure Kerberos constrained delegation on the C2WTS service account. In this
   scenario we delegate credentials to the SQL Server service that is running with the
   MSOLAPSvc.3/MySqlCluster.vmlab.local service principal name.
4. Next, configure the required local server permissions the C2WTS requires. You have
   to configure these permissions on each server the C2WTS runs on. In our example
   this is VMSP10APP01. Log onto the server and give the C2WTS the following
   permissions:
   a) Add the service account to the local Administrators group.
   b) In local security policy (secpol.msc) under user rights assignment, give the
      service account the following permissions:
      i.   Act as part of the operating system
      ii.  Impersonate a client after authentication
      iii. Log on as a service
5. Open Central Administration.
6. In the Security section under Configure Managed Service Accounts, register the
   C2WTS service account as a managed account.
7. Under Services, select Manage services on server.
8. In the server selection box in the upper right hand corner, select the server(s)
   running PerformancePoint Services. In this example it is VMSP10APP01.
9. Find the Claims to Windows Token Service and start it.
10. Go to Manage Service Accounts in the Security section. Change the identity of
    the C2WTS to the new managed account.

Note
If the C2WTS was already running before configuring the dedicated service account, or if
you need to change the permissions of the service account after the C2WTS is running,
you must restart the C2WTS from the services console.
In addition, if you experience issues with the C2WTS after restarting the service, it
may also be required to reset the IIS application pools that communicate with the
C2WTS.
Add startup dependencies to the WIF C2WTS service
There is a known issue with the C2WTS where it may not automatically start up
successfully on system reboot. A workaround to the issue is to configure a service
dependency on the Cryptographic Services service.
1. Open the command prompt window.
2. Type sc config c2wts depend= CryptSvc
3. Find the Claims to Windows Token Service in the services console.
4. Open the properties for the service.
5. Check the Dependencies tab. Make sure Cryptographic Services is listed.
6. Click OK.
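The following Windows PowerShell check is an added example, not part of the original document or of SharePoint itself. It verifies on a PerformancePoint application server the three things this section asks for: that the C2WTS runs under a dedicated account rather than Local System, that it has the CryptSvc startup dependency, and that it is actually running. The only name it relies on is the service name c2wts used by the sc config command above.

```powershell
# Added example (not from the original document): verify the C2WTS configuration
# that this section requires on a PerformancePoint application server.
# Assumes the service is installed under its usual service name, c2wts.

function Test-C2wtsConfiguration {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { throw 'Claims to Windows Token Service (c2wts) is not installed on this server' }

    # Names of the services c2wts depends on (populated by "sc config c2wts depend= CryptSvc")
    $dependsOn = @((Get-Service -Name c2wts).ServicesDependedOn | ForEach-Object { $_.Name })

    $problems = @()
    if ($svc.StartName -eq 'LocalSystem') {
        $problems += 'C2WTS runs as Local System; run it under a dedicated managed service account instead'
    }
    if ($dependsOn -notcontains 'CryptSvc') {
        $problems += 'no dependency on Cryptographic Services; run: sc config c2wts depend= CryptSvc'
    }
    if ($svc.StartMode -ne 'Auto') {
        $problems += "startup type is $($svc.StartMode); expected Automatic so it survives a reboot"
    }
    if ($svc.State -ne 'Running') {
        $problems += "service state is $($svc.State); restart it from services.msc after changing its account or rights"
    }

    New-Object PSObject -Property @{
        RunsAs    = $svc.StartName
        DependsOn = $dependsOn
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Run on each server that hosts PerformancePoint Services (VMSP10APP01 in this scenario).
Test-C2wtsConfiguration
```

Run it after steps 1 through 6 above and again after any change to the service account's local rights; the Problems list tells you which of the section's requirements is still unmet.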
Start the PerformancePoint Services service instance on the
PerformancePoint Services server
Before creating a PerformancePoint Services service application, start the
PerformancePoint Services service on the designated farm servers. To learn more
about PerformancePoint Services configuration, see PerformancePoint Services
administration on Microsoft TechNet.
1. Open Central Administration.
2. Under Services, select Manage services on server.
3. In the server selection box in the upper right hand corner, select the server(s)
   running PerformancePoint Services. In this example it is VMSP10APP01.
4. Start the PerformancePoint Services service.

Create the PerformancePoint Services service application and proxy
Next, configure a new PerformancePoint Services service application and application
proxy to allow web applications to consume PerformancePoint Services.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Select New and then click PerformancePoint Services Application.
4. Configure the new service application. Be sure to select the correct service account,
   or create a new managed account if you did not perform this step previously.

Note
Configuring the Unattended Services Account is optional in this scenario and only used if
you want to also test NTLM authentication.

You can create and register a new service account for an existing application pool
dedicated for PerformancePoint Services before this step or when you create the new
PerformancePoint Service. To associate the service account with an existing application
pool dedicated to PerformancePoint, or verify an existing account, do the following:
1. Navigate to SharePoint Central Administration. Find Configure managed accounts
   in the Security section.
2. Select the dropdown box and select the application pool.
3. Select the Active Directory account.

Grant the PerformancePoint Services service account permissions
on the web application content database
A required step in configuring SharePoint Server 2010 Office Web Applications is
allowing the web application's service account access to the content databases for a
given web application. In this example we will grant the PerformancePoint Services
account access to the portal web application's content database by using Windows
PowerShell.
Run the following commands from the SharePoint 2010 Management Shell:

$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcPPS")
Configure PerformancePoint Services trusted file location and
authentication settings
Once the PerformancePoint Services application is created, you must configure the
properties on the new service application to specify a trusted host location and
authentication settings.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Click the link for the new Service Application, PerformancePoint Services, and click
   the Manage button in the ribbon.
4. In the PerformancePoint Services management screen, click Trusted Data Source
   Locations.
5. Select the Only specific locations option and click Add Trusted Data Source
   Location.
6. Type the URL of the location, select the Site Collection (and subtree) option, and
   then click OK.
7. Select the Only specific locations option and click Add Trusted Data Source
   Location.
8. Type the URL of the location, select the Site (and subtree) option, and then click OK.

Verify PerformancePoint Service Constrained Delegation
Create test PerformancePoint dashboard with a SQL Server AS data
connection
Next, open PerformancePoint Dashboard Designer and create an Analysis Services data
connection.
1. Open PerformancePoint Dashboard Designer and right-click Data Source to create a
   connection.
2. Select Analysis Services.
3. Specify the server, database and cube, and select Per-user Identity.
4. Click Test Data Source to test the connection.
5. Create a report and dashboard.
6. Make sure you have a data connection by dragging measures and dimensions from
   the details pane into the report designer.
7. Your report can be included in the dashboard. Select Reports and then drag My
   Report onto the Dashboard Content page.

Publish the dashboard to SharePoint Server
The last step to validate the PerformancePoint Services application is to publish the
dashboard and test refreshing and viewing the Analysis Services data. To do this:
1. Select the bright file button icon.
2. Click Deploy in the file selection.
3. Select a Master Page to which you want to publish.
4. Click the refresh button in your browser.
If the data connection refreshes, you have successfully configured Kerberos
delegation for PerformancePoint Services.
Identity delegation for Business
Connectivity Services (SharePoint Server
2010)
Published December 2, 2010
In this scenario you configure the Business Data Connectivity service application to use
Kerberos constrained delegation to authenticate with SQL Server. Once it is configured,
you create a new external content type and external list to test authentication and read
operations within a SharePoint site.
In this scenario the SharePoint Server farm and BCS data source are both in the same
domain. Therefore we configure Kerberos constrained delegation to allow identity
delegation to the back-end data source. If you are required to authenticate with data
sources in other domains within the same forest, you have to configure basic
(unconstrained) Kerberos delegation. Remember that BCS does not leverage the C2WTS;
therefore you can use basic delegation.

Note
If you are installing on Windows Server 2008, you may have to install the following
hotfix for Kerberos authentication:
Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f
on a computer that is running Windows Server 2008 or Windows Vista when the AES
algorithm is used (http://support.microsoft.com/kb/969083)
Scenario dependencies
To complete this scenario you have to have completed the following:
• Scenario 1: Core Configuration
• Scenario 2: Kerberos Authentication for SQL OLTP
Configuration checklist

Area of configuration             Description
Active Directory configuration    Create BCS Application Service Account
                                  Validate Service Principal Names
                                  Configure Delegation
SharePoint Server configuration   Start the BCS Service Instance
                                  Create the BCS Service Application
Verification                      Create a BCS External Content Type
                                  Configure BCS Security
                                  Create a BCS External List
                                  Open the external list in the browser

Scenario Environment Details
[Scenario environment diagram]
Step-by-step configuration instructions
Active Directory configuration
Create BCS Application Service Account
As a best practice, Business Connectivity Services should run under its own domain
identity. To configure the BCS Application, an Active Directory account must be created.
In this example the following accounts were created:

SharePoint Server service        IIS App Pool Identity
Business Connectivity Service    vmlab\svcBDC

Validate Service Principal Names
BCS external content types run within the context of the IIS application pool using the
ECT type when BCS data is used in SharePoint sites. For BCS to connect and authenticate
with external data sources using Kerberos authentication, the IIS application pool service
account and the service account for the external data source must have service principal
names configured. Refer to scenarios 1 and 2 in this document to configure and validate
the necessary SPNs on the web applications and SQL Server service accounts.
Configure delegation
To allow BCS to delegate the client's identity, Kerberos delegation must be configured.
Although constrained delegation is technically not required for BCS as it is for Excel
Services (unconstrained delegation can be used for BCS), it is a best practice to limit the
scope of delegation the service is allowed to perform; therefore constrained delegation
will be configured in this example.
Each IIS application pool service account hosting the site running the ECT must be
configured to allow delegation to the back-end services.
In our example the following delegation paths are needed:
Principal Type    Principal Name     Delegates To Service
User              svcPortal10App     MSSQLSvc/MySqlCluster.vmlab.local:1433
User              svcTeams10App      MSSQLSvc/MySqlCluster.vmlab.local:1433

To configure constrained delegation
1. Open the Active Directory object's properties in Active Directory Users and
   Computers.
2. Navigate to the Delegation tab.
3. Select Trust this user for delegation to specified services only.
Note
If you need BCS to authenticate with data sources within the same forest but outside of
the domain that SharePoint Server resides in, you will want to select Trust this computer
for delegation to any service to configure basic delegation instead of constrained
delegation. The BCS external content type will execute in the web application's IIS
worker process and does not leverage the C2WTS. Remember that cross-forest Kerberos
delegation is not possible.
4. Click the Add button to select the service principal allowed to delegate to.
5. Select Users and Computers.
6. Select the service account running the service you wish to delegate to. In this
   example it is the service account for the SQL Server service.
Note
The service account selected must have an SPN applied to it. In our example the SPN for
this account was configured in a previous scenario.
7. Click OK.
8. Select the SPNs you would like to delegate to and then click OK.
9. Select the services for the SQL Server cluster and click OK.
   You should now see the selected SPNs in the Services to which this account can
   present delegated credentials list.
10. Repeat these steps for each delegation path identified earlier in this section.
Verify MSSQLSVC SPN for the Service Account running the service
on the SQL Server (performed in Scenario 2)
Verify that the SPN for the SQL Server service account (vmlab\svcSQL) exists with the
following SetSPN command:

SetSPN -L vmlab\svcSQL

You should see the following:
MSSQLSvc/MySqlCluster
MSSQLSvc/MySqlCluster.vmlab.local:1433
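Both this scenario and the PerformancePoint Services scenario before it set delegation through the Delegation tab, which ultimately writes the msDS-AllowedToDelegateTo attribute and two userAccountControl flags on the service account. The Windows PowerShell audit below is an added example, not part of the original document or of SharePoint: it reads those attributes with ADSI (no extra modules needed on Windows Server 2008) and checks each delegation path this document defines, including the protocol-transition flag that the C2WTS-based PerformancePoint path needs. The account names and target SPNs are the lab values from these two scenarios.

```powershell
# Added example (not from the original document): audit the constrained delegation
# settings that the PerformancePoint Services and Business Connectivity Services
# scenarios configure. Reads msDS-AllowedToDelegateTo and userAccountControl via
# ADSI. Account names and target SPNs are the lab values used in this document.

$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationState {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    foreach ($p in 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' was not found in the current domain" }

    $uac = [int]$result.Properties['userAccountControl'][0]
    New-Object PSObject -Property @{
        Account            = $SamAccountName
        Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        AllowedTargets     = @($result.Properties['msDS-AllowedToDelegateTo'])
        SpnCount           = $result.Properties['servicePrincipalName'].Count
    }
}

function Test-DelegationPath {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string[]]$ExpectedTargets,
        [switch]$RequireProtocolTransition   # needed for accounts whose tokens come from the C2WTS
    )
    $state = Get-DelegationState -SamAccountName $SamAccountName
    $problems = @()
    if ($state.Unconstrained) {
        $problems += 'unconstrained delegation is enabled; limit it to the specific back-end services'
    }
    if ($state.SpnCount -eq 0) {
        $problems += 'no SPN is registered, so the Delegation tab is not shown for this account'
    }
    if ($RequireProtocolTransition -and -not $state.ProtocolTransition) {
        $problems += '"Use any authentication protocol" is not selected; claims-to-Windows token conversion will fail'
    }
    foreach ($target in $ExpectedTargets) {
        if ($state.AllowedTargets -notcontains $target) { $problems += "missing delegation target $target" }
    }
    New-Object PSObject -Property @{
        Account  = $SamAccountName
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# PerformancePoint path: the C2WTS and PPS accounts delegate to SSAS with protocol transition.
Test-DelegationPath -SamAccountName 'svcC2WTS' -RequireProtocolTransition -ExpectedTargets 'MSOLAPSvc.3/MySqlCluster.vmlab.local'
Test-DelegationPath -SamAccountName 'svcPPS'   -RequireProtocolTransition -ExpectedTargets 'MSOLAPSvc.3/MySqlCluster.vmlab.local'
# BCS path: the web application pool identities delegate directly to the SQL Server service.
Test-DelegationPath -SamAccountName 'svcPortal10App' -ExpectedTargets 'MSSQLSvc/MySqlCluster.vmlab.local:1433'
Test-DelegationPath -SamAccountName 'svcTeams10App'  -ExpectedTargets 'MSSQLSvc/MySqlCluster.vmlab.local:1433'
```

An account that reports Unconstrained as true is the case the note under step 3 describes (basic delegation for cross-domain data sources); for the same-domain configuration in these scenarios it should be false, with every target listed explicitly.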
SharePoint Server configuration
Start the BCS service instance
Before creating a BCS service application, start the BCS service on the designated farm
servers.
1. Open Central Administration.
2. Under Services, select Manage services on server.
3. In the Server Selection box in the upper-right corner, select the server(s) running
   Excel Services. In this example it is VMSP10APP01.
4. Start the Business Data Connectivity Service service.

Create the BCS service application
Next, configure a new BDC service application and application proxy to allow web
applications to consume BDC services.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Select New, then Business Data Connectivity Service.
4. Configure the new service application. Be sure to select the correct service account
   (create a new managed account if the BDC service account is not in the list).
Verification
Create a BCS external content type
To access external data through BDC, a BDC external content type must be created. In this
example we will use SharePoint Designer 2010 to create the external content type in the
Portal web application (http://portal).
1. Open SharePoint Designer 2010.
2. Open the test site collection at http://portal.
3. On the left hand navigation, click External Content Types.
4. Select External Content Type in the New section of the ribbon in the upper left
   hand corner of the page.
5. Give the External Content Type a display name.
6. Then select Click here to discover external data sources and define operations.
7. Click Add Connection.
8. Select SQL Server from the Data Source Type dropdown list and add the
   information to connect to the test database. Be sure to select Connect with the
   User's Identity to test delegation.
9. Expand the new connection. Right-click the test table (Sales) and select Create All
   Operations.
10. You should see an error explaining there isn't a unique identifier defined. Select the
    identifier column and select the Map to Identifier check box. Click Finish to accept
    the default options and create the ECT operations.
11. Click Save (CTRL+S). This will publish the ECT to the BDC service application
    metadata store.
Configure BCS security
Before clients can use the BCS external content type in the portal web application, BCS
permissions must be configured. BCS supports a granular permission model, but for the
purposes of this demo we will configure security at the Metadata Store level and
propagate the security changes to all objects in the store.
1. Open Central Administration.
2. Select Manage Service Applications under Application Management.
3. Click the link for the new Service Application, Business Data Services in this
   example.
4. Select Set Metadata Store Permissions.
5. In our example we configured Enterprise Admins with all permissions and All
   Authenticated Users with all permissions except the Set Permissions permission.
6. Ensure the Propagate permissions check box is selected and click OK to save your
   changes.
Create a BCS External List
To test the external content type, we will configure an external list to display the
external data in the portal application.
1. Open SharePoint Designer 2010.
2. Open the test site collection at http://portal.
3. Select External Content Types on the left side.
4. Click the content type that you created earlier.
5. In the ribbon, click Create Lists & Form.
6. If you are prompted to save the external content type, click Yes.
7. On the Create List and Form dialog box, type a list name in the List Name text box
   and then click OK.
Open the external list in the browser
1. Open SharePoint Designer 2010.
2. Open the test site collection at http://portal.
3. Click Lists and Libraries in the left hand navigation.
4. Select the external list at the bottom of the Lists and Libraries list.
5. Click the Preview in Browser button.
   Internet Explorer will open and display the selected site and external list.
6. Validate that the external data is displayed correctly. To further validate the connection,
   change the source data in SQL Server Management Studio and refresh the browser
   page. You should see the data changes reflected in the browser.
Kerberos configuration known issues
(SharePoint Server 2010)
Published December 2, 2010
Kerberos authentication and non-default
ports
There is a known issue where some Kerberos clients (.NET Framework, Internet Explorer
7 and 8 included) do not correctly form service principal names when attempting to
authenticate with Kerberos-enabled web applications that are configured on non-default
ports (ports other than 80 and 443). The root of the problem is that the client does
not properly form the SPN in the TGS request, specifying it without the port number
(as seen in the SName of the TGS request).
Example:
If the web application is running at http://intranet.contoso.com:1234, the client will
request a ticket for a service with an SPN equal to HTTP/intranet.contoso.com instead of
HTTP/intranet.contoso.com:1234.
Details regarding the issue can be found in the following articles:
• Internet Explorer cannot use the Kerberos authentication protocol to connect to a
  Web site that uses a non-standard port in Windows XP and in Windows Server 2003
  (http://support.microsoft.com/kb/908209/en-us)
• Configure Kerberos authentication (Office SharePoint Server 2007)
  (http://go.microsoft.com/fwlink/?LinkId=196987)
To work around this issue, register SPNs with and without the port number. Example, for
a web application at http://intranet.contoso.com:12345:
• HTTP/intranet
• HTTP/intranet.contoso.com
• HTTP/intranet:12345
• HTTP/intranet.contoso.com:12345
We recommend that you register the non-default port to ensure that if the issue is
resolved in some future service pack or hotfix, the applications using the workaround
will still continue to function.
Note that this workaround will not work if the following conditions are true:
• There is more than one web application running on a non-default port.
• The web applications either bind to the host name of the server or bind to the same
  host header (on different ports).
• The web application IIS application pools use different service accounts:
  • http://server.contoso.com:3000  AppPool Id: contoso\svcA
  • http://server.contoso.com:3001  AppPool Id: contoso\svcB
If these conditions are true, following the recommendation in this workaround will yield
duplicate SPNs registered to different service accounts, which will break Kerberos
authentication.
If you have multiple web sites sharing a common host name running on multiple ports,
and you use different IIS application pool identities for the web applications, then you
cannot use Kerberos authentication on all web sites. (One application can use Kerberos;
the rest will require another authentication protocol.) To use Kerberos on all
applications in this scenario you would need to either:
1. Run all web applications under one shared service account, or
2. Run each site with its own host header.
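The Windows PowerShell script below is an added example, not part of the original document or of any Microsoft tool. It works out the SPN set this workaround registers for a web application on a non-default port (port-less and port-qualified forms, for both the short and fully qualified host names), and then checks a list of web applications for the failure case described above: the same host name on different ports under different application pool identities, where the port-less SPNs would be duplicates. The web application list is a constructed sample built from the host names in this section.

```powershell
# Added example (not from the original document): compute the SPNs this workaround
# registers for a web application on a non-default port, and detect the duplicate-SPN
# condition that arises when applications sharing a host name run under different
# application pool identities. The web application list is a constructed sample.

function Get-WebAppSpns {
    param([Parameter(Mandatory=$true)][string]$Url)
    $uri      = [Uri]$Url
    $hostName = $uri.Host
    $short    = $hostName.Split('.')[0]
    # Port-less forms: what the affected clients (IE 7/8, .NET) actually ask the KDC for.
    $spns = @("HTTP/$hostName")
    if ($short -ne $hostName) { $spns += "HTTP/$short" }
    # Port-qualified forms: kept so the registration still works once clients form the SPN correctly.
    if (-not $uri.IsDefaultPort) {
        $spns += "HTTP/$($hostName):$($uri.Port)"
        if ($short -ne $hostName) { $spns += "HTTP/$($short):$($uri.Port)" }
    }
    $spns
}

function Find-SpnConflicts {
    # $WebApps maps each web application URL to its IIS application pool identity.
    param([Parameter(Mandatory=$true)][hashtable]$WebApps)
    $owner     = @{}
    $conflicts = @()
    foreach ($url in $WebApps.Keys) {
        $identity = $WebApps[$url]
        foreach ($spn in Get-WebAppSpns -Url $url) {
            if ($owner.ContainsKey($spn)) {
                if ($owner[$spn] -ne $identity) {
                    $conflicts += "$spn would be registered to both $($owner[$spn]) and $identity"
                }
            } else {
                $owner[$spn] = $identity
            }
        }
    }
    $conflicts
}

# Constructed sample: the two-application case this section says the workaround cannot handle.
$webApps = @{
    'http://server.contoso.com:3000' = 'contoso\svcA'
    'http://server.contoso.com:3001' = 'contoso\svcB'
}
Find-SpnConflicts -WebApps $webApps
# Reports conflicts for HTTP/server.contoso.com and HTTP/server; the port-qualified SPNs stay unique.

# To compare against what is already registered in the domain (Windows Server 2008 or later):
# foreach ($spn in Get-WebAppSpns -Url 'http://intranet.contoso.com:12345') { setspn -Q $spn }
```

An empty result from Find-SpnConflicts means the port-less SPNs can be registered safely; any line it returns is a pair of applications that must either share one service account or move to distinct host headers, which are the two options listed above.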
Kerberos authentication and DNS CNAMEs
There is a known issue with some Kerberos clients (Internet Explorer 7 and 8 included)
that attempt to authenticate with Kerberos-enabled services that are configured to
resolve using DNS CNAMEs instead of A records. The root of the problem is that the client
does not correctly form the SPN in the TGS request, creating it using the host name (A
record) instead of the alias name (CNAME).
Example:
A record: wfe01.contoso.com
CNAME: intranet.contoso.com (aliases wfe01.contoso.com)
If the client attempts to authenticate with http://intranet.contoso.com, the client does
not correctly form the SPN and requests a Kerberos ticket for HTTP/wfe01.contoso.com
instead of HTTP/intranet.contoso.com.
Details regarding the issue can be found in the following articles:
http://support.microsoft.com/kb/111/en-us
http://support.microsoft.com/kb/38305/en-us
To work around this issue, configure Kerberos-enabled services using DNS A records
instead of CNAME aliases. The hotfix mentioned in the KB article will correct this issue for
Internet Explorer but will not correct the issue for the .NET Framework (which is used by
Microsoft Office SharePoint Server for web service communication).
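As an added example (not part of the original document), the following Windows PowerShell function predicts the SPN an affected client would request for a given URL by comparing the name in the URL with the canonical host name that DNS resolves it to. It uses System.Net.Dns rather than Resolve-DnsName so it runs on Windows Server 2008; the host names are the constructed contoso.com sample from this section and must exist in DNS for the call to resolve.

```powershell
# Added example (not from the original document): predict which SPN a client with
# the CNAME issue would request for a URL. Assumes the name resolves in DNS; the
# sample host names are the constructed contoso.com names from this section.

function Test-CnameSpnMismatch {
    param([Parameter(Mandatory=$true)][string]$Url)
    $requested = ([Uri]$Url).Host
    $entry     = [System.Net.Dns]::GetHostEntry($requested)
    # When the queried name is a CNAME, HostName carries the A record's name instead of the alias.
    $canonical = $entry.HostName
    $isAlias   = ($canonical -ne $requested)

    New-Object PSObject -Property @{
        Url           = $Url
        ExpectedSpn   = "HTTP/$requested"
        ClientWillAsk = $(if ($isAlias) { "HTTP/$canonical" } else { "HTTP/$requested" })
        Mismatch      = $isAlias
        Advice        = $(if ($isAlias) { "use a DNS A record for $requested instead of a CNAME" } else { 'no action needed' })
    }
}

# With the example records above, this reports a mismatch: the client asks for HTTP/wfe01.contoso.com.
Test-CnameSpnMismatch -Url 'http://intranet.contoso.com'
```

Run it against each Kerberos-enabled URL in the farm; any result with Mismatch set to true is a name that should be converted from a CNAME to an A record as the section recommends.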
Kerberos authentication and Kernel Mode
Authentication

Note
Kernel Mode Authentication is not supported in SharePoint 2010 Products. This
information is provided for informational purposes only.

Beginning in IIS version 7.0 there is a new authentication feature called Kernel Mode
Authentication. When an IIS web site is configured to use Kernel Mode Authentication,
HTTP.sys will authenticate the client's requests instead of the application pool's worker
process. Because HTTP.sys runs in kernel mode, this yields better performance but also
introduces a bit of complexity when configuring Kerberos. This is due to HTTP.sys
running under the computer's identity and not under the identity of the worker process.
When HTTP.sys receives a Kerberos ticket, by default it will attempt to decrypt the ticket
using the server's encryption key (aka secret) and not the key for the identity the worker
process is running under.
If a single web server is configured to use Kernel Mode Authentication, Kerberos will
work without any additional configuration or additional SPNs because the server will
automatically register a HOST SPN when it is added to the domain. If multiple web
servers are load balanced, the default Kernel Mode Authentication configuration will
not work, or at least will intermittently fail, because the client has no way of ensuring
the service ticket they received in the TGS request will work with the server
authenticating the request.
To work around this issue you can do the following:
• Turn off Kernel Mode Authentication.
• Configure HTTP.sys to use the IIS application pool's identity when decrypting service
  tickets. See Internet Information Services (IIS) 7.0 Kernel Mode Authentication
  Settings.
You may also need a hotfix when configuring HTTP.sys to use the application pool's
credentials: FIX: You receive a Stop 0x0000007e error message on a blue screen
when the AppPoolCredentials attribute is set to true and you use a domain account
as the application pool identity in IIS 7.0
Kerberos authentication and session-based
authentication
You may notice increased authentication traffic when using Kerberos authentication
with IIS 7.0 and greater. This may be related to Windows authentication settings in IIS,
in particular:

Setting                     Description
authPersistNonNTLM          Optional Boolean attribute.
                            Specifies whether IIS automatically reauthenticates every
                            non-NTLM (for example, Kerberos) request, even those on
                            the same connection. True enables multiple
                            authentications for the same connections.
                            The default is False.
                            Note: A setting of False means that the client will be
                            authenticated only once on the same connection. IIS will
                            cache a token or ticket on the server for a TCP session that
                            stays established.

authPersistSingleRequest    Optional Boolean attribute.
                            Setting this flag to True specifies that authentication
                            persists only for a single request on a connection. IIS
                            resets the authentication at the end of each request and
                            forces reauthentication on the next request of the
                            session.
                            The default value is False.

For instructions on how to configure authentication persistence in IIS 7.0, see You may
experience slow performance when you use Integrated Windows authentication together
with the Kerberos authentication protocol in IIS 7.0 and Implementing Access Control.
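The Windows PowerShell check below is an added example, not part of the original document or of IIS. It reads the Windows authentication attributes discussed in the two sections above (useKernelMode, useAppPoolCredentials, authPersistNonNTLM and authPersistSingleRequest) for one IIS site through the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2, and reports the combinations these sections warn about. The site name and the load-balanced flag are assumptions for the lab.

```powershell
# Added example (not from the original document): read the IIS 7 windowsAuthentication
# attributes for a site and flag the settings the Kernel Mode and session-based
# authentication sections warn about. Requires the WebAdministration module; the site
# name used at the bottom is an assumption.

function Get-WindowsAuthSettings {
    param([Parameter(Mandatory=$true)][string]$SiteName)
    Import-Module WebAdministration
    $filter = '/system.webServer/security/authentication/windowsAuthentication'
    $psPath = "IIS:\Sites\$SiteName"
    $settings = @{}
    foreach ($name in 'enabled', 'useKernelMode', 'useAppPoolCredentials',
                      'authPersistNonNTLM', 'authPersistSingleRequest') {
        $raw = Get-WebConfigurationProperty -Filter $filter -Name $name -PSPath $psPath
        # Depending on the IIS version the cmdlet returns the bool itself or an attribute object with .Value
        $settings[$name] = [bool]$(if ($raw -is [bool]) { $raw } else { $raw.Value })
    }
    $settings
}

function Test-WindowsAuthSettings {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Settings,
        [switch]$LoadBalanced   # set when several web servers answer for one host name
    )
    $findings = @()
    if ($Settings['useKernelMode']) {
        $findings += 'useKernelMode=true: Kernel Mode Authentication is not supported for SharePoint 2010 Products'
        if ($LoadBalanced -and -not $Settings['useAppPoolCredentials']) {
            $findings += 'load-balanced farm with useAppPoolCredentials=false: HTTP.sys decrypts tickets with the machine key, so Kerberos will fail intermittently'
        }
    }
    if ($Settings['authPersistNonNTLM']) {
        $findings += 'authPersistNonNTLM=true: every Kerberos request on a connection is re-authenticated; expect extra authentication traffic'
    }
    if ($Settings['authPersistSingleRequest']) {
        $findings += 'authPersistSingleRequest=true: authentication persists for a single request only'
    }
    $findings
}

# Usage (the site name is an assumption for this lab farm).
$settings = Get-WindowsAuthSettings -SiteName 'SharePoint - portal80'
Test-WindowsAuthSettings -Settings $settings -LoadBalanced
```

With the defaults the sections describe (kernel mode off for SharePoint, both persistence flags False) the function returns nothing; each finding names the attribute to change and the consequence the text attributes to it.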
Kerberos authentication and duplicate/missing SPN issues
When configuring Kerberos authentication, it is easy to accidentally configure duplicate service principal names, especially if you use SetSPN -A or the ADSI Edit (adsiedit.msc) tool to create your SPNs. The general recommendation is to use SetSPN -S to create SPNs, because the -S switch checks for a duplicate SPN before creating the specified SPN.
If you suspect you have duplicate SPNs in your environment, use the SetSPN -X command to query for all duplicate SPNs in your environment (Windows Server 2008 or greater only). If any SPNs are returned, investigate why they were registered and delete any that are duplicates and are not needed. If you have two services running with two different identities and both use the same SPN (the duplicate SPN issue), you need to reconfigure one of those services to either use a different SPN or share a common service identity.

If you suspect an SPN has not been registered, or not registered in the required format, you can use SetSPN -Q <insert SPN> to query for the existence of a particular SPN.
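A scripted version of the two checks just described, added here as an example rather than code from this document: it runs setspn -X once for the domain-wide duplicate scan and setspn -Q for each SPN a farm is expected to have, and reports what is missing or duplicated. The expected SPN list for the hypothetical hosts portal.contoso.com and sql.contoso.com is constructed for illustration, and the exact wording of the setspn output lines it matches on ("Existing SPN found!", "No such SPN found.", "found N group(s) of duplicate SPNs") is an assumption taken from the tool as shipped with Windows Server 2008; confirm it against your version before relying on the parsing.

```powershell
# Added example: audit duplicate and missing SPNs with setspn.exe
# (Windows Server 2008 or later). Host names and SPNs below are constructed.
$ExpectedSpns = @(
    'HTTP/portal.contoso.com',
    'HTTP/portal',
    'MSSQLSvc/sql.contoso.com:1433'
)

function Test-DuplicateSpns {
    # setspn -X walks the forest for SPNs registered on more than one account.
    $output = & setspn.exe -X 2>&1 | Out-String
    # Assumed summary line format: "found 2 groups of duplicate SPNs."
    if ($output -match 'found (\d+) groups? of duplicate SPNs') {
        $count = [int]$Matches[1]
    } else {
        throw "Unexpected setspn -X output:`n$output"
    }
    [pscustomobject]@{ DuplicateGroups = $count; RawOutput = $output }
}

function Test-SpnRegistered {
    param([Parameter(Mandatory)][string]$Spn)
    $output = & setspn.exe -Q $Spn 2>&1 | Out-String
    # Assumed result lines: "Existing SPN found!" or "No such SPN found."
    $found = $output -match 'Existing SPN found'
    # The owning account is printed as a CN=... distinguished name above the SPN list.
    $owner = if ($output -match '(?m)^(CN=.+)$') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{ Spn = $Spn; Registered = [bool]$found; Owner = $owner }
}

function Invoke-SpnAudit {
    param([string[]]$Spns = $ExpectedSpns)
    $dup = Test-DuplicateSpns
    if ($dup.DuplicateGroups -gt 0) {
        Write-Warning "$($dup.DuplicateGroups) duplicate SPN group(s) found; review the accounts listed below."
        Write-Output $dup.RawOutput
    }
    foreach ($spn in $Spns) {
        $result = Test-SpnRegistered -Spn $spn
        if (-not $result.Registered) {
            Write-Warning "Missing SPN: $spn (register it with: setspn -S $spn <service account>)"
        }
        $result
    }
}

Invoke-SpnAudit | Format-Table -AutoSize
```

Both setspn switches are read-only, so the audit can be run from any domain-joined machine; only the suggested setspn -S command in the warning changes Active Directory, and it is left for the administrator to run deliberately against the correct service account.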

Kerberos Max Token Size
In some environments, users may be members of many Active Directory groups, which can increase the size of their Kerberos tickets. If the tickets grow too large, Kerberos authentication can fail. For more information about how to adjust the max token size, see New resolution for problems with Kerberos authentication when users belong to many groups (http://support.microsoft.com/kb/327825).

Note
When adjusting the maximum token size, be aware that if you configure the maximum token size beyond the maximum value for the registry setting, you may see Kerberos authentication errors. We recommend not exceeding 65535 decimal (FFFF hexadecimal) for the maximum token size.
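The registry value the note refers to is MaxTokenSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; that is the documented Windows location and is not stated on this page. The script below is an added example, not the document's own: it reads the current value, estimates the token size a user will need from group counts using the estimate given in the KB article referenced above (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups outside the account domain and SID history entries, and s counts global groups and universal groups inside the account domain), and refuses to write a value above 65535 (0xFFFF). The group counts in the sample are constructed.

```powershell
# Added example: inspect, estimate and safely set Kerberos MaxTokenSize.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$MaxAllowedTokenSize = 65535   # 0xFFFF, the ceiling recommended in the note above

function Get-MaxTokenSize {
    # Returns $null when the value is not set (Windows then uses its built-in default).
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($item) { [int]$item.MaxTokenSize } else { $null }
}

function Get-EstimatedTokenSize {
    # Estimate from the referenced KB article: 1200 + 40d + 8s
    #   d = domain local groups + universal groups outside the account domain + SID history entries
    #   s = global groups + universal groups inside the account domain
    param(
        [int]$DomainLocalGroups,
        [int]$UniversalGroupsOutsideDomain,
        [int]$SidHistoryEntries,
        [int]$GlobalGroups,
        [int]$UniversalGroupsInDomain
    )
    $d = $DomainLocalGroups + $UniversalGroupsOutsideDomain + $SidHistoryEntries
    $s = $GlobalGroups + $UniversalGroupsInDomain
    1200 + 40 * $d + 8 * $s
}

function Set-MaxTokenSize {
    param([Parameter(Mandatory)][int]$Bytes)
    if ($Bytes -le 0 -or $Bytes -gt $MaxAllowedTokenSize) {
        throw "MaxTokenSize must be between 1 and $MaxAllowedTokenSize (0xFFFF); $Bytes refused."
    }
    if (-not (Test-Path $KerberosParams)) { New-Item -Path $KerberosParams -Force | Out-Null }
    Set-ItemProperty -Path $KerberosParams -Name MaxTokenSize -Value $Bytes -Type DWord
    Get-MaxTokenSize
}

# Constructed sample: a user in 300 domain local, 50 foreign universal, 0 SID-history,
# 400 global and 20 in-domain universal groups (estimate: 18560 bytes).
$needed = Get-EstimatedTokenSize -DomainLocalGroups 300 -UniversalGroupsOutsideDomain 50 `
    -SidHistoryEntries 0 -GlobalGroups 400 -UniversalGroupsInDomain 20
$current = Get-MaxTokenSize
"Configured MaxTokenSize: $(if ($current) { $current } else { 'not set (OS default)' })"
"Estimated token size for the sample user: $needed bytes"
if ($current -and $needed -gt $current) {
    Write-Warning "Estimated token ($needed) exceeds configured MaxTokenSize ($current); raise it, but not above $MaxAllowedTokenSize."
}
# To change the value (administrator rights; a restart is needed for it to take effect):
# Set-MaxTokenSize -Bytes 48000
```

The guard in Set-MaxTokenSize is the point of the example: it makes the note's ceiling a hard check rather than something each administrator has to remember, and it has to be applied on every computer that participates in the Kerberos exchange, not only on the SharePoint servers.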

Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
• Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (http://support.microsoft.com/kb/969083)
You may need to install a hotfix for Kerberos authentication on all computers that are running Windows Server 2008 or Windows Vista in your environment. This includes all computers that are running SharePoint Server 2010, SQL Server, or Windows Server 2008 that SharePoint Server attempts to authenticate with by using Kerberos authentication. Follow the instructions in the support page to apply the hotfix if you experience the symptoms documented in the support case.



How to reset the Claims to Windows Token Service account (SharePoint Server 2010)
Published December 2, 2010
Scenario: The Claims to Windows Token Service account is changed unintentionally or otherwise needs to be reset back to the default.
Solution
The Claims to Windows Token Service cannot be reset to the Local System account by using Central Administration. The following Windows PowerShell cmdlets can be used to reset the Claims to Windows Token Service back to Local System.
Launch the SharePoint Management Shell from the computer that is running SharePoint Server.
Run the following cmdlet to view a list of services:
Get-SPServiceInstance

Find and copy the Id of the Claims To Windows Token Service. Right-click in the Windows PowerShell window and choose Mark. This allows you to select and copy the Id with your mouse cursor. After highlighting the Id, press ENTER on your keyboard.
Test your Id by running the following cmdlet:



Get-SPServiceInstance -Identity <Paste the C2WTS Id>

Right-click in the PowerShell window and paste the Id you copied earlier.

Next, set a variable by running this cmdlet:

$claims = Get-SPServiceInstance -Identity <Paste the C2WTS Id>

Run these cmdlets to reset the C2WTS back to Local System:

# IdentityType.LocalSystem is the enumeration value this line sets
$claims.Service.ProcessIdentity.CurrentIdentityType = [Microsoft.SharePoint.Administration.IdentityType]::LocalSystem
$claims.Service.ProcessIdentity.Update()   # persist the change to the configuration database
$claims.Service.ProcessIdentity.Deploy()   # deploy the new identity to the service
$claims.Service.ProcessIdentity            # the output below shows the cmdlets succeeded
CurrentIdentityType : LocalSystem
CurrentSecurityIdentifier : S-1-5-18
ManagedAccount :
ProcessAccount : S-1-5-18
Username : NT AUTHORITY\SYSTEM
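The manual copy-and-paste of the service instance Id can be avoided by selecting the instance by its TypeName. The script below is an added example and not the original article's code: it locates the Claims to Windows Token Service instance on the local server, resets its process identity to Local System using the IdentityType enumeration rather than a bare numeric value, and verifies the result by re-reading the instance. The TypeName string "Claims to Windows Token Service" and the restriction to the local server are assumptions to confirm in your farm.

```powershell
# Added example: reset the Claims to Windows Token Service (C2WTS) to Local System
# without copying the instance Id by hand. Run from the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-C2WTSInstance {
    # Assumed TypeName; run Get-SPServiceInstance to confirm the exact string in your farm.
    $instances = @(Get-SPServiceInstance | Where-Object {
        $_.TypeName -eq 'Claims to Windows Token Service' -and
        $_.Server.Address -eq $env:COMPUTERNAME
    })
    if ($instances.Count -eq 0) { throw "No C2WTS instance found on $env:COMPUTERNAME." }
    if ($instances.Count -gt 1) { throw 'More than one C2WTS instance matched; select by Id instead.' }
    $instances[0]
}

function Reset-C2WTSToLocalSystem {
    param([Parameter(Mandatory)]$Instance)
    $identity = $Instance.Service.ProcessIdentity
    "Before: $($identity.CurrentIdentityType) ($($identity.Username))"
    # Same three steps as the article, with the enumeration value spelled out.
    $identity.CurrentIdentityType = [Microsoft.SharePoint.Administration.IdentityType]::LocalSystem
    $identity.Update()    # persist the change to the configuration database
    $identity.Deploy()    # push the new identity to the service on each server
    # Re-read the instance so the check reflects what is stored, not the local object.
    $identity = (Get-SPServiceInstance -Identity $Instance.Id).Service.ProcessIdentity
    "After: $($identity.CurrentIdentityType) ($($identity.Username))"
    if ($identity.CurrentIdentityType -ne 'LocalSystem') {
        throw "Reset did not take effect; CurrentIdentityType is $($identity.CurrentIdentityType)."
    }
    $identity
}

$c2wts = Get-C2WTSInstance
Reset-C2WTSToLocalSystem -Instance $c2wts |
    Format-List CurrentIdentityType, CurrentSecurityIdentifier, Username
```

The final Format-List should show LocalSystem, S-1-5-18 and NT AUTHORITY\SYSTEM, matching the output shown in the article; the throw on mismatch turns that visual check into a hard failure, which matters when the reset is run as part of a larger remediation script.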