Documente Academic
Documente Profesional
Documente Cultură
Tom Wisnowski
Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, PejJavaheri , Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, PrashShirolkar, Norm Warren, Josh Zimmerman
Summary: This document covers the concepts of identity in SharePoint 2010 products, how Kerberos authentication plays a critical role in authentication and delegation in business intelligence scenarios, and the situations where Kerberos authentication should be leveraged or may be required in solution designs. It also covers how to configure Kerberos authentication end-to-end within your environment, including scenarios which use various service applications in SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration. Category: Guide Applies to: SharePoint 2010 Source: White paper (link to source content) E-book publication date: May 2012 220 pages
Copyright 2012 by Microsoft Corporation All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the authors views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
TableofContents
ConfigureKerberosAuthenticationforSharePoint2010Products..........................1 Configure Kerberos authentication for SharePoint 2010 Products...........................7 Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.....8 Who should read these articles about Kerberos authentication?..........................9 Identity scenarios in SharePoint 2010 Products....................................................11 Claims primer.............................................................................................................. 19 Kerberos protocol primer........................................................................................... 20 Benefits of the Kerberos protocol............................................................................. 20 Kerberos delegation, constrained delegation, and protocol transition ................21 Kerberos authentication changes in Windows 2008R2 and Windows 7............22 Kerberos configuration changes in SharePoint 2010 Products...........................23 Considerations when you are upgrading from Office SharePoint Server 2007 23 Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)................................................................................................................ 24 Environment and farm topology................................................................................ 24 Web Application specification................................................................................... 27 SQL aliasing................................................................................................................ 29 SharePoint Server Services and service accounts...............................................30 C2WTS Service Identity............................................................................................. 31
Tips for working through the scenarios...................................................................31 Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)............................................................................................................................. 33 Configuration checklist............................................................................................... 34 Step-by-step configuration instructions...................................................................35 Kerberos authentication for SQL OLTP (SharePoint Server 2010)........................81 Configuration checklist............................................................................................... 82 Scenario environment details .................................................................................... 83 Step-by-step configuration instructions...................................................................83 Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)............................................................................................................................. 89 Configuration checklist............................................................................................... 89 Step-by-step configuration instructions...................................................................90 Identity delegation for SQL Server Reporting Services (SharePoint Server 2010) .......................................................................................................................................94 Scenario dependencies............................................................................................. 94 Configuration checklist............................................................................................... 95 Scenario environment details .................................................................................... 96 Cross-domain Kerberos delegation......................................................................... 96 Step-by-step configuration instructions...................................................................97 SSL configuration for Reporting Services.............................................................122 Identity delegation for Excel Services (SharePoint Server 2010).........................124 Scenario dependencies........................................................................................... 124
4
Configuration checklist............................................................................................. 124 Step-by-step configuration instructions.................................................................127 Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010) .....................................................................................................................................151 Scenarios requiring Kerberos authentication.......................................................152 Scenario dependencies........................................................................................... 153 Configuration instructions........................................................................................ 154 Identity delegation for Visio Services (SharePoint Server 2010)..........................155 Scenario dependencies........................................................................................... 155 Configuration checklist............................................................................................. 155 Scenario environment details .................................................................................. 157 Step-by-step configuration instructions.................................................................158 Identity delegation for PerformancePoint Services (SharePoint Server 2010) ...183 Scenario dependencies........................................................................................... 183 Configuration checklist............................................................................................. 183 Scenario environment details .................................................................................. 185 Step-by-step Configuration instructions................................................................187 Identity delegation for Business Connectivity Services (SharePoint Server 2010) .....................................................................................................................................213 Scenario dependencies........................................................................................... 213 Configuration checklist............................................................................................. 214 Scenario Environment Details................................................................................ 215
Step-by-step configuration instructions.................................................................216 Kerberos configuration known issues (SharePoint Server 2010).........................238 Kerberos authentication and non-default ports....................................................238 Kerberos authentication and DNS CNAMEs........................................................239 Kerberos authentication and Kernel Mode Authentication.................................240 Kerberos authentication and session-based authentication..............................241 Kerberos authentication and duplicate/missing SPN issues..............................242 Kerberos Max Token Size....................................................................................... 243 Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista ..................................................................................................................................243 How to reset the Claims to Windows Token Service account (SharePoint Server 2010)........................................................................................................................... 245 Solution ....................................................................................................................... 245
Thisdocumentgivesyouinformationthatwillhelpyouunderstandtheconceptsof identityinMicrosoftSharePoint2010Products,howKerberosauthenticationplaysa veryimportantroleinauthenticationanddelegationscenarios,andthesituations whereKerberosauthenticationshouldbeusedormayberequiredinsolutiondesigns. Scenariosincludebusinessintelligenceimplementationswhichsecureaccesstoexternal datasourcessuchasSQLServer. ThedocumentalsoshowshowtoconfigureKerberosauthenticationendtoendwithin yourenvironment,includingscenariosthatusevariousserviceapplicationsinMicrosoft SharePointServer.Additionaltoolsandresourcesaredescribedtohelpyoutestand validateKerberosconfiguration.The"StepbyStepConfiguration"sectionsofthis documentcoverthefollowingscenariosforSharePointServer2010. ThesameinformationaboutConfiguringKerberosauthenticationforSharePoint2010 ProductsisavailableisalsoavailableasasetofarticleshereintheTechNetLibrary.It beginshere:Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.
7
MicrosoftSharePoint2010Productsintroducesignificantimprovementsinhowidentity ismanagedintheplatform.Itisveryimporttounderstandhowthesechangesaffect solutiondesignandplatformconfigurationtoenablescenariosthatrequireuseridentity tobedelegatedtointegratedsystems.TheKerberosversion5protocolplaysakeyrole inenablingdelegationandsometimesmayberequiredinthesescenarios. Thissetofarticlesgivesyouinformationthathelpsyoudothefollowing: UnderstandtheconceptsofidentityinSharePoint2010Products LearnhowKerberosauthenticationplaysaveryimportantroleinauthentication anddelegationscenarios IdentifythesituationswhereKerberosauthenticationshouldbeleveragedormay berequiredinsolutiondesigns ConfigureKerberosauthenticationendtoendwithinyourenvironment,including scenariosthatusevariousserviceapplicationsinSharePointServer TestandvalidatethatKerberosauthenticationisconfiguredcorrectlyandworking asexpected FindadditionaltoolsandresourcestohelpyouconfigureKerberosauthenticationin yourenvironment
ThisgroupofarticlesdiscussesthestepsthatarerequiredtoconfigureKerberos authenticationanddelegationinvariousSharePointsolutionscenarios.
8
Beginning to end
"TellmeeverythingthereistoknowaboutIdentityandKerberosauthenticationin SharePoint2010Products" IfyouareonlystartingoutandlearningaboutSharePoint2010Products,Kerberos authentication,andclaimsauthentication,youwillwanttothereadthefirstsectionof thisdocument.Itcoversthebasicconceptsofidentityanddelegationandoffersprimers aboutClaimsandKerberosauthentication.Besuretofollowthelinkstoexternal articlesandadditionalinformationtobuildasolidfoundationofknowledgebefore continuingontothestepbystepconfigurationarticles.
Step-by-step walkthrough
"IwantdetailedstepbystepinstructionsonhowtoconfigureKerberosdelegationin SharePointServerandapplicableSharePointServerserviceapplications" ThestepbystepconfigurationarticlescoverseveralSharePoint2010Products scenarioswhichcanbeconfiguredtouseKerberosdelegation.Eachscenarioiscovered indetail,includingaconfigurationchecklistandstepbystepinstructionstohelpyou successfullyconfigureKerberosauthenticationinyourenvironment.Thescenarios coveredincludethefollowing: Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP Scenario3:Kerberos Authentication for SQL Analysis Services Scenario4:Identity Delegation for SQL Reporting Services Scenario5:Identity Delegation for Excel Services Scenario6:Identity Delegation for PowerPivot for SharePoint 2010 Scenario7:Identity Delegation for Visio Services Scenario8:Identity Delegation for Performance Point Services Scenario9:Identity Delegation for Business Connectivity Services
Besuretothoroughlyreviewthefirstcoreconfigurationscenario,becauseitisa prerequisiteforallthescenariosthatfollow.
10
11
Incoming Identity
Theincomingauthenticationscenariorepresentsthemeansinwhichaclientpresents itsidentitytotheplatform,orinotherwordsauthenticateswiththewebapplicationor webservice.SharePointServerwillusetheclient'sidentitytoauthorizetheclientto accessSharePointServersecuredresourcessuchaswebpages,documents,andsoon. SharePoint2010Productssupporttwomodesinwhichaclientcanauthenticatewith theplatform:ClassicmodeandClaimsmode.
Classic mode
ClassicmodeallowsthetypicalInternetInformationServices(IIS)authentication methodsthatyoumayalreadybefamiliarwithfrompreviousversionsofSharePoint Server.WhenaSharePointServer2010WebApplicationisconfiguredtouseclassic mode,youhavetheoptionofusingthefollowingIISauthenticationmethods: IntegratedWindowsauthentication IntegratedWindowsauthenticationenablesWindowsclientstoseamlesslyauthenticate withSharePointServerwithouthavingtomanuallyprovidecredentials(user name/password).UsersaccessingSharePointServerfromInternetExplorerwill authenticatebyusingthecredentialsthattheInternetExplorerprocessisrunning underbydefaultthecredentialsthattheuserusedtologontothedesktop.Services orapplicationsthataccessSharePointServerinWindowsintegratedmodeattemptto authenticatebyusingthecredentialsoftherunningthread,which,bydefault,isthe identityoftheprocess.
12
NTLM NTLANManager(NTLM)isthedefaultprotocoltypewhenIntegratedWindows authenticationisselected.Thisprotocoltakesadvantageofathreepartchallenge responsesequencetoauthenticateclients.FormoreinformationaboutNTLM,see Microsoft NTLM(http://go.microsoft.com/fwlink/?LinkId=196643). Pros: Itiseasytoconfigureandtypicallyrequiresnoadditional infrastructure/environmentconfigurationtofunction Itworkswhentheclientisnotpartofthedomain,orisnotinadomaintrustedby thedomainthatSharePointServerresidesin
Kerberosprotocol TheKerberosprotocolisamoresecureprotocolthatsupportsticketingauthentication. AKerberosauthenticationservergrantsaticketinresponsetoaclientcomputer authenticationrequest,iftherequestcontainsvalidusercredentialsandavalidService PrincipalName(SPN).Theclientcomputerthenusesthetickettoaccessnetwork resources.ToenableKerberosauthentication,theclientandservercomputersmust haveatrustedconnectiontothedomainKeyDistributionCenter(KDC).TheKDC distributessharedsecretkeystoenableencryption.Theclientandservercomputers mustalsobeabletoaccessActiveDirectorydirectoryservices.ForActiveDirectory,the forestrootdomainisthecenterofKerberosauthenticationreferrals.Formore informationabouttheKerberosprotocol,seeHow the Kerberos Version 5 Authentication Protocol Works(http://go.microsoft.com/fwlink/?LinkId=196644)and Microsoft Kerberos.(http://go.microsoft.com/fwlink/?LinkId=196645)
13
Othermethods InadditiontoNTLMandKerberosauthentication,SharePointServersupportsother kindsofIISauthenticationsuchasbasic,digest,andcertificatebasedauthentication, whicharenotcoveredinthisdocument.Formoreinformationabouthowthese protocolsfunction,seeAuthentication Methods Supported in IIS 6.0 (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=196646).
Claims-based authentication
SupportforclaimsauthenticationisanewfeatureinSharePoint2010Productsandis builtonWindowsIdentityFoundation(WIF).Inaclaimsmodel,SharePointServer acceptsoneormoreclaimsaboutanauthenticatingclienttoidentifyandauthorizethe client.TheclaimscomeintheformofSAMLtokensandarefactsabouttheclientstated byatrustedauthority.Forexample,aclaimcouldstate,"Bobisamemberofthe EnterpriseAdminsgroupforthedomainContoso.com."Ifthisclaimcamefroma providertrustedbySharePointServer,theplatformcouldusethisinformationto authenticateBobandtoauthorizehimtoaccessSharePointServerresources.Formore informationaboutclaimsauthentication,seeA Guide to Claims-based Identity and Access Control(http://go.microsoft.com/fwlink/?LinkID=187911). ThekindofclaimsthatSharePoint2010Productssupportforincomingauthentication areWindowsClaims,formsbasedauthenticationClaims,andSAMLClaims.
14
WindowsClaims IntheWindowsclaimsmodesignin,SharePointServerauthenticatestheclientusing standardIntegratedWindowsauthentication(NTLM/Kerberos),andthentranslatesthe resultingWindowsIdentityintoaClaimsIdentity. FormsbasedauthenticationClaims InFormsbasedauthenticationclaimsmode,SharePointServerredirectstheclienttoa logonpagethathoststhestandardASP.NETlogoncontrols.Thepageauthenticatesthe clientbyusingASP.NETmembershipandroleproviders,similartohowformsbased authenticationfunctionedinOfficeSharePointServer2007.Aftertheidentityobject thatrepresentstheuseriscreated,SharePointServerthentranslatesthisidentityintoa claimsidentityobject. SAMLClaims InSAMLClaimsmode,SharePointServeracceptsSAMLtokensfromatrustedexternal SecurityTokenProvider(STS).Whentheuserattemptstologon,seecommentis directedtoanexternalclaimsprovider(forexample,WindowsLiveIDclaimsprovider) whichauthenticatestheuserandproducesaSAMLtoken.SharePointServeraccepts andprocessesthistoken,augmentingtheclaimsandcreatingaclaimsidentityobject fortheuser. FormoreinformationaboutclaimsbasedauthenticationinSharePoint2010Products, seeSharePoint Claims-Based Identity.
Note about incoming claims authentication and the Claims to Windows Token Service (C2WTS)
SomeserviceapplicationsrequirethatyouusetheWindowsIdentityFoundation(WIF) ClaimstoWindowsTokenService(C2WTS)totranslateclaimswithinthefarmto Windowscredentialsforoutboundauthentication.Itisimportanttounderstandthat C2WTSonlyfunctionsiftheincomingauthenticationmethodiseitherclassicmodeor Windowsclaims.Ifclaimsisconfigured,theC2WTSrequiresonlyWindowsclaims;the webapplicationcannotusemultipleformsofclaimsonthewebapplication,otherwise theC2WTSwillnotfunction.
integratedproductsregardlessoftheincomingauthenticationmechanismused.This meansthatevenwhereclassicauthenticationisusedtoauthenticatewithaparticular webapplication,SharePointProductsconverttheincomingidentityintoaclaims identitytoauthenticatewithSharePointServiceApplicationsandproductsthatare claimsaware.Bystandardizingontheclaimsmodelforintra/interfarm communications,theplatformcanabstractitselffromtheincomingprotocolsthatare used. Note: SomeproductsintegratedwithSharePointServer,suchasSQLServerReporting Services,arenotclaimsawareanddonottakeadvantageoftheintrafarmclaims authenticationarchitecture.SharePointServermayalsorelyonclassicKerberos delegationandclaimsinotherscenarios,forexamplewhentheRSSviewerwebpartis configuredtoconsumeanauthenticatedfeed.Refertoeachproductorservice application'sdocumentationtodeterminewhetheritcansupportclaimsbased authenticationandidentitydelegation.
Outbound identity
OutboundidentityinSharePoint2010Productsrepresentsthescenarioswhereservices withinthefarmhavetoauthenticatewithexternallineofbusinesssystemsand services.Dependingonthescenario,authenticationcanbeperformedinoneoftwo basicconceptualmodels:
Trusted subsystem
Inthetrustedsubsystem,thefrontendserviceauthenticatesandauthorizestheclient, andthenauthenticateswithadditionalbackendserviceswithoutpassingtheclient identitytothebackendsystem.Thebackendsystemtruststhefrontendservicetodo authenticationandauthorizationonitsbehalf.Themostcommonwaytoimplement thismodelistousesharedserviceaccounttoauthenticatewiththeexternalsystem:
16
InSharePointServer,thismodelcanbeimplementedinvariousways: UsingtheIISapplicationpoolidentityusuallyachievedbyrunningcodeinthe webapplicationthatelevatespermissionswhilemakingacalltoanexternalsystem. OthermethodssuchasusingRevertToSelfcanalsousetheapplicationpool's identitytoauthenticatewithexternalsystems. Usingaserviceaccounttypicallyachievedbystoringapplicationcredentialsinthe SecureStorethenusingthosecredentialstoauthenticatewithanexternalsystem. Othermethodsincludestoringtheserviceaccountcredentialsinotherwayssuchas embeddedconnectionstrings. AnonymousAuthenticationthisiswheretheexternalsystemrequiresno authentication.ThereforethefrontendSharePointServerservicedoesnothaveto passanyidentitytothebackendsystem.
Delegation
IntheDelegationmodel,thefrontendservicefirstauthenticatestheclient,andthen usestheclient'sidentitytoauthenticatewithanotherbackendsystemthatperformsits ownauthenticationandauthorization:
17
boundaryregardlessoftrustrelationship.Kerberosconstraineddelegationcannotcross domainorforestboundariesinanyscenario. SomeSharePointServerservicescanbeconfiguredtousebasicKerberosdelegation, butotherservicesrequirethatyouuseconstraineddelegation.Anyservicethatrelies ontheClaimstoWindowstokenservice(C2WTS)mustuseKerberosconstrained delegationtoallowtheC2WTStouseKerberosprotocoltransitiontotranslateclaims intoWindowscredentials. ThefollowingserviceapplicationsandproductsrequiretheC2WTSandKerberos constraineddelegation: ExcelServices PerformancePointServices VisioServices
Claims primer
ForanintroductiontoClaimsconceptsandClaimsbaseauthentication,seeAn Introduction to Claims(http://go.microsoft.com/fwlink/?LinkId=196648)andSharePoint Claims-Based Identity(http://go.microsoft.com/fwlink/?LinkID=196647).
19
Microsoft Open Specification Support Team Blog: Understanding Microsoft Kerberos PAC Validation).IfPACverificationisdisabledornotneeded,theservicethat authenticatestheclientdoesnothavetomakeanRPCcalltotheDC(see:You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003).
20
Basic delegation
Constrained delegation CantransitionnonKerberos incomingauthenticationprotocol toKerberos(example:NTLMto Kerberos,ClaimstoKerberos) Moresecure.Identitiescanonly bedelegatedtospecifiedservice. Cannotcrossdomain boundaries Requiresadditionalsetup configuration
delegateacrossadomainboundary),allservicesinfrontofthebackendservicemust usebasicdelegation.Ifanyfrontendserviceusesconstraineddelegation,thebackend servicecannotchangetheconstrainedtokenintoanunconstrainedtokentocrossa domainboundary. ProtocoltransitionallowsaKerberosenabledauthenticatingservice(frontendservice) toconvertanonKerberosidentityintoaKerberosidentitythatcanbedelegatedto otherKerberosenabledservices(backendservice).Protocoltransitionrequires Kerberosconstraineddelegationandthereforeprotocoltransitionedidentitiescannot crossdomainboundaries.Dependingontheuserrightsofthefrontendservice,the Kerberosticketreturnedbyprotocoltransitioncanbeanidentificationtokenoran impersonationtoken.Formoreinformationaboutconstraineddelegationandprotocol transition,seethefollowingarticles:
Kerberos Protocol Transition and Constrained Delegation
(http://technet.microsoft.com/enus/library/cc739587(WS.10).aspx)
Protocol Transition with Constrained Delegation Technical Supplement
(http://msdn.microsoft.com/enus/library/ff650469.aspx)
Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop Scenarios(http://support.microsoft.com/kb/2005838)
22
Considerations when you are upgrading from Office SharePoint Server 2007
IfyouareupgradinganOfficeSharePointServer2007farmtoSharePointServer2010, thereareseveralthingsyoushouldconsiderasyoucompletetheupgrade: IfwebapplicationsarechangingURLs,makesurethatyouupdatetheService PrincipleNamestoreflecttheDNSnames. DeletetheSSPserviceprincipalnames,becausetheyarenolongerneededin SharePointServer2010. StarttheClaimstoWindowsTokenServiceontheserversthatarerunningservice applicationsthatrequiredelegation(forexample,ExcelServices,VisioGraphics Service). ConfigureKerberosconstraineddelegationwith"useanyauthenticationprotocol" toallowKerberosconstraineddelegationwiththeC2WTS. EnsureKernelmodeauthenticationisdisabledinIIS.
23
24
Note: Thefarmconfigurationinthedemonstrationsisnotmeanttobeareference architectureoranexampleofhowtodesignatopologyforproductionenvironments. Forexample,thedemotopologyrunsallSharePointServer2010serviceapplicationson asingleserverwhichcreatesasinglepointoffailurefortheseservices.Formore informationonhowtodesignandbuildaproductionSharePointServerenvironment, seeSharePoint Server 2010 Physical and Logical ArchitectureandTopologies for SharePoint Server 2010.
25
Environment specification
AllcomputersinthedemonstrationenvironmentarevirtualizedrunningonWindows Server2008R2HyperV.ThecomputersarejoinedtoasingleWindowsdomain, vmlab.local,runninginWindowsServer2008ForestandDomainfunctionlevels. ClientComputer Windows7Professional,64bit
SharePointServerApplicationServer WindowsServer2008R2Enterprise,64bit MicrosoftSharePointServer2010(RTM) Services: WIFClaimstoWindowsTokenService ManagedMetadataService SharePointIndex SharePointQuery ExcelServices VisioGraphicsService
26
BusinessConnectivityServices PerformancePointServices
28
SSL configuration
SomeofthewalkthroughscenarioswilluseSSLtodemonstratehowtoconfigure delegationwithHTTPS.Itisassumedthatthecertificatesbeingusedcomefroma trustedrootcertificateauthority,eitherinternalorpublic,oryouhaveconfiguredall computerstotrustthecertificatesbeingused.Thedocumentwillnotcoverhowto properlyconfigurecertificatetrustnorwillitprovideguidanceaboutdebuggingissues relatedtoSSLcertificateinstallation.Itishighlyrecommendedtoreviewthesetopics andtestyourSSLconfigurationbeforeconfiguringKerberosconstraineddelegationwith SSLprotectedservices.Formoreinformationsee:
Active Directory Certificate Services Overview (http://go.microsoft.com/fwlink/?LinkId=196660) Active Directory Certificate Services Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=196661)
Configuring Server Certificates in IIS 7 (http://go.microsoft.com/fwlink/?LinkId=196662) How to Set Up SSL on IIS 7: Configuring Security : Installing and Configuring IIS 7 : The Official Microsoft IIS Site(http://go.microsoft.com/fwlink/?LinkID=193447) Add a Binding to a Site (IIS 7)(http://go.microsoft.com/fwlink/?LinkId=196663) Configure a Host Header for a Web Site (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=196664)(HowtouseSSLwithhost headers) Create a Self-Signed Server Certificate in IIS 7
(http://go.microsoft.com/fwlink/?LinkId=196665)
Load balancing
LoadbalancingontheSharePointServerfrontendWebsandSQLServerReporting ServicesserverswasimplementedbyusingWindowsServer2008NetworkLoad Balancing(NLB).HowtoconfigureNLBandNLBbestpracticesarenotcoveredinthis document.FormoreinformationonNLB,refertoOverview of Network Load Balancing.
SQL aliasing
ThefarmwasbuiltusingaSQLclientaliastoconnecttotheSQLcluster.Thisistypically abestpracticeandwasdonetodemonstratehowKerberosauthenticationisconfigured
29
whenSQLaliasingisused.Scenario2assumestheenvironmentisconfiguredinthis manner,butitisnotrequiredtouseSQLaliasestocompleteanyofthescenariosbelow. FormoreinformationonhowtoconfigureSQLaliasesseeHow to: Create a Server Alias for Use by a Client (SQL Server Configuration Manager).
30
Trytopayspecialattentiontoeachstepandavoidskippinganysteps Workthroughscenario1andspendtimeusingthedebuggingtoolsmentionedin thescenarioastheycanbeusedinotherscenariostotriageconfigurationissues. Remembertoworkthroughscenario2.YoullneedacomputerrunningSQLServer thatisconfiguredtoacceptKerberosauthenticationandwillrequirethetest databasethatyousetupinthisscenarioforsomeofthelaterscenarios. AlwaysdoublecheckSPNconfigurationineachscenariobyusingSetSPNXand SetSPNQ.Seetheappendixformoreinformation. AlwaysbesuretochecktheservereventlogsandULSlogswhenattemptingto debugaconfigurationissue.Therearetypicallygoodpointersintheselogswhich canquicklypointouttheissuesyouareencountering. TurnupdiagnosticloggingforSharePointFoundation>ClaimsAuthenticationand anyserviceapplicationsthatyouareattemptingtotriageifissuesoccur. Rememberthateachscenariomaybeaffectedbyserviceapplicationcaching.Ifyou makeconfigurationchangesbutdonotseechangesinplatformbehavior,try restartingtheservicesapplicationpoolorwindowsservice.Ifthishasnoeffect, sometimesasystemrebootwillhelp. RememberthatKerberosticketsarecachedoncerequested.Ifyouareusingatool likeNetMontoviewTGTandTGSrequests,youmayneedtoemptytheticketcache ifyoudontseetherequesttrafficyouexpect.Scenario1,Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)explainshowtodothis withtheKLISTandKerbTrayutilities. RemembertorunNetMonwithAdministrativeprivilegestocaptureKerberos traffic. ForadvanceddebuggingscenariosyoumaywanttoturnonWIFtracingforthe ClaimstoWindowsTokenServiceandWCFtracingfortheSharePointService Applications(WCFservices).See:
WIF Tracing How to: Enable Tracing Configuring Tracing
32
InthefirstscenarioyouwillconfiguretwoSharePointServer2010webapplicationsto usetheKerberosprotocolforauthenticatingincomingclientrequests.For demonstrationpurposes,onewebapplicationwillbeconfiguredtousestandardports (80/443)andtheotherwilluseanondefaultport(5555).Thisscenariowillbethebasis ofallthefollowingscenarioswhichassumetheactivitiesbelowhavebeencompleted. Important: ItisarequirementtoconfigureyourwebapplicationswithclassicWindows authenticationusingKerberosauthenticationtoensurethatthescenariosworkas expected.WindowsClaimsauthenticationcanbeusedinsomescenariosbutmaynot producetheresultsdetailedinthescenariosbelow. Note: IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used(http://support.microsoft.com/kb/969083)
Configuration checklist
AreaofConfiguration Description
DNS ActiveDirectory
SharePointWebApp CreateSharePointServermanagedaccounts CreatetheSharePointSearchServiceApplication CreatetheSharePointwebapplications IIS ValidatethatKerberosauthenticationisEnabled VerifyKernelmodeauthenticationisdisabled InstallcertificatesforSSL Windows7Client EnsurewebapplicationURLsareintheintranetzone,ora zoneconfiguredtoautomaticallyauthenticatewith integratedWindowsauthentication OpenfirewallportstoallowHTTPtrafficinondefaultand
34
Firewall
Configuration
TestBrowser Authentication
TestSharePoint Verifybrowseraccessfromtheindexserver(s) ServerSearchIndex Uploadsamplecontentandperformacrawl andQuery Testsearch TestWFEDelegation ConfigureRSSFeedsourcesoneachsitecollection AddRSSviewwebpartstothehomepageofeachsite collection
http://teams:5555ConfigureanewDNSARecordforthefortheteam'sweb application
36
Note: ItisimportanttoensuretheDNSentriesareARecordsandnotCNAMEaliasesfor Kerberosauthenticationtoworksuccessfullyinenvironmentswithmorethanoneweb applicationrunningwithhostheadersandseparatededicatedserviceaccounts.See Kerberos configuration known issues (SharePoint Server 2010)foranexplanationofthe knownissuewithusingCNAMEwithKerberosenabledwebapplications.
http://portal http://teams:5555
vmlab\svcPortal10App vmlab\svcTeams10App
Example: Note: SeetheappendixforanexplanationofwhyitisrecommendedtoconfigureSPNswith andwithoutportnumberforHTTPservicesrunningonnondefaultports(80,443). TechnicallythecorrectwaytorefertoaHTTPservicethatrunsonanondefaultportis toincludetheportnumberintheSPNbutbecauseofknownissuesdescribedinthe appendixweneedtoconfigureSPNswithoutportaswell.NotethattheSPNswithout portfortheteamswebapplicationdoesnotmeanserviceswillbeaccessedusingthe defaultports(80,443)inourexample. Inourexampleweconfiguredthefollowingserviceprincipalnamesforthetwo accountswecreatedinthepreviousstep: HTTP/teams:5555 HTTP/teams.vmlab.local:5555
38
Portal.vmlab.local
vmlab\svcPortal10App
HTTP/portal HTTP/portal.vmlab.local
Teams.vmlab.local
vmlab\svcTeams10App
Tocreatetheserviceprincipalnamesthefollowingcommandswereexecuted:
SetSPNSHTTP/Portalvmlab\svcportal10App SetSPNSHTTP/Portal.vmlab.localvmlab\svcportal10App SetSPNSHTTP/Teamsvmlab\svcTeams10App SetSPNSHTTP/Teams.vmlab.localvmlab\svcTeams10App SetSPNSHTTP/Teams:5555vmlab\svcTeams10App SetSPNSHTTP/Teams.vmlab.local:5555vmlab\svcTeams10App
39
41
User
svcPortal10App
42
User
svcTeams10App
Note: Itmayseemredundanttoconfiguredelegationfromaservicetoitself,suchasthe portalserviceaccountdelegatingtotheportalserviceapplication,butthisisrequiredin scenarioswhereyouhavemultipleserversrunningtheservice.Thisistoaddressthe scenariowhereoneservermayneedtodelegatetoanotherserverrunningthesame service;forinstanceaWFEprocessingarequestwithaRSSviewerwhichusesthelocal webapplicationasthedatasource.Dependingonfarmtopologyandconfiguration thereisapossibilitythattheRSSrequestmaybeservicedbyadifferentserverwhich wouldrequiredelegationtoworkcorrectly. ToconfiguredelegationyoucanusetheActiveDirectoryUsersandComputersnapin. Rightclickeachserviceaccountandopenthepropertiesdialog.Inthedialogyouwill seeatabfordelegation(notethatthistabonlyappearsiftheobjecthasanSPN assignedtoit;computershaveanSPNbydefault).Onthedelegationtab,selectTrust thisuserfordelegationtospecifiedservicesonly,thenselectUseanyauthentication protocol.
43
44
Youwillthenbepromptedtoselecttheservicesassignedtotheobjectsbyservice principalname.
45
46
Performthesestepsforeachserviceaccountinyourenvironmentthatrequires delegation.Inourexamplethisistheserviceaccountslist
2. UnderGeneralSecurityclickConfiguremanagedaccounts:
3. ClickRegisterManagedAccountandcreateamanagedaccountforeachservice account.Inthisexamplewecreatedfivemanagedserviceaccounts:
Account Purpose
VMLAB\svcSP10Search VMLAB\svcSearchAdmin
SharePointSearchServiceAccount SharePointSearchAdministrationServiceAccount
48
ManagedaccountsinSharePointServer2010arenotthesameasmanaged serviceaccountsinWindowsServer2008R2ActiveDirectory.
Inthisexample,twowebapplicationswerecreatedwiththefollowingsettings:
ClassicMode
Name:SharePointPortal80 Name:SharePointTeams5555 Port:80 HostHeader:Portal Port:80 HostHeader:Teams AuthProvider:Negotiate AllowAnonymous:No UseSecureSocketLayer:No http://Teams:5555
Security Configuration
PublicURL
http://Portal:80
ApplicationPoolName:SharePointPortal80 Name:SharePointTeams5555 SecurityAccount: vmlab\svcPortal10App Whencreatingthenewwebapplicationyouarealsocreateanewzone,thedefault zone,configuredtousetheWindowsauthenticationprovider.Youcanseetheprovider anditssettingsforthezoneinwebapplicationmanagementbyfirstselectingtheweb application,thenclickingAuthenticationProvidersinthetoolbar.Theauthentication providersdialogboxlistsallthezonesfortheselectedwebapplicationalongwiththe authenticationproviderforeachzone.Byselectingthezone,youwillseethe authenticationoptionsforthatzone. SecurityAccount: vmlab\svcTeams10App
50
Theauthenticationprovidersdialogwilllistallthezonesfortheselectedweb applicationalongwiththeauthenticationproviderforeachzone:
Byselectingthezone,youwillseetheauthenticationoptionsforthatzone:
51
http://portal http://teams:5555
/ /
PublishingPortal TeamSite
53
3. IntheSelectAlternateAccessMappingCollectiondropdown,selecttheChange AlternateAccessMappingCollection.
4. Selecttheportalwebapplication.
5. ClickEditPublicUrlsinthetoptoolbar.
6. Inafreezone,addthehttpsURLforthewebapplication.ThisURLwillbethename ontheSSLcertificateyouwillcreateinthenextsteps.
7. ClickSave. YoushouldnowseetheHTTPSURLinthezonelistforthewebapplication.
54
IIS configuration
Install SSL certificates
YouwillneedtoconfigureanSSLcertificateoneachSharePointServerhostingtheweb applicationserviceforeachwebapplicationthatusesSSL.Again,thetopicofhowto configureanSSLcertificateandcertificatetrustisoutofscopeforthisdocument.See theSSLConfigurationsectioninthisdocumentforreferencestomaterialabout configuringSSLcertificatesinIIS.
55
4. SelectWindowsAuthenticationwhichshouldbeenabled.
5. OntherighthandsideunderActions,selectProviders.VerifyNegotiateisatthetop ofthelist.
56
57
Open firewall ports to allow HTTP traffic in on default and non-default ports
TypicallyyouhavetoconfigurethefirewalloneachfrontendWebtoallowincoming requestsoverportsTCP80andTCP443.OpenWindowsFirewallwithAdvanced SecurityandbrowsetothefollowingInboundRules:
WorldWideWebServices(HTTPTrafficIn) WorldWideWebServices(HTTPSTrafficIn)
58
Ensure that clients can connect to Kerberos ports on the Active Directory role
TouseKerberosauthentication,clientswillhavetorequestticketgrantingtickets(TGT) andservicetickets(ST)fromtheKeyDistributionCenter(KDC)overUDPorTCPport88. Bydefault,whenyouinstalltheActiveDirectoryRoleinWindowsServer2008andlater, therolewillconfigurethefollowingincomingrulestoallowthiscommunicationby default:
Inyourenvironmentensuretheserulesareenabledandthatclientscanconnecttothe KDC(domaincontroller)overport88.
2. ThetestuserisusingInternetExplorer7.0orlater(InternetExplorer6.0isno longersupportedinSharePointServer2010;seePlan browser support (SharePoint Server 2010)). 3. IntegratedWindowsauthenticationisenabledinthebrowser.UnderInternet OptionsintheAdvancedtab,makesureEnableIntegratedWindows Authentication*isenabledintheSecuritysection:
60
ScrolldownandmakesureAutomaticlogononlyinIntranetzoneisselected:
61
62
63
64
InthegeneralinformationfortheseeventsyoushouldseethesecurityIDbeinglogged ontothecomputerandtheLogonProcessused,whichshouldbeKerberos.
KList
KListisacommandlineutilityincludedinthedefaultinstallationofWindowsServer 2008andWindowsServer2008R2whichcanbeusedtolistandpurgeKerberostickets
65
onagivencomputer.TorunKLIST,openacommandpromptinWindowsServer2008 andtypeKlist.
Ifyouwanttopurgetheticketcache,runKlistwiththeoptionalpurgeparameter:Klist purge
KerbTray
KerbTrayisafreeutilityincludedwiththeWindowsServer2000ResourceKitToolthat canbeinstalledonyourclientcomputertoviewtheKerberosticketcache.Download andinstallfromWindows 2000 Resource Kit Tool: Kerbtray.exe.Onceyouhaveit installed,performthefollowingactions: 1. NavigatetothewebsitesthatuseKerberosAuthentication. 2. RunKerbTray.exe. 3. ViewtheKerberosTicketcachebyrightclickingonthekerbtrayiconinthesystem trayandselectingListTickets.
66
http://portal
HTTP/Portal.vmlab.local
http://teams:5555 HTTP/Teams.vmlab.local
67
68
Fiddler
FiddlerisafreeHTTPtrafficanalyzerthatcanbedownloadedfromthefollowing location:http://www.fiddlertool.com/.Infiddleryouwillseetheclientandserver negotiateKerberosauthenticationandyouwillbeabletoseetheclientsendthe KerberosServiceTicketstotheserverintheHTTPheadersofeachrequest.Tovalidate thatKerberosauthenticationisworkingcorrectlyusingfiddlerperformthefollowing actions: 1. DownloadandinstallFiddler(www.fiddlertool.com)ontheclientcomputer. 2. Logoutofthedesktopandlogbackintoflushanycachedconnectionstotheweb serverandforcethebrowsertonegotiateKerberosauthenticationandperformthe authenticationhandshake. 3. StartFiddler. 4. OpenInternetExplorerandbrowsetothewebapplication(http://portalinour example). YoushouldseetherequestsandresponsestotheSharePointServerfrontendwebin Fiddler.
ThefirstHTTP401isthebrowserattempttodotheGETrequestwithoutauthentication.
69
Inresponse,theserversendsbackan"HTTP401unauthorized"andinthisresponse indicateswhatauthenticationmethodsitsupports:
Inthenextrequest,theclientresendsthepreviousrequest,butthistimesendsthe serviceticketforthewebapplicationintheheadersoftherequest:
70
IfyouselecttheAuthviewwithintheFiddlerinspectorwindowyouwillalsoseethe KerberosticketintherequestandtheKerberosresponse:
71
Ifauthenticatedsuccessfully,theserverwillsendbacktherequestedresource.
NetMon 3.4
NetMon3.4isafreenetworkpacketanalyzerfromMicrosoftthatcanbedownloaded fromtheMicrosoftDownloadCenter:Microsoft Network Monitor 3.4. InNetMonyouseeallTCPrequestandresponsestotheKDCandtheSharePointServer webservers,givingyouacompleteviewoftrafficthatmakesupacomplete authenticationrequest.TovalidatethatKerberosauthenticationisworkingbyusing netmon,performthefollowingactions:
72
1. DownloadandinstallNetMon3.4(Microsoft Network Monitor 3.4). 2. LogoutoftheclientthenlogbackintoflushtheKerberosticketcache.Optionally youcanuseKerbTraytopurgetheticketcachebyrightclickingonKerbTrayand selectingPurgeTickets. 3. StartNetMoninadministratormode.RightclicktheNetMonshortcut,andselect RunasAdministrator. 4. Startanewcaptureontheinterfacesthatconnecttotheactivedirectorycontroller inyourenvironmentandthewebfrontends. 5. Openinternetexplorerandbrowsetothewebapplication. 6. Afterthewebsiterenders,stopthecaptureandaddadisplayfiltertoshowthe framesforKerberosauthenticationandHTTPtraffic.
7. IntheframeswindowyoushouldseebothHTTPandKerberosV5traffic.
73
74
Notethatthe"Sname"isHTTP/portal.vmlab.localandnotHTTPS/portal.vmlab.local.
Test search
Ifindexingcompletedsuccessfully,youshouldseesearchableitemsinyourindexandno errorsinthecrawllog.
76
Note:IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperforminga crawlontheprofilestorebesuretoconfiguretheappropriatepermissionsontheUPA toallowthecontentaccessaccounttoaccessprofiledata.Ifyouhavenotconfigured theUPApermissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawler couldnotaccesstheprofileservicebecauseitreceivedanHTTP401whentryingto accesstheservice.The401returnedisnotduetoKerberos,butinsteadisduetothe contentaccessaccountnothavingpermissionstoreadprofiledata. Note: IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperformingacrawlon theprofilestore,besuretoconfiguretheappropriatepermissionsontheUPAtoallow thecontentaccessaccounttoaccessprofiledata.IfyouhavenotconfiguredtheUPA permissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawlercouldnot accesstheprofileservicebecauseitreceivedanHTTP401whentryingtoaccessthe service.The401returnedisnotduetoKerberos,butinsteadisduetothecontent accessaccountnothavingpermissionstoreadprofiledata. Next,browsetoeachsitecollectionandperformasearchfortheseeddocument.Each sitecollectionssearchqueryshouldreturntheseeddocumentuploaded.
77
78
Performthisstepforeachsitecollection.
Add RSS view web parts to the home page of each site collection
OntheportalapplicationyoullneedtoenabletheSharePointEnterpriseFeaturessite collectionfeaturetousetheRSSviewerwebpart.OnceenabledaddtwoRSSviewer webpartstothehomepage.Forthefirstwebpart,configurethefeedURLtopointat thelocalRSSfeedyoucreatedinthepreviousstep.Forthesecondwebpart,configure thefeedURLtopointattheremotefeedURL.Whencompleted,youshouldseeboth webpartssuccessfullyrenderingcontentfromthelocalandremoteRSSfeeds.
79
80
81
Configuration checklist
Areaofconfiguration Description
82
LocalSQLClientAlias: SPFarmSQL
vmSQL2k8r202
SharePoint
SQLCluster
ThisscenariodemonstratesaSharePointServerfarmconfiguredtouseaSQLaliasfora connectiontoaSQLServerclusterthatisconfiguredtouseKerberosauthentication.
83
Note: Technically,becauseSQLServerSPNsincludeaninstancename(ifyouareusingthe secondnamedinstanceonthesamecomputer),youcanregistertheDNShostforthe clusterasaCNAMEaliasandavoidtheCNAMEissuedescribedinAppendixA,Kerberos configuration known issues (SharePoint Server 2010).However,ifyouchoosetouse CNAMEs,youhavetoregisteranSPNusingtheDNS(A)recordhostnametheCNAME aliases.
SQL aliases
Asabestpractice,whenbuildingyourfarmyoushouldconsiderusingSQLaliasesfor connectionstoyourSQLServercomputer.IfyouchoosetouseSQLaliases,theKerberos SPNformatforthoseconnectionsdoesnotchange.Youcontinuetousetheregistered DNShostname(Arecord)intheSPNforSQLServer.Forexample,ifyouregisteranalias "SPFARMSQL"for"MySQLCluster.vmlab.local"theSPNwhenyouareconnectingto SPFarmSQLremains"MSSQLSVC/MySQLCluster.vmlab.local:1433".
2. OpenSQLServerManagementStudioandrunthefollowingquery:
Select s.session_id, s.login_name, s.host_name, c.auth_scheme from sys.dm_exec_connections c innerjoin sys.dm_exec_sessions s on c.session_id = s.session_id
4. .IfKerberosauthenticationisconfiguredcorrectly,youseeKerberosinthe auth_schemecolumnofthequeryresults.
86
No No No No
87
88
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
Published:December2,2010
Configuration checklist
Areaofconfiguration Description
Configuration
2010
90
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005
91
Note: TousetheAdventureWorks2008R2sampledatabases,downloadfromMicrosoft SQL Server Community Projects & Samplesandfollowtheinstallationinstructions. 3. Opentheeventvieweronthedatabaseserver(vmsql2k8r201).Youshouldnowbe abletoseeanauditsuccessinthesecuritylogsimilartotheoneyouseeinthe verificationstepsforScenario2,Kerberos authentication for SQL OLTP (SharePoint Server 2010).
92
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
93
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Published:December2,2010
InthisscenarioyouconfigureapairofloadbalancedSQLServerReportingServices (SSRS)serversinascaledoutconfigurationrunninginSharePointintegratedmode.The serversareconfiguredtoacceptKerberosauthenticationandtheydelegate authenticationtoabackendSQLServercluster. Inthisscenario,theSharePointServerfarmandReportingServicesdatasourceareboth inthesamedomain;thereforeinthisscenarioweconfigureKerberosconstrained delegationtoallowidentitydelegationtothebackenddatasource.Ifyouarerequired toauthenticatewithdatasourcesinotherdomainswithinthesameforest,youhaveto configurebasic(unconstrained)Kerberosdelegation.RememberthatReportingServices doesnotleveragetheC2WTSandthereforecanusebasicdelegation. Note: IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used(http://support.microsoft.com/kb/969083)
Scenario dependencies
Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP (Optional)Scenario3:Kerberos Authentication for SQL Analysis Services
94
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Configuration checklist
Areaofconfiguration Description
ActiveDirectory
CreateSSRSserviceaccount ConfigureKerberosconstraineddelegation
SQLServerReporting Services
ConfigureSharePoint Server
Verifyconfiguration
95
Inthisscenario,theInternetInformationServices(IIS)applicationpoolserviceaccounts areconfiguredtodelegatetotheSQLServerReportingServices(SSRS)service.TheSSRS serviceaccountisconfiguredtodelegatecredentialstotheSQLServerservice.Note thatSQLServerReportingServicesinSharePointintegratedmodedoesnotleverage intrafarmClaimsauthenticationandrequiresKerberosauthenticationfordelegated authentication.Formoreinformation,seeClaims Authentication and Reporting Services.
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Service ServiceIdentity
SQLServerReportingServices
vmlab\svcSQLRS
97
FarmReports.vmlab.local vmlab\svcSQLRS
HTTP/FarmReports HTTP/FarmReports.vmlab.local
Inthisexamplethefollowingcommandswereexecuted:
SetSPNSHTTP/FarmReportsvmlab\svcSQLRS SetSPNSHTTP/FarmReports.vmlab.localvmlab\svcSQLRS
Configure delegation
KerberosdelegationmustbeconfiguredforSSRStodelegatetheclient'sidentityto backenddatasource.Inthisexample,SSRSqueriesdatafromaSQLServer transactionaldatabasebyusingtheclient'sidentity,thereforeKerberosdelegationis required.Kerberosconstraineddelegation(KCD)isnotarequirementinthisscenario (becauseprotocoltransitionisnotneeded),butKCDisconfiguredasabestpractice. TheSSRSserviceaccountthatisrunningtheSSRSservicesmustbetrustedtodelegate credentialstoeachbackendservice.Inourexample,thefollowingdelegationpathsare needed:
98
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Principaltype Principalname Delegatestoservice
User
User
Vmlab\svcSQLRS
MSSQLSVC/MySqlCluster.vmlab.local:1433
Optionally,ifyouwishtoreportagainstAnalysisServicesdatasources,configurethe followingdelegationpaths:
User
Vmlab\svcSQLRS
MSOLAPSvc.3/MySqlCluster.vmlab.local
99
100
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
6. SelectUserandComputers.
7. Selecttheserviceaccountthatisrunningtheserviceyouwanttodelegateto.Inthis example,itistheserviceaccountfortheSQLServerReportingService.
101
102
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
103
Verify MSSQLSVC SPN for the service account running the service on SQL Server (performed in Scenario 2)
VerifythattheSPNfortheAnalysisServicesserviceaccount(vmlab\svcSQL)existsby usingthefollowingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster MSSQLSVC/MySqlCluster.vmlab.local:1433
Verify MSOLAPSvc.3 SPN for the Service Account running the SSAS service on the SQL Server Analysis Services server (performed in Scenario 3)
VerifythattheSPNfortheSQLServerserviceaccount(vmlab\svcSQLAS)existsbyusing thefollowingSetSPNcommand:
SetSPNLvmlab\svcSQLAS
Youshouldseethefollowing:
MSOLAPSvc.3/MySqlCluster MSOLAPSvc.3/MySqlCluster.vmlab.local
104
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
105
Modify ReportingServer.config
ThefollowingchangeshavetobemadetotheReportingServer.configfilesoneachSSRS server.TheReportingServer.configfilecanbefoundintheprogramfilesdirectory whereSSRSisinstalled: EnableKerberosauthentication ToenableKerberosauthentication,settheauthenticationtypeto "RSWindowsNegotiate".Changethe<AuthenticationTypes/> elementandadd<RSWindowsNegotiate/>
<AuthenticationTypes><RSWindowsNegotiate/></AuthenticationTypes>
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
BackConnectionHostNames,seeYou receive an error message when you use SQL Server 2008 Reporting Services. Inourexample,weconfigurethefollowingvaluesforBackConnectionHostNames: FarmReports FarmReports.vmlab.local
OncetheBackConnectionHostNamesvaluesareset,reboottheSSRSserver.
107
Grant the Reporting Services service account permissions on the web application content database
ArequiredstepinconfiguringSQLServerReportingServicesinSharePointintegrated modeisallowingtheReportingServicesserviceaccountaccesstothecontentdatabases forwebapplicationshostingreports.Inthisexample,wegranttheReportingServices accountaccesstothe"portal"webapplication'scontentdatabasethroughWindows PowerShell. RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal $w.GrantAccessToProcessIdentity("vmlab\svcSQLRS")
108
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
109
Verify configuration
Create a document library for reports
CreateadocumentlibrarytohostSSRSreportsinyourSharePointsite.Inthisexample, weassumetheexistenceofadocumentlibrarycalled"reports"athttp://portal/reports.
110
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
IfyoudonotseetheReportingServicesfeatureinthesitecollectionsfeatureslist,you mayneedtoactivateitfromCentralAdministration.Formoreinformation,seeHow to: Activate the Report Server Feature in SharePoint Central Administration (http://go.microsoft.com/fwlink/?LinkId=196878). ClicktheReportingServicessitesettingslinktoensurethesettingsareaccessible.
111
Note: NochangestoReportingServicesSiteSettingsarerequiredforthisdemonstration.
Create and publish a test report in SQL Server Business Intelligence Development Studio
AfteryouconfigureSSRSandtheintegrationwithSharePointServer,youcreateatest reporttoensureidentitydelegationisworkingcorrectly. 1. OpenSQLServerBusinessIntelligenceDevelopmentStudio.ClickFile,pointtoNew, andthenclickProject.
2. SelectReportServerProjectWizardandenteraprojectname.
112
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
3. Nextconfigureanewdatasource.ChoosethetypeMicrosoftSQLServerandclick theEditbutton.
113
4. InConnectionPropertiesentertheinformationtoconnecttothedemoSQLServer clustercreatedinscenario2.
114
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
5. Openquerydesigner,rightclickthequerywindowandselectAddtable.
115
6. ChoosetheSalestable(createdinscenario2)andselectAllColumns.
116
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
7. Selectatabularreporttype.
117
8. 9. Inourexamplewegroupbyregion;youcanskipthisstepifyouwantto. Oncetheprojectiscreated,opentheprojectpropertiesontheProjectmenu.
118
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
119
120
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Clickthereportanditwillrenderinthebrowser.
121
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Scenario dependencies
Tocompletethisscenarioyouneedtohavecompletedthefollowingarticles: Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP
Configuration checklist
AreaofConfiguration Description
ActiveDirectory Configuration
CreateExcelServicesserviceaccount ConfigureSPNonExcelServicesserviceaccount
124
ConfigureKerberosconstraineddelegationforserversrunning ExcelServices ConfigureKerberosconstraineddelegationfortheExcelServices serviceaccount SharePointServer configuration StartClaimstoWindowsTokenServiceonExcelServicesServers StarttheExcelServicesserviceinstanceontheExcelServices server CreatetheExcelServicesserviceapplicationandproxy ConfigureExcelservicestrustedfilelocationandauthentication settings VerifyExcelService Constrained Delegation Createdocumentlibrarytohosttestworkbook CreatetestSQLdatabaseandtesttable CreatetestExcelworkbookwithSQLdataconnection PublishworkbooktoSharePointServerandrefreshdata connection
125
InthisscenariowewillconfiguretheSharePointServerExcelServicesserviceaccount forKerberosconstraineddelegationtotheSQLServerservice.
126
127
ExcelServices
vmlab\svcExcel
128
129
130
6. SelectUserandComputers.
7. Selecttheserviceaccountrunningtheserviceyouwishtodelegateto.Inthis exampleitistheserviceaccountfortheSQLservice.
131
132
11. Repeatthesestepsforeachdelegationpathdefinedinthebeginningofthissection.
Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe followingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster MSSQLSVC/MySqlCluster.vmlab.local:1433
133
134
4. Next,configuretherequiredlocalserverpermissionsthattheC2WTSrequires.You willneedtoconfigurethesepermissionsoneachservertheC2WTSrunson.Inour examplethisisVMSP10APP01.LogontotheserverandgivetheC2WTSthe followingpermissions: a) AddtheserviceaccounttothelocalAdministratorsGroups. b) Inlocalsecuritypolicy(secpol.msc)underuserrightsassignmentgivethe serviceaccountthefollowingpermissions: i. ii. iii. Actaspartoftheoperatingsystem Impersonateaclientafterauthentication Logonasaservice
135
7. Underservices,selectManageservicesonserver.
8.
Intheserverselectionboxintheupperrighthandcornerselecttheserver(s) runningexcelservices.InthisexampleitisVMSP10APP01:
136
3. FindtheClaimstoWindowsTokenServiceintheservicesconsole. 4. Openthepropertiesfortheservice.
5. ChecktheDependenciestab.MakesureCryptographicServicesislisted.
6. ClickOK.
138
Grant the Excel Services service account permissions on the web application content database
ArequiredstepinconfiguringSharePointServer2010OfficeWebApplicationsis allowingthewebapplicationsserviceaccountaccesstothecontentdatabasesfora givenwebapplication.Inthisexample,wewillgranttheExcelServicesserviceaccount accesstotheportalwebapplicationscontentdatabasebyusingWindows PowerShell. RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal $w.GrantAccessToProcessIdentity("vmlab\svcExcel")
Start the Excel Services service instance on the Excel Services server
BeforecreatinganExcelServicesserviceapplication,starttheexcelservicesserve serviceonthedesignatedFarmservers. 1. OpenCentralAdministration. 2. Underservices,selectManageservicesonserver.
3. SelectNew,andthenclickExcelServicesApplication.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount (createanewmanagedaccountiftheexcelserviceaccountisnotinthelist).
140
141
3. ClickthelinkforthenewServiceApplication,ExcelServicesinthisexample.
4. IntheExcelServicesmanagementpage,click"TrustedFileLocations".
5. Addanewtrustedfilelocation.
142
6. Specifythelocationtoyourtestlibrary.
143
3. ConnecttothetestSQLdatasource.
145
4. Selectthetestdatabaseandthetesttable(Salesinourexample).
5. ClickNext.Clicktheauthenticationsettingsbutton.EnsureWindowsAuthentication isspecified.
146
6. ClickFinish. 7. SelectPivotTableReport.
8. Configurethepivottable.EnsuredataisreturnedfromtheSQLsource.
147
148
3. Enterthelocationtothetrustedlibrarycreatedinprevioussteps.
149
IfthedataconnectionrefreshesyouhavesuccessfullyconfiguredKerberosdelegation forexcelservices.Tofurthertestconnectivity,changethesourcedataviaSQL ManagementStudiothenrefreshtheconnection.Youshouldseethenewlychanged datainyourworkbook.Ifyoudonotseeanychanges,andyoudonotreceiveanyerrors onrefreshyouaremostlikelyseeingcacheddata.Bydefault,ExcelServiceswillcache datafromexternalsourcesforfiveminutes.Youcanchangethiscachesetting;see Configure Excel services trusted file location and authentication settingsinthisarticlefor moreinformation.
150
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Published:December2,2010
ThefarmtopologydescribedinEnvironment and farm topologydoesnotrequire KerberosauthenticationforPowerPivotforMicrosoftSharePoint2010towork.The PowerPivotSystemServiceisclaimsaware,andusestheClaimsToWindowsToken Service(C2WTS)torecreatetheclientsWindowsidentityusingtheclientsclaimstoken inordertoconnectwiththeAnalysisServiceVertipaqenginethatrunsonthe applicationserver. WhenaPowerPivotworkbookisuploadedinSharePointServer,italreadycontainsthe PowerPivotdatathattheworkbookuses.WhentheuseropensthePowerPivot workbookinExcelWebAccessandinteractswiththeslicers,thePowerPivotSystem ServiceloadsthedataintheworkbookdirectlyintoitsAnalysisServicesengine.No accessismadetothedataconnectionembeddedintheworkbook.
152
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Whiletheyareoutsidethescopeofthescenariosdefinedinthispaper,themajorsteps toconfigureidentitydelegationforPowerPivotareasfollows: 1. ChangetheserviceaccountoftheC2WTSWindowsservicetoadomainaccount (e.g.VMLAB\svcC2WTS).ConfiguringtheC2WTSisalargetopicandiscoveredin detailintheotherscenariosinthisdocument: ConfigureandStarttheClaimstoWindowsTokenServiceonExcelServices Servers ConfigureandStarttheClaimstoWindowsTokenServiceonVisioGraphics Servers ConfigureandStarttheClaimstoWindowsTokenServiceonPerformancePoint ServicesServers
2. ConfiguredelegationfromtheVMLAB\svcSQLaccounttotheSPNforthelinkedSQL ServerinstanceConfigurationChecklist.
Areaofconfiguration Description
PowerPivotinstallation
InstallSQLServerPowerPivotforSharePointonthe applicationserver
Scenario dependencies
Strictlyspeaking,thefollowingKerberosauthenticationscenariosarenotrequiredby PowerPivotforSharePoint.HoweveritexpeditesyourPowerPivotforSharePoint
153
installationprocessifyousuccessfullycompletedthem,asthecomponentsthemselves areprerequisitesforPowerPivotforSharePoint. Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP (Optional)Scenario3:Kerberos Authentication for SQL Analysis Services Scenario5:Identity Delegation for Excel Services
Configuration instructions
InstallPowerPivotforSharePointontheapplicationserver(vmsp10app01).Fordetailed instructions,seeHow to: Install PowerPivot for SharePoint in a Three-tier SharePoint FarmintheMSDNLibraryonline.Ifyouhavealreadyperformedthedependent scenariosinthispaper,youcanskipthesectionsintheMSDNarticlethathavealready beencoveredbythescenariodependencies. Important: TheapplicationpoolfortheSQLServerPowerPivotServiceApplicationmustberun usingthedomainaccountoftheSharePointServerfarmadministrator.Innootheruser contextcanthePowerPivotSystemServiceretrievetheunattendedaccountcredentials fromtheSecureStoreService.
154
Scenariodependencies
Tocompletethisscenarioyouwillneedtohavecompleted: Scenario1:Core Configuration Scenario2:Kerberos authentication for SQL OLTP
Configurationchecklist
AreaofConfiguration Description
ActiveDirectory Configuration
CreateVisioServicesserviceaccount ConfigureSPNonVisioServicesserviceaccount
155
ConfigureKerberosconstraineddelegationforservers runningVisioServices ConfigureKerberosconstraineddelegationfortheVisio Servicesserviceaccount SharePointServer configuration StartClaimstoWindowsTokenServiceonVisioServices Servers GranttheVisioServicesserviceaccountpermissionsonthe webapplicationcontentdatabase StarttheVisioServicesserviceinstanceontheVisioServices server CreatetheVisioServicesserviceapplicationandproxy VerifyVisioServices ConfiguretheVisioservicescachesettings ConstrainedDelegation CreatedocumentlibrarytohosttestVisioDiagram CreateatestVisiowebdrawingwithSQLServerdata connectedshapes PublishtheVisiodrawingtoSharePointServerandrefresh dataconnection
156
Visio c2WTS
ofWindowsIdentityFoundation(WIF).TheVisioserviceapplicationwillthenusethe clientsKerberostickettoauthenticatewiththebackenddatasource.
SharePointServerservice IISAppPoolIdentity
VisioServices
vmlab\svcVisio
158
Vmlab\svcVisio Vmlab\svcC2WTS
MSSQLSVC/MySqlCluster.vmlab.local:1433 MSSQLSVC/MySqlCluster.vmlab.local:1433
Vmlab\vmsp10app01 MSSQLSVC/MySqlCluster.vmlab.local:1433
2. NavigatetotheDelegationtab.
160
6. SelectUserandComputers.
162
Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe followingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster MSSQLSVC/MySqlCluster.vmlab.local:1433
163
4. ConfiguretherequiredlocalserverpermissionsthattheC2WTSrequires.Youwill needtoconfigurethesepermissionsoneachservertheC2WTSrunson.Inour example,thisisVMSP10APP01.LogontotheserverandgivetheC2WTSthe followingpermissions: a) AddtheserviceaccounttothelocalAdministratorsGroups. b) Inlocalsecuritypolicy(secpol.msc)underuserrightsassignmentgivethe serviceaccountthefollowingpermissions: i. ii. iii. Actaspartoftheoperatingsystem Impersonateaclientafterauthentication Logonasaservice
165
7. Underservices,selectManageservicesonserver.
8. Intheserverselectionboxintheupperrightcorner,selecttheserver(s)thatisor arerunningtheVisioGraphicsService.InthisexampleitisVMSP10APP01.
166
167
3. FindtheClaimstoWindowsTokenServiceintheservicesconsole.
4. Openthepropertiesfortheservice. 5. ChecktheDependenciestab.MakesureCryptographicServicesislisted:
6. ClickOK.
168
Grant the Visio Services service account permissions on the web application content database
ArequiredstepinconfiguringSharePointServer2010OfficeWebApplicationsis allowingthewebapplicationsserviceaccountaccesstothecontentdatabasesfora givenwebapplication.Inthisexample,wewillgranttheVisioGraphicsServiceaccount accesstotheportalwebapplicationscontentdatabasebyusingWindowsPowerShell. RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal $w.GrantAccessToProcessIdentity("vmlab\svcVisio")
3. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s) runningexcelservices.InthisexampleitisVMSP10APP01.
4. StarttheVisioGraphicsService.
1. OpenCentralAdministration. 2. SelectManageServiceApplicationsunderApplicationManagement.
3. SelectNew,andthenselectVisioGraphicsService.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount (createanewmanagedaccountiftheVisioserviceaccountisnotinthelist).
170
171
3. SelecttheVisioGraphicsServiceapplicationcreatedinthepreviousstep.
4. SelectGlobalSettings.
5. IntheMinimumCacheAgesetting,setthecacheto0(nocache).
172
Create a test Visio web drawing with SQL Server data-connected shapes
1. StartVisio2010. 2. CreateanewBasicDiagramintheGeneralsectionunderHome.
3. OntheDataRibbonTab,selectLinkDatatoShapes.
173
4. Inthedataselectordialogbox,selectMicrosoftSQLServerdatabase.
5. SpecifytheSQLServerclustercreatedinScenario2andselectWindows Authentication.
174
6. SelecttheTestdatabaseandtheSalesTable.
175
7. Specifyafriendlynamefortheconnectionandsavetheconnectiontothe documentlibrarycreatedinthepreviousstep.
176
8. IntheDataSelectordialog,selectthenewlycreatedconnectionandpressFinish.
177
Youshouldnowseetheexternaldatawindowatthebottomofthedrawingwindow withthesampledatathatwascreatedearlier.
178
Publish the Visio drawing to SharePoint Server and refresh the data connection
1. PublishthedrawingtothetestSharePointdocumentlibrary.OntheFiletabclick SaveandSend,SavetoSharePoint,Browseforalocation,andthenWebDrawing.
2. Browsetothetestdocumentlibrary,specifyanameforthetestdrawing,andthen clickSave.
179
Thedrawingopensinthebrowser. 3. Intherefreshdisablednotification,selectEnable(always).
180
181
182
Scenario dependencies
Tocompletethisscenarioyouwillneedtohavecompleted: Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP(optional) Scenario3:Kerberos Authentication for SQL Server Analysis Services
Configuration checklist
Areaofconfiguration Description
183
ActiveDirectory configuration
CreatePerformancePointServicesserviceaccount CreateanSPNfortheserviceaccountrunningthe PerformancePointServiceontheApplicationServer VerifyAnalysisServicesSPNonSQLServerAnalysisServices serviceaccount,vmlab\svcSQLAS(performedinScenario3) and (Optional)verifytheSQLServerdatabaseengineserviceaccount, vmlab\svcSQL(performedinScenario2). ConfigureKerberosconstraineddelegationforClaimsto WindowsServicesserviceaccounttoAnalysisServices ConfigureKerberosconstraineddelegationforthe PerformancePoint ServicesserviceaccounttoAnalysisServices
SharePointServer configuration
StartClaimstoWindowsTokenServiceonPerformancePoint ServicesServers StartthePerformancePointServicesserviceinstanceonthe PerformancePointServicesserver CreatethePerformancePointServicesserviceapplicationand proxy ChecktheidentityonPerformancePointapplication GrantthePerformancePointServicesserviceaccount permissionsonthewebapplicationcontentdatabase ConfigurePerformancePointservicestrustedfilelocationand authenticationsettings
Createdocumentlibrarytohostatestdashboard CreateadatasourcethatreferenceanexistingSQLServer
184
delegation
InthisscenariowewillconfigurethePerformancePointServicesserviceaccountfor KerberosconstraineddelegationtotheSQLServerservice.
185
186
PerformancePointServices
vmlab\svcPPS
*NOTE:Youcanoptionallyreuseasingledomainaccountformultipleservices.This configurationisnotcoveredinthefollowingsections.
Create an SPN for the Service Account that is running the PerformancePoint service on the Application Server
TheActiveDirectoryUsersandComputersMMCsnapinistypicallyusedtoconfigure Kerberosdelegation.Toconfigurethedelegationsettingswithinthesnapin,theActive Directoryobjectbeingconfiguredmusthaveaserviceprincipalnameapplied;otherwise thedelegationtabfortheobjectwillnotbevisibleintheobjectspropertiesdialog. AlthoughPerformancePointServicesdoesnotrequireaSPNtofunction,wewill configureoneforthispurpose.NotethatiftheserviceaccountalreadyhasanSPN applied(inthecaseofsharingaccountsacrossservices)thisstepisnotrequired. Onthecommandline,runthefollowingcommand:
187
Verify Analysis Services SPN on SQL Server Analysis Services service account, vmlab\svcSQLAS(performed in Scenario 3) AND (Optional) Verify the SQL Server database engine service account, vmlab\svcSQL(performed in Scenario 2)
VerifythattheSPNfortheSQLAnalysisServicesaccount(vmlab\svcSQLAS)existswith thefollowingSetSPNcommand:
SetSPNLvmlab\svcSQLAS
Youshouldseethefollowing:
MSOLAPSvc.3/MySqlCluster
VerifytheSPNfortheSQLServerserviceaccount(vmlab\svcSQL)existswiththe followingSetSPNcommand:
SetSPNLvmlab\svcSQL
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster
188
Configure Kerberos constrained delegation from the PerformancePoint Services Service account to the SSAS Service and optionally for SQL Server service
ToallowPerformancePointservicestodelegatetheclient'sidentity,Kerberos constraineddelegationmustbeconfigured.Youmustalsoconfigureconstrained delegationwithprotocoltransitionfortheconversionofclaimstokentoWindowstoken viatheWIFC2WTS. EachserverrunningPerformancePointservicesmustbetrustedtodelegatecredentials toeachbackendservicewithwhichPerformancePointwillauthenticate.Inaddition, thePerformancePointservicesserviceaccountmustalsobeconfiguredtoallow delegationtothesamebackendservices.NoticealsothatHTTP/Portaland HTTP/Portal.vmlab.localareconfiguredtodelegateinordertoincludeaSharePointlist asanoptionaldatasourceforyourPerformancePointdashboard. Inourexamplethefollowingdelegationpathsaredefined:
PrincipalType PrincipalName
User User
Vmlab\svcC2WTS Vmlab\svcPPS
189
190
191
192
11. Repeatthesestepsforeachdelegationpathdefinedinthebeginningofthissection.
EachPerformancePointServicesApplicationservermustruntheC2WTSlocally.The C2WTSdoesnotopenanyportsandcannotbeaccessedbyaremotecaller.Further,the C2WTSserviceconfigurationfilemustbeconfiguredtospecificallytrustthelocalcalling clientidentity. AsarecommendedpracticeyoushouldruntheC2WTSusingadedicatedservice accountandnotasLocalSystem(thedefaultconfiguration).TheC2WTSserviceaccount requiresspeciallocalpermissionsoneachserverthattheservicerunson.Besureto configurethesepermissionswhenyouchoosetoruntheC2WTSwithadomainaccount. ToensuretheC2WTSaccountpicksuptheneededprivileges,reboottheserverafteryou haveconfiguredtheC2WTS. *NOTE:IfyouchoosetoconfiguretheC2WTSaslocalsystemyoudonotneedto configureanyadditionallocalprivileges. TostarttheC2WTS 1. CreateaserviceaccountinActiveDirectorytoruntheserviceunder.Inthisexample wecreatedvmlab\svcC2WTS. 2. AddanarbitraryServicePrincipalName(SPN)totheserviceaccounttoexposethe delegationoptionsforthisaccountinActiveDirectoryUsersandComputers.The SPNcanbeanyformatbecausewedonotauthenticatetotheC2WTSusing Kerberosauthentication.ItisrecommendedtonotuseanHTTPSPNtoavoid potentiallycreatingduplicateSPNsinyourenvironment.Inourexamplewe registeredSP/C2WTStothevmlab\svcC2WTSusingthefollowingcommand:
SetSPNSSP/C2WTSvmlab\svcC2WTS
194
195
7. Underservices,selectManageservicesonserver.
197
3. FindtheClaimstoWindowsTokenServiceintheservicesconsole.
4. Openthepropertiesfortheservice. 5. ChecktheDependenciestab.MakesureCryptographicServicesislisted:
6. ClickOK.
198
7. Reboottheserver.MakesurethattheC2WTShasstartedoncethecomputer reboots.
Start the PerformancePoint Services service instance on the PerformancePoint Services server
BeforecreatingaPerformancePointServicesserviceapplication,startthe PerformancePointservicesserveserviceonthedesignatedFarmservers.Tolearnmore aboutPerformancePointServicesconfiguration,seePerformancePoint Services administrationonMicrosoftTechNet. 1. OpenCentralAdministration. 2. Underservices,selectManageservicesonserver. 3. Intheserverselectionboxintheupperrighthandcornerselecttheserver(s) runningPerformancePointservices.InthisexampleitisVMSP10APP01:
4. StartthePerformancePointServicesservice.
199
3. SelectNew,andthenclickPerformancePointServicesApplication.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount orcreateanewmanagedaccountifyoudidnotperformthissteppreviously.
200
Grant the PerformancePoint Services service account permissions on the web application content database
ArequiredstepinconfiguringSharePointServer2010OfficeWebApplicationsis allowingthewebapplicationsserviceaccountaccesstothecontentdatabasesfora givenwebapplication.Inthisexample,wewillgrantthePerformancePointServices accountaccesstothe"portal"webapplicationscontentdatabasebyusingWindows PowerShell. RunthefollowingcommandfromtheSharePoint2010ManagementShell:
$w=GetSPWebApplicationIdentityhttp://portal $w.GrantAccessToProcessIdentity("vmlab\svcPPS")
202
3. ClickthelinkforthenewServiceApplication,PerformancePointServicesandclick theManagebuttonintheribbon.
4. InthePerformancePointservicesmanagementscreen,clickTrustedDataSource Locations.
203
7. SelecttheOnlyspecificlocationsoptionandclickAddTrustedDataSource Location.
204
8. TypetheURLofthelocation,selecttheSite(andsubtree)option,andthenclickOK.
205
2. SelectAnalysisServices.
206
3. Specifytheserver,database,andcubeandselectPeruserIdentity.
207
4. ClickTestDataSourcetotesttheconnection.
208
5. Createareportanddashboard.
6. Makesureyouhaveadataconnectionbydraggingmeasuresanddimensionsfrom thedetailspainintothereportdesigner.
209
7. Yourreportcanbeincludedinthedashboard.
SelectReportsandthendragMyReportontotheDashboardContentpage.
210
2. ClickDeployinthefileselection.
211
212
InthisscenarioyouconfiguretheBusinessDataConnectivityserviceapplicationtouse KerberosconstraineddelegationtoauthenticatewithSQLServer.Onceitisconfigured, youcreateanewexternalcontenttypeandexternallisttotestauthenticationandread operationswithinaSharePointsite. Inthisscenario,theSharePointServerFarmandBCSdatasourcearebothinthesame domain.Therefore,weconfigureKerberosconstraineddelegationtoallowidentity delegationtothebackenddatasource.Ifyouarerequiredtoauthenticatewithdata sourcesinotherdomainswithinthesameforest,youhavetoconfigurebasic (unconstrained)Kerberosdelegation.RememberthatBCSdoesnotleveragetheC2WTS; thereforeyoucanusebasicdelegation. Note: IfyouareinstallingonWindowsServer2008,youmayhavetoinstallthefollowing hotfixforKerberosauthentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used(http://support.microsoft.com/kb/969083)
Scenario dependencies
Tocompletethisscenarioyouhavetohavecompletedthefollowing: Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP
213
Configuration checklist
Areaofconfiguration Description
ActiveDirectoryconfiguration
SharePointServerconfiguration
StarttheBCSServiceInstance CreatetheBCSServiceApplication
Verification
214
vmSQL2k8r202 vmSP10WFE02
215
SharePointServerservice IISAppPoolIdentity
BusinessConnectivityService vmlab\svcBDC
Configure delegation
ToallowBCStodelegatetheclientsidentityKerberosdelegationmustbeconfigured. AlthoughconstraineddelegationistechnicallynotrequiredlikeExcelServices, unconstraineddelegationcanbeusedforBCS,itisabestpracticetolimitthescopeof delegationtheserviceisallowedtoperformthereforeconstraineddelegationwillbe configuredinthisexample. EachIISapplicationpoolserviceaccounthostingthesiterunningtheECTmustbe configuredtoallowdelegationtothebackendservices. Inourexamplethefollowingdelegationpathsareneeded:
216
User User
svcPortal10App svcTeams10App
MSSQLSVC/MySqlCluster.vmlab.local:1433 MSSQLSVC/MySqlCluster.vmlab.local:1433
217
5. SelectUserandComputers.
218
219
10. Repeatthesestepsforeachdelegationpathidentifiedearlierinthissection.
Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
VerifytheSPNforAnalysisServicesserviceaccount(vmlab\svcSQL)existswiththe followingSetSPNcommand:
220
Youshouldseethefollowing:
MSSQLSVC/MySqlCluster MSSQLSVC/MySqlCluster.vmlab.local:1433
3. IntheServerSelectionboxintheupperrightcorner,selecttheserver(s)running ExcelServices.Inthisexample,itisVMSP10APP01.
4. StarttheBusinessDataConnectivityServiceservice.
221
3. SelectNewthenBusinessDataConnectivityService.
4. Configurethenewserviceapplication.Besuretoselectthecorrectserviceaccount (createanewmanagedaccountiftheBDCserviceaccountisnotinthelist).
222
Verification
Create a BCS external content type
ToaccessexternaldatathroughBDCaBDCeternalcontenttypemustbecreated.Inthis examplewewilluseSharePointDesigner2010tocreatetheexternalcontenttypeinthe Portalwebapplication(http://portal): 1. OpenSharePointDesigner2010. 2. Openthetestsitecollectionathttp://portal.
223
224
5. GivetheExternalContentTypeadisplayname.
225
6. ThenselectClickheretodiscoverexternaldatasourcesanddefineoperations. 7. ClickAddConnection.
226
227
9. Expandthenewconnection.Rightclickthetesttable(Sales)andselectCreateAll Operations.
228
229
3. ClickthelinkforthenewServiceApplication,BusinessDataServicesinthis example.
4. SelectSetMetadataStorePermissions.
230
5. Inourexample,weconfiguredEnterpriseAdminswithallpermissionsandAll AuthenticatedUserswithallpermissionsexcepttheSetPermissionspermission.
6. EnsurethePropagatepermissionscheckboxisselectedandclickOKtosaveyour changes.
231
3. SelectExternalContentTypesontheleftside.
232
233
234
235
InternetExplorerwillopenanddisplaytheselectedsiteandexternallist.
236
237
(http://support.microsoft.com/kb/908209/enus)
Configure Kerberos authentication (Office SharePoint Server 2007)
http/intranet.contoso.com:12345
Werecommendthatyouregisterthenondefaultporttoensurethatiftheissueis resolvedinsomefutureservicepackorhotfix,theapplicationsusingtheworkaround willstillcontinuetofunction. Notethatthisworkaroundwillnotworkifthefollowingconditionsaretrue: Thereismorethanonewebapplicationrunningonanondefaultport Thewebapplicationseitherbindtothehostnameoftheserverorbindtothesame hostheader(ondifferentports) ThewebapplicationIISapplicationpoolsusedifferentserviceaccounts http://server.contoso.com:5000AppPoolId:contoso\svcA http://server.contoso.com:5001AppPoolId:contoso\svcB
Iftheseconditionsaretrue,followingtherecommendationinthisworkaroundwillyield duplicateSPNsregisteredtodifferentserviceaccountswhichwillbreakKerberos authentication. Ifyouhavemultiplewebsitessharingacommonhostnamerunningonmultipleports, andyouusedifferentIISapplicationpoolidentitiesforthewebapplications,thenyou cannotuseKerberosauthenticationonallwebsites.(OneapplicationcanuseKerberos, therestwillrequireanotherauthenticationprotocol.)TouseKerberosonall applicationsinthisscenario,youwouldneedtoeither: 1. Runallwebapplicationsunder1sharedserviceaccount 2. Runeachsitewithitsownhostheader
serversareloadbalanced,thedefaultKernelModeAuthenticationconfigurationwill notwork,oratleastwillintermittentlyfail,becausetheclienthasnowayofensuring theservicetickettheyreceivedintheTGSrequestwillworkwiththeserver authenticatingtherequest. Toworkaroundthisissueyoucandothefollowing: TurnoffKernelModeAuthentication ConfigureHTTP.systousetheIISapplicationpoolsidentitywhendecryptingservice tickets.SeeInternet Information Services (IIS) 7.0 Kernel Mode Authentication Settings. YoumayalsoneedahotfixwhenconfiguringHTTP.systousetheapplicationpools credentials:FIX: You receive a Stop 0x0000007e error message on a blue screen
when the AppPoolCredentials attribute is set to true and you use a domain account as the application pool identity in IIS 7.0
Setting Description
AuthPersistNonNTLM
OptionalBooleanattribute. SpecifieswhetherIISautomaticallyreauthenticatesevery nonNTLM(forexample,Kerberos)request,eventhoseon thesameconnection.Falseenablesmultiple authenticationsforthesameconnections. ThedefaultisFalse. Note: AsettingofTruemeansthattheclientwillbe authenticatedonlyonceonthesameconnection.IISwill cacheatokenorticketontheserverforaTCPsessionthat
241
staysestablished.
242
IfyoususpectaSPNhasnotbeenregistered,ornotregisteredinaformatrequired,you canusetheSetSPNQ<insertSPN>toqueryfortheexistenceofaparticularSPN.
Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used(http://support.microsoft.com/kb/969083).
authentication.Followtheinstructionsinthesupportpagetoapplythehotfixifyou experiencethesymptomsdocumentedinthesupportcase.
244
How to reset the Claims to Windows Token Service account (SharePoint Server 2010)
How to reset the Claims to Windows Token Service account (SharePoint Server 2010)
Published:December2,2010
Scenario:TheClaimstoWindowsTokenServiceaccountischangedunintentionallyor otherwiseneedstoberesetbacktodefault.
Solution
TheClaimstoWindowsTokenServicecannotberesettotheLocalSystemaccountby usingCentralAdministration.ThefollowingWindowsPowerShellcmdletscanbeusedto resettheClaimstoWindowsTokenServicebacktoLocalSystem. LaunchtheSharePointManagementShellfromthecomputerthatisrunningSharePoint Server. Runthefollowingcmdlettoviewalistofservices.
Get-SPServiceInstance
RightclickinthePowerShellwindowandpastetheIdyoucopiedearlier.
Next,setavariablebyrunningthiscmdlet:
$claims=getspserviceinstanceidentity<PastetheC2WTSId>
RunthesecmdletstoresettheC2WTSbacktoLocalSystem:
$claims.Service.ProcessIdentity.CurrentIdentityType=0//The0inthepreceding lineisIdentityType.LocalSystem$claims.Service.ProcessIdentity.Update() $claims.Service.ProcessIdentity.Deploy()$claims.Service.ProcessIdentity// ThisoutputdemonstratesthatthecmdletwassuccessfulCurrentIdentityType: LocalSystemCurrentSecurityIdentifier:S1518ManagedAccount:ProcessAccount :S1518Username:NTAUTHORITY\SYSTEM
246