DBI304 – Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012)
Chuck Heinzelman, Senior Program Manager – BPD CX, Microsoft Corporation
www.sqlcat.com • chuck.heinzelman@microsoft.com • @SQLBoyWonder
Abstract
• A top call generator for SharePoint BI is the configuration of Kerberos to allow user credentials to be passed to back-end data sources. With Microsoft SQL Server 2012, Reporting Services is fully integrated with SharePoint as a service application. Come learn how to configure your environment: how to discover which SPNs need to be set, how to configure Constrained Delegation, and how to troubleshoot potential issues.
Definitions
• Kerberos
  • Authentication protocol developed at MIT
• Delegation
  • Granting your authority to someone else
• Impersonation
  • I can “be” someone else
• Authentication
  • Verification that I am who I say I am
• Authorization
  • Verification that I have the rights to do what I want to do
Why Kerberos?
• Delegate user credentials to a back-end data source (the double-hop issue)
• Service applications that leverage Kerberos:
  • PerformancePoint
  • Excel Services
  • Reporting Services (new in SQL Server 2012)
7 Easy Steps!
• Enable Kerberos on your SharePoint Web Application
• Enable the Claims to Windows Token Service in SharePoint
• Create an HTTP SPN for the account that is running the Portal application pool
• Create a dummy SPN for the account that is running the service application
• Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
• Configure Constrained Delegation for the Service Application account to Analysis Services
• Configure Constrained Delegation for the Application Server machine
Real-World Scenarios
• Multiple Web Front Ends
• Load Balanced URLs
• Multiple Application Servers
• Multiple Service Application Accounts
• SQL Server Services
Multiple Web Front Ends / Load Balanced URLs
• Set an HTTP SPN for every URL
  • Each WFE (NetBIOS name and FQDN)
  • Load balancer URL
• Don’t forget Alternate Access Mappings
• Remember to check for additional CNAME entries (each alias users can type needs its own HTTP SPN)
Multiple Application Servers / Multiple Service Application Accounts
• No service-specific SPN is required for the service applications themselves
• You will need to set up constrained delegation on each service account
• You may need to set up a dummy SPN so that the Delegation tab appears in Active Directory Users and Computers (the tab is only shown for accounts that hold at least one SPN)
• Enable C2WTS on each application server
SQL Server Services
• Clustered SQL Server
  • Set the SPN on the virtual network name (VNN), not on the individual nodes
• Non-default instance of Analysis Services
  • The SQL Browser service needs to be running
  • An MSOLAPDisco.3 SPN is required for the service account under which the Browser service runs
  • The standard MSOLAPSvc.3 SPN is required as well
Related Content
• Breakout Sessions (session codes and titles)
  • OSP201 – Business Intelligence in Microsoft Office and SharePoint 2010
  • OSP232 – 36 Terabytes: How Microsoft IT Manages SharePoint in the Enterprise
  • DBI402 – Deploying and Managing a PowerPivot for SharePoint Infrastructure Using Microsoft SQL Server 2012
  • DBI301 – Building Self-Service BI Applications Using PowerPivot
  • OSP339 – Advanced Microsoft SharePoint 2010 Upgrade Troubleshooting
  • DBI332 – Running Reporting Services in SharePoint Integrated Mode: How and Why
  • DBI306 – Tips and Tricks: Effectively Manage Your SharePoint Farm with BI
  • DBI327 – How to Extend Your SharePoint BI Dashboard to ALL Devices
  • OSP431 – Security Design with Claims-Based Authentication
• Find Me Later At…
  • SQL Server TLC Area – I’ll be there quite often!
Track Resources
• Hands-On Labs
• @sqlserver • @TechEd_NA • #msTechEd
• SQL Server 2012 Eval Copy
• Get Certified!
• mva – Microsoft Virtual Academy
Resources
• Learning – Microsoft Certification & Training Resources: www.microsoft.com/learning
• TechNet – Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
• Connect. Share. Discuss. – http://northamerica.msteched.com
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Breakout – Step 1
• Enable Kerberos on your SharePoint Web Application
  • Central Administration | Application Management | Manage Web Applications | Authentication Providers
Breakout – Step 2
• Enable the Claims to Windows Token Service in SharePoint
  • Central Administration | System Settings | Manage Services on Server | Select “Start” on the Claims to Windows Token Service
Breakout – Step 3
• Create an HTTP SPN for the account that is running the Portal application pool
  • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
  • Create an HTTP SPN for all applicable URLs:
    a. SetSPN -S HTTP/<Server> Domain\<Service Account>
    b. SetSPN -S HTTP/<Server>.<FQDN> Domain\<Service Account>
  • Repeat steps a and b for every URL that can be used to access that web application (the list should match your AAM definitions)
Breakout – Step 4
• Create a dummy SPN for the account that is running the service application (PerformancePoint, Excel Services and Reporting Services)
  • Note: this is only necessary if the account running the service application is different from the HTTP (application pool) service account
  • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
  • Create one dummy SPN per service:
    • SetSPN -S PPS/<Server> Domain\<Service Account>
    • SetSPN -S RS/<Server> Domain\<Service Account>
Breakout – Step 5
• Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
  • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
  • Create the MSOLAPSvc.3 SPNs:
    • SetSPN -S MSOLAPSvc.3/<Server> Domain\<Service Account>
    • SetSPN -S MSOLAPSvc.3/<Server>.<FQDN> Domain\<Service Account>
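Steps 3 to 5 and the “Real-World Scenarios” slides all come down to one list: which SPN belongs on which account. The script below is an added example written for this page, not code from the session or from Microsoft; it builds that list from a description of the farm (every portal host name including load-balancer, AAM and CNAME aliases; the dummy PPS/RS SPNs only when the service application account differs from the application pool account; MSOLAPSvc.3 for the Analysis Services account, plus MSOLAPDisco.3 for the SQL Browser account when the instance is a named one), checks with an LDAP query that no SPN is already held by some other account, and only then calls SetSPN -S. All account names, host names and the DNS suffix are constructed placeholders; the `$Farm` hashtable, `Get-RequiredSpn`, `Get-SpnOwner` and `Register-FarmSpn` are names chosen for this example.

```powershell
# Added example (not from the session deck): build the SPN list that steps 3-5
# and the "Real-World Scenarios" slides call for, check that each SPN is not
# already held by a different account, and only then call SetSPN -S.
# All account, host and suffix values below are constructed placeholders.
Import-Module ActiveDirectory

$Farm = @{
    DnsSuffix         = 'contoso.local'
    PortalAppPoolAcct = 'CONTOSO\svc-spweb'   # runs the portal web application pool
    ServiceAppAcct    = 'CONTOSO\svc-spsvc'   # runs PerformancePoint / Excel Services / RS
    SsasAcct          = 'CONTOSO\svc-ssas'    # runs Analysis Services
    BrowserAcct       = 'CONTOSO\svc-ssas'    # runs SQL Browser (only matters for a named instance)
    SsasHost          = 'ssas01'              # clustered SSAS: put the virtual network name here
    SsasNamedInstance = $true                 # non-default instance => Browser + MSOLAPDisco.3
    ServiceAppHosts   = @('app01')            # application servers hosting the service apps
    # Every host name a browser can use to reach the web application: each WFE,
    # the load-balanced name, every Alternate Access Mapping and any CNAME alias.
    PortalHosts       = @('wfe01', 'wfe02', 'portal', 'bi')
}

function Get-RequiredSpn {
    param([hashtable]$Farm)
    $fqdn = { param($h) "$h.$($Farm.DnsSuffix)" }
    $new  = { param($spn, $acct) [pscustomobject]@{ Spn = $spn; Account = $acct } }
    $spns = @()
    foreach ($h in $Farm.PortalHosts) {                       # step 3: short name and FQDN
        $spns += & $new "HTTP/$h"            $Farm.PortalAppPoolAcct
        $spns += & $new "HTTP/$(& $fqdn $h)" $Farm.PortalAppPoolAcct
    }
    if ($Farm.ServiceAppAcct -ne $Farm.PortalAppPoolAcct) {  # step 4: only when the accounts differ
        foreach ($h in $Farm.ServiceAppHosts) {
            $spns += & $new "PPS/$h" $Farm.ServiceAppAcct
            $spns += & $new "RS/$h"  $Farm.ServiceAppAcct
        }
    }
    $s = $Farm.SsasHost                                       # step 5
    $spns += & $new "MSOLAPSvc.3/$s"            $Farm.SsasAcct
    $spns += & $new "MSOLAPSvc.3/$(& $fqdn $s)" $Farm.SsasAcct
    if ($Farm.SsasNamedInstance) {                            # SQL Browser answers the instance lookup
        $spns += & $new "MSOLAPDisco.3/$s"            $Farm.BrowserAcct
        $spns += & $new "MSOLAPDisco.3/$(& $fqdn $s)" $Farm.BrowserAcct
    }
    return $spns
}

function Get-SpnOwner {
    # sAMAccountName(s) currently holding the SPN, or $null. The same SPN on two
    # accounts leaves the KDC unable to pick a key, so clients silently fall back
    # to NTLM and the second hop fails: the classic "it used to work" support call.
    param([string]$Spn)
    $obj = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
    if ($obj) { return @($obj.sAMAccountName) }
    return $null
}

function Register-FarmSpn {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Farm)
    foreach ($e in Get-RequiredSpn -Farm $Farm) {
        $wanted = ($e.Account -split '\\')[-1]               # strip the DOMAIN\ prefix
        $owner  = Get-SpnOwner -Spn $e.Spn
        if ($owner -and ($owner -notcontains $wanted -or $owner.Count -gt 1)) {
            Write-Warning "$($e.Spn) is held by [$($owner -join ', ')], expected $wanted; resolve this first"
            continue
        }
        if ($owner) { Write-Verbose "$($e.Spn) already registered to $wanted"; continue }
        if ($PSCmdlet.ShouldProcess($e.Account, "setspn -S $($e.Spn)")) {
            & setspn.exe -S $e.Spn $e.Account                # -S itself refuses to create a duplicate
        }
    }
}

Register-FarmSpn -Farm $Farm -WhatIf -Verbose   # dry run: lists every SetSPN call it would make
```

Run it with `-WhatIf` first and compare the printed list against your AAM definitions; drop `-WhatIf` only from the Domain Admin prompt the slides describe, since writing servicePrincipalName needs that right. `setspn -X` scans the whole forest for duplicate SPNs and `setspn -L <account>` lists what an account holds, which is the quickest way to confirm the result afterwards.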
Breakout – Step 6
• Configure Constrained Delegation for the Service Application account to Analysis Services
  • Log onto the Domain Controller and open Active Directory Users and Computers
  • Locate the Service Application account and edit its properties
  • Find the Delegation tab
  • Select the option “Trust this user for delegation to specified services only”
  • Select “Use any authentication protocol”
  • Click on the Add button
  • In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
  • Highlight the service and select OK
Breakout – Step 7
• Configure Constrained Delegation for the Application Server machine
  • Log onto the Domain Controller and open Active Directory Users and Computers
  • Locate the computer account for the Application Server
  • Find the Delegation tab
  • Select the option “Trust this computer for delegation to specified services only”
  • Select “Use any authentication protocol”
  • Click on the Add button
  • In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
  • Highlight the service and select OK
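Steps 6 and 7 are the same two Delegation-tab choices applied to two different objects: the service application account and the application server’s computer account (the Claims to Windows Token Service runs as Local System, so it delegates as the machine). The script below is an added example written for this page, not code from the session or from Microsoft. It shows what those two radio buttons actually write to Active Directory, so the result can be set and audited without the GUI: “specified services only” is the msDS-AllowedToDelegateTo attribute, and “Use any authentication protocol” is the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl. The account names and SPNs are constructed placeholders, and `Set-ConstrainedDelegation` and `Get-DelegationState` are names chosen for this example.

```powershell
# Added example (not from the session deck) for steps 6 and 7: set the two
# Delegation-tab choices from PowerShell and read back what AD actually stores.
# Account and SPN names are constructed placeholders.
Import-Module ActiveDirectory

$ServiceAppAcct = 'svc-spsvc'    # sAMAccountName running PPS / Excel Services / RS
$AppServerAcct  = 'app01$'       # the application server's computer account (sAMAccountName ends in $)
$SsasSpns       = @('MSOLAPSvc.3/ssas01', 'MSOLAPSvc.3/ssas01.contoso.local')

function Set-ConstrainedDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$TargetSpn,
        [ValidateSet('User', 'Computer')][string]$Type = 'User'
    )
    # "Trust this user/computer for delegation to specified services only" is the
    # msDS-AllowedToDelegateTo list; "Use any authentication protocol" is the
    # TRUSTED_TO_AUTH_FOR_DELEGATION bit (protocol transition). C2WTS needs the
    # latter because the front end holds a claims token, not a Kerberos ticket.
    if (-not $PSCmdlet.ShouldProcess($Identity, "delegate to $($TargetSpn -join ', ')")) { return }
    $attr = @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    if ($Type -eq 'Computer') { Set-ADComputer -Identity $Identity -Add $attr }
    else                      { Set-ADUser     -Identity $Identity -Add $attr }
    # Protocol transition on; unconstrained ("any service") delegation explicitly off.
    Set-ADAccountControl -Identity $Identity -TrustedToAuthForDelegation $true -TrustedForDelegation $false
}

function Get-DelegationState {
    # Reads the raw attributes back so the configuration can be audited without the GUI.
    param([Parameter(Mandatory)][string]$Identity)
    $o = Get-ADObject -LDAPFilter "(sAMAccountName=$Identity)" `
            -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
    [pscustomobject]@{
        Account             = $Identity
        AllowedToDelegateTo = @($o.'msDS-AllowedToDelegateTo')
        ProtocolTransition  = [bool]($o.userAccountControl -band 0x1000000)  # TRUSTED_TO_AUTH_FOR_DELEGATION
        Unconstrained       = [bool]($o.userAccountControl -band 0x80000)    # TRUSTED_FOR_DELEGATION, should be False
    }
}

# Step 6: the service application account. Step 7: the application server itself.
Set-ConstrainedDelegation -Identity $ServiceAppAcct -TargetSpn $SsasSpns -Type User     -WhatIf
Set-ConstrainedDelegation -Identity $AppServerAcct  -TargetSpn $SsasSpns -Type Computer -WhatIf
Get-DelegationState -Identity $ServiceAppAcct
Get-DelegationState -Identity $AppServerAcct
```

`Get-DelegationState` is the check worth keeping around after the GUI steps: AllowedToDelegateTo should list only the Analysis Services SPNs (both short and FQDN forms, so that the client’s chosen name matches), ProtocolTransition should be True, and Unconstrained should be False. If the service account shows no Delegation tab at all, it has no SPN yet, which is exactly what the dummy SPN in step 4 is for.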