
Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012)

DBI304. Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012). Chuck Heinzelman Senior Program Manager – BPD CX Microsoft Corporation. www.sqlcat.com. chuck.heinzelman @ microsoft.com. @ SQLBoyWonder. Chuck Heinzelman. Abstract.


Presentation Transcript


  1. DBI304 Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012) Chuck Heinzelman Senior Program Manager – BPD CX Microsoft Corporation

  2. www.sqlcat.com chuck.heinzelman@ microsoft.com @SQLBoyWonder Chuck Heinzelman

  3. Abstract • A top call generator for SharePoint BI is the configuration of Kerberos to allow user credentials to be passed to back end data sources. With Microsoft SQL Server 2012, Reporting Services will be fully integrated with SharePoint as a service. Come learn how to configure your environment. Learn how to discover what SPNs need to be set, how to configure Constrained Delegation, and how to troubleshoot potential issues.

  4. Kerberos – In 7 Easy Steps

  5. Solve 95% Of Your Kerberos Problems…

  6. Kerberos Terminology and Overview

  7. Definitions
     • Kerberos: an authentication protocol developed at MIT
     • Delegation: granting your authority to someone else
     • Impersonation: I can “be” someone else
     • Authentication: verification that I am who I say I am
     • Authorization: verification that I have the rights to do what I want to do

  8. Why Kerberos?
     • Delegate user credentials to a back-end data source (the double-hop issue)
     • Service applications that would leverage Kerberos:
       • PerformancePoint
       • Excel Services
       • Reporting Services (SQL Server 2012 change)

  9. Breakdown of 7 Steps

  10. 7 Easy Steps!
     • Enable Kerberos on your SharePoint Web Application
     • Enable the Claims to Windows Token Service in SharePoint
     • Create an HTTP SPN for the account that is running the Portal application pool
     • Create a dummy SPN for the account that is running the service application
     • Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
     • Configure Constrained Delegation for the Service Application account to Analysis Services
     • Configure Constrained Delegation for the Application Server machine

  17. Kerberos in the Real World

  18. Real-World Scenarios
     • Multiple Web Front Ends
     • Load Balanced URLs
     • Multiple Application Servers
     • Multiple Service Application Accounts
     • SQL Server Services

  19. Multiple Web Front Ends / Load Balanced URLs
     • Set an HTTP SPN for every URL:
       • Each WFE (short name and FQDN)
       • Load balancer URL
     • Don’t forget Alternate Access Mappings
     • Remember to check for additional CNAME entries

  20. Multiple Application Servers / Multiple Service Application Accounts
     • No service-specific SPN is required for the service applications
     • You will need to set up constrained delegation on the service account
     • You may need to set up a dummy SPN to enable the Delegation tab in Active Directory Users and Computers
     • Enable C2WTS on each server

  21. SQL Server Services
     • Clustered SQL Server
       • Set the SPN on the VNN (virtual network name)
     • Non-default instance of Analysis Services
       • The SQL Browser service needs to be running
       • An SPN in the form MSOLAPDisco.3 is necessary for the service account under which the Browser service is running
       • The standard MSOLAPSvc.3 SPN is required as well
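The real-world cases above (one HTTP SPN per WFE name and load-balanced URL, AAMs and CNAMEs, the VNN of a clustered SQL Server, MSOLAPDisco.3 for a named Analysis Services instance) all reduce to one question: does Active Directory hold exactly the SPNs the farm needs, on exactly the accounts that should own them? The script below is an added example, not code from the deck or from Microsoft; it audits an expected-SPN list against AD. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the caller can read AD; the CONTOSO account and host names are constructed placeholders.

```powershell
# Added example (not from the original deck): audit the SPNs a SharePoint BI farm needs
# against what is actually registered in Active Directory.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read AD.
# All account and host names below are constructed placeholders in a CONTOSO domain.
Import-Module ActiveDirectory

# Expected SPNs, grouped by the account that must hold them. This mirrors the deck's guidance:
# an HTTP SPN per WFE (short name and FQDN), per load-balanced URL, per AAM and per CNAME;
# MSOLAPSvc.3 for the SSAS service account; MSOLAPDisco.3 for the Browser service account when
# a named instance is used; for a clustered SQL Server the SPN goes on the virtual network name.
$Expected = @{
    'CONTOSO\svc-portalpool' = @(
        'HTTP/wfe01', 'HTTP/wfe01.contoso.com',
        'HTTP/wfe02', 'HTTP/wfe02.contoso.com',
        'HTTP/portal', 'HTTP/portal.contoso.com'   # load-balanced URL / AAM
    )
    'CONTOSO\svc-ssas' = @(
        'MSOLAPSvc.3/olap01', 'MSOLAPSvc.3/olap01.contoso.com'
    )
    'CONTOSO\svc-sqlbrowser' = @(
        'MSOLAPDisco.3/olap01', 'MSOLAPDisco.3/olap01.contoso.com'
    )
}

function Get-SpnHolders {
    # Return the sAMAccountName of every AD object (user or computer) that carries this SPN.
    param([Parameter(Mandatory)][string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName, sAMAccountName |
        ForEach-Object { $_.sAMAccountName }
}

function Test-FarmSpns {
    # Classify each expected SPN as OK, MISSING, WRONG-ACCOUNT or DUPLICATE.
    param([Parameter(Mandatory)][hashtable]$ExpectedSpns)
    foreach ($account in $ExpectedSpns.Keys) {
        $sam = ($account -split '\\')[-1]          # strip the DOMAIN\ prefix
        foreach ($spn in $ExpectedSpns[$account]) {
            $holders = @(Get-SpnHolders -Spn $spn)
            $state = switch ($holders.Count) {
                0       { 'MISSING' }
                1       { if ($holders[0] -ieq $sam) { 'OK' } else { 'WRONG-ACCOUNT' } }
                # More than one holder: the KDC cannot pick one, so clients fall back to NTLM
                # and the double hop fails. setspn -S refuses to create this state; -A does not.
                default { 'DUPLICATE' }
            }
            [pscustomobject]@{
                Spn      = $spn
                Expected = $sam
                Holders  = ($holders -join ',')
                State    = $state
            }
        }
    }
}

# Show everything that needs attention. Registration itself stays with the deck's commands,
# e.g. setspn -S HTTP/portal.contoso.com CONTOSO\svc-portalpool
Test-FarmSpns -ExpectedSpns $Expected | Where-Object State -ne 'OK' | Format-Table -AutoSize
```

A DUPLICATE row is the one to fix first, since a duplicate SPN silently breaks Kerberos for every client of that service; `setspn -X` performs the same duplicate search forest-wide without an expected list. WRONG-ACCOUNT usually means a CNAME or AAM was added after the original SPNs were set, which is the case the “check for additional CNAME entries” bullet warns about.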

  22. Related Content
     • Breakout Sessions (session codes and titles)
       • OSP201 – Business Intelligence in Microsoft Office and SharePoint 2010
       • OSP232 – 36 Terabytes: How Microsoft IT Manages SharePoint in the Enterprise
       • DBI402 – Deploying and Managing a PowerPivot for SharePoint Infrastructure Using Microsoft SQL Server 2012
       • DBI301 – Building Self-Service BI Applications Using PowerPivot
       • OSP339 – Advanced Microsoft SharePoint 2010 Upgrade Troubleshooting
       • DBI332 – Running Reporting Services in SharePoint Integrated Mode: How and Why
       • DBI306 – Tips and Tricks: Effectively Manage Your SharePoint Farm with BI
       • DBI327 – How to Extend Your SharePoint BI Dashboard to ALL Devices
       • OSP431 – Security Design with Claims-Based Authentication
     • Find Me Later At…
       • SQL Server TLC Area – I’ll be there quite often!

  23. Track Resources Hands-On Labs @sqlserver @TechEd_NA #msTechEd SQL Server 2012 Eval Copy Get Certified! mva • Microsoft Virtual Academy

  24. Resources Learning TechNet • Connect. Share. Discuss. • Microsoft Certification & Training Resources http://northamerica.msteched.com www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet http://microsoft.com/msdn

  25. Complete an evaluation on CommNet and enter to win!

  26. MS Tag Scan the Tag to evaluate this session now on myTechEd Mobile

  27. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  28. Appendix

  29. Breakout – Step 1
     • Enable Kerberos on your SharePoint Web Application
     • Central Administration | Application Management | Manage Web Applications | Authentication Providers

  30. Breakout – Step 2
     • Enable the Claims to Windows Token Service in SharePoint
     • Central Administration | System Settings | Manage Services on Server | Select “Start” on the Claims to Windows Token Service

  31. Breakout – Step 3
     • Create an HTTP SPN for the account that is running the Portal application pool
     • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
     • Create an HTTP SPN for all applicable URLs:
       a. SetSPN -S HTTP/<Server> Domain\<Service Account>
       b. SetSPN -S HTTP/<Server>.<FQDN> Domain\<Service Account>
     • Repeat steps a and b for every URL that can be used to access that web application (the list should match your AAM definitions)

  32. Breakout – Step 4
     • Create a dummy SPN for the account that is running the service application (PerformancePoint, Excel Services & Reporting Services)
       * This is only necessary if the account running the service application is different from the HTTP service account
     • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
     • Create one dummy SPN per service:
       • SetSPN -S PPS/<Server> Domain\<Service Account>
       • SetSPN -S RS/<Server> Domain\<Service Account>

  33. Breakout – Step 5
     • Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
     • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008 R2 server)
     • Create the MSOLAPSvc.3 SPNs:
       • SetSPN -S MSOLAPSvc.3/<Server> Domain\<Service Account>
       • SetSPN -S MSOLAPSvc.3/<Server>.<FQDN> Domain\<Service Account>

  34. Breakout – Step 6
     • Configure Constrained Delegation for the Service Application account to Analysis Services
     • Log onto the Domain Controller and open Active Directory Users and Computers
     • Locate the Service Application account and edit its properties
     • Find the Delegation tab
     • Select the option “Trust this user for delegation to specified services only”
     • Select “Use any authentication protocol”
     • Click the Add button
     • In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
     • Highlight the service and select OK

  35. Breakout – Step 7
     • Configure Constrained Delegation from the Application Server machine
     • Log onto the Domain Controller and open Active Directory Users and Computers
     • Locate the computer account for the Application Server
     • Find the Delegation tab
     • Select the option “Trust this user for delegation to specified services only”
     • Select “Use any authentication protocol”
     • Click the Add button
     • In the Add Services window select “Users or Computers” and type in the name of the service account that is running Analysis Services
     • Highlight the service and select OK
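Steps 6 and 7 are the same operation applied to two principals, and the Delegation tab is only a front end for two AD attributes: “Trust this user for delegation to specified services only” writes the target SPNs into msDS-AllowedToDelegateTo, and “Use any authentication protocol” sets the TrustedToAuthForDelegation flag (protocol transition), which C2WTS needs because it builds a Windows token from a claim rather than from the user's own Kerberos ticket. The script below is an added example, not code from the deck or from Microsoft; it applies both steps with the ActiveDirectory module and reads the result back. It assumes Domain Admin rights and the RSAT module; the svc-ssas, svc-pps and app01 names are constructed placeholders.

```powershell
# Added example (not from the original deck): steps 6 and 7 without the ADUC Delegation tab.
# Assumes the ActiveDirectory module (RSAT) and Domain Admin rights.
# svc-ssas (SSAS service account), svc-pps (service application account) and app01
# (application server) are constructed placeholders.
Import-Module ActiveDirectory

function Get-TargetSpns {
    # Mirror the GUI flow: pick the SSAS service account and take the MSOLAPSvc.3 SPNs
    # registered on it in step 5. Delegation is then scoped to exactly those services.
    param([Parameter(Mandatory)][string]$SsasAccount)
    (Get-ADUser -Identity $SsasAccount -Properties servicePrincipalName).servicePrincipalName |
        Where-Object { $_ -like 'MSOLAPSvc.3/*' }
}

function Get-DelegationTarget {
    # Fetch a user (step 6) or computer (step 7) account with the two delegation attributes.
    param([Parameter(Mandatory)][string]$Identity, [switch]$Computer)
    $props = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    if ($Computer) {
        Get-ADComputer -Identity $Identity -Properties $props
    } else {
        Get-ADUser -Identity $Identity -Properties $props
    }
}

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$Identity,      # sAMAccountName: 'svc-pps' or 'app01$'
        [Parameter(Mandatory)][string[]]$TargetSpns,
        [switch]$Computer
    )
    $obj = Get-DelegationTarget -Identity $Identity -Computer:$Computer

    # "Trust ... for delegation to specified services only": add only the SPNs that are not
    # already listed, since -Add appends to the multi-valued attribute.
    $current = @($obj.'msDS-AllowedToDelegateTo')
    $missing = @($TargetSpns | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        $change = @{ 'msDS-AllowedToDelegateTo' = $missing }
        if ($Computer) {
            Set-ADComputer -Identity $Identity -Add $change
        } else {
            Set-ADUser -Identity $Identity -Add $change
        }
    }

    # "Use any authentication protocol": protocol transition flag on the account.
    if (-not $obj.TrustedToAuthForDelegation) {
        Set-ADAccountControl -Identity $Identity -TrustedToAuthForDelegation $true
    }
}

function Get-DelegationState {
    # Read back what the Delegation tab would show, for verification and for change records.
    param([Parameter(Mandatory)][string]$Identity, [switch]$Computer)
    $obj = Get-DelegationTarget -Identity $Identity -Computer:$Computer
    [pscustomobject]@{
        Account             = $obj.SamAccountName
        ProtocolTransition  = [bool]$obj.TrustedToAuthForDelegation
        AllowedToDelegateTo = (@($obj.'msDS-AllowedToDelegateTo') -join '; ')
    }
}

$ssasSpns = @(Get-TargetSpns -SsasAccount 'svc-ssas')
if ($ssasSpns.Count -eq 0) {
    throw 'No MSOLAPSvc.3 SPN is registered on svc-ssas; complete step 5 first.'
}

# Step 6: the service application account (PerformancePoint / Excel Services / Reporting Services).
Set-ConstrainedDelegation -Identity 'svc-pps' -TargetSpns $ssasSpns
# Step 7: the application server's computer account.
Set-ConstrainedDelegation -Identity 'app01$' -TargetSpns $ssasSpns -Computer

Get-DelegationState -Identity 'svc-pps'
Get-DelegationState -Identity 'app01$' -Computer
```

Because the script writes msDS-AllowedToDelegateTo directly, it does not depend on the Delegation tab being visible, which is what the dummy SPN in step 4 exists for. The verification output is also what to compare against when the double hop stops working: an empty AllowedToDelegateTo or ProtocolTransition = False on either principal reproduces the classic anonymous-login failure against Analysis Services.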