Kerberos Constrained Delegation – Wrap-up (Part 6 of 6)


This article was accidentally deleted.  This is a recreated and enhanced version.

This is the final installment for this Kerberos series.  I’ve listed the various parts of the series below for easy reference.  Initially, the idea of a SPN setup tool was introduced.  The next segments walked through some of the set up needed for Active Directory, IIS, and IE.  Part 5 has the best troubleshooting tools available to help you resolve any issues with your setup.

What is missing now is an example.  The picture below shows an example setup of a reporting infrastructure.  Let’s review the SPN setup needed.

SPN Example

SQL Database – ServerSQL.domain.com (Relational Database Server – assumes single server using default port)

Domain\SQLService (SQL Server Service Account)

MSSQLSvc/ServerSQL
MSSQLSvc/ServerSQL:1433
MSSQLSvc/ServerSQL.domain.com
MSSQLSvc/ServerSQL.domain.com:1433

Domain\SSASService (Analysis Services Service Account)

MSOLAPSvc.3/ServerSQL
MSOLAPSvc.3/ServerSQL.domain.com

Reporting Services – ServerSSRS.domain.com

Domain\SSRSwebapp (IIS Identity)

http/ServerSSRS
http/ServerSSRS.domain.com

ProClarity – ServerPAS.domain.com

Domain\PASwebapp (IIS Identity)

http/ServerPAS
http/ServerPAS.domain.com

PerformancePoint and MOSS – ServerPPS.domain.com

Domain\PPSwebapp (IIS Identity)

http/ServerPPS
http/ServerPPS.domain.com

Domain\MOSS2007webapp (IIS Identity – Assumes only 1 main portal site being configured)

http/ServerPPSAlias
http/ServerPPSAlias.domain.com

A few things to note about the above SPNs.

  1. For any programs that use IIS sites (SharePoint, PerformancePoint, ProClarity, SSRS), most likely the SPNs will contain http or https
  2. For relational data, the SPNs will be MSSQLSvc
  3. For OLAP data, the SPNs will be MSOLAPSvc.3 (assumes SQL Server 2005 and higher)

Example

Delegation

Once the SPNs are set up and checked for duplicates, you must delegate.  Basically, Constrained Delegation is the process of setting up a trust between accounts on various machines for a particular service.  The way that I think about this is to follow the data for the delegations needed.

For example, I would like the following to happen:

  1. View SSRS reports from within SharePoint
  2. View PerformancePoint dashboards from within SharePoint that contain both SSRS reports and ProClarity (cube) reports
  3. View PerformancePoint dashboards that contain both SSRS reports and ProClarity (cube) reports

What needs to be delegated (the Million Dollar Question)?

The simple way to think about delegation is to follow the data path.  Start at the front end and follow the path to the database.

View SSRS reports from within SharePoint (cannot view ProClarity views for this part of the example)

  1. MOSS2007webapp delegates to SSRSwebapp (view SSRS reports in SharePoint)
  2. SSRSwebapp delegates to SSASService and SQLService (report data sources for cube and Relational data)

View PerformancePoint dashboards from within SharePoint that contain both SSRS reports and ProClarity (cube) reports

  1. MOSS2007webapp delegates to PASwebapp (view cube reports in SharePoint)
  2. PASwebapp delegates to SSASService (cube data source)
  3. MOSS2007webapp delegates to SSRSwebapp – already done above for SSRS reports from within SharePoint
  4. SSRSwebapp delegates to SSASService and SQLService – already done above for SSRS reports from within SharePoint

Note: You do not need to have MOSS2007webapp delegate to PPSwebapp because you have deployed the PerformancePoint dashboard to SharePoint.  Basically, the dashboard is now running as MOSS2007webapp instead of PPSwebapp.

View PerformancePoint dashboards that contain both SSRS reports and ProClarity (cube) reports

  1. PPSwebapp delegates to PASwebapp (view cube reports in PerformancePoint)
  2. PASwebapp delegates to SSASService (cube data source) – already done above for SharePoint
  3. PPSwebapp delegates to SSRSwebapp (view SSRS reports in PerformancePoint)
  4. SSRSwebapp delegates to SSASService and SQLService – already done above for SharePoint

Notes:

  • Make sure not to delegate the same thing twice.  Some paths following the data exist for both SharePoint and PerformancePoint (e.g. SSRSwebapp –> SSASService and SQLService)
  • Many blogs and articles have erroneously stated that you must use the same application pool identity for PerformancePoint and SharePoint.  This is not necessarily true.  Mainly this is done because people don’t understand how to delegate and set up the proper security for SSRS, SSAS, etc. for multiple service accounts.  Some older technologies may require this scenario to overcome various issues with browsers, ports, etc.
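To make the "follow the data" rule concrete, here is an added example (not code from this post or from the SPN tool it proposes) that models the SPN table above and the three data paths, flags any SPN registered on more than one account, and derives the deduplicated set of "allowed to delegate to" entries each account needs. Host and account names are the post's illustrative ones, not a real environment.

```python
# Added example, not code from the post: model the post's SPN table and data paths
# and derive (a) duplicate SPNs and (b) the deduplicated constrained-delegation
# entries each account needs. Host/account names are the post's illustrative ones.
from collections import defaultdict

# Service account -> SPNs it must hold (the post's "SPN Example").
SPNS = {
    "SQLService": ["MSSQLSvc/ServerSQL", "MSSQLSvc/ServerSQL:1433",
                   "MSSQLSvc/ServerSQL.domain.com", "MSSQLSvc/ServerSQL.domain.com:1433"],
    "SSASService": ["MSOLAPSvc.3/ServerSQL", "MSOLAPSvc.3/ServerSQL.domain.com"],
    "SSRSwebapp": ["http/ServerSSRS", "http/ServerSSRS.domain.com"],
    "PASwebapp": ["http/ServerPAS", "http/ServerPAS.domain.com"],
    "PPSwebapp": ["http/ServerPPS", "http/ServerPPS.domain.com"],
    "MOSS2007webapp": ["http/ServerPPSAlias", "http/ServerPPSAlias.domain.com"],
}

# Data paths, front end first, as the post walks them ("follow the data").
PATHS = [
    ["MOSS2007webapp", "SSRSwebapp", "SQLService"],    # SSRS report in SharePoint
    ["MOSS2007webapp", "SSRSwebapp", "SSASService"],
    ["MOSS2007webapp", "PASwebapp", "SSASService"],    # PPS dashboard in SharePoint
    ["PPSwebapp", "PASwebapp", "SSASService"],         # PPS dashboard on its own
    ["PPSwebapp", "SSRSwebapp", "SQLService"],
    ["PPSwebapp", "SSRSwebapp", "SSASService"],
]

def duplicate_spns(spns):
    """SPNs registered on more than one account (compared case-insensitively):
    a duplicate breaks Kerberos for that service, so fix these before delegating."""
    owners = defaultdict(set)
    for account, names in spns.items():
        for spn in names:
            owners[spn.lower()].add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

def delegation_edges(paths):
    """Each hop along a data path is one 'A delegates to B' edge; a set removes the
    repeats the post warns about (SSRSwebapp -> SQL/SSAS recurs for SharePoint and PPS)."""
    return {(src, dst) for p in paths for src, dst in zip(p, p[1:])}

def delegation_plan(paths, spns):
    """Account -> sorted SPNs to list under 'allowed to delegate to' (constrained
    delegation targets are the *next hop's* SPNs, never the front end's own)."""
    plan = defaultdict(set)
    for src, dst in delegation_edges(paths):
        plan[src].update(spns[dst])
    return {acct: sorted(v) for acct, v in plan.items()}
```

The plan yields only seven distinct edges from twelve hops, and neither back-end service account appears as a delegating account, which is the result the walkthrough above arrives at by hand.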

What if you wanted to use a SharePoint list as the data source for a PerformancePoint report and view it from within PerformancePoint Preview site?

Hint: Follow the data path.  Would PPSwebapp have to delegate to MOSS2007webapp?

Setup Tool Needed

Now that we have reviewed some of the basics of Kerberos setup, and walked through an example, I would like to make a tool that helps create the SPNs needed for Microsoft products.  My question to the community is:

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht.


3 Responses to Kerberos Constrained Delegation – Wrap-up (Part 6 of 6)

  1. Pingback: Kerberos SPN Generation Setup Tool | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool Overview | FUTURESULTS, LLC Blog

  3. Pingback: The things that are better left unspoken : New features in Active Directory Domain Services in Windows Server 2012, Part 10: Improved KCD
