Kerberos Constrained Delegation – Setup Tools are Needed! (Part 1 of 6).


Microsoft's installation tooling offers very little help when it comes to setting up Kerberos security.  Kerberos is used on many implementations of SharePoint, PerformancePoint, Reporting Services, etc.  It is required whenever you do a “double hop,” such as between a SharePoint server and a SSRS (SQL Server Reporting Services) server.  There are some good descriptions of how to set up Constrained Delegation (a more restrictive type of Kerberos delegation) for some products.  An example of this can be seen at TechNet for PerformancePoint Server.

Since most of us only set up security like this occasionally, there really should be a tool to help clients with the setup.  This post is dedicated to proposing such a tool.  It is assumed that you have some background in Kerberos Constrained Delegation before reading this post; it is not meant to be a comprehensive guide to setting up security.  In the next few blog posts I will describe various tools that help you troubleshoot Kerberos issues once it is configured.

The Basics for a Tool (Example)

For the sake of this example, we will have three servers.  The front-end SharePoint web server will be called ServerMOSS.  This server will have an Application pool identity of (domain\MOSS2007webapp) for the SharePoint application pool.  The second server is a front-end SSRS server and will be called ServerSSRS.  ServerSSRS will have an Application pool identity of (domain\SSRSwebapp).  We would like reports from the ServerSSRS to be viewed via ServerMOSS.  The third (back-end) SQL Server database server will be called ServerSQL.  This server will have the “SQL Server” service running and configured with a domain user (domain\SQLService).  It contains all of the databases for this example.  This is an example of the Kerberos trust relationship that the tool would have to be able to set up.

Server Oriented Information Needed

Machine Type                               Front-End Server – MOSS                      Description
Machine Name                               ServerMOSS                                   May have multiple machines
DNS Alias Used (A record) / host header    None
App Pool / Service Account                 domain\MOSS2007webapp
SPNs (or URLs) Needed                      http/ServerMOSS                              SPNs vary based on application needs
                                           http/ServerMOSS.domain.com

Machine Type                               Front-End Server – SSRS                      Description
Machine Name                               ServerSSRS                                   May have multiple machines
DNS Alias Used (A record) / host header    None
App Pool / Service Account                 domain\SSRSwebapp
SPNs (or URLs) Needed                      http/ServerSSRS                              SPNs vary based on application needs
                                           http/ServerSSRS.domain.com

Machine Type                               Back-End Server – Database for SSRS & MOSS   Description
Machine Name                               ServerSQL                                    May have multiple machines
DNS Alias Used (A record) / host header    None
App Pool / Service Account                 domain\SQLService
SPNs (or URLs) Needed                      MSSQLSvc/ServerSQL                           SPNs vary based on application needs
                                           MSSQLSvc/ServerSQL:1433                      Std Port Example (port # configurable)
                                           MSSQLSvc/ServerSQL.domain.com                With Domain
                                           MSSQLSvc/ServerSQL.domain.com:1433           With Domain and Std Port

Delegation Information Needed

Account                  Delegates to Account
domain\MOSS2007webapp    domain\SSRSwebapp
domain\SSRSwebapp        domain\SQLService

Number of delegations varies.

Other Setup Items

  • Graphical tool for the associations
  • Set up of users in Active Directory
  • Configure the Identity for the application pool(s)
  • Check for application pool identity to be in proper groups (like IIS_WPG)
  • Integrated Windows authentication questions for the appropriate web site(s)
  • Setup, check and correct duplicate SPNs
  • Set NTAuthenticationProviders to “NTLM,Negotiate” in the IIS Metabase
  • Check Active Directory information such as “Trust this account for delegation” and “Account is sensitive and cannot be delegated”.
  • Report of what was configured, how everything is configured, any issues, etc.
  • Supports multiple applications and SPN types (like SSAS, etc.)
  • Set up IE policy for “Enable Integrated Windows Authentication” and “Automatic logon with current user name and password”.
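As an added example (not the author's proposed tool, and not code from the original post), here is a report-only PowerShell audit that encodes the two tables above and several of the checklist items, then compares them with what Active Directory actually holds. It assumes the ActiveDirectory module (RSAT) is installed and a domain account that can read user objects; the account names, SPNs and the domain suffix are the ones used in the tables, so adjust them for a real environment.

```powershell
# Added example: audit the three-server Kerberos Constrained Delegation design against AD.
# Report only: nothing is changed, so it is safe to run before and after a setup.
Import-Module ActiveDirectory

# Expected state, taken from the "Server Oriented Information Needed" table (sample values).
$Servers = @(
    @{ Account = 'MOSS2007webapp'; Spns = @('http/ServerMOSS', 'http/ServerMOSS.domain.com') },
    @{ Account = 'SSRSwebapp';     Spns = @('http/ServerSSRS', 'http/ServerSSRS.domain.com') },
    @{ Account = 'SQLService';     Spns = @('MSSQLSvc/ServerSQL:1433', 'MSSQLSvc/ServerSQL.domain.com:1433') }
)
# Expected state, taken from the "Delegation Information Needed" table:
# each account may delegate only to the SPNs of the next hop (msDS-AllowedToDelegateTo holds SPN strings).
$Delegations = @{
    'MOSS2007webapp' = @('http/ServerSSRS', 'http/ServerSSRS.domain.com')
    'SSRSwebapp'     = @('MSSQLSvc/ServerSQL:1433', 'MSSQLSvc/ServerSQL.domain.com:1433')
}

foreach ($s in $Servers) {
    $u = Get-ADUser -Identity $s.Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
                    TrustedForDelegation, TrustedToAuthForDelegation, AccountNotDelegated
    foreach ($spn in $s.Spns) {
        if ($u.servicePrincipalName -notcontains $spn) { "MISSING SPN    $($s.Account): $spn" }
        # A duplicate SPN (same SPN on two accounts) makes the KDC unable to pick a key, so Kerberos
        # silently fails and clients fall back to NTLM; any holder other than this account is a finding.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($holders.Count -gt 1) { "DUPLICATE SPN  $spn held by: $($holders.Name -join ', ')" }
    }
    # "Account is sensitive and cannot be delegated" blocks the hop outright.
    if ($u.AccountNotDelegated) { "SENSITIVE      $($s.Account) is marked 'cannot be delegated'" }
    # "Trust this account for delegation to any service" (unconstrained) is broader than this design needs.
    if ($u.TrustedForDelegation -and -not $u.'msDS-AllowedToDelegateTo') {
        "UNCONSTRAINED  $($s.Account) is trusted for delegation to any service"
    }
    if ($Delegations.ContainsKey($s.Account)) {
        foreach ($target in $Delegations[$s.Account]) {
            if ($u.'msDS-AllowedToDelegateTo' -notcontains $target) { "MISSING DELEG  $($s.Account) -> $target" }
        }
    }
}
"Audit complete."
```

The back-end SQL account appears only as a delegation target, so it is checked for SPNs and flags but no delegation is expected from it; extend `$Servers` and `$Delegations` when the design has more hops or more SPN types (SSAS, etc.).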

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht.

This entry was posted in Security.

4 Responses to Kerberos Constrained Delegation – Setup Tools are Needed! (Part 1 of 6).

  1. Pingback: Kerberos Constrained Delegation – Active Directory (Part 2 of 6) | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos Constrained Delegation – IIS Setup (Part 3 of 6) | FUTURESULTS, LLC Blog

  3. Pingback: Kerberos Constrained Delegation – Internet Explorer Setup (Part 4 of 6) | FUTURESULTS, LLC Blog

  4. Pingback: Kerberos Constrained Delegation – Wrap-up (Part 6 of 6) | FUTURESULTS, LLC Blog
