Delegation Process – PAS Example
This post takes a short departure from the “Kerberos SPN Generation Setup Tool” itself, because the “Kerberos Constrained Delegation” step deserves a process discussion of its own. It is a manual step that must be completed after the Generate SPNs process. This post walks through the “Kerberos Constrained Delegation” process and shows how to review the SPN and delegation settings in Active Directory. If you need it, you can download the Kerberos SPN Generation Setup Tool Beta at FUTURESULTS, LLC.
For the details of this example, refer to the previous post describing how to set up the Kerberos portion of ProClarity Analytics Server (PAS) 6.3. The setup here uses only the information entered on the tool’s “Common Tab” and “PAS Tab”. While this example is for a ProClarity setup, the same process applies to other Microsoft BI technologies.
As always, we draw a picture to help us understand the definition of the setup.
ADSI Edit and SPNs
This example assumes that you have completed the Generate SPNs process for PAS. Once that is done, the rest of this section is optional; it is included so you know how to check what the tool did. The Generate SPNs process creates the SPNs and writes them into the servicePrincipalName attribute of the appropriate account for you. This section shows how to verify those SPNs manually.
Start by logging on to your Active Directory domain controller (or any domain-joined machine with the Remote Server Administration Tools installed). ADSI Edit is an MMC snap-in for managing objects in Active Directory, and you can use it to verify that the Generate SPNs batch file added the SPNs correctly. Start ADSI Edit and open each of the domain user accounts whose SPNs you want to check. In our example these are “paswebapp” and “sql_analysis”. We will start with “paswebapp”.
Go to the user account properties –> Attribute Editor tab –> and scroll down to the “servicePrincipalName” (SPN) attribute.
Review the SPN values.
In this example, the SPNs for the “paswebapp” account can be seen below. The “paswebapp” account was the application pool account used for the PAS application.
Repeat this for every account whose SPN entries you want to review (the other account is “sql_analysis” in our example).
Analytics is the host header used by the PAS application instance; it is registered in DNS as a host (A) record. Keep it an A record rather than a CNAME: many Kerberos clients, Internet Explorer included, build the SPN from the canonical name an alias points to, so with a CNAME the HTTP/Analytics SPN is never requested.
“sql_analysis” is the domain user account that runs the Analysis Services instance on the ReportMachine server.
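The same SPN check done from PowerShell, as an added example (this is not code from the original post or from the Kerberos SPN Generation Setup Tool). It assumes the RSAT ActiveDirectory module is installed and that the account names match the post; the expected SPN list and the “corp.example” domain suffix are placeholders to replace with your own. Besides listing what is registered, it reports missing SPNs, runs the forest-wide duplicate check, and confirms the host header is an A record:

```powershell
# Added example, not from the original post: verify the SPNs that the
# Generate SPNs step registered, without opening ADSI Edit.
# Assumptions: RSAT ActiveDirectory module; account names from the post;
# the expected SPNs and 'corp.example' suffix are placeholders.
Import-Module ActiveDirectory

$expected = @{
    # PAS app pool account: HTTP SPNs for the host header (short name and FQDN)
    'paswebapp'    = @('HTTP/Analytics', 'HTTP/Analytics.corp.example')
    # Analysis Services service account: MSOLAPSvc.3 is the SSAS service class
    'sql_analysis' = @('MSOLAPSvc.3/ReportMachine', 'MSOLAPSvc.3/ReportMachine.corp.example')
}

function Test-ExpectedSpns {
    param([hashtable]$Expected)
    $problems = @()
    foreach ($name in $Expected.Keys) {
        $u = Get-ADUser -Identity $name -Properties servicePrincipalName
        $have = @($u.servicePrincipalName)
        Write-Host "== $name =="
        $have | ForEach-Object { Write-Host "  $_" }
        if (-not $have) {
            # Without at least one SPN, ADUC does not even show the Delegation tab.
            $problems += "$name has no SPNs registered"
        }
        foreach ($spn in $Expected[$name]) {
            if ($have -notcontains $spn) { $problems += "$name is missing $spn" }
        }
    }
    return $problems
}

Test-ExpectedSpns -Expected $expected | ForEach-Object { Write-Warning $_ }

# A duplicate SPN anywhere in the forest causes Kerberos authentication failures
# (the KDC may encrypt the ticket with the wrong account's key), so check after
# every registration. -X finds duplicates, -F extends the search to the forest.
setspn -X -F

# The host header must be an A record; for a CNAME the client builds the SPN
# from the canonical name and HTTP/Analytics is never used.
$dns = Resolve-DnsName -Name 'Analytics' -Type A -ErrorAction Stop
if ($dns | Where-Object Type -eq 'CNAME') {
    Write-Warning "'Analytics' is a CNAME; register it as an A record instead."
}
```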
First determine whether delegation is needed at all (a future post covers this in more detail). In our example, after completing the Generate SPNs process, open the tool’s “Delegation” tab and review the output. Cell D8 shows that delegation does not yet exist, so we must perform the delegation process manually.
Delegation Tab Example –> “Kerberos SPN Generation Setup Tool – Generate SPNs“
Let’s start the delegation process by going into Active Directory Users and Computers and finding the user account “paswebapp”. Following the arrows in the diagram above from front (the user) to back (the data source), we find the application-to-application hop: the “paswebapp” account delegates to the “sql_analysis” account. This hop is what we are “constraining”: the “paswebapp” account will be allowed to obtain service tickets on the user’s behalf only for the services we list, rather than for any service in the domain. Find the user “paswebapp” and complete the following steps in Active Directory.
Go to Properties –> Delegation tab. (The Delegation tab only appears once the account has at least one SPN registered, which is why Generate SPNs must run first.) Select “Trust this user for delegation to specified services only” and then select “Use Kerberos only”. Do not choose “Use any authentication protocol” unless you specifically need protocol transition; that option lets the account request tickets for users who never authenticated to it with Kerberos, which is a much broader grant.
Select Add, then Users or Computers, and add the user “sql_analysis”. In the list of services that appears, choose Select All, then OK, OK, … until you are back at the “paswebapp” Properties window.
Check the Expanded check box and select OK. The SPNs registered on the “sql_analysis” account should now appear in the services list of the “paswebapp” dialog shown below.
Select OK to complete.
We have now completed the “Kerberos Constrained Delegation” process for our example.
Completed Kerberos Constrained Delegation Process for “paswebapp”.
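The same configuration the Delegation tab steps above produce, done with the ActiveDirectory module, as an added example (not code from the original post or the tool). It assumes RSAT and the account names from the post; change $FrontEnd and $BackEnd for other delegations. It merges with whatever is already in the attribute rather than overwriting it, so it is safe to rerun later when new SPNs have been registered on the back-end account:

```powershell
# Added example, not from the original post: "Trust this user for delegation to
# specified services only" + "Use Kerberos only", scripted.
# Assumptions: RSAT ActiveDirectory module; account names from the post.
Import-Module ActiveDirectory

$FrontEnd = 'paswebapp'     # app pool account that will delegate
$BackEnd  = 'sql_analysis'  # Analysis Services account being delegated to

# The Delegation tab writes the back-end account's SPNs (not its name) into
# msDS-AllowedToDelegateTo on the front-end account.
$targetSpns = (Get-ADUser -Identity $BackEnd -Properties servicePrincipalName).servicePrincipalName
if (-not $targetSpns) { throw "$BackEnd has no SPNs registered; run Generate SPNs first." }

$current = (Get-ADUser -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'

# Merge and de-duplicate so a rerun after adding an SPN succeeds
# (-Add would fail on a value that already exists).
$merged = @($current) + @($targetSpns) | Where-Object { $_ } | Sort-Object -Unique

Set-ADUser -Identity $FrontEnd -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$merged }

# "Use Kerberos only": neither the unconstrained-delegation flag nor the
# protocol-transition flag (TRUSTED_TO_AUTH_FOR_DELEGATION) may be set.
Set-ADAccountControl -Identity $FrontEnd -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Show the result, which is what the ADSI Edit check below should also show.
(Get-ADUser -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```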
Checking Delegation with ADSI
Just as we checked SPNs with ADSI Edit, we can check our Kerberos Constrained Delegation there as well. The attribute that holds it is “msDS-AllowedToDelegateTo”.
Start ADSI Edit and go to each of the domain user accounts to check the delegation attribute. In our example, you would go to “paswebapp”.
Go to the user account properties –> Attribute Editor tab –> and scroll down to “msDS-AllowedToDelegateTo”.
Review the values. In this example, the SPNs that “paswebapp” is allowed to delegate to can be seen below. The “paswebapp” account was the application pool account used for the PAS application.
So the PAS application is constrained, via Kerberos, to the Analysis Services instance on “ReportMachine”. Note that the attribute lists SPNs, not accounts: the front-end account may delegate to the listed services, whichever account holds those SPNs, so keep the list to exactly the services needed. Remember also that delegation is directional. The “paswebapp” account delegating to the “sql_analysis” account is not the same as the “sql_analysis” account delegating to the “paswebapp” account.
Checking the msDS-AllowedToDelegateTo attribute on “paswebapp”.
For completeness, “sql_analysis” is shown even though its attribute is empty. That is what you expect: it is the back end and delegates to nothing.
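The same delegation check scripted for both accounts, as an added example (not code from the original post or the tool). Beyond reading msDS-AllowedToDelegateTo, it decodes the two userAccountControl bits that the Delegation tab radio buttons set, so you can confirm the account is constrained and Kerberos-only, and it finishes with a domain-wide listing of every account that has any delegation configured. It assumes RSAT and the account names from the post; the flag values are the documented userAccountControl bits:

```powershell
# Added example, not from the original post: audit delegation settings.
# Assumptions: RSAT ActiveDirectory module; account names from the post.
Import-Module ActiveDirectory

# userAccountControl bits set by the Delegation tab
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust ... for delegation to any service" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = [int]$u.userAccountControl
    [pscustomobject]@{
        Account             = $Identity
        Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo')
    }
}

foreach ($acct in 'paswebapp', 'sql_analysis') {
    $s = Get-DelegationState -Identity $acct
    $s | Format-List
    if ($s.Unconstrained) {
        Write-Warning "$acct is unconstrained: any user TGT it receives can be reused against any service."
    }
    if ($s.ProtocolTransition) {
        Write-Warning "$acct can request tickets for users without their credentials; the post's setting is Kerberos only."
    }
    if (-not $s.AllowedToDelegateTo) {
        Write-Host "$acct delegates to nothing (expected for the back end; delegation is directional)."
    }
}

# Domain-wide view: every account with constrained delegation configured, and
# every account with unconstrained delegation (the 1.2.840.113556.1.4.803 rule
# is the LDAP bitwise-AND matching rule).
Write-Host "`nAccounts with msDS-AllowedToDelegateTo set:"
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

Write-Host "`nAccounts with unconstrained delegation (should normally be domain controllers only):"
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" |
    Select-Object Name, ObjectClass
```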
Checking your work with the “Kerberos SPN Generation Setup Tool”.
After you have completed the constrained delegation, rerun the Generate SPNs process and look at the output on the “Delegation” tab. You will now see that the PAS application’s constrained delegation is in place (cell D8). Notice that the “Delegation Exists?*” column (column D) carries an “*”. The “*” tells you to check the delegation in Active Directory to make sure all of the attributes are correct; the process above walks you through how to do that.
Delegation Tab after the manual delegation is complete.
While this example is for the PAS application, the same approach is valid for other BI applications. Repeat this process for every delegation hop until your setup is complete.
What if you add more configuration later and you have to delegate again?
Do the delegation again and check that the attributes are correct (the general process is shown above). The msDS-AllowedToDelegateTo attribute is a static list of SPNs; it is not updated when you register a new SPN on the back-end account later. So if you add an SPN, you must either go through the Delegation tab again for each affected front-end account or add the new SPN directly to that account’s msDS-AllowedToDelegateTo attribute.
What additional features would you like to see in a Kerberos SPN setup tool? Leave your suggestions below.