The last post described the Delegation Process. Understanding that process is important in its own right, but the idea was to provide the background for this post on how to use the Kerberos SPN Generation Setup Tool Beta to identify which delegations are needed or missing. This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools. This post discusses the “Delegation Tab”. You can download the Kerberos SPN Generation Setup Tool Beta at FUTURESULTS, LLC.
It is assumed that you have completed the Generate SPNs process and that the Main Menu / Navigation screen looks something like the image below. Select “Delegation” to get to the Delegation tab.
Main Menu / Navigation – Delegation
For review purposes, we will use the ProClarity Analytics Server example and its corresponding ProClarity Delegation example.
“PAS Tab” entries are:
If we look at the “Delegation” tab, notice that the delegation needed does not exist (cell D8 below).
Delegation Tab Example (Prior to SPNs being Delegated).
You can follow the Delegation Process – PAS Example for the details of how to set up the delegation. After the delegation is complete, the “Delegation” tab should look like this.
Delegation Exists: (After SPNs were added and Delegation Process was completed)
Since there is a lot of detail on this page, I will break it up into three sections and discuss each separately.
Section 1: Proposed Application Server / Database Server Delegations
Based on the entries in the “Input Tabs” sections, Section 1 is completed for you. In this case, we have only entered information in the PAS application tab. You can see that the “Delegation” tab knows about the service accounts that were entered for the database / SSAS account and the PAS application server account. In this case, the “Delegation” is also complete. Note the “*” in the Delegation Exists column. It denotes that even when the delegation does exist, you will want to make sure all of its attributes are correct in Active Directory; the process for checking this is detailed in a previous post (Delegation Process – PAS Example). You can add any notes you wish in the “Notes” column. Section 1 is essentially calculated and completed for you, but you may elect to do some checking on delegations that already exist.
Section 1: Expanded View
Section 2: Delegations Currently in the Domain (for listed accounts)
This section documents the Kerberos Constrained Delegation itself. In other words, it shows you the SPNs that are constrained between two service accounts that exist on two different machines. You can use the individual input tabs to find out the details for each BI product used. In this example, it shows the service accounts from Section 1 along with the SPNs that were generated by the tool for the Database / SSAS service account (sql_analysis). This is really the heart of what I was trying to accomplish with the tool.
If any service account is listed in this section as “UNKNOWN”, it means that an existing delegation is set up for that service account but the account itself is not listed in the tool. You can solve this by putting the missing service account in the “Other Accounts” tab. When you rerun the “Generate SPNs” process, it will replace the “UNKNOWN” entry with the proper account. This may take several iterations if you have to guess at the missing account. It is important to have all of the accounts properly identified so that the tool can ensure that there are no “Duplicate SPNs”; it only performs this check for accounts that are listed in the tool.
The Front/Middle vs. Middle/Back account is reference nomenclature based on the proximity of the account to the user (Front) or database (Back). In this case, you could say that the paswebapp account (accessed directly from the user’s browser) is the “Front” account. This account interacts with sql_analysis, which is the service account for the database (the “Back” account). This nomenclature is typically used when thinking of a three-tiered architecture where the “Front” tier is the web server, the “Middle” tier is the application server, and the “Back” tier is the database server. In some cases there may be only two tiers. The point is that this nomenclature gives you some direction for the delegation, starting at the “Front” and working your way toward the “Back”. The actual designation of Front, Middle, or Back is not that important.
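As an added example, not code from the SPN Generation Setup Tool (the post does not show the tool's internals), the following PowerShell reproduces the bookkeeping behind Sections 1 and 2: it maps every constrained-delegation target SPN back to the account that registers it, reports the owner as UNKNOWN when that account is not among the listed ones, and flags SPNs registered on more than one account (the duplicate-SPN check). The account names paswebapp and sql_analysis come from the post; the host names, the stale_svc account and the SPN values are constructed placeholders, and the live query at the end assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not the tool's own code). Reproduces the Section 2 logic:
# delegated SPN -> owning account, UNKNOWN owners, and duplicate SPNs.

function Get-SpnOwnerMap {
    # Returns a map SPN -> owning sAMAccountName plus the list of SPNs that
    # are registered on more than one of the supplied accounts.
    param([Parameter(Mandatory)][object[]]$Accounts)

    $map        = @{}   # hashtable string keys compare case-insensitively, as AD does
    $duplicates = New-Object System.Collections.Generic.List[string]
    foreach ($acct in $Accounts) {
        foreach ($spn in $acct.servicePrincipalName) {
            if ($map.ContainsKey($spn)) {
                $key = $spn.ToLowerInvariant()
                if (-not $duplicates.Contains($key)) { $duplicates.Add($key) }
            } else {
                $map[$spn] = $acct.sAMAccountName
            }
        }
    }
    [pscustomobject]@{ Map = $map; Duplicates = $duplicates }
}

function Get-ConstrainedDelegationReport {
    # One row per (front account, delegated SPN): the account that owns the
    # target SPN (the "back" account), or UNKNOWN when the owner is not among
    # the listed accounts, and whether the SPN is duplicated.
    param([Parameter(Mandatory)][object[]]$Accounts)

    $owners = Get-SpnOwnerMap -Accounts $Accounts
    foreach ($acct in $Accounts) {
        foreach ($target in $acct.'msDS-AllowedToDelegateTo') {
            $owner = if ($owners.Map.ContainsKey($target)) { $owners.Map[$target] } else { 'UNKNOWN' }
            [pscustomobject]@{
                FrontAccount = $acct.sAMAccountName
                DelegatedSpn = $target
                BackAccount  = $owner
                DuplicateSpn = $owners.Duplicates.Contains($target.ToLowerInvariant())
            }
        }
    }
}

# Constructed sample standing in for AD objects. Property names match the
# ActiveDirectory module's output so the same functions run on live data.
$sampleAccounts = @(
    [pscustomobject]@{
        sAMAccountName             = 'paswebapp'      # "Front" account from the post
        servicePrincipalName       = @('HTTP/pasweb.example.local', 'HTTP/pasweb')
        'msDS-AllowedToDelegateTo' = @('MSOLAPSvc.3/ssashost.example.local',
                                       'MSOLAPSvc.3/ssashost',
                                       'HTTP/reports.example.local')   # owner not listed -> UNKNOWN
    },
    [pscustomobject]@{
        sAMAccountName             = 'sql_analysis'   # "Back" (SSAS) account from the post
        servicePrincipalName       = @('MSOLAPSvc.3/ssashost.example.local', 'MSOLAPSvc.3/ssashost')
        'msDS-AllowedToDelegateTo' = @()
    },
    [pscustomobject]@{
        sAMAccountName             = 'stale_svc'      # constructed: registers a duplicate SPN
        servicePrincipalName       = @('MSOLAPSvc.3/ssashost')
        'msDS-AllowedToDelegateTo' = @()
    }
)

Get-ConstrainedDelegationReport -Accounts $sampleAccounts | Format-Table -AutoSize

# Live query (RSAT ActiveDirectory module): every object that either registers
# an SPN or carries a constrained-delegation list.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $liveAccounts = Get-ADObject -LDAPFilter '(|(servicePrincipalName=*)(msDS-AllowedToDelegateTo=*))' `
        -Properties sAMAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    Get-ConstrainedDelegationReport -Accounts $liveAccounts | Format-Table -AutoSize
}
```

On the constructed sample the report shows the two MSOLAPSvc.3 targets resolving to sql_analysis (the short-name one flagged as a duplicate because stale_svc also registers it) and the HTTP/reports target as UNKNOWN, which is exactly the situation the post says you fix by adding the missing owner in the “Other Accounts” tab and rerunning “Generate SPNs”. The live query deliberately pulls every object with an SPN or a delegation list, since, as the post notes, the duplicate check is only as good as the set of accounts you feed it.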
Section 2: Expanded View
Section 3: Other Delegations Needed – Application Server / Application Server (http)
In a complex delegation, you may need a delegation between two applications that is not yet specified. In that case, you would specify the delegation between the applications here. In our simple example, this section is blank. To use this section, the applications must already be specified in the “Input Tabs”; you can only select delegations like this for applications that are defined in the tool, which then lets the tool check for these delegations. There is also a “Notes” section to record any additional delegations. Note that you can only specify “http” delegations in this section. If you need to define a delegation to a database, do so in one of the application input sections.
Section 3: Expanded View
What additional features would you like to see in a Kerberos SPN setup tool? Leave your suggestions below.