Kerberos SPN Generation Setup Tool – Other Accounts


The last post “Kerberos SPN Generation Setup Tool – MOSS 2007” reviewed how to enter information for Microsoft Office SharePoint Server (MOSS) 2007.  This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  This post covers how to enter information into the tool for Additional Accounts – the “OtherAccounts tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at .

What are Other Accounts?

The Kerberos SPN Generation Setup Tool essentially checks for duplicate SPNs.  It uses the same method as DHCheck.vbs.  There are several ways to check for duplicate SPNs (such as listing individual accounts or searching through every account in the entire forest).  If you have a large forest, searching through the entire user base takes a long time.  Because of this, the tool only checks for duplicate SPNs on accounts that are listed in one of the input spreadsheets.  If you have a more complex setup, or if you just want to check some other accounts, the OtherAccounts tab is where to list these additional accounts.

Complex Setups – Reasons to use Other Accounts

There are many setup variations for the Microsoft BI stack.  Here are a couple of examples of why you would use the “OtherAccounts” tab.  The reasons typically revolve around multiple instances of a technology type (e.g., SSRS, SSAS, …), multiple web sites (e.g., MOSS – Mysite, Portal, …), multiple data sources (SSRS, SSAS, …), or other Kerberos setup that you need to account for.

More than One Instance / Web Sites for a type of Technology (SSRS, SSAS, MOSS, …)

The tool supports one setup of each Technology type.  What if you had two SSRS 2008 instances to set up?  You would basically complete the first SPN generation process by filling out the SPN Generation Setup Tool workbook and generating SPNs, updating Active Directory, etc.  Once this process was complete, you would repeat the process for the SSRS 2008 section and update the appropriate Reporting Services – Service Account(s), machine names, etc.  You would then take the first account(s) and place them into the “OtherAccounts” tab.  The basic idea is to make sure that you have listed all of the accounts that you are using to set up Kerberos either in the specific sections for each type of technology setup or in the Other Accounts section.

Multiple Application Pools / Web Sites

In a previous post for MOSS setup, I mentioned that you might have multiple application pools (Portal, My Sites, WSS Sites, etc.) to worry about.  If this is true, it was assumed that each of these web sites will use a unique application pool and have unique URLs (http://portal, http://mysite, etc.).  The service accounts may or may not be different.  Basically, each of these sites has its own port specified, host header, and individual setup.  This is accomplished by using multiple SPN Generation Setup Tool workbooks.  You basically fill out the MOSS section for each individual setup and then run through the entire SPN generation process for each workbook.

You would list the prior MOSS accounts in the “OtherAccounts” tab.  In this example, we would use “MySitesWebApp” and “WSSWebApp” as the accounts that were used for the application pools above.  It is assumed that you have already completed workbooks for each of these two configurations and now you are completing the workbook for “MossWebApp” as in the previous example.  In this way, the SPN Generation Setup Tool will check for any duplicate SPNs listed across these accounts.  This process allows for each successive SPN generation to check for duplicate SPNs on prior application pool identities.  In other words, “MossWebApp” would be listed in the MOSS tab, and “MySitesWebApp” and “WSSWebApp” would be listed in the “OtherAccounts” tab.

Multiple Data Sources or Applications

What if you had multiple data sources for a single SSRS 2008 instance?  Again, use multiple SPN Generation Setup Tool workbooks to enter the information one at a time.  Enter the first data source service account “sql_service” and complete the workbook and SPN process.  Once the first SPN generation process is complete, you can enter the second data source service account “sql_service2” and its associated data into the SSRS 2008 worksheet and enter the first data source service account “sql_service” into the “OtherAccounts” tab.  This allows the second SPN generation process to check for duplicate SPNs on both the “sql_service” and “sql_service2” accounts.

Other Kerberos Setup

You can really list any account (user or machine) in the Other Accounts tab.  Again, the idea is to make sure that all accounts that deal with Kerberos are listed somewhere in the spreadsheet so that it can check for duplicate SPNs across all accounts used in setting up Kerberos.  You may want to list accounts that you have used from other product setups as well as prior installations.

OtherAccounts Tab Completed

The screen shot below shows an example of how to fill out the OtherAccounts tab.  This screen snapshot really just shows a sample entry.  I did use the accounts from this post for this example.

[Screenshot: Other Account Tab Entry]

Messages

Unlike the other sections, there are no input messages or “traffic light”.  This is an optional section and not needed unless you have a more complex setup.  The account names entered must be valid in the domain; otherwise a warning message will appear when you “Generate SPNs”.

SPNOutput and Delegation

Although I have not discussed these tabs yet, only accounts that are listed in the workbook will be shown in the Delegation tab.  In general, when SPNs are calculated and service accounts are associated, the account names may show up as “UNKNOWN” if the account is not listed somewhere in the workbook.  This is a good indicator that you haven’t listed all of the accounts that you need.  While this is not an error, it is suggested that you add the appropriate account(s) to the “OtherAccounts” tab so that you can have complete documentation for your setup.

Machine accounts can be useful to see SPNs that are typically generated automatically.  I usually list all of the machines in the BI setup in the OtherAccounts tab under Machine Accounts column.  This helps me document all of the machines in the BI setup and can be useful in some troubleshooting scenarios.
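
The scoped duplicate check described under “What are Other Accounts?” and the “UNKNOWN” owner behaviour described above, sketched in Python as an added example (this is not the tool's own code, which this post does not show).  Only the account names come from this post; the `setspn -L` text, the domain, the SPNs and the function names are constructed for illustration.

```python
# Added example: duplicate-SPN check limited to the accounts listed in a workbook.
# Account names are from the post; the SPNs and setspn text below are constructed.
from collections import defaultdict

SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=MossWebApp,OU=Svc,DC=example,DC=com:
\tHTTP/portal
\tHTTP/portal.example.com
Registered ServicePrincipalNames for CN=MySitesWebApp,OU=Svc,DC=example,DC=com:
\tHTTP/mysite
\tHTTP/PORTAL
Registered ServicePrincipalNames for CN=sql_service,OU=Svc,DC=example,DC=com:
\tMSSQLSvc/sql01.example.com:1433
"""

def parse_setspn(text):
    """Map account CN -> list of SPNs from concatenated `setspn -L` output."""
    spns, account = {}, None
    for line in text.splitlines():
        if line.startswith("Registered ServicePrincipalNames for "):
            dn = line.split(" for ", 1)[1].rstrip(":")
            account = dn.split(",", 1)[0].split("=", 1)[1]  # CN value of the DN
            spns[account] = []
        elif line.strip() and account is not None:
            spns[account].append(line.strip())
    return spns

def find_duplicates(spns_by_account):
    """Return {lowercased SPN: sorted accounts} for SPNs held by more than one account."""
    owners = defaultdict(set)
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners[spn.lower()].add(account)  # SPNs are compared case-insensitively
    return {s: sorted(a) for s, a in owners.items() if len(a) > 1}

def owner_of(spn, spns_by_account):
    """Account holding the SPN among the listed accounts, else 'UNKNOWN'."""
    for account, spns in spns_by_account.items():
        if spn.lower() in (s.lower() for s in spns):
            return account
    return "UNKNOWN"

if __name__ == "__main__":
    listed = parse_setspn(SETSPN_OUTPUT)
    print(find_duplicates(listed))
    print(owner_of("MSSQLSvc/sql02.example.com:1433", listed))
```

An SPN whose owning account was never listed cannot be matched, which is why it resolves to “UNKNOWN” here and why a duplicate on an unlisted account goes unreported.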

For more information about the tool, read the tool overview “Kerberos SPN Generation Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation Setup Tool.

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.
