Kerberos SPN Generation Setup Tool


This is the first installment for a series of blog posts that describe how to use the Kerberos SPN Generation Setup Tool Beta in terms of documenting and helping you plan and creates SPNs for Kerberos Constrained Delegation with Microsoft BI tools.  The following is the outline of this series.  I will update this post as I complete the individual segments.  You can download the Kerberos SPN Generation Setup Tool Beta at FUTURESULTS, LLC.

Rather than just complain about Microsoft not having an adequate Kerberos Setup Tool, I created one.  You can read my general series on Kerberos Constrained Delegation to get an idea of some of the setup items needed to successfully setup Kerberos Constrained Delegation.  The Kerberos SPN Generation Setup Tool Beta helps you plan and document your BI security setup.

The following shows a screen snapshot of the BI product SPNs that can be setup using the tool.  The goal of the tool is to help you generate unique SPNs needed for your setup.  It also helps you plan your delegations.  In general, the product allows you to export a batch file of unique SPNs that can be imported and ran on your Domain Controller.  The tool can be used to check for duplicate SPNs for select accounts and provide documentation for the future.  There is also an “Undo” file that can be used to remove the suggested SPNs should there be an issue.  There will be much more description throughout the remainder of this series.

Kerberos Setup Tool

Topics to explore are focused on how to set up SPNs and Kerberos Constrained Delegation in context of using the Kerberos SPN Generation Setup Tool Beta.

Overview

Input Tabs

SPN Generation – Kerberos SPN Generation Setup Tool – Generate SPNs (Updated 1/19/2010)

  • Generate SPNs
  • Export SPNs to Add
  • Export SPNs to Remove
  • Review SPN Information
  • Process of adding / removing SPNs from Domain Controller

Delegation

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.

Advertisements
This entry was posted in Kerberos, Microsoft BI, Microsoft BI - Security - Kerberos, Security, Security and tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

20 Responses to Kerberos SPN Generation Setup Tool

  1. Pingback: 2010 in review | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool Updated – Now Works with Active Directory 2008 and 2008R2. | FUTURESULTS, LLC Blog

  3. Pingback: Kerberos SPN Generation Setup Tool Overview | FUTURESULTS, LLC Blog

  4. Pingback: Kerberos SPN Generation Setup Tool – Generate SPNs | FUTURESULTS, LLC Blog

  5. Pingback: Kerberos SPN Generation Setup Tool – Delegation Tab | FUTURESULTS, LLC Blog

  6. Pingback: Kerberos SPN Generation Setup Tool – Delegation Process | FUTURESULTS, LLC Blog

  7. Pingback: Kerberos SPN Generation Setup Tool – Other Accounts | FUTURESULTS, LLC Blog

  8. Pingback: Kerberos SPN Generation Setup Tool – MOSS 2007 | FUTURESULTS, LLC Blog

  9. Pingback: Kerberos SPN Generation Setup Tool – PPS | FUTURESULTS, LLC Blog

  10. Pingback: Kerberos SPN Generation Setup Tool – PAS | FUTURESULTS, LLC Blog

  11. Pingback: Kerberos SPN Generation Setup Tool – SSAS 2008 | FUTURESULTS, LLC Blog

  12. Pingback: Kerberos SPN Generation Setup Tool – SSRS 2008 | FUTURESULTS, LLC Blog

  13. Pingback: Kerberos SPN Generation Setup Tool – Documentation, Instructions | FUTURESULTS, LLC Blog

  14. Pingback: Kerberos SPN Generation Setup Tool – Common Tab | FUTURESULTS, LLC Blog

  15. Pingback: Kerberos SPN Generation Setup Tool – SSRS 2005 | FUTURESULTS, LLC Blog

  16. mark blakey says:

    When I run this I get this error:

    Run-time error ‘-2147016646 (8007203a);

    Automation error
    The server is not operational.

  17. FUTURESULTS says:

    I’m sorry to hear that you have had an issue with the Kerberos SPN Generation Setup Tool. You are the first person that has reported this issue.

    In order to troubleshoot this issue, can you provide the following information for me:

    1. Email me a copy of the spreadsheet so I can review your entries.
    2. Approximately how many users are there in your Active Directory Domain?
    3. What version of Active Directory do you have (2003, 2008, …)? What functional level is it?
    4. Does the user account that you are using when running the tool have “Read” access to the entire Active Directory Domain?
    5. What version of Office are you using (Excel 2010, …)?
    6. What version of OS (Windows 7, …)?

  18. Erdöl BIRAMEN says:

    Hi, greaat utility but don’t you maintain it anymore? Aren’t there any updates planned for SQL Server 2012 and/or 2014?

    • FUTURESULTS says:

      Sorry, with claims and more setup choices, this makes the tool increasingly difficult to update. I also have changed jobs and I don’t have access to as many environments any more.

  19. TEST1 says:

    MIcrosoft now has standalone tool that does something similar called “Microsoft® Kerberos Configuration Manager for SQL Server®” If you google for that string it should come up.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s