
Introductions

Kerberos Authentication In Your BI Environment It’s Not Rocket Science (But Sometimes… It Feels Like It). Introductions. Colleen Barnitz Experience: Development and DBA work with SQL Server since version 6.5 Currently manage the development group at MVT Services. The Cook Book.

tmcintire

Presentation Transcript


  1. Kerberos Authentication In Your BI Environment: It’s Not Rocket Science (But Sometimes… It Feels Like It)

  2. Introductions Colleen Barnitz Experience: Development and DBA work with SQL Server since version 6.5 Currently manage the development group at MVT Services

  3. The Cook Book • Configure Kerberos Authentication for SharePoint 2010 Products • http://www.microsoft.com/en-us/download/details.aspx?id=23176 • http://bit.ly/MZ6evh • Microsoft Corporation • Published: July 2010 • Updated April 2012 • Author: Tom Wisnowski. Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, Pej Javaheri, Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, Prash Shirolkar, Norm Warren, Josh Zimmerman. (itspdocs@microsoft.com)

  4. Kerberos • Kerberos is a network authentication protocol • Name comes from… the three-headed dog figure from Greek mythology

  5. Three Heads 1. The Key Distribution Center (KDC) 2. The client user 3. The server hosting the service the client wants to access

  6. Kerberos Ticket Exchange

  7. Pros for Kerberos • Solves the “Double Hop” - Delegation of client credentials • More secure than NTLM - AES encryption, mutual authentication, data privacy, etc. • Potentially Better Performance • Less traffic to domain controller compared to NTLM

  8. BI Environment SSAS; SQL Sharepoint Client SSRS

  9. Service Principal Names (SPNs) • The name by which a client uniquely identifies an instance of a service. • You must register the SPN to be able to delegate. • SETSPN - the command line tool to manage SPNs

  10. Delegation • Basic • Can cross domain boundaries • Does not support protocol transition • Constrained • Cannot cross domain boundaries • Transitions non-Kerberos authentication protocols (NTLM to Kerberos) • Only delegates to specified services – More Secure

  11. SPNs for SharePoint Server web applications • SetSPN -S HTTP/Portal vmlab\svcportal10App • SetSPN -S HTTP/Portal.vmlab.local vmlab\svcportal10App

  12. Delegation on the service acct

  13. How To Set Up Delegation • Use the Active Directory Users and Computers snap-in. • Right-click the service account and open Properties. • Select the Delegation tab (it appears once the SPN has been registered). • On the Delegation tab, select: Trust this user for delegation to specified services only, • then select: Use any authentication protocol

  14. Delegation Tab for SP Service Account

  15. Register SQL Server Service Principals • Database engine: SetSPN -S MSSQLSVC/MySQLCluster.vmlab.local:1433 vmlab\svcSQL • SSAS: SetSPN -S MSOLAPSvc.3/MySQLCluster.vmlab.local vmlab\svcSQLAS

  16. Register SSRS Service Principals • SetSPN -S HTTP/FarmReports vmlab\svcSQLRS • SetSPN -S HTTP/FarmReports.vmlab.local vmlab\svcSQLRS

  17. SSRS Delegations on service accounts

  18. SharePoint Service Acct Delegation

  19. SSRS Service Acct Delegation • Add all the SQL Server and SSAS instances that your reports need to get data from. • Service Types: MSSQLSVC, MSOLAPSvc.3

  20. Troubleshooting • Useful Tools: • Netmon – create the trace file • Wireshark – load the trace file and filter • Filter: Kerberos • KRB-ERROR

  21. Troubleshooting • KerbTray • KerbTray is a free utility included with the Windows Server 2000 Resource Kit Tool • Installed on your client computer to view the Kerberos ticket cache. • Download and install from Windows 2000 Resource Kit Tool: Kerbtray.exe. Once you have it installed, perform the following actions: • Navigate to the web sites that use Kerberos Authentication. • Run KerbTray.exe. • View the Kerberos ticket cache by right-clicking the KerbTray icon in the system tray and selecting List Tickets.

  22. Troubleshooting • Take your time testing after changes!

  23. Resources • Configure Kerberos Authentication for SharePoint 2010 Products • http://bit.ly/MZ6evh

  24. Thank You from PASS www.sqlpass.org
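
After working through slides 9 to 19, a read-only check of what actually landed in Active Directory catches most configuration mistakes before you reach for a network trace. The script below is an added example, not part of the original deck: it assumes the RSAT ActiveDirectory PowerShell module, uses the lab account names from the slides, and its list of expected delegation targets is an assumption built from slides 15 and 19.

```powershell
# Added example (not from the deck): read-only check of the SPN and delegation
# settings described on slides 9-19. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: delegation targets for the SSRS account, built from the SPNs on
# slide 15 and the service types on slide 19. Adjust to your own instances.
$expectedTargets = @{
    'svcSQLRS' = @(
        'MSSQLSVC/MySQLCluster.vmlab.local:1433',
        'MSOLAPSvc.3/MySQLCluster.vmlab.local'
    )
}

$props = 'ServicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'

foreach ($name in 'svcportal10App', 'svcSQLRS') {
    $acct    = Get-ADUser -Identity $name -Properties $props
    # Filter out nulls so an unset attribute counts as zero entries.
    $spns    = @($acct.ServicePrincipalName | Where-Object { $_ })
    $targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $issues  = @()

    if ($spns.Count -eq 0) {
        $issues += 'no SPN registered (Delegation tab will not appear)'
    }
    if ($acct.TrustedForDelegation) {
        $issues += 'unconstrained delegation enabled; slides call for specified services only'
    }
    if ($targets.Count -eq 0) {
        $issues += 'no services listed for constrained delegation'
    }
    if (-not $acct.TrustedToAuthForDelegation) {
        $issues += '"Use any authentication protocol" (protocol transition) not set'
    }
    # String comparison is case-insensitive; a missing key yields no iterations.
    foreach ($t in $expectedTargets[$name]) {
        if ($targets -notcontains $t) { $issues += "missing delegation target: $t" }
    }

    [pscustomobject]@{
        Account = $name
        SPNs    = $spns -join '; '
        Targets = $targets -join '; '
        Issues  = if ($issues) { $issues -join ' | ' } else { 'none' }
    }
}
```

From a command prompt, setspn -L vmlab\svcSQLRS lists the same SPNs and setspn -X reports duplicate SPNs, which are a common cause of the KRB-ERROR responses mentioned on slide 20.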
