DBI304: Configuring Kerberos for Microsoft SharePoint 2010 BI in 7 Steps (SQL Server 2012)

Chuck Heinzelman, Senior Program Manager – BPD CX, Microsoft Corporation

www.sqlcat.com, chuck.heinzelman@microsoft.com, @SQLBoyWonder

Abstract
  • A top call generator for SharePoint BI is the configuration of Kerberos to allow user credentials to be passed to back end data sources. With Microsoft SQL Server 2012, Reporting Services will be fully integrated with SharePoint as a service. Come learn how to configure your environment. Learn how to discover what SPNs need to be set, how to configure Constrained Delegation, and how to troubleshoot potential issues.
Definitions
  • Kerberos
    • Authentication Protocol developed at MIT
  • Delegation
    • Granting your authority to someone else
  • Impersonation
    • I can “be” someone else
  • Authentication
    • Verification that I am who I say I am
  • Authorization
    • Verification that I have the rights to do what I want to do
Why Kerberos?
  • Delegate user credentials to a back end data source (double-hop issue)
  • Service Applications that would leverage Kerberos:
    • PerformancePoint
    • Excel Services
    • Reporting Services (SQL Server 2012 change)
7 Easy Steps!
  • Enable Kerberos on your SharePoint Web Application
  • Enable the Claims to Windows Token Service in SharePoint
  • Create an HTTP SPN for the account that is running the Portal application pool
  • Create a dummy SPN for the account that is running the service application
  • Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
  • Configure Constrained Delegation for the Service Application account to Analysis Services
  • Configure Constrained Delegation for the Application Server machine
Real-World Scenarios
  • Multiple Web Front Ends
  • Load Balanced URLs
  • Multiple Application Servers
  • Multiple Service Application Accounts
  • SQL Server Services
Multiple Web Front Ends / Load Balanced URLs
  • Set an HTTP SPN for Every URL
    • Each WFE (and FQDN)
    • Load Balancer URL
    • Don’t Forget Alternate Access Mappings
  • Remember to check for additional CNAME entries
Multiple Application Servers / Multiple Service Application Accounts
  • No service-specific SPN is required for the service applications
  • You will need to set up constrained delegation on the service account
    • You may need to set up a dummy SPN to enable the Delegation tab in Active Directory Users and Computers
  • Enable C2WTS on each server
SQL Server Services
  • Clustered SQL Server
    • Set the SPN on the VNN
  • Non-Default Instance of Analysis Services
    • SQL Browser service needs to be running
    • An SPN in the form MSOLAPDisco.3 is required for the service account under which the SQL Browser service is running
    • Standard MSOLAPSvc.3 SPN required as well
Related Content
  • Breakout Sessions (session codes and titles)
    • OSP201 – Business Intelligence in Microsoft Office and SharePoint 2010
    • OSP232 – 36 Terabytes: How Microsoft IT Manages SharePoint in the Enterprise
    • DBI402 – Deploying and Managing a PowerPivot for SharePoint Infrastructure Using Microsoft SQL Server 2012
    • DBI301 – Building Self-Service BI Applications Using PowerPivot
    • OSP339 – Advanced Microsoft SharePoint 2010 Upgrade Troubleshooting
    • DBI332 – Running Reporting Services in SharePoint Integrated Mode: How and Why
    • DBI306 – Tips and Tricks: Effectively Manage Your SharePoint Farm with BI
    • DBI327 – How to Extend Your SharePoint BI Dashboard to ALL Devices
    • OSP431 – Security Design with Claims-Based Authentication

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Breakout – Step 1
  • Enable Kerberos on your SharePoint Web Application
    • Central Administration | Application Management | Manage Web Applications | Authentication Providers
Breakout – Step 2
  • Enable Claims to Windows Token Service in SharePoint
    • Central Administration | System Settings | Manage Services on Server | Select “Start” on the Claims to Windows Token Service
Breakout – Step 3
  • Create an HTTP SPN for the account that is running the Portal application pool
    • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
    • Create an HTTP SPN for all applicable URLs
      • SetSPN -S HTTP/<Server> Domain\<Service Account>
      • SetSPN -S HTTP/<Server>.<FQDN> Domain\<Service Account>
      • Repeat the two commands above for every URL that can be used to access that web application (should match your AAM definitions)
Breakout – Step 4
  • Create a dummy SPN for the account that is running the service application (PerformancePoint, Excel Services & Reporting Services)
    • This is only necessary if the account running the service application is different from the HTTP service account
    • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
    • Create 1 dummy SPN per service
      • SetSPN -S PPS/<Server> Domain\<Service Account>
      • SetSPN -S RS/<Server> Domain\<Service Account>
Breakout – Step 5
  • Create an MSOLAPSvc.3 SPN for the service account running Analysis Services
    • Open an administrative command prompt as a user who is a Domain Admin (preferably from a Windows 2008R2 server)
    • Create MSOLAPSvc.3 SPNs
      • SetSPN -S MSOLAPSvc.3/<Server> Domain\<Service Account>
      • SetSPN -S MSOLAPSvc.3/<Server>.<FQDN> Domain\<Service Account>
Breakout – Step 6
  • Configure Constrained Delegation for the Service Application account to Analysis Services
    • Log onto the Domain Controller and open Active Directory Users and Computers
    • Locate the Service Application Account and edit the properties
    • Find the Delegation Tab
      • Select the option: Trust this user for delegation to specified services only
      • Select: Use any authentication protocol
      • Click the Add button
      • In the Add Services window, select “Users or Computers” and type in the name of the service account that is running Analysis Services
      • Highlight the service and select OK
Breakout – Step 7
  • Configure Constrained Delegation from the Application Server machine
    • Log onto the Domain Controller and open Active Directory Users and Computers
    • Locate the computer account for the Application Server
    • Find the Delegation Tab
      • Select the option: Trust this user for delegation to specified services only
      • Select: Use any authentication protocol
      • Click the Add button
      • In the Add Services window, select “Users or Computers” and type in the name of the service account that is running Analysis Services
      • Highlight the service and select OK
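
An added example, not part of the original slides: a PowerShell check that compares one account's SPNs and delegation targets with what Steps 3 to 7 intend, flagging unconstrained delegation and any delegation target beyond the Analysis Services SPNs. The account, server and domain names are constructed placeholders, and the sample object stands in for Get-ADUser / Get-ADComputer output from the ActiveDirectory module.

```powershell
# Added example. Names such as svc-pps, app01, ssas01 and sql01 are constructed.
function Test-KerberosAccount {
    param(
        [Parameter(Mandatory)] $Account,   # shaped like Get-ADUser / Get-ADComputer output
        [string[]] $ExpectedSpn = @(),     # SPNs the account must own (Steps 3-5)
        [string[]] $AllowedTarget = @()    # SPNs it may delegate to (Steps 6-7)
    )
    # Where-Object drops $null, so an unset attribute becomes an empty array.
    $have    = @($Account.servicePrincipalName | Where-Object { $_ })
    $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $findings = @()

    foreach ($spn in $ExpectedSpn) {
        if ($have -notcontains $spn) { $findings += "MISSING SPN: $spn" }
    }
    if ($AllowedTarget.Count -gt 0 -and $have.Count -eq 0) {
        $findings += 'NO SPN: the Delegation tab needs at least a dummy SPN (Step 4)'
    }
    if ($Account.TrustedForDelegation) {
        $findings += 'UNCONSTRAINED: trusted for delegation to any service'
    }
    if ($AllowedTarget.Count -gt 0 -and -not $Account.TrustedToAuthForDelegation) {
        $findings += 'PROTOCOL: "Use any authentication protocol" is not selected'
    }
    foreach ($t in $targets) {          # delegation wider than the plan
        if ($AllowedTarget -notcontains $t) { $findings += "EXTRA TARGET: $t" }
    }
    foreach ($t in $AllowedTarget) {    # delegation narrower than the plan
        if ($targets -notcontains $t) { $findings += "MISSING TARGET: $t" }
    }
    $findings
}

# Constructed sample. On a live domain, pass instead the output of:
#   Get-ADUser svc-pps -Properties servicePrincipalName, msDS-AllowedToDelegateTo,
#       TrustedForDelegation, TrustedToAuthForDelegation
$sample = [pscustomobject]@{
    SamAccountName             = 'svc-pps'
    servicePrincipalName       = @('PPS/app01')
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('MSOLAPSvc.3/ssas01', 'MSSQLSvc/sql01.contoso.local:1433')
}
Test-KerberosAccount -Account $sample -ExpectedSpn 'PPS/app01' `
    -AllowedTarget 'MSOLAPSvc.3/ssas01', 'MSOLAPSvc.3/ssas01.contoso.local'
```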