My post will cover Kerberos setup for a Small SharePoint 2010 farm using SQL Server Reporting Services 2012 (SSRS 2012) as an example.
High level requirements:
Step 2: Create SPNs for your Web Application Application Pool Account
Step 3: Create SPN for Reporting Services Service Application Application Pool Account
Step 4: Create SPNs for SQL Server Database Engine service account
Step 5: Configure delegation on Web Application Application Pool Account
Step 6: Configure delegation on Reporting Services Service Application Pool Account
Step 7: Configure Claims To Windows Token Service delegation
Step 8: Configure Claims To Windows Token Service delegation
--------------------------------------------------------------------------------------------------------------------------
Step 1: Enable Kerberos Authentication on your SharePoint Web Application
- Open Central Admin, select "Manage Web Application" under the "Manage Web Applications" section.
- Select your web application and click the Authentication Providers button in the Ribbon
- Select the default zone
- Change the IIS Authentication settings as per the screen shot below and save
- Start the Claims to Windows Token Service in Central Administration if it is not running!
Step 2: Create SPNs for you Web Application Application Pool Account
In this step we are going to create SPNs on the Application Pool account (identity) for the Web Application's host name.
- On your domain controller, open command prompt and use the commands below:
SetSPN -S http/gsp2010webf1.gdom.local gdom\svc_sp_ap
Note! All SharePoint Server web application, regardless of the port number, use the following SPN format:
- HTTP/<DNS HOST name>
- HTTP/<DNS FQDN>
In this step we create a dummy SPN for the SSRS Service Application's Applicatoin Pool account. This is required so that SharePoint can delegate authentication from the Web Application to the SSRS Service Application.
- On your domain controller, open command prompt and use the commands below:
Note! In this example I use sp/rs, but this can be anything as this is a dummy SPN.
Step 4: Create SPNs for SQL Server Database Engine service account
In this step we create SPNs on the SQL Database Engine service account (identity). This is required to setup contrained delegation for the SSRS Service Application to SQL Server.
- On your domain controller, open command prompt and use the commands below:
SetSPN -S MSSQLSvc/gsqlf1.gdom.local:1433 gdom\svc_sql_dbe
Step 5: Configure delegation on Web Application Application Pool Account
In this step we configure delegation on the Web Application Application Pool account. This account needs to be able to delegate to the SPN that we have created for the SSRS application pool in step 3.
- On your domain controller, open Active Directory Users and Computers
- Open your SharePoint App Pool account's properties
- Select "Trust this user for delgation to specified services only" (Constrained Delegation)
- Select "User any authentication protocol"
- Click add and search for the SSRS service account
- Select the SPN that was created for the account and add it.
Step 6: Configure delegation on Reporting Services Service Application Pool Account
In this step we configure delegation on the SharePoint SSRS Application Pool account. This account needs to be able to delegate to the SPN that we have created for the SQL Server database engine (DBE) service account in step 4.
- On your domain controller, open Active Directory Users and Computers
- Open your SSRS Application Pool account's properties
- Select the Delegation Tab
- Select "Trust this user for delgation to specified services only" (Constrained Delegation)
- Select "User any authentication protocol"
- Click add and search for the SQL DBE service account
- Select the SPN that was created for the account and add it.
Step 7: Configure Claims To Windows Token Service delegation
SharePoint internally uses claims authentication when "talking" to it's respective databases. The Claims to Windows Token Service (C2WTS) is reponsible for converting Claims to a Windows token so that we can talk to SQL.
By default, this account run as a Local System account. To setup delegation for your C2WTS you can either change this account to a domain service account and delegate to SQL from that account, or you can setup your delegation on the machine name that the C2TWS service is running on. In my example I've configured delegation on the machine name to reduce the admin overhead of managing another service account for SharePoint.
- On your domain controller, open Active Directory Users and Computers
- Under Computers, open your SharePoint server running the C2WTS
- Select the Delegation Tab
- Select "Trust this user for delgation to specified services only" (Constrained Delegation)
- Select "User any authentication protocol"
- Click add and search for the SQL DBE service account
- Select the SPN that was created for the account and add it.
Step 8: Grant SSRS Application Pool account access to Content Database
A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application’s service account access to the content databases for a given web application.
Run the PowerShell commands below to give your SSRS account access to the Content DB:
$w = Get-SPWebApplication -Identity http://gsp2010webf1
$w.GrantAccessToProcessIdentity("gdom\svc_sql_ssrs")
Note! Change the above URL and service account as configured on your environment.
No comments:
Post a Comment