Kerberos for SQL Server
… the easy way!
Please visit our Gold Sponsor stands,
we couldn't do it without you…
MCTS in SQL Server and SharePoint
Over a decade of Microsoft solution development and architecture
Lately focused on SQL Server 2012 BI in SharePoint Integrated Mode
I like dogs, especially big ones
Focus on SharePoint + SQL Server
Why Kerberos
Service Principal Names
Delegation options
Claims & Kerberos
Testing & Troubleshooting
Live Demo!
More secure, less DC load, interoperability...
Enables Delegation!
◦ Unified Security at data source level
◦ Data driven security
◦ Personalised reports
Diagram: client -> SP farm (or DB server) over NTLM or Kerberos; SP farm -> data source only via Kerberos delegation.
Diagram: 1st “hop”, client -> SP farm: any protocol (NTLM or Kerberos). 2nd “hop”, SP farm impersonating the user -> data source: Kerberos only!
Identify your data sources
Service Principal Names
Decide on your delegation
Constrained or not?
Set delegation type
Allow data sources to be delegated to
Easy, right?
Step 1: Service Principal Name
◦ What (Service) and
◦ Where (Computer or “Principal”) to connect to
Identifies the target
◦ Not the delegating service
◦ Certainly not the client
◦ The Data Source Service!
Step 1: Service Principal Name
<service class>/<NetBIOS>[:<port or instance>]
and/or (host identity)
<service class>/<FQDN>[:<port or instance>]
setspn.exe -S <SPN> <AccountName>
Service identity:
◦ Service account as <domain\username>
◦ or the Host account if the service runs as Local System
Example: Database service
◦ Service class: MSSQLSVC
◦ Host server: BI-SQL (NetBIOS) / BI-SQL.HADES.LOCAL (FQDN), port 49753
◦ Database service account identity: HADES\SQL-DB (domain HADES)
SETSPN -S MSSQLSVC/BI-SQL:49753 HADES\SQL-DB
OR, with the FQDN: MSSQLSVC/BI-SQL.HADES.LOCAL:49753
Example: Analysis Services
◦ Service class: MSOLAPSVC.3
◦ Host server: BI-SQL (NetBIOS) / BI-SQL.HADES.LOCAL (FQDN), instance UDM
◦ SSAS service account identity: HADES\SQL-SSAS (domain HADES)
SETSPN -S MSOLAPSVC.3/BI-SQL:UDM HADES\SQL-SSAS
OR, with the FQDN: MSOLAPSVC.3/BI-SQL.HADES.LOCAL:UDM
Example: SharePoint Portal (IIS server SP-WFE, the SharePoint WFE)
◦ Service class: HTTP
◦ Host: DNS “A” record OLYMPUS / OLYMPUS.HADES.LOCAL (FQDN), port 80
◦ Application pool identity: HADES\SP-PORTAL (domain HADES)
SETSPN -S HTTP/OLYMPUS HADES\SP-PORTAL
OR, with the FQDN: HTTP/OLYMPUS.HADES.LOCAL
Now I can see the Delegation tab!
Example: dummy SPN for the delegating account
◦ Arbitrary string naming a non-existing service
◦ Delegating account: HADES\SP-XLS-SVC (domain HADES, FQDN Hades.Local)
SETSPN -S DUMMYSPN HADES\SP-XLS-SVC
Step 1 recap
Identifies the target
Stored against target’s identity
Instance name for Analysis Services
Arbitrary SPN to show delegation tab
Don’t forget discovery services for SQL2005
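As an added example (not code from the slides), the following PowerShell builds the NetBIOS and FQDN SPN pair for each service in the deck's HADES.LOCAL lab and registers them with setspn; the service classes, hosts, port, instance and accounts are the slide values, while the dry-run switch and function names are assumptions.

```powershell
# Added example (not from the slides): register the NetBIOS and FQDN SPN pair
# for each service in the deck's HADES.LOCAL lab. Service classes, hosts,
# ports, instance and accounts are the slide values; the rest is assumed.
$domainFqdn = 'HADES.LOCAL'
$dryRun     = $true    # set to $false to actually write to AD

# One entry per service: class, host, optional port/instance, owning account.
# MSSQLSvc = database engine, MSOLAPSvc.3 = Analysis Services, HTTP = SharePoint.
$services = @(
    @{ Class = 'MSSQLSvc';    HostName = 'BI-SQL';  Suffix = '49753'; Account = 'HADES\SQL-DB' }
    @{ Class = 'MSOLAPSvc.3'; HostName = 'BI-SQL';  Suffix = 'UDM';   Account = 'HADES\SQL-SSAS' }
    @{ Class = 'HTTP';        HostName = 'OLYMPUS'; Suffix = $null;   Account = 'HADES\SP-PORTAL' }
)

function Get-SpnPair {
    param([string]$Class, [string]$HostName, [string]$Suffix, [string]$DomainFqdn)
    $tail = if ($Suffix) { ":$Suffix" } else { '' }
    # Clients may ask for either name form, so register both against the account.
    @("$Class/$HostName$tail", "$Class/$HostName.$DomainFqdn$tail")
}

function Register-Spn {
    param([string]$Spn, [string]$Account, [bool]$DryRun)
    if ($DryRun) { Write-Host "setspn -S $Spn $Account"; return }
    # -S refuses to add an SPN that already exists on another account; a duplicate
    # SPN is the classic reason Kerberos fails and the client silently drops to NTLM.
    setspn -S $Spn $Account
}

foreach ($svc in $services) {
    foreach ($spn in (Get-SpnPair $svc.Class $svc.HostName $svc.Suffix $domainFqdn)) {
        Register-Spn -Spn $spn -Account $svc.Account -DryRun $dryRun
    }
}

# Arbitrary SPN on the delegating account so ADUC shows its Delegation tab.
Register-Spn -Spn 'DUMMYSPN' -Account 'HADES\SP-XLS-SVC' -DryRun $dryRun

if (-not $dryRun) {
    setspn -X                      # forest-wide search for duplicate SPNs
    setspn -L 'HADES\SP-XLS-SVC'   # list what is now registered on the account
}
```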
Step 2: Delegation type
Constrained
◦ Only if allowed
Basic (unconstrained)
◦ To any service
Step 2: Basic vs Constrained
Basic
◦ Delegates to any service
◦ Cross-domain delegation
◦ No protocol transition
◦ Any service can use
◦ Can precede constrained
Constrained
◦ Most require
◦ More secure
◦ Only delegates if allowed!
◦ Only within a domain
Diagram: constrained delegation. Client (NTLM) -> SharePoint farm -> data source (Kerberos), with SSRS and the domains MSFT.com, contoso.MSFT.com and pintoso.MSFT.com shown; callouts: “No Trust is OK!”, “Constrained delegation works!”
Diagram: basic delegation across domains (contoso.MSFT.com and pintoso.MSFT.com). Client (NTLM or Basic Kerberos) -> SharePoint farm -> data source (Basic Kerberos); callout: “Must have Two Way Trust”
Step 2: which one to use
Use Basic for
◦ SSRS (SQL Reporting Services) to connect to another domain
◦ When security is not critical
Use Constrained for
◦ Any other case!
Diagram: delegating account (SP farm) -> data source (SPN account); the first hop is NTLM or Kerberos.
Step 3: Set delegation type
Add a dummy SPN to the Delegating account to bring up the delegation tab in ADUC:
◦ Screenshot callout: allows trust for constrained delegation
◦ Screenshot callout: enables protocol transition for SharePoint
Select allowed SPNs:
◦ Use the ADUC delegation tab
◦ Locate the SPN’s account
◦ Click to select the SPNs to add
Step 4: SPN’s account
ADSIEdit (easier):
◦ Same string as in the SETSPN statement
PowerShell:
◦ Not for wimps
◦ Active Directory Module: Set-ADObject, Get-ADObject, Set-KCD
CMD (document):
◦ ldifde
Set your SPNs (inc Dummy and Browser 2005)
Use “KerberosHelper.xlsx” from www.data-united.co.uk
Decide: Basic or Constrained?
Set delegation type
Add Allowed SPNs (for constrained)
Test that it works, sit back and relax!
Let me know if it doesn't work
www.data-united.co.uk
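An added example, not from the slides, that performs steps 2 to 4 with the Active Directory module instead of ADUC: constrained delegation with protocol transition for the HADES\SP-XLS-SVC delegating account to the SQL and SSAS SPNs from step 1. The account and SPN values are the deck's; the function names and the choice of Set-ADAccountControl / Set-ADUser are assumptions.

```powershell
# Added example (not from the slides): steps 2-4 with the Active Directory
# module rather than ADUC. Account and SPN names are the deck's lab values;
# function names and cmdlet choices are assumptions.
Import-Module ActiveDirectory

$delegatingAccount = 'SP-XLS-SVC'
# Data-source SPNs the farm may delegate to (NetBIOS and FQDN form of each).
$allowedSpns = @(
    'MSSQLSvc/BI-SQL:49753',  'MSSQLSvc/BI-SQL.HADES.LOCAL:49753',
    'MSOLAPSvc.3/BI-SQL:UDM', 'MSOLAPSvc.3/BI-SQL.HADES.LOCAL:UDM'
)

function Set-ConstrainedDelegation {
    param([string]$Account, [string[]]$Spns)
    # Constrained = "Trust this user for delegation to specified services only".
    # TrustedToAuthForDelegation = "Use any authentication protocol", i.e. protocol
    # transition, which SharePoint needs because the first hop is NTLM or claims.
    # TrustedForDelegation $false makes sure Basic (unconstrained) is switched off.
    Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $true
    # -Replace overwrites the allowed list; use -Add to append to an existing one.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $Spns }
}

function Get-DelegationSettings {
    param([string]$Account)
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
    $u = Get-ADUser -Identity $Account -Properties $props
    [pscustomobject]@{
        Account            = $u.SamAccountName
        Unconstrained      = $u.TrustedForDelegation          # should be False
        ProtocolTransition = $u.TrustedToAuthForDelegation    # should be True
        AllowedTo          = @($u.'msDS-AllowedToDelegateTo')
        SPNs               = @($u.servicePrincipalName)       # DUMMYSPN from step 1
    }
}

Set-ConstrainedDelegation -Account $delegatingAccount -Spns $allowedSpns
Get-DelegationSettings -Account $delegatingAccount | Format-List
```

Constrained delegation configured this way only works within one domain, as the slides note; the cross-domain SSRS case is the one place the deck reserves for Basic.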
Claims to Windows Token Service (C2WTS)
◦ SharePoint protocol transition:
Diagram: client -> SharePoint Web Frontend (NTLM or Kerberos) -> STS issues claims -> SharePoint Application Server presents the UPN claim to C2WTS and receives a Windows token -> Kerberos delegation! -> Data Source
Starts automatically
Depends on Cryptographic Service
◦ sc config c2wts depend= CryptSvc
Service Identity is trusted for delegation
◦ Local System by default (and should stay that way)
◦ If changed to Windows Identity, must be a local admin
Claims-aware services are allowedCallers
◦ c2wtshost.exe.config
Use Rodney Viana's little tool c2WTSTest.exe
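An added check script (not the talk's code and not Rodney Viana's tool) that reads back the C2WTS settings listed above on a SharePoint application server; the service name c2wts and the CryptSvc dependency come from the slides, while the config path (the default Windows Identity Foundation location) and the WSS_WPG caller group are assumptions.

```powershell
# Added example (not from the slides): verify the C2WTS settings the slides
# call out. Config path and the WSS_WPG caller group are assumptions.
$configPath     = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$expectedCaller = 'WSS_WPG'   # SharePoint app pool accounts are members of this local group

function Test-C2wtsService {
    $svc = Get-WmiObject Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { return [pscustomobject]@{ Installed = $false } }
    [pscustomobject]@{
        Installed      = $true
        State          = $svc.State
        StartMode      = $svc.StartMode            # slide: starts automatically
        RunsAs         = $svc.StartName            # slide: LocalSystem, keep it that way
        # slide: sc config c2wts depend= CryptSvc
        DependsOnCrypt = ((sc.exe qc c2wts) -join ' ') -match 'CryptSvc'
    }
}

function Get-C2wtsAllowedCallers {
    param([string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    # allowedCallers lives under <configuration><windowsTokenService>; only the
    # identities listed there may ask C2WTS to turn a UPN claim into a Windows token.
    @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
}

$svcInfo = Test-C2wtsService
$svcInfo | Format-List
if ($svcInfo.Installed) {
    $callers = Get-C2wtsAllowedCallers -Path $configPath
    if ($callers -notcontains $expectedCaller) {
        Write-Warning "$expectedCaller is not in allowedCallers; SharePoint services will not get a Windows token"
    }
    if ($svcInfo.RunsAs -ne 'LocalSystem') {
        Write-Warning "C2WTS runs as $($svcInfo.RunsAs); that identity must be a local admin and trusted for delegation"
    }
    if (-not $svcInfo.DependsOnCrypt) {
        Write-Warning 'C2WTS does not depend on CryptSvc; it may start before the Cryptographic Service'
    }
}
```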
“NT Authority/Anonymous” is no more!
Profiler shows your login
Test every service against every data source
SSRS
15 character limit on Windows NetBIOS names
Open port 88 on the firewall
SPN for SQL 2005 browser/discovery services
Sensitive client account
Enable Kerberos logging (don’t forget about it!)
Registry hack http://support.microsoft.com/kb/262177
Check Kerberos errors in Event log on SP App server and client
ULS log (SP App server with Verbose)
Use Event log, Kerbtray and Kerberos helper tools to check for common errors
Use Klist –purge to re-test Kerberos
Use dcdiag to check SPNs
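An added example, not from the slides, that scripts the checks above on a client or SharePoint application server: enable Kerberos logging per KB262177, purge tickets, test the sensitive-account, NetBIOS-length and port 88 gotchas, and pull recent Kerberos errors from the System event log. The user name zeus is a constructed sample and the function names are assumptions.

```powershell
# Added example (not from the slides). Registry key and value are from KB262177;
# account and host names are the deck's lab values; everything else is assumed.
Import-Module ActiveDirectory

function Enable-KerberosLogging {
    # LogLevel=1 writes Kerberos client errors to the System event log.
    # Set it back to 0 when done (the slide's "don't forget about it!").
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name LogLevel -Value 1 -Type DWord
}

function Test-KdcPort {
    param([string]$Dc, [int]$Port = 88)
    # Port 88 to a DC must be open, or the client silently falls back to NTLM.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Dc, $Port); $true } catch { $false } finally { $tcp.Close() }
}

function Test-KerberosPrereqs {
    param([string]$ClientUser, [string]$TargetHost)
    $user = Get-ADUser -Identity $ClientUser -Properties AccountNotDelegated
    [pscustomobject]@{
        # "Account is sensitive and cannot be delegated" breaks the 2nd hop for this user.
        SensitiveAccount = [bool]$user.AccountNotDelegated
        # NetBIOS names over 15 characters are truncated, so the SPN will not match.
        HostNameTooLong  = $TargetHost.Length -gt 15
        KdcReachable     = Test-KdcPort -Dc (Get-ADDomain).PDCEmulator
    }
}

function Get-RecentKerberosErrors {
    param([int]$Last = 20)
    # Kerberos client errors, e.g. KDC_ERR_S_PRINCIPAL_UNKNOWN when an SPN is missing.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
        -MaxEvents $Last -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Enable-KerberosLogging
klist purge    # drop cached tickets so the next request is a clean test
# Browse to the site, then run klist: a ticket for HTTP/OLYMPUS should be listed.
Test-KerberosPrereqs -ClientUser 'zeus' -TargetHost 'BI-SQL' | Format-List   # zeus: constructed sample user
Get-RecentKerberosErrors | Format-Table -Wrap
```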
After…
Sponsor Competition
Draws in the Exhibition Hall 17:15
Community Events
SQL Saturday Edinburgh 7/8 June
www.sqlsaturday.com/202/
SQL Relay
17/27 June www.sqlrelay.co.uk
SQL Saturday Dublin
21/22 June www.sqlsaturday.com/229/
SQL Saturday Cambridge 27 September www.sqlsaturday.com/228/
UK User Groups
All the time www.sqlserverfaq.com
Please complete feedback
http://sqlbits.com/SQLBitsXIThursday
http://sqlbits.com/SQLBitsXIFriday
http://sqlbits.com/SQLBitsXISaturday
http://sqlbits.com/SQLBitsXI (General feedback)
We hope you had a great conference day!
Keep checking www.sqlbits.com for slides, videos and news of the next conference
#SQLBITS
Kerberos: authentication protocol
Principal – a computer in the Kerberos protocol, usually the target
UPN: user principal name
FQDN: Fully Qualified Domain Name
WCF: Windows Communication Foundation (.NET)
C2WTS: WCF service granting windows token for a UPN claim
How the Kerberos Version 5 Authentication Protocol Works
http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
http://technet.microsoft.com/en-us/library/gg502594.aspx
Kerberos Guide for SharePoint 2013
http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
Kerberos Blog and Resources
www.data-united.co.uk
Kerberos using PowerShell
http://blog.msresource.net/2012/07/12/fim-service-principal-names-and-kerberos-delegation/
Troubleshooting C2WTS by Rodney Viana
http://blogs.msdn.com/b/rodneyviana/archive/2011/07/19/troubleshooting-claims-towindows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-don-t-know-whereto-start.aspx
Kerberos Professional Services
www.data-united.co.uk
Command Prompt
◦ List all Kerberos tickets on the principal (a ticket must be present for the URL, otherwise NTLM is used):
Klist
◦ Purge Kerberos tickets (run on all principals to avoid a reboot/wait):
Klist –purge
◦ List all msDS-AllowedToDelegateTo properties for a single account (only computers with ):
ldifde -f c:\temp\filename.txt -d "CN=SA_SVC_C2WTS,OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
◦ List all msDS-AllowedToDelegateTo properties for all accounts in an OU:
ldifde -f c:\temp\filename.txt -d "OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo