Kerberos for SQL Server and SharePoint … the easy way
About me
Dmytro Andriychenko: Dmytro@data-united.co.uk, +44 775 878 1262
- SQL Server BI and SharePoint professional (MCSE, MCTS, etc.)
- Nearly two decades of working with data
- Lately focused on Microsoft BI solution design and architecture
- I like dogs, especially big ones, hence Kerberos
DON'T PANIC: what's it going to be?
Focus on SharePoint -> SQL Server delegation:
- Why Kerberos
- Service Principal Names
- Delegation
- Claims & Kerberos
- Testing & troubleshooting
- Live demo!
Kerberos: why bother?
Diagram: client -> SP farm or DB server (NTLM or Kerberos) -> delegation -> data source.
- More secure, less DC load, interoperability...
- Enables delegation!
- Unified security at data source level
- Facilitates compliance with GDPR
- Facilitates security attestation
- Data-driven security
- Facilitates personalised reports
Notes: Delegation lets you control Windows security at the data source level, once for all data consumers across the various reporting technologies. Having security governed at data source level allows fine-grained permissions: down to object level in the database and to cell level in the cube. It allows seamless personalisation without compromising security, and easier development of personalised reports, because you know exactly who the user is at the data source level.
Kerberos delegation
Diagram: client -> SP farm (1st "hop": NTLM or Kerberos, any protocol) -> impersonate user -> data source (2nd "hop": Kerberos only!).
Notes: So when do we need Kerberos delegation? This diagram shows a classic double-hop situation. The client authenticates to a SharePoint farm server and then accesses a document with an external data source connection. On refresh, SharePoint attempts to connect to the external data source. Since the data source is not local to the farm, SharePoint must use some
This is all it takes (after all but Kerberos is already working):
- Identify your data source services
1. Service Principal Names
2. Configure delegation in AD
3. Grant local privileges (for delegation)
4. Ensure Claims to Windows transition (C2WTS)
Notes:
- Install all the software with Active Directory service accounts.
- Set SPNs, including arbitrary SPNs for services requiring delegation to be configured (e.g. Excel Services). Don't forget to add SPNs for the SQL Browser discovery service when you establish a connection to a named instance of SQL Server 2005 Analysis Services or Database Services, http://support.microsoft.com/kb/950599 (service classes MSOLAPDisco and MSSQLBrowser).
- Configure constrained delegation for the SP service: use the ADUC (dsa.msc) Delegation tab of the service identity to configure the delegation type and add the SPNs to delegate to (constrained delegation on 2008 functional level domains). For pre-2008 domains use ADSIEdit to add the target SPNs to the msDS-AllowedToDelegateTo attribute of the service identity. Use PowerShell in large-scale configurations or development environments.
Easy, right?
SPN: where is my service? (step 1)
Service Principal Name: what (service) and where (computer or "principal") to connect to.
- Identifies the target: the data source service!
- Not the delegating service
- Certainly not the client
- Only one SPN required within the domain (NetBIOS)
- Computer FQDN for cross-domain Kerberos
Notes: A Service Principal Name helps Kerberos find the service and the computer (principal). Two SPNs can be recorded for the same service: one is mandatory, the second is optional. The first resolves connections from within the same domain, the other serves clients from across domains. "Fake" or arbitrary SPNs are set up for non-existing services/accounts just to be able to display the Delegation tab in an account's properties in Active Directory Users and Computers.
So, how you gonna do it? (step 1)
Service Principal Name syntax:
  <service class>/<NetBIOS>[:<port or instance>]
  or <service class>/<FQDN>[:<port or instance>]
Register it against the service identity:
  setspn.exe -S <SPN> <AccountName>
Service identity: the service account as <domain\username>, or the host (computer) account if the service runs as Local System.
Notes:
- Service class is a string that identifies the general class of service, for example "SqlServer". There are well-known service class names, such as "www" for a web service or "ldap" for a directory service. In general, this can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name. The string is not processed during authentication; it is purely informational (it identifies what type of service it is).
- Computer name is the NetBIOS name of the computer that runs the service, or the DNS A record name for an HTTP connection.
- Port must be specified if it is not the default: you do not need to specify the port for HTTP connections on port 80 or for connections to default instances of SQL Server on port 1433.
- For Analysis Services the instance name MUST BE USED instead of the port number. This works well with dynamic port allocation.
- Mind the 15 character limit on Microsoft NetBIOS names!
Remember, it is all about the target!
SetSpn1: SQL Server Database Engine (step 1)
Diagram (Hades.Local): domain name Hades.Local, host server NetBIOS BI-SQL (FQDN BI-SQL.Hades.Local), port 49753, database service account identity HADES\SQL-DB, database service class MSSQLSVC.
  SETSPN -S MSSQLSVC/BI-SQL:49753 HADES\SQL-DB
  or, in the FQDN form: SETSPN -S MSSQLSVC/BI-SQL.HADES.LOCAL:49753 HADES\SQL-DB
Notes environment:
- FQDN: contoso.msft.com
- Service name: MSSQLSVC
- SQL Server service account: SQLSVR-SVC
- SQL Server host A-name (or cluster resource group name in case of a clustered instance): SQLSVR
- SQL Server instance port (only needed if not running on the default port 1433): 64352
Mandatory: SETSPN -S MSSQLSVC/SQLSVR:64352 contoso\SA_BI_SQLSVR
Additional, for cross-domain authentication: SETSPN -S MSSQLSVC/P_BI_SQLSVR.contoso.msft.com:64352 contoso\SA_BI_SQLSVR
I want it easy! (step 1)
- Let your domain admin install your SQL Server
- Use Active Directory Managed Service Accounts
- Use Kerberos Configuration Manager
Notes environment (Analysis Services):
- FQDN: contoso.msft.com
- Service name: MSOLAPSvc.3
- SQL Server service account: SA_BI_SQLUDM
- SQL Server host A-name (or cluster resource group name in case of a clustered instance): P_BI_SQLAS_UDM
- SQL Server instance name (only needed if not running on the default port 2383): UDM
Mandatory: SETSPN -S MSOLAPSvc.3/P_BI_SQLASUDM:UDM contoso\SA_BI_SQLSVR
Additional, for cross-domain authentication: SETSPN -S MSOLAPSvc.3/P_BI_SQLASUDM.contoso.msft.com:UDM contoso\SA_BI_SQLSVR
If you are using a named instance of Analysis Services, note that you cannot specify a port after the colon. If you do, it is interpreted as part of the host name or domain name. Instead, you must use the actual instance name for all functionality to work correctly.
Discovery service: an SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of the SQL Server 2005 database engine, http://support.microsoft.com/kb/950599: MSOLAPDisco.3/serverHostName
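Added example, not a script from the deck: a PowerShell function that turns the SPN rules of the last three slides (service class, NetBIOS plus FQDN forms, port only when non-default, instance name rather than port for named Analysis Services instances, the 15 character NetBIOS limit, discovery SPN for named instances) into the setspn commands, so they can be reviewed before a domain admin runs them. The function name and parameters are my own; the sample calls use the deck's Hades.Local and AD.DataUnited.co.uk values.

```powershell
# Added example: generate setspn commands from the slide's SPN rules.
# Not the deck's script; function name and parameters are assumptions.
function New-SpnPlan {
    param(
        [Parameter(Mandatory)][ValidateSet('SqlEngine', 'AnalysisServices', 'Http')][string]$Kind,
        [Parameter(Mandatory)][string]$HostName,    # NetBIOS name, or the DNS A record for HTTP
        [Parameter(Mandatory)][string]$DomainFqdn,  # appended for the cross-domain (FQDN) SPN
        [Parameter(Mandatory)][string]$Account,     # service account, or host account for Local System
        [string]$Instance,                          # named instance (SSAS: goes into the SPN)
        [int]$Port                                  # only needed when not on the default port
    )
    # NetBIOS names are limited to 15 characters (one of the "Gotcha" items)
    if ($Kind -ne 'Http' -and $HostName.Length -gt 15) {
        throw "NetBIOS name '$HostName' is longer than 15 characters"
    }
    $suffix = ''
    switch ($Kind) {
        'SqlEngine' {
            $class = 'MSSQLSvc'
            # default instance on 1433 needs no suffix; otherwise the port, or the instance name
            if ($Port -and $Port -ne 1433) { $suffix = ":$Port" }
            elseif ($Instance)             { $suffix = ":$Instance" }
        }
        'AnalysisServices' {
            $class = 'MSOLAPSvc.3'
            # named SSAS instances use the instance NAME, never a port number
            if ($Instance) { $suffix = ":$Instance" }
        }
        'Http' {
            $class = 'HTTP'
            # port 80 is the default and is omitted
            if ($Port -and $Port -ne 80) { $suffix = ":$Port" }
        }
    }
    # mandatory in-domain SPN first, then the optional FQDN form for cross-domain clients
    $spns = @("$class/$HostName$suffix", "$class/$HostName.$DomainFqdn$suffix")
    if ($Instance) {
        # named instances are located through the Browser/discovery service (KB 950599, SQL 2005
        # named instances); that service gets its own SPN on the host name, without port or instance
        $disco = if ($Kind -eq 'AnalysisServices') { 'MSOLAPDisco.3' } else { 'MSSQLBrowser' }
        $spns += "$disco/$HostName", "$disco/$HostName.$DomainFqdn"
    }
    foreach ($spn in $spns) { "setspn -S $spn $Account" }
}

# Constructed calls using the deck's own demo values (SetSpn1 slide and the demo cube)
New-SpnPlan -Kind SqlEngine -HostName 'BI-SQL' -DomainFqdn 'HADES.LOCAL' -Account 'HADES\SQL-DB' -Port 49753
New-SpnPlan -Kind AnalysisServices -HostName 'OLAP' -DomainFqdn 'AD.DataUnited.co.uk' -Account 'AD\svcSQL' -Instance 'DIM'
```

The function only prints commands; nothing is written to AD until someone with the right to do so runs them.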
SetSpn5: Arbitrary SPN (step 1)
Where is that Delegation tab?!
Diagram (Hades.Local): delegating account HADES\SP-XLS-SVC, arbitrary string DUMMY/SPN, non-existing service.
  SETSPN -S DUMMY/SPN HADES\SP-XLS-SVC
SetSPN for HTTP (step 1)
- Required to authenticate using Kerberos to the WFE
- Different in IIS 6 and IIS 7: kernel mode authentication
SetSpn3: SharePoint Portal Site, IIS 6 or IIS 7 non-kernel mode (default) (step 1)
Diagram (Hades.Local): IIS server (SharePoint WFE) SP-WFE, SharePoint portal application pool identity SP-PORTAL, DNS "A" record OLYMPUS, port 80.
  Site name: SETSPN -S HTTP/OLYMPUS HADES\SP-PORTAL
  or, in the FQDN form: SETSPN -S HTTP/OLYMPUS.HADES.LOCAL HADES\SP-PORTAL
Notes: Purpose: Kerberos authentication to the SharePoint web front end (WFE). This is not necessary for the delegation to succeed, but is best practice from a security perspective.
Notes environment:
- FQDN: contoso.msft.com
- Service name: http
- IIS application pool identity: SA_BI_SP_APP
- DNS forward lookup zone A-name: CONTOSOBI
Mandatory: SETSPN -S http/CONTOSOBI contoso\SA_BI_SP_APP
Additional, for cross-domain authentication: SETSPN -S http/CONTOSOBI.contoso.msft.com contoso\SA_BI_SP_APP
Kernel-mode authentication (step 1)
- IIS 7 default
- Done by HTTP.sys under Local System
- SPNs are set only for the IIS computer
- Easier, faster: best practice
- Application pool identity is not normally used... unless useAppPoolCredentials="true" in applicationhost.config
SetSpn4: SharePoint Portal Site, IIS 7 kernel mode (step 1)
Diagram (Hades.Local): IIS host (SharePoint WFE) SP-WFE, SharePoint portal application pool identity SP-PORTAL, DNS "A" record OLYMPUS, port 80. In kernel mode the SPNs are registered against the IIS host's computer account, in both the NetBIOS and the FQDN form:
  SETSPN -S HTTP/OLYMPUS HADES\SP-WFE
  SETSPN -S HTTP/OLYMPUS.HADES.LOCAL HADES\SP-WFE
Notes: purpose and contoso environment as on the SetSpn3 slide (Kerberos authentication to the WFE; not necessary for the delegation to succeed, but best practice from a security perspective).
SPN: lessons learned (step 1)
- Identifies the target, the service to connect to
- Registered against the identity of that service, as a Service Principal Name attribute of the account in AD
- Use the instance name instead of the port number for named instances of Analysis Services
- Don't use the app pool identity in kernel mode
- Set up an arbitrary SPN to bring up the Delegation tab for the delegating service account
Delegation (step 2)
Diagram: client -> SP farm (delegating account) -> data source (SPN account); both hops labelled "NTLM or Kerberos".
Notes: as on the Kerberos delegation slide above (the classic double hop).
Configure delegation: Active Directory (AD) (step 2)
- Add a dummy SPN to the delegating account to bring up the Delegation tab in AD Users & Computers (ADUC)
- Allow trust for constrained delegation
- Enable protocol transition for SharePoint
Notes: Use "Active Directory Users and Computers" to set "Trust for delegation to specified services only" with "Any authentication protocol", which allows protocol transition. This must be configured for the service account used for the IIS application pool of the delegating service. If it is running as Local System, the computer account must be used instead.
Add "Allowed Services" in ADUC (step 2)
Select allowed SPNs:
- Use the ADUC Delegation tab
- Locate the SPN's account
- Click to select the SPNs to add
Notes: There are two things I personally find confusing about this. First, you need to look up SPNs using the service account you have registered the SPNs for, not the host where the service is running. Second, once you have located your SPNs using the service account in the Add Services dialogue box, you need to click on the SPNs to select the ones you want to add (or click "Select All") and only then click OK. Otherwise it adds nothing.
Other ways of adding allowed services (step 2)
- ADSIEdit (easier): edit the attribute "msDS-AllowedToDelegateTo"; the values are the same strings as in the SETSPN statements
- PowerShell: Active Directory module (Get-ADObject / Set-ADObject, Set-KCD); requires the AD feature to be installed. System.DirectoryServices (.NET) is available out of the box
- CMD (document/verify only): ldifde
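Added example, not a script from the deck: configuring constrained delegation with protocol transition through the ActiveDirectory module, the PowerShell route the slide mentions. It writes the same msDS-AllowedToDelegateTo strings you would type into setspn, refuses to stack constrained on top of basic delegation (the slides note the two do not combine), and reads the attribute back for verification. The function name and parameters are my own; it needs the RSAT AD feature and rights to edit the account.

```powershell
# Added example: set constrained delegation with protocol transition through the
# ActiveDirectory module (RSAT AD feature required). Not the deck's script;
# function name and parameters are assumptions.
Import-Module ActiveDirectory

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$DelegatingAccount,  # sAMAccountName, e.g. SP-XLS-SVC
        [Parameter(Mandatory)][string[]]$TargetSpn,        # target SPNs, same strings as used with setspn
        [switch]$ProtocolTransition                        # "any authentication protocol" (needed for C2WTS)
    )
    $acct = Get-ADUser -Identity $DelegatingAccount `
        -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, ServicePrincipalNames

    # Basic (unconstrained) and constrained are alternatives: refuse to mix them silently
    if ($acct.TrustedForDelegation) {
        throw "$DelegatingAccount is trusted for unconstrained delegation; clear that before constraining"
    }
    # ADUC only shows the Delegation tab for accounts that have an SPN (the "arbitrary SPN" trick)
    if (-not $acct.ServicePrincipalNames) {
        Write-Warning "$DelegatingAccount has no SPN; ADUC will not show its Delegation tab"
    }
    # Only add what is missing, so re-running the function is safe
    $existing = @($acct.'msDS-AllowedToDelegateTo')
    $missing  = @($TargetSpn | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADUser -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
    if ($ProtocolTransition) {
        # TRUSTED_TO_AUTH_FOR_DELEGATION: lets the service obtain Kerberos tickets for users who
        # reached it over another protocol (NTLM, or claims turned into a token by C2WTS)
        Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true
    }
    # Return what is now in the directory so the caller can verify the result
    (Get-ADUser -Identity $acct -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
}

# Constructed call with the deck's Hades.Local values: the Excel Services account
# delegating to the SQL Server Database Engine SPNs from the SetSpn1 slide
Set-ConstrainedDelegation -DelegatingAccount 'SP-XLS-SVC' -ProtocolTransition `
    -TargetSpn 'MSSQLSvc/BI-SQL:49753', 'MSSQLSvc/BI-SQL.HADES.LOCAL:49753'
```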
Configure delegation: local privileges (step 3)
For Windows AD service accounts (not Local System), use secpol.msc to grant:
- Act as part of the operating system
- Impersonate a client after authentication
- Log on as a service
The delegating account needs permissions to the databases of the SharePoint web applications:
  $w = Get-SPWebApplication -Identity http://SP2016
  $w.GrantAccessToProcessIdentity("AD\svc-sp-ssrs")
Allow Kerberos authentication (Negotiate) on the SharePoint site address for the delegating service identity.
... and don't just blame Kerberos (step 4)
Claims to Windows Token Service (C2WTS): SharePoint protocol transition
Diagram: client -> SharePoint web front end (NTLM or Kerberos) -> STS issues claims -> SharePoint application server, where C2WTS turns the UPN claim into a Windows token -> data source (Kerberos delegation!).
Notes: Initial authentication can be NTLM or Kerberos. Kerberos is preferable, but NTLM can be used by a client in another domain with no trust across domains. The authenticated user is issued a claims token, used to authenticate within SharePoint to all claims-aware services. C2WTS extracts the UPN from that token and issues a Windows token for that user to the service. The SharePoint service, such as Excel Services, then uses that Windows token to delegate the user's credentials to the data source service using the Kerberos protocol.
C2WTS checklist (step 4)
- Starts automatically (default)
- Depends on the Cryptographic Service: sc config c2wts depend= CryptSvc
- Service identity is trusted for delegation
- Local System by default (and should stay that way). If changed to a Windows identity, it must be a local admin and have additional local policy rights: Act as part of the operating system, Impersonate a client after authentication, Log on as a service
- Delegating services are allowedCallers in c2wtshost.exe.config
- To test, use Rodney Viana's tool c2WTSTest.exe
Notes: Kerberos often gets the blame when it is in fact C2WTS that is not working. SSRS 2012 is now claims aware, so there is no need to install the SQL Server SSRS component on the WFE in an n-tier architecture: a huge saving! It is possible to change C2WTS back to Local System if it fails to work with an AD identity, but remember to tell SharePoint first:
  Get-SPServiceInstance | Where {$_.TypeName.StartsWith("Claims")} | ForEach-Object {$_.Service.ProcessIdentity.CurrentIdentityType = 0; $_.Service.ProcessIdentity.Update(); $_.Service.ProcessIdentity.Deploy()}
So, what do I do again?
- Set your SPNs (inc. arbitrary and Browser 2005)
- Use Microsoft Kerberos Configuration Manager
- Configure delegation in Active Directory
- Grant local privileges (delegating service)
- Claims to Windows Token Service
- Test working, sit back and relax!
Let us know if it doesn't work.
Notes: as on the "This is all it takes" slide.
Testing Kerberos
- "NT Authority/Anonymous" is no more!
- Profiler shows your login (SSAS)
- Test every service against every data source (SSRS...)
- Klist output on the client/app server must have a ticket for the target URL/computer
Notes: The data source must see the user account of the actual user, not "NT Authority/Anonymous", stored credentials or a service identity: SSAS, SSRS and the Secure Store provide alternative means of tackling the double hop.
Gotcha!
- 15 character limit on Windows NetBIOS names
- Open port 88 on the firewall
- SPN for SQL 2005 Browser/discovery services
- IIS 7 kernel mode
- Sensitive client account
Notes: If the server name exceeds the 15 character limit, configuring Kerberos becomes a real pain. Please consider being less verbose. Please remember to configure Service Principal Names for the SQL Browser service and/or the Analysis Services discovery service for SQL Server 2005. Make sure the "Account is sensitive and cannot be delegated" option for the user account whose credentials are to be delegated is not checked, otherwise delegation is not possible.
Troubleshooting Kerberos
- Enable Kerberos logging (don't forget about it!): registry hack http://support.microsoft.com/kb/262177, no reboot required
- Check Kerberos errors in the event log on the SP app server and the client
- Microsoft Kerberos Configuration Manager: generate and test SPNs and delegation settings
- Microsoft Message Analyser (fka Net Monitor) or Wireshark: filter Kerberos packets (KerberosV5) and look at the actual SPNs requested
- ULS log (SP app server, verbose) for C2WTS
- Event log, Kerbtray, dcdiag and Kerberos helper: check errors
Notes: Switch on verbose logging for the SharePoint service and look out for critical and unexpected events. Use Klist -purge on all principals to avoid rebooting the servers (helps if you are domain admin and there is only one DC).
Diagnostics:
  dcdiag /s:dc2.fabrikam.com /v /c > dcdiag.txt
  dcdiag /test:checksecurityerror
SPN syntax reference: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
Demo time!
Demo setup
- Hypervisor: Hyper-V
- Domain name: AD.DataUnited.co.uk
- SQL Server 2016 host name: OLAP; tabular instance: default; cube instance name: DIM; DW DB: default
- SharePoint Server: SP2016
- SSRS 2016: svc-sp-ssrs
- Excel Services: svc-sp-xls
- Office Online Server (fka OWA): OOS
Demo SPN setup
Diagram: domain AD.DataUnited.co.uk (FQDN AD.DataUnited.co.uk), host server NetBIOS OLAP, one account for all services (svcSQL), tabular instance default, DB port 1433 (default), cube instance name DIM, Analysis Services service class MSOLAPSVC.3.
  Cube:    SETSPN -S MSOLAPSVC.3/OLAP:DIM AD\svcSQL
  Tabular: SETSPN -S MSOLAPSVC.3/OLAP AD\svcSQL
  DW DB:   SETSPN -S MSSQLSVC/OLAP AD\svcSQL
Notes: as on the "I want it easy!" slide (Analysis Services SPN rules and the discovery service SPN).
Glossary
- Kerberos: authentication protocol
- Principal: a computer in the Kerberos protocol, usually the target
- UPN: user principal name
- FQDN: fully qualified domain name
- WCF: Windows Communication Foundation (.NET)
- C2WTS: WCF service granting a Windows token for a UPN claim
Links: getting started
- Kerberos Guide for SharePoint 2013: http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/
- Kerberos for SSRS in SharePoint integrated mode: https://blogs.technet.microsoft.com/sharepoint_-_inside_the_lines/2013/05/28/sharepoint-2013-with-ssrs-2012-and-constrained-delegation/
- Setting up Excel Services in OOS 2016 including C2WTS and Kerberos: https://whitepages.unlimitedviz.com/2016/01/adding-excel-services-capabilities-to-a-sharepoint-2016-farm/
- How the Kerberos Version 5 Authentication Protocol Works: http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx
- Overview of Kerberos authentication for Microsoft SharePoint 2010 Products: http://technet.microsoft.com/en-us/library/gg502594.aspx
- Kerberos blog and resources: www.data-united.co.uk
Links: serious business
- Kerberos using PowerShell: http://blog.msresource.net/2012/07/12/fim-service-principal-names-and-kerberos-delegation/
- Troubleshooting C2WTS by Rodney Viana: http://blogs.msdn.com/b/rodneyviana/archive/2011/07/19/troubleshooting-claims-to-windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-don-t-know-where-to-start.aspx
- Kerberos professional services: www.data-united.co.uk
Scripting tips: command prompt
List all Kerberos tickets on the principal (a ticket must be present for the URL, otherwise NTLM is used):
  klist
Purge Kerberos tickets (run on all principals to avoid reboot/wait):
  klist -purge
List the msDS-AllowedToDelegateTo property for a single account (only computers with ):
  ldifde -f c:\temp\filename.txt -d "CN=SA_SVC_C2WTS,OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
List the msDS-AllowedToDelegateTo property for all accounts in an OU:
  ldifde -f c:\temp\filename.txt -d "OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
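Added example, not a script from the deck, covering the "Testing Kerberos" slide and the klist tip above: a PowerShell function that parses the "Server:" lines of klist output and reports, per target SPN, whether a ticket is cached (no ticket means the connection fell back to NTLM). The function name is my own; the sample klist text is constructed with the deck's Hades.Local values.

```powershell
# Added example: check the local ticket cache for the target SPNs. Not the deck's script;
# function name is an assumption. By default it runs klist; a captured text can be passed in.
function Test-KerberosTicket {
    param(
        [Parameter(Mandatory)][string[]]$TargetSpn,   # e.g. 'MSSQLSvc/BI-SQL:49753'
        [string[]]$KlistOutput = (klist 2>&1)         # klist text; defaults to running klist now
    )
    # klist prints one "Server: <spn> @ <REALM>" line per cached ticket
    $cached = foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)\s*@') { $Matches[1] }
    }
    foreach ($spn in $TargetSpn) {
        # SPNs are case-insensitive; the realm part has already been dropped by the regex
        $found = $cached | Where-Object { $_ -ieq $spn }
        [pscustomobject]@{
            Spn       = $spn
            HasTicket = [bool]$found
            Note      = if ($found) { 'Kerberos ticket cached' }
                        else        { 'No ticket: verify the SPN, klist -purge, reconnect and re-check' }
        }
    }
}

# Constructed sample of klist output (a real run lists the real tickets)
$sample = @(
    '#0>     Client: alice @ HADES.LOCAL',
    '        Server: krbtgt/HADES.LOCAL @ HADES.LOCAL',
    '#1>     Client: alice @ HADES.LOCAL',
    '        Server: MSSQLSvc/BI-SQL:49753 @ HADES.LOCAL'
)
Test-KerberosTicket -TargetSpn 'MSSQLSvc/BI-SQL:49753', 'HTTP/OLYMPUS' -KlistOutput $sample
```

Run it without -KlistOutput on the client or app server after opening the report, under the identity that made the connection, since each logon session has its own ticket cache.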
Delegation options (step 2)
Basic (unconstrained): to any service and across domains.
Constrained: only if allowed, and only within a domain.
Notes:
Basic (unconstrained)
- Only some services can use it (e.g. SSRS)
- Delegation is not restricted (no need to specify a set of SPNs for the delegating service)
- Allows cross-domain Kerberos authentication for some services (e.g. Reporting Services)
Constrained
- Any SharePoint service app can use it, and some require it (Excel, PerformancePoint, etc.)!
- More secure (delegation is restricted)
- Cannot be followed by basic in protocol transition
Constrained or not (basic)? (step 2)
Constrained:
- Any service can use it; most require it
- More secure: only delegates if allowed!
- Only within a domain
Basic (unconstrained):
- Delegates to any service
- Cross-domain delegation (SSRS)
- No protocol transition
- Can precede constrained
Notes: as on the "Delegation options" slide.
... speaking of domain boundaries (step 2)
Diagram: forest MSFT.com with domains contoso.MSFT.com and sintoso.MSFT.com, domain boundary between them. Client (NTLM) -> SharePoint farm -> data source (Kerberos). No trust is OK: constrained delegation works!
Trust is a must (step 2)
Diagram: MSFT.com, contoso.MSFT.com, sintoso.MSFT.com. Client -> SharePoint farm (NTLM or basic Kerberos) -> data source in the other domain (basic Kerberos ONLY). Must have a two-way trust.
So, which one then? (step 2)
Use basic for:
- SSRS (SQL Reporting Services) to connect to another domain
- When security is not that critical
Use constrained for:
- Any other case!
Notes: as on the "Delegation options" slide.