… the easy way! Image © Wikimedia CC. Please visit our Gold Sponsor stands, we couldn't do it without you…

Presentation transcript:


- MCTS in SQL Server and SharePoint
- Over a decade of Microsoft solution development and architecture
- Lately focused on SQL Server 2012 BI in SharePoint Integrated Mode
- I like dogs, especially big ones

Agenda:
- Focus on SharePoint + SQL Server
- Why Kerberos
- Service Principal Names
- Delegation options
- Claims & Kerberos
- Testing & Troubleshooting
- Live Demo!

Why Kerberos:
- More secure, less DC load, interoperability...
- Enables delegation!
  - Unified security at data source level
  - Data-driven security
  - Personalised reports
Diagram: Client --(NTLM or Kerberos)--> SP Farm or DB server --(Kerberos delegation)--> Data Source

Diagram: Client --(1st "hop": any protocol, NTLM or Kerberos)--> SP Farm --(2nd "hop": Kerberos only! Impersonate user)--> Data Source

Steps:
- Identify your data sources
- Service Principal Names
- Decide on your delegation: constrained or not?
- Set delegation type
- Allow data sources to be delegated to
Easy, right?

- Service Principal Name
  - What (service) and
  - Where (computer or "principal") to connect to
- Identifies the target
  - Not the delegating service
  - Certainly not the client
  - The data source service!
(Step 1)

- Service Principal Name
  - <service class>/<NetBIOS host>[:<port or instance>] and/or
  - <service class>/<FQDN>[:<port or instance>]
  - Registered with setspn.exe -S
- Service identity:
  - Service account, or
  - Host account (host identity) if running as Local System
(Step 1)

Example: SQL Server database engine on host server BI-SQL (NetBIOS) / BI-SQL.HADES.LOCAL (FQDN), TCP port 49753, domain HADES, database service account SQL-DB:
  SETSPN -S MSSQLSVC/BI-SQL:49753 HADES\SQL-DB
  (service class MSSQLSVC, host BI-SQL; OR the FQDN BI-SQL.HADES.LOCAL in place of the NetBIOS name)

Example: Analysis Services instance UDM on host server BI-SQL (NetBIOS) / BI-SQL.HADES.LOCAL (FQDN), domain HADES, SSAS service account SQL-SSAS:
  SETSPN -S MSOLAPSVC.3/BI-SQL:UDM HADES\SQL-SSAS
  (service class MSOLAPSVC.3, host BI-SQL, instance UDM; OR the FQDN BI-SQL.HADES.LOCAL in place of the NetBIOS name)

Example: SharePoint portal on IIS server SP-WFE (SharePoint WFE host server), published under the DNS "A" record OLYMPUS / OLYMPUS.HADES.LOCAL (FQDN), port 80, domain HADES, application pool identity SP-PORTAL:
  SETSPN -S HTTP/OLYMPUS HADES\SP-PORTAL
  (service class HTTP, host name OLYMPUS as in the DNS record; OR the FQDN OLYMPUS.HADES.LOCAL in place of the NetBIOS name)
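The three SETSPN examples above follow one pattern: service class, host name (NetBIOS and/or FQDN), optional port or instance, registered against the account the service runs as. The script below is an added example written for this transcript, not the presenter's own code; it builds both name forms for each service and registers them with setspn.exe -S, which refuses to add a duplicate. Host names, ports and accounts are the deck's HADES sample values; the New-SpnPair and Register-ServiceSpn function names are this example's own.

```powershell
# Added example (not from the slides): build and register the SPNs for the
# SQL engine, the SSAS instance and the SharePoint web application above.
# Sample values (HADES domain, BI-SQL, OLYMPUS, ports) are the deck's; replace with yours.
# Requires setspn.exe (ships with Windows) and rights to write servicePrincipalName.

function New-SpnPair {
    param(
        [Parameter(Mandatory)] [string] $ServiceClass,   # e.g. MSSQLSvc, MSOLAPSvc.3, HTTP
        [Parameter(Mandatory)] [string] $NetBiosHost,    # e.g. BI-SQL (or the DNS A record name for HTTP)
        [Parameter(Mandatory)] [string] $DnsDomain,      # e.g. hades.local
        [string] $PortOrInstance                         # e.g. 49753 or UDM; empty for HTTP on port 80
    )
    $suffix = if ($PortOrInstance) { ":$PortOrInstance" } else { '' }
    # Register both the NetBIOS and the FQDN form: the client asks for a ticket
    # for the name exactly as it typed it, so a missing form silently falls back to NTLM.
    @(
        "$ServiceClass/$NetBiosHost$suffix",
        "$ServiceClass/$NetBiosHost.$DnsDomain$suffix"
    )
}

function Register-ServiceSpn {
    param(
        [Parameter(Mandatory)] [string[]] $Spn,
        [Parameter(Mandatory)] [string]   $Account     # DOMAIN\account the service runs as (not the WFE computer)
    )
    foreach ($s in $Spn) {
        # -S checks the forest for a duplicate before adding; a duplicate SPN
        # is the classic cause of Kerberos working on one client and not another.
        & setspn.exe -S $s $Account
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn failed for $s on $Account (exit code $LASTEXITCODE); find the other holder with: setspn -Q $s"
        }
    }
}

# Database engine: service class MSSQLSvc, host BI-SQL, TCP port 49753, runs as HADES\SQL-DB
$sqlSpns = New-SpnPair -ServiceClass 'MSSQLSvc' -NetBiosHost 'BI-SQL' -DnsDomain 'hades.local' -PortOrInstance '49753'
Register-ServiceSpn -Spn $sqlSpns -Account 'HADES\SQL-DB'

# Analysis Services named instance UDM, runs as HADES\SQL-SSAS
$ssasSpns = New-SpnPair -ServiceClass 'MSOLAPSvc.3' -NetBiosHost 'BI-SQL' -DnsDomain 'hades.local' -PortOrInstance 'UDM'
Register-ServiceSpn -Spn $ssasSpns -Account 'HADES\SQL-SSAS'

# SharePoint web application answering on the DNS A record OLYMPUS (port 80 needs no suffix);
# the SPN goes on the application pool identity, not on the web front-end computer account.
$httpSpns = New-SpnPair -ServiceClass 'HTTP' -NetBiosHost 'OLYMPUS' -DnsDomain 'hades.local'
Register-ServiceSpn -Spn $httpSpns -Account 'HADES\SP-PORTAL'

# Read back what AD now holds for each account (setspn -L needs no AD module).
foreach ($acct in 'SQL-DB', 'SQL-SSAS', 'SP-PORTAL') {
    & setspn.exe -L "HADES\$acct"
}
```

Run it once from an elevated prompt as a domain account with write access to the three service accounts; re-running is safe because -S skips SPNs that already exist on the same account and reports duplicates held elsewhere instead of creating a second copy.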

Dummy SPN on the delegating account SP-XLS-SVC (domain HADES, FQDN Hades.Local):
  SETSPN -S DUMMYSPN HADES\SP-XLS-SVC
  (DUMMYSPN is an arbitrary string naming a non-existing service)
- Now I can see the Delegation tab!

SPN summary:
- Identifies the target
- Stored against the target's identity
- Instance name for Analysis Services
- Arbitrary SPN to show the Delegation tab
- Don't forget discovery services for SQL 2005
(Step 1)

Delegation options:
- Basic (unconstrained)
  - To any service
- Constrained
  - Only if allowed
(Step 2)

- Basic
  - Delegates to any service
  - Cross-domain delegation
  - No protocol transition
  - Can precede constrained
- Constrained
  - Any service can use
  - Most require
  - More secure
  - Only delegates if allowed!
  - Only within a domain
(Step 2; diagram label: SSRS)

Diagram (constrained): Client in MSFT.com, SharePoint Farm in pintoso.MSFT.com, Data Source in contoso.MSFT.com; labels: Kerberos, NTLM, "No trust is OK!", "Constrained delegation works!"

Diagram (basic): Client in MSFT.com, SharePoint Farm in pintoso.MSFT.com, Data Source in contoso.MSFT.com; labels: Basic Kerberos, NTLM or Basic Kerberos, "Must have two-way trust"

- Use Basic for
  - SSRS (SQL Reporting Services) to connect to another domain
  - When security is not critical
- Use Constrained for
  - Any other case!
(Step 2)

Diagram: Client --(NTLM or Kerberos)--> SP Farm (delegating account) --> Data Source (SPN account)

- Add a dummy SPN to the delegating account to bring up the Delegation tab in ADUC:
  - Allows trust for constrained delegation
  - Enables protocol transition for SharePoint
(Step 3)

- Select allowed SPNs:
  - Use the ADUC Delegation tab
  - Locate the SPN's account
  - Click to select the SPNs to add
(Step 4)

Alternatives to the Delegation tab:
- ADSIEdit (easier):
  - Same string as in the SETSPN statement
- PowerShell:
  - Not for wimps
  - Active Directory module: Set-ADObject, Get-ADObject, Set-KCD
- CMD (document):
  - ldifde
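Steps 3 and 4 above (trust the delegating account for constrained delegation with protocol transition, then list the allowed target SPNs) can be done with the Active Directory module instead of the ADUC tab. The script below is an added example for this transcript, not the presenter's code: it uses Get-ADUser, Set-ADUser and Set-ADAccountControl from the Active Directory module (not the Set-KCD cmdlet the slide lists), writes the same SPN strings used in the SETSPN statements into msDS-AllowedToDelegateTo, and reads the result back. The account and SPN values are the deck's HADES samples; the Set-ConstrainedDelegation function name is this example's own.

```powershell
# Added example (not from the slides): configure constrained delegation with
# protocol transition for a delegating account via the ActiveDirectory module.
# Account and SPN names are the deck's HADES sample values; adjust to your farm.

Import-Module ActiveDirectory

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string]   $DelegatingAccount,  # sAMAccountName, e.g. SP-XLS-SVC
        [Parameter(Mandatory)] [string[]] $AllowedSpn,          # target SPNs, same strings as in setspn -S
        [switch] $ProtocolTransition                             # "use any authentication protocol"; needed for C2WTS
    )
    $acct = Get-ADUser -Identity $DelegatingAccount -Properties msDS-AllowedToDelegateTo, servicePrincipalName

    # ADUC only shows the Delegation tab once the account carries at least one SPN;
    # for a pure delegating account the deck registers a dummy one.
    if (-not $acct.servicePrincipalName) {
        Write-Warning "$DelegatingAccount has no SPN; register one (e.g. setspn -S DUMMYSPN) or ADUC will not show the Delegation tab"
    }

    # Add only the SPNs not already present, so the function can be re-run safely.
    $missing = @($AllowedSpn | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADUser -Identity $DelegatingAccount -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }

    # TrustedForDelegation is the *unconstrained* (basic) flag: keep it off.
    # TrustedToAuthForDelegation switches the constrained delegation from
    # "Kerberos only" to "any authentication protocol" (protocol transition).
    $pt = [bool]$ProtocolTransition
    Set-ADAccountControl -Identity $DelegatingAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $pt

    # Return the resulting state so it can be checked (or compared against the ldifde export).
    Get-ADUser -Identity $DelegatingAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
}

# The Excel Services account may delegate only to the SQL engine and the SSAS instance on BI-SQL,
# in both the NetBIOS and the FQDN form, matching the SPNs registered with setspn.
$allowed = @(
    'MSSQLSvc/BI-SQL:49753', 'MSSQLSvc/BI-SQL.hades.local:49753',
    'MSOLAPSvc.3/BI-SQL:UDM', 'MSOLAPSvc.3/BI-SQL.hades.local:UDM'
)
Set-ConstrainedDelegation -DelegatingAccount 'SP-XLS-SVC' -AllowedSpn $allowed -ProtocolTransition
```

The returned object should show TrustedForDelegation False, TrustedToAuthForDelegation True and the four SPNs; if a target SPN is misspelt here, delegation to that data source simply fails, which is the "only delegates if allowed" behaviour the deck describes.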

Checklist:
- Set your SPNs (inc. Dummy and Browser 2005)
  - Use "KerberosHelper.xslx"
- Decide: Basic or Constrained?
- Set delegation type
- Add allowed SPNs (for constrained)
- Test working, sit back and relax!
- Let me know if it doesn't work

- Claims to Windows Token Service (C2WTS)
  - SharePoint protocol transition: Kerberos delegation!
Diagram: Client --(NTLM or Kerberos)--> SharePoint Web Frontend --(STS, claims)--> SharePoint Application Server [C2WTS: UPN claim -> Windows token] --(Kerberos delegation)--> Data Source

C2WTS:
- Starts automatically
- Depends on Cryptographic Service
  - sc config c2wts depend= CryptSvc
- Service identity is trusted for delegation
  - Local System by default (and should stay that way)
  - If changed to a Windows identity, must be a local admin
- Claims-aware services are allowedCallers
  - c2wtshost.exe.config
- Use Rodney Viana's little tool c2WTSTest.exe
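The C2WTS checklist above (automatic start, CryptSvc dependency, service identity, allowedCallers) can be verified on an application server without opening the services console. The script below is an added example for this transcript, not the presenter's or Microsoft's code; it assumes the default Windows Identity Foundation 3.5 location of c2wtshost.exe.config and its windowsTokenService/allowedCallers section, and the Test-C2wtsConfig function name is this example's own.

```powershell
# Added example (not from the slides): check the C2WTS prerequisites on a
# SharePoint application server. The config path is the default WIF 3.5 location;
# pass -ConfigPath if your installation differs.

function Test-C2wtsConfig {
    param(
        [string] $ConfigPath = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
    )
    $result = [ordered]@{}

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'"
    if (-not $svc) { throw 'c2wts service not found; is the Claims to Windows Token Service installed?' }
    $result.State     = $svc.State
    $result.StartMode = $svc.StartMode     # expected: Auto ("starts automatically")
    $result.RunsAs    = $svc.StartName     # expected: LocalSystem; a domain identity must be a local admin

    # Service dependencies: the deck adds CryptSvc so c2wts cannot start before the crypto subsystem.
    $deps = Get-CimInstance -ClassName Win32_DependentService |
        Where-Object { $_.Dependent.Name -eq 'c2wts' } |
        ForEach-Object { $_.Antecedent.Name }
    $result.DependsOnCryptSvc = @($deps) -contains 'CryptSvc'

    # allowedCallers: the Windows identities (app pool accounts / groups) permitted to ask for a token.
    if (Test-Path -Path $ConfigPath) {
        [xml]$cfg = Get-Content -Path $ConfigPath -Raw
        $callers = $cfg.SelectNodes('//windowsTokenService/allowedCallers/add') | ForEach-Object { $_.value }
        $result.AllowedCallers = @($callers)
    } else {
        $result.AllowedCallers = @()
        Write-Warning "config not found at $ConfigPath"
    }
    [pscustomobject]$result
}

$c = Test-C2wtsConfig
$c | Format-List

if ($c.StartMode -ne 'Auto')        { Write-Warning 'c2wts is not set to start automatically: sc config c2wts start= auto' }
if ($c.RunsAs -ne 'LocalSystem')    { Write-Warning "c2wts runs as $($c.RunsAs); the deck recommends leaving it as Local System, and a domain identity must be a local administrator" }
if (-not $c.DependsOnCryptSvc)      { Write-Warning 'c2wts does not depend on CryptSvc: sc config c2wts depend= CryptSvc' }
if ($c.AllowedCallers.Count -eq 0)  { Write-Warning 'no allowedCallers configured; claims-aware service accounts will be refused a Windows token' }
```

Each warning maps to one bullet of the slide, so a clean run with no warnings means the four prerequisites are in place; the delegation rights of the C2WTS identity itself are checked with the Active Directory cmdlets, not here.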

Testing:
- "NT Authority/Anonymous" is no more!
- Profiler shows your login
- Test every service against every data source (SSRS, ...)

Gotchas:
- 15-character limit on Windows NetBIOS names
- Open port 88 on the firewall
- SPN for SQL 2005 browser/discovery services
- Sensitive client account (cannot be delegated)

Troubleshooting:
- Enable Kerberos logging (don't forget about it!)
  - Registry hack
- Check Kerberos errors in the Event Log on the SP app server and the client
- ULS log (SP app server, with Verbose)
- Use Event Log, Kerbtray and Kerberos helper tools to check for common errors
- Use klist -purge to re-test Kerberos
- Use dcdiag to check SPNs
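The first three troubleshooting bullets form one loop: switch on Kerberos client logging, purge the ticket cache, reproduce the failure, read the errors, switch logging off. The script below is an added example for this transcript, not the presenter's code; it uses the standard Kerberos LogLevel registry value (the "registry hack"), the System log's Security-Kerberos provider and klist.exe. The Enable-/Disable-/Get-/Reset- function names are this example's own.

```powershell
# Added example (not from the slides): Kerberos client logging, event review and
# ticket purge for a SharePoint app server or client. Run from an elevated prompt.

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosLogging {
    # LogLevel = 1 makes the Kerberos client write every KDC error it receives to the System log.
    if (-not (Test-Path -Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    Set-ItemProperty -Path $kerbParams -Name LogLevel -Value 1 -Type DWord
}

function Disable-KerberosLogging {
    # The deck's "don't forget about it": left on, this fills the log with benign errors
    # (for example the normal fallback from a service that has no SPN).
    Remove-ItemProperty -Path $kerbParams -Name LogLevel -ErrorAction SilentlyContinue
}

function Get-KerberosErrors {
    param([int] $Hours = 1)
    # Kerberos client events land in the System log under the Security-Kerberos provider;
    # the message names the SPN that was requested and the error code the KDC returned.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

function Reset-KerberosTickets {
    # Purge the current logon session's tickets so the next request re-authenticates;
    # this is what avoids a reboot or waiting for ticket expiry after SPN/delegation changes.
    & klist.exe purge | Out-Null
    # List what remains; after the next request a ticket for HTTP/<portal host> must appear,
    # otherwise the client never asked for Kerberos and silently used NTLM.
    & klist.exe
}

Enable-KerberosLogging
Reset-KerberosTickets
# ... reproduce the failing report or data connection here, then review and clean up:
Get-KerberosErrors -Hours 1 | Format-Table -AutoSize
Disable-KerberosLogging
```

Run the same loop on both the client and the SharePoint application server, because the first hop fails on the client while a delegation failure on the second hop shows up only on the app server (and in its ULS log).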


Community Events:
- SQL Saturday Edinburgh, 7/8 June, www.sqlsaturday.com/202/
- SQL Relay, 17/27 June, www.sqlrelay.co.uk
- SQL Saturday Dublin, 21/22 June, www.sqlsaturday.com/229/
- SQL Saturday Cambridge, 27 September, www.sqlsaturday.com/228/
- UK User Groups, all the time, www.sqlserverfaq.com


We hope you had a great conference day! Keep checking for slides, videos and news of the next conference #SQLBITS

Glossary:
- Kerberos: authentication protocol
- Principal: a computer in the Kerberos protocol, usually the target
- UPN: user principal name
- FQDN: Fully Qualified Domain Name
- WCF: Windows Communication Foundation (.NET)
- C2WTS: WCF service granting a Windows token for a UPN claim

Resources:
- How the Kerberos Version 5 Authentication Protocol Works
- Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
- Kerberos Guide for SharePoint
- Kerberos Blog and Resources

- Kerberos using PowerShell
- Troubleshooting C2WTS by Rodney Viana: windows-nt-token-service-c2wts-in-sharepoint-2010-may-be-difficult-if-you-don-t-know-where-to-start.aspx
- Kerberos Professional Services

Command Prompt:
- List all Kerberos tickets on the principal (a ticket must be present for the URL, otherwise NTLM is used):
  klist
- Purge Kerberos tickets (run on all principals to avoid reboot/wait):
  klist -purge
- List all msDS-AllowedToDelegateTo properties for a single account (only computers with ):
  ldifde -f c:\temp\filename.txt -d "CN=SA_SVC_C2WTS,OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo
- List all msDS-AllowedToDelegateTo properties for all accounts in an OU:
  ldifde -f c:\temp\filename.txt -d "OU=Service Accounts,DC=contoso,DC=msft,DC=com" -l msDS-AllowedToDelegateTo