Fabian Williams SharePoint Blog

Solving problems with SharePoint day and night

How To: Configure and Consume Kerberos for use in SQL Server 2008 R2 and SharePoint 2010 Part 2

 

Part 1: – How To: Configure and Consume Kerberos for use in SQL Server 2008 R2 and SharePoint 2010 Part1

Part 2: – Configuring Service Applications, Sites, and Verifying our Work

Part 3: – Test out Using Web Parts and Communicating Securely across Web Applications with Kerberos

 

Synopsis

In Part 1 we covered the installation of SQL, creating SPNs for SQL, creating and configuring Service Accounts for SharePoint, and the requisite SPNs for SharePoint Service Applications and Web Applications. In this Part 2 we will pick up from there and build out the following:

  • Create, Configure Search Service Application
  • Create Kerberos Authentication Web Applications for
    • Intranet Site – Portal
    • Team Site – Teams
    • My Site – My
  • Create Site Collections for all three

Part 5: How to Make it Work

NEXT I WILL START CREATING SERVICE APPLICATIONS

MY FIRST ONE WILL BE SEARCH SO WHEN I CREATE MY SITES, THEY CAN ALREADY BE SQUARED AWAY FOR CRAWLING AND SEARCHING

So, right now my Service Applications list is empty. Let's get Search done first, so that when we create our Web Apps they will be added to the Content Source of the Search Service Application.

Now I will create my Web Apps for

  1. Portal
  2. Teams
  3. My

Right now the only Site is the Admin Site

We begin by creating a new Web App for our Portal

Change the Auth Provider to Kerberos

Create a new App Pool with the Managed Account that we already have and have already created the SPN for

Name your Content DB appropriately

Accept the other Defaults

Once you click OK you will get prompted about the use of Kerberos

Confirmation is provided

Verify Auth Provider

Click Default

Now let's create a Site Collection

And if all goes well

Let us now verify that Kerberos is what was used to get us to this point

We will use a variety of techniques

FIRST, THROUGH IIS

You can also run klist on the WFE to list the Kerberos tickets cached for the logged-on session

These are the databases created so far, based on our configuration

DO THE SAME FOR the MySite

Then we should have the following Web Apps Created

On the MySite web application, turn on Self-Service Site Creation

August 15, 2010 Posted by | IIS, Kerberos, SharePoint 2010, SharePoint 2010 RTM, SharePoint How-To | 1 Comment

How To: Configure and Consume Kerberos for use in SQL Server 2008 R2 and SharePoint 2010 Part1

NB: In an effort to make this page load better, I am breaking this blog post up into parts; this is Part 1.

Part 2: – Configuring Service Applications, Sites, and Verifying our Work

Part 3: – Configuring and Executing Search, Using Web Parts and Communicating Securely across Web Applications with Kerberos

Synopsis:

I felt a compelling need to write this blog post because, with the advent of SharePoint 2010, a whole new world opens up for access to information. With that comes the challenge of managing access and security. An area where I spend most of my time is Business Connectivity Services (BCS), and one of the challenges that I personally face is the “Double Hop”: a desktop client uses a Web Front End (WFE) via SharePoint to connect to a SharePoint Server in an Application Server role, which in turn retrieves and consumes information from a Line of Business (LOB) back-end database. Kerberos mitigates that problem through its protocol handling and service delegation. Secondly, I have clients whose desktop environment is heterogeneous, in that they have a mixture of Windows XP [yes, still XP] and Macs running Safari, with a need to avoid login prompts for authentication.

My colleagues out there constantly hear me asking for an ‘Authoritative’ document/guidance when it comes to standing up SharePoint 2010 features. After looking out there for something like that as it relates to getting Kerberos working, I found quite a bit of information but nothing really end to end. I think that is because, depending on your need, you may start in one area and end up in the next. In this document my approach is:

  • A Brand New SharePoint 2010 Installation that will use Kerberos for the Authentication everything being x64
    • Active Directory built on Windows Server 2008 R2
    • SQL Server is 2008 R2

In my quest I pulled information from the following sites and fellow SharePoint mates

  1. There is a really good article that Kathryn Birstein turned me on to when I met her at SharePoint Saturday in New York a few weeks ago. It is truly the Holy Grail for Kerberos – found here — Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=196600) (7.3 MB)
  2. For Registering a Service Principal Name for SQL Server I got a great piece of article here — http://msdn.microsoft.com/en-us/library/ms191153.aspx
  3. In terms of How to Implement Kerberos Constrained Delegation with SQL Server 2008 see this — http://technet.microsoft.com/en-us/library/ee191523(SQL.100).aspx
  4. Now, if you are going to be creating sites and you want them to be crawled, it suits you best to have your Search Service Application already configured before you create that Web Application; for that I checked out Bill Baer’s Twitter Handle: williamsbaer blog — http://blogs.technet.com/b/wbaer/archive/2009/11/23/step-by-step-provisioning-the-search-service-application.aspx
  5. Another good article that covers a good portion of SharePoint 2010 using Kerberos is here http://technet.microsoft.com/en-us/library/ee806870.aspx and it gives a good Scenario based example
  6. I also have a few blog posts at https://fabiangwilliams.wordpress.com and my new SharePoint 2010 FPWeb Hosted Site http://www.sharepointfabian.com/blog which outline how to install and configure SharePoint 2010; in light of that I take leaps over those items already covered and hope that you will use those blogs as a source of reference. The one thing I want to emphasize, and it is a good segue into item number 6, is that I now DO NOT use the Farm Configuration Wizard (FCW) to create my service applications after a SharePoint 2010 install; Spencer Harbar (Twitter handle @harbars) constantly preaches that unless you are doing a POC or a Demo Environment... DO NOT USE IT... so I now don't.
  7. The last two articles are from Spencer Harbar, in my opinion, one of the most Solid SharePoint gurus out there, I used his blogs for guidance not only in this example but for setting up User Profile Service which I also bring into this blog post — SharePoint 2010 and Kerberos and Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization

So how are we going to work this and make it flow?

  • Create the Service Accounts we need for SQL and SharePoint
  • I used a GPO from my work colleague and MVP Aaron Tiensivu (Twitter handle @atiensivu) to restrict NTLM traffic to servers, so that if Kerberos wasn't successful then audits and errors would be thrown; I will call this out later on
  • Tackle installing SQL Server 2008 R2 and getting Kerberos working there first. Why?
    • we need Service Principal Names (SPNs) set for MSSQLSvc under the Service Account SQL Server is running under if we intend to secure our communications with SQL Server with Kerberos
    • I went further by limiting the Network Transport (Protocol Name) to TCP and Named Pipes, because I know that in SQL Server 2008 / Windows Server 2008 enhancements have been made for Named Pipes, and typically I use TCP for communications anyway
    • I tested this by logging onto the SharePoint box and using SQL Management Studio to connect back to the SQL box, then running a query to see what the Network Transport is and also the Authentication Scheme
  • Install the SharePoint 2010 bits and set the Authentication to Negotiate (Kerberos), then configure for Kerberos thereafter
    • Create the Managed Service Accounts for the Web Applications and other Service Applications
    • Set the SPNs for the Web Application Service Accounts for the Portal, Team, and MySites
    • Create the Web Applications, Site Collections, and validate that Kerberos is the method used for connectivity
  • More Tests and Verifications

My Environment (Lab) – VMware on my Lenovo T61p [dual core single proc with 8 GB RAM]

  • DC Box
    • Windows 2008 r2 x64 Ent
    • Active Directory in 2008 mode
    • SQL 2008 r2
    • ArgoSoft Mail Server
    • 1 GB Ram Allocated
  • SharePoint Box (Application Role)
    • Windows 2008 r2 x64 Ent
    • SharePoint with all Services enabled
    • 3 GB Ram Allocated
  • SharePoint Box (Web Server Role)
    • Windows 2008 r2 x64 Standard
    • WFE Role Only (so I can really test kerberos from another box other than the app box)
    • 1GB Ram Allocated
  • Guest System
    • Windows 7 x86
    • 1 GB Ram Allocated

Yes… this is pushing it to the limit; in fact my CPU is pegged constantly and my memory is tapped. But I don't run with the big dogs out there with SSDs and 16 GB RAM, not yet.. 🙂

Part 1: SQL Server Squaring Away

After installing SQL Server 2008 R2, the first step I take is to manage the protocols under which SQL Server will run. This time, because I am focusing on Kerberos, I am only enabling TCP and Named Pipes, for the reason I mentioned above. I also enabled a GPO to restrict and/or audit NTLM traffic between the servers, as seen below.

As seen below, the account that the SQL Server service runs under is ADOTOBLAB\SqlSvc, and this is what we will create an SPN for.

Below is where we create the SPN for MSSQLSvc under the service account; it is also best practice to register both the FQDN and the NetBIOS name when registering SPNs. I used the command line tool for one and the ADSI Edit tool for the second.

Below we also use the tool to validate the entries made.

Part 2: Installation and Configuration of SharePoint 2010 (Accelerated)

Installation of the bits for SharePoint 2010 comes next. I just want to call out the differences in what you will do if you DO NOT use NTLM; see my other blogs for details on installation of SharePoint.

Here is your last chance to back out 🙂 — nah — so all this dialog box is telling you is that you need to make arrangements with the Domain Admins if you do not have the access to set up SPNs for the Service Accounts that you will be using in the creation of Service Applications and Web Applications.

Above is verification that you are using Negotiate(Kerberos) as the Authentication Provider in this Installation of SharePoint 2010

Part 3: Validate that Kerberos is working

FROM THE SHAREPOINT MACHINE AND USING SQL MANAGEMENT STUDIO I RUN THE BELOW TO TEST. THE KEY HERE IS THAT YOU ARE USING WINDOWS AUTH AND LOGGED IN AS THE SHAREPOINT INSTALL ACCOUNT

FROM THE SQL BOX I CHECK THE EVENT LOG AND VERIFY
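
A script I added to automate the two checks used in this post (the auth-scheme query run from the SharePoint box against SQL Server, and klist on the WFE from Part 2); it is not from the original post. The SQL server name is a placeholder, and it assumes you run it on the SharePoint box while logged on with a domain account so that Windows authentication is used.

```powershell
# Added example (not from the original post). $SqlServer is a placeholder;
# run this on the SharePoint box while logged on as a domain account.
param([string]$SqlServer = "SQL01.adotoblab.local")

function Get-SqlConnectionAuth {
    param([string]$Server)
    # Integrated Security=SSPI lets SSPI negotiate: with a valid MSSQLSvc SPN
    # for this exact server name the result is KERBEROS, otherwise NTLM.
    $cs = "Server=$Server;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # The DMV reports how *this* session (@@SPID) was authenticated
        $cmd.CommandText = "SELECT net_transport, auth_scheme " +
                           "FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        $rdr = $cmd.ExecuteReader()
        [void]$rdr.Read()
        New-Object PSObject -Property @{
            Transport  = $rdr["net_transport"]   # TCP / Named pipe / Shared memory
            AuthScheme = $rdr["auth_scheme"]     # KERBEROS / NTLM / SQL
        }
        $rdr.Close()
    } finally { $conn.Close() }
}

function Test-CachedTicket {
    param([string]$SpnPrefix)   # "MSSQLSvc/" for SQL, "HTTP/" for the web apps
    # klist prints one "Server: <SPN> @ <REALM>" line per cached ticket
    $tickets = klist 2>&1 | Out-String
    return [bool]($tickets -match ("Server:\s*" + [regex]::Escape($SpnPrefix)))
}

$auth = Get-SqlConnectionAuth -Server $SqlServer
"SQL connection to $SqlServer : transport=$($auth.Transport) auth=$($auth.AuthScheme)"
if ($auth.AuthScheme -ne "KERBEROS") {
    # NTLM here usually means a missing MSSQLSvc SPN on the SQL service account,
    # or a server name (IP, alias) that does not match any registered SPN
    Write-Warning "Fell back to $($auth.AuthScheme); check the MSSQLSvc SPNs on SqlSvc"
}
"Cached MSSQLSvc ticket present: $(Test-CachedTicket 'MSSQLSvc/')"
"Cached HTTP ticket(s) present:  $(Test-CachedTicket 'HTTP/')"
```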

Part 4 – Configure Accounts (Service Accounts, Managed Service Accounts) and Service Principal Names (SPN)

First Register Managed Service Accounts

For User Profile Service and Search, and just to kick off provisioning of UPS, you will need to have Local Admin rights set on a few accounts

Make sure that the UPS account also has Replicate Changes and Create Child Objects in AD

Next I am going to create A Records for my Sites (Team, Intranet and MySite)

At this time I set SPNs for the Service Accounts to be used for the Portal Site, Team Site and MySite. Again, ensure that you do both NetBIOS and FQDN for SPNs

When setting SPNs, ensure that you do both NetBIOS and FQDN

We do the same for:

  1. Teams
  2. My

However, Teams and My will be on ports 4444 and 5555 respectively, so we will do two entries for each because of a known issue with setting SPNs for SharePoint

Do the same thing for Service Account for the Team Site (svcAppPoolSites)
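
To tie together the SPN work from the SQL section (MSSQLSvc, NetBIOS plus FQDN) and this section (HTTP SPNs for the three web apps, two entries each for the non-default ports), here is a PowerShell wrapper around setspn that I added; it is not a script from the original post. The SQL host name SQL01, the DNS suffix, and the Portal and My app-pool account names are placeholders; ADOTOBLAB, SqlSvc and svcAppPoolSites are the names the post uses.

```powershell
# Added example (not from the original post). Placeholders: SQL01, the DNS
# suffix, svcAppPoolPortal and svcAppPoolMy. ADOTOBLAB, SqlSvc and
# svcAppPoolSites are the names used in the post.
$Domain    = "ADOTOBLAB"
$DnsSuffix = "adotoblab.local"   # placeholder, replace with your AD DNS name

# Service account -> SPNs it must carry. Every host gets a NetBIOS and an FQDN
# entry; the web apps on non-default ports (Teams 4444, My 5555) also get the
# port-less HTTP SPN, which is the post's "two entries" per name.
$SpnPlan = @{
    "SqlSvc"           = @("MSSQLSvc/SQL01:1433", "MSSQLSvc/SQL01.${DnsSuffix}:1433")
    "svcAppPoolPortal" = @("HTTP/portal", "HTTP/portal.$DnsSuffix")
    "svcAppPoolSites"  = @("HTTP/teams", "HTTP/teams.$DnsSuffix",
                           "HTTP/teams:4444", "HTTP/teams.${DnsSuffix}:4444")
    "svcAppPoolMy"     = @("HTTP/my", "HTTP/my.$DnsSuffix",
                           "HTTP/my:5555", "HTTP/my.${DnsSuffix}:5555")
}

function Register-Spn {
    param([string]$Account, [string]$Spn)
    # An SPN that already sits on another account is a duplicate; Kerberos then
    # fails for both services, so report it rather than add a second copy.
    $query = setspn -Q $Spn 2>&1 | Out-String
    if ($query -match "Existing SPN found") {
        Write-Warning "$Spn is already registered:`n$query"
        return
    }
    # -S adds the SPN only after a forest-wide duplicate check
    setspn -S $Spn "$Domain\$Account" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "setspn -S failed for $Spn on $Account" }
}

foreach ($account in $SpnPlan.Keys) {
    foreach ($spn in $SpnPlan[$account]) { Register-Spn -Account $account -Spn $spn }
    "--- SPNs now registered on $Domain\$account ---"
    setspn -L $account      # compare this list against $SpnPlan[$account]
}

# Final sanity check: report any SPN registered on more than one account
setspn -X
```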

NEXT – Part 2

August 15, 2010 Posted by | Kerberos, SharePoint 2010, SharePoint 2010 RTM, SharePoint General, SharePoint How-To, SQL Server | 3 Comments