Fabian Williams SharePoint Blog

Solving problems with SharePoint day and night

How To: Configure and Consume Kerberos for use in SQL Server 2008 R2 and SharePoint 2010 Part1


NB. In an effort to make this page load better I am breaking this blog up into parts; this is Part 1.

Part 2: – Configuring Service Applications, Sites, and Verifying our Work

Part 3: – Configuring and Executing Search, Using Web Parts and Communicating Securely across Web Applications with Kerberos

Synopsis:

I felt a compelling need to write this blog post because with the advent of SharePoint 2010, a whole new world opens up for access to information. With that comes the challenge of managing access and security. An area that I spend most of my time in is Business Connectivity Services (BCS), and one of the challenges that I personally face is the “Double Hop”: I have a desktop client that goes through a Web Front End (WFE) via SharePoint to connect to a SharePoint Server in an Application Server role, which in turn retrieves and consumes information from a Line of Business (LOB) back-end database. Kerberos mitigates that problem through its protocol handling and service delegation. Secondly, I have clients whose desktop environment is heterogeneous, in that they have a mixture of Windows XP [yes, still XP] and Macs running Safari, with a need to avoid login prompts for authentication.

My colleagues out there constantly hear me asking for an ‘Authoritative’ document/guidance when it comes to standing up SharePoint 2010 features. After looking out there for something like that as it relates to getting Kerberos going, I found quite a bit of information but nothing really end to end. I think that is because depending on your need, you may start in one area and end up in the next. In this document my approach is:

  • A Brand New SharePoint 2010 Installation that will use Kerberos for the Authentication everything being x64
    • Active Directory built on Windows Server 2008 R2
    • SQL Server is 2008 R2

In my quest I pulled information from the following sites and fellow SharePoint mates:

  1. There is a really good article that Kathryn Birstein turned me on to when I met her at SharePoint Saturday in New York a few weeks ago. It is truly the Holy Grail for Kerberos – found here — Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products and Technologies (http://go.microsoft.com/fwlink/?LinkId=196600) (7.3 MB)
  2. For registering a Service Principal Name for SQL Server I found a great article here — http://msdn.microsoft.com/en-us/library/ms191153.aspx
  3. In terms of how to implement Kerberos Constrained Delegation with SQL Server 2008, see this — http://technet.microsoft.com/en-us/library/ee191523(SQL.100).aspx
  4. Now, if you are going to be creating sites and you want them to be crawled, it suits you best to have your Search Service Application already configured before you create that Web Application; for that I checked out Bill Baer’s (Twitter handle: williamsbaer) blog — http://blogs.technet.com/b/wbaer/archive/2009/11/23/step-by-step-provisioning-the-search-service-application.aspx
  5. Another good article that covers a good portion of SharePoint 2010 using Kerberos is here http://technet.microsoft.com/en-us/library/ee806870.aspx and it gives a good scenario-based example
  6. I also have a few blog posts at https://fabiangwilliams.wordpress.com and on my new SharePoint 2010 FPWeb hosted site http://www.sharepointfabian.com/blog which outline how to install and configure SharePoint 2010; in light of that I take leaps over those items already covered and hope that you will use those blogs as a source of reference. The one thing I want to emphasize, and it is a good segue into the next item, is that I now DO NOT use the Farm Configuration Wizard (FCW) to create my service applications after a SharePoint 2010 install; Spencer Harbar (Twitter handle @harbars) constantly preaches that unless you are doing a POC or a demo environment... DO NOT USE IT... so I now don’t.
  7. The last two articles are from Spencer Harbar, in my opinion one of the most solid SharePoint gurus out there. I used his blogs for guidance not only in this example but for setting up the User Profile Service, which I also bring into this blog post — SharePoint 2010 and Kerberos and Rational Guide to implementing SharePoint Server 2010 User Profile Synchronization

So how are we going to work this and make it flow?

  • Create the service accounts we need for SQL and SharePoint
  • I used a GPO from my work colleague and MVP Aaron Tiensivu (Twitter handle @atiensivu) to restrict NTLM traffic to servers, so that if Kerberos wasn’t successful then audits and errors would be thrown; I will call this out later on
  • Tackle installing SQL Server 2008 R2 and getting Kerberos working there first. Why?
    • We need Service Principal Names (SPNs) set for MSSQLSvc under the service account SQL Server is running under if we intend to secure our communications with SQL Server with Kerberos
    • I went further by limiting the network transport (protocol name) to TCP and Named Pipes, because I know that in SQL Server 2008 / Windows Server 2008 enhancements have been made for Named Pipes, and typically I use TCP for communications anyway
    • I tested this by logging onto the SharePoint box and using SQL Management Studio to connect back to the SQL box, running a query to see what the network transport is and also the authentication scheme
  • Install the SharePoint 2010 bits and set the authentication to Negotiate (Kerberos) – configure for Kerberos thereafter
    • Create the Managed Service Accounts for the Web Applications and other Service Applications
    • Set the SPNs for the Web Application service accounts for the Portal, Team, and MySites
    • Create the Web Applications and Site Collections, and validate that Kerberos is the method used for connectivity
  • More tests and verifications

My Environment (Lab) – VMware on my Lenovo T61p [dual core single proc with 8 GB RAM]

  • DC Box
    • Windows 2008 R2 x64 Enterprise
    • Active Directory in 2008 mode
    • SQL 2008 R2
    • ArgoSoft Mail Server
    • 1 GB RAM allocated
  • SharePoint Box (Application Role)
    • Windows 2008 R2 x64 Enterprise
    • SharePoint with all services enabled
    • 3 GB RAM allocated
  • SharePoint Box (Web Server Role)
    • Windows 2008 R2 x64 Standard
    • WFE role only (so I can really test Kerberos from a box other than the app box)
    • 1 GB RAM allocated
  • Guest System
    • Windows 7 x86
    • 1 GB RAM allocated

Yes… this is pushing it to the limit; in fact my CPU is pegged constantly and my memory is tapped. But I don’t run with the big dogs out there with SSDs and 16 GB RAM, not yet.. 🙂

Part 1: SQL Server Squaring Away

After installing SQL Server 2008 R2, the first step I do is manage the protocols under which SQL Server will run. This time, because I am focusing on Kerberos, I am only enabling TCP and Named Pipes for the reason I mentioned above. I also enabled a GPO to restrict and/or audit NTLM traffic between the servers, as seen below.

[Screenshot]

As seen below, the service account that the SQL Server service runs under is ADOTOBLAB\SqlSvc, and this is the account we will create an SPN for.

[Screenshots]

Below is where we create the SPN for MSSQLSvc under the service account; it is also best practice to register both the FQDN and the NetBIOS names when setting SPNs. I used the command-line tool for one and the ADSI Edit tool for the second.

[Screenshot]

Below we also use the tool to validate the entries made.

[Screenshot]

Part 2: Installation and Configuration of SharePoint 2010 (Accelerated)

Installation of the bits for SharePoint 2010 comes next; I just want to call out the differences in what you will do if you DO NOT use NTLM. See my other blogs for details on the installation of SharePoint.

[Screenshot]

Here is your last chance to back out 🙂 — nah. All this dialog box is telling you is that you need to make arrangements with the Domain Admins if you do not have the access to set up SPNs for the service accounts that you will be using in the creation of Service Applications and Web Applications.

[Screenshots]

Above is verification that you are using Negotiate (Kerberos) as the authentication provider in this installation of SharePoint 2010.

Part 3: Validate that Kerberos is working

From the SharePoint machine, using SQL Management Studio, I run the query below to test. The key here is that you are using Windows authentication and are logged in as the SharePoint install account.

[Screenshot]
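The same check scripted so it can be run from the SharePoint box without opening Management Studio: it connects with Windows authentication and asks SQL Server which transport and authentication scheme that connection negotiated. This is an added example, not the author's query; the SQL Server host name is an assumption for the lab.

```powershell
# Added example (not from the original post). Run while logged on as the
# SharePoint install account, from the SharePoint box, against the SQL box.
$sqlServer = 'sql01.adotoblab.local'   # assumption: the SQL Server FQDN the MSSQLSvc SPN was registered for

function Get-SqlAuthScheme {
    param([string]$Server)
    # Integrated Security=SSPI lets the client negotiate; Kerberos is only chosen
    # when a matching MSSQLSvc SPN exists on the account the SQL service runs under.
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=master;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections describes the session's own connection
        $cmd.CommandText = 'SELECT net_transport, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;'
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            New-Object PSObject -Property @{
                Server     = $Server
                Transport  = $reader['net_transport']   # TCP or Named pipe
                AuthScheme = $reader['auth_scheme']     # KERBEROS, NTLM, or SQL
            }
        }
    }
    finally {
        $conn.Close()
    }
}

$result = Get-SqlAuthScheme -Server $sqlServer
$result | Format-List Server, Transport, AuthScheme

# NTLM here means Kerberos was not negotiated: a missing or duplicate MSSQLSvc SPN,
# the SPN registered on the wrong account, or connecting by a name (alias, IP,
# NetBIOS name without its own SPN) that does not match what was registered.
if ($result.AuthScheme -ne 'KERBEROS') {
    Write-Warning "Connection to $sqlServer used $($result.AuthScheme); check the MSSQLSvc SPNs on ADOTOBLAB\SqlSvc with: setspn -L SqlSvc"
}
```

With the NTLM-restriction GPO from the plan above in place, a failed Kerberos negotiation shows up as a connection error and an audit event rather than a silent NTLM fallback.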

From the SQL box I check the event log and verify.

[Screenshot]

Part 4 – Configure Accounts (Service Accounts, Managed Service Accounts) and Service Principal Names (SPN)

First, register the Managed Service Accounts.

[Screenshot]

For the User Profile Service and Search, and just to kick off provisioning of UPS, you will need to have Local Admin rights set on a few accounts.

[Screenshot]

Make sure that the UPS account also has Replicate Directory Changes and Create Child Objects in AD.

Next I am going to create A records for my sites (Team, Intranet and MySite).

[Screenshot]

At this time I set SPNs for the service accounts to be used for the Portal site, Team site and MySite. Again, ensure that you do both NetBIOS and FQDN for SPNs.

[Screenshots]

When setting SPNs, ensure that you do both NetBIOS and FQDN.

[Screenshots]

We do the same for:

  1. Teams
  2. My

However, Teams and My will be on ports 4444 and 5555 respectively, so we will do two entries each because of a known issue with setting SPNs for SharePoint.

[Screenshots]

Do the same thing for the service account for the Team site (svcAppPoolSites).
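Both SPN steps of this post in one script: the MSSQLSvc SPNs for the SQL service account from Part 1 and the HTTP SPNs for the web application pool accounts from Part 4, each registered in NetBIOS and FQDN form, with the extra portless entry for the sites on 4444 and 5555. This is an added example wrapping setspn, not the author's own commands; the DNS suffix, host names, SQL port 1433 and the Portal and MySite account names are assumptions (only ADOTOBLAB\SqlSvc, svcAppPoolSites and ports 4444/5555 come from the post).

```powershell
# Added example, not from the original post. Run elevated, as an account allowed
# to write servicePrincipalName on these service accounts.

function Register-Spn {
    param([string]$Spn, [string]$Account)
    # setspn -Q searches the forest for the SPN. The same SPN on two accounts makes
    # the KDC fail the request and clients drop to NTLM, so refuse a second copy.
    $existing = setspn -Q $Spn
    if ($existing -match '^\s*CN=') {
        Write-Warning "$Spn is already registered:`n$($existing -join "`n")"
        return
    }
    setspn -S $Spn $Account | Out-Null   # -S also rejects duplicates (unlike -A)
    Write-Host "Registered $Spn on $Account"
}

function Register-SpnPair {
    # Clients may ask for a ticket by NetBIOS name or FQDN, so both are registered.
    # When a port is given the portless form is added too: the SQL TCP client asks
    # for MSSQLSvc/host:port while Named Pipes asks for MSSQLSvc/host, and the
    # browser leaves the port out of the HTTP SPN it requests (the known issue).
    param([string]$Service, [string]$HostName, [string]$DnsSuffix,
          [string]$Account, [int]$Port = 0)
    foreach ($name in @($HostName, "$HostName.$DnsSuffix")) {
        if ($Port -gt 0) { Register-Spn "$Service/${name}:$Port" $Account }
        Register-Spn "$Service/$name" $Account
    }
}

$suffix = 'adotoblab.local'   # assumption: lab DNS suffix

# Part 1: SQL Server default instance (SQL 2008 registers these itself when its account may)
Register-SpnPair -Service MSSQLSvc -HostName sql01 -DnsSuffix $suffix -Account 'ADOTOBLAB\SqlSvc' -Port 1433

# Part 4: web applications. Portal listens on 80, so only the portless form applies;
# Teams (4444) and MySite (5555) get the port form and the portless form.
Register-SpnPair -Service HTTP -HostName intranet -DnsSuffix $suffix -Account 'ADOTOBLAB\svcAppPoolPortal'   # account assumed
Register-SpnPair -Service HTTP -HostName teams    -DnsSuffix $suffix -Account 'ADOTOBLAB\svcAppPoolSites' -Port 4444
Register-SpnPair -Service HTTP -HostName my       -DnsSuffix $suffix -Account 'ADOTOBLAB\svcAppPoolMySite' -Port 5555   # account assumed

# Validate: list what each account now carries, then scan the forest for duplicates
setspn -L SqlSvc
setspn -L svcAppPoolSites
setspn -X
```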

NEXT – Part 2


August 15, 2010 - Posted by | Kerberos, SharePoint 2010, SharePoint 2010 RTM, SharePoint General, SharePoint How-To, SQL Server

3 Comments »

  1. […] This post was mentioned on Twitter by Fabian Williams and Hire SharePoint Dev, Adotob LLC. Adotob LLC said: @fabianwilliams did Part 1 of a 3 Part Blog on Consuming #Kerberos in #SQL 2008 R2 & #SharePoint 2010 Soup 2Nuts http://bit.ly/byIxYu RT Plz […]

    Pingback by Tweets that mention How To: Configure and Consume Kerberos for use in SQL Server 2008 R2 and SharePoint 2010 Part1 « Fabian Williams Blog -- Topsy.com | August 15, 2010 | Reply

  2. Great post and compilation of Kerberos as it relates to SharePoint 2010 information Fabian! Really liked the GPO tie-in.

    Comment by Bert | September 9, 2010 | Reply

