configure kerberos authentication for sharepoint 2010 products

247

Upload: dukkipati19

Post on 08-Nov-2014

57 views

Category:

Documents


2 download

TRANSCRIPT

Configure Kerberos Authentication for SharePoint 2010 ProductsTom Wisnowski

Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, PejJavaheri , Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, PrashShirolkar, Norm Warren, Josh Zimmerman

Summary: This document covers the concepts of identity in SharePoint 2010 products, how Kerberos authentication plays a critical role in authentication and delegation in business intelligence scenarios, and the situations where Kerberos authentication should be leveraged or may be required in solution designs. It also covers how to configure Kerberos authentication end-to-end within your environment, including scenarios which use various service applications in SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration. Category: Guide Applies to: SharePoint 2010 Source: White paper (link to source content) E-book publication date: May 2012 220 pages

Copyright 2012 by Microsoft Corporation All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the authors views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

TableofContentsConfigureKerberosAuthenticationforSharePoint2010Products..........................1 Configure Kerberos authentication for SharePoint 2010 Products...........................7 Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.....8 Who should read these articles about Kerberos authentication?..........................9 Identity scenarios in SharePoint 2010 Products....................................................11 Claims primer.............................................................................................................. 19 Kerberos protocol primer........................................................................................... 20 Benefits of the Kerberos protocol............................................................................. 20 Kerberos delegation, constrained delegation, and protocol transition ................21 Kerberos authentication changes in Windows 2008R2 and Windows 7............22 Kerberos configuration changes in SharePoint 2010 Products...........................23 Considerations when you are upgrading from Office SharePoint Server 2007 23 Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)................................................................................................................ 24 Environment and farm topology................................................................................ 24 Web Application specification................................................................................... 27 SQL aliasing................................................................................................................ 29 SharePoint Server Services and service accounts...............................................30 C2WTS Service Identity............................................................................................. 31

Tips for working through the scenarios...................................................................31 Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)............................................................................................................................. 33 Configuration checklist............................................................................................... 34 Step-by-step configuration instructions...................................................................35 Kerberos authentication for SQL OLTP (SharePoint Server 2010)........................81 Configuration checklist............................................................................................... 82 Scenario environment details .................................................................................... 83 Step-by-step configuration instructions...................................................................83 Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)............................................................................................................................. 89 Configuration checklist............................................................................................... 89 Step-by-step configuration instructions...................................................................90 Identity delegation for SQL Server Reporting Services (SharePoint Server 2010) .......................................................................................................................................94 Scenario dependencies............................................................................................. 94 Configuration checklist............................................................................................... 95 Scenario environment details .................................................................................... 96 Cross-domain Kerberos delegation......................................................................... 96 Step-by-step configuration instructions...................................................................97 SSL configuration for Reporting Services.............................................................122 Identity delegation for Excel Services (SharePoint Server 2010).........................124 Scenario dependencies........................................................................................... 1244

Configuration checklist............................................................................................. 124 Step-by-step configuration instructions.................................................................127 Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010) .....................................................................................................................................151 Scenarios requiring Kerberos authentication.......................................................152 Scenario dependencies........................................................................................... 153 Configuration instructions........................................................................................ 154 Identity delegation for Visio Services (SharePoint Server 2010)..........................155 Scenario dependencies........................................................................................... 155 Configuration checklist............................................................................................. 155 Scenario environment details .................................................................................. 157 Step-by-step configuration instructions.................................................................158 Identity delegation for PerformancePoint Services (SharePoint Server 2010) ...183 Scenario dependencies........................................................................................... 183 Configuration checklist............................................................................................. 183 Scenario environment details .................................................................................. 185 Step-by-step Configuration instructions................................................................187 Identity delegation for Business Connectivity Services (SharePoint Server 2010) .....................................................................................................................................213 Scenario dependencies........................................................................................... 213 Configuration checklist............................................................................................. 214 Scenario Environment Details................................................................................ 215

Step-by-step configuration instructions.................................................................216 Kerberos configuration known issues (SharePoint Server 2010).........................238 Kerberos authentication and non-default ports....................................................238 Kerberos authentication and DNS CNAMEs........................................................239 Kerberos authentication and Kernel Mode Authentication.................................240 Kerberos authentication and session-based authentication..............................241 Kerberos authentication and duplicate/missing SPN issues..............................242 Kerberos Max Token Size....................................................................................... 243 Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista ..................................................................................................................................243 How to reset the Claims to Windows Token Service account (SharePoint Server 2010)........................................................................................................................... 245 Solution ....................................................................................................................... 245

6

Configure Kerberos authentication for SharePoint 2010 Products

Configure Kerberos authentication for SharePoint 2010 ProductsPublished:July15,2010

Thisdocumentgivesyouinformationthatwillhelpyouunderstandtheconceptsof identityinMicrosoftSharePoint2010Products,howKerberosauthenticationplaysa veryimportantroleinauthenticationanddelegationscenarios,andthesituations whereKerberosauthenticationshouldbeusedormayberequiredinsolutiondesigns. Scenariosincludebusinessintelligenceimplementationswhichsecureaccesstoexternal datasourcessuchasSQLServer. ThedocumentalsoshowshowtoconfigureKerberosauthenticationendtoendwithin yourenvironment,includingscenariosthatusevariousserviceapplicationsinMicrosoft SharePointServer.Additionaltoolsandresourcesaredescribedtohelpyoutestand validateKerberosconfiguration.The"StepbyStepConfiguration"sectionsofthis documentcoverthefollowingscenariosforSharePointServer2010. ThesameinformationaboutConfiguringKerberosauthenticationforSharePoint2010 ProductsisavailableisalsoavailableasasetofarticleshereintheTechNetLibrary.It beginshere:Overview of Kerberos authentication for Microsoft SharePoint 2010 Products.7

Scenario1:CoreConfiguration Scenario2:KerberosAuthenticationforSQLOLTP Scenario3:IdentityDelegationforSQLAnalysisServices Scenario4:IdentityDelegationforSQLReportingServices Scenario5:IdentityDelegationforExcelServices Scenario6:IdentityDelegationforPowerPivotforSharePoint Scenario7:IdentityDelegationforVisioServices Scenario8:IdentityDelegationforPerformancePointServices Scenario9:IdentityDelegationforBusinessConnectivityServices

Configure Kerberos Authentication for SharePoint 2010 Products

Overview of Kerberos authentication for Microsoft SharePoint 2010 ProductsPublished:December2,2010

MicrosoftSharePoint2010Productsintroducesignificantimprovementsinhowidentity ismanagedintheplatform.Itisveryimporttounderstandhowthesechangesaffect solutiondesignandplatformconfigurationtoenablescenariosthatrequireuseridentity tobedelegatedtointegratedsystems.TheKerberosversion5protocolplaysakeyrole inenablingdelegationandsometimesmayberequiredinthesescenarios. Thissetofarticlesgivesyouinformationthathelpsyoudothefollowing: UnderstandtheconceptsofidentityinSharePoint2010Products LearnhowKerberosauthenticationplaysaveryimportantroleinauthentication anddelegationscenarios IdentifythesituationswhereKerberosauthenticationshouldbeleveragedormay berequiredinsolutiondesigns ConfigureKerberosauthenticationendtoendwithinyourenvironment,including scenariosthatusevariousserviceapplicationsinSharePointServer TestandvalidatethatKerberosauthenticationisconfiguredcorrectlyandworking asexpected FindadditionaltoolsandresourcestohelpyouconfigureKerberosauthenticationin yourenvironment

Thissetofarticlesisdividedintwomajorsections: ThisoverviewofKerberosauthenticationinSharePoint2010Products Thisarticlecontainsconceptualinformationabouthowtomanageidentityin SharePoint2010Products,theKerberosprotocol,andhowKerberosauthentication playsakeyroleinSharePoint2010solutions. Step-by-step configuration

ThisgroupofarticlesdiscussesthestepsthatarerequiredtoconfigureKerberos authenticationanddelegationinvariousSharePointsolutionscenarios.8

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

Who should read these articles about Kerberos authentication?IdentityanddelegationinSharePoint2010Productsisabroadtopic,withmanyfacets anddepthsofunderstanding.Thissetofarticlesaddressesthetopicfromboth conceptualandtechnicallevelsandiswrittentoaddresstheneedsofvarious audiences:

Beginning to end"TellmeeverythingthereistoknowaboutIdentityandKerberosauthenticationin SharePoint2010Products" IfyouareonlystartingoutandlearningaboutSharePoint2010Products,Kerberos authentication,andclaimsauthentication,youwillwanttothereadthefirstsectionof thisdocument.Itcoversthebasicconceptsofidentityanddelegationandoffersprimers aboutClaimsandKerberosauthentication.Besuretofollowthelinkstoexternal articlesandadditionalinformationtobuildasolidfoundationofknowledgebefore continuingontothestepbystepconfigurationarticles.

Upgrading from Office SharePoint Server 2007"Tellmewhatischangedfrom2007andwhatIshouldprepareforinupgradingto2010" IfyouhaveanexistingMicrosoftOfficeSharePointServer2007environmentalready configuredtouseKerberosauthenticationandKerberosdelegation,youshouldreadthe followingarticles: Identity scenarios in SharePoint 2010 Products Claims primer Kerberos authentication changes in Windows 2008 R2 and Windows 7 Kerberos configuration changes in SharePoint 2010 Products Considerations when you are upgrading from Office SharePoint Server 2007

Ifyouhaveadditionalquestionsabouthowtoconfigurationdelegationforaparticular featureorscenario,readthestepbystepconfigurationarticles,especiallythe configurationchecklists.Thiswillhelpyouensurethatyourenvironmentisconfigured correctlyafterupgrade.9

Configure Kerberos Authentication for SharePoint 2010 Products

Step-by-step walkthrough"IwantdetailedstepbystepinstructionsonhowtoconfigureKerberosdelegationin SharePointServerandapplicableSharePointServerserviceapplications" ThestepbystepconfigurationarticlescoverseveralSharePoint2010Products scenarioswhichcanbeconfiguredtouseKerberosdelegation.Eachscenarioiscovered indetail,includingaconfigurationchecklistandstepbystepinstructionstohelpyou successfullyconfigureKerberosauthenticationinyourenvironment.Thescenarios coveredincludethefollowing: Scenario1:Core Configuration Scenario2:Kerberos Authentication for SQL OLTP Scenario3:Kerberos Authentication for SQL Analysis Services Scenario4:Identity Delegation for SQL Reporting Services Scenario5:Identity Delegation for Excel Services Scenario6:Identity Delegation for PowerPivot for SharePoint 2010 Scenario7:Identity Delegation for Visio Services Scenario8:Identity Delegation for Performance Point Services Scenario9:Identity Delegation for Business Connectivity Services

Besuretothoroughlyreviewthefirstcoreconfigurationscenario,becauseitisa prerequisiteforallthescenariosthatfollow.

10

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

Note: Thescenariosinclude"SetSPN"commandsthatyoumaychoosetocopyfromthis documentandpasteinaCommandPromptwindow.Thesecommandsincludehyphen characters.MicrosoftWordhasanAutoFormatfeaturethattendstoconverthyphensto dashcharacters.IfyouhavethisfeatureturnedoninWordandthendoacopyand pasteoperation,thecommandswillnotworkcorrectly.Changethedashestohyphens tofixthiserror.ToturnoffthisAutoFormatfeatureinWord,selectOptionsfromthe Filemenu,clicktheProofingtab,andthenopentheAutoCorrectdialogbox.

Existing SharePoint 2010 Product environments"IhaveanexistingSharePoint2010ProductenvironmentandIcannotseemtoget Kerberosauthenticationworking.HowdoIvalidateanddebugmyconfiguration?" TheStep-by-step configurationarticlescontainseveralcheckliststohelptriageyour environmentinvariousscenarios.PayspecialattentionstoScenario1,Core configuration,whichcoversbasictoolsandtechniquestotriageKerberosconfiguration.

Identity scenarios in SharePoint 2010 ProductsWhenlearningaboutidentityinthecontextofauthenticationinSharePoint2010 Products,youcanconceptuallylookathowtheplatformhandlesidentityinthreekey scenarios:Incomingauthentication,inter/intrafarmauthenticationandoutgoing authentication.

11

Configure Kerberos Authentication for SharePoint 2010 Products

Incoming IdentityTheincomingauthenticationscenariorepresentsthemeansinwhichaclientpresents itsidentitytotheplatform,orinotherwordsauthenticateswiththewebapplicationor webservice.SharePointServerwillusetheclient'sidentitytoauthorizetheclientto accessSharePointServersecuredresourcessuchaswebpages,documents,andsoon. SharePoint2010Productssupporttwomodesinwhichaclientcanauthenticatewith theplatform:ClassicmodeandClaimsmode.

Classic modeClassicmodeallowsthetypicalInternetInformationServices(IIS)authentication methodsthatyoumayalreadybefamiliarwithfrompreviousversionsofSharePoint Server.WhenaSharePointServer2010WebApplicationisconfiguredtouseclassic mode,youhavetheoptionofusingthefollowingIISauthenticationmethods: IntegratedWindowsauthentication IntegratedWindowsauthenticationenablesWindowsclientstoseamlesslyauthenticate withSharePointServerwithouthavingtomanuallyprovidecredentials(user name/password).UsersaccessingSharePointServerfromInternetExplorerwill authenticatebyusingthecredentialsthattheInternetExplorerprocessisrunning underbydefaultthecredentialsthattheuserusedtologontothedesktop.Services orapplicationsthataccessSharePointServerinWindowsintegratedmodeattemptto authenticatebyusingthecredentialsoftherunningthread,which,bydefault,isthe identityoftheprocess.12

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

NTLM NTLANManager(NTLM)isthedefaultprotocoltypewhenIntegratedWindows authenticationisselected.Thisprotocoltakesadvantageofathreepartchallenge responsesequencetoauthenticateclients.FormoreinformationaboutNTLM,see Microsoft NTLM(http://go.microsoft.com/fwlink/?LinkId=196643). Pros: Itiseasytoconfigureandtypicallyrequiresnoadditional infrastructure/environmentconfigurationtofunction Itworkswhentheclientisnotpartofthedomain,orisnotinadomaintrustedby thedomainthatSharePointServerresidesin

Cons: ItrequiresSharePointServertocontactthedomaincontrollereverytimethata clientauthenticationresponseneedsvalidation,increasingtraffictothedomain controllers. Itdoesnotallowdelegationofclientcredentialstobackendsystems,otherwise knownasthedoublehoprule.Itisaproprietaryprotocol. Itisaproprietaryprotocol. Itdoesnotsupportserverauthentication. ItisconsideredlesssecurethanKerberosauthentication

Kerberosprotocol TheKerberosprotocolisamoresecureprotocolthatsupportsticketingauthentication. AKerberosauthenticationservergrantsaticketinresponsetoaclientcomputer authenticationrequest,iftherequestcontainsvalidusercredentialsandavalidService PrincipalName(SPN).Theclientcomputerthenusesthetickettoaccessnetwork resources.ToenableKerberosauthentication,theclientandservercomputersmust haveatrustedconnectiontothedomainKeyDistributionCenter(KDC).TheKDC distributessharedsecretkeystoenableencryption.Theclientandservercomputers mustalsobeabletoaccessActiveDirectorydirectoryservices.ForActiveDirectory,the forestrootdomainisthecenterofKerberosauthenticationreferrals.Formore informationabouttheKerberosprotocol,seeHow the Kerberos Version 5 Authentication Protocol Works(http://go.microsoft.com/fwlink/?LinkId=196644)and Microsoft Kerberos.(http://go.microsoft.com/fwlink/?LinkId=196645)13

Configure Kerberos Authentication for SharePoint 2010 Products

Pros: MostsecureIntegratedWindowsauthenticationprotocol Allowsdelegationofclientcredentials Supportsmutualauthenticationofclientsandservers Produceslesstraffictodomaincontrollers Openprotocolsupportedbymanyplatformsandvendors

Cons: Requiresadditionalconfigurationofinfrastructureandenvironmenttofunction correctly RequiresclientshaveconnectivitytotheKDC(ActiveDirectorydomaincontrollerin Windowsenvironments)overTCP/UDPport88(Kerberos),andTCP/UDPport464 (KerberosChangePasswordWindows)

Othermethods InadditiontoNTLMandKerberosauthentication,SharePointServersupportsother kindsofIISauthenticationsuchasbasic,digest,andcertificatebasedauthentication, whicharenotcoveredinthisdocument.Formoreinformationabouthowthese protocolsfunction,seeAuthentication Methods Supported in IIS 6.0 (IIS 6.0) (http://go.microsoft.com/fwlink/?LinkId=196646).

Claims-based authenticationSupportforclaimsauthenticationisanewfeatureinSharePoint2010Productsandis builtonWindowsIdentityFoundation(WIF).Inaclaimsmodel,SharePointServer acceptsoneormoreclaimsaboutanauthenticatingclienttoidentifyandauthorizethe client.TheclaimscomeintheformofSAMLtokensandarefactsabouttheclientstated byatrustedauthority.Forexample,aclaimcouldstate,"Bobisamemberofthe EnterpriseAdminsgroupforthedomainContoso.com."Ifthisclaimcamefroma providertrustedbySharePointServer,theplatformcouldusethisinformationto authenticateBobandtoauthorizehimtoaccessSharePointServerresources.Formore informationaboutclaimsauthentication,seeA Guide to Claims-based Identity and Access Control(http://go.microsoft.com/fwlink/?LinkID=187911). ThekindofclaimsthatSharePoint2010Productssupportforincomingauthentication areWindowsClaims,formsbasedauthenticationClaims,andSAMLClaims.14

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

WindowsClaims IntheWindowsclaimsmodesignin,SharePointServerauthenticatestheclientusing standardIntegratedWindowsauthentication(NTLM/Kerberos),andthentranslatesthe resultingWindowsIdentityintoaClaimsIdentity. FormsbasedauthenticationClaims InFormsbasedauthenticationclaimsmode,SharePointServerredirectstheclienttoa logonpagethathoststhestandardASP.NETlogoncontrols.Thepageauthenticatesthe clientbyusingASP.NETmembershipandroleproviders,similartohowformsbased authenticationfunctionedinOfficeSharePointServer2007.Aftertheidentityobject thatrepresentstheuseriscreated,SharePointServerthentranslatesthisidentityintoa claimsidentityobject. SAMLClaims InSAMLClaimsmode,SharePointServeracceptsSAMLtokensfromatrustedexternal SecurityTokenProvider(STS).Whentheuserattemptstologon,seecommentis directedtoanexternalclaimsprovider(forexample,WindowsLiveIDclaimsprovider) whichauthenticatestheuserandproducesaSAMLtoken.SharePointServeraccepts andprocessesthistoken,augmentingtheclaimsandcreatingaclaimsidentityobject fortheuser. FormoreinformationaboutclaimsbasedauthenticationinSharePoint2010Products, seeSharePoint Claims-Based Identity.

Note about incoming claims authentication and the Claims to Windows Token Service (C2WTS)SomeserviceapplicationsrequirethatyouusetheWindowsIdentityFoundation(WIF) ClaimstoWindowsTokenService(C2WTS)totranslateclaimswithinthefarmto Windowscredentialsforoutboundauthentication.Itisimportanttounderstandthat C2WTSonlyfunctionsiftheincomingauthenticationmethodiseitherclassicmodeor Windowsclaims.Ifclaimsisconfigured,theC2WTSrequiresonlyWindowsclaims;the webapplicationcannotusemultipleformsofclaimsonthewebapplication,otherwise theC2WTSwillnotfunction.

Identity within a SharePoint 2010 Products environmentSharePoint2010Productsenvironmentsuseclaimsauthenticationforintraandinter farmcommunicationswithmostSharePointserviceapplicationsandSharePoint15

Configure Kerberos Authentication for SharePoint 2010 Products

integratedproductsregardlessoftheincomingauthenticationmechanismused.This meansthatevenwhereclassicauthenticationisusedtoauthenticatewithaparticular webapplication,SharePointProductsconverttheincomingidentityintoaclaims identitytoauthenticatewithSharePointServiceApplicationsandproductsthatare claimsaware.Bystandardizingontheclaimsmodelforintra/interfarm communications,theplatformcanabstractitselffromtheincomingprotocolsthatare used. Note: SomeproductsintegratedwithSharePointServer,suchasSQLServerReporting Services,arenotclaimsawareanddonottakeadvantageoftheintrafarmclaims authenticationarchitecture.SharePointServermayalsorelyonclassicKerberos delegationandclaimsinotherscenarios,forexamplewhentheRSSviewerwebpartis configuredtoconsumeanauthenticatedfeed.Refertoeachproductorservice application'sdocumentationtodeterminewhetheritcansupportclaimsbased authenticationandidentitydelegation.

Outbound identityOutboundidentityinSharePoint2010Productsrepresentsthescenarioswhereservices withinthefarmhavetoauthenticatewithexternallineofbusinesssystemsand services.Dependingonthescenario,authenticationcanbeperformedinoneoftwo basicconceptualmodels:

Trusted subsystemInthetrustedsubsystem,thefrontendserviceauthenticatesandauthorizestheclient, andthenauthenticateswithadditionalbackendserviceswithoutpassingtheclient identitytothebackendsystem.Thebackendsystemtruststhefrontendservicetodo authenticationandauthorizationonitsbehalf.Themostcommonwaytoimplement thismodelistousesharedserviceaccounttoauthenticatewiththeexternalsystem:

16

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

InSharePointServer,thismodelcanbeimplementedinvariousways: UsingtheIISapplicationpoolidentityusuallyachievedbyrunningcodeinthe webapplicationthatelevatespermissionswhilemakingacalltoanexternalsystem. OthermethodssuchasusingRevertToSelfcanalsousetheapplicationpool's identitytoauthenticatewithexternalsystems. Usingaserviceaccounttypicallyachievedbystoringapplicationcredentialsinthe SecureStorethenusingthosecredentialstoauthenticatewithanexternalsystem. Othermethodsincludestoringtheserviceaccountcredentialsinotherwayssuchas embeddedconnectionstrings. AnonymousAuthenticationthisiswheretheexternalsystemrequiresno authentication.ThereforethefrontendSharePointServerservicedoesnothaveto passanyidentitytothebackendsystem.

DelegationIntheDelegationmodel,thefrontendservicefirstauthenticatestheclient,andthen usestheclient'sidentitytoauthenticatewithanotherbackendsystemthatperformsits ownauthenticationandauthorization:

17

Configure Kerberos Authentication for SharePoint 2010 Products

InSharePoint2010Products,thismodelcanbeimplementedinvariousways: KerberosdelegationIftheclientauthenticateswiththefrontendservicebyusing Kerberosauthentication,Kerberosdelegationcanbeusedtopasstheclient's identitytothebackendsystem. Claimsclaimsauthenticationallowstheclient'sclaimstobepassedbetween servicesaslongasthereistrustbetweenthetwoservicesandbothareclaims aware.

Note: Currently,mostoftheserviceapplicationsthatareincludedwithSharePointServerdo notallowforoutboundclaimsauthentication,butoutboundclaimsisaplatform capabilitythatwillbetakenadvantageofinthefuture.Further,manyofthemost commonlineofbusinesssystemstodaydonotsupportincomingclaimsauthentication, whichmeansthatusingoutboundclaimsauthenticationmaynotbepossibleorwill requireadditionaldevelopmenttoworkcorrectly.

Delegation across domain and forest boundariesThescenariosinthissetofarticlesaboutKerberosauthenticationrequirethatthe SharePointServerserviceandexternaldatasourcesresideinthesameWindows domain,whichisrequiredforKerberosconstraineddelegation.TheKerberosprotocol supportstwokindsofdelegation,basic(unconstrained)andconstrained.BasicKerberos delegationcancrossdomainboundariesinasingleforest,butcannotcrossaforest18

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

boundaryregardlessoftrustrelationship.Kerberosconstraineddelegationcannotcross domainorforestboundariesinanyscenario. SomeSharePointServerservicescanbeconfiguredtousebasicKerberosdelegation, butotherservicesrequirethatyouuseconstraineddelegation.Anyservicethatrelies ontheClaimstoWindowstokenservice(C2WTS)mustuseKerberosconstrained delegationtoallowtheC2WTStouseKerberosprotocoltransitiontotranslateclaims intoWindowscredentials. ThefollowingserviceapplicationsandproductsrequiretheC2WTSandKerberos constraineddelegation: ExcelServices PerformancePointServices VisioServices

Thefollowingserviceapplicationsandproductsarenotaffectedbytheserequirements, andthereforecanusebasicdelegation,ifitisrequired: BusinessDataConnectivityserviceandMicrosoftBusinessConnectivityServices InfoPathFormsServices AccessServices MicrosoftSQLServerReportingServices(SSRS) MicrosoftProjectServer2010

Thefollowingserviceapplicationdoesnotallowdelegationofclientcredentialsand thereforeisnotaffectedbytheserequirements: MicrosoftSQLServerPowerPivotforMicrosoftSharePoint

Claims primerForanintroductiontoClaimsconceptsandClaimsbaseauthentication,seeAn Introduction to Claims(http://go.microsoft.com/fwlink/?LinkId=196648)andSharePoint Claims-Based Identity(http://go.microsoft.com/fwlink/?LinkID=196647).

19

Configure Kerberos Authentication for SharePoint 2010 Products

Kerberos protocol primerForaconceptualoverviewoftheKerberosprotocol,seeMicrosoft Kerberos (Windows) (http://go.microsoft.com/fwlink/?LinkID=196645),Kerberos Explained (http://go.microsoft.com/fwlink/?LinkId=196649),andAsk the Directory Services Team: Kerberos for the Busy Admin(http://go.microsoft.com/fwlink/?LinkId=196650).

Benefits of the Kerberos protocolBeforeexaminingthedetailsofhowoneconfiguresSharePointServer(oranyweb application)tousetheKerberosprotocol,let'stalkabouttheKerberosprotocol generallyandwhyyoumightwanttouseit. TypicallytherearethreemainreasonstousetheKerberosprotocol: 1. DelegationofclientcredentialsTheKerberosprotocolallowsaclient'sidentityto beimpersonatedbyaservicetoallowtheimpersonatingservicetopassthat identitytoothernetworkservicesontheclient'sbehalf.NTLMdoesnotallowthis delegation.(ThislimitationNTLMiscalledthe"doublehoprule").Claims authentication,likeKerberosauthentication,canbeusedtodelegateclient credentialsbutrequiresthebackendapplicationtobeclaimsaware. 2. SecurityFeaturessuchasAESencryption,mutualauthentication,supportfordata integrityanddataprivacy,justtonameafew,maketheKerberosprotocolmore securethanitsNTLMcounterpart. 3. PotentiallybetterperformanceKerberosauthenticationrequireslesstrafficto thedomaincontrollerscomparedwithNTLM(dependingonPACverification,see

Microsoft Open Specification Support Team Blog: Understanding Microsoft Kerberos PAC Validation).IfPACverificationisdisabledornotneeded,theservicethat authenticatestheclientdoesnothavetomakeanRPCcalltotheDC(see:You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003).

Kerberosauthenticationalsorequireslesstrafficbetweenclientandserver comparedwithNTLM.Clientscanauthenticatewithwebserversintwo request/responsesvs.thetypicalthreeleghandshakewithNTLM.However,this improvementistypicallynotnoticedonlowlatencynetworksonapertransaction basis,butcantypicallybenoticedinoverallsystemthroughput.Rememberthat manyenvironmentalfactorscanaffectauthenticationperformance;therefore KerberosauthenticationandNTLMshouldbeperformancetestedinyourown environmentbeforeyoudeterminewhetheronemethodperformsbetterthanthe other.

20

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

ThisisanincompletelistoftheadvantagesofusingtheKerberosprotocol.Thereare otherreasonslikemutualauthentication,crossplatforminteroperability,andtransitive crossdomaintrust,tonameafew.However,inmostcasesonetypicallyfinds delegationandsecuritytobetheprimarydriversinadoptionoftheKerberosprotocol.

Kerberos delegation, constrained delegation, and protocol transitionTheKerberosversion5protocolontheWindowsplatformsupportstwokindsofidentity delegation:basic(unconstrained)delegationandconstraineddelegation:

Type Advantages Disadvantages

Basic delegation

Cancrossdomainboundariesina singleforest Requireslessconfigurationthan constraineddelegation.

Doesnotsupportprotocol transition Secure.Ifthefrontendservice iscompromised,clientidentity canbedelegatedtoany serviceintheforestthat acceptsKerberos authentication.

Constrained delegation CantransitionnonKerberos incomingauthenticationprotocol toKerberos(example:NTLMto Kerberos,ClaimstoKerberos) Moresecure.Identitiescanonly bedelegatedtospecifiedservice. Cannotcrossdomain boundaries Requiresadditionalsetup configuration

Kerberosenabledservicescandelegateidentitymultipletimesacrossmultipleservices andmultiplehops.Asanidentitytravelsfromservicetoservice,thedelegationmethod canchangefromBasictoConstrainedbutnotinreverse.Thisisanimportantdesign detailtounderstand:ifabackendservicerequiresBasicdelegation(forexampleto21

Configure Kerberos Authentication for SharePoint 2010 Products

delegateacrossadomainboundary),allservicesinfrontofthebackendservicemust usebasicdelegation.Ifanyfrontendserviceusesconstraineddelegation,thebackend servicecannotchangetheconstrainedtokenintoanunconstrainedtokentocrossa domainboundary. ProtocoltransitionallowsaKerberosenabledauthenticatingservice(frontendservice) toconvertanonKerberosidentityintoaKerberosidentitythatcanbedelegatedto otherKerberosenabledservices(backendservice).Protocoltransitionrequires Kerberosconstraineddelegationandthereforeprotocoltransitionedidentitiescannot crossdomainboundaries.Dependingontheuserrightsofthefrontendservice,the Kerberosticketreturnedbyprotocoltransitioncanbeanidentificationtokenoran impersonationtoken.Formoreinformationaboutconstraineddelegationandprotocol transition,seethefollowingarticles: Kerberos Protocol Transition and Constrained Delegation

(http://technet.microsoft.com/enus/library/cc739587(WS.10).aspx)Protocol Transition with Constrained Delegation Technical Supplement

(http://msdn.microsoft.com/enus/library/ff650469.aspx)Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop Scenarios(http://support.microsoft.com/kb/2005838)

Asageneralbestpractice,ifKerberosdelegationisrequired,oneshoulduse constraineddelegation,ifitispossible.Ifdelegationacrossdomainboundariesis required,thenallservicesinthedelegationpathmustusebasicdelegation.

Kerberos authentication changes in Windows 2008R2 and Windows 7WindowsServer2008R2andWindows7introducenewfeaturestoKerberos authentication.Foranoverviewofthechanges,seeChanges in Kerberos Authentication (http://go.microsoft.com/fwlink/?LinkId=196655)andKerberos Enhancements(http://go.microsoft.com/fwlink/?LinkId=196656).Inaddition,youshould makeyourselffamiliarwithIIS7.0KernelModeauthentication(Internet Information Services (IIS) 7.0 Kernel Mode Authentication Settings, (http://go.microsoft.com/fwlink/?LinkId=196657))eventhoughitisnotsupportedin SharePointServerfarms.

22

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

Kerberos configuration changes in SharePoint 2010 ProductsMostofthebasicconceptsofconfiguringKerberosauthenticationinSharePoint2010 Productshavenotchanged.Youstillhavetoconfigureserviceprincipalnamesandyou stillhavetoconfiguredelegationsettingsoncomputerandserviceaccounts.However thereareseveralchangesthatyoushouldbeawareof: ConstrainedDelegationrequiredforserviceswhichusetheClaimstoWindows TokenService.Constraineddelegationisrequiredtoallowprotocoltransitionto convertclaimstoWindowstokens. ServiceApplicationsInOfficeSharePointServer2007,theSSPservicesrequired specialSPNsandserverregistrychangestoenabledelegation.InSharePoint2010 Products,serviceapplicationsuseclaimsauthenticationandtheClaimstoWindows Tokenservice,sothesechangesarenolongerneeded. WindowsIdentityFoundation(WIF)theWIFClaimstoWindowsTokenService (C2WTS)isanewserviceleveragedbySharePoint2010Productstoconvertclaims toWindowstokensfordelegationscenarios.

Considerations when you are upgrading from Office SharePoint Server 2007IfyouareupgradinganOfficeSharePointServer2007farmtoSharePointServer2010, thereareseveralthingsyoushouldconsiderasyoucompletetheupgrade: IfwebapplicationsarechangingURLs,makesurethatyouupdatetheService PrincipleNamestoreflecttheDNSnames. DeletetheSSPserviceprincipalnames,becausetheyarenolongerneededin SharePointServer2010. StarttheClaimstoWindowsTokenServiceontheserversthatarerunningservice applicationsthatrequiredelegation(forexample,ExcelServices,VisioGraphics Service). ConfigureKerberosconstraineddelegationwith"useanyauthenticationprotocol" toallowKerberosconstraineddelegationwiththeC2WTS. EnsureKernelmodeauthenticationisdisabledinIIS.

23

Configure Kerberos Authentication for SharePoint 2010 Products

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)Published:December2,2010

Inthescenarioarticlesthatfollow,webuildoutaSharePointServer2010environment todemonstratehowtoconfiguredelegationinanumberofcommonscenariosyou mightencounterintheenterprise.Thewalkthroughsassumeyouarebuildingouta scaledoutSharePointfarmsimilartowhatisdescribedinthefollowingsection. Note: Someoftheconfigurationstepsmaychange,ormaynotworkincertainfarm topologies.Forinstance,asingleserverinstalldoesnotsupporttheWindowsIdentity FoundationC2WTSservicessoclaimstowindowstokendelegationscenariosarenot possiblewiththisfarmconfiguration.

Environment and farm topologyThefollowingdiagramillustratesthefarmtopologyusedwhenconfiguringthescenarios inthesectionsbelow.Thefarmtopologyisloadbalancedandscaledoutbetween multipletierstodemonstratehowidentitydelegationwouldworkinmultiserver,multi hopscenarios.

24

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)

Note: Thefarmconfigurationinthedemonstrationsisnotmeanttobeareference architectureoranexampleofhowtodesignatopologyforproductionenvironments. Forexample,thedemotopologyrunsallSharePointServer2010serviceapplicationson asingleserverwhichcreatesasinglepointoffailurefortheseservices.Formore informationonhowtodesignandbuildaproductionSharePointServerenvironment, seeSharePoint Server 2010 Physical and Logical ArchitectureandTopologies for SharePoint Server 2010.

25

Configure Kerberos Authentication for SharePoint 2010 Products

Note: ThescenariowalkthroughsassumethatallcomputersthatarerunningSharePoint Serverandthedatasourcesusedinthescenariobelowresideinasingledomain.An explanationandwalkthroughofmultidomain/multiforestconfigurationisnotcovered inthisdocument.

Environment specificationAllcomputersinthedemonstrationenvironmentarevirtualizedrunningonWindows Server2008R2HyperV.ThecomputersarejoinedtoasingleWindowsdomain, vmlab.local,runninginWindowsServer2008ForestandDomainfunctionlevels. ClientComputer Windows7Professional,64bit

SharePointServerfrontendWebs WindowsServer2008R2Enterprise,64bit Services: WebApplicationService LoadbalancedwithWindowsNLB

SharePointServerApplicationServer WindowsServer2008R2Enterprise,64bit MicrosoftSharePointServer2010(RTM) Services: WIFClaimstoWindowsTokenService ManagedMetadataService SharePointIndex SharePointQuery ExcelServices VisioGraphicsService26

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)

BusinessConnectivityServices PerformancePointServices

SQLServices WindowsSever2008R2Enterprise,64bit MicrosoftSQLServer2008R2Enterprise,64bit Active/PassiveConfiguration SQLServerServices: SQLDataEngine SQLServerAnalysisServices SQLAgent SQLBrowser

SQLReportingServer WindowsServer2008R2Enterprise,64bit(RTM) MicrosoftSQL2008R2Enterprise,64bit(RTM) MicrosoftSharePointServer2010(RTM) WindowsNLB,Loadbalanced ReportingServicesSharePointintegrationmode ReportingServices,scaledoutmode

Web Application specificationThescenariosinthewalkthroughreferenceasetofSharePointServer2010web applicationsyouwillconfigureinScenario1.Thefollowingwebapplicationsareload balancedusingWindowsNLBacrossthetwoSharePointServerwebfrontendsinthe demonstrationenvironment: http://sp10CATheCentralAdministrationwebapplicationforthefarm.Scenario1 willnotwalkthroughtheconfigurationofthiswebapplication.27

Configure Kerberos Authentication for SharePoint 2010 Products

http://portalandhttps://portalWebapplicationwithdemonstrationpublishing portal.Itisusedtodemonstratehowtoconfiguredelegationforwebapplications runningonstandardports(HTTP80,HTTPS443) http://teams:5555Webapplicationwithdemonstrationteamsite.Itisusedto demonstratehowtoconfiguredelegationforwebapplicationsrunningonnon standardports,inthisexampleport5555.

28

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)

SSL configurationSomeofthewalkthroughscenarioswilluseSSLtodemonstratehowtoconfigure delegationwithHTTPS.Itisassumedthatthecertificatesbeingusedcomefroma trustedrootcertificateauthority,eitherinternalorpublic,oryouhaveconfiguredall computerstotrustthecertificatesbeingused.Thedocumentwillnotcoverhowto properlyconfigurecertificatetrustnorwillitprovideguidanceaboutdebuggingissues relatedtoSSLcertificateinstallation.Itishighlyrecommendedtoreviewthesetopics andtestyourSSLconfigurationbeforeconfiguringKerberosconstraineddelegationwith SSLprotectedservices.Formoreinformationsee: Active Directory Certificate Services Overview (http://go.microsoft.com/fwlink/?LinkId=196660) Active Directory Certificate Services Step-by-Step Guide

(http://go.microsoft.com/fwlink/?LinkId=196661)Configuring Server Certificates in IIS 7 (http://go.microsoft.com/fwlink/?LinkId=196662) How to Set Up SSL on IIS 7: Configuring Security : Installing and Configuring IIS 7 : The Official Microsoft IIS Site(http://go.microsoft.com/fwlink/?LinkID=193447) Add a Binding to a Site (IIS 7)(http://go.microsoft.com/fwlink/?LinkId=196663) Configure a Host Header for a Web Site (IIS 7) (http://go.microsoft.com/fwlink/?LinkId=196664)(HowtouseSSLwithhost headers) Create a Self-Signed Server Certificate in IIS 7

(http://go.microsoft.com/fwlink/?LinkId=196665)

Load balancingLoadbalancingontheSharePointServerfrontendWebsandSQLServerReporting ServicesserverswasimplementedbyusingWindowsServer2008NetworkLoad Balancing(NLB).HowtoconfigureNLBandNLBbestpracticesarenotcoveredinthis document.FormoreinformationonNLB,refertoOverview of Network Load Balancing.

SQL aliasingThefarmwasbuiltusingaSQLclientaliastoconnecttotheSQLcluster.Thisistypically abestpracticeandwasdonetodemonstratehowKerberosauthenticationisconfigured29

Configure Kerberos Authentication for SharePoint 2010 Products

whenSQLaliasingisused.Scenario2assumestheenvironmentisconfiguredinthis manner,butitisnotrequiredtouseSQLaliasestocompleteanyofthescenariosbelow. FormoreinformationonhowtoconfigureSQLaliasesseeHow to: Create a Server Alias for Use by a Client (SQL Server Configuration Manager).

SharePoint Server Services and service accountsThescenariosbelowimplementaleastprivilegemodelwhereeachserviceinthe SharePointfarmleveragesaseparate,distinctActiveDirectoryaccountforitsservice identity.Usingaleastprivilegemodelhasadvantagesanddisadvantages: Advantages: Theadministratorcancontrolthepermissionsofeachserviceinafinegrained wayThisincludesdomainpermissions,localpermissionsandprivileges,delegation rightsandothersettings. BetterauditingandtraceabilityByensuringeachserviceleveragesitsown identity,anadministratorcantracknetworkandsystemactivitybacktothespecific servicebasedontheidentitycapturedinauditfiles.Forexample,ifaserveraudit logshowslogonactivityforaparticularaccount,theaccountcouldbeusedtotrace theactivitytoaparticularservice. BettersecurityByleveragingseparateaccountsforeachservice,anadministrator assuresthatifoneaccountiscompromiseditpotentiallylimitsthedamagedueto thesecurityissuebecauseonlytheservicethatisusingthecompromisedaccountis affected.Notethatifanyaccountbecomescompromised,aholisticsecurity assessmentoftheentireenvironmentshouldbeperformedtodeterminethemost appropriateactiontoaddressthesecurityissue.

Disadvantages: IncreasedaccountmanagementcomplexityHavingmoreserviceaccounts translatestomoreActiveDirectoryconfigurationandmorepasswordmanagement policiestoenforce.

30

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)

AdditionalconfigurationAsseeninthestepbystepguidebelow,oncea SharePointServeradministratormakesthedecisiontoleveragealeastprivilege model,thereareadditionalstepssheorhemustperformtoconfigurethe environmentcorrectly. IncreasedadministrationcomplexityTheprobabilityofmisconfigurationincreases asthecomplexityoftheenvironmentincreases.Whenyouleveragemultiple accounts,thereisachancethatcertainserviceswillbemisconfigured,whichcan leadtofunctionalityissuesandtriageneededtocorrecttheissues.

BeawarethatusingseparateserviceaccountsisnotarequirementofSharePointServer butageneralrecommendationforproductionenvironments.Thestepsintherestof thispaperoutlinehowtoconfigureSharePointServerwhenyouareusingseparate accounts;someofthesestepsmaynotapplywhenyouareusingsharedaccounts.

C2WTS Service IdentityThestepsbelowassumealeastprivilegesecuritymodelandleveragediscreteservice accountsforeachSharePointServerservice.TheC2WTSisconfiguredtouseaseparate ActiveDirectoryaccountinsteadofthedefaultlocalsystemaccounttofollowthis designtenant.Whenyouuseadistinctaccount,theindividualdelegationrightsgranted totheC2WTScanbemanagedseparatelyfromotherservicesontheserverthatarealso usingthelocalsystemaccount.Notethatthisisnotaproductrequirement,buta recommendedpractice.

Tips for working through the scenariosThescenariosbelowwalkthroughvariousactivitiesneededtoconfigureKerberos delegationacrossdifferentfunctionsoftheSharePointServerplatform.Asyougo througheachsection: Allthescenariosassumeyouhaveyourwebapplicationsconfiguredforincomingclassic authentication(Kerberos).Somescenariosbelowrequireclassicauthenticationandwill notfunctionasdocumentedwithincomingclaimsauthentication. GettheSharePointServerservicesworkingfirstwithoutdelegationtoensurethe serviceapplicationsareconfiguredcorrectlybeforemovingontomorechallenging configurationswithdelegation.31

Configure Kerberos Authentication for SharePoint 2010 Products

Trytopayspecialattentiontoeachstepandavoidskippinganysteps Workthroughscenario1andspendtimeusingthedebuggingtoolsmentionedin thescenarioastheycanbeusedinotherscenariostotriageconfigurationissues. Remembertoworkthroughscenario2.YoullneedacomputerrunningSQLServer thatisconfiguredtoacceptKerberosauthenticationandwillrequirethetest databasethatyousetupinthisscenarioforsomeofthelaterscenarios. AlwaysdoublecheckSPNconfigurationineachscenariobyusingSetSPNXand SetSPNQ.Seetheappendixformoreinformation. AlwaysbesuretochecktheservereventlogsandULSlogswhenattemptingto debugaconfigurationissue.Therearetypicallygoodpointersintheselogswhich canquicklypointouttheissuesyouareencountering. TurnupdiagnosticloggingforSharePointFoundation>ClaimsAuthenticationand anyserviceapplicationsthatyouareattemptingtotriageifissuesoccur. Rememberthateachscenariomaybeaffectedbyserviceapplicationcaching.Ifyou makeconfigurationchangesbutdonotseechangesinplatformbehavior,try restartingtheservicesapplicationpoolorwindowsservice.Ifthishasnoeffect, sometimesasystemrebootwillhelp. RememberthatKerberosticketsarecachedoncerequested.Ifyouareusingatool likeNetMontoviewTGTandTGSrequests,youmayneedtoemptytheticketcache ifyoudontseetherequesttrafficyouexpect.Scenario1,Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)explainshowtodothis withtheKLISTandKerbTrayutilities. RemembertorunNetMonwithAdministrativeprivilegestocaptureKerberos traffic. ForadvanceddebuggingscenariosyoumaywanttoturnonWIFtracingforthe ClaimstoWindowsTokenServiceandWCFtracingfortheSharePointService Applications(WCFservices).See: WIF Tracing How to: Enable Tracing Configuring Tracing

32

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)Published:December2,2010

InthefirstscenarioyouwillconfiguretwoSharePointServer2010webapplicationsto usetheKerberosprotocolforauthenticatingincomingclientrequests.For demonstrationpurposes,onewebapplicationwillbeconfiguredtousestandardports (80/443)andtheotherwilluseanondefaultport(5555).Thisscenariowillbethebasis ofallthefollowingscenarioswhichassumetheactivitiesbelowhavebeencompleted. Important: ItisarequirementtoconfigureyourwebapplicationswithclassicWindows authenticationusingKerberosauthenticationtoensurethatthescenariosworkas expected.WindowsClaimsauthenticationcanbeusedinsomescenariosbutmaynot producetheresultsdetailedinthescenariosbelow. Note: IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing hotfixforKerberosauthentication:A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used(http://support.microsoft.com/kb/969083)

Inthisscenarioyoudothefollowingthings: ConfiguretwowebapplicationswithdefaultzonesthatusetheKerberosprotocol forauthentication Createtwotestsitecollections,oneineachwebapplication VerifytheIISconfigurationofthewebapplication33

Configure Kerberos Authentication for SharePoint 2010 Products

Verifythatclientscanauthenticatewiththewebapplicationandensurethatthe Kerberosprotocolisusedforauthentication ConfiguretheRSSViewerwebparttodisplayRSSfeedsinalocalandremoteweb application Crawleachwebapplicationandtestsearchingcontentineachtestsitecollection

Configuration checklistAreaofConfiguration Description

DNS ActiveDirectory

RegisteraDNSARecordforthewebapplicationsnetworked loadedbalanced(NLB)virtualIP(VIP) CreateaserviceaccountsforthewebapplicationsIIS applicationpool RegisterServicePrincipalNames(SPN)fortheweb applicationsontheserviceaccountcreatedfortheweb applicationsIISapplicationpool ConfigureKerberosconstraineddelegationforservice accounts

SharePointWebApp CreateSharePointServermanagedaccounts CreatetheSharePointSearchServiceApplication CreatetheSharePointwebapplications IIS ValidatethatKerberosauthenticationisEnabled VerifyKernelmodeauthenticationisdisabled InstallcertificatesforSSL Windows7Client EnsurewebapplicationURLsareintheintranetzone,ora zoneconfiguredtoautomaticallyauthenticatewith integratedWindowsauthentication OpenfirewallportstoallowHTTPtrafficinondefaultand34

Firewall

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)AreaofConfiguration Description

Configuration

nondefaultports EnsureclientscanconnecttoKerberosPortsontheActive Directory

TestBrowser Authentication

Verifyauthenticationworkscorrectlyinthebrowser VerifyLogoninformationonthewebserverssecurityevent log UsethirdpartytoolstoconfirmKerberosauthenticationis configuredcorrectly

TestSharePoint Verifybrowseraccessfromtheindexserver(s) ServerSearchIndex Uploadsamplecontentandperformacrawl andQuery Testsearch TestWFEDelegation ConfigureRSSFeedsourcesoneachsitecollection AddRSSviewwebpartstothehomepageofeachsite collection

Step-by-step configuration instructionsConfigure DNSConfigureDNSforthewebapplicationsinyourenvironment.Inthisexamplewehave2 webapplications,http://portalandhttp://teams:5555,whichbothresolvetothesame NLBVIP(192.168.24.140/24) ForgeneralinformationabouthowtoconfigureDNS,seeManaging DNS Records.

SharePoint Server Web appshttp://portalConfigureanewDNSARecordfortheportalwebapplication.Inthis examplewehaveahost"portal"configuredtoresolvetotheloadbalancedVIP.35

Configure Kerberos Authentication for SharePoint 2010 Products

http://teams:5555ConfigureanewDNSARecordforthefortheteam'sweb application

36

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Note: ItisimportanttoensuretheDNSentriesareARecordsandnotCNAMEaliasesfor Kerberosauthenticationtoworksuccessfullyinenvironmentswithmorethanoneweb applicationrunningwithhostheadersandseparatededicatedserviceaccounts.See Kerberos configuration known issues (SharePoint Server 2010)foranexplanationofthe knownissuewithusingCNAMEwithKerberosenabledwebapplications.

Configure Active DirectoryNextyouwillconfiguretheActiveDirectoryaccountsforthewebapplicationsinyour environment.Asabestpracticeyoushouldconfigureeachwebapplicationtoruninits ownIISapplicationpoolwithitsownsecuritycontext(applicationpoolidentity).

SharePoint Service Application Service AccountsInourexamplewehavetwoSharePointServerwebapplicationsrunningintwo separateIISapplicationpoolsrunningwiththeirownapplicationpoolidentities.

WebApplication(defaultzone) IIS AppPoolIdentity

http://portal http://teams:5555

vmlab\svcPortal10App vmlab\svcTeams10App

Service Principal Names (SPNs)Foreachserviceaccount,configureasetofserviceprincipalnamesthatmaptotheDNS hostnamesassignedtoeachwebapplication. UseSetSPN,acommandlinetoolinWindowsServer2008,toconfigureanewservice principalname.ForafullexplanationofhowtouseSetSPN,seeSetspn.Tolearnabout SetSPNimprovementsinWindowsServer2008,seeCare, Share and Grow! : New features in SETSPN.EXE on Windows Server 2008.37

Configure Kerberos Authentication for SharePoint 2010 Products

AllSharePointServerwebapplications,regardlessofportnumber,usethefollowing SPNformat: HTTP/ HTTP/

Example: HTTP/portal HTTP/portal.vmlab.local

ForWebapplicationsrunningonnondefaultports(portsotherthan80/443)register additionalSPNswithportnumber: HTTP/: HTTP/:

Example: Note: SeetheappendixforanexplanationofwhyitisrecommendedtoconfigureSPNswith andwithoutportnumberforHTTPservicesrunningonnondefaultports(80,443). TechnicallythecorrectwaytorefertoaHTTPservicethatrunsonanondefaultportis toincludetheportnumberintheSPNbutbecauseofknownissuesdescribedinthe appendixweneedtoconfigureSPNswithoutportaswell.NotethattheSPNswithout portfortheteamswebapplicationdoesnotmeanserviceswillbeaccessedusingthe defaultports(80,443)inourexample. Inourexampleweconfiguredthefollowingserviceprincipalnamesforthetwo accountswecreatedinthepreviousstep: HTTP/teams:5555 HTTP/teams.vmlab.local:5555

38

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)DNSHost IISAppPoolIdentity ServicePrincipalNames

Portal.vmlab.local

vmlab\svcPortal10App

HTTP/portal HTTP/portal.vmlab.local

Teams.vmlab.local

vmlab\svcTeams10App

HTTP/Teams HTTP/Teams.vmlab.local HTTP/Teams:5555 HTTP/Teams.vmlab.local:5555

Tocreatetheserviceprincipalnamesthefollowingcommandswereexecuted:SetSPNSHTTP/Portalvmlab\svcportal10App SetSPNSHTTP/Portal.vmlab.localvmlab\svcportal10App SetSPNSHTTP/Teamsvmlab\svcTeams10App SetSPNSHTTP/Teams.vmlab.localvmlab\svcTeams10App SetSPNSHTTP/Teams:5555vmlab\svcTeams10App SetSPNSHTTP/Teams.vmlab.local:5555vmlab\svcTeams10App

Important: DonotconfigureserviceprincipalnameswithHTTPSevenifthewebapplicationuses SSL. Inourexampleweusedanewcommandlineswitch,S,introducedinWindowsServer 2008thatchecksfortheexistenceoftheSPNbeforecreatingtheSPNontheaccount.If theSPNalreadyexists,thenewSPNisnotcreatedandyouseeanerrormessage.

39

Configure Kerberos Authentication for SharePoint 2010 Products

IfduplicateSPNsarefound,youhavetoresolvetheissuebyeitherusingadifferentDNS nameforthewebapplication,therebychangingtheSPN,orbyremovingtheexisting SPNfromtheaccountitwasdiscoveredon. Important: BeforedeletinganexistingSPN,besureitisnolongerneeded,otherwiseyoumaybreak Kerberosauthenticationforanotherapplicationinyourenvironment.

Service Principal Names and SSLItiscommontoconfuseKerberosServicePrincipalNameswithURLsforhttpweb applicationsbecausetheSPNandURIformatsareverysimilarinsyntax,butits importanttounderstandthattheyaretwoveryseparateanduniquethings.Kerberos serviceprincipalnamesareusedtoidentifyaservice,andwhenthatserviceisanhttp application,theserviceschemeis"HTTP"regardlessiftheserviceisaccesswithSSLor not.Thismeansthatevenifyouaccessthewebapplicationusing"https://someapp"you donot,andshouldnot,configureaserviceprincipalnamewithHTTPS,forexample "HTTPS/someapp".

Configure Kerberos constrained delegation for computers and service accountsDependingonthescenario,somefunctionalityinSharePointServer2010mayrequire constraineddelegationtofunctionproperly.Forexample,iftheRSSviewerwebpartis configuredtodisplayaRSSfeedfromanauthenticatedsourceitwillrequiredelegation toconsumethesourcefeed.Inothersituationsitmayberequiredtoconfigure constraineddelegationtoallowserviceapplications(suchasExcelServices)todelegate theclientsidentitytobackendsystems. InthisscenariowewillconfigureKerberosconstraineddelegationtoallowtheRSSview webparttoreadasecuredlocalRSSfeedandsecuredremoteRSSfeedfromaremote40

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

webapplication.InlaterscenarioswewillconfigureKerberosconstraineddelegationfor otherSharePointServer2010serviceapplications. Thefollowingdiagramconceptuallydescribeswhatwillbeconfiguredinthisscenario:

Wehavetwowebapplications,eachwiththeirownsitecollectionwithasitepage hosingtwoRSSviewerwebparts.Thewebapplicationseachhaveasingledefaultzone configuredtouseKerberosauthenticationsoallfeedscomingfromthesewebsiteswill requireauthentication.IneachsiteoneRSSviewerwillbeconfiguredtoreadalocalRSS feedfromalistandtheotherwillbeconfiguredtoreadanauthenticationfeedinthe remotesite. Toaccomplishthis,Kerberosconstraineddelegationwillbeconfiguredtoallow delegationbetweentheIISapplicationpoolserviceaccounts.Thefollowingdiagram conceptuallydescribestheconstraineddelegationpathsneeded:

41

Configure Kerberos Authentication for SharePoint 2010 Products

RememberthatweidentifythewebapplicationbyservicenameusingtheService PrincipalName(SPN)assignedtotheidentityoftheIISapplicationpool.Theservice accountsprocessingrequestsmustbeallowedtodelegatetheclientidentitytothe designatedservices.Alltogetherwehavethefollowingconstraineddelegationpathsto configure:

PrincipalType PrincipalName DelegatesToService

User

svcPortal10App

HTTP/Portal HTTP/Portal.vmlab.local HTTP/Teams HTTP/Teams.vmlab.local HTTP/Teams:5555 HTTP/Teams.vmlab.local:5555

42

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)PrincipalType PrincipalName DelegatesToService

User

svcTeams10App

HTTP/Portal HTTP/Portal.vmlab.local HTTP/Teams HTTP/Teams.vmlab.local HTTP/Teams:5555 HTTP/Teams.vmlab.local:5555

Note: Itmayseemredundanttoconfiguredelegationfromaservicetoitself,suchasthe portalserviceaccountdelegatingtotheportalserviceapplication,butthisisrequiredin scenarioswhereyouhavemultipleserversrunningtheservice.Thisistoaddressthe scenariowhereoneservermayneedtodelegatetoanotherserverrunningthesame service;forinstanceaWFEprocessingarequestwithaRSSviewerwhichusesthelocal webapplicationasthedatasource.Dependingonfarmtopologyandconfiguration thereisapossibilitythattheRSSrequestmaybeservicedbyadifferentserverwhich wouldrequiredelegationtoworkcorrectly. ToconfiguredelegationyoucanusetheActiveDirectoryUsersandComputersnapin. Rightclickeachserviceaccountandopenthepropertiesdialog.Inthedialogyouwill seeatabfordelegation(notethatthistabonlyappearsiftheobjecthasanSPN assignedtoit;computershaveanSPNbydefault).Onthedelegationtab,selectTrust thisuserfordelegationtospecifiedservicesonly,thenselectUseanyauthentication protocol.

43

Configure Kerberos Authentication for SharePoint 2010 Products

ClicktheAddbuttontoaddtheservicestheuser(serviceaccount)willbeallowedto delegateto.ToselectaSPN,youwilllookuptheobjecttheSPNisappliedto.Inour instance,wearetryingtodelegatetoaHTTPservicewhichmeanswesearchforthe serviceaccountoftheIISapplicationpoolthattheSPNwasassignedtointheprevious step.

44

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

OntheSelectUsersorComputersdialogbox,clickUsersandComputers,searchforthe IISapplicationpoolserviceaccounts(inourexamplevmlab\svcPortal10Appand vmlab\svcTeams10AppandthenclickOK:

Youwillthenbepromptedtoselecttheservicesassignedtotheobjectsbyservice principalname.

45

Configure Kerberos Authentication for SharePoint 2010 Products

OntheAddServicesdialogbox,clickSelectAllthenclickOK.Notethatwhenyoureturn tothedelegationdialogyoudonotactuallyseealltheSPNsselected.ToseeallSPNs, checktheExpandedcheckboxinthelowerlefthandcorner.

46

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Performthesestepsforeachserviceaccountinyourenvironmentthatrequires delegation.Inourexamplethisistheserviceaccountslist

Configure SharePoint ServerOnceActiveDirectoryandDNSareconfigured,itstimetocreatethewebapplicationin yourSharePointServer2010Farm.Thispaperassumesthattheinstallationof47

Configure Kerberos Authentication for SharePoint 2010 Products

SharePointServeriscompleteatthispointandthefarmtopologyandsupporting infrastructure,forinstanceloadbalancing,isconfigured.Formoreinformationabout howtoinstallandconfigureyourSharePointfarm,see:Deployment for SharePoint Server 2010.

Configure managed service accountsBeforecreatingyourwebapplications,configuretheservicesaccountscreatedinthe previousstepsasmanagedserviceaccountsinSharePointServer.Doingsoaheadof timewillallowyoutoskipthisstepwhencreatingthewebapplicationsthemselves. Toconfigureamanagedaccount 1. InSharePointCentralAdministration,clickSecurity.

2. UnderGeneralSecurityclickConfiguremanagedaccounts:

3. ClickRegisterManagedAccountandcreateamanagedaccountforeachservice account.Inthisexamplewecreatedfivemanagedserviceaccounts:Account Purpose

VMLAB\svcSP10Search VMLAB\svcSearchAdmin

SharePointSearchServiceAccount SharePointSearchAdministrationServiceAccount48

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)Account Purpose

VMLAB\svcSearchQuery VMLAB\svcPortal10App VMLAB\svcTeams10App Note:

SharePointSearchQueryServiceAccount PortalWebAppIISApplicationPoolAccount TeamsWebAppIISApplicationPoolAccount

ManagedaccountsinSharePointServer2010arenotthesameasmanaged serviceaccountsinWindowsServer2008R2ActiveDirectory.

Create the SharePoint Server Search Service ApplicationInthisexamplewewillconfiguretheSharePointServerSearchServiceApplicationto ensurethenewlycreatewebapplicationcanbecrawledandsearchedupon successfully.CreateanewSharePointServerSearchWebApplicationandplacethe Search,QueryandAdministrationServicesontheapplicationserver,inourexample vmSP10App01.ForadetailedexplanationonhowtoconfiguretheSearchService Application,seeStep-by-Step: Provisioning the Search Service Application. Note: TheplacementofallSearchServicesonasingleapplicationserverisfordemonstration purposesonly.AcompletediscussionaboutSharePointServer2010SearchTopology optionsandbestpracticesisoutofscopeforthisdocument.

Create the Web ApplicationBrowsetoCentralAdministrationandnavigatetoManageWebApplicationsinthe ApplicationManagementsection.Inthetoolbar,selectNewandcreateyourweb application.Ensurethatthefollowingisconfigured: SelectClassicModeAuthentication. Configuretheportandhostheaderforeachwebapplication.49

Configure Kerberos Authentication for SharePoint 2010 Products

SelectNegotiateastheAuthenticationProvider. Underapplicationpool,selectCreatenewapplicationpoolandselectthemanaged accountcreatedinthepreviousstep.

Inthisexample,twowebapplicationswerecreatedwiththefollowingsettings:

Setting http://PortalWebApplication http://TeamsWebApplication

Authentication ClassicMode IISWebSite

ClassicMode

Name:SharePointPortal80 Name:SharePointTeams5555 Port:80 HostHeader:Portal Port:80 HostHeader:Teams AuthProvider:Negotiate AllowAnonymous:No UseSecureSocketLayer:No http://Teams:5555

Security Configuration

AuthProvider:Negotiate AllowAnonymous:No UseSecureSocketLayer:No

PublicURL

http://Portal:80

ApplicationPoolName:SharePointPortal80 Name:SharePointTeams5555 SecurityAccount: vmlab\svcPortal10App Whencreatingthenewwebapplicationyouarealsocreateanewzone,thedefault zone,configuredtousetheWindowsauthenticationprovider.Youcanseetheprovider anditssettingsforthezoneinwebapplicationmanagementbyfirstselectingtheweb application,thenclickingAuthenticationProvidersinthetoolbar.Theauthentication providersdialogboxlistsallthezonesfortheselectedwebapplicationalongwiththe authenticationproviderforeachzone.Byselectingthezone,youwillseethe authenticationoptionsforthatzone. SecurityAccount: vmlab\svcTeams10App

50

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Theauthenticationprovidersdialogwilllistallthezonesfortheselectedweb applicationalongwiththeauthenticationproviderforeachzone:

Byselectingthezone,youwillseetheauthenticationoptionsforthatzone:

51

Configure Kerberos Authentication for SharePoint 2010 Products

IfyoumisconfiguredtheWindowssettingsandselectedNTLMwhentheweb applicationwascreated,youcanusetheeditauthenticationdialogforthezoneto switchthezonefromNTLMtoNegotiate.Ifclassicmodewasnotselectedasthe authenticationmode,youmusteithercreateanewzonebyextendingtheweb applicationtoanewIISwebsiteordeleteandrecreatethewebapplication.52

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Create site collectionsTotestwhetherauthenticationisworkingcorrectly,youwillneedtocreateatleastone sitecollectionineachwebapplication.Thecreationandconfigurationofthesite collectionwillnotaffectKerberosfunctionality,sofollowexistingguidanceonhowto createasitecollectioninCreate a site collection (SharePoint Foundation 2010). Forthisexample,twositecollectionswereconfigured:

WebApplication SiteCollectionPath SiteCollectionTemplate

http://portal http://teams:5555

/ /

PublishingPortal TeamSite

Create alternate access mappingsTheportalwebapplicationwillbeconfiguredtouseHTTPSaswellasHTTPto demonstratehowdelegationworkswithSSLprotectedservices.ToconfigureSSL,the portalwebapplicationwillneedasecondSharePointServeralternateaccessmapping (AAM)fortheHTTPSendpoint. Toconfigurealternateaccessmappings 1. InCentralAdministration,clickApplicationManagement. 2. UnderWebApplicationsclickconfigurealternateaccessmappings.

53

Configure Kerberos Authentication for SharePoint 2010 Products

3. IntheSelectAlternateAccessMappingCollectiondropdown,selecttheChange AlternateAccessMappingCollection.

4. Selecttheportalwebapplication.

5. ClickEditPublicUrlsinthetoptoolbar.

6. Inafreezone,addthehttpsURLforthewebapplication.ThisURLwillbethename ontheSSLcertificateyouwillcreateinthenextsteps.

7. ClickSave. YoushouldnowseetheHTTPSURLinthezonelistforthewebapplication.

54

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

IIS configurationInstall SSL certificatesYouwillneedtoconfigureanSSLcertificateoneachSharePointServerhostingtheweb applicationserviceforeachwebapplicationthatusesSSL.Again,thetopicofhowto configureanSSLcertificateandcertificatetrustisoutofscopeforthisdocument.See theSSLConfigurationsectioninthisdocumentforreferencestomaterialabout configuringSSLcertificatesinIIS.

Verify that Kerberos authentication is enabledToverifythatKerberosauthenticationisenabledonthewebsite 1. OpenIISmanager. 2. SelecttheIISwebsitetoverify. 3. InFeaturesView,underIIS,doubleclickAuthentication.

55

Configure Kerberos Authentication for SharePoint 2010 Products

4. SelectWindowsAuthenticationwhichshouldbeenabled.

5. OntherighthandsideunderActions,selectProviders.VerifyNegotiateisatthetop ofthelist.

56

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Verify that Kernel mode authentication is disabledKernelmodeauthenticationisnotsupportedinSharePointServer2010.Bydefault,all SharePointServerWebApplicationsshouldhaveKernelModeAuthenticationdisabled bydefaultontheircorrespondingIISwebsites.Eveninsituationswheretheweb applicationwasconfiguredonanexistingIISwebsite,SharePointServerdisableskernel modeauthenticationasitprovisionsanewwebapplicationontheexistingIISsite. Toverifythatkernelmodeauthenticationisdisabled 1. OpenIISmanager. 2. SelecttheIISwebsitetoverify. 3. InFeaturesView,underIIS,doubleclickAuthentication. 4. SelectWindowsAuthentication,whichshouldbeenabled. 5. ClickAdvancedSettings. 6. VerifybothEAPandKernelModeAuthenticationaredisabled.

57

Configure Kerberos Authentication for SharePoint 2010 Products

Configure the firewallBeforetestingauthentication,ensureclientscanaccesstheSharePointServerweb applicationsontheconfiguredHTTPports.Inaddition,ensureclientscanauthenticate withActiveDirectoryandrequestKerberosticketsfromtheKDCoverthestandard Kerberosports.

Open firewall ports to allow HTTP traffic in on default and non-default portsTypicallyyouhavetoconfigurethefirewalloneachfrontendWebtoallowincoming requestsoverportsTCP80andTCP443.OpenWindowsFirewallwithAdvanced SecurityandbrowsetothefollowingInboundRules:

WorldWideWebServices(HTTPTrafficIn) WorldWideWebServices(HTTPSTrafficIn)

58

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Makesuretheappropriateportsareopeninyourenvironment.Inourexample,we accessSharePointServeroverHTTP(port80),sothisrulewasenabled. Inaddition,wehavetoopenthenondefaultportusedinourexample(TCP5555).If youhavewebsitesrunningonnondefaultports,youalsohavetoconfigurecustom rulestoallowHTTPtrafficonthoseports.

Ensure that clients can connect to Kerberos ports on the Active Directory roleTouseKerberosauthentication,clientswillhavetorequestticketgrantingtickets(TGT) andservicetickets(ST)fromtheKeyDistributionCenter(KDC)overUDPorTCPport88. Bydefault,whenyouinstalltheActiveDirectoryRoleinWindowsServer2008andlater, therolewillconfigurethefollowingincomingrulestoallowthiscommunicationby default:

KerberosKeyDistributionCenterPCR(TCPIn) KerberosKeyDistributionCenterPCR(UDPIn) KerberosKeyDistributionCenter(TCPIn) KerberosKeyDistributionCenter(UDPIn)

Inyourenvironmentensuretheserulesareenabledandthatclientscanconnecttothe KDC(domaincontroller)overport88.

Test browser authenticationAfterconfiguringActiveDirectory,DNSandSharePointServeryoucannowtestwhether Kerberosauthenticationisconfiguredcorrectlybybrowsingtoyourwebapplications. Whentestinginthebrowser,ensurethefollowingconditionsaremet: 1. ThetestuserisloggedintoaWindowsXP,Vista,orWindows7computerjoinedto thedomainthatSharePointServerisinstalledin,orisloggedintoadomaintrusted bytheSharePointServerdomain.59

Configure Kerberos Authentication for SharePoint 2010 Products

2. ThetestuserisusingInternetExplorer7.0orlater(InternetExplorer6.0isno longersupportedinSharePointServer2010;seePlan browser support (SharePoint Server 2010)). 3. IntegratedWindowsauthenticationisenabledinthebrowser.UnderInternet OptionsintheAdvancedtab,makesureEnableIntegratedWindows Authentication*isenabledintheSecuritysection:

4. Localintranetisconfiguredtoautomaticallylogonclients.UnderInternetexplorer option,intheSecuritytab,selectLocalIntranetandclicktheCustomlevelbutton. ScrolldownandmakesurethatAutomaticlogononlyinIntranetzoneisselected.

60

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

ScrolldownandmakesureAutomaticlogononlyinIntranetzoneisselected:

61

Configure Kerberos Authentication for SharePoint 2010 Products

Note: ItispossibletoconfigureautomaticlogononotherzonesbutthetopicofIEsecurity zonesbestpracticesitoutsidethescopeofthispaper.Forthisdemonstrationthe intranetzonewillbeusedforalltests. 5. EnsurethatAutomaticallydetectintranetnetworkisselectedinInternetoptions >Security>IntranetZone>Sites.

62

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

6. IfyouareusingfullyqualifieddomainnamestoaccesstheSharePointServerweb applications,ensurethattheFQDNsareincludedintheintranetzone,either explicitlyorbywildcardinclusion(forexample,*.vmlab.local).

63

Configure Kerberos Authentication for SharePoint 2010 Products

TheeasiestwaytodetermineifKerberosauthenticationisbeingusedisbylogginginto atestworkstationandnavigatingtothewebsiteinquestion.Iftheuserisntprompted forcredentialsandthesiteisrenderedcorrectly,youcanassumeIntegratedWindows authenticationisworking.Thenextstepistodetermineifthenegotiateprotocolwas usedtonegotiateKerberosauthenticationastheauthenticationproviderforthe request.Thiscanbedoneinthefollowingways:

Front-end Web security logsIfKerberosauthenticationisworkingcorrectlyyouwillseeLogoneventsinthesecurity eventlogsonthefrontendwebswitheventID=4624.

64

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

InthegeneralinformationfortheseeventsyoushouldseethesecurityIDbeinglogged ontothecomputerandtheLogonProcessused,whichshouldbeKerberos.

KListKListisacommandlineutilityincludedinthedefaultinstallationofWindowsServer 2008andWindowsServer2008R2whichcanbeusedtolistandpurgeKerberostickets65

Configure Kerberos Authentication for SharePoint 2010 Products

onagivencomputer.TorunKLIST,openacommandpromptinWindowsServer2008 andtypeKlist.

Ifyouwanttopurgetheticketcache,runKlistwiththeoptionalpurgeparameter:Klist purge

KerbTrayKerbTrayisafreeutilityincludedwiththeWindowsServer2000ResourceKitToolthat canbeinstalledonyourclientcomputertoviewtheKerberosticketcache.Download andinstallfromWindows 2000 Resource Kit Tool: Kerbtray.exe.Onceyouhaveit installed,performthefollowingactions: 1. NavigatetothewebsitesthatuseKerberosAuthentication. 2. RunKerbTray.exe. 3. ViewtheKerberosTicketcachebyrightclickingonthekerbtrayiconinthesystem trayandselectingListTickets.

66

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

4. Validatetheserviceticketsforthewebapplicationsyouauthenticatedareinthelist ofcachedtickets.Inourexamplewenavigatedtothefollowingwebsiteswhich havethefollowingSPNsregistered: WebSiteURL SPN

http://portal

HTTP/Portal.vmlab.local

http://teams:5555 HTTP/Teams.vmlab.local

67

Configure Kerberos Authentication for SharePoint 2010 Products

68

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

FiddlerFiddlerisafreeHTTPtrafficanalyzerthatcanbedownloadedfromthefollowing location:http://www.fiddlertool.com/.Infiddleryouwillseetheclientandserver negotiateKerberosauthenticationandyouwillbeabletoseetheclientsendthe KerberosServiceTicketstotheserverintheHTTPheadersofeachrequest.Tovalidate thatKerberosauthenticationisworkingcorrectlyusingfiddlerperformthefollowing actions: 1. DownloadandinstallFiddler(www.fiddlertool.com)ontheclientcomputer. 2. Logoutofthedesktopandlogbackintoflushanycachedconnectionstotheweb serverandforcethebrowsertonegotiateKerberosauthenticationandperformthe authenticationhandshake. 3. StartFiddler. 4. OpenInternetExplorerandbrowsetothewebapplication(http://portalinour example). YoushouldseetherequestsandresponsestotheSharePointServerfrontendwebin Fiddler.

ThefirstHTTP401isthebrowserattempttodotheGETrequestwithoutauthentication.

69

Configure Kerberos Authentication for SharePoint 2010 Products

Inresponse,theserversendsbackan"HTTP401unauthorized"andinthisresponse indicateswhatauthenticationmethodsitsupports:

Inthenextrequest,theclientresendsthepreviousrequest,butthistimesendsthe serviceticketforthewebapplicationintheheadersoftherequest:

70

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

IfyouselecttheAuthviewwithintheFiddlerinspectorwindowyouwillalsoseethe KerberosticketintherequestandtheKerberosresponse:

71

Configure Kerberos Authentication for SharePoint 2010 Products

Ifauthenticatedsuccessfully,theserverwillsendbacktherequestedresource.

NetMon 3.4NetMon3.4isafreenetworkpacketanalyzerfromMicrosoftthatcanbedownloaded fromtheMicrosoftDownloadCenter:Microsoft Network Monitor 3.4. InNetMonyouseeallTCPrequestandresponsestotheKDCandtheSharePointServer webservers,givingyouacompleteviewoftrafficthatmakesupacomplete authenticationrequest.TovalidatethatKerberosauthenticationisworkingbyusing netmon,performthefollowingactions:72

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

1. DownloadandinstallNetMon3.4(Microsoft Network Monitor 3.4). 2. LogoutoftheclientthenlogbackintoflushtheKerberosticketcache.Optionally youcanuseKerbTraytopurgetheticketcachebyrightclickingonKerbTrayand selectingPurgeTickets. 3. StartNetMoninadministratormode.RightclicktheNetMonshortcut,andselect RunasAdministrator. 4. Startanewcaptureontheinterfacesthatconnecttotheactivedirectorycontroller inyourenvironmentandthewebfrontends. 5. Openinternetexplorerandbrowsetothewebapplication. 6. Afterthewebsiterenders,stopthecaptureandaddadisplayfiltertoshowthe framesforKerberosauthenticationandHTTPtraffic.

7. IntheframeswindowyoushouldseebothHTTPandKerberosV5traffic.

73

Configure Kerberos Authentication for SharePoint 2010 Products

a. Thefirsttwoframesaretheoriginalrequest/responsewheretheclient andservernegotiatetheuseofKerberosforauthentication b. ThefollowingKerberosV5framesaretheclientrequestsforTicket GrantingTicketfortheVMLAL.LocalRealmandtheKerberosservice ticketsfortheSPNHTTP/portal.VMLAB.local c. FinallythelastHTTPframesaretheclientusingtheserviceticketsto authenticatewiththewebserverandtheserversuccessfully authenticatingtheclientandreturningtheresponse

Test Kerberos Authentication over SSLToclearlydemonstratetheSPNsrequestedwhenaclientaccessesanSSLprotected resource,youcanuseatoollikeNetmontocapturethetrafficbetweenclientand serverandexaminetheKerberosserviceticketrequests. 1. Eitherlogoutandthenreloginintotheclientcomputer,orclearallcachedKerberos ticketsbyusingKerbTray. 2. StartanewNetMoncaptureontheclientcomputer.BesuretostartNetMonwith administratorpermissions. 3. BrowsetothewebapplicationbyusingSSL(inthisexample,https://portal.) 4. StoptheNetMoncaptureandexaminetheKerberosV5traffic.Forinstructionson howtofilterthecapturedisplay,seetheinstructionsintheNetMon 3.4sectionof thisarticle. 5. LookfortheTGSrequesttheclientsends.IntherequestyouwillseetheSPN requestedinthe"Sname"parameter.

74

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Notethatthe"Sname"isHTTP/portal.vmlab.localandnotHTTPS/portal.vmlab.local.

Test SharePoint Server Search Index and QueryVerify browser access from the index server(s)Beforerunningacrawl,ensurethattheindexservercanaccessthewebapplications andauthenticatesuccessfully.Logintotheindexserverandopenthetestsite collectionsinthebrowser.Ifthesitesrendersuccessfullyandnoauthenticationdialogs appear,proceedtothenextstep.Ifanyissuesoccurwhileaccessingthesitesinthe browsers,gobackoverthepreviousstepstoensureallconfigurationactionswere performedcorrectly.

Upload sample content and perform a crawlIneachsitecollectionuploada"seed"document(onethatiseasilyidentifiablein search)toadocumentlibraryinthesitecollection.Forinstance,createatextdocument containingthewords"alpha,beta,delta"andsaveittoadocumentlibraryineachsite collection. Next,browsetoSharePointCentralAdministrationandstartafullcrawlontheLocal SharePointSitescontentsource(whichshouldcontainthetwotestsitecollectionsby default).75

Configure Kerberos Authentication for SharePoint 2010 Products

Test searchIfindexingcompletedsuccessfully,youshouldseesearchableitemsinyourindexandno errorsinthecrawllog.

76

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Note:IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperforminga crawlontheprofilestorebesuretoconfiguretheappropriatepermissionsontheUPA toallowthecontentaccessaccounttoaccessprofiledata.Ifyouhavenotconfigured theUPApermissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawler couldnotaccesstheprofileservicebecauseitreceivedanHTTP401whentryingto accesstheservice.The401returnedisnotduetoKerberos,butinsteadisduetothe contentaccessaccountnothavingpermissionstoreadprofiledata. Note: IfyouhaveconfiguredtheUserProfileApplication(UPA)andareperformingacrawlon theprofilestore,besuretoconfiguretheappropriatepermissionsontheUPAtoallow thecontentaccessaccounttoaccessprofiledata.IfyouhavenotconfiguredtheUPA permissionsyouwillreceiveerrorsinthecrawlslogsindicatingthecrawlercouldnot accesstheprofileservicebecauseitreceivedanHTTP401whentryingtoaccessthe service.The401returnedisnotduetoKerberos,butinsteadisduetothecontent accessaccountnothavingpermissionstoreadprofiledata. Next,browsetoeachsitecollectionandperformasearchfortheseeddocument.Each sitecollectionssearchqueryshouldreturntheseeddocumentuploaded.

77

Configure Kerberos Authentication for SharePoint 2010 Products

Test front-end Web delegationAsalaststepinthisscenario,youusetheRSSviewerwebpartoneachsitecollectionto ensurethatdelegationisworkingbothlocallyandremotely.

Configure RSS feed sources on each site collectionFortheportalapplicationyouhavetoenableRSSfeedsontheSiteCollection.Toturn onRSSfeedsfollowtheinstructionsinManage RSS FeedsonOffice.com. OnceRSSfeedsareenabled,createanewcustomlistandaddalistitemfortesting purposes.NavigatetotheListtoolbarmenuandclickRSSFeedtoviewtheRSSfeed. CopythefeedURLtouseitinthefollowingsteps.

78

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Performthisstepforeachsitecollection.

Add RSS view web parts to the home page of each site collectionOntheportalapplicationyoullneedtoenabletheSharePointEnterpriseFeaturessite collectionfeaturetousetheRSSviewerwebpart.OnceenabledaddtwoRSSviewer webpartstothehomepage.Forthefirstwebpart,configurethefeedURLtopointat thelocalRSSfeedyoucreatedinthepreviousstep.Forthesecondwebpart,configure thefeedURLtopointattheremotefeedURL.Whencompleted,youshouldseeboth webpartssuccessfullyrenderingcontentfromthelocalandremoteRSSfeeds.

79

Configure Kerberos Authentication for SharePoint 2010 Products

80

Kerberos authentication for SQL OLTP (SharePoint Server 2010)

Kerberos authentication for SQL OLTP (SharePoint Server 2010)Published:December2,2010

InthisscenariowewalkthroughtheprocessofconfiguringKerberosauthenticationfor theSQLServerclusterinoursampleenvironment.Oncethatprocessiscomplete,we validatethatSharePointServerservicesareauthenticatedwiththeclusterbyusingthe Kerberosprotocol. Inthisscenario,youdothefollowingthings: ConfigureanexistingSQLServer2008R2clustertouseKerberosauthentication VerifythattheclientcanauthenticatewiththeclusterbyusingKerberos authentication Createatestdatabaseandsampledatatobeusedinlaterscenarios

81

Configure Kerberos Authentication for SharePoint 2010 Products

Note: ItisnotrequiredtouseKerberosauthenticationforSQLServerforcoreSharePoint Serverdataservices(forexample,connectionstoplatformdatabases).Thesample environmenthasasoleSQLServerclusterthathostsadditionalsampledatabasesused inlaterscenarios.Fordelegationtoworkcorrectlyinthesescenarios,theSQLServer clustermustacceptKerberosauthenticatedconnection. Note: IfyouareinstallingonWindowsServer2008,youmayneedtoinstallthefollowing hotfixforKerberosauthentication:A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used(http://support.microsoft.com/kb/969083)

Configuration checklistAreaofconfiguration Description

ConfigureDNS ConfigureActive Directory VerifySQLServer Kerberosconfiguration

CreateDNS(A)hostrecordsfortheSQLServerclusterIP CreateServicePrincipalNames(SPNs)fortheSQLServer service UseSQLServerManagementStudiotoquerySQLconnection metadatatoensuretheKerberosauthenticationprotocolis used

82

Kerberos authentication for SQL OLTP (SharePoint Server 2010)

Scenario environment detailsSQLDatabaseEngineIdentity Vmlab\svcSQL SQL vmSQL2k8r201 DefaultInstance Port:1433

LocalSQLClientAlias: SPFarmSQL

DNS(A): MySQLCluster.vmlab.local ClusterIP: 192.168.8.135

vmSQL2k8r202

SharePoint

SQLCluster

ThisscenariodemonstratesaSharePointServerfarmconfiguredtouseaSQLaliasfora connectiontoaSQLServerclusterthatisconfiguredtouseKerberosauthentication.

Step-by-step configuration instructionsConfigure DNSConfigureDNSfortheSQLServerclusterinyourenvironment.Inthisexamplewehave oneSQLServercluster,MySqlCluster.vmlab.local,runningonport1433atclusterIP 192.168.8.135/4.TheclusterisActive/PassivewiththeSQLServerdatabaseengine runningonthedefaultinstanceofthefirstnode. ForgeneralinformationabouthowtoconfigureDNS,seeManaging DNS Records. Inthisexample,weconfiguredaDNS(A)recordfortheSQLServercluster.

83

Configure Kerberos Authentication for SharePoint 2010 Products

Note: Technically,becauseSQLServerSPNsincludeaninstancename(ifyouareusingthe secondnamedinstanceonthesamecomputer),youcanregistertheDNShostforthe clusterasaCNAMEaliasandavoidtheCNAMEissuedescribedinAppendixA,Kerberos configuration known issues (SharePoint Server 2010).However,ifyouchoosetouse CNAMEs,youhavetoregisteranSPNusingtheDNS(A)recordhostnametheCNAME aliases.

Configure Active DirectoryForSQLServertoauthenticateclientsusingKerberosauthentication,youhaveto registeraserviceprincipalname(SPN)ontheserviceaccountthatisrunningSQLServer. ServiceprincipalnamesfortheSQLServerdatabaseengineusethefollowingformatfor configurationsthatareusingthedefaultinstanceandnotaSQLServernamedinstance:84

Kerberos authentication for SQL OLTP (SharePoint Server 2010)

MSSQLSvc/:port FormoreinformationaboutregisteringSPNsforSQLServer2008,seeRegistering a Service Principal Name. Inourexample,weconfiguredtheSQLServerSPNontheSQLServerdatabaseengine serviceaccount(vmlab\svcSQL)withthefollowingSetSPNcommand:SetSPNSMSSQLSVC/MySQLCluster.vmlab.local:1433vmlab\svcSQL

SQL Server named instancesIfyouuseSQLServernamedinstancesinsteadofthedefaultinstance,youhaveto registerSPNsspecifictotheSQLServerinstanceandfortheSQLServerbrowserservice. SeethefollowingarticlesformoreinformationaboutconfiguringKerberos authenticationfornamesinstances: Registering a Service Principal Name An SPN for the SQL Server Browser service is required when you establish a connection to a named instance of SQL Server 2005 Analysis Services or of SQL Server 2005

SQL aliasesAsabestpractice,whenbuildingyourfarmyoushouldconsiderusingSQLaliasesfor connectionstoyourSQLServercomputer.IfyouchoosetouseSQLaliases,theKerberos SPNformatforthoseconnectionsdoesnotchange.Youcontinuetousetheregistered DNShostname(Arecord)intheSPNforSQLServer.Forexample,ifyouregisteranalias "SPFARMSQL"for"MySQLCluster.vmlab.local"theSPNwhenyouareconnectingto SPFarmSQLremains"MSSQLSVC/MySQLCluster.vmlab.local:1433".

Verify SQL Server Kerberos configurationWhenDNSandServicePrincipalNamesareconfigured,youcanrebootthecomputers thatarerunningSharePointServerandverifythatSharePointServerservicesnow authenticatewithSQLServerbyusingKerberosauthentication. Toverifytheclusterconfiguration 1. RebootthecomputersthatarerunningSharePointServerThisactionrestartsall servicesandforcesthemtoreconnectandreauthenticatebyusingKerberos authentication.85

Configure Kerberos Authentication for SharePoint 2010 Products

2. OpenSQLServerManagementStudioandrunthefollowingquery:Select s.session_id, s.login_name, s.host_name, c.auth_scheme from sys.dm_exec_connections c innerjoin sys.dm_exec_sessions s on c.session_id = s.session_id

Thequeryreturnsmetadataabouteachsessionandconnection.Thesessiondata helpsidentifytheconnectionsource,andthesessioninformationrevealsthe authenticationschemefortheconnection. 3. VerifythattheSharePointServerservicesareauthenticatingbyusingKerberos authentication:

4. .IfKerberosauthenticationisconfiguredcorrectly,youseeKerberosinthe auth_schemecolumnofthequeryresults.86

Kerberos authentication for SQL OLTP (SharePoint Server 2010)

Create a test SQL Server database and test tableTotestdelegationacrossthevariousSharePointServerserviceapplicationscoveredin thescenariosinthisdocument,youhavetoconfigureatestdatasourceforthose servicestoaccess.Inthef