Configure Kerberos Authentication for SharePoint 2010 Products

Microsoft Corporation

Published: July 2010

Updated April 2012

Author: Tom Wisnowski. Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, Pej Javaheri, Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, Prash Shirolkar, Norm Warren, Josh Zimmerman.

Abstract

This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server. The document also shows how to configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration.

This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Internet Explorer, Outlook, PerformancePoint, SharePoint, Windows, and Windows PowerShell are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

Table of Contents

Configure Kerberos authentication for SharePoint 2010 Products

Overview of Kerberos authentication for Microsoft SharePoint 2010 Products

Who should read these articles about Kerberos authentication?

Beginning to end

Upgrading from Office SharePoint Server 2007

Step-by-step walkthrough

Existing SharePoint 2010 Product environments

Identity scenarios in SharePoint 2010 Products

Incoming Identity

Identity within a SharePoint 2010 Products environment

Outbound identity

Delegation across domain and forest boundaries

Claims primer

Kerberos protocol primer

Benefits of the Kerberos protocol

Kerberos delegation, constrained delegation, and protocol transition

Kerberos authentication changes in Windows 2008 R2 and Windows 7

Kerberos configuration changes in SharePoint 2010 Products

Considerations when you are upgrading from Office SharePoint Server 2007

Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)

Environment and farm topology

Environment specification

Web Application specification

SSL configuration

Load balancing

SQL aliasing

SharePoint Server Services and service accounts

C2WTS Service Identity

Tips for working through the scenarios

Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)

Configuration checklist

Step-by-step configuration instructions

Configure DNS

Configure Active Directory

Configure SharePoint Server

IIS configuration

Configure the firewall

Test browser authentication

Test Kerberos Authentication over SSL

Test SharePoint Server Search Index and Query

Test front-end Web delegation

Kerberos authentication for SQL OLTP (SharePoint Server 2010)

Configuration checklist

Scenario environment details

Step-by-step configuration instructions

Configure DNS

Configure Active Directory

Verify SQL Server Kerberos configuration

Create a test SQL Server database and test table

Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)

Configuration checklist

Step-by-step configuration instructions

Configure Active Directory

Verify SQL Server Kerberos configuration

Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)

Scenario dependencies

Configuration checklist

Scenario environment details

Cross-domain Kerberos delegation

Step-by-step configuration instructions

Configure DNS

Active Directory directory service

SQL Server Reporting Services

Configure SharePoint Server

Verify configuration

SSL configuration for Reporting Services

Identity delegation for Excel Services (SharePoint Server 2010)

Scenario dependencies

Configuration checklist

Scenario environment details

SharePoint Server logical authentication

Step-by-step configuration instructions

Active Directory configuration

SharePoint Server configuration

Verify Excel Services constrained delegation

Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)

Scenarios requiring Kerberos authentication

Scenario dependencies

Configuration instructions

Identity delegation for Visio Services (SharePoint Server 2010)

Scenario dependencies

Configuration checklist

Scenario environment details

Kerberos constrained delegation paths

SharePoint Server logical authentication

Step-by-step configuration instructions

Active Directory configuration

SharePoint Server configuration

Verify Visio Graphic Service Constrained Delegation

Identity delegation for PerformancePoint Services (SharePoint Server 2010)

Scenario dependencies

Configuration checklist

Scenario environment details

Kerberos constrained delegation paths

SharePoint Server logical authentication

Step-by-step Configuration instructions

Active Directory configuration

SharePoint Server configuration

Verify PerformancePoint Service Constrained Delegation

Identity delegation for Business Connectivity Services (SharePoint Server 2010)

Scenario dependencies

Configuration checklist

Scenario Environment Details

Step-by-step configuration instructions

Active Directory configuration

SharePoint Server configuration

Verification

Kerberos configuration known issues (SharePoint Server 2010)

Kerberos authentication and non-default ports

Kerberos authentication and DNS CNAMEs

Kerberos authentication and Kernel Mode Authentication

Kerberos authentication and session-based authentication

Kerberos authentication and duplicate/missing SPN issues

Kerberos Max Token Size

Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista

How to reset the Claims to Windows Token Service account (SharePoint Server 2010)

Solution

Configure Kerberos authentication for SharePoint 2010 Products

Published: July 15, 2010

This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server.

The document also shows how to configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration. The "Step-by-Step Configuration" sections of this document cover the following scenarios for SharePoint Server 2010.

Scenario 1: Core Configuration

Scenario 2: Kerberos Authentication for SQL OLTP

Scenario 3: Identity Delegation for SQL Analysis Services

Scenario 4: Identity Delegation for SQL Reporting Services

Scenario 5: Identity Delegation for Excel Services

Scenario 6: Identity Delegation for PowerPivot for SharePoint

Scenario 7: Identity Delegation for Visio Services

Scenario 8: Identity Delegation for PerformancePoint Services

Scenario 9: Identity Delegation for Business Connectivity Services

The same information about Configuring Kerberos authentication for Share