Monday, March 21, 2011

Configuring Kerberos in SharePoint 2010

This article is a summary of the guide to configuring Kerberos that Microsoft provides for SharePoint 2010. It is not intended to replace the guide, but to give an overview and an understanding of what will be done. The detail of each step is available at the following address:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1a794fb5-77d0-475c-8738-ea04d3de1147&displaylang=en

Before configuring Kerberos, you must understand how it works and how it integrates with the different services.

Kerberos is a security protocol that supports ticket-based authentication.

This security protocol is needed in SharePoint 2010 when we want to connect to an external data source and must pass along the credentials of the user connected to the portal. For a better understanding, look at the following figure:

image

As shown in the figure above, the credentials are stored in SharePoint as a claim; it is then necessary to convert them back into a Kerberos ticket to authenticate to an external system.

Kerberos is associated with a domain account, or with several accounts, depending on the services to be used. This is done by creating a Service Principal Name (SPN) from the command line on a server running Windows Server 2008, such as the domain controller, as shown below:

SetSPN -S HTTP/Portal [domain account]

The account also needs delegation, in other words the ability to transfer the ticket that carries the user's credentials, as pictured below.

image

Delegation is configured through Active Directory. For accounts that have an SPN associated with them, the account properties in Active Directory show a tab called Delegation, which lets us select which services are associated with the account.

image

In SharePoint, the first step is to enable the Kerberos protocol for authentication to the portal, so that the ticket is generated.

image

Then we have to register the accounts for which the SPNs were generated as managed accounts (an old concept in SharePoint, but one that becomes relevant in 2010) and then associate each account with the SharePoint service that will use the generated ticket to pass along the credentials of the authenticated user.

image

Some services associated with SharePoint use basic Kerberos delegation and others use Kerberos constrained delegation. The rule is that you can move from basic to constrained delegation, but not the reverse. The services that require Kerberos constrained delegation are:

· Excel Services

· PerformancePoint Services

· InfoPath Forms Services

· Visio Services

The services that require basic Kerberos delegation are:

· Business Data Connectivity service and Microsoft Business Connectivity Services

· Access Services

· Microsoft SQL Server Reporting Services (SSRS)

· Microsoft Project Server 2010

The important difference between these two delegation schemes is the involvement of a service called C2WTS, or Claims to Windows Token Service. The image below clearly shows what should happen.

image

In short, we need to configure Kerberos for:

1. The authenticated site.

2. The C2WTS service, to pass the ticket.

3. The SharePoint services that pass the required credentials, for example PerformancePoint and Excel Services.

4. The service account that starts the external data source, for example SQL Server 2008 R2 Analysis Services or Database Engine, or both.

These Windows accounts are required for this purpose: associate the SPNs with them, delegate through Active Directory, configure SharePoint, and configure the accounts and attach them to the required services.

Tip: test at every step, as the guide suggests, to make sure you have followed the procedure correctly. Sometimes Kerberos does not authenticate right after a service has been set up. Re-registering the account with the service and restarting the service sometimes works; as a last resort, restart the SharePoint server or the server where you are setting up the account that is to use Kerberos.
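One way to check the account settings described above before testing in SharePoint, as an added example that is not from the original article or from Microsoft's guide. It assumes the listed attributes were exported from Active Directory into records; the account names, hosts, SPNs and the `service` label are constructed, and mapping "basic" delegation to the TRUSTED_FOR_DELEGATION flag is an assumption about what the article means.

```python
# Added example: offline audit of delegation settings for SharePoint service accounts.
TRUSTED_FOR_DELEGATION = 0x80000  # userAccountControl bit: delegation to any service (basic)

# Services the article lists as requiring Kerberos constrained delegation.
CONSTRAINED_ONLY = {"Excel Services", "PerformancePoint Services",
                    "InfoPath Forms Services", "Visio Services"}

def delegation_mode(acct):
    """Classify an account as 'basic', 'constrained' or 'none' from its AD attributes."""
    if acct["userAccountControl"] & TRUSTED_FOR_DELEGATION:
        return "basic"
    return "constrained" if acct.get("msDS-AllowedToDelegateTo") else "none"

def duplicate_spns(accounts):
    """SPNs held by more than one account; SPNs are compared case-insensitively."""
    owners = {}
    for a in accounts:
        for spn in a.get("servicePrincipalName", []):
            owners.setdefault(spn.lower(), []).append(a["sAMAccountName"])
    return {s: sorted(o) for s, o in owners.items() if len(o) > 1}

def audit(accounts):
    """Return (subject, finding) tuples for settings that contradict the article's rules."""
    findings = []
    for a in accounts:
        name, mode = a["sAMAccountName"], delegation_mode(a)
        if not a.get("servicePrincipalName"):
            findings.append((name, "no SPN, so no Delegation tab in Active Directory"))
        if a["service"] in CONSTRAINED_ONLY and mode != "constrained":
            findings.append((name, f"{a['service']} needs constrained delegation, found {mode}"))
    for spn, who in duplicate_spns(accounts).items():
        findings.append((spn, "registered on " + " and ".join(who)))
    return findings

# CONSTRUCTED sample records; "service" is a hypothetical label, not an AD attribute.
SAMPLE = [
    {"sAMAccountName": "svcPortal", "service": "Web application", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/Portal"], "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svcOldPortal", "service": "Web application", "userAccountControl": 0x200,
     "servicePrincipalName": ["http/portal"]},
    {"sAMAccountName": "svcExcel", "service": "Excel Services", "userAccountControl": 0x80200,
     "servicePrincipalName": ["SP/Excel"]},
    {"sAMAccountName": "svcPPS", "service": "PerformancePoint Services", "userAccountControl": 0x200,
     "servicePrincipalName": ["SP/PPS"], "msDS-AllowedToDelegateTo": ["MSOLAPSvc.3/sqlas.example.local"]},
    {"sAMAccountName": "svcVisio", "service": "Visio Services", "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{subject}: {finding}")
```

The duplicate check mirrors what the -S switch of SetSPN verifies before it registers a name.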

Other aspects to consider: http://technet.microsoft.com/en-us/library/gg502599.aspx

And another good article on Kerberos and SharePoint is: http://technet.microsoft.com/en-us/magazine/ee914605.aspx

SharePoint4Fun, Manolo Herrera
