Post on 06-Feb-2018
Configure Kerberos Authentication for SharePoint 2010 Products
Microsoft Corporation
Published: July 2010
Updated: April 2012
Author: Tom Wisnowski. Contributors: Philippe-Joseph Arida, Luca Bandinelli, Kevin Donovan, Pej Javaheri, Denny Lee, Cephas Lin, Dave Manning, Carl Rabeler, Prash Shirolkar, Norm Warren, Josh Zimmerman. (itspdocs@microsoft.com)
Abstract
This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server. The document also shows how to configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration.
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Excel, Internet Explorer, Outlook, PerformancePoint, SharePoint, Windows, and Windows PowerShell are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
Table of Contents
Configure Kerberos authentication for SharePoint 2010 Products
Overview of Kerberos authentication for Microsoft SharePoint 2010 Products
Who should read these articles about Kerberos authentication?
Beginning to end
Upgrading from Office SharePoint Server 2007
Step-by-step walkthrough
Existing SharePoint 2010 Product environments
Identity scenarios in SharePoint 2010 Products
Incoming Identity
Identity within a SharePoint 2010 Products environment
Outbound identity
Delegation across domain and forest boundaries
Claims primer
Kerberos protocol primer
Benefits of the Kerberos protocol
Kerberos delegation, constrained delegation, and protocol transition
Kerberos authentication changes in Windows 2008 R2 and Windows 7
Kerberos configuration changes in SharePoint 2010 Products
Considerations when you are upgrading from Office SharePoint Server 2007
Configuring Kerberos authentication: Step-by-step configuration (SharePoint Server 2010)
Environment and farm topology
Environment specification
Web Application specification
SSL configuration
Load balancing
SQL aliasing
SharePoint Server Services and service accounts
C2WTS Service Identity
Tips for working through the scenarios
Configuring Kerberos authentication: Core configuration (SharePoint Server 2010)
Configuration checklist
Step-by-step configuration instructions
Configure DNS
Configure Active Directory
Configure SharePoint Server
IIS configuration
Configure the firewall
Test browser authentication
Test Kerberos Authentication over SSL
Test SharePoint Server Search Index and Query
Test front-end Web delegation
Kerberos authentication for SQL OLTP (SharePoint Server 2010)
Configuration checklist
Scenario environment details
Step-by-step configuration instructions
Configure DNS
Configure Active Directory
Verify SQL Server Kerberos configuration
Create a test SQL Server database and test table
Kerberos authentication for SQL Server Analysis Services (SharePoint Server 2010)
Configuration checklist
Step-by-step configuration instructions
Configure Active Directory
Verify SQL Server Kerberos configuration
Identity delegation for SQL Server Reporting Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Cross-domain Kerberos delegation
Step-by-step configuration instructions
Configure DNS
Active Directory directory service
SQL Server Reporting Services
Configure SharePoint Server
Verify configuration
SSL configuration for Reporting Services
Identity delegation for Excel Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
SharePoint Server logical authentication
Step-by-step configuration instructions
Active Directory configuration
SharePoint Server configuration
Verify Excel Services constrained delegation
Identity delegation for PowerPivot for SharePoint 2010 (SharePoint Server 2010)
Scenarios requiring Kerberos authentication
Scenario dependencies
Configuration instructions
Identity delegation for Visio Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Kerberos constrained delegation paths
SharePoint Server logical authentication
Step-by-step configuration instructions
Active Directory configuration
SharePoint Server configuration
Verify Visio Graphic Service Constrained Delegation
Identity delegation for PerformancePoint Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario environment details
Kerberos constrained delegation paths
SharePoint Server logical authentication
Step-by-step Configuration instructions
Active Directory configuration
SharePoint Server configuration
Verify PerformancePoint Service Constrained Delegation
Identity delegation for Business Connectivity Services (SharePoint Server 2010)
Scenario dependencies
Configuration checklist
Scenario Environment Details
Step-by-step configuration instructions
Active Directory configuration
SharePoint Server configuration
Verification
Kerberos configuration known issues (SharePoint Server 2010)
Kerberos authentication and non-default ports
Kerberos authentication and DNS CNAMEs
Kerberos authentication and Kernel Mode Authentication
Kerberos authentication and session-based authentication
Kerberos authentication and duplicate/missing SPN issues
Kerberos Max Token Size
Kerberos authentication hotfixes for Windows Server 2008 and Windows Vista
How to reset the Claims to Windows Token Service account (SharePoint Server 2010)
Solution
Configure Kerberos authentication for SharePoint 2010 Products
Published: July 15, 2010
This document gives you information that will help you understand the concepts of identity in Microsoft SharePoint 2010 Products, how Kerberos authentication plays a very important role in authentication and delegation scenarios, and the situations where Kerberos authentication should be used or may be required in solution designs. Scenarios include business intelligence implementations which secure access to external data sources such as SQL Server.
The document also shows how to configure Kerberos authentication end-to-end within your environment, including scenarios that use various service applications in Microsoft SharePoint Server. Additional tools and resources are described to help you test and validate Kerberos configuration. The "Step-by-Step Configuration" sections of this document cover the following scenarios for SharePoint Server 2010.
Scenario 1: Core Configuration
Scenario 2: Kerberos Authentication for SQL OLTP
Scenario 3: Identity Delegation for SQL Analysis Services
Scenario 4: Identity Delegation for SQL Reporting Services
Scenario 5: Identity Delegation for Excel Services
Scenario 6: Identity Delegation for PowerPivot for SharePoint
Scenario 7: Identity Delegation for Visio Services
Scenario 8: Identity Delegation for PerformancePoint Services
Scenario 9: Identity Delegation for Business Connectivity Services
The same information about Configuring Kerberos authentication for Share