Featured Post

Metadata Library View in SharePoint 2010

With SharePoint 2010 Managed Metadata was introduced as a new feature, but with all new features they have their limitations. One of the major limitations of using metadata in a library is that a metadata column filter cannot be applied to a term group but only to a single term. This is because a filter...

Read More

Kerberos constrained delegation (KCD)

Posted by andre | Posted in Kerberos, SharePoint 2010 | Posted on 16-06-2014


Last week I found myself struggling with some Kerberos delegations. I read everything there was to read about it online and got most information from a lot of other blogs. But.. none of them could really tell me everything I needed, so there for another blog about KCD.
The objective: Use Excel services to publish user personalized data stored on a SQL server outside the SharePoint farm.

I started by checking all necessary objects for the correct configuration:


a DNS Host (A) Record for the web application

The appropriate service accounts

- Web applications’ IIS application pool
- Excel services’ IIS application pool
- Claims 2 Windows Token Service
- SQL Server for SharePoint
- SQL Server for data source

Service Principal Names (SPN) for the accounts

The SharePoint Server web application service account
- HTTP/<DNS HOST name>

SQL servers (for both servers you enter 4 SPNs. Depending on the application you’re delegation it will use the right SPN. Better safe than sorry)
- MSSQLSvc/<DNS HOST name>
- MSSQLSvc/<DNS HOST name>:<Port>
- MSSQLSvc/<DNS FQDN>:<Port>

Excel Services’ service account

The Claims 2 Windows Token Service service account

For both the Excel and C2TWS tt doesn’t matter what you enter for SPN, you just need to enter something in order to get the delegation tab available in AD DS. It does however needs to be unique throughout the domain.

Add delegations for the services

The account you use for C2WTS and Excel Services needs to be configured for Constrained Delegation with Protocol Transitioning and needs permissions to delegate to the Services it is required to communicate with. To configure delegation you can use the Active Directory Users and Computer snap-in.

Right-click each service account and open the properties dialog. In the dialog click the Delegation tab

  • Select “Trust this user for delegation to specified services only”
  • Select “Use any authentication protocol”
  • Click the add button to select the service principal allowed to delegate to
  • Select User and Computers
  • Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL service
  • Click OK. You will then be asked to select the SPNs you would like to delegate to on the following screen.
  • Select the services (or select “Select all”) for the SQL server and click OK.



Log onto the server and add permissions for the C2WTS service account both in Windows and SharePoint, configure Excel services and create a new web application.

  • Add the service account to the local Administrators Groups.
  • In local security policy (secpol.msc) under user rights assignment give the service account the following permissions:
  • Act as part of the operating system
  • Impersonate a client after authentication
  • Log on as a service

Open Central Administration

  • Under Security → Configure Managed Accounts, Register the C2WTS service account as a managed account
  • Under Security → Configure Service Accounts, Select the Claims 2 Windows Token Service and change the identity of the C2WTS to the new managed account
  • Under services, select Manage services on server
  • In the server selection box in the upper right hand corner select the server(s) running excel services
  • Find the Claims to Windows Token Service and start it

Configure a new Excel Services service application and application proxy to allow web applications to consume Excel Services

  • Select Manage Service Applications under Application Management
  • Select New, and then click Excel Services Application
  • Configure the new service application. Be sure to select the correct service account (create a new managed account if the excel service account is not in the list)

Configure a new web application

  • Navigate to Manage Web Applications in the Application Management section
  • Select New and create your web application. Ensure that the following is configured:
  • Select Classic Mode Authentication
  • Configure the port and host header for each web application
  • Select Negotiate as the Authentication Provider
  • Under application pool, select Create new application pool and select the right managed account


For IIS Windows Authentication via Kerberos needs to be enabled.

  • In Internet Information Services (IIS) Manager, locate the Web Application under ‘Sites’
  • Select the Web Application and in the middle pane under the heading ‘IIS’, locate ‘Authentication’
  • Select the ‘Authentication’ Icon and in the right ‘Actions’ pane, clikc on ‘Open Feature’
  • In the Authentication dialog, select Windows Authentication (usually at the bottom)
  • Click on ‘Providers’ in the right ‘Actions’ pane
  • Verify that ‘Negotiate’ and ‘NTLM’ are the only ones listed and that they are listed in that order, ‘Negotiate’ at the top
  • Click Cancel and then again in the right ‘Actions’ pane click on ‘Advanced Settings’
  • Verify in the ‘Advanced Settings’ dialog that ‘Extended Protection’ is ‘Off’ and that ‘Enable Kernel-mode authentication’ is unchecked
  • Click Cancel
  • Exit Internet Information Services Manager.


Test Browser Authentication

See if a Kerberos ticket is distributed to the client after making the connection.

  • From a trusted client open a web browser and go the new web application
  • Check if you’ve received a ticket with Fiddler, Netmon, KList, etc

Test SQL Authentication

Upload a Excel file to the web application and see if the data can be refreshed from the SQL data source. In the SQL server security event log a Kerberos delegation log entry should be created.

It should say that the Kerberos user credentials where transited by the Excel service account.

Lessons learned

Changing a SPN

It happens, you’ve enter a wrongful SPN or you simply found a typo. After you change the SPN you need to reset the delegations. Otherwise they stay pointed towards the old SPN.

Other delegations

In some scenarios it’s necessary to delegate the web application’ service account or the computer object to the data source. Different scenarios, different delegations.



Configuring Kerberos authentication: Core configuration


Identity delegation for Excel Services


SharePoint 2010 themes

Posted by andre | Posted in SharePoint 2010 | Posted on 29-02-2012


SharePoint 2010 themes

Designing a site or even customizing a site in SharePoint is not something everyone is made
for. For most actions you need to go into code or get busy working SharePoint Designer. With
Themes there is a little something everyone can do!

The easiest way to do this is by using Powerpoint. Office themes can be easily created and
saved here. SharePoint 2010 is defined into 12 different colors; 4 background colors, 6 accents
and 2 hyperlink colors. I’ll point out where the colors apply or your site.

“Text/Background – Dark 1″

Applies to the site link in the ribbon and the navigation links in the quick launch menu.









“Text/Background – Light 1″

Applies to the background of your site and all the menus and pop-up screens.

“Text/Background – Dark 2″

Applies to the top bar and the headings in the quick launch menu.











“Text/Background – Light 2″

Applies to the background of the quick launch menu, the ribbon and the top link bar.

“Accent 1″

Applies to the Quick launch and Site Actions hover color, selected month in calendar and select tab in the top link bar.

“Accent 3″

Applies this color to every second bar on the site features page.










“Accent 4″

Applies to the background of the buttons in the top link bar and the web part borders.

“Accent 6″

Applies to the selected calendar date and the hovering loading block.








Accent 2 and 5 don’t apply to any fysical content but only to markup styles. Accent 2 applies to Colored Heading 2, Accent 3 to Style “Caption”, Accent 5 to Colored Heading 4 and Accent 6 to Style “Highlight”.


Metadata Library View in SharePoint 2010

Posted by andre | Posted in Managed Metadata, Nintex Workflow, SharePoint 2010 | Posted on 28-02-2012


With SharePoint 2010 Managed Metadata was introduced as a new feature, but with all new features they have their limitations. One of the major limitations of using metadata in a library is that a metadata column filter cannot be applied to a term group but only to a single term. This is because a filter on the metadata column cannot use the “Begins With” or “Contains” operators.

Today I was working on a project for a customer who wants 12 different views on a single library to sort the related documents. The document types in this library has to be grouped in the 12 categories and a view has to be made for each category.

With the limitations at hand I looked at copying the metadata text from the column to a hidden plain text column. The column filter could then be applied to the “Single line of text” column. I made a Nintex workflow to copy the term to text, which all seemed to go okay.

After a few user tests I seemed that issues occurred when a document was checked in, cause then no changes could be made to the file. So I adjusted the workflow to first check-out the document, but to those who already checked out the document received an error and after adding a “Condition” the workflow locked the file when it was waiting for the check-out status to change.

So after a few errors and conditions the workflow turned from a simple ‘text-copy-workflow’ to a full-grown state machine.

What the Nintex Workflow does is check if the file is checked out, if not then the term is directly copied to text. If the document is checked out the State Machine will start and it will pause for 1 minute. After every pause the document check repeats and it either waits again or changes to the 2nd State and copies the term to text.

This way a document is never locked by the Nintex Workflow, the user or the system.



Thanks for reading.

Special thanks to Jim van Leeuwen.