Featured Post

European SharePoint Conference Day 1

After a good night's sleep and almost an hour of traffic we arrived at the Estrel Hotel. We were ready to attend sessions the whole day and soak up information. The opening session from Bjorn Olstad gave us a refreshing view on the meaning of SharePoint as a platform, and most delegates agreed on that.

At 10.00 we kicked off with John Kleeman's session on “Measuring Social Learning in SharePoint with Assessments”. His interactive presentation was a good start to the day, especially his view on learning and forgetting curves and the 70:20:10 Framework by Charles Jennings.

After John it was up to Jan Tielens’ session on Office 365. His presentation was based upon busting the IT Pro myths. Topics like management, public sites, enterprise features, user profile synchronization, Exchange and Lync passed the review. Where most administrators or IT Pros stay on premise because management, administration, off-premise storage and so on are out of their hands, light was shed on every topic and Jan tried to convince them otherwise. The possibilities and limits of custom code, PowerShell and sandboxing were addressed as well. The possibility to connect the Office 365 cloud with your own Active Directory for a full user import really lifted some weight off my shoulders: not having to create every user again, but letting each user log on with their own domain account in the cloud, is a great feature. With all this together I think working in the cloud is ‘a thing’ for small and medium-sized companies. A full-size corporation would most likely still want to keep their data and applications on premise. I’m glad Jan Tielens mentioned that as well.

Before lunch I attended Rafal Lukawiecki’s presentation on BI, or as he called it PI. He planned on putting 90 minutes of content in 45 minutes of time, so from start to end it was a rapid flow of information. All methods of BI came to pass, from the most popular Excel to the yet to be released PowerView. The PowerPivot review with his endless (over 100 million rows) Excel sheet gave an excellent view of the possibilities and performance. Even with those amounts of data his virtual machines had no trouble generating calculations and filtered views in a matter of a second. The PivotViewer review got the crowd pretty worked up due to the awesome animations of the pictures he showed. For Centric that is an everyday thing of course. Wait till they see our ‘Faceboek’! Other ways to gather and filter data were based upon the Bing Maps data connector and the SQL Reporting Services Report Builder. His graphical demos were a good example of the possibilities of these tools.

In the afternoon it was up to the best practices for SharePoint Enterprise Search by Agnes Molnar. The session was pretty straightforward and the options and points of attention shown were basic information. A few points on federated search are up for further research, but all others were pretty much known information. In the second-to-last session of day 1 I went for Peter Viellefont’s session on templates. I expected more on planning and structure of the basic business templates, but it turned out to be a sales pitch, so not much learned there.

Last but not least we attended Matthew Hughes’ demo on “SharePoint branding from start to finish”. His demonstration of changing the look and feel of a site by using SharePoint Designer made it look easy enough! He gave a few ins and outs on how to change headers, footers, the ribbon, menus and logos by using a custom master page and a style sheet. If he can do it in about 30 minutes I could at least put in an hour or two of effort to give it a try myself! Ending his session with the quote “I’m not an expert but I can do stuff” gave a nice touch to his demo. Day 1 is done and 2 more yet to come. See you tomorrow!


Kerberos constrained delegation (KCD)

Posted by andre | Posted in Kerberos, SharePoint 2010 | Posted on 16-06-2014


Last week I found myself struggling with some Kerberos delegations. I read everything there was to read about it online and got most of the information from a lot of other blogs. But none of them could really tell me everything I needed, therefore another blog about KCD.
The objective: Use Excel services to publish user personalized data stored on a SQL server outside the SharePoint farm.

I started by checking all necessary objects for the correct configuration:


a DNS Host (A) Record for the web application

The appropriate service accounts

- Web applications’ IIS application pool
- Excel services’ IIS application pool
- Claims 2 Windows Token Service
- SQL Server for SharePoint
- SQL Server for data source

Service Principal Names (SPN) for the accounts

The SharePoint Server web application service account
- HTTP/<DNS HOST name>

SQL servers (for both servers you enter 4 SPNs. Depending on the application you’re delegating, it will use the right SPN. Better safe than sorry)
- MSSQLSvc/<DNS HOST name>
- MSSQLSvc/<DNS HOST name>:<Port>
- MSSQLSvc/<DNS FQDN>:<Port>

Excel Services’ service account

The Claims 2 Windows Token Service service account

For both the Excel and C2WTS accounts it doesn’t matter what you enter as SPN; you just need to enter something in order to get the Delegation tab available in AD DS. It does, however, need to be unique throughout the domain.
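Before touching delegation, it pays to verify the checklist above from a script instead of by eye. The following PowerShell is an added example, not code from the original post: it checks that the web application name is a Host (A) record, that every service account carries the SPNs it should, and that none of those SPNs is registered twice in the domain (the same thing `setspn -X` reports). All host names, account names and the two placeholder SPNs for Excel Services and C2WTS are assumptions for the walkthrough.

```powershell
# Added example, not code from the original post. Verifies the prerequisites listed
# above: the A record for the web application and the SPNs on each service account.
# All host names, account names and the two placeholder SPNs are assumptions.
Import-Module ActiveDirectory

$WebHost  = 'intranet.contoso.local'                 # assumed DNS host name of the web application
$Expected = @{                                       # sAMAccountName -> SPNs it must carry (assumed)
    'svc_spweb'   = @("HTTP/$WebHost")
    'svc_sqlsp'   = @('MSSQLSvc/sqlsp', 'MSSQLSvc/sqlsp:1433', 'MSSQLSvc/sqlsp.contoso.local:1433')
    'svc_sqldata' = @('MSSQLSvc/sqldata', 'MSSQLSvc/sqldata:1433', 'MSSQLSvc/sqldata.contoso.local:1433')
    'svc_excel'   = @('SP/ExcelServices')            # placeholder: only there to unlock the Delegation tab
    'svc_c2wts'   = @('SP/C2WTS')                    # placeholder: must merely be unique in the domain
}

function Test-KcdPrerequisites {
    param([string]$WebHost, [hashtable]$Expected)
    $ok = $true

    # 1. The web application name must be a Host (A) record. With a CNAME the browser
    #    requests a ticket for the canonical name, no HTTP/ SPN matches, and you get NTLM.
    #    (Resolve-DnsName needs Windows 8 / Server 2012 or later; use nslookup on 2008 R2.)
    $records = @(Resolve-DnsName -Name $WebHost -ErrorAction SilentlyContinue)
    if ($records | Where-Object { $_.Type -eq 'CNAME' }) {
        Write-Warning "$WebHost is a CNAME, not an A record"; $ok = $false
    } elseif (-not ($records | Where-Object { $_.Type -eq 'A' })) {
        Write-Warning "No A record for $WebHost"; $ok = $false
    }

    foreach ($sam in $Expected.Keys) {
        try   { $user = Get-ADUser -Identity $sam -Properties servicePrincipalName -ErrorAction Stop }
        catch { Write-Warning "Account $sam not found"; $ok = $false; continue }

        foreach ($spn in $Expected[$sam]) {
            # 2. Each expected SPN has to be present on its own account ...
            if ($user.servicePrincipalName -notcontains $spn) {
                Write-Warning "$sam is missing SPN $spn"; $ok = $false; continue
            }
            # 3. ... and on no other account: a duplicate SPN leaves the KDC unable to pick
            #    a key, and clients silently fall back to NTLM.
            $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
            if ($owners.Count -gt 1) {
                Write-Warning "SPN $spn is registered more than once: $($owners.DistinguishedName -join '; ')"
                $ok = $false
            }
        }
    }
    return $ok
}

if (Test-KcdPrerequisites -WebHost $WebHost -Expected $Expected) {
    'Prerequisites OK'
} else {
    'Fix the warnings above before configuring delegation'
}
```

Run it from a machine with the RSAT Active Directory module; it changes nothing and only reports. The CNAME check matters more than it looks: a web application behind a CNAME passes every other test and still ends up on NTLM.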

Add delegations for the services

The account you use for C2WTS and Excel Services needs to be configured for Constrained Delegation with Protocol Transition and needs permission to delegate to the services it is required to communicate with. To configure delegation you can use the Active Directory Users and Computers snap-in.

Right-click each service account and open the properties dialog. In the dialog click the Delegation tab

  • Select “Trust this user for delegation to specified services only”
  • Select “Use any authentication protocol”
  • Click the add button to select the service principal allowed to delegate to
  • Select User and Computers
  • Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL service
  • Click OK. You will then be asked to select the SPNs you would like to delegate to on the following screen.
  • Select the services (or select “Select all”) for the SQL server and click OK.
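The same delegation settings can be applied and read back with the Active Directory PowerShell module. This is an added example, not code from the original post: it writes the SQL SPNs into `msDS-AllowedToDelegateTo` (the “specified services only” list), sets the `TRUSTED_TO_AUTH_FOR_DELEGATION` flag (“Use any authentication protocol”) and then shows the result per account. The account names and target SPNs are assumptions.

```powershell
# Added example, not code from the original post. Does what the Delegation tab clicks
# above do, for the C2WTS and Excel Services accounts, and reads the result back.
# Account names and the target SPNs are assumptions.
Import-Module ActiveDirectory

$DelegatingAccounts = 'svc_c2wts', 'svc_excel'     # assumed sAMAccountNames
$SqlTargets = @(                                    # SPNs of the data-source SQL server (assumed)
    'MSSQLSvc/sqldata',
    'MSSQLSvc/sqldata:1433',
    'MSSQLSvc/sqldata.contoso.local:1433'
)

function Set-KcdDelegation {
    param([string]$Account, [string[]]$TargetSpns)

    # "Trust this user for delegation to specified services only" writes the target SPNs
    # into msDS-AllowedToDelegateTo. Only the missing ones are added so an existing list
    # (the "other delegations" case) is kept.
    $current = @((Get-ADUser -Identity $Account -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo')
    $missing = @($TargetSpns | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }

    # "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION in userAccountControl.
    # That is protocol transition: the service may ask the KDC for a ticket on behalf of a user
    # it never received a Kerberos ticket from, which is exactly what C2WTS needs for claims users.
    # It also means this account can act as any user towards the listed SPNs, so keep the
    # list short and treat the account as a sensitive one.
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true
}

function Get-KcdDelegation {
    param([string]$Account)
    $u = Get-ADUser -Identity $Account -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
    New-Object PSObject -Property @{
        Account                 = $u.SamAccountName
        ProtocolTransition      = $u.TrustedToAuthForDelegation   # must be True
        UnconstrainedDelegation = $u.TrustedForDelegation         # must stay False
        AllowedToDelegateTo     = @($u.'msDS-AllowedToDelegateTo')
    }
}

foreach ($acct in $DelegatingAccounts) {
    Set-KcdDelegation -Account $acct -TargetSpns $SqlTargets
    Get-KcdDelegation -Account $acct | Format-List
}
```

`UnconstrainedDelegation` is in the output on purpose: if someone earlier picked “Trust this user for delegation to any service”, the account can forward tickets anywhere, and that should show up as `True` and be corrected before going further.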



Log onto the server and add permissions for the C2WTS service account both in Windows and SharePoint, configure Excel services and create a new web application.

  • Add the service account to the local Administrators group.
  • In the local security policy (secpol.msc), under User Rights Assignment, give the service account the following rights:
    - Act as part of the operating system
    - Impersonate a client after authentication
    - Log on as a service

Open Central Administration

  • Under Security → Configure Managed Accounts, Register the C2WTS service account as a managed account
  • Under Security → Configure Service Accounts, Select the Claims 2 Windows Token Service and change the identity of the C2WTS to the new managed account
  • Under services, select Manage services on server
  • In the server selection box in the upper right hand corner select the server(s) running excel services
  • Find the Claims to Windows Token Service and start it

Configure a new Excel Services service application and application proxy to allow web applications to consume Excel Services

  • Select Manage Service Applications under Application Management
  • Select New, and then click Excel Services Application
  • Configure the new service application. Be sure to select the correct service account (create a new managed account if the excel service account is not in the list)

Configure a new web application

  • Navigate to Manage Web Applications in the Application Management section
  • Select New and create your web application. Ensure that the following is configured:
    - Select Classic Mode Authentication
    - Configure the port and host header for each web application
    - Select Negotiate as the Authentication Provider
    - Under application pool, select Create new application pool and select the right managed account
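The Central Administration steps from “Open Central Administration” down to the web application can also be scripted in the SharePoint 2010 Management Shell, which makes it repeatable across farms. The script below is an added example, not code from the original post or from Microsoft: account names, the URL, the port and the service application names are assumptions, and the part that changes the C2WTS process identity goes through the object model (`ProcessIdentity`) because there is no cmdlet for that dialog.

```powershell
# Added example, not code from the original post. Scripts the Central Administration
# steps above from the SharePoint 2010 Management Shell on the server that will run
# Excel Services. Account names, URL, port and names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$C2wtsAccount = 'CONTOSO\svc_c2wts'       # assumed
$ExcelAccount = 'CONTOSO\svc_excel'       # assumed
$WebAccount   = 'CONTOSO\svc_spweb'       # assumed: runs the web application's IIS application pool
$WebHost      = 'intranet.contoso.local'  # assumed: must match the HTTP/ SPN on $WebAccount

# Security -> Configure Managed Accounts: register the service accounts (prompts for passwords).
foreach ($name in $C2wtsAccount, $ExcelAccount, $WebAccount) {
    if (-not (Get-SPManagedAccount -Identity $name -ErrorAction SilentlyContinue)) {
        New-SPManagedAccount -Credential (Get-Credential -Credential $name) | Out-Null
    }
}

# Security -> Configure Service Accounts: run C2WTS under its own managed account.
# (Object-model path, assumed equivalent to the dialog.)
$c2wts = Get-SPServiceInstance | Where-Object {
    $_.TypeName -eq 'Claims to Windows Token Service' -and $_.Server.Address -eq $env:COMPUTERNAME
}
$svc = $c2wts.Service
$svc.ProcessIdentity.CurrentIdentityType = [Microsoft.SharePoint.Administration.IdentityType]::SpecificUser
$svc.ProcessIdentity.Username = $C2wtsAccount
$svc.ProcessIdentity.Update()
$svc.ProcessIdentity.Deploy()

# Services -> Manage services on server: start C2WTS on this server.
if ($c2wts.Status -ne 'Online') { Start-SPServiceInstance -Identity $c2wts | Out-Null }

# Excel Services service application and proxy, in a pool running as the Excel account.
$excelPool = New-SPServiceApplicationPool -Name 'ExcelServicesAppPool' -Account $ExcelAccount
New-SPExcelServiceApplication -Name 'Excel Services' -ApplicationPool $excelPool -Default | Out-Null

# Classic-mode web application with Negotiate (Kerberos) as authentication provider,
# in its own application pool running as the web application service account.
New-SPWebApplication -Name 'Intranet' -Url "http://$WebHost" -Port 80 -HostHeader $WebHost `
    -ApplicationPool 'IntranetAppPool' -ApplicationPoolAccount (Get-SPManagedAccount $WebAccount) `
    -AuthenticationMethod 'Kerberos' | Out-Null
```

`-AuthenticationMethod 'Kerberos'` is what “Negotiate” in the New Web Application page maps to; leaving it out gives you NTLM and a web application that will never hand out a delegatable ticket.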


In IIS, Windows Authentication via Kerberos needs to be enabled.

  • In Internet Information Services (IIS) Manager, locate the Web Application under ‘Sites’
  • Select the Web Application and in the middle pane under the heading ‘IIS’, locate ‘Authentication’
  • Select the ‘Authentication’ icon and in the right ‘Actions’ pane, click on ‘Open Feature’
  • In the Authentication dialog, select Windows Authentication (usually at the bottom)
  • Click on ‘Providers’ in the right ‘Actions’ pane
  • Verify that ‘Negotiate’ and ‘NTLM’ are the only ones listed and that they are listed in that order, ‘Negotiate’ at the top
  • Click Cancel and then again in the right ‘Actions’ pane click on ‘Advanced Settings’
  • Verify in the ‘Advanced Settings’ dialog that ‘Extended Protection’ is ‘Off’ and that ‘Enable Kernel-mode authentication’ is unchecked
  • Click Cancel
  • Exit Internet Information Services Manager.
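The IIS checks above are easy to get wrong on the second server of a farm, so here is a read-only version with the WebAdministration module. This is an added example, not code from the original post: it reports whether Windows Authentication is on, whether the providers are exactly Negotiate then NTLM, and whether kernel-mode authentication and Extended Protection are off. The site name is an assumption (SharePoint normally names the IIS site after the web application and port).

```powershell
# Added example, not code from the original post. Read-only check of the IIS settings
# listed above for one site; the site name is an assumption.
Import-Module WebAdministration

function Test-KerberosSiteConfig {
    param([string]$SiteName)
    $site   = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $ok = $true

    # Attribute values come back either as plain values or as ConfigurationAttribute objects.
    function Read-Attr([string]$sub, [string]$name) {
        $v = Get-WebConfigurationProperty -PSPath $site -Filter "$filter$sub" -Name $name
        if ($v -ne $null -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
    }

    if (-not [System.Convert]::ToBoolean("$(Read-Attr '' 'enabled')")) {
        Write-Warning 'Windows Authentication is disabled'; $ok = $false
    }

    # Provider order: Negotiate first, then NTLM, nothing else. With NTLM first the browser
    # never presents a Kerberos ticket, so there is nothing for C2WTS to delegate.
    $providers = @(Get-WebConfiguration -PSPath $site -Filter "$filter/providers/add" | ForEach-Object { $_.value })
    if (($providers -join ',') -ne 'Negotiate,NTLM') {
        Write-Warning "Providers are [$($providers -join ', ')], expected [Negotiate, NTLM]"; $ok = $false
    }

    # Kernel-mode authentication decrypts tickets with the machine account's key unless
    # useAppPoolCredentials is set; SharePoint pools run as domain accounts, so it must be off.
    if ([System.Convert]::ToBoolean("$(Read-Attr '' 'useKernelMode')")) {
        Write-Warning 'Kernel-mode authentication is enabled'; $ok = $false
    }

    # Extended Protection: Off (tokenChecking = None).
    $ep = [string](Read-Attr '/extendedProtection' 'tokenChecking')
    if ($ep -ne 'None') { Write-Warning "Extended Protection is '$ep', expected 'None'"; $ok = $false }

    return $ok
}

Test-KerberosSiteConfig -SiteName 'SharePoint - intranet80'   # assumed site name
```

Run it on every web front end; the settings live in that server’s applicationHost.config, not in the farm configuration database, so one server can be right and the next one wrong.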


Test Browser Authentication

See if a Kerberos ticket is distributed to the client after making the connection.

  • From a trusted client open a web browser and go to the new web application
  • Check if you’ve received a ticket with Fiddler, Netmon, KList, etc

Test SQL Authentication

Upload an Excel file to the web application and see if the data can be refreshed from the SQL data source. In the SQL server security event log a Kerberos delegation log entry should be created.

It should say that the Kerberos user credentials were transited by the Excel service account.
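Both tests can be done without a network sniffer. The following is an added example, not code from the original post: on the client it looks in the ticket cache (`klist`) for a service ticket for the web application’s HTTP/ SPN, and on the SQL server it searches the Security log for logon events (4624) whose `TransmittedServices` field (shown as “Transited Services” in Event Viewer) names the Excel Services account. The host name, SQL server name and account name are assumptions.

```powershell
# Added example, not code from the original post. Client-side ticket check and server-side
# search for delegated logons; host, server and account names are assumptions.

function Test-KerberosTicket {
    param([string]$Spn)   # e.g. 'HTTP/intranet.contoso.local'
    # After a Kerberos logon to the web application the cache holds a service ticket for its
    # HTTP/ SPN. No ticket after browsing to the site almost always means NTLM fallback.
    $tickets = klist
    $hit = $tickets | Where-Object { $_ -match [regex]::Escape($Spn) }
    if ($hit) { Write-Host "Service ticket present: $("$hit".Trim())"; return $true }
    Write-Warning "No service ticket for $Spn in the cache; check the SPN and the IIS provider order"
    return $false
}

function Get-DelegatedSqlLogons {
    param([string]$SqlServer, [string]$FrontEndAccount, [int]$Hours = 1)
    # A delegated logon on the SQL server is a 4624 event whose TransmittedServices field
    # ("Transited Services" in Event Viewer) lists the account that transitioned the user's
    # identity. The same query is useful later for spotting delegation you did not expect.
    $events = Get-WinEvent -ComputerName $SqlServer -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TransmittedServices'] -and $d['TransmittedServices'] -match [regex]::Escape($FrontEndAccount)) {
            New-Object PSObject -Property @{
                Time      = $e.TimeCreated
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = $d['LogonType']
                AuthPkg   = $d['AuthenticationPackageName']   # expect Kerberos
                Transited = $d['TransmittedServices']
                Source    = $d['IpAddress']
            }
        }
    }
}

Test-KerberosTicket -Spn 'HTTP/intranet.contoso.local'
Get-DelegatedSqlLogons -SqlServer 'sqldata' -FrontEndAccount 'svc_excel' | Format-Table -AutoSize
```

The `Transited` column is the proof the post is after: the user’s own name in `User`, Kerberos in `AuthPkg`, and the Excel Services account as the service that transited the credentials. Reading the remote Security log needs Event Log Readers membership on the SQL server and audit logon events switched on.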

Lessons learned

Changing a SPN

It happens: you’ve entered a wrong SPN or you simply found a typo. After you change the SPN you need to reset the delegations, otherwise they stay pointed towards the old SPN.
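Because the Delegation tab stores the target as a plain string, a renamed SPN leaves stale entries behind that the dialog will not show as broken. The script below is an added example, not code from the original post: it walks every account in the domain that has a constrained-delegation list, flags entries whose SPN is no longer registered (or is registered twice), and includes a small repair function for swapping one entry. The account and SPN names in the repair call are assumptions.

```powershell
# Added example, not code from the original post. Audits every constrained-delegation
# list in the domain for entries that no longer match a registered SPN (what a renamed
# SPN leaves behind) and repairs one entry. Account and SPN names are assumptions.
Import-Module ActiveDirectory

function Get-StaleDelegations {
    # Every principal (user or computer) with "delegate to specified services only" set.
    $delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo', userAccountControl
    foreach ($d in $delegators) {
        foreach ($target in $d.'msDS-AllowedToDelegateTo') {
            # Each entry is an SPN and must still be registered on exactly one principal.
            $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$target)")
            if ($owners.Count -eq 1) { continue }
            if ($owners.Count -eq 0) { $status = 'stale: SPN is not registered anywhere' }
            else                     { $status = 'ambiguous: SPN is registered more than once' }
            New-Object PSObject -Property @{
                Delegator          = $d.Name
                Target             = $target
                Status             = $status
                ProtocolTransition = [bool]($d.userAccountControl -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION
            }
        }
    }
}

function Repair-Delegation {
    param([string]$Account, [string]$OldSpn, [string]$NewSpn)
    # The dialog does not follow an SPN rename; the stored string has to be swapped by hand.
    Set-ADUser -Identity $Account -Remove @{ 'msDS-AllowedToDelegateTo' = $OldSpn }
    Set-ADUser -Identity $Account -Add    @{ 'msDS-AllowedToDelegateTo' = $NewSpn }
}

Get-StaleDelegations | Format-Table Delegator, Target, Status, ProtocolTransition -AutoSize

# Example repair after a typo in the SQL SPN was corrected (names assumed):
# Repair-Delegation -Account 'svc_excel' -OldSpn 'MSSQLSvc/sqldta.contoso.local:1433' -NewSpn 'MSSQLSvc/sqldata.contoso.local:1433'
```

The `ProtocolTransition` column is there because a stale entry on an account with protocol transition is the one worth cleaning first: it is the account with the broadest rights, and a delegation list that nobody maintains is how those rights quietly drift.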

Other delegations

In some scenarios it’s necessary to delegate the web application’s service account or the computer object to the data source. Different scenarios, different delegations.



Configuring Kerberos authentication: Core configuration


Identity delegation for Excel Services


Comments (4)

Great internet site! It looks very professional! Sustain the good work!

Explain how proxies works

Hello I am so excited I found your blog, I really found you by error,
while I was researching on Yahoo for something else, Regardless I am here now
and would just like to say kudos for a remarkable post and a all round enjoyable blog (I also love
the theme/design), I don’t have time to read through it all at the minute but I have book-marked it and also added your RSS feeds,
so when I have time I will be back to read a lot more, Please
do keep up the awesome job.

Pretty component to content. I just stumbled upon your weblog and in accession capital to
say that I acquire actually loved account your weblog posts.
Anyway I will be subscribing for your feeds and even I fulfillment you get admission to persistently rapidly.
