Featured Post

Las Vegas: SharePoint Conference 2012 Day 1

The first day of conference has passed and there’s been given quite some information on all fronts! But like most mornings it started with breakfast. In a large hall the morning meal was provided and hundreds of people shared tables, a good start to swap stories. With a filled stomach it was off the large hall for the keynote. Assuming everybody was there, since it was the only session at that time, the hall was filled with about 10,000 people. The kickoff was a intro movie on SharePoint 2013, with a dozen meters wide screen, the loud music and the deep bass I did end up having a few chickenbumbs. It started with some general information on SharePoint and where it’s standing now, Jeff Teper followed with some new added features to the 2013 edition. Search, tasks and off course social was mentioned here. After that there was a big thumbs up to the Yammer folks and their collaboration with the Microsoft team. SharePoint and Yammer share a whole bunch of functionality in the new version. You can now show Yammer messages in your SharePoint feed and vice versa. Also linking your SharePoint documents in your Yammer feed is no more than a few clicks and you can simply view the document in Yammer by using Office Web Apps. After a some notes on Office 365 and the performance upgrades in the new SharePoint version it was off to the breakout sessions. I started with a session from Dan Holme on tips, tricks and scripts on the SharePoint 2013 installation. A few new features were highlighted; request management (http://www.harbar.net/articles/sp2013rm1.aspx), distributed cache (http://technet.microsoft.com/library/jj219700(office.15).aspx) and the increased requirements for the query components (http://technet.microsoft.com/en-us/library/jj219620.aspx). Followed by the creation of the SQL answer file. After the creation of the SQL answer file it was on to the SharePoint 2013 installation process, which was roughly the same as its predecessor. After a few more tips and examples on scripts the session was concluded. The final session of the day was about adopting SharePoint 2013 services in a 2010 farm. It was a really interesting session, although it raises more questions than it answered. This is definitely a subject that needs to be tested thoroughly. Tomorrow is day 2 and I’m ready!  

Read More

Kerberos constrained delegation (KCD)

Posted by andre | Posted in Kerberos, SharePoint 2010 | Posted on 16-06-2014


Last week I found myself struggling with some Kerberos delegations. I read everything there was to read about it online and got most information from a lot of other blogs. But.. none of them could really tell me everything I needed, so there for another blog about KCD.
The objective: Use Excel services to publish user personalized data stored on a SQL server outside the SharePoint farm.

I started by checking all necessary objects for the correct configuration:


a DNS Host (A) Record for the web application

The appropriate service accounts

- Web applications’ IIS application pool
- Excel services’ IIS application pool
- Claims 2 Windows Token Service
- SQL Server for SharePoint
- SQL Server for data source

Service Principal Names (SPN) for the accounts

The SharePoint Server web application service account
- HTTP/<DNS HOST name>

SQL servers (for both servers you enter 4 SPNs. Depending on the application you’re delegation it will use the right SPN. Better safe than sorry)
- MSSQLSvc/<DNS HOST name>
- MSSQLSvc/<DNS HOST name>:<Port>
- MSSQLSvc/<DNS FQDN>:<Port>

Excel Services’ service account

The Claims 2 Windows Token Service service account

For both the Excel and C2TWS tt doesn’t matter what you enter for SPN, you just need to enter something in order to get the delegation tab available in AD DS. It does however needs to be unique throughout the domain.

Add delegations for the services

The account you use for C2WTS and Excel Services needs to be configured for Constrained Delegation with Protocol Transitioning and needs permissions to delegate to the Services it is required to communicate with. To configure delegation you can use the Active Directory Users and Computer snap-in.

Right-click each service account and open the properties dialog. In the dialog click the Delegation tab

  • Select “Trust this user for delegation to specified services only”
  • Select “Use any authentication protocol”
  • Click the add button to select the service principal allowed to delegate to
  • Select User and Computers
  • Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL service
  • Click OK. You will then be asked to select the SPNs you would like to delegate to on the following screen.
  • Select the services (or select “Select all”) for the SQL server and click OK.



Log onto the server and add permissions for the C2WTS service account both in Windows and SharePoint, configure Excel services and create a new web application.

  • Add the service account to the local Administrators Groups.
  • In local security policy (secpol.msc) under user rights assignment give the service account the following permissions:
  • Act as part of the operating system
  • Impersonate a client after authentication
  • Log on as a service

Open Central Administration

  • Under Security → Configure Managed Accounts, Register the C2WTS service account as a managed account
  • Under Security → Configure Service Accounts, Select the Claims 2 Windows Token Service and change the identity of the C2WTS to the new managed account
  • Under services, select Manage services on server
  • In the server selection box in the upper right hand corner select the server(s) running excel services
  • Find the Claims to Windows Token Service and start it

Configure a new Excel Services service application and application proxy to allow web applications to consume Excel Services

  • Select Manage Service Applications under Application Management
  • Select New, and then click Excel Services Application
  • Configure the new service application. Be sure to select the correct service account (create a new managed account if the excel service account is not in the list)

Configure a new web application

  • Navigate to Manage Web Applications in the Application Management section
  • Select New and create your web application. Ensure that the following is configured:
  • Select Classic Mode Authentication
  • Configure the port and host header for each web application
  • Select Negotiate as the Authentication Provider
  • Under application pool, select Create new application pool and select the right managed account


For IIS Windows Authentication via Kerberos needs to be enabled.

  • In Internet Information Services (IIS) Manager, locate the Web Application under ‘Sites’
  • Select the Web Application and in the middle pane under the heading ‘IIS’, locate ‘Authentication’
  • Select the ‘Authentication’ Icon and in the right ‘Actions’ pane, clikc on ‘Open Feature’
  • In the Authentication dialog, select Windows Authentication (usually at the bottom)
  • Click on ‘Providers’ in the right ‘Actions’ pane
  • Verify that ‘Negotiate’ and ‘NTLM’ are the only ones listed and that they are listed in that order, ‘Negotiate’ at the top
  • Click Cancel and then again in the right ‘Actions’ pane click on ‘Advanced Settings’
  • Verify in the ‘Advanced Settings’ dialog that ‘Extended Protection’ is ‘Off’ and that ‘Enable Kernel-mode authentication’ is unchecked
  • Click Cancel
  • Exit Internet Information Services Manager.


Test Browser Authentication

See if a Kerberos ticket is distributed to the client after making the connection.

  • From a trusted client open a web browser and go the new web application
  • Check if you’ve received a ticket with Fiddler, Netmon, KList, etc

Test SQL Authentication

Upload a Excel file to the web application and see if the data can be refreshed from the SQL data source. In the SQL server security event log a Kerberos delegation log entry should be created.

It should say that the Kerberos user credentials where transited by the Excel service account.

Lessons learned

Changing a SPN

It happens, you’ve enter a wrongful SPN or you simply found a typo. After you change the SPN you need to reset the delegations. Otherwise they stay pointed towards the old SPN.

Other delegations

In some scenarios it’s necessary to delegate the web application’ service account or the computer object to the data source. Different scenarios, different delegations.



Configuring Kerberos authentication: Core configuration


Identity delegation for Excel Services


Comments (4)

Great internet site! It looks very professional! Sustain the good work!|

Explain how proxies works

Hello I am so excited I found your blog, I really found you by error,
while I was researching on Yahoo for something else, Regardless I am here now
and would just like to say kudos for a remarkable post and a all round enjoyable blog (I also love
the theme/design), I don’t have time to read through it all at the minute but I have book-marked it and also added your RSS feeds,
so when I have time I will be back to read a lot more, Please
do keep up the awesome job.

Pretty component to content. I just stumbled upon your weblog and in accession capital to
say that I acquire actually loved account your weblog posts.
Anyway I will be subscribing for your feeds and even I fulfillment you get admission to persistently rapidly.

Write a comment