
Kerberos constrained delegation (KCD)

Last week I found myself struggling with some Kerberos delegations. I read everything there was to read about it online and got most of the information from other blogs, but none of them could tell me everything I needed, so here is yet another blog post about KCD.

The objective: use Excel Services to publish user-personalized data stored on a SQL Server outside the SharePoint farm. The user reaches Excel Services with a claims identity rather than a Windows token, so the Claims to Windows Token Service (C2WTS) has to turn that claim back into a Windows identity and the farm then has to pass that identity on to SQL Server. That only works with constrained delegation plus protocol transition.

I started by checking that all the necessary objects were configured correctly.

DNS
- a DNS host (A) record for the web application

Service accounts
- the web application's IIS application pool
- the Excel Services IIS application pool
- the Claims to Windows Token Service (C2WTS)
- SQL Server for SharePoint
- SQL Server for the data source

Service Principal Names (SPNs)
The SharePoint web application service account:
- HTTP/<DNS host name>
- HTTP/<DNS FQDN>
The SQL Server service accounts (for both servers register all four SPNs; depending on how the application connects it will request one of them, so better safe than sorry):
- MSSQLSvc/<DNS host name>
- MSSQLSvc/<DNS FQDN>
- MSSQLSvc/<DNS host name>:<port>
- MSSQLSvc/<DNS FQDN>:<port>
The Excel Services service account:
- SP/EXCEL
The C2WTS service account:
- SP/C2WTS
For Excel Services and C2WTS it doesn't matter what you enter as the SPN; you just need some SPN on the account in order to get the Delegation tab in AD DS. It does, however, need to be unique throughout the domain: a duplicate SPN breaks Kerberos for both accounts that hold it.

Add delegations for the services
The accounts you use for C2WTS and Excel Services need to be configured for constrained delegation with protocol transition, and need permission to delegate to the services they communicate with. Protocol transition is required because the user never authenticated to the farm with Kerberos (the identity arrives as a claim), so the service has to obtain the ticket on the user's behalf itself. Keep in mind what that grants: an account trusted for protocol transition can get a service ticket to every SPN in its delegation list for any user in the domain (unless that user is marked as sensitive and cannot be delegated), without that user ever having authenticated to it. The credentials of these two service accounts therefore deserve the same protection as the data source they reach, and they must never be switched to unconstrained delegation.

To configure delegation you can use the Active Directory Users and Computers snap-in. Right-click each service account and open the Properties dialog.
- In the dialog click the Delegation tab.
- Select "Trust this user for delegation to specified services only".
- Select "Use any authentication protocol" (this is protocol transition).
- Click Add to select the service principals this account is allowed to delegate to.
- Click Users or Computers and select the service account running the service you want to delegate to; in this example that is the service account for the SQL Server service. Click OK.
- You are then asked which of that account's SPNs you want to delegate to. Select the SQL Server services (or click "Select All") and click OK.

SharePoint
Log on to the server and grant the C2WTS service account its permissions, both in Windows and in SharePoint; then configure Excel Services and create a new web application.

Windows permissions for the C2WTS service account:
- Add the service account to the local Administrators group.
- In the local security policy (secpol.msc) under User Rights Assignment grant it the following rights:
  - Act as part of the operating system
  - Impersonate a client after authentication
  - Log on as a service

Central Administration:
- Under Security → Configure Managed Accounts, register the C2WTS service account as a managed account.
- Under Security → Configure Service Accounts, select the Claims to Windows Token Service and change its identity to the new managed account.
- Go to Manage services on server, select the server(s) running Excel Services in the server selection box in the upper right-hand corner, find the Claims to Windows Token Service and start it.

Excel Services: configure a new Excel Services service application and application proxy so that web applications can consume Excel Services.
- Under Application Management select Manage Service Applications.
- Select New, then Excel Services Application.
- Configure the new service application. Be sure to select the correct service account (create a new managed account if the Excel Services account is not in the list).

Web application: configure a new web application.
- Navigate to Manage Web Applications in the Application Management section.
- Select New and create your web application. Make sure the following is configured:
  - Classic Mode Authentication
  - the port and host header for each web application
  - Negotiate as the authentication provider
  - under Application Pool, Create new application pool with the right managed account

IIS
In IIS, Windows authentication via Kerberos needs to be enabled.
- In Internet Information Services (IIS) Manager, locate the web application under Sites.
- Select the web application and, in the middle pane under the heading IIS, locate Authentication.
- Select the Authentication icon and in the right Actions pane click Open Feature.
- In the Authentication dialog select Windows Authentication (usually at the bottom).
- Click Providers in the right Actions pane.
- Verify that Negotiate and NTLM are the only providers listed and that they are listed in that order, Negotiate at the top. If NTLM is offered first, the browser answers with NTLM and no Kerberos ticket is ever presented.
- Click Cancel, then in the right Actions pane click Advanced Settings.
- Verify in the Advanced Settings dialog that Extended Protection is Off and that Enable Kernel-mode authentication is unchecked. With kernel-mode authentication on, IIS decrypts the ticket with the machine account's key instead of the application pool account's, so the HTTP SPN registered on the pool account would not match.
- Click Cancel and exit IIS Manager.

Test
Browser authentication: see whether a Kerberos ticket is issued to the client after making the connection.
- From a trusted client open a web browser and go to the new web application.
- Check whether you received a service ticket for the web application's HTTP SPN, with Fiddler, Netmon, klist, etc.
SQL authentication: upload an Excel file to the web application and see whether the data can be refreshed from the SQL data source.
- On the SQL Server a logon event with Kerberos as the authentication package should appear in the Security event log, and its Transited Services field should name the Excel Services account that delegated the user's identity (for a direct logon that field only contains "-").
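The same configuration and the same two checks done from PowerShell instead of the GUI, as an added example that is my own code and not from the original post or from Microsoft's guidance. Everything named here is assumed: domain contoso.com, web application host portal, SQL host sql01 on port 1433, and the service accounts svc_web, svc_excel, svc_c2wts and svc_sql. It needs the ActiveDirectory module, PowerShell 3 or later, and rights to edit those accounts and to read the SQL server's Security log.

```powershell
# Added example, not code from the original post. All names below are assumed.
Import-Module ActiveDirectory

$Domain  = 'contoso.com'
$WebHost = 'portal'
$SqlHost = 'sql01'
$SqlPort = 1433

# SPNs per account. setspn -S refuses to register a duplicate SPN, which is
# the failure mode you want: a duplicate breaks Kerberos for both accounts.
$Spns = @{
    'svc_web'   = @("HTTP/$WebHost", "HTTP/$WebHost.$Domain")
    'svc_sql'   = @("MSSQLSvc/$SqlHost", "MSSQLSvc/$SqlHost.$Domain",
                    "MSSQLSvc/${SqlHost}:$SqlPort", "MSSQLSvc/$SqlHost.${Domain}:$SqlPort")
    'svc_excel' = @('SP/EXCEL')   # placeholder SPNs: only there to unlock the
    'svc_c2wts' = @('SP/C2WTS')   # Delegation tab, but must be unique in the domain
}

function Register-ServiceSpns {
    foreach ($account in $Spns.Keys) {
        foreach ($spn in $Spns[$account]) {
            & setspn.exe -S $spn $account | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "setspn failed for $spn on $account (duplicate?)" }
        }
    }
}

# Constrained delegation with protocol transition. "Use any authentication
# protocol" is the TRUSTED_TO_AUTH_FOR_DELEGATION flag; the allowed targets
# live in msDS-AllowedToDelegateTo. -Replace writes the list exactly, so a
# re-run after an SPN change does not leave the old target string behind.
# Caveat: with protocol transition this account can obtain a service ticket
# to these SPNs for any user without that user's credentials; protect it.
function Set-ConstrainedDelegation {
    param([string]$Identity, [string[]]$Targets)
    Set-ADUser -Identity $Identity -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }
    Set-ADAccountControl -Identity $Identity -TrustedToAuthForDelegation $true -TrustedForDelegation $false
}

# Read the configuration back and report anything that would break the chain.
function Test-KcdAccount {
    param([string]$Identity, [string[]]$ExpectedTargets)
    $props = 'ServicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $u = Get-ADUser -Identity $Identity -Properties $props
    $actual = @($u.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account            = $Identity
        HasSpn             = @($u.ServicePrincipalName).Count -gt 0
        ProtocolTransition = [bool]$u.TrustedToAuthForDelegation
        Unconstrained      = [bool]$u.TrustedForDelegation      # must stay $false
        MissingTargets     = @($ExpectedTargets | Where-Object { $_ -notin $actual })
    }
}

# Security log on the SQL server: a 4624 logon whose authentication package is
# Kerberos and whose TransmittedServices field (rendered as "Transited
# Services") is not "-" was obtained through S4U2Proxy, i.e. it was delegated.
function Get-DelegatedLogon {
    param([string]$ComputerName, [int]$Hours = 1)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.AuthenticationPackageName -eq 'Kerberos' -and $data.TransmittedServices -ne '-') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUserName
                               TransitedServices = $data.TransmittedServices }
        }
    }
}

Register-ServiceSpns
foreach ($acct in 'svc_c2wts', 'svc_excel') { Set-ConstrainedDelegation -Identity $acct -Targets $Spns['svc_sql'] }
'svc_c2wts', 'svc_excel' | ForEach-Object { Test-KcdAccount -Identity $_ -ExpectedTargets $Spns['svc_sql'] } | Format-List
# On the client, after browsing to the web application, klist should list a
# ticket for HTTP/portal.contoso.com. After refreshing the workbook, look for
# the delegated logon on the SQL host:
Get-DelegatedLogon -ComputerName "$SqlHost.$Domain" | Format-Table -AutoSize
```

Test-KcdAccount is the part worth keeping around: Unconstrained must be False (unconstrained delegation would let the account reuse the user's TGT anywhere), ProtocolTransition must be True for the claims-to-Windows hop, and MissingTargets must be empty, otherwise the SQL hop fails with an anonymous logon on the SQL server.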
Lessons learned

Changing an SPN: it happens, you entered a wrong SPN or you simply found a typo. After you change the SPN you need to redo the delegations, otherwise they stay pointed at the old SPN: msDS-AllowedToDelegateTo stores the SPN strings as they were when you selected them, and nothing updates them when the target account's SPNs change.

Other delegations: in some scenarios it is necessary to delegate the web application's service account or the computer object to the data source. Different scenarios, different delegations.

Sources
- Configuring Kerberos authentication: Core configuration (SharePoint Server 2010): http://technet.microsoft.com/en-us/library/gg502602(v=office.14).aspx
- Identity delegation for Excel Services: http://technet.microsoft.com/en-us/library/gg502605.aspx
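A domain-wide check for the first lesson above (delegation entries left pointing at an SPN nobody holds any more), as an added example that is my own code and not from the original post. It lists every object that has a constrained-delegation target list, looks up each target SPN, and flags targets no account in the domain holds; it also shows which of those delegators have protocol transition or, worse, unconstrained delegation turned on, since those are the accounts an attacker who obtains their credentials can use to impersonate any user. It needs the ActiveDirectory module and read access to the domain; the function names are mine.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

# RFC 4515 escaping so an SPN containing \ * ( or ) cannot break the LDAP filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-DelegationAudit {
    # Users, computers and gMSAs alike: anything with a delegation target list.
    $delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties 'msDS-AllowedToDelegateTo', userAccountControl, sAMAccountName
    foreach ($obj in $delegators) {
        $uac = [int]$obj.userAccountControl
        $protocolTransition = ($uac -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION
        $unconstrained      = ($uac -band 0x80000)   -ne 0   # TRUSTED_FOR_DELEGATION, should never be set here
        foreach ($target in $obj.'msDS-AllowedToDelegateTo') {
            # The stored value is a plain string; find out whether any object still registers that SPN.
            $filter  = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $target))"
            $holders = @(Get-ADObject -LDAPFilter $filter -Properties sAMAccountName)
            $holder  = if ($holders.Count -gt 0) { ($holders.sAMAccountName) -join ',' } else { '<none>' }
            [pscustomobject]@{
                Delegator          = $obj.sAMAccountName
                ProtocolTransition = $protocolTransition
                Unconstrained      = $unconstrained
                Target             = $target
                TargetHolder       = $holder
                Stale              = ($holders.Count -eq 0)
            }
        }
    }
}

# Stale entries first, then everything else, so the typo'd SPNs are at the top.
Get-DelegationAudit | Sort-Object Stale, Delegator -Descending | Format-Table -AutoSize
```

A row with Stale = True is exactly the situation described above: the delegator still has the old SPN string in its list, and the target service will not accept the delegated ticket until the list is rewritten. Rows with Unconstrained = True deserve attention regardless of whether their targets resolve.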


European SharePoint Conference Day 2

Posted by andre | Posted in European SharePoint Conference | Posted on 19-10-2011


Day 2 started as planned with keynotes from Mirjam van Olst and Spencer Harbar. Their presentation on experiences from the field with SharePoint migrations was a pretty straightforward story. The session was split into work-related fields like management, development and IT pro. Although most of the information was already known, it was a good refresher and an eye opener on things that are usually forgotten in the process.

After a good opening we went to the session on Project and SharePoint. By using Project Server 2010 it becomes possible to view your project timelines and keep track of costs directly in SharePoint. SharePoint has the functionality to create an overview of all projects. Every project has its own project page where project-related information is shown, presented as a dashboard with a graphical view of the timeline and information on the project.
Right after the break we went to a session on SharePoint upgrade by Joel Oleson. The main decisions were discussed, like migration versus in-place upgrade, pre-upgrade considerations and experiences from the field.
After lunch I went to a BCS session by Andre Vala and Raul Ribeiro. They gave a nice demo of an external list with read and write functionality, and not just against a single source but against a SQL database and information stored in Azure at the same time.
Tom Zitter went to Bob Kreha's Bridging the Gulf. Implementations of SharePoint are usually viewed and planned from a technical perspective, and sight is lost of the ultimate goal: collaboration throughout the organization. Before a collaboration platform can be used to the fullest it is necessary to have everybody on the same page. It is important that everyone knows what is coming and that everybody can accept errors and mistakes. At the start all users should be able to post their content on the ECM. Even non-work-related blogs or news items should be accepted at the start, and filtering should not be a bottleneck for an employee who wants to post. All of this should be taken into account and documented in a considered governance design.
Then it was up to John Baldwin from EMC to update our knowledge on storage optimization, and he did! When SharePoint lacks performance, storage is the problem in most cases, so making sure that your storage is in optimal shape when you start using SharePoint is key. Think about how to configure your storage before you start installing SharePoint and SQL Server; don't just drop your installation on the disks, but think about where to put your content databases and how many should share a disk, LUN or volume.
Especially the provisioning of disk space, the minimum amount of IOPS per GB in a farm viewed from the user's perspective, and the planning of IOPS and GB kept me thinking.
Just like Mirjam van Olst in the morning presentation, John Baldwin mentioned it again: don't use RBS just because you want to or because you think it's 'cool'. Make sure you have the right reasons!
After the storage session it was but a small step to Steffen Krause's session on SQL Server best practices. With the newly gained knowledge we jumped into SQL Server's need for storage allocation and performance. Making the wrong choices, or not making a choice at all, can lead to a 30% to 50% loss of performance!
Just like John Baldwin, he gave best practices for RAID and NTFS block sizes, and multiple tools and settings like SQLIO.exe, quick formats, MAXDOP and autogrowth passed in review.
Day 2 was even better than day 1; let's hope that day 3 is better still! See you all tomorrow, and remember: "Never shrink your database!"
On a personal note, we went and explored some more of Berlin and literally tasted some culture!
