Apr 20

Kerberos Helper

I have blogged previously about setting up service principal names for your architecture. To make it really easy to form a perfect SETSPN statement first time and every time, I put together this little spreadsheet that will build the statements for you. It will also help you plan your installation architecture and service accounts.

All you need to do is to carefully fill in all the fields that appear in yellow and your SPN statements will be done. Just make sure you copy both NetBIOS based and FQDN based columns to a batch file and run it as domain admin.

This spreadsheet was a result of many hours of research, so if you feel that it helped you save time and money, please donate any amount you see fit using the button on the right. I will be happy to answer any questions you may have on it, please feel free to comment.

I provide the spreadsheet on “as is” basis and reserve the right to withdraw it at any time. You are free to use it in any way you like, but not distribute it or any part of it without my explicit written permission.

You can download the spreadheet from here. Please leave comment to this post if you found it helpful or indeed otherwise.

Apr 14

Service Principal Name (SPN): how to get it right?

Most of the difficulties in configuring Kerberos actually stem from this absolutely fundamental step in the process: getting your SPNs right. target They help Kerberos find the Service and the computer (Principal) that hosts that service. That is, SPNs are all about the target. They identify the destination of your journey, much like the address for the mail. In the case of Kerberos delegation, they are not about the client, not about the delegating service, but the service that serves the data you are trying to access. OK, there are exceptions, of course: most notably when you would like to use Kerberos to connect to the front end of your application (e.g. SharePoint Portal), but they only prove the rule, as in this case SharePoint portal is the target of your journey!

Now the second important concept to grasp is the syntax of the command commonly used to set up SPNs: SETSPN. Inline help is very generic and does not go very far in helping you with the syntax, but it tells you two very important things – you need to register your SPNs against an account and you need to identify the service:

setspn.exe -S <SPN> <AccountName>

Note here the use of the -S flag. If your domain is at 2003 functional level or later, this is the flag to use: it automatically checks for any duplicate SPNs before adding another. This is a very important step: you do not what to confuse your Kerberos about the destination of your journey! In pre-2003 domains have to check for duplicates explicitely and add SPNs with -A flag.

So how do we udentify the service? This is the hardest bit: there are thee components to this:

  1. Service class or description of the service
  2. Service Host name or DNS “A” record (not CNAMEs!)
  3. Port or Instance Name

Service class is merely an arbitrary label describing the service, naturally it should be commonly recognised, such as HTTP for a web site (IIS Service). Here’s some of the examples of service classes:

Service Classes (Types) Service Classes Description
MSSQLSvc SQL Server Database Engine
MSOLAPSvc.3 SQL Server Analysis Services
MSOLAPDisco SQL Server Analysis Services Discovery Service
MSSQLDisco SQL Server Browser
HTTP IIS service

The second part is the Host name: that is definition of where the service is running. This is normally a NetBIOS name of the computer that is hosting that target service, however in the case of IIS service, that should me the DNS “A” record of the Service your are authenticating to. Please bear in ming 15 character limit over Microsoft implementation of the NetBIOS: make sure your server naming conventions do not exceed this limit. NetBIOS name is one of the properties of your computer account in active directory. Easiest way to check NetBIOS name is is to display Computer Name tab of the host computer properties (right click on My Computer->Properties) and then click “Change…” -> “More…”. Checking DNS records is a little more involved, but your domain admin will be able to help.

The third part only applies to services running on non-default ports and named instances of Analysis Services. Naturally, you need to know if it is indeed the case. Table below should help you make a call:

Service Class Default Port How to tell if the service is set to default
SQL Server Database Engine 1433 Default instance is usually running on default port. Named instances usually set to dynamic allocation, check SQl Server Configuration manager
SQL Server Analysis Services 2383 If Port property of Analysis Services instance in Management Studio has a default value of 0, this means that the instance uses the default port, 2383
SSAS Discovery Service 2384 Usually Default ports are used. Check what ports are used by sqlbrowser.exe using “netstat -aob” command
SQL Server Browser 1434 Usually Default ports are used. Check what ports are used by sqlbrowser.exe using “netstat -aob” command
IIS service 80 Check web site properties in IIS Manager. If port is not specified as a part of URL for the web site, then it is usually default.

Now you should be able to form a correct SPN using the following syntax:

<service class>/<Host Name>[:<port or instance>]

Please remember to use instance name for the named instances of Analysis Services. If you try to specify a port number instead, it will be treated as a part of the host name and of course the call will fail miserably.

Finally, one needs to register this beautifully crafted SPN against an account. This account is the identity of the service you are trying to reach – the identity of the target service, the account that runs that service. Ideally, this is an Active Directory Service Account specially configure to be used as a service identity. If the service is running as “Local System” then this is Active Directory account of the computer that runs the service. Either way, in the SETSPN command it has to follow correctly formed SPN using the following syntax:

<domain name>\<account name>

 Thus a complete syntax of a correct SPN statement should be as follows:

setspn -s <service class>/<Host Name>[:<port or instance>] <domain name>\<account name>

To make it completely fool-proof, I have set up a very straightforward spreadsheet that you can download and use for building a perfect SPN statement every time. Please refer to KerberosHelper post to download.

Apr 14

Claims to Windows Token Service Identity

 C2WTSClaims to Windows token Service plays a very important role in SharePoint 2010 Kerberos delegation. It is a part of .Net Windows Communication Framework. It needs to be running on SharePoint application server in order for a SharePoint service to be able to get a User Windows token in exchange for a UPN (user principal name) claim. SharePoint uses claims for inter-farm communication. To authenticate to a service outside SharePoint farm that is not claims-aware, SharePoint needs to obtain a windows token to use for authentication. In the case of Kerberos delegation this token is then used to get Service ticket to present to the target service. The diagram here is a simplification of the complete process to highlight the role of C2WTS. For full details of Kerberos protocol mechanism, please refer to a far more serious source on Microsoft Technet

When C2WTS is not working properly, no delegation is possible, all calls to external services would fail. Inside SharePoint this failure would result in errors such as the following (see Rodney Viana’s blog):

"Could not retrieve a valid windows identity for NTName='Domain\Joe.Bloggs', 
UPN='Joe.Bloggs@Domain.com'. UPN is required when Kerberos constrained delegation is used."

Widely referred to Microsoft whitepaper on configuring Kerberos for SharePoint suggests changing the identity of Claims to Windows Token Service (C2WTS) to an active directory service account. While this seems like a good idea at first it may cause problems with stability of the service. It does not actually achieve anything in terms of making the configuration more secure as the account must be a member of the host local administrator group for the C2WTS to function correctly, so my recommendation is: leave it be as Local Service. Should you wish to change the delegation properties of other attributes for the identity of the service, please use the host computer account.

I had a case of C2WTS becoming unstable after changing identity from default Local System to an active directory account when configuring Kerberos constrained delegation for a SharePoint 2010 and SQL Server 2012 installation recently. Straigt after (re)start, the service would operate correctly, duly returning a windows token for a UPN claim, but after a few minutes it would inevitably get tired and begin returning an error, as if the user does not exist.

Changing the service identity back to Local System solved this problem: the system has been working reliably for many months now. Changing the identity back to a AD account brings back to problematic behaviour. 

Please bear in mind that if you have changed the identity of Claims to Windows Token Service in SharePoint, you need to tell SharePoint of your decision to undo that change. You can do so using SharePoint PowerShell console:

Get-SPServiceInstance | Where {$_.TypeName.StartsWith("Claims")} | 
ForEach-Object {
$_.Service.ProcessIdentity.CurrentIdentityType = 0; 
$_.Service.ProcessIdentity.Update(); 
$_.Service.ProcessIdentity.Deploy()}

 

Mar 30

I am presenting at SQL Bits!

SQLBitsLogoSaying I am excited to present at SQL Bits is an understatement. I always enjoy sharing what I know with others, but now I have a perfect chance of sharing what I’ve learned about Kerberos delegation with UK SQL Server Community and the entire world! Click on the part-eaten disk array image to find out more…