Service Packs for Microsoft

RobertLambrecht.com

Hotfixes for Microsoft Blog is a Technology Blog for Microsoft Links, Reference Information, and How-To's.  Anything and everything that helps people understand Microsoft products.  "Hotfixes" are small patches (or blog posts in this case) designed to address specific issues.  The intent is to provide some bonus material that addresses a specific issue, topic or describes some information that isn't easily found anywhere else. 
 
See a summary of blog posts or look at some recent entries below.


 

Recent Hotfixes for Microsoft Blog Entries - by Robert Lambrecht

 

February 10

Kerberos SPN Generation Setup Tool - Delegation Tab

The last post describes the Delegation Process.  While it is important to understand the Delegation Process, the idea was to provide a background for this post on how to use the Kerberos SPN Generation Setup Tool Beta to help you identify which delegations are needed or missing.  This is a continuation of the series of blog posts “Kerberos SPN Generation / Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  This post will discuss the “Delegation Tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at RobertLambrecht.com

It is assumed that you have completed the Generate SPNs process and that the Main Menu / Navigation screen looks something like the image below.  Select “Delegation” to get to the Delegation tab.

 
Main Menu / Navigation - Delegation

 

For review purposes, we will use the ProClarity Analytics Server example and its corresponding Delegation example.

 

The “PAS Tab” entries are:

 

If we look at the “Delegation” tab, notice that the delegation needed does not exist (cell D8 below). 

Delegation Tab Example (Prior to SPNs being Delegated).

 

You can follow the Delegation Process – PAS Example for the details of how to do Delegation.  After the delegation is complete, the “Delegation” Tab should look like this.

 

Delegation Exists: (After SPNs were added and Delegation Process was completed)

 

Since there is a lot of detail on this page, I will break it up into three sections and discuss each separately.


 

Section 1: Proposed Application Server / Database Server Delegations

Based on the entries in the “Input Tabs” sections, Section 1 is completed for you.  In this case, we have only entered information for the PAS application tab.  You can see that the “Delegation” tab knows about the service accounts that were entered for the database / SSAS account and the PAS application server account.  In this case, the “Delegation” is also complete.  Note that there is a “*” in the Delegation Exists column.  This denotes that even if the delegation does exist, you will want to make sure all of its attributes are correct in Active Directory.  The process for checking this has been detailed in a previous post.  You can add any notes you wish in the “Notes” column.  Section 1 is calculated and completed for you; you may elect to do some checking on Delegations that exist.

 

Section 1: Expanded View

 

Section 2: Delegations Currently in the Domain (for listed accounts)

This section really documents the Kerberos Constrained Delegation.  In other words, it shows you the SPNs that are constrained between the two service accounts that exist on two different machines.  You can use the individual input tabs to find out the details for each BI product used.  In this example, it shows the service accounts from Section 1 along with the SPNs that were generated by the tool for the Database / SSAS service account (sql_analysis).  This is really the heart of what I was trying to accomplish with the tool.

If there are any service accounts listed in this section as “UNKNOWN”, it means that there is an existing delegation set up for the service account but you do not have the service account listed.  You can solve this by putting the missing service account in the “Other Accounts” tab.  When you rerun the “Generate SPNs” process, it will update the “UNKNOWN” account with the proper account.  This may take several iterations if you have to guess at the missing account.  It is important to have all of the accounts properly identified so that the tool can ensure that there are no “Duplicate SPNs”.  It only does this check for accounts that are listed in the tool.

The Front/Middle vs. Middle/Back account is reference nomenclature based on the proximity of the account to the user (Front) or database (Back).  In this case, you could say that the paswebapp account (accessed directly from the user’s browser) is the “Front” account.  This account interacts with sql_analysis, which is the service account for the database (the “Back” account).  This nomenclature is typically used when thinking of a three-tier architecture where the “Front” tier is the web server, the “Middle” tier is the application server, and the “Back” tier is the database server.  In some cases there may be only two tiers.  The point here is that this nomenclature gives you some direction as to the delegation starting at the “Front” and working your way toward the “Back”.  The actual designation of Front, Middle, Back is not that important.

 

Section 2: Expanded View

 

Section 3: Other Delegations Needed – Application Server / Application Server (http)

In a complex delegation, you may need to have a delegation between two applications that is not yet specified.  In this case, you would need to specify the delegation between the applications.  In our simple example, this section is blank.  If you wanted to use this section, you would have to have the applications specified in the “Input Tabs”.  You can only select delegations like this if the applications are defined in the tool; the tool can then check for these delegations.  There is also a “Notes” section to denote any additional delegations.  Note that you can only specify “http” delegations in this section.  If you need to define a delegation to a database, this should be done in one of the application input sections.

 

Section 3: Expanded View

  

 

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

 

Hotfixes for Microsoft and Service Packs for Microsoft @ RobertLambrecht.com are both created by Robert Lambrecht

 



10:40 AM GMT

January 28

Kerberos SPN Generation Setup Tool - Delegation Process

 

Delegation Process – PAS Example

This post takes a short departure from directly discussing the “Kerberos SPN Generation / Setup Tool” as there needs to be a process discussion on how to do “Kerberos Constrained Delegation”.  This is a manual step that needs to be accomplished after completing the Generate SPNs process.  This post shows you how to do the “Kerberos Constrained Delegation” process.  It also shows you how to review SPN setup and Delegation information in Active Directory.

For more details about this example, we will reference a previous post describing how to set up the Kerberos portion of the ProClarity Analytics Server (PAS) 6.3.  The setup for that post will consist of only the “PAS Tab” information.  In other words, imagine that we have only entered information into the “Common Tab” and the “PAS Tab”.  While this example is for a ProClarity setup, it works the same with other Microsoft BI technologies.

 

As always, we draw a picture to help us understand the definition of the setup. 
 


 

ADSI Edit and SPNs

This example assumes that you have completed the Generate SPNs process for PAS.  After you have completed the Generate SPNs process, the rest of the information in this section is optional (it is listed so you know the details of how to check what the tool did).  The Generate SPNs process essentially creates the SPNs and puts them into the appropriate servicePrincipalName (SPN) for you.  This section shows you how to manually check SPNs.  

Start by logging into your Active Directory Domain Controller.  ADSI Edit is a snap-in that can manage objects in Active Directory.  You can use ADSI Edit to check out if the Generate SPNs batch file added the SPNs correctly.  Start ADSI Edit and go to each of the domain user accounts to check the SPN setup.  In our example, you would go to “paswebapp” and “sql_analysis”.  We will start by looking at “paswebapp”.   

Go to the user account properties –> Attribute Editor tab –> and scroll down to the “servicePrincipalName” or SPN. 

Review the SPN values. 

In this example, the SPNs can be seen below for the “paswebapp” account.  The “paswebapp” account was the application pool account used for the PAS application.

  • http/analytics
  • http/analytics.newdn.com

Repeat this for all of the accounts that you would like to review the SPN entries for (the other account is “sql_analysis” in our example).

 

Analytics is a Host Header or Host (A) Name Record in DNS for the PAS application instance.


 
“sql_analysis” is the domain user account used for the Analysis Services instance on the ReportMachine server.


 

Delegation Process

First determine if delegation is needed (this will be discussed more in a future post).  In our example (after completing the Generate SPNs process), you can go to the “Delegation” tab and review the output.  In this case, you can see that Delegation does not exist (cell D8 below) and we must manually do the Delegation process.

 

Delegation Tab Example –> "Kerberos SPN Generation Setup Tool – Generate SPNs"


 

Let’s start the delegation process by going into Active Directory and finding the user account “paswebapp”.  Following the arrows in our diagram above and working from front (the user) to back (data source), we find the application to application communication that takes place.  In our example, the “paswebapp” user account delegates to the “sql_analysis” user account (front to back following the arrows).  This application to application security is what we are interested in “Constraining”.  Find the user “paswebapp” and complete the following process in Active Directory.

Go to Properties –> Delegation Tab.  Select “Trust this user for delegation to specified services only” and then select “Use Kerberos only”. 

Select Add, Users & Computers, and then add the user “sql_analysis”, Select All.  Then select OK, OK, … until you get back to the “paswebapp” Properties window.

Select the Expanded checkbox and then OK.  Notice that the SPNs that you added for the “sql_analysis” account should now show up in the “paswebapp” properties services section of the dialog box shown below.

Select OK to complete.

We have now completed the “Kerberos Constrained Delegation” process for our example.

 

Completed Kerberos Constrained Delegation Process for “paswebapp”.


 

Checking Delegation with ADSI

Just like we can check SPNs with ADSI Edit, we can check our Kerberos Constrained Delegation as well.  The Kerberos Constrained Delegation attribute is called “msDS-AllowedToDelegateTo”.

Start ADSI Edit and go to each of the domain user accounts to check the delegation attribute.  In our example, you would go to “paswebapp”. 

Go to the user account properties –> Attribute Editor tab –> and scroll down to the “msDS-AllowedToDelegateTo”. 

Review the values.  In this example, the SPNs that were “allowed to be delegated to” can be seen below for the “paswebapp” account.  The “paswebapp” account was the application pool account used for the PAS application.

  • MSOLAPSvc.3/ReportMachine 
  • MSOLAPSvc.3/ReportMachine.newdn.com

Basically we can see that the PAS application is Constrained, via Kerberos, to the Analysis Service instance on the “ReportMachine”.  Remember that Delegation is directional.  In other words there is a difference between the “paswebapp” user account delegating to the “sql_analysis” user account, and the “sql_analysis” user account delegating to the “paswebapp” user account. 

 

Checking the msDS-AllowedToDelegateTo attribute on “paswebapp”.


 
For completeness, “sql_analysis” is shown even though the attribute is empty.


 

Checking your work with the “Kerberos SPN Generation / Setup Tool”.

After you have completed your constrained delegation, you can rerun the Generate SPNs process and then check out the output on the “Delegation” tab.  You will now notice that the PAS application constrained delegation has been completed (see cell D8).  Notice that the “Delegation Exists?*” (column D) has an “*”.  The “*” basically tells you to check your delegation in Active Directory to make sure all of the attributes are correct.  The above process walks you through how to do this.

 

Delegation Tab after the manual delegation is complete.


 

While this example is for the PAS application, it is a valid approach for other BI applications.  Repeat this process for all of the necessary delegations until you complete your setup.

 

What if you add more configuration later and you have to delegate again?

Do the delegation again and check to see if the attributes are correct (the general process is shown above).  If you add an additional SPN at a later time, you must re-delegate the affected user accounts so that the existing attributes get updated.  You can also accomplish this by adding the new SPNs into the appropriate msDS-AllowedToDelegateTo attribute if needed or go through the delegation process again.
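The two checks this question and the Delegation tab post above rely on (Section 1’s “Delegation Exists?*” column and Section 2’s resolution of each delegated SPN to its owning account, with “UNKNOWN” for an unlisted owner), written as an added Python example that is not part of the tool. The attribute values are a constructed copy of the PAS example; the “http/reports.newdn.com” entry and the later “MSOLAPSvc.3/ReportMachine:2383” SPN are assumptions.

```python
import copy
from collections import defaultdict

# Constructed stand-in for the two Active Directory attributes the post reads
# with ADSI Edit. The paswebapp/sql_analysis values follow the PAS example;
# "http/reports.newdn.com" is an assumed delegation to an account that is
# not listed in the tool.
ACCOUNTS = {
    "paswebapp": {
        "servicePrincipalName": ["http/analytics", "http/analytics.newdn.com"],
        "msDS-AllowedToDelegateTo": [
            "MSOLAPSvc.3/ReportMachine",
            "MSOLAPSvc.3/ReportMachine.newdn.com",
            "http/reports.newdn.com",
        ],
    },
    "sql_analysis": {
        "servicePrincipalName": [
            "MSOLAPSvc.3/ReportMachine",
            "MSOLAPSvc.3/ReportMachine.newdn.com",
        ],
        "msDS-AllowedToDelegateTo": [],
    },
}


def spn_owners(accounts):
    """Map each SPN (AD compares them case-insensitively) to the listed
    account(s) whose servicePrincipalName carries it."""
    owners = defaultdict(set)
    for name, attrs in accounts.items():
        for spn in attrs["servicePrincipalName"]:
            owners[spn.lower()].add(name)
    return owners


def current_delegations(accounts):
    """Section 2 of the Delegation tab: one row per SPN a front account is
    allowed to delegate to, resolved to the back account that owns the SPN.
    An SPN that no listed account owns is reported as UNKNOWN, the cue to
    add the missing account on the OtherAccounts tab."""
    owners = spn_owners(accounts)
    rows = []
    for front, attrs in accounts.items():
        for spn in attrs["msDS-AllowedToDelegateTo"]:
            backs = owners.get(spn.lower())
            rows.append((front, spn, ",".join(sorted(backs)) if backs else "UNKNOWN"))
    return rows


def delegation_status(accounts, front, back):
    """Section 1 check for one front -> back pair. Delegation is directional,
    so only the front account's msDS-AllowedToDelegateTo is consulted.
    Returns (exists, missing): exists is True when at least one of the back
    account's SPNs is allowed; missing lists the back SPNs not yet in the
    attribute, which is what the "*" asks you to verify in AD."""
    allowed = {s.lower() for s in accounts[front]["msDS-AllowedToDelegateTo"]}
    back_spns = accounts[back]["servicePrincipalName"]
    missing = [s for s in back_spns if s.lower() not in allowed]
    return len(missing) < len(back_spns), missing


def with_added_spn(accounts, account, spn):
    """Model a later configuration change: a new SPN on the back account.
    The front account's delegation list is not updated automatically, so the
    pair now shows as existing but incomplete until you re-delegate."""
    later = copy.deepcopy(accounts)
    later[account]["servicePrincipalName"].append(spn)
    return later


if __name__ == "__main__":
    for row in current_delegations(ACCOUNTS):
        print("%-12s -> %-40s owner: %s" % row)
    print(delegation_status(ACCOUNTS, "paswebapp", "sql_analysis"))
    print(delegation_status(ACCOUNTS, "sql_analysis", "paswebapp"))
    later = with_added_spn(ACCOUNTS, "sql_analysis", "MSOLAPSvc.3/ReportMachine:2383")
    print(delegation_status(later, "paswebapp", "sql_analysis"))
```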

 


 



12:40 PM GMT

January 19

Kerberos SPN Generation Setup Tool – Generate SPNs

To date, I’ve written a series of blog posts that describe how to use the “Input” section of the “Kerberos SPN Generation / Setup Tool”.  This is a continuation of the series of blog posts “Kerberos SPN Generation / Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  The next short series of posts will discuss the “Generate SPNs” process.  You can download the Kerberos SPN Generation Setup Tool Beta at RobertLambrecht.com

 
Main Menu / Navigation - SPN Generation Section


 

Generate SPNs

You made it through all of the details on how to enter data into each of the input tabs.  This section’s example will consist of only the “PAS Tab” example given previously.  In other words, pretend that we have only entered information into the “Common Tab” and the “PAS Tab”.  While this example is for a ProClarity setup, it works the same with all input tabs that are complete.

 
For review purposes, the “PAS Tab” entries look like this:


 

Now that we have completed the input section, go back to the “Main Menu / Navigation” tab and select the “Generate SPNs” link.  You must be connected to the domain prior to selecting the “Generate SPNs” link.  If there are any errors when we select “Generate SPNs”, you will be notified either by pop up messages, messages in the “Messages” section, or non-green “traffic light” symbols by the appropriate input sections.  You must clear all errors prior to generating SPNs. 

When the “Generate SPNs” traffic light is green, you have successfully generated SPNs.  The tool interrogates your domain (that is why you must be connected to your domain) and creates the proper SPNs.  It is that easy!

The next step is to review the SPN Output via the “SPNOutput” tab.  Notice in this case that there are SPNs Suggested to Add (column E).  Your implementation may have more or fewer SPNs to add based on information that is already in your domain.  In this case, the SPNs associated with “sql_analysis” already resided in the domain so there was no need to add SPNs for this domain account.

 

“SPNOutput” Tab Example.


 

If we look at the “Delegation” tab, notice that the delegation needed does not exist (cell D8).  More on Delegation in the future.

 
Delegation Tab Example.


 

Export SPNs to Add

Since there were SPNs to add listed in the “SPNOutput” tab, we need to Export SPNs.  Go back to the “Main Menu / Navigation” tab and select the “Export SPNs to Add” link.  This link creates a file with the commands needed to add the appropriate SPNs.  You must be a Domain Administrator to run the batch file on the Domain Controller. 

The file was purposely created with a .txt extension.  Many times this file must be emailed to another person with Domain Administrator rights on the domain controller.  Email systems normally block files with .bat extensions (that’s why the file is saved as a .txt).  Once you copy the file to the domain controller, change it to a .bat extension.  In this example, we would rename the file to “SPNs2ADDInput.bat”. 

 
Export SPNs to Add Example (-L means List, -A means Add).


 

When the file is on the domain controller you can run it and redirect the output to a file if you like.  For example, you would run this file and redirect its output as follows:

SPNs2AddInput.bat > SPNs2AddOutput.txt

The output file contains listings of what the service accounts looked like before adding the new SPNs as well as after the SPNs were added.  In addition, ensure that each SPN was successfully added by searching the output file for “Updated object” after each add SPN command.  If there was any kind of error, or you mistakenly typed in the wrong service account, etc., use the “Export SPNs to Remove (Undo)” commands in the next section.

 
Example SPNs to Add Batch File Results.


 

Export SPNs to Remove (Undo)

Hopefully, this section should be self explanatory.  Basically it works exactly like the “Export SPNs to Add” section above except it removes SPNs instead of adding SPNs.  The process is similar and should always be done in conjunction with the “Export SPNs to Add” process.  In other words, you should always select this link immediately after saving the “Export SPNs to Add” link.  In this way, you can assure that the Remove file contains the same information as the Add file.  If anything goes wrong with the “Export SPNs to Add” process, you can remove whatever was done in the “Add” batch file. 

Use this process to clean up mistakes (if an error exists).  The general steps are:

  1. Go to the Main Menu / Navigation Tab
  2. Select the “Export SPNs to Remove (Undo)” link (immediately after selecting the “Export SPNs to Add” link)
  3. Copy the file to the Domain Controller
  4. Rename the file to “SPNs2RemoveInput.bat”
  5. Run command (ONLY IF NEEDED) SPNs2RemoveInput.bat > SPNs2RemoveOutput.txt

DO NOT RUN THIS FILE AFTER SUBSEQUENT CHANGES TO YOUR DOMAIN CONTROLLER HAVE BEEN MADE.  In other words, this command will remove the SPNs that were added only if subsequent changes have not been made.  If you made additional SPN changes, it could remove a SPN that is now used for another purpose.  The “Remove” process is no longer relevant once other SPN changes are made to the domain.  If you have any question about other changes, do not use this batch file and seek help from a knowledgeable source to remove SPNs manually.
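The export and verification steps of the “Export SPNs to Add” and “Export SPNs to Remove (Undo)” sections, as an added Python example that is not the tool’s own code: it builds the Add command list and its matching Remove list in the -L / -A / -D shape the tool exports, and checks a batch output file for an “Updated object” line after every add. The SPN list and the setspn output below are constructed, including the second add that is made to fail.

```python
import re

# Constructed "SPNs Suggested to Add" list (SPNOutput tab, column E),
# following the PAS example. Each pair is (SPN, service account).
SPNS_TO_ADD = [
    ("http/analytics", "paswebapp"),
    ("http/analytics.newdn.com", "paswebapp"),
]

# Constructed output of running the add batch file on a domain controller.
# The first add succeeds (setspn prints "Updated object"); the second is made
# to fail so that the verification below has something to catch.
SAMPLE_ADD_OUTPUT = r"""
C:\>setspn -L paswebapp
Registered ServicePrincipalNames for CN=paswebapp,CN=Users,DC=newdn,DC=com:

C:\>setspn -A http/analytics paswebapp
Registering ServicePrincipalNames for CN=paswebapp,CN=Users,DC=newdn,DC=com
        http/analytics
Updated object

C:\>setspn -A http/analytics.newdn.com paswebapp
Registering ServicePrincipalNames for CN=paswebapp,CN=Users,DC=newdn,DC=com
        http/analytics.newdn.com
Failed to assign SPN on account 'CN=paswebapp,CN=Users,DC=newdn,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the operation.

C:\>setspn -L paswebapp
Registered ServicePrincipalNames for CN=paswebapp,CN=Users,DC=newdn,DC=com:
        http/analytics
"""


def build_add_batch(spns_to_add):
    """Commands in the shape the tool exports: -L (list) each account before
    and after the -A (add) lines, so the output file documents both states.
    Save as SPNs2AddInput.txt and rename to .bat on the domain controller."""
    accounts = sorted({acct for _, acct in spns_to_add})
    listing = [f"setspn -L {a}" for a in accounts]
    adds = [f"setspn -A {spn} {acct}" for spn, acct in spns_to_add]
    return listing + adds + listing


def build_undo_batch(spns_to_add):
    """The matching Remove (Undo) file: identical SPN list, -D (delete) in
    place of -A. Generate it together with the add file; it is only valid
    while no other SPN changes have been made in the domain."""
    return [cmd.replace("setspn -A ", "setspn -D ", 1)
            for cmd in build_add_batch(spns_to_add)]


SETSPN_CMD = re.compile(r"setspn\s+-([AD])\s+(\S+)\s+(\S+)", re.IGNORECASE)


def verify_batch_output(output_text):
    """Pair each echoed setspn -A / -D command with the 'Updated object' line
    setspn prints on success. Returns {(flag, spn, account): succeeded}."""
    results, current = {}, None
    for line in output_text.splitlines():
        match = SETSPN_CMD.search(line)
        if match:
            current = (match.group(1).upper(), match.group(2), match.group(3))
            results[current] = False
        elif current and line.strip() == "Updated object":
            results[current] = True
            current = None
    return results


def failed_commands(output_text):
    """The commands to re-run (or to undo) after checking the output file."""
    return [cmd for cmd, ok in verify_batch_output(output_text).items() if not ok]


if __name__ == "__main__":
    print("\n".join(build_add_batch(SPNS_TO_ADD)))
    print("\n".join(build_undo_batch(SPNS_TO_ADD)))
    print(failed_commands(SAMPLE_ADD_OUTPUT))
```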

 

Export SPNs to Remove (Undo) Example (-L means List, -D means Delete).


 

Example SPNs to Remove (Undo) Batch File Results.


 

Review SPN Information

Now that we have completed adding SPNs to your domain, go back to the “Main Menu / Navigation” tab and again select the “Generate SPNs” link.  The tool interrogates your domain and creates additional SPN suggestions if needed.  In this case, it should find that you have added the appropriate SPNs and nothing additionally needs to be created.  You can validate this by reviewing the “SPNs to Add” section (column E) via the “SPNOutput” tab.

You can review the SPNs in your domain for each account that is entered into the spreadsheet (columns A & B).  Just as an FYI, some of the SPNs were generated automatically (in this case HOST and TERMSRV).  Other SPNs were entered manually via the SPN tool. 

 

SPNOutput Tab - Review output information.  Notice there are no SPNs to Add.


 

 

Other SPN Generation Tips and Tricks

Domain Controller Replication

Many domains use replication between domain controllers.  This replication may take several minutes to occur.  If you add a new SPN, you may need to wait several minutes to rerun the spreadsheet process in order to do the SPN review process.

The point of this tool is to help you generate SPNs correctly based on parameters that can be gathered by administrators.  The process outlined in these blog posts allows you to have good documentation, reduce issues (like duplicate SPNs), and have a tool to check and troubleshoot your configuration later in case additional changes were made to your domain (other product setups).

Export SPNs to Remove (Undo)

Do not try to generate the “Undo” file at a later date if any domain changes were made.  In other words, do not use the tool to add SPNs and then later select the “Generate SPNs” link in the tool and then try to create the “Undo” file.  The only way that the “Undo” file works is if it is generated at the same time as the “Add” file and no subsequent changes are made to SPNs in the domain.

 




11:58 AM GMT

December 22

Kerberos SPN Generation Setup Tool - Other Accounts

The last post “Kerberos SPN Generation Setup Tool – MOSS 2007” reviewed how to enter information for Microsoft Office SharePoint Server (MOSS) 2007.  This is a continuation of the series of blog posts “Kerberos SPN Generation / Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  This post covers how to enter information into the tool for Additional Accounts – the “OtherAccounts tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at RobertLambrecht.com

What are Other Accounts?

The Kerberos SPN Generation Setup Tool essentially checks for duplicate SPNs.  It uses the same method as DHCheck.vbs.  There are several ways to check for duplicate SPNs (such as listing individual accounts or searching through every account in the entire forest).  If you have a large forest, searching through the entire user base takes a long time.  Because of this, the tool only checks for duplicate accounts that are listed in one of the input spreadsheets.  If you have a more complex setup, or if you just want to check some other accounts, the OtherAccounts tab is where to list these additional accounts.   

Complex Setups – Reasons to use Other Accounts

There are many setup variations for the Microsoft BI stack.  Here are a couple of examples as to why you would use the “OtherAccounts” tab.  The reasons typically revolve around multiple instances of a technology type (e.g., SSRS, SSAS, …), multiple web sites (e.g., MOSS – My Site, Portal, …), multiple data sources (SSRS, SSAS, …), or other Kerberos setup that you need to account for.

More than One Instance / Web Sites for a type of Technology (SSRS, SSAS, MOSS, …)

The tool supports one setup of each Technology type.  What if you had two SSRS 2008 instances to setup?  You would basically complete the first SPN generation process by filling out the SPN Generation Setup Tool workbook and generating SPNs, updating Active Directory, etc.  Once this process was complete, you would repeat the process for the SSRS 2008 section and update the appropriate Reporting Services – Service Account(s), machine names, etc.  You would then take the first account(s) and place them into the “OtherAccounts” tab.  The basic idea is to make sure that you have listed all of the accounts that you are using to set up Kerberos either in the specific sections for each type of technology setup or in the Other Accounts section.

 

Multiple Application Pools / Web Sites

In a previous post for MOSS setup, I mentioned that you might have multiple application pools (Portal, My Sites, WSS Sites, etc.) to worry about.  If this is true, it was assumed that each of these web sites will use a unique application pool and have unique urls (http://portal, http://mysite, etc.).  The service accounts may or may not be different.  Basically, each of these sites has its own port, host header, and individual setup.  This is accomplished by using multiple SPN Generation Setup Tool workbooks.  You basically fill out the MOSS section for each individual setup and then run through the entire SPN generation process for each workbook.

You would list the prior MOSS accounts in the “OtherAccounts” tab.  In this example, we would use “MySitesWebApp” and “WSSWebApp” to be the accounts that were used for the application pools above.  It is assumed that you have already completed workbooks for each of these two configurations and now you are completing the workbook for “MossWebApp” as in the previous example.  In this way, the SPN Generation Setup Tool will check for any duplicate SPNs listed across these accounts.  This process allows each successive SPN generation to check for duplicate SPNs on prior application pool identities.  In other words, “MossWebApp” would be listed in the MOSS tab, and “MySitesWebApp” and “WSSWebApp” would be listed in the “OtherAccounts” tab.

 

Multiple Data Sources or Applications

What if you had multiple data sources for a single SSRS 2008 instance?  Again, use multiple SPN Generation Setup Tool workbooks to enter the information one at a time.  Enter the first data source service account “sql_service” and complete the workbook and SPN process.  Once the first SPN generation process is complete, you can enter the second data source service account “sql_service2” and its associated data into the SSRS 2008 worksheet and enter the first data source service account “sql_service” into the “OtherAccounts” tab.  This allows the second SPN generation process to check for duplicate SPNs on both the “sql_service” and “sql_service2” accounts.

 

Other Kerberos Setup

You can really list any account (both user or machine) in the Other Accounts tab.  Again, the idea is to make sure that all accounts that deal with Kerberos are listed somewhere in the spreadsheet so that it can check for duplicate SPNs across all accounts used in setting up Kerberos.  You may want to list accounts that you have used from other product setups as well as prior installations. 
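The scope of the duplicate SPN check described at the start of this post, as an added Python example that is not the tool’s code: only the accounts listed in the workbook (input tabs plus OtherAccounts) are read, so a duplicate carried by an unlisted account is invisible until that account is added to the OtherAccounts tab or the whole directory is scanned. The domain contents, including the “legacy_svc” account, are constructed.

```python
from collections import defaultdict

# Constructed picture of servicePrincipalName values in a domain, using the
# MOSS application pool accounts from this post. "legacy_svc" is an assumed
# account left over from an earlier install that still carries a portal SPN.
DOMAIN_SPNS = {
    "MossWebApp": ["http/portal", "http/portal.newdn.com"],
    "MySitesWebApp": ["http/mysite", "http/mysite.newdn.com"],
    "WSSWebApp": ["http/wss", "http/wss.newdn.com"],
    "sql_service": ["MSSQLSvc/sqldb.newdn.com:1433"],
    "legacy_svc": ["http/portal.newdn.com"],
    "MOSSMACHINE$": ["HOST/MossMachine", "HOST/MossMachine.newdn.com"],
}


def read_spns(directory, account):
    """Stand-in for reading one account's servicePrincipalName (setspn -L)."""
    return directory[account]


def duplicate_spns(directory, listed_accounts):
    """Duplicate check with the tool's scope: only the accounts listed in the
    workbook are read. SPNs are compared case-insensitively, as the KDC does.
    Returns {spn: [accounts carrying it]} for every SPN owned more than once."""
    owners = defaultdict(set)
    for account in listed_accounts:
        for spn in read_spns(directory, account):
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def unlisted_accounts(directory, listed_accounts):
    """Accounts the check never looks at; a duplicate they carry stays hidden
    until they are added to OtherAccounts (or the whole directory is scanned)."""
    return sorted(set(directory) - set(listed_accounts))


if __name__ == "__main__":
    listed = ["MossWebApp", "MySitesWebApp", "WSSWebApp", "sql_service"]
    print(duplicate_spns(DOMAIN_SPNS, listed))                   # nothing found
    print(unlisted_accounts(DOMAIN_SPNS, listed))
    print(duplicate_spns(DOMAIN_SPNS, listed + ["legacy_svc"]))  # duplicate found
    print(duplicate_spns(DOMAIN_SPNS, list(DOMAIN_SPNS)))        # full scan
```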

 

OtherAccounts Tab Completed

The screen shot below shows an example of how to fill out the OtherAccounts tab.  This screen snapshot really just shows a sample entry.  I did use the accounts from this post for this example. 

Other Account Tab Entry
 
 

Messages

Unlike the other sections, there are no input messages or “traffic light”.  This is an optional section and not needed unless you have a more complex setup.  The account names entered must be valid in the domain or a warning message will appear when you “Generate SPNs”.

 

SPNOutput and Delegation

Although I have not discussed these tabs yet, only accounts that are listed in the workbook will be shown in the Delegation tab.  In general, when SPNs are calculated and service accounts are associated, the account names may show up as “UNKNOWN” if the account is not listed somewhere in the workbook.  This is a good indicator that you haven’t listed all of the accounts that you need.  While this is not an error, it is suggested that you add the appropriate account(s) to the “OtherAccount” tab so that you can have complete documentation for your setup. 

Machine accounts can be useful to see SPNs that are typically generated automatically.  I usually list all of the machines in the BI setup in the OtherAccounts tab under Machine Accounts column.  This helps me document all of the machines in the BI setup and can be useful in some troubleshooting scenarios. 

 

For more information about the tool, read the tool overview “Kerberos SPN Generation / Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation / Setup Tool.

 


 



12:04 PM GMT

December 07

Kerberos SPN Generation Setup Tool – MOSS 2007

The last post “Kerberos SPN Generation Setup Tool – PPS” reviewed how to enter information for PerformancePoint Server (PPS) 2007.  This is a continuation of the series of blog posts “Kerberos SPN Generation / Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  This post covers how to enter information into the tool for Microsoft Office SharePoint Server (MOSS) 2007 – the “MOSS tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at RobertLambrecht.com

Draw a Picture

The first step is to always have a picture of the data flow.  How does the user get to the data from the browser?  The data in this case is the SQL content information that SharePoint and WSS sites use.  With MOSS, there is more than one content database.  This diagram is representative of your main portal’s site and content database.  If you have read any of the prior blog posts, you will note that this is the same process that we always follow.  We will follow through with the normal process described as it is beneficial to understand and document the data flow. 

 

Content Data Source


 

Application Server – Where MOSS is Installed.

Enter the information for the machine where MOSS is installed.  It is assumed that the content databases and MOSS are installed on different machines otherwise you wouldn’t need to do this delegation.  You only need to specify the port number in cases where the port number is not the default port (normally port 80 for http) and you chose not to use a host header.  In other words, you would specify a port if you enter a url into a browser to get to an instance and the url would contain both the machine name and port number. 

 

DNS Information - Host (A) Name Record / IIS - Host Header

For our example, “MossMachine” will be the machine name where we have MOSS installed.  We will create a host header A-Record called “Portal” to make an easy url for the users to enter.  The A-Record will correspond to the http port 80.  You do not need to specify the port number in the tool when you use a host header.  Using port 80 is not a best practice; however, I wanted to show an example of using a host header and the default port.

 

MOSS Server Information – Authentication Method

Since we want to use Integrated Windows authentication, make sure that the Portal web sites have the authentication method checked as shown below.  Notice that there is one root web site (Portal).  You will want to do this for other sites of interest (such as “My Sites”, WSS Sites, etc.).  You will do this by using additional spreadsheets.  The tool can only handle one site at a time.  From an authentication perspective, if you are going to use Kerberos Constrained Delegation with Integrated Windows authentication, you will want to have these sites set up like the screen shown below.
 
Authentication Methods
MOSSWeb

 

MOSS Server Information – Service Account

You can find the service account information by using IIS Manager on the MossMachine.  In this example, the Portal web site’s application pool is shown below.  Check to ensure that the application pool listed is set up like the example below.

  

Service Account
MOSSAppPool

 

Relational Database 2008 Instance

Fill in the machine information where the relational database (content databases) reside.  In our example, this will be the “sqldb” machine.  This machine will have multiple SQL instances running on it.  In fact, it could be a SQL Cluster.  Just use the Cluster Resource Group Name and the appropriate port number (if needed).  In our case the instance is the default (MSSQLSERVER) instance; therefore, we do not need to specify a name or port.

The SQL Server 2008 service account can be found in the SQL Server Configuration Manager on the “sqldb” machine.  Make sure to select the “Log On As” service account that corresponds to this instance.

 
SQL Server 2008 “Log On As” Service Account – SQL_Service
MOSSDB

 

Named Database Instance Note:
While the tool supports named instances, I have observed issues with named instances and the cluster manager.  Also, named instances are still relatively new as far as Kerberos is concerned.  You may observe issues with older applications and ODBC or OLE DB connection strings / drivers.  Active Directory 2003 may need a hotfix to enable named instances as well.  We did not use a named instance in this example.  This is just an FYI in case you have a named instance.  It is safer to use the port number that corresponds to the named instance (even though it shouldn’t matter) and avoid these issues.

 

MOSS Tab Completed – Relational Data Source

The screen shot below shows the MOSS tab filled out for this example.

MOSS_Entry

Note: While there are multiple service types, the default values (shown in column C) are typically used – SQL Server relational data is assumed in this case.

 

Messages

Upon completing the steps above, you should have a “Green” traffic light and the message shown above.  If the light is yellow, you haven’t completed all of the required information.  If you have the green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab.  Delegation will be covered in a future post.  For now, the Delegation tab will show the default delegation that is suggested. 

 

Multiple Application Pools / Web Sites

In this application, you may have multiple application pools (Portal, My Sites, WSS Sites, etc.) to worry about.  It is assumed that each of these web sites uses a unique application pool and has a unique URL (http://portal, http://mysite, etc.).  The service accounts may or may not be different.  Basically, each of these sites has its own port, host header, and individual setup.  This is accomplished by using multiple spreadsheets.  See the next section for more detail.

 

Multiple Data Sources or Applications / Multiple Spreadsheets

If you have more than one data source or application pool to set up, then you will have to fill out multiple spreadsheets.  This example shows a single site (Portal) but alludes to multiple sites (My Site, WSS, etc.).  The process to add the additional sites would be to completely fill out one spreadsheet and then complete the SPN creation process all the way through assigning missing SPNs and delegations into the Domain.  After that is completed, then come back and do the same process for each successive site (My Site, WSS, etc.) with additional spreadsheets.  The point is to make sure to complete the entire SPN process (including adding new SPNs and delegations into the Domain) prior to starting to apply the information from the next spreadsheet.  This will allow the additional spreadsheets to check for duplicate SPNs, etc.
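As an added example (not code from the SPN Generation Setup Tool), the following Python models the SPNs implied by the MOSS-tab entries above (host header versus port, default versus named SQL instance) and the duplicate-SPN check that the multiple-spreadsheet process relies on.  The domain name, the account names, and the assumption that machine-name SPNs are registered alongside the host-header SPNs are constructed for illustration.

```python
# Added example, not code from the SPN Generation Setup Tool: derives the SPNs
# implied by MOSS-tab style entries and checks several "spreadsheets" for an
# SPN registered to more than one account.  Domain/account names are constructed.
DOMAIN = "corp.example"  # assumed AD DNS domain

def http_spns(machine, host_header=None, port=80):
    """HTTP SPNs for a MOSS web site.  The machine name and its FQDN are
    always included (assumption); a host header adds two more.  A port is
    appended only when it is non-default AND no host header is used, which
    is the rule the tool applies to its port field."""
    names = [machine, f"{machine}.{DOMAIN}"]
    suffix = ""
    if host_header:
        names += [host_header, f"{host_header}.{DOMAIN}"]
    elif port != 80:
        suffix = f":{port}"
    return [f"HTTP/{n}{suffix}" for n in names]

def sql_spns(machine, instance="MSSQLSERVER", port=1433):
    """SQL Server SPNs.  Default instance: MSSQLSvc/fqdn and MSSQLSvc/fqdn:port.
    Named instance: MSSQLSvc/fqdn:port (the safer form recommended above)
    plus MSSQLSvc/fqdn:instancename."""
    fqdn = f"{machine}.{DOMAIN}"
    if instance.upper() == "MSSQLSERVER":
        return [f"MSSQLSvc/{fqdn}", f"MSSQLSvc/{fqdn}:{port}"]
    return [f"MSSQLSvc/{fqdn}:{port}", f"MSSQLSvc/{fqdn}:{instance}"]

def find_duplicates(sheets):
    """sheets: list of (service_account, [spn, ...]) pairs, one per
    spreadsheet.  Kerberos requires each SPN to map to exactly one account;
    return {spn: [accounts]} for any SPN claimed by two or more accounts."""
    owners = {}
    for account, spns in sheets:
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accs) for spn, accs in owners.items() if len(accs) > 1}

# Two constructed spreadsheets: the Portal site and a My Sites web application
# on the same MossMachine, each with its own host header and app pool account.
SHEETS = [
    ("CORP\\MOSS_AppPool", http_spns("MossMachine", "Portal")),
    ("CORP\\SQL_Service", sql_spns("sqldb")),
    ("CORP\\MySite_AppPool", http_spns("MossMachine", "MySite")),
]

if __name__ == "__main__":
    for spn, accounts in find_duplicates(SHEETS).items():
        print(f"DUPLICATE {spn}: {', '.join(accounts)}")
```

Run as written, the check reports the two machine-name HTTP SPNs as claimed by both app pool accounts, which is exactly the kind of conflict the second spreadsheet pass is meant to catch.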

 

Special Note:

The “Delegation” described is not required for MOSS itself.  There are a variety of reasons you might want it anyway, such as custom web parts, reports, or dashboards that access the database.  Strictly speaking the delegation is therefore optional; however, in most cases I would recommend setting up this optional “extra” delegation, and for that reason the tool treats it as required. 

 

Other MOSS Tips and Tricks

There are too many tips and tricks to list in this article.  Listed below are the details from Microsoft on Kerberos configuration for MOSS 2007.

Reference Information:

Configure Kerberos authentication (Office SharePoint Server)
http://technet.microsoft.com/en-us/library/cc263449.aspx

 

 
For more information about the tool, read the tool overview “Kerberos SPN Generation / Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation / Setup Tool.

 

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

 

Hotfixes for Microsoft and Service Packs for Microsoft @ RobertLambrecht.com are both created by Robert Lambrecht

 



11:10 AM GMT