Answered Sharepoint Kerberos Configuration

  • Monday, April 29, 2013 3:38 PM
     
     

    I have a sandbox domain consisting of 3 virtual machines running on a virtual network

    sandboxweb - Sharepoint server running an app under http://reads.sandboxdomain.network. Machine has been trusted for delegation.
    sandboxsql - Sharepoint SQL server. Machine has been trusted for delegation.
    sandboxdc  - Domain Controller

    I am trying to get Kerberos working so I can fetch external (from Sharepoint) data from the SQL server. 
    // C# snippet used to test Kerberos: open an integrated-security connection
    // from the app pool identity and let SQL Server report which login it saw.
    using System.Data.SqlClient;

    string connectionString = "Data Source=sandboxsql;Initial Catalog=MyDatabase;Integrated Security=True";
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        // Throws SqlException ("Login failed for user ...") when no usable
        // delegated identity reaches SQL Server.
        connection.Open();
    }

    Managed Service Accounts - Both have been configured for Constrained Delegation
    1) sharepointfarmacct - account for the Sharepoint App Pool
    2) sharepointsqlacct  - SQL Account

    Output SetSPN:
    setspn -L sharepointfarmacct
    Registered ServicePrincipalNames for CN=SharePointFarmAcct,CN=Managed Service Accounts,DC=sandboxdomain,DC=net:
    HTTP/reads
    HTTP/reads.sandboxdomain.net

    setspn -L sharepointsqlacct
    Registered ServicePrincipalNames for CN=SharePointSQLAcct,CN=Managed Service Accounts,DC=sandboxdomain,DC=net:
    MSSQLSvc/sandboxsql.sandboxdomain.net:1433
    MSSQLSvc/sandboxsql:1433

    Output from klist:
    #0>     Client: joeadmin @ SANDBOXDOMAIN.NET
            Server: krbtgt/SANDBOXDOMAIN.NET @ SANDBOXDOMAIN.NET
            KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
            Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
            Start Time: 4/29/2013 8:45:38 (local)
            End Time:   4/29/2013 18:45:38 (local)
            Renew Time: 5/6/2013 8:45:38 (local)
            Session Key Type: RSADSI RC4-HMAC(NT)

    #1>     Client: joeadmin @ SANDBOXDOMAIN.NET
            Server: host/sandboxsql.sandboxdomain.net @ SANDBOXDOMAIN.NET
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
            Start Time: 4/29/2013 8:46:33 (local)
            End Time:   4/29/2013 18:45:38 (local)
            Renew Time: 5/6/2013 8:45:38 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96

    #2>     Client: joeadmin @ SANDBOXDOMAIN.NET
            Server: RPCSS/SANDBOXSQL.sandboxdomain.net @ SANDBOXDOMAIN.NET
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
            Start Time: 4/29/2013 8:46:33 (local)
            End Time:   4/29/2013 18:45:38 (local)
            Renew Time: 5/6/2013 8:45:38 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96

    #3>     Client: joeadmin @ SANDBOXDOMAIN.NET
            Server: MSSQLSvc/sandboxsql.sandboxdomain.net:1433 @ SANDBOXDOMAIN.NET
            KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
            Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
            Start Time: 4/29/2013 8:46:32 (local)
            End Time:   4/29/2013 18:45:38 (local)
            Renew Time: 5/6/2013 8:45:38 (local)
            Session Key Type: RSADSI RC4-HMAC(NT)

    #4>     Client: joeadmin @ SANDBOXDOMAIN.NET
            Server: host/sandboxweb.sandboxdomain.net @ SANDBOXDOMAIN.NET
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
            Start Time: 4/29/2013 8:45:38 (local)
            End Time:   4/29/2013 18:45:38 (local)
            Renew Time: 5/6/2013 8:45:38 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96

    Net Monitor Output: [two screenshots in the original post, the NetMon capture and the Frame Details pane, not included]

    Output from SQL Manager using this query: "select auth_scheme from sys.dm_exec_connections where session_id=@@spid"
    "KERBEROS"

    Sharepoint Reports this error: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"

    MSSQL reports this error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

    Any help would be appreciated!!!

    Joseph


    • Edited by joeslide Monday, April 29, 2013 3:41 PM Left out Delegation Info.

All Replies

  • Tuesday, April 30, 2013 7:29 AM
     
     

    Kerberos can be a royal pain.

    Have you got the Claims To Windows Token Service up and running?

    This monstrously large document covers everything about configuring Kerberos in various scenarios: http://download.microsoft.com/download/B/B/F/BBF0C6F3-6E36-4979-8C43-DE165AD7AE34/SP2010%20Kerberos%20Guide.docx

    Well worth reading the first few chapters and trying the step by step configuration.

  • Wednesday, May 01, 2013 6:37 PM
     
     Answered

    Added the SPN for the MSSQL Server to the sharepointfarmacct delegation tab. Everything works now. My delegation tab for sharepointfarmacct looks like this: [screenshot not included]

    • Marked As Answer by joeslide Wednesday, May 01, 2013 6:37 PM
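    The accepted answer's fix, and the check the original question was missing, as an added PowerShell example. This is not code from the thread or from Microsoft's Kerberos guide; it assumes the RSAT ActiveDirectory module, an account allowed to edit the two managed service accounts, and the account, host and SPN names used in the question (sharepointfarmacct, sharepointsqlacct, sandboxweb, sandboxsql, MSSQLSvc/sandboxsql.sandboxdomain.net:1433). It verifies that the SQL SPNs are registered exactly once, reads the farm account's constrained-delegation list (the attribute behind the "delegation tab", msDS-AllowedToDelegateTo), adds the SQL SPNs if they are missing, and reports where delegation is wider than this scenario needs.

```powershell
# Added example, not from the original thread. Run where the RSAT ActiveDirectory
# module is available, as an account that may edit the service accounts.
# Names are taken from the question; adjust them for your own domain.
Import-Module ActiveDirectory

$FarmAccount = 'sharepointfarmacct'   # SharePoint app-pool MSA (the hop that delegates)
$WebHost     = 'sandboxweb'
$SqlHost     = 'sandboxsql'
$SqlSpns     = @('MSSQLSvc/sandboxsql.sandboxdomain.net:1433', 'MSSQLSvc/sandboxsql:1433')

# 1. Each target SPN must exist on exactly one account. A missing or duplicated
#    MSSQLSvc SPN means no Kerberos service ticket for SQL, and the second hop
#    then arrives with no delegable identity (the ANONYMOUS LOGON in the question).
foreach ($spn in $SqlSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    switch ($owners.Count) {
        0       { Write-Warning "SPN $spn is not registered on any account" }
        1       { Write-Host "OK  $spn -> $($owners[0].Name)" }
        default { Write-Warning "SPN $spn is DUPLICATED on: $(($owners | ForEach-Object { $_.Name }) -join ', ')" }
    }
}

# 2. Read the farm account's current delegation configuration.
$acct    = Get-ADServiceAccount -Identity $FarmAccount -Properties 'msDS-AllowedToDelegateTo','userAccountControl'
$allowed = @($acct.'msDS-AllowedToDelegateTo')
# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) = "Use any authentication protocol"
$protocolTransition = ($acct.userAccountControl -band 0x1000000) -ne 0
Write-Host "msDS-AllowedToDelegateTo on ${FarmAccount}: $($allowed -join ', ')"
Write-Host "Protocol transition enabled: $protocolTransition"

# 3. The fix from the accepted answer: put the SQL SPNs on the delegation list.
#    Add only the SPNs this hop really needs; the list is the whole point of
#    constrained (rather than unconstrained) delegation.
$missing = @($SqlSpns | Where-Object { $allowed -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADObject -Identity $acct.DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    Write-Host "Added to $FarmAccount delegation list: $($missing -join ', ')"
} else {
    Write-Host "All SQL SPNs already present in the delegation list"
}

# 4. Review the wider delegation footprint. "Trust this computer for delegation
#    to any service" on a computer account is unconstrained delegation: that host
#    keeps a forwardable TGT for every user who authenticates to it. With the app
#    pool running as a domain service account, the service account is what
#    delegates here, not the machine account.
foreach ($h in $WebHost, $SqlHost) {
    $c = Get-ADComputer -Identity $h -Properties TrustedForDelegation
    if ($c.TrustedForDelegation) {
        Write-Warning "$h is trusted for UNCONSTRAINED delegation; reconsider once service-account delegation works"
    }
}
```

    Two things to verify afterwards. The klist output in the question lists tickets for the interactive user (joeadmin), not for the app-pool account, so it says nothing about what the app pool holds; the real test is the C# snippet from the question plus the sys.dm_exec_connections query run over that connection, which should now show auth_scheme KERBEROS and the end user's login rather than ANONYMOUS LOGON. Second, if SharePoint uses claims authentication with the Claims to Windows Token Service mentioned in the first reply, the account C2WTS runs as also needs protocol transition ("Use any authentication protocol"); the script reports that bit but does not set it, because it lets the account obtain tickets for users who never presented Kerberos credentials to it, so grant it deliberately (Set-ADAccountControl -TrustedToAuthForDelegation $true) rather than by default.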