★ EPPM Solutions ★ Technology ★ Business Analysis ★ ITIL ★ ITSM ★ PMBOK ★
( uB )
Custom Implementation, Services, Training & Support through Experienced, Wise Use of Available Knowledge, Facilitating Access to Relevant Information, Research and Opportunities besides hands on EPMO and EPMS Projects. Ask !
As previously detailed we have been busy working on a public (version 2) release of the SharePoint Kerberos Configuration Utility which has been used successfully on a number of customer engagements. We are aiming for a release the first week in February at the SharePoint Best Practices Conference.
Configuring a SharePoint Farm for Kerberos is very easy however there are a large number of variables which depend upon the farm characteristics and more importantly the business requirements. In addition there is a staggering amount of misinformation (such as needing delegation for simple authentication scenarios!!!) out there on blogs and so forth. Kerberos remains a topic for which there are many myths and customers have found it difficult to implement.
The idea of the utility is to automate the vast majority of Kerberos related configuration for a MOSS deployment.
This article walks through the User Interface of the utility in order to get feedback and suggestions for the version 2 release. Please note that the UI is very rough and ready, the focus has been on the functionality and robust exception handling, we will tart up the UI once we have everything else baked. Essentially the UI is just a shim for all the scripts and powershell which make up version 1.
Please leave comments here if you have feedback and/or suggestions.
The utility must be run on a member of the SharePoint Farm (we use the SharePoint APIs) and as a AD domain administrator (we create SPNs and configure delegation).
1. SQL Server (trusted subsystem authentication)
This tab allows you to create SPNs for the SQL Server Instances used in your farm to host Config and Content Databases. This simply allows you to use Kerberos for the intra farm trusted subsystem. It does not relate to Reporting Services or Analysis Services. All instances which host SharePoint related databases are listed, you select them and click Create SPNs. A dialog will pop up providing a preview of the SPNs to be created from which you can back out if there are errors, or proceed and create them.
2. Web Application Authentication
This tab lists all the Web Apps in the farm and their URLs. There will be multiple entries for Applications which have more than one URL (AAMs). The current authentication scheme is also displayed.
By selecting Web Apps and clicking Create SPNs a dialog will show the SPNs to be created allowing you to back out or go ahead and create them.
The Use NTLM and Use Kerberos buttons allow you to toggle the Authentication Scheme used for a given URL.
3. Shared Services
This section lists the SSPs in the farm and the Servers in the Farm. When you select an SSP you can create the SPNs for the Office Web Server application (the correct VDir is picked up). Again there is a dialog offering the chance to back out.
We require the farm be running the Infrastructure Updates or later if you aren’t a warning will be displayed and the functionality is disabled. We have been “persuaded” by a vendor to not ship the hacks for making Shared Web Services Kerberos to work without the new SPN type. That’s a good thing, it didn’t take much persuading!
The Use Negotiate for Shared Web Services button simply turns on Negotiate for the selected SSP.
4. Excel Calculation Services
This one simply turns on negotiate for ECS. We are toying with the idea of adding ECS specific settings here, but there’s really only one of relevance and it’s probably not a good idea.
5. Delegation
This is the tricky one as we have no idea what you want to delegate to. We use Constrained Delegation only at present. We are interested in feedback on that. Things like the RSS Viewer are easy, but some remote service like Reporting Services, OLAP or even (shudder) a UNIX app server are impossible to determine for you!
So we have the SharePoint related App pools and Servers listed. When you select one you can pick some common services and also free type others. Then you click Create SPNs to again see the dialog with a chance to back out or apply the changes.
There is separate verification utility also which lists out and tests current configuration. We are considering adding that functionality if there is enough feedback on that.
Print posted on Thursday, January 08, 2009 1:17 PM
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Great tool Spence, really looking forward to trying it out. One thing I would like from the tool is a script generator, i.e. I can do the configuration in a staging environment (live mirror) and extract the script so that it can be automated. The script would also be useful for dev boxes and demo setups that have automated build refreshes.
Andrew
1/8/2009 1:35 PM Andrew Woodward
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
I am conviced this is going to be very good and usefull tool. I got a couple of suggestions that i would find very handy in a tool like this.
1. Duplicate SPN's is a well know to break kerberos authentication. A tool like this might be utilized by someone to "fix" a misconfigured setup. (ie. SPN's created on wrong account).
I believe it would be a good idea to do a search and find out if the SPN's that the tool are going to register already are registered . If there already is a conflicting SPN registered it should view a warning.
1.5 Create a "review mode" that checks if all SPN's already are registered correctly. It could also do a search for the correct spns. This function can be used to verify existing setups. It can also be used to identify errors caused by someone changing ie. an app pool identity withouth updating the Service Provider Name.
2. For anyone to utilize this tool to its maximum potential, the operator of the tool needs to have an understanding about both how Kerberos authentication works and how the Moss authentication model works.
I think it would be a good idea to include "educational text" in the tool to educate the community in kerberos authentication and its integration with Moss. Kerberos are as you state in the beginning in the article fairly simple, been around for a very long time, but it is still one topics there is alot of confusion around. Including educational explanations in the tool will hopefully prevent people from taking a next-next-next-finnish approach and still not have a clue about what they did, neither know how to change what they did.
3. Create a report based on what the tool did change in MOSS, and what delegations given in AD and what SPN's registered. This can be utilized as system documentation when using the tool in the field.
Thanks
Jan Erik Rasmussen
Principal Consultant, Infrastructure
Objectware AS
1/8/2009 2:23 PM Jan Erik Rasmussen
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Hi Spence
Looking good. A well needed tool
but how about the Component Services Configuration!
Open Component Services on the MOSS server
Navigation to Component Services > Computers > My Computer
Click on Properties (for My Computer) > Default Properties > Default Impersonation Level = Delegate (see http://support.microsoft.com/kb/917409)
Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service
Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab
Edit Launch and Activate Permissions
Grant all three of your application pool account 'Local Activation' permissions (see http://support.microsoft.com/kb/920783). In our example, these accounts would be domain\MySiteAppPool, domain\SSPAdminAppPool, domain\PortalAppPool
If you could add that it would be really cool.
/Rasmus
1/8/2009 3:13 PM Rasmus Glad Romlund
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Jan Erik:
Many thanks for taking the time to provide some good feedback.
re points 1 & 1.5: it's highly likely the verification tools will be added. these address both the duplicate SPN and reviewing existing config to a certain degree. It won't do everything in the version 2 release.
Totally agree with the point about pre-requsite knowledge. There is a white paper currently in review which hopefully will help address this, and put to bed all the misinformation out there! However this area is not a goal of the tool itself - we have to assume the user knows what they are doing! Our public documentation and presentations will attempt to address this area.
re point 3: we will certainly consider a report of current config.
1/8/2009 3:45 PM Spence
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Rasmus,
Thanks for the feedback!
The DCOM delegate setting is actually not required for many scenarios (this being one of the myths!) It's simple to implement however, so we may add this in.
The IWAM Reg one is absoltely nothing to do with Kerberos, and required for least privilege farms. This will not be part of the Kerberos tool. Again this is easy to script so we may make that available as a powershell or similar seperatey.
1/8/2009 3:48 PM Spence
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Andrew:
Thanks for taking the time to feedback!
We won't produce a script (in v2) for running outwith the utility, but we are considering a load/save settings, which you could then use to achieve a similar goal.
1/8/2009 3:54 PM Spence
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Just a few recommendations.
First, I would be particularly careful of the setting up Keberos for the Central Admin or SSP Admin site or any site that diffrentiates itself only through ports or virtual directory/URL segments. See 907272 Kerberos authentication and troubleshooting delegation issues
support.microsoft.com/default.aspx for more details.
Second, the type of DNS record for the SharePoint site plays a role in Kerberos. 938305 Error message when you try to log on to a Web site that requires Kerberos authentication by using Internet Explorer 7: "Access is denied due to invalid credentials"
support.microsoft.com/default.aspx and 911149 Error message in Internet Explorer when you try to access a Web site that requires Kerberos authentication on a Windows XP-based computer: "HTTP Error 401 - Unauthorized: Access is denied due to invalid credentials"
support.microsoft.com/default.aspx The fix is included in XP SP3 but requires the reg change still.
Third, I agree with Andrew. The ability to export a script/batch file for use with setspn.exe would be optimal. As most domain admins are distrustful by nature and would prefer to set the SPN's themselves.
Fourth, don't forget to advise of turning off PAC validation. If you don't then you run the risk of a bottleneck on highly active sites. 906736 You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003
support.microsoft.com/default.aspx
Overall glad to see you have created the tool it has been needed for sometime.
Chris
1/8/2009 5:02 PM Chris Gideon
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Chris:
Many thanks for taking the time to feedback.
Regarding CName related issues. The tool will *not* address these. If administrators are using CNames when they shouldn't be, that is something they need to address. Simarly for delegation - which is *NOT* required for end user authN to any sharepoint app the tool will not deal with DNS configuration or client browser limitations.
Also, regarding PAC validation. This has been fixed in service pack, so again will not be addressed by the tool. However these are highly relevant infomational/knowledge aspects which are included in the white paper/presentations.
1/8/2009 5:24 PM Spence
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Component Services Configuration can be automated, if required, from a script as part of your MOSS scripted install using this utility
http://www.wssdemo.com/Blog/Lists/Posts/ViewPost.aspx?ID=411
1/8/2009 7:36 PM Ian Morrish
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Do you do anything in the utility to check whether the EnableKerbAuthPersist registry setting is checked (http://support.microsoft.com/kb/917557)? At least on Windows 2003, this can make a rather large performance difference upon enabling Kerberos for a farm. Once upon a time I did a small write-up on our experiences with this here: msdeveloper.wordpress.com/.../sharepoint-and-ke...
1/9/2009 1:33 AM Sam Yates
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
I'm currently fighting it out with the MS CRM Webparts for sharepoint. MSCRM is a very common thing to mix up with sharepoint. The docs with the webparts describes some basic kerberos setup procedures, but is in no way complete.
MS CRM is hereby suggested as one of the standard apps to point to.
Also check out some of the help texts from delegconfig in regard to Jan-Eriks point on docs: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434
Not sure if it's relevant; but I mean to recollect that I got pleasantly surprised when setting this up with IIS7. Might be useful with some clear distingtions on that.
1/9/2009 4:41 PM Mads Nissen
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Mads: yes hte delegconfig tool is already part of the presos, as per the previous posts about this here.
1/9/2009 5:01 PM Spence
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Looks great, Spence. I have spent untold hours trying to get Reporting Services working in farm after farm. Would really love it if your tool could help identify and correct problems with integrated SSRS.
1/10/2009 3:34 AM Jeff Roberts
# re: SharePoint Kerberos Configuration Utility: Last call for feedback and suggestions
Very interesting tool, I would love to try it out since configuring Kerberos manually is a lot of work and sometimes results to invalid or wrong SPN's. This would easily enable Kerberos for sure. Is this already available for download? Hope to hear from you guys soon! Keep up the good work!
1/12/2009 8:19 AM Melvin Castrence
0 comments:
Post a Comment
Thank you.