Kerberos Configuration for a SharePoint Farm.pps

Kerberos configuration for a SharePoint Farm
L. Carlos Rodriguez
Data Collections Unlimited, LLC
A .NET and SharePoint Training and Consulting Practice
Odds & Ends           eMail
@sharepointexprt      Twitter
770.965.1382          Phone
Data Collections Information

• Data Collections offers training in
  SharePoint development and
  administration.
• Data Collections also offers
  training in security and
  authentication topics related to
  Kerberos and Windows identity.

• This talk is divided into four sections:
  –SQL Server
         Authentication choices
•   NTLM
•   Kerberos
•   Anonymous
•   Basic
•   Digest
        Authentication choices
• The choices for enterprise intranets
  – NTLM
  – Kerberos
• Both are used through Integrated
  Windows authentication, but they work
  differently: NTLM is a classic
  challenge/response scheme, while
  Kerberos is ticket based (the client
  presents a ticket obtained from the
  KDC instead of answering a challenge)
• For the internet
  – Basic
  – NTLM
  – Kerberos
Back-end Double Hop
           NTLM requirements

• User name and password
• The password itself is never sent;
  the client answers the server's
  challenge with a response derived
  from the password hash
• Re-authentication is required for
  every new network resource: a server
  that accepted an NTLM logon holds no
  reusable credential for that user
• This limits NTLM to the first hop
  (local communication) by default
• For a remote, second-hop call the
  back-end credentials have to be
  supplied explicitly, e.g. hardcoded
  in a connection string
                What is Kerberos?
• Kerberos is a network authentication
  protocol developed at MIT
• Uses encrypted, time-limited tickets
  instead of passwords for authentication
• Kerberos applications obtain tickets
  from the central Kerberos server (the
  KDC) and present them to authenticate
  transactions
• Kerberos is an open standard (RFC 4120)
What are the Kerberos components

  1.    Windows Server 2008 R2
  2.    TCP/IP
  3.    PORTS/End-points
  4.    Domain Name Services (DNS)
  5.    Active Directory (AD)
  6.    KDC ticket server
  7.    Tickets/Keys
  8.    Service Principal Names
  9.    Services
          Kerberos requirements
•   Requires DNS
•   Requires an Active Directory domain controller
•   Requires domain accounts (user name/password)
•   Passwords are never transmitted
•   Requires a Kerberos ticketing server (the KDC,
    which runs on every domain controller)
        Kerberos requirements
• Requires a Key Distribution Center (KDC)
  – Issues keys; each service and each
    session uses a different encryption key
  – Identifies end points, known as
    services, by their Service Principal Name
• Requires tickets, which delegation and
  impersonation are built on
Kerberos Structure
Basic Kerberos Dependencies
• Active Directory replication must be
  able to send user or computer
  password changes throughout the
• Proper name resolution is required
  – the correct IP addresses for the KDC
  – the host named in the Service Principal Name
Basic Kerberos Dependencies
• Both DNS and NetBIOS name
  resolution must be setup correctly
• HOSTS/LMHOSTS files must have
  valid data
• DNS SRV records for _kerberos must be
  in place under both the _tcp and _udp
  sub-domains (_kerberos._tcp.<domain>
  and _kerberos._udp.<domain>)
Basic Kerberos Dependencies
• All machines participating in Kerberos
  authentication must have clocks within
  5 minutes of each other (the default
  maximum tolerance); a ticket outside
  that skew is rejected
• By default Windows keeps time with the
  Windows Time (w32time) service
• Must have good connectivity
Basic Kerberos Dependencies
• TCP and UDP port 88 must be open
  from clients to domain controllers
• The DC/KDC looks up the requested
  Service Principal Name in Active
  Directory (an LDAP query) to find the
  account whose key encrypts the ticket
• Duplicate computer names, user names
  or manually registered duplicate SPNs
  anywhere in the forest cause Kerberos
  errors, because the KDC cannot tell
  which account's key to use
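The dependencies above are checkable from any domain-joined machine before touching SharePoint. The following PowerShell script is an added example (not part of the original slides) that runs those checks: the `_kerberos` SRV records under `_tcp` and `_udp`, clock skew against a KDC, TCP port 88 reachability, and forest-wide duplicate SPNs. The domain name and domain controller name are assumptions; `Resolve-DnsName` and `Test-NetConnection` need Windows 8 / Windows Server 2012 or later (on 2008 R2 use `nslookup -type=SRV` and `telnet dc 88` instead).

```powershell
# Added example: pre-flight checks for the Kerberos dependencies listed above.
# The domain and DC names below are assumptions; replace them with your own.
$Domain = 'dtcafe.local'        # assumption: AD DNS domain name
$Dc     = 'dc01.dtcafe.local'   # assumption: a domain controller (every DC is a KDC)

# 1. DNS: _kerberos SRV records must exist under both _tcp and _udp
foreach ($proto in 'tcp', 'udp') {
    $name = "_kerberos._$proto.$Domain"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        Write-Output "$name -> $targets"
    } catch {
        Write-Warning "Missing SRV record: $name"
    }
}

# 2. Clock skew: tickets are rejected when client and KDC differ by more than
#    5 minutes (default). /stripchart prints the offset to the named DC.
w32tm /stripchart /computer:$Dc /samples:3 /dataonly
w32tm /query /source

# 3. TCP 88 from this client to the KDC (UDP 88 cannot be probed this way;
#    Windows clients use TCP for tickets above the UDP size limit anyway)
Test-NetConnection -ComputerName $Dc -Port 88 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Duplicate SPNs anywhere in the forest break ticket issuance:
#    -X searches for duplicates, -F makes the search forest-wide
setspn -X -F
```

Run it on the SharePoint web front end and on the SQL Server box; a missing `_udp` record or a `TcpTestSucceeded : False` here explains most "falls back to NTLM" cases before any SPN work starts.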
           Kerberos Advantages
• Passwords are never sent across the
  network, encrypted or otherwise
• The user name and password are entered
  once per logon session; tickets are
  reused afterwards
• An attacker with a packet sniffer
  therefore cannot capture user IDs and
  passwords; sniffing still shows user
  names and encrypted tickets, so it
  reduces the exposure rather than
  eliminating it
           Kerberos Advantages
• A Kerberos ticket is needed to perform
  an action over a network
• Kerberos provides several types of
• Kerberos supports account delegation
What is an Service Principal Name?

    • A Service Principal Name (SPN) is the
      unique name of a service instance,
      registered on the Active Directory
      account the service runs as (in its
      servicePrincipalName attribute)
    • A Service Principal Name (SPN) is what
      the client presents to the KDC to
      locate that account; it is not a DNS
      service locator (SRV) record
    • Kerberos uses it to identify a service
      by service class and host
      – HTTP or MSSQLSvc
    • The service class is also called the
      protocol in other documentation
         How To Create An SPN

• Use ADSI Edit (or the Attribute Editor
  tab in Active Directory Users and
  Computers)
• Use the SETSPN program
• ADSI Edit is simpler to picture, but
  SETSPN -S is safer: it checks the
  forest for a duplicate before adding,
  while ADSI Edit writes the attribute
  with no such check
               Components of an SPN

       The main components of an SPN are:
         The PROTOCOL or SERVICE CLASS component (HTTP, MSSQLSvc)
         The HOST NAME component, optionally followed by :port
         (a SQL named instance uses the instance name instead of a port)
         The Active Directory Service/User ACCOUNT the SPN is registered on

       Format: <service class>/<host>[:<port>]

       Treat SPNs as case sensitive: Windows matches them
       case-insensitively, but non-Windows Kerberos clients do not,
       so always use the canonical forms HTTP and MSSQLSvc
Using the setspn program
SQL Server SPN Examples
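The two slides above carried screenshots of setspn and of SQL Server SPNs that did not survive extraction. As an added example (not the author's own commands) the following PowerShell registers the SPNs a SharePoint web application and its SQL back end need, lists them, and queries Active Directory for the owning account. The account names, host names and port are assumptions; the ActiveDirectory module ships with RSAT / Windows Server 2008 R2 and later.

```powershell
# Added example: register and verify SPNs for a SharePoint farm.
# Account and host names are assumptions; replace them with your own.
$SpWebAppAccount = 'DTCAFE\svcSPWeb'   # assumption: app pool identity of the web application
$SqlAccount      = 'DTCAFE\svcSQL'     # assumption: SQL Server service account
$PortalFqdn      = 'portal.dtcafe.local'
$PortalNetbios   = 'portal'
$SqlFqdn         = 'sql01.dtcafe.local'
$SqlPort         = 1433                # assumption: default instance on the default port

# HTTP SPNs: one per host name the web application answers on (FQDN and short name).
# -S checks the forest for a duplicate before adding; -A would add blindly.
setspn -S "HTTP/$PortalFqdn"    $SpWebAppAccount
setspn -S "HTTP/$PortalNetbios" $SpWebAppAccount

# MSSQLSvc SPNs: host:port for a default instance, plus the port-less form
# some clients request. A named instance uses MSSQLSvc/<fqdn>:<InstanceName>.
setspn -S "MSSQLSvc/${SqlFqdn}:$SqlPort" $SqlAccount
setspn -S "MSSQLSvc/$SqlFqdn"            $SqlAccount

# What is registered on each account
setspn -L $SpWebAppAccount
setspn -L $SqlAccount

# Ask AD directly which object (if any) owns a given SPN; more than one
# result, or a result on the wrong account, is the classic Kerberos failure
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(servicePrincipalName=HTTP/$PortalFqdn)" -Properties servicePrincipalName |
    Select-Object Name, ObjectClass, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join '; ' } }

# Forest-wide duplicate check after the changes
setspn -X -F
```

`${SqlFqdn}:$SqlPort` is written with braces because `$SqlFqdn:1433` would otherwise be parsed by PowerShell as a scoped variable name. Register the HTTP SPN on the application pool account, never on the computer account, or the farm's other web front ends cannot decrypt tickets for that name.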
Active Directory Users and Computers
     1. On the View menu select
        Advanced Features
          – This enables the Attribute Editor tab
     2. Select the target account
     3. Open its Properties
     4. Select the Attribute Editor tab
     5. Double-click the
        servicePrincipalName attribute
     6. The servicePrincipalName
        (multi-valued string) editor opens
     7. Add/Remove any SPN
Advanced Options (screenshot): on the View menu select the Advanced Features entry to show the Attribute Editor tab

Service Account: Attribute Editor Tab (screenshot): on the Properties screen select the Attribute Editor tab

Account attributes list (screenshot): scroll to and select the servicePrincipalName entry to bring up its values, then click the Add button to add a new Service Principal Name. This can also be done with the SETSPN console program.
More SPN Examples from MSDN
          What is DELEGATION?
• Delegation lets a service authenticate
  to another server as the user who
  called it, so a single logon reaches
  multiple servers
• A client authenticates to a server and
  a Kerberos service ticket for that
  server is issued
          What is DELEGATION?

• Each server retains the authentication
  identity of the original client
  – Example
    if user DTCAFE\coffeDrinker
    connects to ServerA, which then
    connects to ServerB,
    ServerB sees the connection as
    DTCAFE\coffeDrinker, authenticated
    by Kerberos
        Kerberos Delegation
• Kerberos delegation allows a
  service to authenticate on behalf
  of a user
• The service account is trusted to
  authenticate on the requestor’s
   Delegation configuration
• A service account is required
• A Service Principal Name for the
  service account is required
• Delegation is configured with the
  Active Directory Users and
  Computers program
• Select
  1. The Delegation tab of the user or
     computer account
  2. The "Trust this user/computer for
     delegation to any service (Kerberos
     only)" radio button for unconstrained
     delegation
  – Delegation has to be turned on explicitly
  – An SPN has to be registered on the target
    account BEFORE the Delegation tab appears
• Constrained DELEGATION
  – Restricts delegation to a given set of
    services
  – Puts an ACL on the delegation
     • The ACL in this case is the list of
       target SPNs (the account's
       msDS-AllowedToDelegateTo attribute)
  – Protocol transition lets the service
    obtain a ticket for the user even
    though the user did not authenticate
    to it with Kerberos
     • Example: Basic to Kerberos
  – Prefer constrained delegation: an
    account trusted for delegation to
    "any service" can impersonate every
    user who connects to it, against
    every service in the domain
Active Directory Users and Computers

     1.   Select the target account
     2.   Select the Delegation tab
     3.   Select "Trust this user for delegation"
     4.   Choose the desired delegation type

Service Account: Delegation Tab (screenshot)

Delegation choices (screenshot): select "Trust this user for delegation"; the other choices are no delegation and constrained delegation ("to specified services only")

Delegation button names (screenshot): the "Use Kerberos only" radio button opens the SPN edit box; "Use any authentication protocol" opens the protocol transition SPN edit box
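The same delegation settings the screenshots above configure through the Delegation tab can be set with the ActiveDirectory PowerShell module, which also makes it clear which attribute each radio button writes. This is an added example, not the author's procedure; the front-end account name and the back-end SPNs are assumptions, and the SPNs must already be registered (the Delegation tab, and this script's verification, depend on that).

```powershell
# Added example: constrained delegation from the SharePoint web application
# account to SQL Server. Names are assumptions; replace them with your own.
Import-Module ActiveDirectory
$FrontEnd    = 'svcSPWeb'   # assumption: sAMAccountName of the web app pool identity
$BackEndSpns = @(           # assumption: SPNs already registered on the SQL service account
    'MSSQLSvc/sql01.dtcafe.local:1433',
    'MSSQLSvc/sql01.dtcafe.local'
)

# "Trust this user for delegation to any service (Kerberos only)" = unconstrained.
# Make sure it is OFF; it lets the account impersonate any caller to any service.
Set-ADAccountControl -Identity $FrontEnd -TrustedForDelegation $false

# "Trust this user for delegation to specified services only" / "Use Kerberos only":
# the ACL of target services is the msDS-AllowedToDelegateTo attribute.
Set-ADUser -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $BackEndSpns }

# "Use any authentication protocol" (protocol transition): additionally sets the
# TRUSTED_TO_AUTH_FOR_DELEGATION flag so the front end can obtain a ticket for a
# user who did not arrive with Kerberos (e.g. Basic, forms or claims logon).
Set-ADAccountControl -Identity $FrontEnd -TrustedToAuthForDelegation $true

# Verify what AD now holds for the account
Get-ADUser -Identity $FrontEnd -Properties servicePrincipalName, msDS-AllowedToDelegateTo,
    TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'SPNs';               e = { $_.servicePrincipalName -join '; ' } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

If the user always authenticates to SharePoint with Kerberos, leave `TrustedToAuthForDelegation` at `$false` and use "Kerberos only"; protocol transition widens what the front-end account can do and is only needed when the first hop is not Kerberos.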
How to confirm Kerberos use

  • Trace the traffic with a packet
    analyzer such as Wireshark
  • Use a tool such as Kerbtray.exe
    or Klist
  • Check the event logs
    – Security log logon events record the
      authentication package used
    – Kerberos client event logging has
      to be turned on (LogLevel under
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters)
                    Kerberos tools

• KLIST lists or purges the tickets held
  by a logon session on a particular machine
• KERBTRAY is the graphical version and
  runs as a tray icon
• KLIST is built into Windows 7 / Windows
  Server 2008 R2 and later; both tools are
  also in the Windows 2000 and 2003 resource
  kits and can be downloaded from Microsoft
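The three verification methods above (ticket cache, event logs, packet trace) are demonstrated below as an added example, not code from the slides. It runs `klist` for the current session and for the SYSTEM session, summarises recent network logons in the Security log by authentication package, and turns on Kerberos client logging. Run it on the SharePoint web front end after browsing the site; the LogonId used for the SYSTEM session is the well-known value, everything else is standard Windows tooling.

```powershell
# Added example: confirm whether Kerberos or NTLM is actually being used.

# 1. Ticket cache of the current logon session: after browsing the portal and
#    opening a SQL-backed page, expect HTTP/<portal fqdn> (and on the front end
#    itself, MSSQLSvc/<sql fqdn>) tickets here. 'klist purge' clears them so a
#    fresh negotiation can be observed.
klist
# Tickets held by the SYSTEM logon session (LogonId 0x3e7), which HTTP.sys uses
klist -li 0x3e7

# 2. Security log: each 4624 logon event carries the authentication package.
#    Network logons (type 3) are the ones IIS and SQL produce for remote users.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Package = $data.AuthenticationPackageName   # Kerberos or NTLM
            Type    = $data.LogonType
            Source  = $data.IpAddress
        }
    }
# Count of Kerberos vs NTLM network logons; any NTLM rows name the users/hosts to investigate
$logons | Where-Object { $_.Type -eq 3 } | Group-Object Package | Select-Object Name, Count
$logons | Where-Object { $_.Type -eq 3 -and $_.Package -eq 'NTLM' } | Select-Object -First 10

# 3. Kerberos client logging: errors then appear in the System log, source Kerberos.
#    The setting is read at service start (reboot to be sure); it is noisy, so set
#    LogLevel back to 0 when finished.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
    -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null
```

For the packet trace, capture on the web front end with the Wireshark display filter `kerberos` (or `tcp.port == 88 || udp.port == 88`): a TGS-REQ for `HTTP/<portal fqdn>` followed by a TGS-REP confirms the SPN resolved; a `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` reply means the SPN is missing or registered on the wrong account.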
SharePoint authentication options

    • SharePoint offers:
      – Multiple authentication options
         • NTLM
         • KERBEROS
      – Multiple authentication zones
Where to set Kerberos in SP
What are the SharePoint components

    1.   IIS
    2.   SQL server
    3.   Services
    4.   Farms
    5.   Web applications
    6.   Site collections
    7.   Sites
What are the IIS components

1. Application Pools
2. WEB services
3. Web apps
               IIS Authentication
1. Anonymous authentication
2. Basic authentication
3. Windows integrated authentication:
  – Kerberos
4. Certificate authentication
  – over SSL
Kernel-mode authentication
• IIS 7 supports kernel-mode
  authentication and it is the default
• In kernel mode HTTP.sys, not the worker
  process, decrypts the ticket, using the
  machine account that the Network
  Service identity maps to
• The Network Service account
  represents the local machine
• Kernel-mode works in a single
• In a farm the application pools run as
  domain accounts that hold the HTTP SPNs,
  so tickets are encrypted for those
  accounts and the machine account cannot
  decrypt them; kernel mode must then be
  turned off or configured to use the
  application pool credentials
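The farm case above is a configuration switch in IIS rather than anything in Active Directory. As an added example (not from the slides), the following PowerShell keeps kernel-mode authentication on for performance but tells HTTP.sys to decrypt tickets with the application pool's domain account (`useAppPoolCredentials`), and then prints the resulting settings including the provider order. The IIS site name is an assumption; the WebAdministration module ships with IIS 7.5 and later.

```powershell
# Added example: kernel-mode Windows authentication on a SharePoint web front end
# whose application pool runs as a domain account. Site name is an assumption.
Import-Module WebAdministration
$Site   = 'SharePoint - 80'   # assumption: IIS site name of the web application
$Filter = 'system.webServer/security/authentication/windowsAuthentication'
$Common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Site; Filter = $Filter }

# Windows authentication on, kernel mode on, and ticket decryption with the app
# pool identity's key. Without useAppPoolCredentials a ticket for HTTP/<fqdn>
# registered on the domain account cannot be decrypted by HTTP.sys (machine
# account) and the client silently falls back to NTLM.
Set-WebConfigurationProperty @Common -Name enabled               -Value $true
Set-WebConfigurationProperty @Common -Name useKernelMode         -Value $true
Set-WebConfigurationProperty @Common -Name useAppPoolCredentials -Value $true

# Show the effective settings
Get-WebConfiguration @Common |
    Select-Object enabled, useKernelMode, useAppPoolCredentials

# Provider order: Negotiate must be listed before NTLM or Kerberos is never offered
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter "$Filter/providers/add" |
    Select-Object value
```

The equivalent single command with the IIS command-line tool is `appcmd set config "SharePoint - 80" -section:system.webServer/security/authentication/windowsAuthentication /useAppPoolCredentials:true /commit:apphost`. The alternative, turning kernel mode off (`useKernelMode` false), also works but gives up the kernel-mode performance gain the slide mentions.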

• Kerberos authentication is more
  complex to set up than NTLM
• Kerberos authentication is more
  secure than NTLM
• Kerberos is an open standard
• With Windows authentication enabled,
  IIS 7 offers Negotiate (Kerberos)
  before NTLM by default

• Kerberos is a requirement for a
  SharePoint farm whose services must
  pass the user's identity on to a
  back end (the double hop)
• Kerberos documentation for
  SharePoint deployment is lacking
• SharePoint Kerberos verification
  and troubleshooting are
  complex subjects

• Kerberos benefits are:
  – Performance (no re-authentication
    per request once a ticket is held)
  – Avoidance of the double-hop
    authentication problem
  – Highly secure

• KB articles:
  – KB 917409
  – KB 920783
  – KB 962943
  – KB 871179
  – KB 832769
  – KB 953130