Working With Kerberos Authentication Part 2 – Configuring (SQL) August 31st, 2009

Mike

What follows are the instructions for configuring Kerberos for various aspects of SQL (this part) and SharePoint (Part 3, coming soon). This is not necessarily a hard and fast set of instructions but a collection of steps known to prove working results for Microsoft Office SharePoint Server (MOSS) 2007 with SP1 and the Infrastructure Update running on Windows Server 2003 R2 with SP2 and connected to a Microsoft SQL Server 2005 Database Engine. Configuration may be slightly different for Windows Server 2008 (and therefore later versions of IIS than 6.0). Note that the infrastructure update for MOSS is necessary if you require all aspects of your Shared Services Provider (SSP) to use Kerberos. These instructions should also be fine if you are running MOSS SP2.

Enabling Kerberos for the SQL Server Database Engine

To enable Kerberos for SQL Server, it is simply a case of mapping the correct SPNs to Active Directory user accounts. Up to four commands should be run:


setspn -A MSSQLSvc/sqlserver yourdomain\SQLServerServiceAccount
setspn -A MSSQLSvc/sqlserver.yourdomain.com yourdomain\SQLServerServiceAccount
setspn -A MSSQLSvc/sqlserver:1433 yourdomain\SQLServerServiceAccount
setspn -A MSSQLSvc/sqlserver.yourdomain.com:1433 yourdomain\SQLServerServiceAccount

This is for a default instance on port 1433. If the port number has been manually changed or you are using a non-default instance then only two SPNs are required: use the two commands above that contain the port number and substitute your non-default port number. Also ensure that the non-default instance is configured to use a fixed port number.

Two fewer SPNs are required in this case because clients can no longer connect by simply using the computer name; they must specify the port number, so any SPNs without port numbers would simply never be requested.

We can check that Kerberos is now working by connecting to SQL using the Management Studio from another machine on the same domain. Open the Management Studio, connect to the Database Engine and look in the Security log on the SQL Server. You should see a 540 success event containing the following kind of information:


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 09/07/2009
Time: 12:17:37
User: DOMAIN\UserName
Computer:
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x3FF14)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {cc8d6921-4c0d-e68c-8b1b-ba2fcdf4836f}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.11.12.3
Source Port: 1150

Note that user, domain and computer names have been deliberately removed.
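As an added example (not code from the post), the check above turned into something repeatable: parse the text of a Security log event 540 and report which authentication package the network logon used, so a batch of events can be screened for NTLM being used where Kerberos was expected. The event text is constructed from the fields shown above; user and domain names are placeholders.

```python
# Added example, not code from the post: parse Security log event 540 text
# and report the authentication package used by each network logon.

# Constructed event with the field values the post shows (names are placeholders).
KERBEROS_EVENT = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 09/07/2009
Time: 12:17:37
User: DOMAIN\\UserName
Description:
Successful Network Logon:
Logon ID: (0x0,0x3FF14)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Source Network Address: 10.11.12.3
Source Port: 1150
"""

# Constructed NTLM variant: the same logon when Kerberos was not used
# (for example because the SPN is missing and the client fell back to NTLM).
NTLM_EVENT = (KERBEROS_EVENT
              .replace("Logon Process: Kerberos", "Logon Process: NtLmSsp")
              .replace("Authentication Package: Kerberos", "Authentication Package: NTLM"))

def parse_event(text):
    """Turn the 'Field: value' lines into a dict; blank fields map to ''.
    Only the first colon splits, so 'Time: 12:17:37' keeps its value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def auth_package(text):
    """Authentication Package of a 540 network (type 3) logon, else None."""
    f = parse_event(text)
    if f.get("Event ID") != "540" or f.get("Logon Type") != "3":
        return None
    return f.get("Authentication Package")

def ntlm_logons(events):
    """(user, source address) for every network logon that used NTLM."""
    return [(parse_event(e).get("User", ""), parse_event(e).get("Source Network Address", ""))
            for e in events if auth_package(e) == "NTLM"]

if __name__ == "__main__":
    print(auth_package(KERBEROS_EVENT))              # Kerberos
    print(ntlm_logons([KERBEROS_EVENT, NTLM_EVENT]))  # [('DOMAIN\\UserName', '10.11.12.3')]
```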

This is all that is required for the SQL Database Engine to use Kerberos. It always prefers to use Kerberos by default but if you manually choose the accounts used to run your services (which is usual) then you have to add the SPNs to Active Directory yourself for it to work. According to MSDN: For Win32 services, a service installer specifies the logon account when an instance of the service is installed. The installer then composes the SPNs and writes them as a property of the account object in Active Directory Domain Services. If the logon account of a service instance changes, the SPNs must be re-registered under the new account.

Using Kerberos with other SQL Components

In addition, if you wish to connect to other SQL components using Kerberos (such as Analysis Services) then you will require further SPNs. The commands for adding SPNs for use with Analysis Services are as follows:


setspn -A MSOLAPSvc.3/sqlserver:instance yourdomain\SQLServerAnalysisServicesServiceAccount
setspn -A MSOLAPSvc.3/sqlserver.yourdomain.com:instance yourdomain\SQLServerAnalysisServicesServiceAccount

Note that this is a little different to the SPNs for the Database Engine because, rather than a port number, you specify the instance name (if non-default, otherwise leave blank). SQL Server Analysis Services can only operate as a named instance in SQL Server 2005 (it is not supported in SQL Server 2000).
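As an added example (not code from the post), the SPN rules for the Database Engine and for Analysis Services written down as functions, plus a comparison against a `setspn -L` listing so that only the SPNs still missing get registered. The listing is constructed (the account's DN is made up), and dropping the `:instance` suffix entirely for a default Analysis Services instance is an assumed reading of "leave blank".

```python
# Added example, not code from the post: build the SPN set the post describes
# for a SQL Server Database Engine or Analysis Services instance and compare
# it with a 'setspn -L' listing to find what still has to be registered.

# Constructed 'setspn -L yourdomain\SQLServerServiceAccount' output: only the
# port-qualified SPNs have been registered so far (the account DN is made up).
SETSPN_L_OUTPUT = """\
Registered ServicePrincipalNames for CN=SQLServerServiceAccount,OU=Services,DC=yourdomain,DC=com:
        MSSQLSvc/sqlserver:1433
        MSSQLSvc/sqlserver.yourdomain.com:1433
"""

def sql_engine_spns(host, domain, port=1433, default_instance=True):
    """SPNs for the Database Engine. A default instance on port 1433 needs
    all four (NetBIOS name and FQDN, with and without the port). A changed
    port or a named instance needs only the two port-qualified SPNs, because
    clients must then name the port and would never ask for the others."""
    fqdn = f"{host}.{domain}"
    spns = [f"MSSQLSvc/{host}:{port}", f"MSSQLSvc/{fqdn}:{port}"]
    if default_instance and port == 1433:
        spns = [f"MSSQLSvc/{host}", f"MSSQLSvc/{fqdn}"] + spns
    return spns

def analysis_services_spns(host, domain, instance=""):
    """SPNs for Analysis Services: the instance name, not a port, follows the
    colon. For a default instance the suffix is left off (assumed reading)."""
    suffix = f":{instance}" if instance else ""
    return [f"MSOLAPSvc.3/{host}{suffix}", f"MSOLAPSvc.3/{host}.{domain}{suffix}"]

def parse_setspn_list(output):
    """Pull the SPNs out of 'setspn -L' output: the indented lines under the
    'Registered ServicePrincipalNames for ...' header."""
    return [line.strip() for line in output.splitlines()
            if line[:1] in (" ", "\t") and "/" in line]

def missing_spns(required, registered):
    """SPNs still to add; compared case-insensitively, as Active Directory does."""
    have = {s.lower() for s in registered}
    return [s for s in required if s.lower() not in have]

if __name__ == "__main__":
    need = sql_engine_spns("sqlserver", "yourdomain.com")
    for spn in missing_spns(need, parse_setspn_list(SETSPN_L_OUTPUT)):
        print(f"setspn -A {spn} yourdomain\\SQLServerServiceAccount")
```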

In the next part, I'll move on to talking about configuring Kerberos for SharePoint.


Working With Kerberos Authentication Part 1 – Introduction July 23rd, 2009

Mike

I've had a few encounters with Kerberos so, as a result, I decided to collect what I have learnt together in a series of blog posts. Primarily my concern is with regards to enabling Kerberos Authentication for SharePoint, but I will add some general information, too.

Enabling Kerberos offers a few advantages over NTLM. It:

  • Is less susceptible to replay attacks because it includes a timestamp of when the network traffic was sent
  • Allows verification of servers through the use of Service Principal Names (SPNs)
  • Reduces authentication traffic because authentication is valid until the tickets expire (or are manually purged)
  • Allows authentication over multiple hops (via the use of delegation).

The last point is frequently the driving force in enabling Kerberos for SharePoint, although reduced authentication traffic and increased performance are also often cited. An example of where we might need authentication over multiple hops would be where we need to authenticate with a SharePoint Web Application, our credentials have to be passed on to a web service and this web service has to pass our credentials to SQL to retrieve data from a database. This is only possible if Kerberos is enabled and the intermediate accounts are trusted for delegation in Active Directory.

Concepts

There are some concepts key to Kerberos which are worth understanding. This is a very basic level understanding of them but hopefully will provide some insight.

What is a Service Principal Name?

An SPN is a string constructed using an arbitrary text name for a service, the computer name that the service is running on and the port. This then appears in the following format:

ServiceName/Computer:Port

An example would be MSSQLSvc/sqlserver01:1433

It is used to allow a client to uniquely identify an instance of a service.

To enable Kerberos we need to configure a mapping in Active Directory between SPNs and the account that the service is supposed to be running under. To do that, we either use ADSIEDIT or SETSPN (found in the Windows Server Support Tools or downloadable from Microsoft). You must at least be a domain administrator to perform these updates.

SETSPN

SETSPN is a command-line tool and has 3 switches that we're interested in:

-A to add an arbitrary SPN
-D to delete an arbitrary SPN
-L to list registered SPNs

The syntax we'll use is as follows:

setspn -A service/computer:port domain\user
setspn -D service/computer:port domain\user
setspn -L domain\user

Computer may be the NetBIOS name, Fully Qualified Domain Name (FQDN) or another DNS name – more about this later.

How Kerberos Works (very briefly)

Kerberos is an authentication service developed at MIT. The idea behind Kerberos is that both the user and the service have a shared key, and this is used to encrypt and decrypt something freshly created (for example a timestamp). If the wrong key is used at either end, decryption is not possible and authentication fails. In practice, what occurs is much more complicated, but this is the very basic idea.

When using Kerberos in a Microsoft environment, broadly speaking, the following occurs. A Kerberos authentication server will grant a ticket in a response to a client computer authentication request, as long as the request contains valid user credentials and a valid SPN (see above). This ticket can be used to access network resources. For the lifetime of the ticket (by default, it is 600 minutes, i.e. 10 hours) a new ticket does not have to be issued and this is how authentication traffic is reduced. For Kerberos to work, both the client and server must have a trusted connection to the domain Key Distribution Centre (KDC). The KDC distributes the shared secret keys to allow encryption to take place. Both computers also need to be able to access Active Directory directory services and the forest root domain is the centre of Kerberos authentication referrals.

In the next part I'll move on to talking about configuring Kerberos.


Bubbles Bathrooms and Tiles May 6th, 2009

Mike

I've been working on a web site for a friend who has opened a shop selling bathrooms and tiling services. There's still more functionality to add but it is definitely now in a live state. Please feel free to visit the site and comment back here. Site address: www.bubblescoventry.co.uk


SharePoint Permissions – Part 1 April 24th, 2009

Mike

After some hunting, I discovered that the information from Microsoft (and elsewhere) regarding the SharePoint Permission Levels was somewhat sparse and also a little conflicting. There are a few good articles (links at the bottom) but they disagree and don’t fully represent the number of Permission Levels. So, I did this the hard way and clicked through them all and made some tables.

Permission Levels

The following tables show the permissions that comprise each out of the box Permission Level, correct for an out of the box Collaboration Portal on Microsoft Office SharePoint Server 2007 Enterprise as of Service Pack 1 and the Infrastructure Update.

List Permissions

Permission Level
Permission Full Control Design Manage Hierarchy Approve Contribute Read Restricted Read Limited Access View Only
Manage Lists X X X
Override Check Out X X X X
Add Items X X X X X
Edit Items X X X X X
Delete Items X X X X X
View Items X X X X X X X X
Approve Items X X X
Open Items X X X X X X X
View Versions X X X X X X X
Delete Versions X X X X X
Create Alerts X X X X X X X
View Application Pages X X X X X X X X

Site Permissions

Permission Level
Permission Full Control Design Manage Hierarchy Approve Contribute Read Restricted Read Limited Access View Only
Manage Permissions X X
View Usage Data X X
Create Subsites X X
Manage Web Site X X
Add and Customise Pages X X X
Apply Themes and Borders X X
Apply Style Sheets X X
Create Groups X
Browse Directories X X X X X
View Pages X X X X X X X X
Enumerate Permissions X X
Browse User Information X X X X X X X X
Manage Alerts X X
Use Remote Interfaces X X X X X X X X
Use Client Integration Features X X X X X X X X
Open X X X X X X X X X
Edit Personal User Information X X X X X

Personal Permissions

Permission Level
Permission Full Control Design Manage Hierarchy Approve Contribute Read Restricted Read Limited Access View Only
Manage Personal Views X X X X X
Add/Remove Personal Web Parts X X X X X
Update Personal Web Parts X X X X X

See also: Permission Levels and Permissions at Office Online and Permissions behind the permission levels in SharePoint at Sridhar's Blog.

I'm sure there’ll be more articles to come on SharePoint Permissions, hence this is Part 1 :)


Free Stuff! April 7th, 2009

Mike

Free stuff is great (when it's worth having) and recently I think I have found two resources that are.

Firstly, I am often looking for chunks of CSS to get me started, help me write good navigation menus and so forth. Invariably, I find such a resource, use it and then promptly forget about it. Well, no longer! Behold, Free CSS! This is a great resource to get you started when you have an idea in your mind of the desired end result but inspiration to CSS it is lacking. The terms of use for each item varies, so be sure to check the author's web site(s).

The second nomination for great free resource goes to Icons Etc. This is a repository of icons that, at the time of writing, are free for both personal and commercial use. The icon sets might not be to everyone's tastes or suitable for all projects but I think they are pretty nice and, best of all, completely free!

Enjoy!


Floated Images Disappearing in IE6 April 1st, 2009

Mike

Having made quite good progress developing a site, I added a right float to an image only to have it disappear completely in IE6 (running on a Windows 98 SE Virtual Machine, if you’re interested ;) ). After a bit of Googling, I discovered that the simple solution was to ensure that all images had their position set to relative in the CSS file. I.e. all that was required was:


img {
    position: relative;
}

Credit where credit is due, I found the solution on this blog.


Apache Mod Rewrite March 31st, 2009

Mike

Another task in my quest to develop a half decent web site was getting my head around Apache Mod Rewrite again.

For anyone that’s bemused at this point, a rewrite engine is a piece of software that can modify a web address’ appearance (or rewrite it). To end users it means that they can type in a user friendly address such as www.example.com/page/ and behind the scenes something like www.example.com/index.php?name=page is passed to the web server. Advantages include obfuscation of the technology driving your web site (to an extent), more user friendly URLs (easier to remember, guess and nicer to look at) and better SEO.

This is the trusty Mod Rewrite syntax reference I always refer to.


CSS Positioning and The Box Model March 31st, 2009

Mike

I’ve had to write a web site recently for a friend. I’ll post up a link when it’s done and I want to expose it to the wider world. However, as a result, I’ve been reminding myself of a few key concepts. First was properly getting my head around CSS positioning and the box model, mainly in order to deal with the oddities that older versions of IE always throw up. I don’t think you can beat this article at BrainJar.com. Highly recommended.


Joining FLAC files March 31st, 2009

Mike

I just bought myself a shiny new portable audio player (I was about to write MP3 player but realised I didn’t buy it to play MP3s primarily so that would have been somewhat redundant). I went for a Cowon iAudio 7 (Silver, 16GB). There were a few reasons for this:

  1. Up to 60 hours of battery life (claimed)
  2. 16GB flash memory
  3. Reasonable price (less than £120 inc. postage at time of purchase)
  4. Generally good reports of sound quality
  5. Ability to play many audio formats (particularly FLAC).

Why are those things a big deal? Well, battery life is because I see this as a very sensible alternative to buying a CD changer for my new car (probably cheaper and I can take it to my next car). Sound quality is important because anyone that knows me also knows I’m an audiophile. Finally, the killer feature is the ability to play many formats, in particular FLAC. Being an audiophile, I’m moving towards ripping CDs as FLAC instead of MP3.

However, I’d read there was one gotcha – a lack of support for gapless playback. The solution? Well, rather obviously, rip mix CDs as one file (I don’t care about skipping tracks in the car). Hang on, surely there’s a way to combine FLAC files automatically, I thought (since I’m not going to want to rip/store only one file on my HDD). The answer is the rather useful shntool. A very simple command line tool (available for Linux and Windows – I like it already :) ) that will stick together a bunch of audio files and spit out a WAV (or, with a bit of work and very simple scripting, another compressed audio file).

I’ve used it on Windows only so far and simply stuck it in a directory that I added to the PATH environment variable. I did the same for the FLAC tools. The really neat part of this is that shntool can read a list of files to stitch from a text file. So, if you rip with something like CDex and create a playlist, you can then feed shntool the playlist to stick the files in order. Brilliant! Then run the WAV through the FLAC encoder again and you have one big file. If you’re feeling adventurous, shntool supports supplying a choice of encoder and parameters to do the whole thing in one go. So far I’ve been lazy, so all I do is something like this:


shntool join -F playlist.m3u
flac -o mixname.flac -8 joined.wav
