Configuring Kerberos Delegation (without infrastructure update)

This blog post will detail the steps needed to configure a SharePoint farm to successfully delegate credentials to a backend data source without the Infrastructure update (Infrastructure update for SharePoint 2007 resolves an issue with SSP delegation which I will talk about in my next blog post). To configure Kerberos delegation in a SharePoint farm with Infrastructure update already installed please refer to this technet article: Configure Kerberos authentication (Office SharePoint Server).

Configuring Kerberos delegation in a SharePoint farm for Excel Services involves the following steps:

  1. Setting up SPN's:

    As mentioned in the Kerberos Protocol blog post, setting up SPN's is an essential prerequisite for Kerberos delegation. Following is an example of the SPN's that will need to be setup where the data source is a SSAS 2005 cube:

    Id

    Service Class

    Host

    Service account

    1

    HTTP

    All servers which have WFE configured

    Web app's app pool account

    2

    HTTP

    All servers which have ECS configured

    SSP Account

    3

    HTTP

    MOSS Server configured for Index server role

    SSP Account

    4

    MSOLAPSvc.3

    SSAS Server

    SQL Server Analysis Server Account

    Note: Setup SPN's for both netbios name as well as FQDN names.

    In addition, constrained delegation will need to be setup for the following SPN's:

    • Between the set of SPN's in 1 and the set of SPN's in 2
    • Between the set of SPN's in 2 and the set of SPN's in 4
  2. Enabling Kerberos for Shared Services Provider:

    The web front end (step 1) rendering the excel report calls the ECS component (step 2) to refresh the data (refer section for more details). To make ECS delegate user credentials to back end data sources, Kerberos authentication will have to be enabled for the web site hosting the ECS component.

    Running the following stsadm command will change the authentication settings of the "Office Server Web Services" (refer to the following blog posts for more details: SharePoint Server 2007 and Enterprise Search) web site to use only Kerberos protocol:

    STSADM –o setsharedwebserviceauthn –negotiate

    STSADM –o execadmsvcjobs

  3. Enabling delegation for ECS

    Enabling Kerberos authentication protocol would provide the ability for the ECS sitting under that web site to delegate the end user credentials to the back end sources. But to specifically let ECS to do the delegation following stsadm admin command has to be executed:

    STSADM –o set-ecssecurity –ssp <SSPTitle> -accessmodel delegation

    STSADM –o execadmsvcjobs

    Execution of the above commands would result in ECS successfully forwarding the Kerberos token to the data source (step 3).

After completion of the above steps, you should be able to refresh your excel based report in a browser with user credentials successfully getting forwarded to your data source.

Comments