SharePoint 2013 + SQL Server 2014 Kerberos configuration saga: the final solution, verified.
2. Set up DNS. If there is no DNS server, edit the local hosts file instead.
3. Configure the Claims to Windows Token Service account. (Heh, in the Chinese UI this is 声明为 Windows 令牌服务.)
Create an AD account to be used by the Claims to Windows Token Service Account e.g. SP_C2WTS
Open a SharePoint PowerShell prompt as Administrator and run the following command:
$w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)
$w.GrantAccessToProcessIdentity("blue\sp_c2wts") (Put your service account name)
Let's verify.
The screenshot shows it is OK.
Change the account in the SharePoint UI running the Claims to Windows token Service
- Navigate to Security in Central Admin,
- Click on managed Accounts and add the new C2WTS account as a Managed Account,
- Click Security again and Click on Service Accounts,
- Click the Drop Down and Select Claims to Windows Token Service,
- Select the new Managed Account SP_C2WTS and click OK. (Wait a few minutes for it to complete)
- Set the following permissions on all SharePoint servers in the farm (All must be done) – this is completed under Local Security Policy on each server
The next step is to configure the SP farm server:
- Grant Log on as a service (this should have happened automatically)
- Impersonate a User (this should have happened automatically)
- Act as part of the operating system (If its greyed out then your domain admin will need to update the group policy to allow it)
See the figure below.
Since we are configuring here anyway, configure the other policies as well. As shown: click "Impersonate a client after authentication" > Add User or Group, and add the Kerberos account.
"Act as part of the operating system": add the Kerberos account.
- Local admin on all SharePoint servers
- STOP and START the Claims to Windows Token Service (From SharePoint UI) on all servers in the Farm. Simply navigate to Services in Farm and select each server from the link in the top right corner and Stop and Start each one individually waiting for them to finish
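The three user rights above are easy to get wrong and the post only checks them by eye in the Local Security Policy UI. As an added example (not code from the original post or from the TechNet article it follows), the following PowerShell exports the effective local policy with secedit and checks whether the C2WTS account holds each right on this server. The account name blue\sp_c2wts is the post's example value; replace it with yours. Run it elevated on every SharePoint server in the farm.

```powershell
# Added example: verify "Log on as a service", "Impersonate a client after
# authentication" and "Act as part of the operating system" for the C2WTS account.
# Assumes an elevated prompt; the account name is the post's example value.
param(
    [string]$Account = 'blue\sp_c2wts'   # assumed account name, replace with yours
)

# Local Security Policy display name -> constant name secedit uses in its export
$required = @{
    'Log on as a service'                       = 'SeServiceLogonRight'
    'Impersonate a client after authentication' = 'SeImpersonatePrivilege'
    'Act as part of the operating system'       = 'SeTcbPrivilege'
}

# secedit stores holders as *SID tokens, so resolve the account to its SID first
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local policy and keep the [Privilege Rights] lines
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue

$result = @{}
foreach ($name in $required.Keys) {
    $const = $required[$name]
    $line  = $lines | Where-Object { $_ -match "^$const\s*=" } | Select-Object -First 1
    # Right holders are a comma-separated list of *SID tokens after '='
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $result[$name] = ($holders -contains $sid)
}

# One line per right: OK when the account's SID is a direct holder
$result.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $state = if ($_.Value) { 'OK     ' } else { 'MISSING' }
    '{0}  {1}' -f $state, $_.Name
}
```

The check only matches a direct grant to the account's SID. A right granted through a local group (the export then lists the group's SID, for example the WSS_WPG group SharePoint populates) shows as MISSING here, so when you see that, confirm the group membership separately rather than adding a second grant.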
The next part is the interesting one: granting permissions to the application pool account. This needs some flexibility. If an individual account cannot be found, or granting the permissions is too much trouble, you can run this application pool under the administrator account and copy that permission to the administrator account instead.
You can also follow the steps exactly, as below:
Grant permission for the account running the application pool for the Service Application
e.g. Excel Services Service Application, Reporting Services Service Application, etc.
- For Analysis services this User must be Granted SQL Analysis Services Administrator access (Unfortunately this is required as Read permission is insufficient for the delegation of credentials)
- Check which account is being used by navigating to Central Admin Security and then select Service Accounts and from the drop down list validate each service or application pool.
- In my example I have an account SP_Services and that account is granted Admin permissions on Analysis Services and granted “SP_DataAccess” on SQL to the SharePoint web application content database(s).
- Validate that the account has the following permissions on each SharePoint server (This should be completed automatically but should be validated under the Local Security Policy)
- Grant Log on as a service
- Impersonate a User
- Grant process identity access to the Service account
$w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)
$w.GrantAccessToProcessIdentity("blue\sp_Services") (Put your service account name)
This is configurable.
Configure the properties of the SQL Server 2014 Analysis Services instance: open the database, log in to the Analysis Services instance, right-click > Properties, and add the ExcelService account from before; if there is no administrator account yet, add one as well. In the following screenshots the administrator is also added.
Run the following command; the result is shown in the figure.
- Grant process identity access to the Service account
$w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)
$w.GrantAccessToProcessIdentity("blue\sp_Services") (Put your service account name)
Change the account running the PowerPivot browser service to use an AD Account
(This is completed through the SQL Server Configuration manager) and restart the service (This will take a few minutes and it will not be accessible during this time).
- Check for existing Service Principal Name
(check each account prior to configuring as some may already exist and duplicates / misconfiguration break Kerberos)
This also impacts SQL connectivity as misconfiguration of Kerberos will throw invalid SSPI context errors in SQL as SQL will automatically use Kerberos if SPN’s are registered. It also self-registers the SPN’s if Local System is used.
SPN’s have to be set for the NetBIOS (Short name) and FQDN (Fully qualified name)
e.g. SETSPN -S HTTP/bi.blue.com blue\sp_webapp
SETSPN -S HTTP/bi blue\sp_webapp
- Configure SPN's
- CONFIGURE SPN'S (SHAREPOINT SQL SERVER)
[REQUIRED FOR SQL SERVER FOR SHAREPOINT DATABASES - NOT REQUIRED FOR SQL ALWAYS ON AVAILABILITY GROUPS]
Details required: SQL Instance name, Static Port and SQL Service account
e.g. My SQL instance is SQL01\SQL2012 and my service account is SP_SQL and my port is 40000 (Replace the example server, account and port values with your own details).
The 1st one is on my instance name
setspn -s MSSQLSvc/SQL01:SQL2012 SP_SQL
setspn -s MSSQLSvc/SQL01.blue.com:SQL2012 SP_SQL
and the 2nd one is on port
setspn -s MSSQLSvc/SQL01:40000 SP_SQL
setspn -s MSSQLSvc/SQL01.blue.com:40000 SP_SQL
[REQUIRED FOR SQL 2014 ALWAYS ON AVAILABILITY GROUPS ONLY - this is required as a Listener registers in DNS exactly the same as a server name]
This section Details required: Listener name only
e.g. My Listener is SQLSYNCLISTEN and my service account is SP_SQL and my port is 1433 (This must be 1433 or you will need to use a SQL Alias as a SQL Listener does not use SQL Browser).
The 1st one is the SQL Listener without a port
setspn -s MSSQLSvc/SQLSYNCLISTEN SP_SQL
setspn -s MSSQLSvc/SQLSYNCLISTEN.blue.com SP_SQL
and the 2nd one is with the port [If you use a SQL Alias then any port can be used but then replace 1433 below with the new port number]
setspn -s MSSQLSvc/SQLSYNCLISTEN:1433 SP_SQL
setspn -s MSSQLSvc/SQLSYNCLISTEN.blue.com:1433 SP_SQL
- CONFIGURE SPN'S (SQL Analysis Services Multidimensional) (Server name and Instance required)
e.g. SQLAS01\Multi
setspn -s MSOLAPSvc.3/SQLAS01:MULTI SQL_AS
setspn -s MSOLAPSvc.3/SQLAS01.blue.com:MULTI SQL_AS
setspn -s MSOLAPDisco.3/SQLAS01 SQL_AS
setspn -s MSOLAPDisco.3/SQLAS01.blue.com SQL_AS
- CONFIGURE SPN'S (SQL Analysis Services Tabular)
(Server name and Instance required)
e.g. SQLAS01\Tabular
setspn -s MSOLAPSvc.3/SQLAS01:Tabular SQL_AS
setspn -s MSOLAPSvc.3/SQLAS01.blue.com:Tabular SQL_AS
- CONFIGURE SPN'S (SQL Analysis Services PowerPivot)
(Server name and Instance required - POWERPIVOT)
e.g. APP01\POWERPIVOT
setspn -s MSOLAPSvc.3/APP01:POWERPIVOT SQL_AS
setspn -s MSOLAPSvc.3/APP01.blue.com:POWERPIVOT SQL_AS
setspn -s MSOLAPDisco.3/APP01 SQL_AS
setspn -s MSOLAPDisco.3/APP01.blue.com SQL_AS
- CONFIGURE SPN'S (SQL Server - DataWarehouse)
(Server name, Instance and Port is required)
e.g. SQLAS01\SQL_SQLDW and my port is 41000
setspn -s MSSQLSvc/SQLAS01:SQLDW SQL_SQLDW
setspn -s MSSQLSvc/SQLAS01.blue.com:SQLDW SQL_SQLDW
setspn -s MSSQLSvc/SQLAS01:41000 SQL_SQLDW
setspn -s MSSQLSvc/SQLAS01.blue.com:41000 SQL_SQLDW
- HOST HEADER / AAM
(This is the same DNS entry you already configured)
e.g. http://bi.blue.com and my account is sp_webapp (This is the account that is running the application pool in IIS that requires Kerberos)
setspn -s HTTP/bi.blue.com sp_webapp
setspn -s HTTP/bi sp_webapp
- FAKE SPN
(These are the accounts configured to run the Service Application app pools and the Claims to Windows Token Service)
FAKE SPN’s are used just to enable the delegation tab in Active Directory. (It doesn't matter what you use for the service name here - only the accounts matter)
e.g. sp_services and sp_c2wts
setspn -s SP/EXCEL sp_services
setspn -s SP/C2WTS sp_c2wts
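The post warns above that duplicate or misplaced SPNs break Kerberos and show up in SQL as "SSPI context" errors, so it pays to check before registering. As an added example (not part of the original post or the TechNet article), this PowerShell takes the SPN/account pairs from the setspn commands above, runs the forest-wide duplicate scan, and for each SPN reports whether it is missing, already on the right account, or registered on some other principal. It only registers anything when run with -Apply. It assumes the ActiveDirectory module (RSAT) is installed and uses the post's example names (SQL01, SQLAS01, bi.blue.com, SP_SQL, SQL_AS, sp_webapp); edit the plan to match your environment.

```powershell
# Added example: idempotent SPN check/registration for the SPNs listed in this post.
# Assumes the ActiveDirectory module; names below are the post's example values.
param([switch]$Apply)   # without -Apply the script only reports

# Desired SPN -> account, taken from the setspn commands above (edit to match yours)
$plan = @(
    @{ Spn = 'MSSQLSvc/SQL01.blue.com:40000';      Account = 'SP_SQL'    },
    @{ Spn = 'MSSQLSvc/SQL01:40000';               Account = 'SP_SQL'    },
    @{ Spn = 'MSOLAPSvc.3/SQLAS01.blue.com:MULTI'; Account = 'SQL_AS'    },
    @{ Spn = 'MSOLAPDisco.3/SQLAS01.blue.com';     Account = 'SQL_AS'    },
    @{ Spn = 'HTTP/bi.blue.com';                   Account = 'sp_webapp' },
    @{ Spn = 'HTTP/bi';                            Account = 'sp_webapp' }
)

Import-Module ActiveDirectory

# Forest-wide duplicate scan first: any hit here must be cleaned up before adding more,
# because two principals claiming one SPN makes the KDC's ticket unusable
$dupes = setspn -X 2>&1 | Where-Object { $_ -match 'is registered on these accounts' }
if ($dupes) { Write-Warning ("Duplicate SPNs exist:`n" + ($dupes -join "`n")) }

foreach ($p in $plan) {
    # Who currently holds this SPN? Any object type (user, computer, MSA) can own one
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$($p.Spn))" -Properties sAMAccountName

    if ($null -eq $owner) {
        if ($Apply) {
            setspn -S $p.Spn $p.Account | Out-Null   # -S refuses to create a duplicate
            "ADDED    $($p.Spn) -> $($p.Account)"
        } else {
            "MISSING  $($p.Spn) (would add to $($p.Account); rerun with -Apply)"
        }
    } elseif ($owner.sAMAccountName -ieq $p.Account -or
              $owner.sAMAccountName -ieq "$($p.Account)`$") {   # computer accounts end in $
        "OK       $($p.Spn) -> $($owner.sAMAccountName)"
    } else {
        # Registered on a different principal: setspn -S would fail here, and Kerberos
        # for this service is probably already misbehaving (invalid SSPI context)
        "CONFLICT $($p.Spn) is on $($owner.sAMAccountName), expected $($p.Account)"
    }
}
```

A CONFLICT line is the case the post describes as "misconfiguration breaks Kerberos": the usual cause is an SPN that SQL Server self-registered while it ran as Local System, which then stayed on the computer account after the service account was changed. Remove it from the old owner with setspn -D before re-adding it to the service account.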
See the screenshots.
- Set Constrained Delegation
(Constrained delegation must be set for any account running the Service Application pools for the services that require Kerberos as well as the Claims to Windows Token Service account and the Account running PowerPivot SQL Service)
In my case this is SP_Services and SP_C2WTS and SQL_AS (only
for PowerPivot Data Sources - this is a change with Excel 2013 as the connection refreshes with the worksheet)
The Domain Admin is required here and must log in to a Domain Controller.
- Find the SP_Services(Replace with your account name) account and click on the Delegation tab
- Click on “Trust this user for delegation to specified services only”

- Use any authentication protocol
- This is where it can get confusing and you need to make sure you have all your service accounts ready that you setup previously.
(These are the ones you ran SETSPN for)

- Start with your first Data Source and type in your service account name (NOT SERVER NAMES) e.g. SP_SQL , SQL_AS, SQLDW_SQL and click OK.

- You will then be prompted with all the SPN’s and you need to select only the ones you need here i.e. the ones that are noted above.
- The worst case scenario here is if the account you use is utilized for many services and you will see many SPN's.
- Select the required SPN’s (The ones you added above) and click ok.
- Click “Apply” button after each add i.e. when you want to select another account otherwise you will get an error.

- Repeat this process selecting each account that you need to delegate to i.e. all the data sources and the web application. It’s all about where you want to allow it to delegate to.
- Now select the Claims to Windows Token Service Account e.g. SP_C2WTS (Replace with your account) and repeat the exact steps you did for the SP_Services account. (Technically for the SP_C2WTS you can exclude the Web Application but for simplicity sake I made the process the same)
- For my PowerPivot Service account SQL_AS I was connecting to a SQL Data Warehouse and my Analysis Services so you only set constrained for the destination data source so in my case I looked up SQL_SQLDW and "selected all", clicked ok and applied constrained delegation.
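The delegation tab is where the post says it "can get confusing", and the UI gives no overview of what was actually saved. As an added example (not code from the original post or the TechNet article), this PowerShell reads the delegation settings back from Active Directory for each delegating account: the allowed target SPNs (msDS-AllowedToDelegateTo), whether "Use any authentication protocol" is set (TrustedToAuthForDelegation, needed because claims users have no Kerberos ticket to forward), and whether the account was accidentally set to "Trust this user for delegation to any service", which is unconstrained delegation and is not what the steps above configure. It assumes the ActiveDirectory module; the accounts and the expected targets are the post's example values and my assumption of what each account should reach, so edit them to match your data sources.

```powershell
# Added example: audit constrained delegation for the accounts configured above.
# Assumes the ActiveDirectory module; account names and expected targets are
# the post's example values / assumed, replace with your own.
Import-Module ActiveDirectory

$delegating = @{
    # account    = SPN prefixes (service/host) this account is expected to delegate to
    'SP_Services' = @('MSSQLSvc/SQL01', 'MSOLAPSvc.3/SQLAS01', 'MSSQLSvc/SQLAS01', 'HTTP/bi')
    'SP_C2WTS'    = @('MSSQLSvc/SQL01', 'MSOLAPSvc.3/SQLAS01', 'MSSQLSvc/SQLAS01')
    'SQL_AS'      = @('MSSQLSvc/SQLAS01')   # PowerPivot -> data warehouse only
}

foreach ($name in $delegating.Keys) {
    $u = Get-ADUser -Identity $name -Properties 'msDS-AllowedToDelegateTo','TrustedForDelegation','TrustedToAuthForDelegation'
    $targets = @($u.'msDS-AllowedToDelegateTo')

    "== $name =="
    if ($u.TrustedForDelegation) {
        # "Trust this user for delegation to any service (Kerberos only)" = unconstrained.
        # Every connecting user's TGT would be cached by this service; the post never needs it.
        "  WARNING: unconstrained delegation is enabled, use 'specified services only'"
    }
    if (-not $u.TrustedToAuthForDelegation) {
        "  WARNING: 'Use any authentication protocol' is not set (claims users cannot be delegated)"
    }
    if ($targets.Count -eq 0) {
        "  WARNING: no delegation targets saved (msDS-AllowedToDelegateTo is empty)"
    }

    foreach ($t in $targets) { "  allowed -> $t" }

    # Expected data sources that have no matching SPN in the allowed list
    foreach ($expected in $delegating[$name]) {
        if (-not ($targets | Where-Object { $_ -like "$expected*" })) {
            "  MISSING -> $expected (no matching SPN in the allowed list)"
        }
    }
}
```

Because the allowed list is keyed by SPN, a missing line here usually means the SPN was never registered in the previous step (the delegation dialog only offers SPNs that exist), so fix the SPN first and then return to the Delegation tab.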
Configuration approach reference: http://blogs.technet.com/b/scottstewart/archive/2014/04/10/kerberos-sharepoint-2013-sql-2012-for-business-intelligence.aspx
- Navigate to Central Admin,
- Select web applications,
- Highlight the Web application (Do not click on the link – click next to it to highlight it and select it),
- Select Authentication providers and click Windows,
- Scroll down and change NTLM and select Kerberos
- Open a Command Prompt as Administrator and run IISRESET (USERS WILL LOSE CONNECTIVITY AND THEIR CURRENT SESSIONS SO DO THIS DURING SCHEDULED DOWNTIME)
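Once IISRESET has run, the only proof that the whole chain works is that the services actually negotiate Kerberos instead of falling back to NTLM. As an added example (not code from the original post or the TechNet article), this PowerShell checks four points in one go: the web application's Windows provider setting, the authentication challenge the site sends, the client's ticket cache, and the auth_scheme SQL Server records for the current connection. It assumes the SharePoint snap-in and the SqlServer module are available, and uses the post's example URL and instance name (http://bi.blue.com, SQL01\SQL2012); run it from a domain-joined machine as a domain user.

```powershell
# Added example: end-to-end check that Kerberos (not NTLM) is in use after the
# configuration above. Assumes SharePoint snap-in + SqlServer module; URL and
# instance are the post's example values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
Import-Module SqlServer

$url = 'http://bi.blue.com'     # example web application from the post
$sql = 'SQL01\SQL2012'          # example SQL instance from the post

# 1. Web application: the Windows provider for the default zone must have Kerberos
#    enabled. DisableKerberos = $false is what the "Negotiate (Kerberos)" radio sets.
$wa  = Get-SPWebApplication -Identity $url
$iis = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
"Web app Kerberos enabled            : $(-not $iis.DisableKerberos)"

# 2. HTTP layer: an anonymous request is rejected with 401 and the challenge must
#    offer Negotiate; a Kerberos-capable client answers it with a service ticket
try { Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop | Out-Null }
catch {
    $hdr = $_.Exception.Response.Headers['WWW-Authenticate']
    "WWW-Authenticate offers             : $hdr"
}

# 3. Client ticket cache: after an authenticated request a ticket for HTTP/bi.blue.com
#    must exist; its absence means the browser/client fell back to NTLM (SPN or DNS issue)
Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials | Out-Null
$ticket = klist 2>&1 | Where-Object { $_ -match 'HTTP/bi\.blue\.com' }
"Service ticket HTTP/bi.blue.com held : $([bool]$ticket)"

# 4. SQL Server: auth_scheme of this very session. NTLM here, or a
#    "Cannot generate SSPI context" error, points at a missing/duplicate MSSQLSvc SPN
$q    = "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
$auth = Invoke-Sqlcmd -ServerInstance $sql -Query $q
"SQL auth_scheme                     : $($auth.auth_scheme)"
```

Check 4 only proves the hop from this machine to SQL. To prove the double hop through SharePoint (the point of constrained delegation), run the same sys.dm_exec_connections query while an Excel Services or Reporting Services data refresh is in flight and look for a session whose login is the end user, not SP_Services, with auth_scheme KERBEROS.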