Configuring and Securing Complex BI Applications in a SharePoint 2010 Environment with SQL Server 2012

Tom Wisnowski - Architect, Microsoft Consulting Service

Hello. Welcome to Configuring and Securing Complex BI Applications in a SharePoint 2010 Environment with SQL Server 2012. My name is Tom Wisnowski, and I'm an architect with Microsoft Consulting Service. In today's lesson we're going to cover four modules. In module one we're going to look at the basic challenge we face as infrastructure architects when we're planning scale-out architectures that require pass-through authentication. From there we're going to take a foundational look at Kerberos to understand how that technology can help us overcome those challenges. Now, if you're familiar with Kerberos, I suggest you skip onto module two. In module two we start to look at some of the new features of SQL Server 2012, in particular the new Service Account Type support. We're going to take a look at how those new account types affect our Kerberos planning, and then we're going to take a deep dive look at how we actually configure Kerberos for the relational database engine.

In module three we move on to Reporting Services. Reporting Services in 2012 has significantly changed from the previous versions. We're going to take a look at the new architecture, we're also going to take a look at some of the new features of Reporting Services to see how we can leverage some of the advanced capabilities to get around some of our double-hop challenges beyond just using Kerberos. We'll then take a look at an example of how we configure passthrough authentication with SQL Server Reporting Services. Finally, we'll wrap up with module four. In module four we're going to take a look at more complex scenarios. These might be scenarios that you're more familiar with in your own environments where maybe you have to deal with multiple domains or maybe multiple forests. Maybe you even have a cloud boundary you have to cross. We'll take a look at some of the challenges that we face in those scenarios, and how we can leverage some of the capabilities of SQL Server 2012 to overcome those issues.

Now, before we begin, everything you see here is going to be based on Windows Server 2008 R2 service pack 1, SharePoint Server 2010 service pack 1 plus the December 2012 CU, and SQL Server 2012 release candidate zero. What you will not see today are future versions of Windows Server or SharePoint Server. In addition, we are currently using the release candidate of SQL Server, so there is a possibility that once you see the final version of SQL some of the things you see in this video may have changed.

Module one.

In module one you'll walk away being able to describe how scale-out affects authentication in certain scenarios, and then you'll also gain a foundational understanding of Kerberos to help you configure and triage Kerberos in your own environments.

So, let's take a look at a scenario that's probably pretty familiar to everyone here. In this scenario you're getting ready to build a BI solution. So, you're standing up a development environment and you've installed the typical software you would expect. You have SQL Server 2012, you have SharePoint Server 2010, maybe it's Visual Studio, in addition Internet Explorer, and you've deployed all this to a development machine. This is a single server box, maybe a virtual machine, and you go and you build your first solution. Maybe that's the Excel Services dashboard you've always wanted to build. You build that out, you deploy it, you run it, and magically everything works.

So, now confident in what you've built, you decide it's time to deploy to maybe a preproduction environment or maybe production. Now, this environment looks slightly different. In this scenario you have multiple servers to deal with. You may have a SharePoint Server or servers that act as web front-ends, you may have multiple SharePoint Servers acting as application servers, and finally you may have one or more SQL Servers hosting that data that you need for your dashboard.

You take that solution that you just developed in your development environment, you deploy it, and everything seems to deploy correctly. You bring up the site, you bring up your dashboard; so far everything is looking good. But then you click that little data refresh button and all of a sudden bang, it doesn't work. You start digging around the logs a little bit, and you see this error, something about anonymous logon. And you wonder to yourself, why is it giving me an error about anonymous logon? I didn't configure my solution to use anonymous authentication. So, what happened? Well, what you most likely ran into is the double-hop issue. Let's take a look at this issue in a little bit more detail.

So, in this case we have the client, Bob. Bob is going to try to access some resource on SharePoint, say the Excel Services dashboard. That dashboard needs to authenticate as Bob to SQL Server to grab that data, render it, and return it back to Bob. So, the first thing Bob has to do is he has to authenticate to SharePoint. This is hop number one. Now, if we're using the default authentication mechanism in classic mode this is going to be NTLM authentication. What's going to happen is SharePoint is going to challenge Bob, Bob is then going to be able to respond to that challenge using NTLM and prove his identity. Now, Bob is going to bring up the dashboard, and he's going to click refresh. At that point, SharePoint is going to have to delegate Bob's identity back to SQL Server. Now, this delegation only occurs if Excel Services or the service in question has been configured to use pass-through authentication, but the challenge we have is if we're using NTLM authentication in our environment, NTLM cannot perform that second hop. When the SQL Server challenges SharePoint, SharePoint is not going to be able to respond to the challenge and it's not going to be able to use Bob's identity to authenticate.

So, Kerberos, what is it and how does it help us in this scenario? Well, it's an authentication protocol. It's Windows integrated so it's built into our Negotiate SSP. It's based on a ticket exchange architecture which leverages symmetric encryption to pass these tickets back and forth. But most importantly, the one thing it enables that we need that NTLM does not provide is it allows identity delegation.

So, when you're looking to learn about Kerberos, I suggest you look at the key concepts behind the technology. Part of that would be the components involved. Now, these are the components we just looked at on the previous slide. This includes the client. This is a person or a service that needs to consume another service and authenticate. You have the service itself, which needs to authenticate the caller, and potentially then delegate that caller's identity to another service down the road. And then finally, we have this trusted middleman called the Key Distribution Center. In a Windows realm this is going to be your Active Directory controller, and that Active Directory controller has two key services that are going to be giving us the tickets we need for this authentication scheme to work. The first is the Authentication Service, and the second is the Ticket Granting Service. We'll take a better look at both of those in a second.

Now, the tickets that are going to be exchanged back and forth, there's two types of tickets you need to be aware of. First is the Ticket Granting Ticket. The Ticket Granting Ticket basically allows us to go back to the KDC at a later time to grab the second type of ticket, which is a Service Ticket. It's the Service Ticket which has the identity information that we need to be able to either authenticate and/or delegate to another service.

Now, how does this all flow? Well, through a number of sub-protocols. The first protocol we'll look at would be the Authentication Service requests and replies. This is how we exchange Ticket Granting Tickets. Then we have the Ticket Granting Service request and reply. This is how we exchange Service Tickets back and forth. And then finally the application request and reply. This is how we actually pass a Service Ticket to the service in question.

So, let's take a look at that in a little greater detail. Now, in this scenario we have Bob the client. Bob is logging into his desktop. We have a server, and that server is running a particular service that Bob would like to authenticate to. In this case it's maybe the Internet portal and that portal is running with a particular identity, SVC Portal. Now, it's important to understand that key concept. Service Portal is an identity that the KDC understands, it's an account in Active Directory, and it has a secret key, something derived basically from the password we use for that account. Now, when we've configured that portal application we had to specify that secret information when we typed in the password for that service account, either through IIS or if this was SharePoint when you actually set up that managed account.

Now, the KDC, it's aware of the account, it is the Active Directory, it is the directory that contains all the account information, but what it doesn't know by default are these services that that particular account is being used in. So, to actually associate the account to a service we use something special called a Service Principal Name or SPN or "spin" for short. The SPN, all that is is just a unique identifier that identifies a service that we then can use to associate a service to a particular account in a directory. So, let's see why that's important.

So, the first thing that happens when Bob logs in, in the morning, is his environment or his machine is going to send off an authentication service request, and if he logs in successfully he'll get a reply. And in that reply there's going to be a special type of ticket. This is the first ticket he receives. That ticket is the Ticket Granting Ticket. That is what Bob will use to go back to the KDC at a later point to get Service Tickets as needed when he tries to authenticate with various services.

So, now Bob is going to try to hit that dashboard. Well, Bob's machine, he's going to open up the browser and he's going to make his first request. That request will be denied by the server. But with that denial the server will also tell his browser what authentication schemes that that server supports or that application supports. Most likely that's going to be Negotiate. So his browser is going to look at that and realize, okay, the server will support Negotiate; I'm going to try to use Kerberos authentication.

At that point, the browser is going to go off and make a Ticket Granting Service request. He's going to pass the original Ticket Granting Ticket, and with that ticket the Service Principal Name for the service which the client wants to authenticate to. Now, if that Service Principal Name is registered and found in the KDC -- so that's a key point -- if it's found successfully, what Bob will get back is a second type of ticket, the Service Ticket. The Service Ticket contains Bob's identity, but note that Bob's identity is in that little envelope that's secured with a lock. What's going on there is the Service Ticket is actually encrypted with that secret that's derived from the password that only the directory and the server knows that's the password for SVC Portal. This is important. This is what ensures Bob cannot tamper with his identity, Bob cannot decrypt that so that he could potentially alter his ticket and maybe elevate his privileges.

So, now that we have the Service Ticket, Bob's machine will now go back again, making the same request, but this time passing the Service Ticket with a response if the Service Ticket is decrypted successfully, Bob will get back the dashboard he was looking for.

So, Service Principal Names. Service Principal Names are probably one of the most important components of a Kerberos architecture. If Service Principal Names are not configured correctly, Kerberos will not work. This is typically nine times out of 10 the issue I deal with when I'm looking at environments where Kerberos seems to be failing. Either the Service Principal Names are not registered, they're registered incorrectly, or we have multiple duplicate SPNs in the environment.

So, again what is a Service Principal Name? It's a unique identifier for a service running on the server. We associate Service Principal Names to accounts, either users or computers, in the Active Directory, and you'll see that we store the values, these Service Principal Names, in an attribute called ServicePrincipalName in AD. We recommend that you configure your Service Principal Names using a command line tool called SETSPN. There are other mechanisms you can use to register Service Principal Names. You can use the user computer snap-in, you can even use PowerShell or script, but I recommend SETSPN because there are some special features of SETSPN that will do things like check for duplicates before it registers a SPN and allow you to query for SPN configuration in the environment, which is beneficial when you're looking to either configure your SPNs for the first time or you're triaging various Kerberos issues.

So, these SPNs they're technically just a unique identifier, just a string, but they do follow a particular pattern or format, and you see that here. Now, depending on the service, the service class will be different. So, in the examples that we have below the first Service Principal Name you're looking at is for an HTTP service. Note that the service class is HTTP. But now the second Service Principal Name is for SQL Server, specifically for the database engine or the relational database engine. Note that the SPN does look like a URL but it is not a URL, and this is a very common mistake. More often than not I always seem to find SPNs that have instead of HTTP/. So, for more information you can find plenty of information about how to register Service Principal Names on TechNet. In addition, there's a great whitepaper on configuring Kerberos for SharePoint that you could look at that goes into this in great detail.

So, now let's take a look at a quick demo. Let's take a look at configuring Kerberos in a typical SharePoint environment. We'll take a look at how those tickets are actually exchanged, and we'll look at how we use Netmon to diagnose and triage Kerberos issues in our environment.

Okay, so in this demo what we're going to look at is how to analyze Kerberos traffic using Network Monitor. Understanding the basics of how Kerberos works on the wire will help you triage Kerberos configurations in your own environment. So, if we take a look at my environment, you can see that I'm running a pretty basic scale-out architecture where I have an Active Directory controller, a Windows 7 client, a SQL Server, and then a couple of SharePoint Servers. So, right now we're taking a look at my client, and what we're going to do just for this demo is take a look at the traffic that's requested or the requests that are made across the wire when I pull up my SharePoint site. So, I've preconfigured this particular web application, MVA Demo, to use Kerberos authentication. So, we're going to take a look at what that looks like in Network Monitor. Now, before we begin, we're actually going to clear our ticket cache. So, Kerberos tickets are cached for every session, and if I use klist you can see that I have a number of tickets already cached.

Now, if the tickets are cached, we won't see them being requested on the wire, and so that's not going to be good for demo purposes. So, I'm going to go ahead and clear this out. We use the command "purge" to purge the cache. Okay, so now we have no tickets. Check that. Yep, no tickets. Now, I'm going to come over and I'm going to run Network Monitor. Now, note that I have a display filter applied: ProtocolName=KerberosV5. That's going to help us see just the Kerberos traffic we're interested in. So, I'm going to go ahead and start this. Okay. I'm going to come back here, and I'm just going to check to make sure we still don't have any tickets in our cache. Great. Now I'm going to come over to Internet Explorer and I'm going to do a refresh. Okay, we've refreshed, come back to Network Monitor and stop the capture.

So, let's take a look at a few frames we've captured. So, I'm going to go ahead and zoom in here for a second, and you can see a number of requests and replies. I'm going to go ahead and scroll over so you can see that better. So, let's take a look at what's going on. So, the first thing we talked about was at the beginning of the process the client has to request a Ticket Granting Ticket. So, you can see here that's that first request. We're asking for a service, the Kerberos Ticket Granting Ticket service, for VMLAB.LOCAL domain. Now, we initially get back an error because in this particular Windows environment we're requiring pre-authentication for Ticket Granting Tickets. That's not always the case. So, then we go back and re-request the same ticket, but this time we pre-authenticate. We get back a response, and you can see the response is successful, because we got back a ticket.

Now, take a look at the next request. What we're requesting this time is a service ticket for our web application. So, you can see again in the service name we're asking for a Kerberos ticket for HTTP/mvademo.vmlab.local. This is critically important to understand. When you are debugging your environments, nine times out of 10 it's because Service Principal Names are either missing or misconfigured. This tells you specifically what service name Kerberos is looking for. So, this is a specific Service Principal Name that has to be registered in the directory for Kerberos to work. And then on success we get back the response and the client is administrator, as we would expect. So, now if we go back and look at klist again, just to confirm, you can see I've got a couple tickets in my cache. I have that Ticket Granting Ticket for my domain, and then I have the HTTP ticket for my web application.

Let's go ahead and take a look at what this looks like for SQL Server. So, I'm going to go ahead, go back, start my capture, and now I'm going to come over and instead of refreshing the browser I'm going to go ahead and open up a quick query.

We're going to connect to the database engine, and that connection should have forced the Kerberos tickets we're looking for. So, I'm going to go ahead and go back to Network Monitor, I'm going to hit Stop, and we'll take a look at what's going on here. So, again note the service name is being requested. Now, this time we don't see the original Ticket Granting Ticket from the last example, and that's because that's already been cached, so we don't need to go and request it again. But you can see that I'm connecting to the relational database engine and that service name is MSSQLSvc. We'll talk about Service Principal Names in the next demo, but just note that it's the same method to debug Kerberos regardless of the service you're talking about. You should always see a request for the service with a service name and the value that has to be registered in your directory. And with that, that concludes this demo.

Module two.

In module two we're going to take a look at the various Service Principal Names you need to register depending on the SQL services you run in your environment. In addition, we'll take a look at the new service account types supported by SQL Server. And then finally, we're going to take a look at how we configure Kerberos for the relational database engine and how we can validate that configuration.

So, first, let's take a look at the common SQL Service Principal Names you'll be defining in your environment. First, let's take a look at the relational database engine. For the relational database engine you're going to configure multiple Service Principal Names. Note that the service class always starts with MSSqlSvc, and then you're going to configure both the host name and the fully qualified domain name. In addition, you also need to include port. So, if you're running on the standard port, 1433, you would use 1433, and if you're using a non-default port, you would put that port number here. Finally, if you're using a named instance, you also need to include the instance name using the forward slash instance syntax. Now, with named instances, because they're leveraging dynamic ports, which leverages SQL browser, you need to also ensure that SQL browser is configured for Kerberos so that it returns the correct connection string to your client. You do this by registering a different service class, the MSOLAPDisco.3 service class, and then you register the server host name and the server host fully qualified domain name.

For Analysis Services it's very similar. You have a new service class, which is MSOLAPSvc.3, but then what's slightly different with Analysis Services is you have to take a look at how you register instance names. Note that unlike the relational database engine you don't use the forward slash instance name syntax, you actually include the instance name where you typically would put port. Note that with Analysis Services you do not use port number here. With the same thing as the relational database engine you have to register again the SQL browser service when you're using instance names or instances of Analysis Services, and you use the same syntax, MSOLAPDisco.3, the server host name and then the service host fully qualified name.

Also take note that there are some additional Service Principal Names supported. Typically, you're not going to run into these, but if you do want to specify your Service Principal Name in your connection string you can do that, and then here are some of the additional options you have available to you.

So, now let's take a look at account types. So, the first account type is your standard domain account. This is what you've been used to using throughout your career with managing SQL, pretty straightforward, nothing really new here. But now we also support Active Directory managed accounts. Now, we're not going to go into details around what a directory managed account is, but basically understand that a managed account is an account which the Active Directory manages the password and password policies and password reset. It's a special type of account that you have to register in a special way, and it requires Windows Server 2008 R2.

A full background on what Active Directory managed accounts are can be found in the link provided. Also note that if you're using Active Directory managed accounts you'll need to apply the hotfix noted here.

Finally, we have virtual service accounts. Now, this is actually going to be the default service account type you're going to see when you go to install SQL Server. These are local managed accounts, meaning that they really only exist within the context of the local machine, but that does not mean that you cannot connect to external services using these accounts. What will happen in that case is you're actually going to leverage the machine identity when that happens. And for more information you can follow the supplied link, and this too requires Windows Server 2008 R2.

So, standard service accounts. When we're using standard service accounts we use the Setspn tool. We prefer to use the -S option. The -S will actually check for duplicate SPNs for us, which is a pretty critical function. And then we supply the Service Principal Name -- these are the names we just covered -- and then finally the account that you're using for the SQL Server database engine.

Managed Service Accounts, again these are accounts that the Active Directory will manage for us, and they'll manage the passwords and the password reset and the password policies. This requires 2008 R2 schema. So, you have to have at least one 2008 R2 domain controller and you have to update the schema to 2008 R2. You have to create these accounts with PowerShell, and there's actually multiple steps when you do this. The first thing you do is you create the managed account. Then you have to associate a managed account with a computer and only one computer, and this is a key requirement here. The third point, you have to install that Managed Service Account on a computer which it was associated. And then finally you actually configure the service or services that need to use that managed account.

Now, because the Managed Service Accounts are associated to a single computer, this means you cannot use them in clustering scenarios, nor can you use them as scenarios where you're using load balancing. Also note that you cannot use account names that are more than 15 characters in length, otherwise you will get an error when you try to run the commandlet to install the Managed Service Account. For more information you can follow the link supplied.

Virtual accounts, again these are the accounts that will appear by default. They always start with NT Service. So, that's the way you can quickly determine that you're using a virtual account. And you can see here from the screenshot we have an example of what the install experience looks like, and in this case we're going ahead and installing an instance of SQL Server using the new virtual account types. Note that the account format is NT Service, service, and then with an instance it's $<instanceid>. If we're going to register a Service Principal Name for a virtual account, you actually have to register it against the machine and not the account. This is because again the account is virtual. It doesn't actually exist in the directory; therefore there's no way to associate a SPN because it does not exist.

So, now let's take a look at the Service Principal Names we have to register in a SQL Server 2012 environment. We'll take a look at virtual service accounts and then the classic service account examples.
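As an added illustration (not part of the talk, and not Microsoft tooling), the following Python sketch checks a set of registered SPNs for the three failure modes named in module one (missing, incorrectly registered, duplicate) and applies the rule that a virtual account's SPNs are registered on the machine. Host, domain and account names are constructed, the `://` test for URL-like SPNs is an assumption, and only the default-instance `MSSQLSvc/<host>:<port>` forms are covered.

```python
"""SPN audit sketch. Added example; all names and data are constructed."""
from __future__ import annotations

from collections import defaultdict


def target_principal(service_account: str, computer: str) -> str:
    """Return the directory object that should hold the SPN.

    Virtual accounts (NT Service\\...) do not exist in the directory,
    so their SPNs go on the machine running the service.
    """
    if service_account.lower().startswith("nt service\\"):
        return computer
    return service_account


def expected_engine_spns(host: str, domain: str, port: int = 1433) -> list[str]:
    """MSSQLSvc SPNs for the relational engine: host name and FQDN, each with port."""
    return [f"MSSQLSvc/{host}:{port}", f"MSSQLSvc/{host}.{domain}:{port}"]


def is_malformed(spn: str) -> bool:
    """An SPN is <class>/<host>[:<port>]; it resembles a URL but is not one."""
    service_class, sep, rest = spn.partition("/")
    return "://" in spn or " " in spn or not (sep and service_class and rest)


def audit(registered: dict[str, list[str]], expected: dict[str, str]) -> list[tuple]:
    """Compare registered SPNs (principal -> SPNs) with expected ones (SPN -> principal).

    Returns sorted (kind, spn, detail) tuples; an empty list means no findings.
    """
    findings = []
    holders = defaultdict(set)  # lower-cased SPN -> principals holding it
    display = {}                # lower-cased SPN -> first spelling seen
    for principal, spns in registered.items():
        for spn in spns:
            if is_malformed(spn):
                findings.append(("MALFORMED", spn, principal))
                continue
            key = spn.lower()   # SPN comparison is case-insensitive
            holders[key].add(principal)
            display.setdefault(key, spn)

    # The same SPN on more than one account breaks ticket issuance for it.
    for key, who in holders.items():
        if len(who) > 1:
            findings.append(("DUPLICATE", display[key], ", ".join(sorted(who))))

    for spn, principal in expected.items():
        who = holders.get(spn.lower(), set())
        if not who:
            findings.append(("MISSING", spn, principal))
        elif len(who) == 1 and next(iter(who)).lower() != principal.lower():
            findings.append(("WRONG_ACCOUNT", spn, next(iter(who))))
    return sorted(findings)


# Constructed sample: what per-account SPN listings might contain.
REGISTERED = {
    "SQL01": ["MSSQLSvc/SQL01.corp.example:1433"],  # host-name form absent
    "CORP\\svc-portal": ["HTTP/portal.corp.example", "http://portal.corp.example"],
    "CORP\\svc-old": ["HTTP/portal.corp.example"],  # stale duplicate
}

# Constructed expectation: engine runs as a virtual account on SQL01,
# the portal runs as the domain account CORP\svc-portal.
EXPECTED = {
    spn: target_principal("NT Service\\MSSQLSERVER", "SQL01")
    for spn in expected_engine_spns("SQL01", "corp.example")
}
EXPECTED["HTTP/portal.corp.example"] = "CORP\\svc-portal"

if __name__ == "__main__":
    for kind, spn, detail in audit(REGISTERED, EXPECTED):
        print(f"{kind:14} {spn:36} {detail}")
```
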

Okay, in this demo we're going to take a look at how we configure Kerberos for the relational database engine in SQL Server. We're going to take a look at the Service Principal Names you'll typically have to register, and we'll take a look at how we confirm that configuration when we're done. So, if you skipped ahead from module one or the introduction, I'll just quickly introduce you to the environment. You can see here I've got a typical scale-out environment where I have an Active Directory controller, I've got a Windows 7 client, I've got a single server of SQL Server and multiple SharePoint Servers, and a web front-end and an application tier.

So, let's go ahead and first take a look at our SQL Server. So, first, let's take a look at the particular services we're running on this server. So, you can see here I'm running a number of services. Let's zoom in. I'm running a named instance of Analysis Services. I've got a named instance of SQL Server. I've got a default instance of SQL Server and a default instance of Analysis Services. In addition, I'm running the agent and browser that you'd also expect. So, if we look at the accounts that I'm using to run these services, this might be new to you. So, let's go ahead and zoom in here and take a look. So, note that most of my services start with NT Service. This is the new virtual account type we just talked about. This is also going to be the default account type that's going to be selected when you install SQL Server. What's going on is this particular account only exists on this particular server, it does not exist in a directory. So, when we're registering Service Principal Names typically we register the Service Principal Name to the account that's running the service. In this case when you're running a virtual account you have to register the Service Principal Name to the machine running the service. So, let's go ahead and see what that looks like.

So, I'm going to go ahead and open up a command prompt, and I'm going to go ahead and clear this real fast. I'm going to go ahead and show you Setspn. So, Setspn is a tool that we typically use to register Service Principal Names, but it also is a tool to query Service Principal Names and accounts. So, I'm going to list all the SPNs for a particular server, and I'm going to go ahead and show you my SQL Server, and we should see all the Service Principal Names that we need, because all of our services are running virtual accounts. Let that query for a second. Sometimes it takes a second or two to return. Okay, great. Let's go ahead and zoom in here.

So, I've got a number of Service Principal Names, all of which we've talked about. So, let's take a look at what we have. So, first the service class MSSQLSvc, this is for the database engine. You can see I've got my functionally qualified name, I've got name with port, I've got a named instance and another port. I also have Analysis Services. So, you can see here, here are my Analysis Services Service Principal Names, and this is for my named instance. And in addition for the browser I'm also running Kerberos, and you can see that I've registered my Disco SPNs.

So, what does this look like? So, if I were to do this manually, I would run Setspn -S the SPN that I want to register -- so let's demonstrate what that would look like -- MSSQLSvc, for instance, forward slash the service, so the host that's running the service, in this case MVA SQL and let's fully qualify it, colon port, and then space and then the account that you want to associate the SPN to. Now, remember, if you're using typical domain service accounts or domain accounts, we're going to go ahead and register the SPN to that account, so something like this. But because we're using virtual accounts we register the Service Principal Name to the machine. In this case it's MVA SQL. Now, I'm going to run this, because that would create a duplicate SPN, and because we've actually used the -S parameter we'll actually get back an error saying there's a duplicate. But it takes a few seconds for that to check and for the result to come back, so we're going to go ahead and skip that.

Now let's go over to the directory just to take a peek at what this actually looks like. So, I'm going to go over to my directory controller. Now, I have to actually look at computers because remember I'm using virtual service accounts. So, I'm going to go find my SQL Server. Here we go, MVA SQL. I'm going to go ahead and open up the properties here. Now in the attribute editor I look for Service Principal Name, open this up. You can see all the Service Principal Names listed here, and you could also create new ones from this dialogue as well. Now, I typically don't recommend you use this to register your Service Principal Names, and that's because this particular editor lacks the feature of checking for duplicates. That's a pretty key feature that Setspn provides. So, I'm going to go ahead and cancel out of this.

So, now we've registered the Service Principal Names, so let's go check to see if SQL Server is actually using Kerberos. So, now I'm going to go back to my client, and we're going to go ahead and check the relational database engine. So, I'm going to go ahead and open up a query. So, what this query does is uses a couple system views to display the connections and sessions that are currently active, and what I'm showing you is the session IDs, the logon being used, the host where the connection is being made, and the authentication scheme that was used. Now, just for demo purposes I'm also going to go ahead and I'm going to clear out my ticket cache, so against Klist purge. So, now we should have no tickets. Great.

I'm going to go back here and I'm going to reconnect. Okay. Now I'm going to go ahead and run the query, and if you look at the result you can see I have a number of sessions, various logons coming from different machines, all using Kerberos. This is how I know Kerberos is working correctly. Now, if you run this query from the SQL Server itself, you may notice that there are a few NTLM connections. You shouldn't be alarmed by that, because if you're running the Management Studio from the SQL Server locally, it's actually going to default and leverage NTLM versus Kerberos. But the other remote services you should see they all connect with Kerberos. Let's also go and take a look at our ticket cache. This time we're just going to do a Klist. And we should see our SQL SPNs, and we do. So, again here's the SQL Server class, this was the instance I was connecting to on a default port, and at the domain we're at.

So, that concludes our demo. So, we took a look at the Service Principal Names that we would have to register, we took a look at how you would use Setspn to register Service Principal Names, how you can list Service Principal Names, and then we took a look at Klist to see how we could actually see those in the cache, and then we also showed you a handy script that you can use to check to see how you're connecting to the relational database engine.

Module three.

In this module we're going to take a look at SQL Server Reporting Services 2012. We're going to look at it in SharePoint integration mode, and we're going to look at the architectural components that are new to SQL Server 2012 and contrast that to what we had in 2008 and 2008 R2. We're then going to describe how SharePoint 2010 identity delegation works, and how that affects SQL Server Reporting Services in this new configuration. And then finally, we'll have an example of how we configure pass-through authentication in SQL Reporting Services 2012 in SharePoint integration mode. Note that up to this point we've been heavily focused on Kerberos for identity delegation. We're also going to talk about some other options we have available to us in Reporting Services when we're connecting to Analysis Services, whether it be in the multidimensional mode or in the new tabular mode.

So, first let's take a look at the Reporting Services architecture. This is Reporting Services 2012, and the first thing to note is SQL Server Reporting Services is now a SharePoint service application. This is a pretty big change from what we had in 2008 and 2008 R2. We now pick up the common architecture because we implement the service application framework. We now have the common components that make up service applications, which include the proxy components, the instance components, and we pick up all the benefits from that framework. We also pick up a dependency on the Claims to Windows Token Service. Now, the Claims to Windows Token Service basically is responsible for converting a claims identity into a Windows identity. We're going to learn a little bit more about when we leverage this and what does it mean in our environment. Note that for each instance of Reporting Services you have to run the Claims to Windows Token Service on each server. Also take note that because we now leverage the service application framework, when we have multiple instances of SQL Server Reporting Services we no longer have to worry about load balancing. This is because when we're in SharePoint integration mode it's that service application framework that's doing the load balancing for us.

So, now let's take a look at authentication in SharePoint 2010. So, we have clients. Clients are trying to authenticate with SharePoint, and they have a couple options. You can either leverage classic mode, which is either NTLM or Kerberos, or you have some new claims options available to you. These may include federation with SAML claims or Windows claims or even FBA claims. Now, once you've authenticated, your identity will be normalized into a claim. Now, this is a very important concept to understand. Regardless of the incoming authentication provider, once you've authenticated with a farm, any inter-farm communications that require authentication are going to leverage claims authentication.
So, in essence you lose your Windows identity once you've moved off of the web front-end and you're executing code on the application servers. And this is important when we start to look at the SQL Server Reporting Services architecture, because it now follows that same service application framework architecture, and now also picks up the same claims authentication architecture. Once we've authenticated within the farm, there are scenarios where we may have to go outbound. In BI scenarios this is very common, you're going to go query external systems to pull in data to report on. So, outbound we can either go outbound with classic mode and we'll look at how the Claims to Windows Token Service is used to do that. Or in some scenarios, depending on the service application in question, you can also use those claims that we're using inter-farm and we can pass those outbound. So, again let's just talk about identity normalization. The key point to take away here is regardless of the incoming authentication mode, SharePoint is going to normalize you down into an SPUser and into a claim set. This means that once you've moved off the web front-end you lose your Windows identity. You're now just a set of claims being passed around.

So, this architecture introduced a lot of improvements from previous versions of SharePoint. We won't go into the details, but it does introduce a challenge. So, let's take a look at the following scenario. So, if we have Bob and Bob is going to authenticate with let's say NTLM to the web front-end, and then Bob is going to pull up a SQL Server Reporting Services 2012 report on the application server, the application server is going to authenticate Bob using the claim that the web front-end provides. But what happens when that Reporting Services server needs to authenticate to a back-end SQL Server using Bob's credentials? In SQL Server 2012 we still do not support claims authentication for the relational database engine or Reporting Services outside of SharePoint integration mode. So, how do we convert the claim back into a Windows identity that could be used to authenticate with SQL?

This is where the Claims to Windows Token Service comes into play. Just like the name sounds, it's responsible for turning a claim into a Windows token. What it basically does is it looks at the incoming claim. In particular it actually looks at just a claim and a claim value, which is your UPN. It then takes that UPN and does a special type of logon. So, we get an S4U logon. This basically means it's able to log on that particular user and get their Windows identity without knowing the password. Now, you can imagine the service that's running the Claims to Windows Token Service, it requires special permissions to do this, and we'll talk about that in a minute. But once it has that Windows identity, it could then pass that Kerberos ticket to any service, which then can pass that back to a service that needs to authenticate the caller.

Now, to actually do that we have to configure a special type of Kerberos delegation. This is Kerberos constrained delegation. It's very important to note this. When you're using the Claims to Windows Token Service, and this means all the service applications that leverage the service application framework, in other words Reporting Services, Excel Services, PerformancePoint, all these services require Kerberos constrained delegation when you're configuring delegation out of the farm. And we'll talk about what that means in a minute.

So, let's take a look at how this actually works. So, first we have Bob coming into the web front-end using NTLM. The web front-end authenticates Bob, and now the web front-end goes back to the application server, in this case Reporting Services, using Bob's claim set. SSRS takes a look at that claim and says, oh, okay, I know who Bob is, but I need to go off and I need to grab data from SQL Server, so I'm going to use the local Claims to Windows Token Service to translate that claim into Bob's Windows identity. The Claims to Windows Token Service does the S4U logon, and it gets a Kerberos ticket. It then passes that Kerberos ticket back to the service application, in this case Reporting Services, and then Reporting Services is able to delegate that ticket all the way back to SQL Server. Remember the delegation here is Kerberos constrained delegation.

So, what does this mean? Well, since we're using the Claims to Windows Token Service we have to think about a couple things. First, we have to think about the security of the environment. The Claims to Windows Token Service to do the S4U logon requires Act as Operating System privileges. Now, this is the very highest, most privileged right you can give to a service on a box. By default, the Claims to Windows Token Service runs as local system, but we recommend typically that you run this as a service account. When you run this as a service account, you're going to have to remember to give that service account Act as Operating System and in addition some other privileges. One is impersonate a client, and then the other is run as service.

Also note that because the operation that the Claims to Windows Token Service performs, which is this logon without password, because it's so highly privileged, the Claims to Windows Token Service uses local procedure calls, or LPC, to communicate with its clients to perform this operation. What this means is it's not actually listening on any network port, you can't connect to a remote instance of the Claims to Windows Token Service. This is why you must run this service on every machine that's running the service application that requires it.

Now, because this privileged operation could potentially be used maliciously we also enforce other restrictions. The type of ticket that it gets back has to be a constrained ticket. This means we have to define the specific services that this ticket can be delegated to. When we do this, however, we pick up a constraint. The constraint is we can no longer delegate that identity across a domain boundary. So, this means if I have SharePoint running in one domain and I have my data source running in another, I cannot ask the Reporting Services instance to go and grab a Kerberos ticket for a user and delegate it over that domain boundary. I have to go and use one of the other authentication options available to me. Also note that in the current version of SharePoint this requires the web front-ends to either be using windows-claims or Windows classic mode. Some of the services that you're probably familiar with that leverage this architecture, in particular the Claims to Windows Token Service, include Excel Services, PerformancePoint, and now SQL Reporting Services 2012.

We also require the Claims to Windows Token Service for PowerPivot, but we don't actually need it for delegation. We actually use it internally. So, I don't list it here, but just be aware that it is leveraged with PowerPivot as well. So, now how do we configure Kerberos delegation for Reporting Services? So, we have to use constrained delegation with protocol transition. So, this means with the Reporting Services service account we're going to go ahead and specifically set up constrained delegation to every SQL Server service that we need to connect to or every Analysis Services instance that we connect to. We'll do the same thing for Excel Services and for PerformancePoint. In addition, we also have to set up delegation from the Claims to Windows Token Service to those very same services. The reason why we also need it on the Claims to Windows Token Service is because it is the service that actually does the work to request the logon. So, it actually has to also have the delegation setting set up correctly. We'll take a look at this in greater detail in a second.

So, let's take a look at what this looks like at a high level. So, in our example here we have the user coming in with either classic authentication or windows-claims. They authenticate with the web front-end, and then the web front-end has service application components and a service application proxy running on it. The web front-end will use claims to pass the identity back to the application server. In our example it's Reporting Services. And then Reporting Services, if it's configured to use pass-through authentication, will then go to the Claims to Windows Token Service, grab the identity that's needed, and as long as the delegation has been set up correctly in Active Directory -- and again the delegation has to be set up between the service itself and the data source, in addition the Claims to Windows Token Service and the data source -- if both those are configured correctly, we get back the token that's needed and then we're able to pass back that ticket all the way back to the data source and authenticate. So, now let's take a look at what this looks like in SQL Server Reporting Services 2012.

Okay, in this demonstration we're going to take a deep dive look at SQL Server Reporting Services in SQL Server 2012. Now, in SQL Server 2012 we made some fundamental changes to the architecture of Reporting Services when you run in SharePoint integration mode. What we've done is we've adopted the service application framework, meaning that Reporting Services, when running in integration mode, is now a full-fledged service application within SharePoint. So, let's take a look at what that means.

So, the first thing we'll do is we'll take a look at application management. So, I'm in central administration, and I've gone over to application management, and I'm going to scroll down and I'm going to manage my service applications. So, the first thing you'll notice when I click new is we've got a new type of service application. This is something you haven't seen before if you have not tried this with SQL Server 2012. You have the SQL Server Reporting Services service application.

So, let's take a look at what we would do to install and configure the service application. So, after you've installed the actual service application from the SQL media -- so you first have to deploy the Reporting Services bits from the SQL Server install -- you then have to go into central administration and you have to configure a running instance of that service on one or more of your application servers, and then you have to create that service application here in service application management. So, first let's go back and let's take a look at running the instance. So, we're going to go to managed services on a server, and we're going to select one or more application servers. In this case I already have mine selected, but you may have to change the server selected here in your particular example. And I'm going to come down and I'm going to look for the SQL Server Reporting Services service.
Now, if you do not see this service, then you have not installed this particular feature from SQL Server's install media. Once you install it, you'll see this service available and you will have to manually start it on every server that you want to run this particular service. In this case I'm running it just on one application server, my MVA app server. And then you're going to go ahead and go into application management, and you're going to go Manage Service Applications, and you're going to create a new instance of the service application. So, this is basically telling SharePoint I want to run this particular service application, I'm going to tell you the configuration of that application, I'm going to add this proxy to either the default proxy group or a new group so that web front-ends can access and talk to this particular service application. So, I'm going to go ahead and hit new. You would typically provide a name, typically create a new application pool. You would select the managed service account you want to use. I've already pre-created one. Provide some basic information about the database server you want to use, the name of the database that you want to have, and then the web applications you want to associate the service to. Now, I'm not going to do this because I've already done this, and you can see here here's my configuration, here's my service application. And if I bring up properties, this is the particular configuration, and I've already associated it to my demo web application.

So, now in addition to having to have the service or the Reporting Services service instance running and the service application instantiated, you also have to run the Claims to Windows Token Service on that server. So, again if we go back and take a look at central administration, and services on server, there's a service called the Claims to Windows Token Service. This has to be started on the application server and every application server that runs Reporting Services. It actually has to run on every application server running any service application that requires the Claims to Windows Token Service, because it only accepts local calls. You cannot configure one instance of this and have all your service applications talking over the network to consume its services. So, we've already started this service.

So, let's go ahead and take a look at the service accounts that I'm using for these services. This is going to be important to note because we're going to have to use these services to configure delegation to delegate authentication from Reporting Services to our data source, in this case SQL Server. So, let's go ahead and go back to central administration, and I'm going to quickly note down the accounts that we're using. So, if I look again at security, and configure service accounts, I can go ahead and select my service application for Reporting Services.
You can see here I'm running this service using MVA SSRS, so we'll make a note of that, and then also if we look at the Claims to Windows Token Service you'll see here that I'm actually using a domain account, and the domain account is MVA Claims to Windows Token Service. The default is going to be local system, but I've elected to use a domain account for demonstration purposes. So, now I'm going to go over and I'm going to go over to the application server, and I'm going to show you how you would actually configure the Claims to Windows Token Service if you elected to use a domain account. So, if I come over here and I go over to services, the first thing we'll see is the Claims to Windows Token Service. If I zoom in, I've actually got a Windows service called the Claims to Windows Token Service. It's started and it's using my service account. Now, you will not see this listed if you have not actually started the service on the server from central administration. When you install SharePoint, it is not going to run this service or deploy this service by default. You have to go through central administration and go to services on server and start it on every server where you need it. So, now because we're running again as a domain account there are additional privileges that this domain account needs on every server where it's running.
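
The delegation rules stated in this module (constrained delegation with protocol transition from both the Reporting Services account and the Claims to Windows Token Service account to the data source SPN, one owner per SPN, no domain boundary between service and data source) can be checked offline against a directory export. The Python script below is an added example, not part of the lecture: the domain corp.example, the account names svc-ssrs, svc-c2wts and svc-legacy, the port and the export layout are constructed, and requiring the protocol-transition flag on both accounts is an assumption.

```python
"""Offline audit of the constrained-delegation setup described in the lecture.

Every account name, the domain corp.example and all attribute values below are
constructed sample data, laid out as a simplified export of three AD attributes:
servicePrincipalName, msDS-AllowedToDelegateTo and userAccountControl.
"""
import copy

# userAccountControl bits
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

SQL_SPN = "MSSQLSvc/mvasql.corp.example:1433"  # constructed data-source SPN

# Constructed export containing two mistakes: a duplicate SPN and a
# Claims to Windows Token Service account that was never configured.
BROKEN = [
    {"name": "MVASQL$", "domain": "corp.example", "uac": 0x1000,
     "spns": [SQL_SPN, "MSSQLSvc/mvasql.corp.example"], "delegate_to": []},
    {"name": "svc-legacy", "domain": "corp.example", "uac": 0x200,
     "spns": [SQL_SPN.upper()], "delegate_to": []},  # same SPN, second account
    {"name": "svc-ssrs", "domain": "corp.example",
     "uac": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "spns": [], "delegate_to": [SQL_SPN]},
    {"name": "svc-c2wts", "domain": "corp.example", "uac": 0x200,
     "spns": [], "delegate_to": []},
]


def fixed(accounts):
    """Return a corrected copy of the constructed export."""
    out = copy.deepcopy(accounts)
    for acct in out:
        if acct["name"] == "svc-legacy":
            acct["spns"] = []                      # remove the duplicate SPN
        if acct["name"] == "svc-c2wts":
            acct["uac"] |= TRUSTED_TO_AUTH_FOR_DELEGATION
            acct["delegate_to"] = [SQL_SPN]
    return out


def spn_owners(accounts):
    """Map each SPN (compared case-insensitively) to the accounts holding it."""
    owners = {}
    for acct in accounts:
        for spn in acct["spns"]:
            owners.setdefault(spn.lower(), []).append(acct)
    return owners


def audit(accounts, delegators, targets):
    """Return (subject, finding, spn) tuples; an empty list means no findings."""
    by_name = {a["name"].lower(): a for a in accounts}
    owners = spn_owners(accounts)
    findings = []
    # Each target SPN must be registered on exactly one account.
    for spn in targets:
        holders = owners.get(spn.lower(), [])
        if not holders:
            findings.append(("directory", "SPN_NOT_REGISTERED", spn))
        elif len(holders) > 1:
            findings.append(("directory", "DUPLICATE_SPN", spn))
    # Each delegating account must be constrained, with protocol transition,
    # to every target SPN, and the target must live in the same domain.
    for name in delegators:
        acct = by_name.get(name.lower())
        if acct is None:
            findings.append((name, "ACCOUNT_MISSING", ""))
            continue
        if acct["uac"] & TRUSTED_FOR_DELEGATION:
            findings.append((name, "UNCONSTRAINED_DELEGATION", ""))
        if not (acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION):
            findings.append((name, "NO_PROTOCOL_TRANSITION", ""))
        allowed = {s.lower() for s in acct["delegate_to"]}
        for spn in targets:
            if spn.lower() not in allowed:
                findings.append((name, "TARGET_NOT_ALLOWED", spn))
            for holder in owners.get(spn.lower(), []):
                if holder["domain"].lower() != acct["domain"].lower():
                    findings.append((name, "CROSS_DOMAIN_TARGET", spn))
    return findings


if __name__ == "__main__":
    services = ["svc-ssrs", "svc-c2wts"]
    for label, export in (("broken", BROKEN), ("fixed", fixed(BROKEN))):
        print(label)
        for finding in audit(export, services, [SQL_SPN]) or ["  no findings"]:
            print("  ", finding)
```
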


More information

Secret Server Installation Windows Server 2012

Secret Server Installation Windows Server 2012 Table of Contents Introduction... 2 ASP.NET Website... 2 SQL Server Database... 2 Administrative Access... 2 Prerequisites... 2 System Requirements Overview... 2 Additional Recommendations... 3 Beginning

More information

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence Greg Wcislo Introduction We will not go into detailed how-to, however links to multiple

More information

Configure the Application Server User Account on the Domain Server

Configure the Application Server User Account on the Domain Server How to Set up Kerberos Summary This guide guide provides the steps required to set up Kerberos Configure the Application Server User Account on the Domain Server The following instructions are based on

More information

How to move a SharePoint Server 2007 32-bit environment to a 64-bit environment on Windows Server 2008.

How to move a SharePoint Server 2007 32-bit environment to a 64-bit environment on Windows Server 2008. 1 How to move a SharePoint Server 2007 32-bit environment to a 64-bit environment on Windows Server 2008. By & Steve Smith, MVP SharePoint Server, MCT Penny Coventry, MVP SharePoint Server, MCT Combined

More information

Okta/Dropbox Active Directory Integration Guide

Okta/Dropbox Active Directory Integration Guide Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for

More information

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008

Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Enabling Kerberos SSO in IBM Cognos Express on Windows Server 2008 Nature of Document: Guideline Product(s): IBM Cognos Express Area of Interest: Infrastructure 2 Copyright and Trademarks Licensed Materials

More information

Windows Server Update Services 3.0 SP2 Step By Step Guide

Windows Server Update Services 3.0 SP2 Step By Step Guide Windows Server Update Services 3.0 SP2 Step By Step Guide Microsoft Corporation Author: Anita Taylor Editor: Theresa Haynie Abstract This guide provides detailed instructions for installing Windows Server

More information

SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE

SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE SHAREPOINT 2013 IN INFRASTRUCTURE AS A SERVICE Contents Introduction... 3 Step 1 Create Azure Components... 5 Step 1.1 Virtual Network... 5 Step 1.1.1 Virtual Network Details... 6 Step 1.1.2 DNS Servers

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

Ipswitch Client Installation Guide

Ipswitch Client Installation Guide IPSWITCH TECHNICAL BRIEF Ipswitch Client Installation Guide In This Document Installing on a Single Computer... 1 Installing to Multiple End User Computers... 5 Silent Install... 5 Active Directory Group

More information

ICONICS Using the Azure Cloud Connector

ICONICS Using the Azure Cloud Connector Description: Guide to use the Azure Cloud Connector General Requirement: Valid account for Azure, including Cloud Service, SQL Azure and Azure Storage. Introduction Cloud Connector is a FrameWorX Server

More information

An Email Newsletter Using ASP Smart Mailer and Advanced HTML Editor

An Email Newsletter Using ASP Smart Mailer and Advanced HTML Editor An Email Newsletter Using ASP Smart Mailer and Advanced HTML Editor This tutorial is going to take you through creating a mailing list application to send out a newsletter for your site. We'll be using

More information

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Course 20533: Implementing Microsoft Azure Infrastructure Solutions Course 20533: Implementing Microsoft Azure Infrastructure Solutions Overview About this course This course is aimed at experienced IT Professionals who currently administer their on-premises infrastructure.

More information

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website:

More information

Tableau Server Security. Version 8.0

Tableau Server Security. Version 8.0 Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic

More information

MOC 20467B: Designing Business Intelligence Solutions with Microsoft SQL Server 2012

MOC 20467B: Designing Business Intelligence Solutions with Microsoft SQL Server 2012 MOC 20467B: Designing Business Intelligence Solutions with Microsoft SQL Server 2012 Course Overview This course provides students with the knowledge and skills to design business intelligence solutions

More information

Using RD Gateway with Azure Multifactor Authentication

Using RD Gateway with Azure Multifactor Authentication Using RD Gateway with Azure Multifactor Authentication We have a client that uses RD Gateway to allow users to access their RDS deployment from outside their corporate network. They have about 1000+ users.

More information

In this topic we will cover the security functionality provided with SAP Business One.

In this topic we will cover the security functionality provided with SAP Business One. In this topic we will cover the security functionality provided with SAP Business One. 1 After completing this topic, you will be able to: Describe the security functions provided by the System Landscape

More information

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2 Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2 Table of Contents Table of Contents... 1 I. Introduction... 3 A. ASP.NET Website... 3 B. SQL Server Database... 3 C. Administrative

More information

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009 Microsoft Dynamics AX 2009 Installation Guide Microsoft Corporation Published: November 2009 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your

More information

10231B: Designing a Microsoft SharePoint 2010 Infrastructure

10231B: Designing a Microsoft SharePoint 2010 Infrastructure 10231B: Designing a Microsoft SharePoint 2010 Infrastructure Course Number: 10231B Course Length: 5 Days Course Overview This 5 day course teaches IT Professionals to design and deploy Microsoft SharePoint

More information

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

More information

Jive Connects for Openfire

Jive Connects for Openfire Jive Connects for Openfire Contents Jive Connects for Openfire...2 System Requirements... 2 Setting Up Openfire Integration... 2 Configuring Openfire Integration...2 Viewing the Openfire Admin Console...3

More information

Earn Money Sharing YouTube Videos

Earn Money Sharing YouTube Videos Earn Money Sharing YouTube Videos Get Started FREE! Make money every time you share a video, also make money every time the videos you have shared get watched! Unleash The Viral Power of Social Media To

More information

mylittleadmin for MS SQL Server 2005 from a Webhosting Perspective Anthony Wilko President, Infuseweb LLC

mylittleadmin for MS SQL Server 2005 from a Webhosting Perspective Anthony Wilko President, Infuseweb LLC mylittleadmin for MS SQL Server 2005 from a Webhosting Perspective Anthony Wilko President, Infuseweb LLC April 2008 Introduction f there's one thing constant in the IT and hosting industries, it's that

More information

Avatier Identity Management Suite

Avatier Identity Management Suite Avatier Identity Management Suite Migrating AIMS Configuration and Audit Log Data To Microsoft SQL Server Version 9 2603 Camino Ramon Suite 110 San Ramon, CA 94583 Phone: 800-609-8610 925-217-5170 FAX:

More information

Migrating Exchange Server to Office 365

Migrating Exchange Server to Office 365 Migrating Exchange Server to Office 365 By: Brien M. Posey CONTENTS Domain Verification... 3 IMAP Migration... 4 Cut Over and Staged Migration Prep Work... 5 Cut Over Migrations... 6 Staged Migration...

More information

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory HOWTO, 2 nd edition Introduction... 2 Integration using the Lights-Out Migration Utility... 2 Integration using the ilo web interface...

More information

Ingenious Testcraft Technical Documentation Installation Guide

Ingenious Testcraft Technical Documentation Installation Guide Ingenious Testcraft Technical Documentation Installation Guide V7.00R1 Q2.11 Trademarks Ingenious, Ingenious Group, and Testcraft are trademarks of Ingenious Group, Inc. and may be registered in the United

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

Integration Package for Microsoft Office SharePoint3

Integration Package for Microsoft Office SharePoint3 Panorama NovaView 5 Integration Package for Microsoft Office SharePoint3 About the Integration package Release Notes This package applies to the Panorama NovaView Server and the Microsoft office SharePoint3.

More information

PingFederate. IWA Integration Kit. User Guide. Version 3.0

PingFederate. IWA Integration Kit. User Guide. Version 3.0 PingFederate IWA Integration Kit Version 3.0 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 3.0 April, 2012 Ping Identity Corporation

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

RemotelyAnywhere Getting Started Guide

RemotelyAnywhere Getting Started Guide April 2007 About RemotelyAnywhere... 2 About RemotelyAnywhere... 2 About this Guide... 2 Installation of RemotelyAnywhere... 2 Software Activation...3 Accessing RemotelyAnywhere... 4 About Dynamic IP Addresses...

More information

Setup Forms Based Authentication Under SharePoint 2010

Setup Forms Based Authentication Under SharePoint 2010 Introduction This document will cover the steps for installing and configuring Forms Based Authentication (FBA) on a SharePoint 2010 site. The document is presented in multiple steps: Step#1: Step#2: Step#3:

More information

Security IIS Service Lesson 6

Security IIS Service Lesson 6 Security IIS Service Lesson 6 Skills Matrix Technology Skill Objective Domain Objective # Configuring Certificates Configure SSL security 3.6 Assigning Standard and Special NTFS Permissions Enabling and

More information

Websense Support Webinar: Questions and Answers

Websense Support Webinar: Questions and Answers Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user

More information

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. IWA Integration Kit. User Guide. Version 2.6 PingFederate IWA Integration Kit Version 2.6 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 2.6 March, 2012 Ping Identity Corporation

More information

Metalogix Replicator. Quick Start Guide. Publication Date: May 14, 2015

Metalogix Replicator. Quick Start Guide. Publication Date: May 14, 2015 Metalogix Replicator Quick Start Guide Publication Date: May 14, 2015 Copyright Metalogix International GmbH, 2002-2015. All Rights Reserved. This software is protected by copyright law and international

More information

Centralized Self-service Password Reset: From the Web and Windows Desktop

Centralized Self-service Password Reset: From the Web and Windows Desktop Centralized Self-service Password Reset: From the Web and Windows Desktop Self-service Password Reset Layer v.3.2-007 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200

More information

SQL SERVER REPORTING SERVICES 2012 (POWER VIEW)

SQL SERVER REPORTING SERVICES 2012 (POWER VIEW) SQL SERVER REPORTING SERVICES 2012 (POWER VIEW) INSTALLATION AND CONFIGURATION Authored by: AVINASH KUMAR SINGH COMPANY: PAXCEL TECHNOLOGIES PVT.LTD SQL SERVER REPORTING SERVICES 2012 (POWER VIEW)) WHAT

More information

Windows Azure Pack Installation and Initial Configuration

Windows Azure Pack Installation and Initial Configuration Windows Azure Pack Installation and Initial Configuration Windows Server 2012 R2 Hands-on lab In this lab, you will learn how to install and configure the components of the Windows Azure Pack. To complete

More information

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division VIDEO Intypedia013en LESSON 13: DNS SECURITY AUTHOR: Javier Osuna García-Malo de Molina GMV Head of Security and Process Consulting Division Welcome to Intypedia. In this lesson we will study the DNS domain

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Push OTP Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have

More information

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation

Password Reset PRO. Quick Setup Guide for Single Server or Two-Tier Installation Password Reset PRO Quick Setup Guide for Single Server or Two-Tier Installation This guide covers the features and settings available in Password Reset PRO version 3.x.x. Please read this guide completely

More information

SQL Server Business Intelligence

SQL Server Business Intelligence SQL Server Business Intelligence Setup and Configuration Guide Himanshu Gupta Technology Solutions Professional Data Platform Contents 1. OVERVIEW... 3 2. OBJECTIVES... 3 3. ASSUMPTIONS... 4 4. CONFIGURE

More information

Deploying F5 with Citrix XenApp or XenDesktop

Deploying F5 with Citrix XenApp or XenDesktop Deploying F5 with Citrix XenApp or XenDesktop Welcome to the F5 deployment guide for Citrix VDI applications, including XenApp and XenDesktop with the BIG-IP system v11.4 and later. This guide shows how

More information

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity How to configure Sophos UTM Web Application Firewall for Microsoft Exchange connectivity This article explains how to configure your Sophos UTM 9.2 to allow access to the relevant Microsoft Exchange services

More information

IBM/Softlayer Object Storage for Offsite Backup

IBM/Softlayer Object Storage for Offsite Backup IBM/Softlayer Object Storage for Offsite Backup How to use IBM/Softlayer Object Storage for Offsite Backup How to use IBM/Softlayer Object Storage for Offsite Backup IBM/Softlayer Object Storage is a redundant

More information

Aspera Connect User Guide

Aspera Connect User Guide Aspera Connect User Guide Windows XP/2003/Vista/2008/7 Browser: Firefox 2+, IE 6+ Version 2.3.1 Chapter 1 Chapter 2 Introduction Setting Up 2.1 Installation 2.2 Configure the Network Environment 2.3 Connect

More information

Deploy Remote Desktop Gateway on the AWS Cloud

Deploy Remote Desktop Gateway on the AWS Cloud Deploy Remote Desktop Gateway on the AWS Cloud Mike Pfeiffer April 2014 Last updated: May 2015 (revisions) Table of Contents Abstract... 3 Before You Get Started... 3 Three Ways to Use this Guide... 4

More information

TECHNICAL NOTE. The following information is provided as a service to our users, customers, and distributors.

TECHNICAL NOTE. The following information is provided as a service to our users, customers, and distributors. page 1 of 11 The following information is provided as a service to our users, customers, and distributors. ** If you are just beginning the process of installing PIPSPro 4.3.1 then please note these instructions

More information

Building a Scale-Out SQL Server 2008 Reporting Services Farm

Building a Scale-Out SQL Server 2008 Reporting Services Farm Building a Scale-Out SQL Server 2008 Reporting Services Farm This white paper discusses the steps to configure a scale-out SQL Server 2008 R2 Reporting Services farm environment running on Windows Server

More information

MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM)

MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM) MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM) MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM) Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative

More information

Archive Migrator Install Guide

Archive Migrator Install Guide Archive Migrator Publication Date: December, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this software,

More information

Kaseya 2. User Guide. Version 1.1

Kaseya 2. User Guide. Version 1.1 Kaseya 2 Directory Services User Guide Version 1.1 September 10, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.

More information

As you ask them and if not, you have things to question, we can answer, we can give advice to you by email within 24 hours.

As you ask them and if not, you have things to question, we can answer, we can give advice to you by email within 24 hours. Thanks for your patience and welcome to the CDI MobyMax Interactive Webinar this afternoon. We appreciate you joining us. I now have with me most of you are. Certainly, we'll do our best to make today's

More information

Deploying the BIG-IP System with Microsoft SharePoint

Deploying the BIG-IP System with Microsoft SharePoint Deploying the BIG-IP System with Microsoft SharePoint Welcome to the F5 deployment guide for Microsoft SharePoint. This document contains guidance on configuring the BIG-IP system version 11.4 and later

More information