
KERBEROS, SQL AND YOU Adam W. Saxton Microsoft - SQL

Presentation transcript:

Slide 1: KERBEROS, SQL AND YOU
Adam W. Saxton, Microsoft - SQL Support
@awsaxton, asaxton@microsoft.com

Slide 2: WHY YOU ARE HERE ...
- Not to learn about the mythical dog
- You like it when your head hurts

Slide 3: WHY DO WE NEED KERBEROS?
- Allows for authentication in a secure manner
- Both client and server prove their identity
- Protection against eavesdropping and replay attacks
- Provides the ability to forward (delegate) credentials

Slide 4: CHALLENGES OF KERBEROS
- Complicated to configure
  - Domain Admin rights
  - Service Principal Names (SPN)
  - Delegation settings
  - Understanding what applications support
- Hard to diagnose
  - Errors rarely point to Kerberos
  - Typically an anonymous error, i.e. 401 or "Login failed"
- Time is everything
  - Clocks on servers need to be synchronized
  - 5 minute window to use the session request (replay protection)

Slide 5: ELEMENTS OF KERBEROS CONFIG
- Active Directory (your Domain Controller)
  - Service account database
  - Global Catalog for directing referrals
  - Kerberos Key Distribution Center (KDC)
- Service identifier
  - Service Principal Name (SPN)
  - Accounts for 80-90% of CSS Kerberos issues
- Forwarding of credentials
  - Delegation, defined on the account in Active Directory
  - Used for multiple service hops

Slide 6: FORWARDING USER CREDENTIALS
- The Classic Double Hop (diagram): UserA on the Client -> First Hop -> Middle Server -> Second Hop -> Backend Server

Slide 7: HOW BAD CAN IT GET?
- Diagram: load balanced SharePoint servers (http://virtualsharepoint) and load balanced RS servers (http://virtualreports), with a SharePoint Content DB, RS Catalog, RS Data Source, Linked Server and Web Service Data Source behind them
- Resulting error: Login failed for user 'null'

Slide 8: THE INFAMOUS SPN ...
- Uniquely identifies an instance of a service
- Used to request a service ticket
- You can only have one!
  - Bound to one Active Directory object: user or machine account
  - Attribute of that object: servicePrincipalName
- Some tools don't prevent duplicate entries

Slide 9: SPN BROKEN DOWN ...
- Format: <Service Class>/<Host>:<Port>
- Service Class
  - Arbitrary name created by the service
  - Represents a suite of services
  - Examples: HTTP, MSSQLSvc, MSOLAPSvc.3
  - HOST is a special service class
- Host
  - The name of the computer on which the service is running
  - Could be a virtual name (i.e. load balanced or cluster)
  - Can be a fully qualified domain name or NetBIOS name
  - NetBIOS names may not be unique in a forest
- Port
  - Optional item
  - Used to differentiate between multiple instances

Slide 10: HTTP SERVICE CLASS
- HTTP/passrs.pass.local (FQDN)
- HTTP/passrs (NetBIOS)
- HTTP/passrs:80 (ports make it unique)
- No port by default
- HTTP works for both http and https

Slide 11: SQL SERVICE CLASS
- TCP
  - MSSQLSvc/passsql.pass.local:1433 (default instance)
  - MSSQLSvc/passsql.pass.local:56772 (named instance)
- Named Pipes (started with SQL 2008)
  - MSSQLSvc/passsql.pass.local (default instance)
  - MSSQLSvc/passsql.pass.local:myinstance (named instance)
- SQL creates the FQDN form, not NetBIOS
- Blog: What SPN do I use and how does it get there?

Slide 12: BUILDING OUT THE SQL SPN ...
- Are we in a domain? Yes / No
- Are we a cluster? Yes: Virtual FQDN; No: Machine FQDN
- TCP protocol (always uses ports!)
  - ListenAll? Yes: IPALL; No: IPx (1-N) enabled?
  - Dynamic and/or static port (both can be set!)
  - Example: MSSQLSvc/myserver.mydomain.com:1433 (or :5555)
- Named Pipes protocol
  - Default instance? Yes: no suffix; No: :INSTANCENAME
- This is what the System Center Advisor SPN rule does!

Slide 13: WHY DO I NEED BOTH SPNS?
- MSSQLSvc/passsql.pass.local:1433
- MSSQLSvc/passsql:1433
- If DNS name resolution fails, we fall back to NetBIOS
- The NetBIOS SPN is needed if NetBIOS was used
- If NetBIOS name resolution failed, you have other issues
- SQL Client will resolve IP to name. IE and IIS will not!
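The decision tree on the "Building out the SQL SPN" slide, together with the FQDN-plus-NetBIOS rule on the slide above, can be written down as a small function. This is an added example, not Microsoft's code: the SqlInstanceConfig fields and the sample values are constructed stand-ins for what SQL Server Configuration Manager shows, and build_sql_spns returns the set of SPNs the instance would need registered.

```python
"""Build the SPN set for a SQL Server instance by walking the slide's decision
tree (domain, cluster, TCP/Named Pipes, ListenAll, ports, instance name) and
adding the NetBIOS form the "why do I need both SPNs" slide calls for.
Added example, not Microsoft code: config fields and values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SqlInstanceConfig:
    machine_fqdn: str                               # e.g. passsql.pass.local
    in_domain: bool = True
    cluster_virtual_fqdn: Optional[str] = None      # set when clustered: use the virtual name
    instance_name: Optional[str] = None             # None = default instance
    tcp_enabled: bool = True
    listen_all: bool = True
    ipall_ports: Set[int] = field(default_factory=set)               # IPALL static and/or dynamic
    per_ip_ports: Dict[str, Set[int]] = field(default_factory=dict)  # IPx ports when ListenAll is off
    named_pipes_enabled: bool = False


def netbios_name(fqdn: str) -> str:
    """NetBIOS host is the first DNS label (passsql.pass.local -> passsql)."""
    return fqdn.split(".")[0]


def build_sql_spns(cfg: SqlInstanceConfig) -> Set[str]:
    if not cfg.in_domain:
        return set()                                # no domain: nothing to register
    host = cfg.cluster_virtual_fqdn or cfg.machine_fqdn
    spns: Set[str] = set()
    if cfg.tcp_enabled:
        # TCP always uses ports; a static and a dynamic port can both be set
        ports = cfg.ipall_ports if cfg.listen_all else set().union(*cfg.per_ip_ports.values())
        for port in sorted(ports):
            spns.add(f"MSSQLSvc/{host}:{port}")
    if cfg.named_pipes_enabled:
        # Named Pipes: no suffix for the default instance, :INSTANCENAME otherwise
        suffix = "" if cfg.instance_name is None else f":{cfg.instance_name}"
        spns.add(f"MSSQLSvc/{host}{suffix}")
    # The NetBIOS variant covers clients that fell back from DNS to NetBIOS
    spns |= {s.replace(host, netbios_name(host), 1) for s in spns}
    return spns


if __name__ == "__main__":
    demo = SqlInstanceConfig("passsql.pass.local", instance_name="demo",
                             ipall_ports={59256}, named_pipes_enabled=True)
    for spn in sorted(build_sql_spns(demo)):
        print(spn)
```

Comparing the returned set against `setspn -L <service account>` output is a quick way to spot an SPN the instance expects but the directory lacks.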

Slide 14: SPN TOOLS
- SetSPN
- Klist & KerbTray
- ADSIEdit

Slide 15: SPN ISSUES WE SEE ...
- Missing SPN: it was never created
- Misplaced SPN: the SPN exists, but is tied to the wrong account
- Duplicate SPN: the SPN exists on more than one account
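The three failure classes on the slide above can be checked mechanically from a listing of which account holds which servicePrincipalName values. The block below is an added example, not part of the presentation: DIRECTORY is a constructed export (in practice it comes from `setspn -L <account>` or the servicePrincipalName attribute in ADSIEdit) and EXPECTED is a constructed map of which account should own each SPN.

```python
"""Classify SPN problems (missing, misplaced, duplicate) from a directory
export.  Added example; DIRECTORY and EXPECTED are constructed sample data."""
from collections import defaultdict
from typing import Dict, List

# Constructed export: account -> servicePrincipalName values on that account
DIRECTORY: Dict[str, List[str]] = {
    "PASS\\sqlservice": ["MSSQLSvc/passsql.pass.local:1433"],
    "PASS\\rsservice":  ["HTTP/passrs.pass.local", "HTTP/passrs"],
    "PASS\\spservice":  ["HTTP/passsp.pass.local", "HTTP/passrs"],            # HTTP/passrs also here
    "PASS\\PASSSQL$":   ["HOST/passsql.pass.local", "MSSQLSvc/passsql:1433"],  # SQL SPN on machine acct
}

# Constructed expectation: the account that should own each SPN
EXPECTED: Dict[str, str] = {
    "MSSQLSvc/passsql.pass.local:1433": "PASS\\sqlservice",
    "MSSQLSvc/passsql:1433":            "PASS\\sqlservice",
    "HTTP/passrs.pass.local":           "PASS\\rsservice",
    "HTTP/passrs":                      "PASS\\rsservice",
    "HTTP/passsp.pass.local":           "PASS\\spservice",
    "HTTP/passsp":                      "PASS\\spservice",
}


def index_by_spn(directory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the export: SPN (lower-cased, AD matches case-insensitively) -> owners."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for account, spns in directory.items():
        for spn in spns:
            owners[spn.lower()].append(account)
    return owners


def audit_spns(directory: Dict[str, List[str]], expected: Dict[str, str]) -> Dict[str, list]:
    owners = index_by_spn(directory)
    findings: Dict[str, list] = {"missing": [], "misplaced": [], "duplicate": []}
    for spn, wanted in expected.items():
        have = owners.get(spn.lower(), [])
        if not have:
            findings["missing"].append(spn)                        # never created
        elif len(have) > 1:
            findings["duplicate"].append((spn, sorted(have)))      # on more than one account
        elif have[0].lower() != wanted.lower():
            findings["misplaced"].append((spn, have[0], wanted))   # exists, wrong account
    return findings


if __name__ == "__main__":
    for kind, items in audit_spns(DIRECTORY, EXPECTED).items():
        print(kind, items)
```

Duplicates are the case `setspn -X` reports forest-wide; the missing and misplaced classes need the expected-owner map, which is why this check takes one as input.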

Slide 16: DELEGATION
- Forwarding a credential from one service to another
- Must know all accounts involved
- User account must be allowed to be delegated ("Account is sensitive and cannot be delegated")
- Service accounts must be allowed to delegate
  - Unconstrained: delegate to any service
  - Constrained: delegate to specified services only
- SharePoint 2010 Claims Auth may force Constrained

Slide 17: DELEGATION TOOLS
- AD Users & Computers

Slide 18: WHAT ACTUALLY HAPPENS?
- Sequence diagram between Client, KDC, RS and SQL:
  1. Client asks the KDC for HTTP/passrs.pass.local
  2. Session key sent; contains the service ticket
  3. RS: Accepted
  4. RS asks the KDC for MSSQLSvc/passsql.pass.local
  5. Session key sent; contains the service ticket
  6. SQL: Accepted
- Steps 1 & 4: InitializeSecurityContext
- Steps 3 & 6: AcceptSecurityContext

Slide 19: A PEEK INSIDE SQL ...
- The client provider builds the SPN off of the connection string, based on protocol
- We always try to resolve the FQDN for the server entry
- We get the port for a named instance by way of SQL Browser
- SQL will validate the SPN and credentials; the SPN must match the server properties
- Example: Server=passsql\demo;database=AdventureWorks2008;Integrated Security=SSPI; -> passsql\demo -> MSSQLSvc/passsql.pass.local:59256

Slide 20: IS NEGOTIATE THE SAME AS KERBEROS?
- No! It is a decision point to determine NTLM or Kerberos
- We always try Kerb
- Once the decision is made to go Kerberos, there is no turning back
- If the SPN is wrong, Kerb failure on the server
- Single hop example: SSMS to SQL (diagram: client, KDC, server SQL1 with SPN MSSQLSvc/SQL1:1433)
  - Negotiate goes Kerb because the SQL1 SPN is present
  - Misplaced SPN: the client gets a ticket for the SQL2 account
  - Result: Cannot generate SSPI context
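The client-side steps on the two slides above (build the SPN from the connection string, resolve the FQDN, ask SQL Browser for the named-instance port, then let Negotiate pick Kerberos when the KDC knows the SPN) can be traced with a short simulation. This is an added example, not the SQL Server provider's code: DNS, SQL_BROWSER, KDC_SPNS and SERVICE_ACCOUNTS are constructed dictionaries standing in for name resolution, the SQL Browser response, the directory and the accounts the services actually run as.

```python
"""Trace connection string -> SPN -> Negotiate outcome, including the misplaced
SPN case that ends in "Cannot generate SSPI context".  Added example with
constructed lookup tables; not SQL Server code."""
from typing import Dict, Optional, Tuple

DNS: Dict[str, str] = {"passsql": "passsql.pass.local", "sql1": "sql1.pass.local"}
SQL_BROWSER: Dict[Tuple[str, str], int] = {("passsql.pass.local", "demo"): 59256}
# KDC view of the directory: SPN -> account whose key the service ticket is encrypted with
KDC_SPNS: Dict[str, str] = {
    "MSSQLSvc/passsql.pass.local:59256": "PASS\\sqlservice",
    "MSSQLSvc/sql1.pass.local:1433": "PASS\\sql2service",  # misplaced: registered on SQL2's account
}
# Account each SQL Server actually runs as (what AcceptSecurityContext can decrypt with)
SERVICE_ACCOUNTS: Dict[str, str] = {
    "passsql.pass.local": "PASS\\sqlservice",
    "sql1.pass.local": "PASS\\sql1service",
}


def parse_server(conn: str) -> Tuple[str, Optional[str]]:
    """Return (host, instance) from the Server= entry of a connection string."""
    kv = dict(p.split("=", 1) for p in conn.strip(";").split(";") if "=" in p)
    server = kv.get("Server") or kv.get("Data Source") or ""
    host, _, inst = server.partition("\\")
    return host, inst or None


def build_client_spn(conn: str) -> str:
    host, inst = parse_server(conn)
    fqdn = DNS.get(host.lower(), host)                    # always try to resolve the FQDN
    port = SQL_BROWSER[(fqdn, inst)] if inst else 1433    # named instance port via SQL Browser
    return f"MSSQLSvc/{fqdn}:{port}"


def negotiate(conn: str) -> str:
    """Decision point: Kerberos if the KDC knows the SPN, otherwise NTLM."""
    spn = build_client_spn(conn)
    owner = KDC_SPNS.get(spn)
    if owner is None:
        return "NTLM"                                     # no SPN: Negotiate falls back to NTLM
    # Kerberos chosen: no turning back.  The server validates the ticket with its own key.
    fqdn = spn.split("/", 1)[1].rsplit(":", 1)[0]
    if SERVICE_ACCOUNTS.get(fqdn) != owner:
        return "Kerberos: Cannot generate SSPI context (misplaced SPN)"
    return "Kerberos"


if __name__ == "__main__":
    for cs in ("Server=passsql\\demo;database=AdventureWorks2008;Integrated Security=SSPI;",
               "Server=sql1;Integrated Security=SSPI;",
               "Server=nospn;Integrated Security=SSPI;"):
        print(build_client_spn(cs), "->", negotiate(cs))
```

The third case shows the quiet failure mode from the "challenges" slide: with no SPN at all the connection still works over NTLM, so a missing SPN is only noticed once a second hop needs delegation.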

Slide 21: A DISTRIBUTED CONFIG EXAMPLE ...
- User: PASS\asaxton ("Account is sensitive" is unchecked)
- SharePoint WFE (Win2k8 R2)
  - PASS\spservice, member of IIS_IUSRS
  - HTTP/passsp.pass.local
  - Trusted for Delegation
  - Kernel Mode Auth disabled
  - SP site is set for Kerberos
- Report Server (Win2k8 R2)
  - PASS\rsservice, member of IIS_IUSRS
  - HTTP/passrs.pass.local
  - Trusted for Delegation
  - RSWindowsNegotiate; RS set to Windows Auth
- SQL Server (Win2k8 R2)
  - PASS\sqlservice
  - MSSQLSvc/passsql.pass.local:59256
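The rules on the "Delegation" slide (user not marked sensitive, each forwarding service trusted for delegation, constrained delegation limited to the listed targets, every hop's SPN present) can be checked over the configuration on the slide above. The block below is an added example, not part of the presentation: Account is a simplified stand-in for the user and service objects in AD Users & Computers, and the chain is built from the slide's constructed PASS accounts.

```python
"""Check a multi-hop delegation chain against the Delegation slide's rules.
Added example; Account models only the flags the slide mentions."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Account:
    name: str
    spns: Set[str] = field(default_factory=set)
    sensitive: bool = False                 # "Account is sensitive and cannot be delegated"
    delegation: str = "none"                # "none" | "unconstrained" | "constrained"
    allowed_targets: Set[str] = field(default_factory=set)  # constrained: SPNs it may delegate to


def check_chain(user: Account, hops: List[Account], target_spns: List[str]) -> List[str]:
    """hops[i] is the service reached via target_spns[i]; it forwards the user to hops[i+1].
    Returns a list of problems; an empty list means the chain should work."""
    problems: List[str] = []
    if user.sensitive:
        problems.append(f"{user.name}: account is sensitive and cannot be delegated")
    for i, svc in enumerate(hops):
        if target_spns[i] not in svc.spns:
            problems.append(f"{svc.name}: missing SPN {target_spns[i]}")
        if i + 1 < len(hops):               # this service must forward to the next hop
            nxt = target_spns[i + 1]
            if svc.delegation == "unconstrained":
                continue                    # may delegate to any service
            if svc.delegation == "constrained" and nxt in svc.allowed_targets:
                continue                    # target is on its allowed list
            problems.append(f"{svc.name}: not allowed to delegate to {nxt}")
    return problems


# Constructed from the distributed config slide (both web tiers "Trusted for Delegation")
ASAXTON = Account("PASS\\asaxton")
SPSERVICE = Account("PASS\\spservice", {"HTTP/passsp.pass.local"}, delegation="unconstrained")
RSSERVICE = Account("PASS\\rsservice", {"HTTP/passrs.pass.local"}, delegation="unconstrained")
SQLSERVICE = Account("PASS\\sqlservice", {"MSSQLSvc/passsql.pass.local:59256"})
CHAIN = [SPSERVICE, RSSERVICE, SQLSERVICE]
TARGETS = ["HTTP/passsp.pass.local", "HTTP/passrs.pass.local", "MSSQLSvc/passsql.pass.local:59256"]


if __name__ == "__main__":
    print("problems:", check_chain(ASAXTON, CHAIN, TARGETS))
```

Constrained delegation is the least-privilege setting: with it, the report server's account can only obtain tickets for the SQL SPNs on its list on the user's behalf, which is why the check treats an unlisted target as a failure rather than a warning.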

Slide 22: KERBEROS EVENT LOGGING
- http://support.microsoft.com/kb/262177
- Screenshot: this was actually a Duplicate SPN
- May not see the error if the item was cached

Slide 23: NETWORK MONITOR
- Interested in Kerb traffic only
- May not see the error if the item was cached
- Capture labels: HTTP SPN Request; Failed; SQL SPN Request

Slide 24: asaxton@microsoft.com, @awsaxton, http://blogs.msdn.com/psssql

Slide 25: © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

