Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos Pt 2 “Advanced” Scenarios ITP370 Spencer Harbar Bob Fox.

Published byMiles Biglow Modified over 9 years ago

Similar presentations

Presentation on theme: "Kerberos Pt 2 “Advanced” Scenarios ITP370 Spencer Harbar Bob Fox."— Presentation transcript:

1 Kerberos Pt 2 “Advanced” Scenarios ITP370 Spencer Harbar Bob Fox

2 About the speakers...  Spencer Harbar, MVP, MCTS, MCSD.NET, MCAD, MCSE, APM  www.harbar.net www.harbar.net  Enterprise Architect working with some of Microsoft’s largest customers deploying Office SharePoint Server 2007.  15 years in Enterprise IT  ISPA Board Member  Bob Fox, MVP, MCTS  bobfox.securespsite.com bobfox.securespsite.com  IT Professional with over 15 years experience  Specializing in SharePoint architecture and deployment  ISPA Board Member

3 Agenda Load Balancing Shared Services Search Excel Services Additional Tools Announcing Configuration Wizard Q&A / Discussion

4 Load Balancing  Many “myths” surrounding Load Balancing  SharePoint Web Application Configuration  Cnames (again!)  Configure host name/host headers correctly  Load Balancers don’t know or care about Kerberos

5 IMPLEMENTING KERBEROS FOR SHAREPOINT Web Applications

6 Shared Services Stsadm.exe –o setsharedwebserviceauthn -negotiate

7 Shared Services .NET client can’t bind to the server using non default ports  without host headers  SSP services binding to the server using non default ports without host headers  The indexer can’t crawl Kerberos web applications on non default ports

8 Shared Services Office Server Web Services SharedServices1 SharedServices2 HTTP/server1 domain\user1 HTTP/server1 domain\user2 Stsadm.exe –o setsharedwebserviceauthn -negotiate Duplicate SPN’s

9 Shared Services Solution  Install Infrastructure Updates (or later) on all servers in farm  Add Registry Key HKLM\Software\Microsoft\Office Server\12.0\KerberosSpnFormat = 1  Reboot!  SPNs for each machine MSSP/server1:56737/SharedServices1 domain\user1 MSSP/server1:56738/SharedServices1 domain\user1  Configure Shared Services Stsadm.exe –o setsharedwebserviceauthn -negotiate

10 Shared Services  You cannot mix and match NTLM and Kerberos  In the same Farm  All SSPs must either NTLM or Kerberos

11 SHARED SERVICES

12 Excel Services  When using with Analysis Services  Additional Configuration  MSOLAPSvc.3/HOST domain\user  MSOLAPSvc.3/HOST:instance domain\user  Middle Tier Delegation  MSKB 917409  stsadm.exe -o set-ecssecurity -ssp %SSPNAME% -accessmodel delegation

13 EXCEL SERVICES

14 Testing and validation  Don’t test from DC or Web Server!  Windows Security Auditing  Kerberos Auditing  Kerbtray and Klist  Netmon and Fiddler (etc)  IIS Log Files, IIS7 Failed Request Tracing  Above all, be patient!  Use IISRESET

15 Kerberos Auditing  HKEY_LOCAL_MACHINE\SYSTEM\CurrentCo ntrolSet\Control\Lsa\Kerberos\Param eters\LogLevel  Value Type: REG_DWORD  Value Data: 1  Do not leave on!!

16 Kerberos Debug View  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contr ol\Lsa\Kerberos\Parameters\KerbDebugLevel  Type: DWORD  Data: c0000043  this value will print the most standard set of debug messages. Try it first. If you still want to see more output, set it to ffffffff.  Value: LogToFile  Type: DWORD  Data: 1  C:\Windows\System32\lsass.log

17 Announcing...  Kerberos Configuration Wizard

18 Kerberos Configuration Wizard

19

20

21

22 Recommendations  Windows 2008 if at all possible  Infrastructure Updates  NTLM first, then enable Kerberos  Patience!  Script configuration after extensive testing

23 Essential Tools  CLI: Setspn.exe  Windows 2003: part of Resource Kit or separate download http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd  GUI: Adsiedit.msc  Windows 2003: part of support tools (on Windows CD)  Kerbtray.exe http://www.microsoft.com/downloads/details.aspx?familyid=4E3A58BE-29F6-49F6-85BE-E866AF8E7A88 http://www.microsoft.com/downloads/details.aspx?familyid=4E3A58BE-29F6-49F6-85BE-E866AF8E7A88  Klist.exe http://www.microsoft.com/DownLoads/details.aspx?familyid=1581E6E7-7E64-4A2D-8ABA-73E909D2A7DC http://www.microsoft.com/DownLoads/details.aspx?familyid=1581E6E7-7E64-4A2D-8ABA-73E909D2A7DC  Both part of the Windows 2003 Resource Kit Tools http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd  Network Monitor 3.2 http://www.microsoft.com/downloads/details.aspx?familyid=f4db40af-1e08-4a21-a26b-ec2f4dc4190d http://www.microsoft.com/downloads/details.aspx?familyid=f4db40af-1e08-4a21-a26b-ec2f4dc4190d  DelegConfig http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434 http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434

24 Common Issues Issue  Mis-configured SPNs  Duplicate SPNs  PAC Validation  Host name issues  Load Balancing Myths  IE6 Clients use NTLM Best Practice  Use correct notation!  Use new –X switch  Disable PAC Validation  Never use CNames!  Setup Web App Correctly  Don’t use CNames  or MSKB 911149911149 DON’T USE ALIASES (Cnames) for Web Applications!

25 Takeaways  It’s easy!!  However, tons of misinformation and myths on the ‘net  DCOM Configuration  Delegation  Dodgy Blog Posts!  The best links:  Configure Kerberos authentication (Office SharePoint Server) http://technet.microsoft.com/en-us/library/cc263449.aspx http://technet.microsoft.com/en-us/library/cc263449.aspx  Kerberos Authentication Tools and Settings http://technet.microsoft.com/en-us/library/cc738673.aspx http://technet.microsoft.com/en-us/library/cc738673.aspx  Troubleshooting Kerberos Errors http://www.microsoft.com/downloads/details.aspx?FamilyID=7DFEB015-6043-47DB-8238-DC7AF89C93F1 http://www.microsoft.com/downloads/details.aspx?FamilyID=7DFEB015-6043-47DB-8238-DC7AF89C93F1  Ken Schaefer’s Blog http://www.adopenstatic.com/cs/blogs/ken http://www.adopenstatic.com/cs/blogs/ken

26 Thank you for attending! Post conference DVD with all slide decks Sponsored by

Download ppt "Kerberos Pt 2 “Advanced” Scenarios ITP370 Spencer Harbar Bob Fox."

Similar presentations

Introduction to SharePoint for .NET Developer

Introduction to SharePoint for .NET Developer
Windows Server 2008 R2 IIS 7.5 Steve Evans

Windows Server 2008 R2 IIS 7.5 Steve Evans
Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Volume activation.

Volume activation.
You too can be one step closer to having a clean, pristine SharePoint environment! 1 Methods and Solutions for Dealing with Orphaned Sites in a Large Scale.

You too can be one step closer to having a clean, pristine SharePoint environment! 1 Methods and Solutions for Dealing with Orphaned Sites in a Large Scale.
Mythbusters Debunking Common SharePoint Farm Misconceptions ITP361 Spencer Harbar.

Mythbusters Debunking Common SharePoint Farm Misconceptions ITP361 Spencer Harbar.
Server functionality is split into ~ 40 modules... Modules plug into a generic request pipeline… Modules extend server functionality through a public.

Server functionality is split into ~ 40 modules... Modules plug into a generic request pipeline… Modules extend server functionality through a public.
Go Live! Launching your MOSS Publishing site DEV435 Spencer Harbar.

Go Live! Launching your MOSS Publishing site DEV435 Spencer Harbar.
Overview and Demonstration of declarative workflows in SharePoint using Microsoft SharePoint Designer 2007 Kevin Hughes MCT, MCITP, MCSA, MCTS, MCP, Network+,

Overview and Demonstration of declarative workflows in SharePoint using Microsoft SharePoint Designer 2007 Kevin Hughes MCT, MCITP, MCSA, MCTS, MCP, Network+,
Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
ITP327 Spencer Harbar Bob Fox

ITP327 Spencer Harbar Bob Fox
Agenda Why are we doing this? What are we talking about? Whats similar to what you know? Whats different from what you know? Lets see it in action! Parting.

Agenda Why are we doing this? What are we talking about? Whats similar to what you know? Whats different from what you know? Lets see it in action! Parting.
Faith Allington Program Manager Microsoft Corporation WSV322.

Faith Allington Program Manager Microsoft Corporation WSV322.
Designing, Deploying and Managing Workflow in SharePoint Sites Steve Heaney Product Development Manager OBS

Designing, Deploying and Managing Workflow in SharePoint Sites Steve Heaney Product Development Manager OBS
Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step.

Microsoft® Windows® Rights Management Services (RMS) Deployment and Usage, Step-by-Step.
Creating Dashboards with Performance Point Monitoring & Analytics Tim Toennies Covenant Technology Partners.

Creating Dashboards with Performance Point Monitoring & Analytics Tim Toennies Covenant Technology Partners.
SSRS 2008 Architecture Improvements Scale-out SSRS 2008 Report Engine Scalability Improvements.

SSRS 2008 Architecture Improvements Scale-out SSRS 2008 Report Engine Scalability Improvements.
Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000.

Experience with NTLM v2 on Win2K in NT 4.0 Domain Myung Bang Jefferson Lab Hepix-HepNT 2000 October 31, 2000.
Andy van den Biggelaar SecIdm Specialist Wortell

Andy van den Biggelaar SecIdm Specialist Wortell
Configuring Windows to run Dr.Web scanner remotely.

Configuring Windows to run Dr.Web scanner remotely.

Similar presentations

Ads by Google