Thursday 9 February 2012

Creating SPNs and Kerberos Delegation - Reporting services in sharepoint integrated mode

There are a few prerequisites to setting up Kerberos delegation.

  1. Both the SharePoint web sites and the report server are installed and configured.
  2. All computers accessing the application must be in the same domain.
  3. Kerberos ports must be open if going through a firewall.
  4. Client browsers must be set up to allow integrated authentication.
  5. Clients must be domain users.
  6. All clients must be running Windows 2000 or greater.
  7. All clients' browsers must be IE 5 or later.


Probably the most likely culprit for not getting Kerberos authentication to work is improper or duplicate SPNs. Duplicate SPNs can easily be created if the person who installs, say, SQL Server is a domain admin and decides to run the setup under their domain admin account. In this scenario, the SPN for SQL Server is automatically registered under that domain admin's user account. Even if they go back and change the service to run under LocalSystem, Active Directory will still hold an SPN for SQL01's SQL Server service on that account. This creates a duplicate SPN and will break your entire setup.

Duplicate SPNs can be found by running the following command at a command prompt:

setspn -x

If you see any duplicate SPNs, delete them by running the following command:

setspn -d [SPN TO DELETE] [OBJECT FROM WHICH YOU WANT TO DELETE IT]

Example: c:\>setspn -d MSSQLSvc/SQL01:1433 domainname\domainadmin

Creating Necessary SPNs
If the SharePoint server is WEB01 and the reporting server is REP01, then we need to set up the following SPNs, with both NetBIOS names and FQDNs:

REP01:
1. SETSPN -a HTTP/REP01.xyz.local:80 [REPORTING SERVICE DOMAIN ACCOUNT]
2. SETSPN -a HTTP/REP01.xyz.local [REPORTING SERVICE DOMAIN ACCOUNT]
3. SETSPN -a HTTP/REP01 [REPORTING SERVICE DOMAIN ACCOUNT]
4. SETSPN -a HTTP/REP01:80 [REPORTING SERVICE DOMAIN ACCOUNT]

We will also need to set SPNs for the SQL Server service, i.e.:

SETSPN -a MSSQLSvc/[REP01].xyz.local [SQL SERVICE ACCOUNT]
SETSPN -a MSSQLSvc/[REP01].xyz.local:1433 [SQL SERVICE ACCOUNT]
SETSPN -a MSSQLSvc/[REP01] [SQL SERVICE ACCOUNT]
SETSPN -a MSSQLSvc/[REP01]:1433 [SQL SERVICE ACCOUNT]


WEB01:

On the web end we need to specify SPNs for each SharePoint site, including Central Administration:

SETSPN –a HTTP/[WEB ADDRESS]:[PORT NUMBER] [APP POOL DOMAIN ACCOUNT]
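
As an added example (not code from the original post), the following PowerShell script builds the NetBIOS/FQDN SPN set described above, checks Active Directory for an existing owner before each registration so a duplicate is never created, and registers with setspn -s, which itself re-checks for duplicates (Windows Server 2008 and later). The xyz.local suffix, the service account names, and the SharePoint site name and Central Administration port are assumptions.

```powershell
# Added example, not part of the original post. Needs the ActiveDirectory
# RSAT module and a domain admin session. Account names, the DNS suffix and
# the SharePoint site/port below are assumed placeholders.
Import-Module ActiveDirectory

$DnsSuffix = 'xyz.local'

function Get-SpnSet {
    # All four forms for one service on one host: short name and FQDN,
    # each with and without the port, as the post lists them.
    param([string]$Service, [string]$HostName, [int]$Port)
    $fqdn = "$HostName.$DnsSuffix"
    return @("$Service/$HostName", "$Service/${HostName}:$Port",
             "$Service/$fqdn",     "$Service/${fqdn}:$Port")
}

function Get-SpnOwners {
    # Distinguished names of every user/computer object currently holding $Spn.
    # More than one owner is the duplicate condition that breaks Kerberos.
    param([string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
        Select-Object -ExpandProperty DistinguishedName
}

# Assumed account names; replace with the real service accounts.
$plan = @(
    @{ Account = 'xyz\svc_rs';        Spns = Get-SpnSet 'HTTP'     'REP01'  80   }
    @{ Account = 'xyz\svc_sql';       Spns = Get-SpnSet 'MSSQLSvc' 'REP01'  1433 }
    # One entry per SharePoint web application (assumed site name 'portal')
    # plus Central Administration on WEB01 (assumed port 9999).
    @{ Account = 'xyz\svc_spapppool'; Spns = Get-SpnSet 'HTTP'     'portal' 80   }
    @{ Account = 'xyz\svc_spapppool'; Spns = Get-SpnSet 'HTTP'     'WEB01'  9999 }
)

foreach ($entry in $plan) {
    $sam    = ($entry.Account -split '\\')[1]
    $target = (Get-ADUser -Identity $sam).DistinguishedName
    foreach ($spn in $entry.Spns) {
        $owners = @(Get-SpnOwners $spn)
        if ($owners -contains $target) { "$spn already registered on $($entry.Account)"; continue }
        if ($owners.Count -gt 0) {
            # Another object holds it: adding now would create a duplicate SPN.
            Write-Warning "$spn is held by $($owners -join '; ') - remove with setspn -d first"
            continue
        }
        # -s (rather than -a) makes setspn verify there is no duplicate before adding.
        setspn -s $spn $entry.Account
    }
}
```

Run setspn -x afterwards to confirm the domain still reports no duplicates.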

Allowing Constrained Delegation
1. Log on to the domain controller.

2. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

3. Expand the domain node, and then click Users.

4. Right-click the application pool identity user account, and then select Properties.

5. On the Delegation tab, verify that the Trust this user for Delegation to specified Services only option is selected.

6. Select Use Kerberos Only.

7. Click Add.

8. Click Users or Computers.

9. Enter the domain and user name of the account running the service that you want to have accept Kerberos credentials, and then click OK.

10. The Available Services values will appear for the account that you selected. Select the appropriate service and click OK.

Note: This will normally be the Web service associated with the application pool identity that you are modifying, or any services associated with data sources that you want to be able to access using Kerberos authentication.

11. Repeat steps 8 through 10 for each service that you want to accept credentials from this account.

12. Click OK to close the account properties dialog box.

