The real creative thinkers amongst you might think of more ways to do the same, but that\u2019s not the point here. The point is that SharePoint is not going to magically filter the data, so you need to make arrangements to make sure that your security requirements are met. And for that, you will need to be able to know which user is requesting the data, no matter which solution you choose.<\/p>\n
<\/p>\n
Kerberos authentication, the basics<\/h2>\n
As the name implies, Kerberos will help us with authenticating the user. It\u2019s important to understand that authentication is not the same as authorization. Authentication will help you to identify the user, making sure their identity is validated. Authorizing is the process of granting a user access to resources, based on that same identity. I will not go into the details of authentication; it suffices to know that Kerberos implements a way of checking your credentials to validate your identity. In Microsoft Active Directory environments, Kerberos or NTLM is used as authentication method, where Kerberos is the more secure one.<\/p>\n
In the mentioned case, our user\u2019s identity will be used in several places:<\/p>\n
- \n
- First, SharePoint will authenticate the user.<\/li>\n
- It will then use the user\u2019s identity to check if he \/ she is authorized (there\u2019s the difference!) to view the page, the BCS entity, etc.<\/li>\n
- Now, assuming our user is authorized, BCS is going to query the SQL database to get the actual data. SQL is going to ask for credentials as well. That is where delegation <\/strong>comes in.<\/li>\n
- SharePoint delegate your credentials to SQL, who will authenticate<\/li>\n<\/ul>\n
<\/p>\n
Why Kerberos?<\/h2>\n
When you search for the combination of SharePoint and Kerberos online, you will find a lot of people having problems with it (myself included by the way). Based on that, you might ask: why should I use Kerberos at all? Well for starters, your domain admins might have specified it\u2019s required. Secondly, NTLM doesn\u2019t support double hop authentication<\/strong>. Double hop means your credentials are passed on to a second service \/ server, like we\u2019re doing in this case. Lastly and arguably the most important reason: it\u2019s the most secure over NTLM. So, Kerberos it is\u2026<\/p>\n
<\/p>\n
Step 1: SPNs<\/h2>\n
To be able to use Kerberos, the service using it should be registered in Active Directory. This is done using a service principal name<\/strong> (SPN). To register an SPN, we need some detail on the service which will be using Kerberos as an authentication provider.<\/p>\n
- \n
- Which service you\u2019ll be using. When you initially enabled Kerberos for SharePoint, you used HTTP as the service type. Since we\u2019re enabling SQL Server to use Kerberos, we use: MSSQLSvc<\/strong>\n
- \n
- The fully qualified domain name (FQDN) of the SQL server: sqlserver.contoso.com<\/strong><\/li>\n
- The port your server is using, or in case of a named instance: the named instance itself. 1433 <\/strong><\/b>(default)<\/li>\n
- SP <\/strong>(named instance)<\/li>\n
- The service account which is used to run the SQL service: CONTOSO\\sqlserver_svc<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
We use these parameters as input for the setspn command, as follows:<\/p>\n
setspn \u2013A MSSQLSvc\/sqlserver.contoso.com:1433 CONTOSO\\sqlserver_svc
\nsetspn \u2013A MSSQLSvc\/sqlserver.contoso.com:SP CONTOSO\\sqlserver_svc<\/code><\/p>\nThe setspn command should be executed by a domain admin. When the details are correct, this will register the SPN in AD.
\nTIP! <\/strong>Ask your DBA for these details. And should he \/ she not know (or there is no DBA…): Microsoft has a tool which finds out for you. It\u2019s called \u201cMicrosoft Kerberos Configuration Manager for SQL Server\u201d. With this tool, you can easily check if your configuration is OK and it can also generate the script to generate the correct SPNs when needed. This way you have to worry less about the correct ports and named instances.<\/p>\n![\"Siegmund_BCS](\"http:\/\/blog.repsaj.nl\/wp-content\/uploads\/2014\/06\/Siegmund_BCS-Kerberos-Delegation_01-1024x152.png\")
<\/a><\/p>\nFigure 1: The Kerberos Configuration Manager shows missing SPNs and allows to generate a script for SPN creation.<\/em><\/p>\n
Note:<\/strong> when you\u2019re running SQL 2012 AlwaysOn, you will need to register SPNs for all of the servers in your availability group. You do not have to register SPNs for your listener or aliases. Use the Kerberos Configuration Manager to find out exactly what you need to register.<\/p>\n
<\/p>\n
Step 2: delegation<\/h2>\n
Setting the SPNs will not yet have enabled the double-hop scenario. We now need to tell Active Directory that our SharePoint application pool accounts are allowed to delegate credentials to the previously added SPNs.<\/p>\n
To do so, open up the Active Directory Users and Computers tool and find the account used for the SharePoint application pool. Note that this is the application pool which serves the site in which you want to use the external content type (ECT). When you\u2019re going to use it in multiple web applications, you might have to do these steps for multiple accounts as well.<\/p>\n
![\"Siegmund_BCS](\"http:\/\/blog.repsaj.nl\/wp-content\/uploads\/2014\/06\/Siegmund_BCS-Kerberos-Delegation_02.png\")
<\/a><\/p>\nFigure 2: the Delegation tab shows to which SPNs this account is allowed to delegate credentials. <\/em><\/p>\n
On the Delegation tab (Figure 2), you will find all of the SPNs to which this account is allowed to delegate. Of course you could also select \u201cTrust this user for delegation to any service (Kerberos only)\u201d, which would be the easier, but less safe option. To add an SPN, click \u201cAdd\u201d and search for your SQL Server service account (NOT the server itself). You will now find all SPNs (servers) registered for that particular service account; select the ones you need to enable delegation for. At this time, Kerberos will now allow delegation of user credentials by the SharePoint application pool, to the SQL server hosting the database.<\/p>\n
<\/p>\n
Step 3: Configuring ECT for delegation<\/h2>\n
When you create an External Content Type (ECT), the connection properties (figure 1) have an \u201cAuthentication Mode\u201d property. Here, we can choose between the following values:<\/p>\n
- \n
- User\u2019s Identity<\/li>\n
- BCS Identity<\/li>\n
- Impersonate Windows Identity<\/li>\n
- Impersonate Custom Identity<\/li>\n<\/ul>\n
The two impersonate<\/strong> options use a credential which is stored in the secure store and identified with a secure store application ID. This will usually be a service account stored in Active Directory, or a SQL account. The \u201cBCS Identity\u201d option uses the application pool account. This option is disabled by default and in most cases you should leave it that way. Reusing such an account for multiple purposes adds security risks and complicates your security scheme.
\nThe first option is the one we\u2019re interested in: using the User\u2019sIdentity<\/strong>. This means BCS will connect to the SQL server by delegating (acting on behalf of) the currently logged on user. This way, we can use this information to filter data.<\/p>\n![\"Siegmund_BCS](\"http:\/\/blog.repsaj.nl\/wp-content\/uploads\/2014\/06\/Siegmund_BCS-Kerberos-Delegation_03.png\")
<\/a><\/p>\nFigure 3: BCS connection properties<\/em><\/p>\n
That\u2019s it! You should now be able to create a new External List based on your previously created content type. When everything is configured, SharePoint now passes along the identity of the currently logged on user to SQL. You can check if your connections are using Kerberos by using the following SQL statement:<\/p>\n
SELECT auth_scheme FROM sys.dm_exec_connections<\/code><\/p>\nAnd when you want to include the current user in your view, use the CURRENT_USER variable as such:<\/p>\n
SELECT CURRENT_USER
\n<\/code><\/p>\nOf course, these same steps apply to any service for which you want to enable Kerberos. Make sure you register the correct service type, server name and accounts; and you\u2019re good to go!<\/p>\n
<\/p>\n
Used sources \/ links<\/h2>\n
Identity delegation for Business Connectivity Services
\nhttp:\/\/technet.microsoft.com\/en-us\/library\/gg502600(v=office.14).aspx<\/a><\/p>\nSharePoint 2010 and Kerberos
\nhttp:\/\/www.harbar.net\/archive\/2010\/03\/31\/sharepoint-2010-and-kerberos.aspx<\/a><\/p>\nAuthenticating to Your External System
\nhttp:\/\/blogs.msdn.com\/b\/bcs\/archive\/2010\/03\/12\/authenticating-to-your-external-system.aspx<\/a><\/p>\nSetspn overview
\nhttp:\/\/technet.microsoft.com\/nl-nl\/library\/cc773257(v=WS.10).aspx<\/a><\/p>\nMicrosoft\u00ae Kerberos Configuration Manager for SQL Server\u00ae
\nhttp:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=39046<\/a><\/p>\n
- The port your server is using, or in case of a named instance: the named instance itself. 1433 <\/strong><\/b>(default)<\/li>\n
- The fully qualified domain name (FQDN) of the SQL server: sqlserver.contoso.com<\/strong><\/li>\n
- SharePoint delegate your credentials to SQL, who will authenticate<\/li>\n<\/ul>\n
![\"Siegmund_BCS](\"http:\/\/blog.repsaj.nl\/wp-content\/uploads\/2014\/06\/Siegmund_BCS-Kerberos-Delegation_01.png\")
<\/a><\/p>\n