Kerberos constraint delegation for SharePoint 2010 SP1 and SQL Server 2012 Reporting Services (Named Instance)
There is the following configuration:
1. SharePoint 2010 SP1 with SQL Server 2012 Reporting Services installed
2. SQL Server 2008 R2 with Named Instance on which the base is spinning, from which we need to take information for generating reports. SQL 2012 is configured on article
3. Advanced options:
domain: test.com
- SQL instance name: SP
account for the instance: svcSQL
Task : make it all work using Kerberos
Let's get started
1. Create an account for the Claims to Windows Token Service service (for example, svcC2WTS) in Active Directory and assign it with the following rights on the SharePoint server:
-Act as part of the operating system
-Impersonate a client after authentication
-Log on as a service
And additionally add to local admins
2. In the SharePoint Administration Center, you must register the created account as a Managed Account and start the Claims to Windows Token Service service (/_admin/Server.aspx)
Also, the application pool, which is used to run the SQL 2012 Reporting Services Service Application, worked from the registered Managed account for C2WTS. You can view and change these parameters on the Service Accounts page (/_admin/FarmCredentialManagement.aspx)
3. Also, then there were no problems, change the dependencies for the Claims to Windows Token service :
4. Restart SharePoint
5. On the SQL server, set the static port for the SQL instance under the article Configure a SQL Server Configuration Manager.
I, for example, have port 1234
Why is it necessary, it is described in detail here
6. Register SPN:
More information about registering SPN for a sequel can be read here.
7. In Active Directory Users and Computers we set up delegation for the svcC2WTS account.
On the Delegation tab, you must select Use any authentication protocol and add the SPNs just registered for the sequel services. It is important that both entries are reflected in this tab.
8. Create a new Data Source with the name of the named SQL instance. To connect, use windows authentication (integrated) or sharepoint user and enjoy a successful connection
1. SharePoint 2010 SP1 with SQL Server 2012 Reporting Services installed
2. SQL Server 2008 R2 with Named Instance on which the base is spinning, from which we need to take information for generating reports. SQL 2012 is configured on article
3. Advanced options:
domain: test.com
- SQL instance name: SP
account for the instance: svcSQL
Task : make it all work using Kerberos
Let's get started
1. Create an account for the Claims to Windows Token Service service (for example, svcC2WTS) in Active Directory and assign it with the following rights on the SharePoint server:
-Act as part of the operating system
-Impersonate a client after authentication
-Log on as a service
And additionally add to local admins
2. In the SharePoint Administration Center, you must register the created account as a Managed Account and start the Claims to Windows Token Service service (/_admin/Server.aspx)
Also, the application pool, which is used to run the SQL 2012 Reporting Services Service Application, worked from the registered Managed account for C2WTS. You can view and change these parameters on the Service Accounts page (/_admin/FarmCredentialManagement.aspx)
3. Also, then there were no problems, change the dependencies for the Claims to Windows Token service :
sc config c2wts depend= CryptSvc4. Restart SharePoint
5. On the SQL server, set the static port for the SQL instance under the article Configure a SQL Server Configuration Manager.
I, for example, have port 1234
Why is it necessary, it is described in detail here
6. Register SPN:
setspn -A MSSQLSvc/server_fqdn:SP test\svcSQL
setspn -A MSSQLSvc/server_fqdn:1234 test\svcSQLMore information about registering SPN for a sequel can be read here.
setspn -A SP/SRSS test\svcC2WTS is a fake SPN7. In Active Directory Users and Computers we set up delegation for the svcC2WTS account.
On the Delegation tab, you must select Use any authentication protocol and add the SPNs just registered for the sequel services. It is important that both entries are reflected in this tab.
8. Create a new Data Source with the name of the named SQL instance. To connect, use windows authentication (integrated) or sharepoint user and enjoy a successful connection
')
Source: https://habr.com/ru/post/181121/
All Articles