Security is hard, but that is not a good reason to do things the easy way. A big challenge for SQL Server DBAs is configuring security for SSRS when faced with the "double-hop" issue. The way to solve this problem is by implementing Kerberos delegation. This course will explain what Kerberos is and why you need it. More importantly, it will provide the knowledge required to configure it and troubleshoot when things go wrong.
Kathi Kellenberger is a SQL Server MVP and a Teammate with Linchpin People. She is the author or co-author of several SQL Server books, including Beginning T-SQL from Apress, and frequently speaks at community events such as PASS Summit and SQL Saturday.
Course Overview Hello everyone. My name is Kathi Kellenberger, and welcome to my course Configuring Kerberos for SSRS. I am an independent database consultant at Linchpin People. When Kerberos Delegation is not configured, SSRS cannot pass the user's credentials to SQL Server, and the connection fails. This is called the double-hop issue. This course will teach you why Kerberos Delegation is so important, how to configure it, and how to troubleshoot the issues. Some of the thing that we'll cover include configuring Kerberos for SSRS in native mode, configuring Kerberos for SharePoint integrated mode, and working with managed service accounts. By the end of this course, you'll understand how Kerberos Delegation works, and you'll know where to look to troubleshoot when things go wrong. Before beginning the course, you should be familiar with managing SQL Server and Reporting Services. I hope you'll join me on this journey to learn about Kerberos Delegation with the Configuring Kerberos for SSRS course at Pluralsight.
Understanding the Double-hop Problem Hello, this is Kathi Kellenberger, and welcome to Configuring Kerberos Authentication for SQL Server Reporting Services. Let's face it, security done correctly is really hard, but that's not a good reason to do things the easy way. In this course, you'll learn how to overcome a very frustrating security issue that most administrators encounter when managing SQL Server Reporting Services. Let's start by looking at an overview of the first module, Understanding the Double-Hop Problem. First, I'll show how SSRS might be configured and how some configurations could lead to challenges with security. I'll show you some easy workarounds that can be used to avoid these security challenges, but keep in mind, however, that these workarounds are not appropriate for many companies and many situations and could violate the security policies that you have in place. I'll describe the lab I've got setup, and I'll be using the lab throughout the course. I'll end the module with a demonstration of the double-hop security issue found with SSRS. So now let's take a look at the double-hop problem.
Understanding Kerberos Authentication In this module, Understanding Kerberos Authentication, we'll learn how Kerberos works, and how about we'll solve the double-hop problem. Let's take a look at we'll cover in this module. First, I'll briefly cover the history of Kerberos as it relates to Windows networks. When Kerberos can't be used, authentication will revert to an older standard called NTLM. I'll explain the difference between NTLM and Kerberos. I'll define some keywords you need to know to understand Kerberos, and I'll list the tools we'll be using for configuration. Finally, I'll show a quick demo before moving on to the next module. Let's take a look at the history of Kerberos.
Configuring Kerberos for SSRS Native Mode In this module, Configuring Kerberos for SSRS Native Mode, I will walk you step-by-step through Kerberos configuration. Hold on tight; this module is loaded with demos. Before we jump into the details, let's take a look at what this module covers. Just like any IT project or task, you need to do the prep work. In this case, it means gathering the information that you'll need to do the configuration, and also, very important to figure out, who will complete the steps involved. Just in case you would like to delegate the work to a non-domain administrator DBA group, I'll show you how to set that up. There are quite a few steps for me to demonstrate, setting up the SPNs, a property on the service account must be set to allow delegation, and SSRS must be configured to allow Kerberos. After that, I'll prove to you that it worked. Let's take a look at the preparation involved with setting up Kerberos delegation.
Using Managed Service Accounts In this module, Using Managed Service Accounts, I'll show you how using a new type of service account to run SQL Server 2012 relater can make your life easier. Before we dive into the details, let's go over what this module covers. First, I'll explain what a managed service account is and the benefits. I'll create a new managed service account and use it to run a SQL Server instance. Then we'll talk about a newer type of account, a group managed service account. We'll see what happens when a SQL Server using one of these accounts is renamed. It's not really difficult to set up this type of account, but if it's not done completely perfectly, they won't work. I'm including a section at the end of the module to help you troubleshoot problems that you may encounter.
Configuring Kerberos for SSRS in SharePoint Mode In this module, Configuring Kerberos for SSRS in SharePoint Mode, I'll explain what needs to be done to get Kerberos configured when SSRS is running on SharePoint. First, I'll explain how SSRS is managed differently when in SharePoint mode. To get Kerberos configured, a service called Claims to Windows Token Service must be set up. I'll walk you through the steps, and then I'll test it to make sure that everything works.
Troubleshooting Kerberos In this module, Troubleshooting Kerberos, I'll talk about ways to correct problems with Kerberos configuration. I'll talk about the type of things that can frequently go wrong and the error messages you might see. Then I'll introduce you to tools that are available to help you track down the issues.