Cannot get to configure Kerberos for Reporting Services

Posted by Ucodia on Server Fault See other posts from Server Fault or by Ucodia
Published on 2012-04-13T10:39:26Z Indexed on 2012/04/13 11:32 UTC
Read the original article Hit count: 174

Context

I am trying to configure Kerberos in the domain for double-hop authentication. So here are the machines and their respective roles:

  • client01: Windows 7 as client
  • dc01: Windows Server 2008 R2 as domain controller and dns
  • server01: Windows Server 2008 R2 as reporting server (native mode)
  • server02: Windows Server 2008 R2 as SQL Server database engine

I want my client01 to connect to server01 and configure a data source that is located on server02 using Intergrated Security. So as NTLM cannot push credentials that far, I need to setup Kerberos to enable double-hop authentication. The reporting service is runned by the Network Service service account and is configured only with the RSWindowsNegotiate options for authentication.

Issue

I cannot get to pass my client01 credential to server02 when configuring the data source on server01. Therefore I get the error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

So I went on dc01 and delegated full trust for any service to server01 but it not fixed the problem. I want to notice that I did not configured any SPNs for server01 because Reporting Service is runned by Network Service and from what I read on the Internet, when Reporting Services is going up with Network Service, SPNs are automatically registered. My problem is that even if that I want to configure SPNs manually, I do not know where I have to set them up. On dc01 or on server01?

So I went a bit further on the issue and tried to trace this problem. From my understanding of Kerberos, this is what should happen on the network when I try to connect the data source:

client01 ---- AS_REQ ---> dc01
         <--- AS_REP ---- 

client01 ---- TGS_REQ ---> dc01
         <--- TGS_REP ----

client01 ---- AP_REQ ---> server01
         <--- AP_REP ----

server01 ---- TGS_REQ ---> dc01
         <--- TGS_REP ----

server01 ---- AP_REQ ---> server02
         <--- AP_REP ----

So captured my local network with Wireshark, but whenever I try to configure my data source from client01 on server01 to pass my credentials to server02, my client never sends a AS_REQ or TGS_REQ to the KDC on dc01.

Questions

So does anyone can tell me if I should configure the SPNs and on which machine does it have to be configured?

Also why client01 never request for a TGT or a TGS to my KDC. Do you think there is something going wrong with the DC role of dc01?

© Server Fault or respective owner

Related posts about authentication

Related posts about kerberos