Cannot get to configure Kerberos for Reporting Services
Posted by Ucodia on Server Fault
Published on 2012-04-13T10:39:26Z
Indexed on 2012/04/13 11:32 UTC
Context
I am trying to configure Kerberos in the domain for double-hop authentication. So here are the machines and their respective roles:
client01: Windows 7 as client
dc01: Windows Server 2008 R2 as domain controller and DNS
server01: Windows Server 2008 R2 as reporting server (native mode)
server02: Windows Server 2008 R2 as SQL Server database engine
I want my client01 to connect to server01 and configure a data source that is located on server02 using Integrated Security. So as NTLM cannot push credentials that far, I need to set up Kerberos to enable double-hop authentication. The reporting service is run by the Network Service service account and is configured only with the RSWindowsNegotiate option for authentication.
Issue
I cannot manage to pass my client01 credentials to server02 when configuring the data source on server01. Therefore I get the error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
So I went on dc01 and delegated full trust for any service to server01, but it did not fix the problem. I want to note that I did not configure any SPNs for server01 because Reporting Services is run by Network Service and, from what I read on the Internet, when Reporting Services starts up with Network Service, SPNs are automatically registered. My problem is that even if I want to configure SPNs manually, I do not know where I have to set them up. On dc01 or on server01?
So I went a bit further on the issue and tried to trace this problem. From my understanding of Kerberos, this is what should happen on the network when I try to connect the data source:
client01 ---- AS_REQ ---> dc01
<--- AS_REP ----
client01 ---- TGS_REQ ---> dc01
<--- TGS_REP ----
client01 ---- AP_REQ ---> server01
<--- AP_REP ----
server01 ---- TGS_REQ ---> dc01
<--- TGS_REP ----
server01 ---- AP_REQ ---> server02
<--- AP_REP ----
So I captured my local network with Wireshark, but whenever I try to configure my data source from client01 on server01 to pass my credentials to server02, my client never sends an AS_REQ or TGS_REQ to the KDC on dc01.
Questions
So can anyone tell me whether I should configure the SPNs, and on which machine they have to be configured?
Also, why does client01 never request a TGT or a TGS from my KDC? Do you think there is something going wrong with the DC role of dc01?
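An added example, not part of the original post: a small checker that compares a capture summary against the ten-step exchange drawn in the question and reports which legs are absent. The `src,dst,msg_type` row format, the function names and the sample rows are assumptions constructed for illustration; the message type numbers are the ones defined in RFC 4120.

```python
import csv
import io

# Kerberos message type numbers defined in RFC 4120.
MSG_TYPES = {10: "AS_REQ", 11: "AS_REP", 12: "TGS_REQ",
             13: "TGS_REP", 14: "AP_REQ", 15: "AP_REP"}

# The exchange the post expects, in order, as (source, destination, message).
EXPECTED = [
    ("client01", "dc01", "AS_REQ"), ("dc01", "client01", "AS_REP"),
    ("client01", "dc01", "TGS_REQ"), ("dc01", "client01", "TGS_REP"),
    ("client01", "server01", "AP_REQ"), ("server01", "client01", "AP_REP"),
    ("server01", "dc01", "TGS_REQ"), ("dc01", "server01", "TGS_REP"),
    ("server01", "server02", "AP_REQ"), ("server02", "server01", "AP_REP"),
]

def parse_capture(text):
    """Parse 'src,dst,msg_type' rows (assumed export format) into tuples."""
    rows = []
    for rec in csv.reader(io.StringIO(text.strip())):
        if len(rec) != 3 or not rec[2].strip().isdigit():
            continue  # skip the header and malformed rows
        name = MSG_TYPES.get(int(rec[2]))
        if name:  # ignore rows that are not one of the six messages
            rows.append((rec[0].strip(), rec[1].strip(), name))
    return rows

def missing_steps(observed, expected=EXPECTED):
    """Return the expected steps that do not appear, in order, in the capture."""
    missing, pos = [], 0
    for step in expected:
        try:
            pos = observed.index(step, pos) + 1  # match must follow the previous one
        except ValueError:
            missing.append(step)
    return missing

# Constructed sample: no traffic between client01 and the KDC, as in the post.
SAMPLE = """src,dst,msg_type
client01,server01,14
server01,client01,15
"""

if __name__ == "__main__":
    for src, dst, msg in missing_steps(parse_capture(SAMPLE)):
        print(f"missing: {src} -> {dst} {msg}")
```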