Cannot get to configure Kerberos for Reporting Services

Posted by Ucodia on Server Fault
Published on 2012-04-13T10:39:26Z Indexed on 2012/04/13 11:32 UTC

Context

I am trying to configure Kerberos in the domain for double-hop authentication. So here are the machines and their respective roles:

  • client01: Windows 7 as client
  • dc01: Windows Server 2008 R2 as domain controller and DNS
  • server01: Windows Server 2008 R2 as reporting server (native mode)
  • server02: Windows Server 2008 R2 as SQL Server database engine

I want my client01 to connect to server01 and configure a data source that is located on server02 using Integrated Security. So as NTLM cannot push credentials that far, I need to set up Kerberos to enable double-hop authentication. The reporting service is run by the Network Service service account and is configured only with the RSWindowsNegotiate option for authentication.

Issue

I cannot pass my client01 credentials to server02 when configuring the data source on server01. Therefore I get the error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

So I went on dc01 and delegated full trust for any service to server01, but it did not fix the problem. I want to note that I did not configure any SPNs for server01 because Reporting Services is run by Network Service and, from what I read on the Internet, when Reporting Services starts up with Network Service, SPNs are automatically registered. My problem is that even if I want to configure SPNs manually, I do not know where I have to set them up. On dc01 or on server01?

So I went a bit further on the issue and tried to trace this problem. From my understanding of Kerberos, this is what should happen on the network when I try to connect the data source:

client01 ---- AS_REQ ---> dc01
         <--- AS_REP ---- 

client01 ---- TGS_REQ ---> dc01
         <--- TGS_REP ----

client01 ---- AP_REQ ---> server01
         <--- AP_REP ----

server01 ---- TGS_REQ ---> dc01
         <--- TGS_REP ----

server01 ---- AP_REQ ---> server02
         <--- AP_REP ----

So I captured my local network with Wireshark, but whenever I try to configure my data source from client01 on server01 to pass my credentials to server02, my client never sends an AS_REQ or TGS_REQ to the KDC on dc01.

Questions

So can anyone tell me if I should configure the SPNs, and on which machine they have to be configured?

Also, why does client01 never request a TGT or a TGS from my KDC? Do you think there is something going wrong with the DC role of dc01?
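
The exchange the post expects, turned into a check that reports which steps are absent from a capture, as an added example that is not part of the original post. It assumes the capture was exported to tab-separated lines of sender, receiver and Kerberos msg-type number; that export format, the function names and the sample lines are constructed for illustration.

```python
# Added example: compare observed Kerberos messages with the flow drawn in the post.
# Message-type numbers are the ones defined in RFC 4120.
MSG_TYPES = {10: "AS_REQ", 11: "AS_REP", 12: "TGS_REQ",
             13: "TGS_REP", 14: "AP_REQ", 15: "AP_REP", 30: "KRB_ERROR"}

# Expected double-hop exchange from the post: (sender, receiver, message).
EXPECTED = [
    ("client01", "dc01", "AS_REQ"), ("dc01", "client01", "AS_REP"),
    ("client01", "dc01", "TGS_REQ"), ("dc01", "client01", "TGS_REP"),
    ("client01", "server01", "AP_REQ"), ("server01", "client01", "AP_REP"),
    ("server01", "dc01", "TGS_REQ"), ("dc01", "server01", "TGS_REP"),
    ("server01", "server02", "AP_REQ"), ("server02", "server01", "AP_REP"),
]

# Constructed sample export (assumed format: sender<TAB>receiver<TAB>msg-type).
SAMPLE = "\n".join([
    "src\tdst\tmsg_type",          # header line, skipped by the parser
    "client01\tserver01\t14",
    "server01\tclient01\t15",
    "server01\tdc01\t12",
    "dc01\tserver01\t13",
])

def parse_capture(text):
    """Return (sender, receiver, message) tuples; skip malformed or unknown lines."""
    observed = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3 or not fields[2].isdigit():
            continue
        name = MSG_TYPES.get(int(fields[2]))
        if name:
            observed.append((fields[0], fields[1], name))
    return observed

def missing_steps(observed):
    """Expected steps that do not appear, in order, among the observed messages."""
    missing, pos = [], 0
    for step in EXPECTED:
        try:
            pos = observed.index(step, pos) + 1   # ordered match, extra traffic ignored
        except ValueError:
            missing.append(step)
    return missing

if __name__ == "__main__":
    for sender, receiver, msg in missing_steps(parse_capture(SAMPLE)):
        print(f"not seen: {sender} -> {receiver} {msg}")
```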

© Server Fault or respective owner
