SharePoint 2013 + SQL Server 2014 Kerberos configuration, illustrated: the final solution, verified.


1. Install the database. I will not describe the installation itself; just pay close attention to the accounts. A reference example with the accounts I used follows below.

2. Set up DNS. If there is no DNS server, edit the local hosts file instead.

3. Configure the Claims to Windows Token Service account. (In the Chinese UI this is called “声明为 Windows 令牌服务”.)

Create an AD account to be used by the Claims to Windows Token Service, e.g. SP_C2WTS.

Open a SharePoint PowerShell prompt as Administrator and run the following command:

$w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)

$w.GrantAccessToProcessIdentity("blue\sp_c2wts") (Put your service account name)

Verify it.

The screenshot confirms it is OK.

Change the account in the SharePoint UI running the Claims to Windows token Service

  1. Navigate to Security in Central Admin,
  2. Click on Managed Accounts and add the new C2WTS account as a Managed Account,
  3. Click Security again and Click on Service Accounts,
  4. Click the Drop Down and Select Claims to Windows Token Service,
  5. Select the new Managed Account SP_C2WTS and click OK. (Wait a few minutes for it to complete)
  6. Set the following permissions on all SharePoint servers in the farm (All must be done) – this is completed under Local Security Policy on each server

The next step is done on each SharePoint farm server:

  1. Grant Log on as a service (this should have happened automatically)
  2. Impersonate a User (this should have happened automatically)
  3. Act as part of the operating system (If it is greyed out, your domain admin will need to update the group policy to allow it)

See the screenshot below.

Since we are already here, configure the other rights as well. As shown in the screenshot: click “Impersonate a client after authentication”, then “Add User or Group”, and add the Kerberos account.

Do the same for “Act as part of the operating system”: add the Kerberos account.

  1. Local admin on all SharePoint servers
  2. STOP and START the Claims to Windows Token Service (from the SharePoint UI) on all servers in the farm. Simply navigate to Services in Farm, select each server from the link in the top right corner, and Stop and Start each one individually, waiting for them to finish.

Now comes the interesting part: granting permissions to the application pool account. Be flexible here. If a particular account cannot be found, or granting it permissions is troublesome, run that application pool under the administrator account and copy the required permissions to the administrator account instead.

You can also follow the steps exactly, as below:

Grant permission for the account running the application pool for the Service Application

e.g. Excel Services Service Application, Reporting Services Service Application, etc.

  1. For Analysis services this User must be Granted SQL Analysis Services Administrator access (Unfortunately this is required as Read permission is insufficient for the delegation of credentials)
  2. Check which account is being used by navigating to Central Admin Security and then select Service Accounts and from the drop down list validate each service or application pool.
  3. In my example I have an account SP_Services and that account is granted Admin permissions on Analysis Services and granted “SP_DataAccess” on SQL to the SharePoint web application content database(s).
  4. Validate that the account has the following permissions on each SharePoint server

    (This should be completed automatically but should be validated under the Local Security Policy)

    1. Grant Log on as a service
    2. Impersonate a User
  5. Grant process identity access to the Service account

    $w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)

    $w.GrantAccessToProcessIdentity("blue\sp_Services") (Put your service account name)
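The walkthrough asks, in the Local Security Policy steps for the C2WTS account above and again in step 4 here, that you validate "Log on as a service", "Impersonate a client after authentication" and "Act as part of the operating system" on every SharePoint server. The following script is an added example, not code from the original post or from Microsoft: it exports the local policy with `secedit` and checks the `[Privilege Rights]` section for the accounts, so the validation can be scripted across the farm. It only detects rights granted directly to the account (a right held through group membership is not reported), and the account names are the post's sample values.

```powershell
# Added example (not from the original post): check the user-rights assignments the
# walkthrough requires without opening the Local Security Policy console.
# Run elevated on each SharePoint server. Account names are the post's samples.

# Rights by their constant names, as they appear in a secedit export.
$RightsToCheck = @{
    'SeServiceLogonRight'    = 'Log on as a service'
    'SeImpersonatePrivilege' = 'Impersonate a client after authentication'
    'SeTcbPrivilege'         = 'Act as part of the operating system'
}

function Get-LocalPrivilegeRights {
    # Returns a hashtable: right name -> SIDs/names granted that right.
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\[(.+)\]') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\S+)\s*=\s*(.*)$') {
            # Entries are comma-separated; SIDs are prefixed with '*'.
            $rights[$Matches[1]] = $Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $rights
}

function Test-AccountRights {
    # Emits one row per required right, with Granted = $true/$false.
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'blue\sp_c2wts'
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    $rights = Get-LocalPrivilegeRights
    foreach ($name in $RightsToCheck.Keys) {
        $holders = @($rights[$name])
        $granted = ($holders -contains $sid) -or ($holders -contains $Account)
        [pscustomobject]@{ Account = $Account; Right = $RightsToCheck[$name]; Granted = $granted }
    }
}

# Sample accounts from the post; replace with your own.
Test-AccountRights -Account 'blue\sp_c2wts'
Test-AccountRights -Account 'blue\sp_Services' | Where-Object Right -ne 'Act as part of the operating system'
```

Run it on each server in the farm; any row with `Granted = False` for the C2WTS account is the case the walkthrough says needs either the service-account UI step to be re-run or a domain admin to adjust group policy.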

Following the steps above, the screenshots are as follows; compare them against the steps yourself. This Kerberos account must be added to the Administrators group on the SharePoint server.

Set the App Pool permissions, and confirm that the Claims to Windows Token Service is started.

In Central Administration, Application Management, Manage service applications: note that the Reporting Services service application is managed by the ExcelService account, i.e. the application pool that shows up in IIS with a complex name. This is configurable.

Configure the properties of the SQL Server 2014 Analysis Services instance: open the database, log in to the Analysis Services instance, right-click, choose Properties, and add the ExcelService account from earlier; if there is no administrator account there, add one as well. The next few screenshots also add the administrator account.

Run the following command; the result is shown in the screenshot.

  1. Grant process identity access to the Service account

    $w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)

    $w.GrantAccessToProcessIdentity("blue\sp_Services") (Put your service account name)

If using PowerPivot – Setup the PowerPivot account

Change the account running the PowerPivot browser service to use an AD Account

(This is completed through the SQL Server Configuration manager) and restart the service (This will take a few minutes and it will not be accessible during this time).

Configure the two accounts below to make sure the SQL administrator account is used.

Configuring SPNs should be nothing new; come on.

  1. Check for existing Service Principal Name

    (check each account prior to configuring as some may already exist and duplicates / misconfiguration break Kerberos)

    This also impacts SQL connectivity, as a Kerberos misconfiguration will throw invalid SSPI context errors in SQL: SQL Server automatically uses Kerberos if SPNs are registered, and it self-registers the SPNs if Local System is used.

    SPNs have to be set for both the NetBIOS (short) name and the FQDN (fully qualified name)

    e.g. SETSPN -S HTTP/bi.blue.com blue\sp_webapp,  SETSPN -S HTTP/bi blue\sp_webapp

  2. Configure SPNs
    1. CONFIGURE SPNs (SHAREPOINT SQL SERVER)

      [REQUIRED FOR SQL SERVER FOR SHAREPOINT DATABASES - NOT REQUIRED FOR SQL ALWAYS ON AVAILABILITY GROUPS]

      Details required: SQL Instance name, Static Port and SQL Service account

      e.g. My SQL instance is SQL01\SQL2012, my service account is SP_SQL and my port is 40000 (replace these with your own server and account details).

      The 1st one is on my instance name

      setspn -s MSSQLSvc/SQL01:SQL2012 SP_SQL

      setspn -s MSSQLSvc/SQL01.blue.com:SQL2012 SP_SQL

      and the 2nd one is on port

      setspn -s MSSQLSvc/SQL01:40000 SP_SQL

      setspn -s MSSQLSvc/SQL01.blue.com:40000 SP_SQL

      [REQUIRED FOR SQL 2014 ALWAYS ON AVAILABILITY GROUPS ONLY - this is required because a Listener registers in DNS exactly the same as a server name]

      This section Details required: Listener name only

      e.g. My Listener is SQLSYNCLISTEN, my service account is SP_SQL and my port is 1433 (this must be 1433, or you will need to use a SQL Alias, as a SQL Listener does not use SQL Browser).

      The 1st one is the SQL Listener without a port

      setspn -s MSSQLSvc/SQLSYNCLISTEN SP_SQL

      setspn -s MSSQLSvc/SQLSYNCLISTEN.blue.com SP_SQL

      and the 2nd one is with the port [If you use a SQL Alias then any port can be used but then replace 1433 below with the new port number]

      setspn -s MSSQLSvc/SQLSYNCLISTEN:1433 SP_SQL

      setspn -s MSSQLSvc/SQLSYNCLISTEN.blue.com:1433 SP_SQL

    2. CONFIGURE SPNs (SQL Analysis Services Multidimensional) (Server name and Instance required)

      e.g. SQLAS01\Multi

      setspn -s MSOLAPSvc.3/SQLAS01:MULTI SQL_AS

      setspn -s MSOLAPSvc.3/SQLAS01.blue.com:MULTI SQL_AS

      setspn -s MSOLAPDisco.3/SQLAS01 SQL_AS

      setspn -s MSOLAPDisco.3/SQLAS01.blue.com SQL_AS

    3. CONFIGURE SPNs (SQL Analysis Services Tabular)

      (Server name and Instance required)

      e.g. SQLAS01\Tabular

      setspn -s MSOLAPSvc.3/SQLAS01:Tabular SQL_AS

      setspn -s MSOLAPSvc.3/SQLAS01.blue.com:Tabular SQL_AS

    4. CONFIGURE SPNs (SQL Analysis Services PowerPivot)

      (Server name and Instance required - POWERPIVOT)

      e.g. APP01\POWERPIVOT

      setspn -s MSOLAPSvc.3/APP01:POWERPIVOT SQL_AS

      setspn -s MSOLAPSvc.3/APP01.blue.com:POWERPIVOT SQL_AS

      setspn -s MSOLAPDisco.3/APP01 SQL_AS

      setspn -s MSOLAPDisco.3/APP01.blue.com SQL_AS

    5. CONFIGURE SPNs (SQL Server - DataWarehouse)

      (Server name, Instance and Port is required)

      e.g. SQLAS01\SQL_SQLDW and my port is 41000

      setspn -s MSSQLSvc/SQLAS01:SQLDW SQL_SQLDW

      setspn -s MSSQLSvc/SQLAS01.blue.com:SQLDW SQL_SQLDW

      setspn -s MSSQLSvc/SQLAS01:41000 SQL_SQLDW

      setspn -s MSSQLSvc/SQLAS01.blue.com:41000 SQL_SQLDW

    6. HOST HEADER / AAM

      (This is the same DNS entry you already configured.)

      e.g. http://bi.blue.com and my account is sp_webapp (This is the account that is running the application pool in IIS that requires Kerberos)

      setspn -s HTTP/bi.blue.com sp_webapp

      setspn -s HTTP/bi sp_webapp

    7. FAKE SPN

      (These are the accounts configured to run the Service Application app pools and the Claims to Windows Token Service)

      FAKE SPNs are used just to enable the Delegation tab in Active Directory. (It doesn't matter what you use for the service name here; only the accounts matter.)

      e.g. sp_services and sp_c2wts

      setspn -s SP/EXCEL sp_services

      setspn -s SP/C2WTS sp_c2wts
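The section above stresses that every account must be checked before an SPN is added, because a duplicate or an SPN registered on the wrong account breaks Kerberos and surfaces as "invalid SSPI context" in SQL Server. The script below is an added example, not code from the original post or from Microsoft: it puts the walkthrough's SPN list into one table, compares it against what `setspn -L` reports for each account, flags an SPN that `setspn -Q` finds on some other account as a conflict, and only registers the missing ones when run with `-Apply`. Host names, ports and account names are the post's sample values.

```powershell
# Added example (not from the original post): audit the walkthrough's SPNs before
# registering them. setspn -S already refuses to create a duplicate, but an
# explicit audit shows what is missing and what exists on *another* account.
# Host names, ports and account names are the post's sample values; replace them.

$Required = @{
    'SP_SQL'      = @('MSSQLSvc/SQL01:SQL2012', 'MSSQLSvc/SQL01.blue.com:SQL2012',
                      'MSSQLSvc/SQL01:40000',   'MSSQLSvc/SQL01.blue.com:40000')
    'SQL_AS'      = @('MSOLAPSvc.3/SQLAS01:MULTI', 'MSOLAPSvc.3/SQLAS01.blue.com:MULTI',
                      'MSOLAPDisco.3/SQLAS01',     'MSOLAPDisco.3/SQLAS01.blue.com')
    'SQL_SQLDW'   = @('MSSQLSvc/SQLAS01:SQLDW', 'MSSQLSvc/SQLAS01.blue.com:SQLDW',
                      'MSSQLSvc/SQLAS01:41000', 'MSSQLSvc/SQLAS01.blue.com:41000')
    'sp_webapp'   = @('HTTP/bi.blue.com', 'HTTP/bi')
    'sp_services' = @('SP/EXCEL')     # "fake" SPN, only to enable the Delegation tab
    'sp_c2wts'    = @('SP/C2WTS')
}

function Get-RegisteredSpn {
    # SPNs currently on an account, parsed from the indented lines of setspn -L.
    param([Parameter(Mandatory)][string]$Account)
    & setspn.exe -L $Account 2>$null |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9.]+/' }
}

function Test-SpnExistsInForest {
    # setspn -Q searches the forest; "Existing SPN found!" means some account,
    # not necessarily the intended one, already owns this SPN.
    param([Parameter(Mandatory)][string]$Spn)
    $out = & setspn.exe -Q $Spn 2>$null
    return [bool]($out -match 'Existing SPN found')
}

function Sync-RequiredSpn {
    # Reports each required SPN as OK / MISSING / CONFLICT; with -Apply, registers
    # the missing ones with setspn -S (which still refuses duplicates).
    param([hashtable]$Map = $Required, [switch]$Apply)
    foreach ($account in $Map.Keys) {
        $have = @(Get-RegisteredSpn -Account $account)
        foreach ($spn in $Map[$account]) {
            if ($have -contains $spn) {
                $state = 'OK'
            } elseif (Test-SpnExistsInForest -Spn $spn) {
                $state = 'CONFLICT'      # owned by another account: fix before going on
            } elseif ($Apply) {
                & setspn.exe -S $spn $account | Out-Null
                $state = 'ADDED'
            } else {
                $state = 'MISSING'
            }
            [pscustomobject]@{ Account = $account; SPN = $spn; State = $state }
        }
    }
}

Sync-RequiredSpn | Format-Table -AutoSize      # dry run: nothing is changed
# Sync-RequiredSpn -Apply                      # register whatever is MISSING
& setspn.exe -X                                 # forest-wide duplicate check
```

Run the dry run first and resolve every CONFLICT row by hand (decide which account should own the SPN and remove it from the other with `setspn -D`), then run with `-Apply`; `setspn -X` at the end is the forest-wide duplicate check the text recommends.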

Reference screenshots.

Now raise the privileges of these managed accounts on the domain controller. Explanation and screenshots follow.

  1. Set Constrained Delegation

    (Constrained delegation must be set for any account running the Service Application pools for the services that require Kerberos, as well as the Claims to Windows Token Service account and the account running the PowerPivot SQL service.)

    In my case this is SP_Services, SP_C2WTS and SQL_AS (the last only for PowerPivot data sources; this is a change with Excel 2013, as the connection refreshes with the worksheet).

    A Domain Admin is required here and must log in to a Domain Controller.

    1. Find the SP_Services account (replace with your account name) and click on the Delegation tab

      1. Click on “Trust this user for delegation to specified services only”
      2. Select “Use any authentication protocol”
      3. This is where it can get confusing: make sure you have all the service accounts you set up previously ready.

        (These are the ones you ran SETSPN for.)

      4. Start with your first data source and type in your service account name (NOT SERVER NAMES), e.g. SP_SQL, SQL_AS, SQLDW_SQL, and click OK.
      5. You will then be prompted with all the SPNs; select only the ones you need here, i.e. the ones noted above.
      6. The worst case is when the account you use is utilized for many services and you see many SPNs.
      7. Select the required SPNs (the ones you added above) and click OK.
      8. Click the “Apply” button after each add, i.e. before you select another account; otherwise you will get an error.
      9. Repeat this process, selecting each account that you need to delegate to, i.e. all the data sources and the web application. It is all about where you want to allow it to delegate to.
      10. Now select the Claims to Windows Token Service account, e.g. SP_C2WTS (replace with your account), and repeat the exact steps you did for the SP_Services account. (Technically, for SP_C2WTS you can exclude the web application, but for simplicity's sake I made the process the same.)
      11. For my PowerPivot service account SQL_AS I was connecting to a SQL Data Warehouse and my Analysis Services, so you only set constrained delegation for the destination data source; in my case I looked up SQL_SQLDW, "selected all", clicked OK and applied constrained delegation.
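The Delegation tab steps above map onto two attributes of the service account: the list of target SPNs is stored in `msDS-AllowedToDelegateTo`, and "Use any authentication protocol" is the `TrustedToAuthForDelegation` flag (protocol transition, which C2WTS needs because it starts from a claims identity rather than a user's own ticket). The script below is an added example, not code from the original post or from Microsoft; it sets and then reads back both attributes with the ActiveDirectory module, so the result can be reviewed without clicking through each account. It assumes RSAT-AD-PowerShell on the machine and a domain-admin session, and the account and SPN values are the post's samples.

```powershell
# Added example (not from the original post): configure constrained delegation
# with protocol transition through the ActiveDirectory module, mirroring the
# Delegation-tab clicks in the walkthrough. Values are the post's samples.
Import-Module ActiveDirectory

function Set-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$Account,      # e.g. SP_Services
        [Parameter(Mandatory)][string[]]$TargetSpn   # services it may delegate to
    )
    # msDS-AllowedToDelegateTo is the attribute behind "Services to which this
    # account can present delegated credentials". -Replace sets the whole list,
    # so the effective targets are exactly what is passed in, nothing inherited.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    # TrustedToAuthForDelegation = "Use any authentication protocol".
    Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $true
}

function Get-ConstrainedDelegation {
    # Reads the configuration back for review; keep the output with the change record.
    param([Parameter(Mandatory)][string]$Account)
    $u = Get-ADUser -Identity $Account -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    [pscustomobject]@{
        Account             = $u.SamAccountName
        ProtocolTransition  = $u.TrustedToAuthForDelegation
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo')
    }
}

# The data-source SPNs registered earlier in the walkthrough (sample values).
$dataSources = @(
    'MSSQLSvc/SQL01:SQL2012',    'MSSQLSvc/SQL01.blue.com:SQL2012',
    'MSSQLSvc/SQL01:40000',      'MSSQLSvc/SQL01.blue.com:40000',
    'MSOLAPSvc.3/SQLAS01:MULTI', 'MSOLAPSvc.3/SQLAS01.blue.com:MULTI',
    'MSOLAPDisco.3/SQLAS01',     'MSOLAPDisco.3/SQLAS01.blue.com',
    'MSSQLSvc/SQLAS01:SQLDW',    'MSSQLSvc/SQLAS01.blue.com:SQLDW',
    'MSSQLSvc/SQLAS01:41000',    'MSSQLSvc/SQLAS01.blue.com:41000'
)
$webApp = @('HTTP/bi.blue.com', 'HTTP/bi')

# Same targets for both accounts, as the post does (it notes SP_C2WTS could omit the web app).
Set-ConstrainedDelegation -Account 'SP_Services' -TargetSpn ($dataSources + $webApp)
Set-ConstrainedDelegation -Account 'SP_C2WTS'    -TargetSpn ($dataSources + $webApp)
# PowerPivot account: only the destination data source, as in step 11.
Set-ConstrainedDelegation -Account 'SQL_AS' -TargetSpn @(
    'MSSQLSvc/SQLAS01:SQLDW', 'MSSQLSvc/SQLAS01.blue.com:SQLDW',
    'MSSQLSvc/SQLAS01:41000', 'MSSQLSvc/SQLAS01.blue.com:41000')

'SP_Services', 'SP_C2WTS', 'SQL_AS' | ForEach-Object { Get-ConstrainedDelegation -Account $_ }
```

Because `-Replace` overwrites the list, keep each account's target set in the script itself; that also gives you a reviewable record of exactly where each service account is allowed to delegate, which is the scope the walkthrough tells you to keep as narrow as the data sources require.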

Reference for the configuration approach: http://blogs.technet.com/b/scottstewart/archive/2014/04/10/kerberos-sharepoint-2013-sql-2012-for-business-intelligence.aspx


Then configure the SharePoint authentication mode.

  1. Navigate to Central Admin,
  2. Select web applications,
  3. Highlight the Web application (Do not click on the link – click next to it to highlight it and select it),
  4. Select Authentication providers and click Windows,
  5. Scroll down, change NTLM to Kerberos and select it
  6. Open a Command Prompt as Administrator and run IISRESET (USERS WILL LOSE CONNECTIVITY AND THEIR CURRENT SESSIONS SO DO THIS DURING SCHEDULED DOWNTIME)

Restart IIS.

Afterwards, close the browser and log in to SharePoint again. If the login succeeds, the configuration is complete and has taken effect. If it was not configured successfully, you will be prompted to log in again and again without ever succeeding.
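A successful login only shows that some authentication worked; it does not show that it was Kerberos rather than an NTLM fallback, and an NTLM fallback is exactly what makes the later delegation to SQL Server fail. The script below is an added example, not code from the original post or from Microsoft: run on the SharePoint web server after the IISRESET, it reads the Security log's logon-success events (4624), keeps the network logons that IIS records for browser requests, and reports how many used Kerberos versus NTLM and which of them carried delegated credentials. It assumes logon success auditing is enabled on the server.

```powershell
# Added example (not from the original post): confirm that browser logons to the
# web server are Kerberos, not NTLM, from Security event 4624 on the server itself.

function Get-EventField {
    # Pull one named <Data> value out of a 4624 event's EventData block.
    param($Data, [string]$Name)
    ($Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-NetworkLogonRecords {
    # One row per network logon (type 3) in the last $Minutes on this server.
    param([int]$Minutes = 30)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        if ((Get-EventField $data 'LogonType') -ne '3') { continue }
        $user = '{0}\{1}' -f (Get-EventField $data 'TargetDomainName'), (Get-EventField $data 'TargetUserName')
        # Skip machine accounts and anonymous: only interactive users' web requests matter here.
        if ($user -match '\$$' -or $user -match 'ANONYMOUS') { continue }
        $transmitted = Get-EventField $data 'TransmittedServices'
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $user
            Package     = Get-EventField $data 'AuthenticationPackageName'   # Kerberos or NTLM
            Workstation = Get-EventField $data 'WorkstationName'
            # TransmittedServices is '-' unless the ticket was obtained via delegation.
            Delegated   = ($transmitted -ne '-' -and -not [string]::IsNullOrEmpty($transmitted))
        }
    }
}

function Get-LogonPackageSummary {
    # Counts per package; any NTLM rows after the Kerberos switch deserve a look.
    param([int]$Minutes = 30)
    $rows = @(Get-NetworkLogonRecords -Minutes $Minutes)
    $rows | Group-Object Package | Select-Object @{ n = 'Package'; e = { $_.Name } }, Count,
        @{ n = 'Delegated'; e = { @($_.Group | Where-Object Delegated).Count } }
}

Get-LogonPackageSummary -Minutes 30 | Format-Table -AutoSize
# Show the NTLM fallbacks, if any, with the workstation that sent them.
Get-NetworkLogonRecords -Minutes 30 | Where-Object Package -eq 'NTLM' | Format-Table -AutoSize
```

After a fresh browser login you expect the summary to show Kerberos rows for your test user; NTLM rows from the same workstation after the switch usually mean a missing or duplicate HTTP SPN for the web application URL, which is what the SPN section above is there to prevent.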

Time: 2024-10-04 04:00:08
