
Understanding Kerberos, Part I


I get a lot of questions where I work about Kerberos and how it works for SQL Server, whether we're talking about the database engine or Reporting Services. I also see it quite a bit on Twitter. This is a series of posts that looks to explain Kerberos in more detail than a single article or post would. For today we'll just tackle some basic questions I see a lot.

What is Kerberos?

Kerberos, at least as far as computers are concerned, is a security protocol which provides authentication services. Basically, Kerberos helps with the "Who are you?" question. The name Kerberos was taken from Greek mythology, specifically the name for the three-headed dog, which we usually spell Cerberus.

When did Kerberos come about?

In the Microsoft world, Kerberos was first introduced with the operating system in Windows 2000. However, it was developed at MIT some time in the '80s (at least, Kerberos version 4 was). Therefore, it is not a "Microsoft protocol."

Why did Microsoft start moving to Kerberos?

Quite simply, to solve issues that the previous core security protocol, NTLM (NT LAN Manager), couldn't. Among these:

What is an SPN?

SPN is an abbreviation for Service Principal Name. The SPN is what a client checks out in order to authenticate a server. If what the client finds out about the server doesn't match the SPN it gets from Active Directory, then Kerberos authentication fails (which is what you would want because it means something is wrong). An SPN in Active Directory basically communicates the following information:

Are some SPNs built in?

Yes. There is a HOST SPN that every computer in Active Directory automatically has. It covers quite a few services. However, it does not cover the SQL Server database engine, which uses MSSQLSvc, or SQL Server Analysis Services, which uses MSOLAPSvc.3. It also does not cover SSRS if SSRS is running under an account other than Network Service, or if you're accessing the SSRS site with something other than the physical name of the server.

Can you use a "common name" for an SPN?

Absolutely. For instance, it would not be unusual to see for a Reporting Services farm.

What are the most common tools for managing SPNs?

The two most common tools, at least the ones I use, are SETSPN and LDP. LDP is used more so for finding duplicate SPNs (which would prevent Kerberos authentication from working properly).
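As an added example (not from the original post), this PowerShell function performs the duplicate-SPN check described above by querying Active Directory directly. It assumes it runs on a domain-joined machine with read access to the directory; the function name Find-DuplicateSpn is the example's own.

```powershell
# Added example (not from the original post): report SPNs registered on more
# than one AD account, the condition that prevents Kerberos authentication.
# Assumes a domain-joined machine with read access to the directory.
function Find-DuplicateSpn {
    param(
        # Optional service class to narrow the search, e.g. 'MSSQLSvc'.
        [string]$ServiceClass = '*'
    )

    # Query every account that carries at least one matching SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$ServiceClass/*)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    # Map each SPN to the accounts that carry it. The comparison is
    # case-insensitive, matching how the directory treats this attribute.
    $owners = @{}
    foreach ($result in $searcher.FindAll()) {
        $account = [string]$result.Properties['samaccountname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $account
        }
    }

    # Emit one object per SPN that is owned by more than one distinct account.
    foreach ($entry in $owners.GetEnumerator()) {
        $accounts = @($entry.Value | Sort-Object -Unique)
        if ($accounts.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Accounts = $accounts -join ', '
            }
        }
    }
}

# Usage: duplicates among SQL Server database engine SPNs only.
Find-DuplicateSpn -ServiceClass 'MSSQLSvc' | Format-Table -AutoSize
```

The built-in `setspn -X` performs the same duplicate search; this version lets you scope it by service class and returns the owning accounts as objects you can filter further.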

Do you have to have special permissions to manage SPNs?

In general, yes. Basically you either have to appear as the computer account for a machine (meaning the service is running as System or Network Service and you can only manage that machine's SPNs) or you have to be a member of the Domain Admins group.

You said, "in general," so does that mean permissions can be assigned?

Yes, Active Directory has a very robust permission delegation structure. So the ability to manage particular SPNs could be accomplished by managing the account those SPNs belong to.
