Configuring Kerberos Authentication

  • K. Brian Kelley

    SSC Guru

    Points: 114445

    Comments posted to this topic are about the item Configuring Kerberos Authentication

    K. Brian Kelley
    @kbriankelley

  • VincentRainardi

    SSCrazy

    Points: 2905

    Great article Brian. Very structured. Thanks for spending the time writing it.

  • moderis

    Old Hand

    Points: 310

    Wow, this Monday some people asked me about this,

    I was looking through the web for concentrated information and there it is 🙂

    thanks a lot.

  • David McKinney

    SSChampion

    Points: 10358

    I've been waiting a long time for an article like this.

    Finally Kerberos is explained in words even I can understand.

    Well done!

  • T_VR

    Ten Centuries

    Points: 1361

    Excellent Brian! THANKS

    I have read many articles explaining exactly this, but yours tops the list by far!



    What's this "backup strategy" everyone is on about?

  • SQLPhil

    SSCarpal Tunnel

    Points: 4094

    Brilliant article! I'm due to configure Kerberos authentication early next year on one of our servers to shore up security, and this helps clear up a few queries I had about it all. Thanks!

  • Graham_Day

    Ten Centuries

    Points: 1041

    This is by far the clearest explanation of Kerberos and its relevance to SQL Server that I have seen. Many thanks!

  • RichB

    SSCrazy Eights

    Points: 9651

    Truly excellent article, thanks.

  • BarbW

    SSCarpal Tunnel

    Points: 4649

    Very interesting article, very helpful and clearly written. I just set up a Domain/User to run SQL 2000 on a Win2K server and had to reattach the server to the domain and reboot for all settings to take effect and allow Windows Authentication to work using SSMS to connect to server. Does your approach require rebooting?

  • Jack Corbett

    SSC Guru

    Points: 184296

    Great article Brian. Will there be a follow-up on setting up Kerberos delegation? I could use it.


    Jack Corbett, Consultant, Straight Path Solutions

  • Harold Buckner

    Hall of Fame

    Points: 3915

    Great article Brian. I've been working with Kerberos Authentication for a while and I had to scour the internet looking for something that explained it like this.

    One thing we have problems with is a user can log in to their PC and get a ticket. Authenticate to the SQL servers using Kerberos fine, but if for some reason their ticket expires (maybe locking their workstation instead of logging off overnight), their ticket does not automatically renew and then they start getting failed logins. The only fix we have found is having the user log off and then back in. Then the ticket gets renewed.

    I'm sure there is something wrong, but how to identify it and then relay it to the network admins is going to be a bear. Do you have any recommendations to point me in a direction?

    Thanks

  • mark.wojciechowicz@gmail.com

    Right there with Babe

    Points: 776

    Hi Brian, Great Article. I just spent the last week setting Kerberos up so this is really synchronicity that this topic is showing up today. You explain it more clearly than any article I have seen out there.

    I know that you did not intend to cover delegation as a topic for this article, but for the folks who are working on this now, you can configure delegation by going to AD, finding the computer record for the server that will be doing the delegation and checking the box for allowing delegation.

    Also, if you are setting up a web server, the web.config file needs to be set to use Windows authentication and allow impersonation. The impersonation will allow the server to pass your credentials to the next server.

    In most situations where you are just dealing with serving reports, a generic id to connect to the server will work fine, but when you are refining your security model on SQL Server to use Windows authentication this is critical. Also, if you are having users insert and update records through your web app, it is critical to have their correct credentials for auditing.

    Thanks again for explaining this concept so well, it's making a lot more sense to me. I got into a discussion with another developer over using Kerberos or LDAP and I think this article hits upon some key concerns.

  • LeeFAR

    SSCarpal Tunnel

    Points: 4634

    Good work Brian. This explanation helps not only in the SQL Server world, but anywhere where Kerberos is required. At first glance and try, Kerberos is a pain to set up. But this article is one of the better ones out there explaining how.

  • K. Brian Kelley

    SSC Guru

    Points: 114445

    barb.wendling (12/11/2008)


    Very interesting article, very helpful and clearly written. I just set up a Domain/User to run SQL 2000 on a Win2K server and had to reattach the server to the domain and reboot for all settings to take effect and allow Windows Authentication to work using SSMS to connect to server. Does your approach require rebooting?

    If you're just setting up Kerberos authentication, rebooting shouldn't be required. The catch is you have to wait for the SPNs to replicate to all the domain controllers as part of the normal replication cycles.

    K. Brian Kelley
    @kbriankelley

  • K. Brian Kelley

    SSC Guru

    Points: 114445

    Jack Corbett (12/11/2008)


    Great article Brian. Will there be a follow-up on setting up Kerberos delegation? I could use it.

    I'll look at writing that up. I earned my wings on that due to Microsoft CRM 3.0. Boy that one hurt. If you're running CRM, SSRS, and the SQL Server all on the same box, you don't have to worry about any of that. But when you're not, for instance, you're trying to scale out like we were, it can become a nightmare. Same is true when you do a load-balanced SSRS web farm.

    K. Brian Kelley
    @kbriankelley
