Configuring Kerberos Authentication

  • Comments posted to this topic are about the item Configuring Kerberos Authentication

    K. Brian Kelley
    @kbriankelley

  • Great article Brian. Very structured. Thanks for spending the time writing it.

  • Wow, this monday some people asked me about this,

    I was looking thrue the web for an concentrated information and there it is 🙂

    thanks a lot.

  • I've been waiting a long time for an article like this.

    Finally kerberos is explained in words even I can understand.

    Well done!

  • Excellent Brian! THANKS

    I have read many articles explaining exactly this, but your's tops the list by far!



    What's this "backup strategy" everyone is on about?

  • Brilliant article! I'm due to configure kerberos authentication early next year on one of our servers to shore up security, and this helps clear up a few queries I had about it all. Thanks!

  • This is by far the clearest explanation of Kerberos and its relevance to SQL Server that I have seen. Many thanks!

  • Truly excellent article, thanks.

  • Very interesting article, very helpful and clearly written. I just set up a Domain/User to run SQL 2000 on a Win2K server had had to reattach the server to the domain and reboot for all settings to take effect and allow Windows Authentication to work using SSMS to connect to server. Does your approach require rebooting?

  • Great article Brian. Will there be a follow-up on setting up Kerberos delegation? I could use it.

    Jack Corbett
    Consultant - Straight Path Solutions
    Check out these links on how to get faster and more accurate answers:
    Forum Etiquette: How to post data/code on a forum to get the best help
    Need an Answer? Actually, No ... You Need a Question

  • Great article Brian. I've been working with Kerberos Authenication for a while and I had to scour the internet looking for something that explained it like this.

    One thing we have problems with is a user can log in to their PC and get a ticket. Authenicate to the SQL servers using Kerberos fine, but if for some reason their ticket expires, ( Maybe locking their workstaion instead of loging off over night)their ticket does not automaticlly renew and then they start getting failed logins. The only fix we have found is having the user log off and then back in. Then the ticket gets renewed.

    I'm sure there is something wrong, but how to identify it and then relay it to the network admins is going to be a bear. Do you have any recommendations to point me in a direction?

    Thanks

  • Hi Brian, Great Article. I just spent the last week setting Kerberos up so this is really synchronicity that this topic is showing up today. You explain it more clearly than any article I have seen out there.

    I know that you did not intend to cover delegation as a topic for this article, but for the folks who are working on this now, you can configure delegation by going to AD, finding the computer record for the server that will be doing the delegation and check the box for allowing delegation.

    Also, if you are setting up a web server, the web.config file needs to be set to use windows authentication and allow impersonation. The impersonation will allow the server to pass your credentials to the next server.

    It most situations where you are just dealing with serving reports, a generic id to connect to the server will work fine, but when you are refining your security model on SQL server to use windows authentication this is critical. Also, if you are having users insert and update records through your web ap, it is critical to have their correct credentials for auditing.

    Thanks again for explaining this concept so well, its making a lot more sense to me. I got into a discussion with another developer over using Kerberos or LDAP and I think this artical hits upon some key concerns.

  • Good work Brian. This explanation helps not only in the SQL Server world, but anywhere where Kerberos is required. At first glance and try, Kerberos is a pain to setup. But this article is one of the better ones out there explaining how.

  • barb.wendling (12/11/2008)


    Very interesting article, very helpful and clearly written. I just set up a Domain/User to run SQL 2000 on a Win2K server had had to reattach the server to the domain and reboot for all settings to take effect and allow Windows Authentication to work using SSMS to connect to server. Does your approach require rebooting?

    If you're just setting up Kerberos authentication, rebooting shouldn't be required. The catch is you have to wait for the SPNs to replicate to all the domain controllers as part of the normal replication cycles.

    K. Brian Kelley
    @kbriankelley

  • Jack Corbett (12/11/2008)


    Great article Brian. Will there be a follow-up on setting up Kerberos delegation? I could use it.

    I'll look at writing that up. I earned my wings on that due to Microsoft CRM 3.0. Boy that one hurt. If you're running CRM, SSRS, and the SQL Server all on the same box, you don't have to worry about any of that. But when you're not, for instance, you're trying to scale out like we were, it can become a nightmare. Same is true when you do a load-balanced SSRS web farm.

    K. Brian Kelley
    @kbriankelley

Viewing 15 posts - 1 through 15 (of 90 total)

You must be logged in to reply to this topic. Login to reply