SharePoint 2013 With SSRS 2012 And Constrained Delegation
28 May 2013 10:31 AM
I often get asked about how to configure the SharePoint 2013 BI stack (Excel Services, PerformancePoint and SSRS 2012 integrated mode). To do this configuration Kerberos with constrained delegation is required and often this is the most tricky and unclearly documented piece. In this post I hope to provide some insight into the steps to configure these pieces.
First, I will assume that SharePoint 2013 is installed and for the purposes of my test environment I have set a domain controller, a SQL 2012 server, and two SharePoint 2013 servers (Application and Web).
So the first step I will suggest taking is to install SQL 2012 SP1 on the SQL server as well as the patch from KB 2793634. Without doing this step SharePoint will not show the SQL Reporting Services Service Application when you try to create it in Central Admin and it will not initialize the service in SharePoint. If you have already run into that step because you installed SSRS on SharePoint first, don’t worry; install SP1 for SQL 2012 and the patch on the SQL server and on your SharePoint servers (Yes, I did say your SharePoint servers – When you put SSRS in your farm they have SQL bits on them).
Once you have installed the patches I typically install SSRS on my SharePoint servers next. In the case of this small three server farm the Application server (SPApp2013) will become the server where I plan to run the SSRS engine but the Web server (SPWeb2013) will also get the SSRS add-in installed on it. If I was running more servers in the farm I would need to install the add-in there as well and if I was wanting to have a load balanced SSRS service application I would install the SSRS engine on another server as well. When installing SSRS engine from the SQL Server 2012 media (my preferred method) select the following features:
I haven’t touched Claims to Windows Token Service yet, but it is coming, and yes, required. Once I have the service application up and running I like to go make sure my service is started on the application server. To do this go to System Settings à Manage Services on Server. If it isn’t started, start it on the application server. Next I need to go change the authentication method it will use from NTLM to Kerberos so we can use pass through authentication (otherwise known as the double hop issue). To do this I need to make changes to RSReportServer.config file.
Once I do that I go to the services running in Windows and set the Claims to Windows Token Service to Automatic. Don’t start it here because SharePoint will just stop it as SharePoint services are really controlled from timer jobs and the settings in the configuration database. Instead, I navigate to Manger Services on Server in Central Admin and start the service on SPApp2013. Once it is started an IIS reset or server reboot is required.
Next I move on to the Service Principle Names (SPNs) and Delegations. Because I want to pass credentials through SharePoint/SSRS to the data source I need to make the web application Kerberos as well. Before I make the change in SharePoint I need to have the SPNs and Delegations in place or the web application will not allow access. Earlier I mapped out the Services I need to setup Kerberos for and the service accounts I will use. The syntax for the SPNs (2008 or greater domain controllers) is: SetSPN –S ServiceClass/Host:Port Domain\ServiceAccount. So for this environment I setup (don’t forget to also do FQDN):
Notice there is a lack of OLAP or other database server in this example. In non-test environments often connecting to an OLAP cube or other database server is done. For those instances I just add the appropriate SPNs and add the applicable delegations. In Active Directory the delegations look as like the picture for all the service accounts listed in the table above.
After Kerberos is setup from the Active Directory side I have to setup the web application to use Kerberos rather than NTLM. To do so I navigate to Manage Web Applications in Central Admin, select the web application then Authentication Providers from the ribbon. The dialog to choose the zone appears and I select default. Then scroll down to Claims Authentication Types and change the Integrated Windows Authentication to Negotiate (Kerberos). IIS Reset is always a good step on all SharePoint servers at this point. Then I test to ensure I can still get into my web application. If not, I did something incorrect with Kerberos and need to troubleshoot it.
Once all of that is done I can start my testing to ensure SSRS can pass my credentials to the database server and bring a report back and render it to me as a user. The first step to that is ensuring I have read access to the database. I change that at the SQL Server database that I am trying to access in this case but that will be more defined in real world scenarios. After that I will start Report Builder (for testing purposes I do that on SPApp2013) to create a SSRS report and data source which I will upload into a document library in SharePoint. Below shows the location of report builder in case you are testing the same way.
Once I create the report I save it to a SharePoint document library where the Report Server Integration feature is enabled. Typically I don’t open the report to test if Kerberos is passing credentials, but that is a way as long as you are sure the report works properly. I usually go into the data source (Manage Data Sources) for the report and click Test connection. If it comes back with a Test Successful message I am good and the report should work without an issue.
First, I will assume that SharePoint 2013 is installed and for the purposes of my test environment I have set a domain controller, a SQL 2012 server, and two SharePoint 2013 servers (Application and Web).
So the first step I will suggest taking is to install SQL 2012 SP1 on the SQL server as well as the patch from KB 2793634. Without doing this step SharePoint will not show the SQL Reporting Services Service Application when you try to create it in Central Admin and it will not initialize the service in SharePoint. If you have already run into that step because you installed SSRS on SharePoint first, don’t worry; install SP1 for SQL 2012 and the patch on the SQL server and on your SharePoint servers (Yes, I did say your SharePoint servers – When you put SSRS in your farm they have SQL bits on them).
Once you have installed the patches I typically install SSRS on my SharePoint servers next. In the case of this small three server farm the Application server (SPApp2013) will become the server where I plan to run the SSRS engine but the Web server (SPWeb2013) will also get the SSRS add-in installed on it. If I was running more servers in the farm I would need to install the add-in there as well and if I was wanting to have a load balanced SSRS service application I would install the SSRS engine on another server as well. When installing SSRS engine from the SQL Server 2012 media (my preferred method) select the following features:
- Reporting Services – SharePoint
- Reporting Services Add-in for SharePoint Products
- Management Tools – Basic & Complete
- Install-SPRSService
- Install-SPRSServiceProxy
- get-spserviceinstance -all |where {$_.TypeName -like "SQL Server Reporting*"} | Start-SPServiceInstance
Service: | Service Account: |
http://dragonlair | Campbushnell\svcSPWADragon |
Claims To Windows Token Service | Campbushnell\svc_SPC2WTS |
SSRS Service | Campbushnell\svcSQLSSRS |
SQL Engine | Campbushnell\svcSQLEng |
Excel Services | Campbushnell\svcSPExcel |
Performance Point Service | Campbushnell\svcSPPerfPnt |
- File is located in C:\Program Files\common files\Microsoft Shared\Web Server Extentions\15\Web Services\Reporting
- Change AuthenticationTypes from RSWindowsNTLM to RSWindowsNegotiate
- Save the file
- IIS Reset on all servers
- $w = Get-SPWebApplication -Identity http://dragonlair
- $w.GrantAccessToProcessIdentity("campbushnell\svcSQLSSRS")
- Act as part of the operating system
- Impersonate a client after authentication
- Log on as a service
Once I do that I go to the services running in Windows and set the Claims to Windows Token Service to Automatic. Don’t start it here because SharePoint will just stop it as SharePoint services are really controlled from timer jobs and the settings in the configuration database. Instead, I navigate to Manger Services on Server in Central Admin and start the service on SPApp2013. Once it is started an IIS reset or server reboot is required.
Next I move on to the Service Principle Names (SPNs) and Delegations. Because I want to pass credentials through SharePoint/SSRS to the data source I need to make the web application Kerberos as well. Before I make the change in SharePoint I need to have the SPNs and Delegations in place or the web application will not allow access. Earlier I mapped out the Services I need to setup Kerberos for and the service accounts I will use. The syntax for the SPNs (2008 or greater domain controllers) is: SetSPN –S ServiceClass/Host:Port Domain\ServiceAccount. So for this environment I setup (don’t forget to also do FQDN):
- Setspn -S HTTP/dragonlair Campbushnell\svcSPWADragon
- Setspn -S HTTP/dragonlair.campbushnell.lcl Campbushnell\svcSPWADragon
- Setspn -S MSSQLSvc/SQL2012:1433 Campbushnell\svcSQLEng
- Setspn -S MSSQLSvc/SQL2012.campbushnell.lcl:1433 Campbushnell\svcSQLEng
- Setspn -S MSSQLSvc/SPSQL:1433 Campbushnell\svcSQLEng
- Setspn -S MSSQLSvc/SPSQL.campbushnell.lcl:1433 Campbushnell\svcSQLEng
- Setspn -S SP/C2WTS Campbushnell\svc_SPC2WTS
- Setspn -S SP/SSRS Campbushnell\svcSQLSSRS
- Setspn -S SP/PPS Campbushnell\svcSPPerfPnt
- Setspn -S SP/Excel Campbushnell\svcSPExcel
Account: | Service: | Account Running Service: |
Campbushnell\svc_SPC2WTS | MSSQLSvc Service | campbushnell\svcSQLEng |
Campbushnell\svcSQLSSRS | MSSQLSvc Service | campbushnell\svcSQLEng |
Campbushnell\svcSPExcel | MSSQLSvc Service | campbushnell\svcSQLEng |
Campbushnell\svcSPPerfPnt | MSSQLSvc Service | campbushnell\svcSQLEng |
After Kerberos is setup from the Active Directory side I have to setup the web application to use Kerberos rather than NTLM. To do so I navigate to Manage Web Applications in Central Admin, select the web application then Authentication Providers from the ribbon. The dialog to choose the zone appears and I select default. Then scroll down to Claims Authentication Types and change the Integrated Windows Authentication to Negotiate (Kerberos). IIS Reset is always a good step on all SharePoint servers at this point. Then I test to ensure I can still get into my web application. If not, I did something incorrect with Kerberos and need to troubleshoot it.
Once all of that is done I can start my testing to ensure SSRS can pass my credentials to the database server and bring a report back and render it to me as a user. The first step to that is ensuring I have read access to the database. I change that at the SQL Server database that I am trying to access in this case but that will be more defined in real world scenarios. After that I will start Report Builder (for testing purposes I do that on SPApp2013) to create a SSRS report and data source which I will upload into a document library in SharePoint. Below shows the location of report builder in case you are testing the same way.
Once I create the report I save it to a SharePoint document library where the Report Server Integration feature is enabled. Typically I don’t open the report to test if Kerberos is passing credentials, but that is a way as long as you are sure the report works properly. I usually go into the data source (Manage Data Sources) for the report and click Test connection. If it comes back with a Test Successful message I am good and the report should work without an issue.
No comments:
Post a Comment