FIM 2010 R2 Kerberos Settings

The following section is presented to explain Kerberos and how it pertains to FIM 2010 R2.

What is Kerberos?

The Kerberos authentication protocol provides a mechanism for authentication — and mutual authentication — between a client and a server, or between one server and another server. The Kerberos authentication protocol originated at MIT more than a decade ago, where it was developed by engineers working on Project Athena. The Kerberos protocol is more secure, more flexible, and more efficient than NTLM. The benefits gained by using Kerberos authentication are:

  • Delegated Authentication

  • Interoperability

  • More efficient authentication to servers.

  • Mutual authentication

Kerberos authentication has the following authentication dependencies:

  1. Operating System - client must be XP or later and server must be 2000

  2. TCP/IP connectivity - network connectivity must exist between client, domain controller and target server

  3. DNS - DNS must be functioning for the client to obtain the FQDN. The FQDN is used to access the domain controller.

  4. Active Directory

  5. Time Service

  6. SPN - Service principal names (SPNs) are unique identifiers for services running on servers.

What are SPNs?

Service principal names (SPNs) are unique identifiers for services running on servers. Every service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, clients have no way of locating that service. Without correctly set SPNs, Kerberos authentication is not possible.

An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service's SPN to differentiate it from all of the other services running on that computer.

Because multiple services can run simultaneously under the same account, setting an SPN requires four unique pieces of information. These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

For each SPN that is set, the following information is required:

  1. The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.

  2. The account under which the service is running.

  3. The computer on which the service is running, including any aliases that point to that computer.

  4. The port on which the service is running (optional if the default port for the service of that type is used such as port 80 for HTTP).

The syntax of an SPN itself is service/hostname:port, where:

  1. Service is the service class of the SPN.

  2. Hostname is the computer to which the SPN belongs.

  3. Port is the port on which the service that the SPN is registered to runs.

How are tickets decrypted

A client makes a HTTP Request to an IIS server running SharePoint. The IIS server denies the request with a 401 Authorization Required and indicates to the client that it supports Kerberos authentication. The client then requests a Service Ticket from the KDC on a Domain Controller. This is done by sending the SPN for that service to the DC. The DC finds the domain account that matches the SPN and creates a ticket for the client. The ticket is encrypted with the password for the domain account of the receiving application, for example the SharePoint service account. The DC returns the Service ticket to the client. The client, then sends the ticket to IIS, in the authentication header to prove the identity of the client. To decrypt the ticket IIS must know the password of the domain account, in this case, the SharePoint service account. The password for this account is encrypted and stored in the applicationHost.config file. IIS will then decrypt the ticket.

Kernel-Mode Authentication

With the release of IIS 7.0 on Windows Server 2008 and IIS 7.5 on Windows Server 2008 R2 a new mode kernel-mode authentication was introduced. This means that the ticket for the responding service is decrypted using the Machine account (Local System) of the IIS Server. It no longer depends on the application pool Identity for this purpose by default. You no longer need to worry about the correlation between HTTP SPNs and the Application pool Identity that was required in the earlier versions of IIS.

By default, UseKernelMode Authentication is set to true automatically on the applicationHost file after the password registration and password reset portals have been installed.

SPNs and the SharePoint Web Application Account

Setspn -S HTTP/fim1 corp\SPServiceSetspn -S HTTP/fim1.corp.contoso.com corp\SPService

SPNs and the FIM Service Account

Setspn -S FIMService/fim1 corp\FIMServiceSetspn -S FIMService/fim1.corp.contoso.com corp\FIMService

SPNs and the FIM Service Database

Setspn –S MSSQLsvc/app1:1433 corp\sqldatabaseSetspn –S MSSQLsvc/app1.corp.contoso.com:1433 corp\sqldatabase

SPNs and Self-Service Password Reset

Setspn -S HTTP/passwordregistration.corp.contoso.com corp\SSPR1$Setspn -S HTTP/passwordreset.corp.contoso.com corp\SSPR1$

SPNs for FIM 2010 R2

Use the following table for quick reference with regard to the required SPNs for FIM 2010 R2.

SPN Account Setspn Syntax Example Description

MSSQLsvc/<SQLDatabase Server>

SQL Database Account

  • Setspn –S MSSQLsvc/app1.corp.contoso.com:1433 corp\sqldatabase

  • Setspn –S MSSQLsvc/app1:1433 corp\sqldatabase

SPN required for the FIM Service database. Allows clients the ability to locate an instance of SQL.

FIMService/<FIM Service Server>

FIM Service Account

  • Setspn –S FIMService/FIM1.corp.contoso.com corp\FIMService

  • Setspn –S FIMService/FIM1 corp\FIMService

SPN required for the FIM Service. Allows clients the ability to locate an instance of the FIM Service.

HTTP/<FIM Portal Alias>

SharePoint Service Account

  • Setspn –S HTTP/FIM1.corp.contoso.com corp\SPService

  • Setspn –S HTTP/FIM1 corp\SPService

This is a requirement because SharePoint runs as a "farm" - even in single-server configurations - you have to run the site and authentication under the app pool account... AND still set up your SPN's.

HTTP/<passwordregistration portal server>

Password Registration Server Account

  • Setspn -S HTTP/passwordregistration.corp.contoso.com corp\FIM2$

The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account.

HTTP/<passwordreset portal server>

Password Reset Server Account

  • Setspn -S HTTP/passwordreset.corp.contoso.com corp\FIM2$

The SSPR portals use IIS 7.0/7.5. IIS 7.0/7.5 has an authentication feature - 'Enable Kernel Mode Authentication'. With this feature the Kerberos ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose. The following assumes that the password registration and reset portals are being accessed through a custom host header. In this instance the SPN is required only for the IIS machine account and not for our FIM Password Service account.

HTTP/<FIM CM Server>

FIM CM Web Pool Agent Account

  • Setspn –S HTTP/FIMCM1.corp.contoso.com corp\FIMCMWeb

  • Setspn –S HTTP/FIMCM1 corp\FIMCMWeb

This is a special case even though we are running on IIS 7.0/7.5. In this instance you must ensure that useAppPoolCredentials is set to true. This will force IIS to use the appPoolCredentials to decrypt the ticket. KernelModeAuthentication is still enabled in this instance.

Duplicate SPNs

In general, only one SPN should be set for each service. Multiple SPNs can cause clients to connect to the wrong system or the ticket may be encrypted with the wrong key. Using the –s switch with the Setspn.exe helps ensure that no duplicates are created when you are configuring SPNs. This switch sets the spn only after verifying that no duplicates exist. For additional information on setspn.exe see Setspn.

Delegation

A client might need to let an application or a service connect to other servers or services on its behalf. A client might use a front-end server, for example, that then needs to authenticate with a back-end server. The front-end server needs to authenticate to the back-end server with the client's credentials, because if it authenticated under its own service account, it would have different authorization than the user.

Delegation of authentication allows the client to send its identity in the form of a Kerberos ticket to the front-end server. The front-end server can then impersonate the client and authenticate with the back-end server as if the front-end server were the client.

Delegation is not limited to a single pair of a front-end and a back-end server. A client can delegate its identity to a service that can then authenticate with any number of back-end services. It is also possible for the client to delegate its identity to Service A, and for Service A to in turn delegate the client's identity to Service B, for Service B to delegate the client's identity to Service C, and so on.Delegation is possible only with the Kerberos protocol. Thus, all parties involved in delegation scenarios must use the Kerberos protocol.

In a deployment with multiple FIMServices, ensure that each FIMService has constrained delegation configured so that each FIMService can successfully communicate to each other in order for Workflow Approvals to work properly. Approval Responses from users can come from any Portal or if Exchange is enabled from the FIMService that is polling. In all cases, the Approval Response will be directed to the FIMService machine that processed the original Request so cross-server communication: FIMPortal -> FIMService AND FIMService -> FIMService must work properly.

The following sections will provide some additional information regarding delegation for the FIM Service, the SharePoint Service account, and the Self-Service Password Registration and Rest Web application accounts. Also, be aware that the Delegation tab will not be present on a user’s properties until an SPN is set on that account. So if you do not see a Delegation tab, check to ensure that an SPN has been set on that account. This can be done by using a SetSpn.exe with a –l switch. The following will list all of the SPNs on the CORP\FIMService account.

Setspn –l corp\fimservice

Delegation and SharePoint Web Application Pool Account

Delegation is required on the SharePoint service account. The following example shows how to turn on delegation for a SharePoint Web Application Pool Account named CORP\SPService in a domain named corp.contoso.com. Use the following procedure to enable delegation on the SharePoint Service account,

To turn on Delegation for CORP\SPService

  1. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  2. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com, expand ServiceAccounts and in the center, right-click SharePoint Service, and then select Properties.

  3. On the SharePoint Service Properties, select the Delegation tab.

  4. In the middle, select Trust this user for delegation to specified services only.

  5. Make sure Use Kerberos only is selected and click Add. This will bring up the Add Services dialog box.

  6. On the Add Services dialog box, click Users or Computers. This will bring up the Select Users or Computers dialog box.

  7. In the Select Users or Computers dialog box, enter FIM Service and click Check Names. This should resolve with an underline to the FIM Service account. Click OK. This will close the Select Users or Computers dialog box.

  8. On the Add Services screen, select FIM Service under Available Services: and click OK. This will close the Add Services dialog box.

    Constrained Delegation

  9. On the SharePoint Service Properties screen, click Apply.

  10. Click OK.

Delegation and FIM Service Account

Delegation is required on the SharePoint service account. The following example shows how to turn on delegation for a FIM Service Account named CORP\FIMService in a domain named corp.contoso.com. Use the following procedure to enable delegation on the SharePoint Service account,

To turn on Delegation for FIM Service Account

  1. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  2. In the Active Directory Users and Computers MMC, from the tree-view on the left, expand corp.contoso.com, expand ServiceAccounts and in the center, right-click SharePoint Service, and then select Properties.

  3. On the SharePoint Service Properties, select the Delegation tab.

  4. In the middle, select Trust this user for delegation to specified services only.

  5. Make sure Use Kerberos only is selected and click Add. This will bring up the Add Services dialog box.

  6. On the Add Services dialog box, click Users or Computers. This will bring up the Select Users or Computers dialog box.

  7. In the Select Users or Computers dialog box, enter FIM Service and click Check Names. This should resolve with an underline to the FIM Service account. Click OK. This will close the Select Users or Computers dialog box.

  8. On the Add Services screen, select FIM Service under Available Services: and click OK. This will close the Add Services dialog box.

    Constrained Delegation

  9. On the SharePoint Service Properties screen, click Apply.

  10. Click OK.

Delegation and Self-Service Password Reset

The web application pool account(s), or the FIM Password Service account(s) does not need any SPNs set on it. Only the server that runs the FIM Password Reset and Registration portals may need additional SPNs. Likewise, the FIM Password Service account(s) do not need to be setup for delegation. This is because the FIM Service account is already aware of the FIM Password Service account. For more information on the FIM Service and portal communication see the FIM 2010 R2 Password Registration Portal and FIM 2010 R2 Password Reset Portal topics.

Enforcing Kerberos on the FIM Portal

The FIM Portal can be configured to only accept Kerberos Authentication. Use the following procedure to enforce Kerberos on the FIM Portal.

To Enforce Kerberos for the FIM portal

  1. Log on to FIM Server as CORP\Administrator.

  2. Navigate to the following directory: C:\inetpub\wwwroot\wss\VirtualDirectories\80.

  3. Locate the Web.config file, right-click and select Open. This will bring up a pop-up that states Windows cannot open this file and it will have two options. Choose Select a program from a list of installed program, and then click OK.

  4. Select Notepad, and click OK. This will open the config file in Notepad.

  5. At the top, select Edit, Find, type the following text in in the box, and then click Find Next:
    <resourceManagementClient

  6. There should be only one instance and it will look like the following Before image. Insert requireKerberos=”true” in the line so it looks like the After image.

    Web Config Before

    Web Config After

  7. At the top of the Notepad, select Save. Close Notepad.

  8. Click Start, click All Programs, click Accessories, and then click Command Prompt. This will launch a Command Prompt window.

  9. In the Command Prompt window, type the following text, and then hit Enter:
    iisreset
    This will stop and then restart IIS. Once this completes, close the Command Prompt window.