I have configured Kerberos authentication for accessing the file server.
There is no need to log in when I map a drive and access the file server.
Just a curious question: can I add an additional server name to be used for authentication?
For example:
Currently my file server name is server01.
When I map a network drive through server01 / IP address, there is no issue.
When I try to access it through the server name server02, I get an error in mapping the drive.
Is there any way I can do this by allowing multiple server names to be used for Kerberos authentication?
Thanks in advance for any advice.
You can map as many file shares as you want with Kerberos authentication on a Windows domain-joined system if the file servers hosting the file shares are joined to the same domain as the client Windows system accessing them.
Thus, you may have multiple file servers in your domain environment, but they all should be joined to the AD domain for Kerberos authentication to work successfully and let the users accessing and mapping the file shares authenticate through it, as Kerberos needs a KDC (Key Distribution Center), which is why Active Directory authentication is required.
Please find below the dependencies for Kerberos authentication to work successfully:
Operating System --> Later than Windows 2000 for the client and Windows 2003
TCP/IP Network Connectivity --> Should exist between DC, client, and the target server
Domain Name System --> DNS must be functioning and accessible for the client
Active Directory Domain --> Necessary to use Kerberos authentication
Time Service --> Time source should be the same and synchronized on all the network computers
Service Principal Names --> Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network
Also, refer to this document for more details.
Related
"a specified logon session does not exist. it may already have been terminated" after i joined the device to azure active directory
I can't access our shared folder on our server after I joined the device to Azure AD and use an Office 365 account (please click the link below to see the error image for your reference), but if I use the local administrator of the device I can access the file server using the credentials with no problem. Please note that we don't have an on-premises Active Directory or GPO. Kindly help me.
a specified logon session does not exist. it may already have been terminated
Instead of specifying just "binos" as your username, add the hostname with a backslash, like so:
yourhostname\binos
In most cases, this will fix that error.
To access the share, the server would also need to be Azure AD joined, which you cannot do with Windows Server; you would need Azure AD Domain Services (AD DS) on Azure, then join your file server to that.
Only Windows 10 devices can be "Azure AD-joined devices".
If you don't want to do that, you could create an Azure file store, secure it using your Azure AD / RBAC, then map that on your devices. That would probably work too.
I've inherited a mess from the IT "professional" I replaced and have been unable to successfully lobby for resources to set up a proper domain. I have Windows 10 PCs that are configured as "organizational" PCs, not personal, which allows our users to sign in with their Office 365 accounts.
However, when they do this they are logged in via the AzureAD\ domain, and I'm certain this is the reason they cannot access the shared drives my organization has been using. I would very much like to keep using this Azure AD setup, but if I cannot access local network resources it won't work for me.
I've searched around, but maybe I haven't been asking the right question to find a solution to my problem, or it's possible one doesn't exist, which would be unfortunate.
Has anyone run into this issue?
Is there a way to access non-Azure AD domain resources from an AzureAD\User account?
You will need a DC (a virtual machine (VM) in the cloud or a physical server).
That DC has Azure Active Directory (AAD) Connect installed and configured on it. That creates an account in AD that synchronizes accounts and passwords with AAD.
When a computer joined to AAD logs in, it sends the login request to AAD. AAD then validates that authentication request against the information synchronized from AD.
If you have workstations and laptops joined to AAD and they try to access a share on a server that is in a different domain than the one AAD synchronizes with, you are going to need to provide credentials that exist on the server which hosts the resources you are trying to access.
There are a few right ways to do this:
If the clients are in a single location and will always be in the same location as the DC, then join them to the domain regularly. For clients that will be used in other locations, join those computers to AAD and install AAD Connect on the DC.
If you want to move all the servers out of your office, spin up a VM for your DC in Azure and deploy a cloud firewall in front of your VM. Create a Site-to-Site Virtual Private Network (VPN) between the cloud firewall and your office firewall. Now join computers that will always be in the office to the domain like normal, join computers that are going to be used remotely to AAD, and install AAD Connect on the DC.
Refer: Windows 10 AAD Azure AD domain joined & SMB share, where a similar discussion has taken place.
I have a question about installing SQL Server and a SP2016 development farm. I can install both, but my boss asked me questions about installing an SPN (Service Principal Name) in the AD. But I don't know why and how an SPN is linked with SQL and SharePoint.
I've done some research on the web and came across terms like "Kerberos", but I installed SharePoint with NTLM. Help me understand why SPNs would be useful in this case.
What is a Service Principal Name?
The SPN represents the service entry point into your SQL Server for clients to find (using DNS) when they will be using Kerberos authentication.
SPNs are written as a service followed by the fully-qualified DNS name of the IP host the service is running on (sometimes optionally appended with the Kerberos realm name). For example, if your SQL Server were named 'sqlserver1' and your AD domain name was 'acme.com', it would be written as: MSSQLsvc/sqlserver1.acme.com.
The SPN itself is found inside the Kerberos database. During the authentication process, clients reach out to DNS to find the IP target host and the Kerberos database (KDC) holding the service principal, grab a Kerberos service ticket from the KDC and use that to single-sign-on authenticate to the service running on the target host named in the SPN.
Configuring SPNs
In AD, in the properties of the computer object representing your SQL Server, you will add the SPN and optionally configure Kerberos delegation for that service. You could optionally add the SPN to the user account running the SQL service in AD instead.
In your scenario, Kerberos should actually be the primary authentication method, with NTLM used only as a fallback. If you set up DNS, AD, Kerberos delegation and the target server correctly, you should never have to fall back to NTLM. With SharePoint, you would use Kerberos to SSO into SharePoint, and then you could optionally allow Kerberos delegation for that same user account to be able to run SQL statements on the SQL DB server as themselves.
None of this is for the faint of heart, and I have actually not set up this precise scenario myself; I just know the underlying concepts. Instead, my experience is mainly setting up Kerberos SSO to Active Directory authentication for web applications running on Linux platforms. But you asked what an SPN was for, and that's what I've answered.
Further Reading
I googled and found this link for you for actually setting up your scenario; it talks about configuring SharePoint with Active Directory and SQL Server using Kerberos delegation: Plan for Kerberos authentication in SharePoint 2013
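As an added example (not part of the answer above), this PowerShell checks whether the SPN for the SQL Server host from the example is registered, looks for duplicates, registers it if missing, and verifies that a client actually obtained a Kerberos ticket instead of falling back to NTLM. The host name is the one used above; the service account name and the port are assumptions.

```powershell
# Added example, not from the original answer. Run from a domain-joined host as an
# account allowed to write servicePrincipalName (setspn is built into Windows; the
# Get-ADUser cmdlet needs the RSAT ActiveDirectory module).
$sqlHost    = 'sqlserver1.acme.com'   # FQDN from the answer above
$svcAccount = 'ACME\svc-sql'          # assumed: domain account the SQL service runs as
$spn        = "MSSQLsvc/$sqlHost"

# 1. Query the forest for the SPN. No result means clients cannot obtain a Kerberos
#    service ticket for this instance and will silently fall back to NTLM.
setspn -Q $spn

# 2. Search the forest for duplicate SPNs. The same SPN on two accounts also breaks
#    Kerberos for that service and is a common cause of unexplained NTLM fallback.
setspn -X

# 3. Register the SPN on the service account. -S checks for duplicates before adding,
#    so it is safer than -A. SQL clients may also request the port-qualified form
#    (1433 assumed here for a default instance).
setspn -S $spn $svcAccount
setspn -S "${spn}:1433" $svcAccount

# 4. Confirm what ended up on the account object.
Get-ADUser -Identity 'svc-sql' -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# 5. On a client, after opening a connection to the instance, a ticket for the SPN
#    should be in the Kerberos cache. No MSSQLsvc entry means the session used NTLM.
klist | Select-String -Pattern 'MSSQLsvc'
```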
I have a Windows server running ADFS. I want to connect to the LDAP server on it. My questions are:
Does the running ADFS server already have an LDAP server running, or do I need to do anything for that? I believe it is running already because I could see open ports 389 and 636.
Assuming the LDAP server is running, I was trying to connect to it using Google Apps Directory Sync to get a list of users; however, I was not able to authorize. Are there any default credentials to connect? Or steps to get credentials for the LDAP server?
Thanks
An ADFS server is not an Active Directory server - ADFS only extends Active Directory's infrastructure. Ports 389 and 636 are available because ADFS supports the LDAP and LDAPS protocols for communication, and as such, ADFS can retrieve user attributes from Active Directory, and it can also authenticate users against Active Directory. If you already have a directory server running, you need to add it to ADFS as an account store.
There are no default credentials - just use an administrative account that exists in your Active Directory store, as mentioned in point one.
To clarify on terminology for ADFS:
Account Store in ADFS: This is the account store that ADFS authenticates the user against with some form of credential (e.g. username/password). By default ADFS connects to Active Directory Domain Services and adds it as a special account store that cannot be deleted. So, any users in this Active Directory forest or in its trusted subsystem can authenticate to ADFS. So far, ADFS only supported Active Directory as an account store and nothing else. With Windows Server 2016, it now supports connecting any LDAP v3 compliant directory as an account store. ADFS does not open LDAP ports, as it is not an LDAP server. If ADFS were co-located with a domain controller, you would see LDAP ports open.
Attribute Store in ADFS: This is a store where you can augment additional information about the user AFTER the user authenticates. By default ADFS has a default attribute store for AD DS that is set up by virtue of the install. Beyond this, it has built-in adapters that can be instantiated to connect to SQL or AD LDS (lightweight directory service). It also has an extensible API to connect to any other attribute store of your choice via .NET. People connect to Oracle/SAP databases, FIM metaverse, etc.
@Srikanth: You will use the ADFS claims language or the UI to query for additional data using the attribute store model. In the UI, you would see it when you configure the issuance authorization rules or the issuance claims rules.
Hope that helps
Sam (@MrADFS)
I was troubleshooting a SQL Server 2008 R2 today, and the server was generating a ton of connection errors from multiple services. Looking at how the server had been set up, the user had a number of services set to run under specific login credentials. The client had set up, within Configuration Manager, the SQL Server default instance to run under the account someusername@somedomain.org with a set password.
I saw this used in a number of locations, including SQL Server Analysis Services and SQL Server Agent, as well as within the IIS app pools and other Windows services that communicate with SQL Server. Looking at the SQL console logs, the server was churning out failed login errors every minute.
In the past I have always set up these service accounts using either Network Service (for intranet deployments) or a domain account somedomain\somename that is provisioned to work as a service account. The email address which was being used was not provisioned as a SQL Server login, but there was a domain user account domain\someusername added as a SQL Server login on the server. To me these are not the same in SQL Server, domain\someusername != someusername@somedomain.org; is that incorrect to assume?
I am in the process of setting everything to a baseline by resetting all the services to use NetworkService so I can at least get everything working properly.
My question is, are there restrictions on using special characters in logins for SQL Server? I had always thought that you did not want (or could not) use special characters for creating logins, such as email addresses. I know when registering an IIS machine against SQL you can use the machine name as domain\machinename$. It seems to me that an email address is not a valid domain account, as it could be an alias etc., and that you would want to explicitly use a valid domain user/service account.
Can anyone provide me some reference material on what is allowed? When I search MSDN or Google I get more results on SQL injection or escaping passwords. I just want to have a more solid understanding of what is allowed as it pertains to a SQL Server login, as well as what a documented best practice is moving forward, so when explaining what to do or what not to do I have some legit reference.
The client has the server set to use mixed mode authentication, but it looks as if they are trying to set everything up to rely on Windows authentication for connectivity to the server.
thanks for any insight,
-cheers
User Account Objects have two names, a User Principal Name and a SAMID, both of which must be unique in the Forest. These can be seen in the Account tab in Active Directory Users and Computers.
The User Principal Name consists of the logon name followed by a UPN Suffix. For example, andrea@adventure-works.com. UPN Suffixes are properties of the Forest and are unrelated to email domains (though for sanity's sake, they should match email addresses :-).
The SAMID consists of the NetBIOS name of the Active Directory domain followed by the logon name (pre-Windows 2000). For example, ADVENTURE-WORKS\andrea.
Most software accepts both types of name, but a few accept only one or the other.
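As an added example (not part of the answer above), this PowerShell resolves a UPN like the one the services were configured with to its DOMAIN\logon-name (SAMID) form, which is the name SQL Server stores for a Windows login, and then checks whether that login exists on the instance. The sample UPN, the instance name and the use of the RSAT and SqlServer modules are assumptions.

```powershell
# Added example, not from the original answer. Both names identify the same AD user,
# but SQL Server records Windows logins as DOMAIN\sAMAccountName, so a service that
# was configured with the UPN can look like a different principal to the DBA.
Import-Module ActiveDirectory   # assumed: RSAT AD module installed

function Resolve-SqlWindowsLogin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Look the account up by UPN (the suffix is a forest property, not the domain).
    $user = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'"
    if (-not $user) { throw "No AD account has the UPN '$UserPrincipalName'." }

    # Translate the account's SID to its NT account name. This yields the NetBIOS
    # domain prefix plus the pre-Windows 2000 logon name, i.e. the SAMID form.
    $sid = [System.Security.Principal.SecurityIdentifier]$user.SID
    return $sid.Translate([System.Security.Principal.NTAccount]).Value
}

# Constructed sample value; replace with the UPN seen in SQL Server Configuration Manager.
$login = Resolve-SqlWindowsLogin -UserPrincipalName 'someusername@somedomain.org'
"SQL Server login name to check or grant: $login"

# Does a matching Windows login (user 'U' or group 'G') already exist on the instance?
# Invoke-Sqlcmd from the SqlServer module is assumed. The name goes in as a sqlcmd
# scripting variable, which is textual substitution, so only feed it values that
# came back from AD as above, never free-form input.
Invoke-Sqlcmd -ServerInstance 'SQL01' -Variable "login=$login" -Query @'
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('U', 'G') AND name = N'$(login)';
'@
```

An empty result means the SAMID form of that account has no server login, which is exactly the mismatch the question describes; the email-style UPN is never what SQL Server compares against.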