SSO setup using Kerberos on windows server - active-directory

I am new to SSO, We had a application using java implementation of kerberos SSO. Now we need to migrate the application to some other machine. I need to know what changes will be required in:
1. Service account in Active directory used for authentication.
2. Keytab files
3. Can the same AD principle name be used or a new one will be required.
Please assist with appropriate steps which are needed to be followed.
Appreciate your help!
Thanks.

If you use service account in AD then I would expect not big changes:
DNS record for this service
Moving keytab to the new server
If machine account is in use then you would need:
Reconfigure DNS
Remove SPN from the current machine account
Generate keytab for a new machine

Related

Azure on prem data gateway for logic app sign in account

I have a customer server, who does not want us to access their server but to connect the logic app to the server I need to install the on prem data gateway and configure it. I have created a user in active directory for the respective subscription with contributor access. I don’t want to share these details to the customer to enter while configuring the data gateway as they can use the same to login. What shall I do now ?
i would suggest just having a logmein or teamviewer session with them when they are installing the data gateway, so that you can type in the credentials.
if this is not possible, may I suggest you try to give them an aad account to install the gateway as, then after the gateway is installed, change the account password
Please Note: I have not tested this second option, and there does not appear to be any specific documentation about that account, but there is no indication that it needs to be active or password must be current.

Domain account for LDAP authentication without change ability

I have set up a Mediawiki for our small local domain (abc.local) on a linux VM (just for internal use). Our local domain controller is a Win Server 2008 R2. I've setup the Mediawiki LDAP Authentication extensions so that i can restrict editing of our Wiki to only domain Users. I've configured the Mediawiki LDAP configuration to use the domain Administrator credentials for this authentication.
Is there a way to create another account that can do this user authentication but can't change anything? Sort of like a "read-only" Administrator account?
thanks,
russ
An account can't be "read-only" and also "Administrator". It's one or the other.
"Authentication" can only ever be done with the user's own credentials. There is no special kind of account that lets you authenticate other accounts. All it needs credentials for is to look up accounts on the domain. So you only need a read-only account, which is basically any account that can authenticate on your domain.
So just create an account specifically for Mediawiki and use that.

Install - SharePoint server - SQL and SPN

I have a question about installing SQL server and a SP2016 development farm. I can install both but my boss asked me questions about installing SPN (Service Principal Name) in the AD. But I don't know why and how an SPN is linked with SQL and SharePoint.
I've done some research on the web and got some terms "Kerberos" but I installed SharePoint with NTLM. Help me understand why SPNs would be useful in this case.
What is a Service Principal Name?
The SPN represents the service entry point into your SQL server for clients to find (using DNS) when they will be using Kerberos authentication.
SPNs are written as a service followed by the fully-qualified DNS name of the IP host the service is running on, (and sometimes optionally, appended with the Kerberos realm name appended to the end). For example if your SQL server were named 'sqlserver1' and your AD domain name was 'acme.com' would be written as: MSSQLsvc/sqlserver1.acme.com.
The SPN itself is found inside the Kerberos database, and clients during the authentication process reach out to DNS to find the IP target host and the Kerberos database (KDC) holding the service principal, grab a Kerberos service ticket from the KDC and use that to single sign-on authenticate to the server running on the target service named in the SPN.
Configuring SPNs
In AD, in the properties of the computer object representing your SQL server, you will add the SPN, and optionally configure Kerberos delegation for that service. You could optionally add the SPN to a user account running the SQL service in AD instead.
In your scenario, Kerberos should actually be the primary authentication method, with NTLM used only as a fallback. If you setup up DNS, AD, Kerberos delegation and the target server correctly, you should never have to fallback to NTLM. With SharePoint, you would use Kerberos to SSO into SharePoint, and then you could optionally allow Kerberos delegation for that same user account to be able to run SQL statements own the SQL DB server as themselves.
None of this is for the faint of heart, and I have actually not setup this precise scenario myself, I just know the underlying concepts; instead my experience is mainly setting up Kerberos SSO to Active Directory authentication to web applications running on Linux platforms. But you asked what an SPN was for and that's what I've answered.
Further Reading
I googled and found this link for you for actually setting up your scenario, it talks about configuring SharePoint with Active Directory with SQL server using Kerberos delegation: Plan for Kerberos authentication in SharePoint 2013

IIS to SQL Server kerberos auth issues

We have a 3rd party product that allows some of our users to manipulate data in a database (on what we'll call SvrSQL) via a website on a separate server (SvrWeb).
On SvrWeb, we have a specific, non-default website setup for this application so instead of going to http://SvrWeb.company.com to get to the website we use http://application.company.com which resolves to SvrWeb and the host headers resolve to the correct website.
There is also a specific application pool set up for this site which uses an Active Directory account identity we'll call "company\SrvWeb_iis". We're setup to allow delegation on this account and to allow it to impersonate another login which we want it to do. (we want this account to pass along the AD credentials of the person signed into the website to SQL Server instead of a service account.
We also set up the SPNs for the SrvWeb_iis account via the following command:
setspn -A HTTP/SrvWeb.company.com SrvWeb_iis
The website pulls up, but the section of the website that makes the call to the database returns the message:
Cannot execute database query.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
I thought we had the SPN information set up correctly, but when I check the security event log on SrvWeb I see entries of my logging in, but it seems to be using NTLM and not kerberos:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Any ideas or articles that cover this setup in detail would be extremely appreciated!
If it helps, we are using SQL Server 2005, and both the web and SQL servers are Windows 2003.
There are several possible reasons for kerberos failures which includes lack of SPN and duplicate SPN as well.
If SQL is running under custom account you would need to add SPN for SQL as well.
Also keep in mind, you should be adding SPN for the FQDN which is the host (A) entry in DNS and not a CNAME.
Check the value of NTAuthenticationProviders
http://support.microsoft.com/kb/215383
Try DelegConfig which would show what is missing if its SPN or something else.
http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887

Use Azure VM Sql server database as source for Azure Analysis Services model

is it possible to use a database created in a Azure VM as a data source for model which is created in Azure Analysis Services?
So far, when I specify connection properties for the model in the web designer and test connection, I get an error stating "a connection was successfully established with the server, but then an error occurred during the login process. (provider SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
I can connect to the server via SSMS and via RDP.
I created a self-signed certificate in the azure key vault and was able to make the SQL server use it. However I can't seem to find out how to make use of it when connecting the model.
Does anyone know if it's possible and if so, what should I do to make it work?
In the end I managed to make it work. For anyone with similar problem, I will write my solution below.
For the error "The certificate chain was issued by an authority that is not trusted" - just as discussed in the thread linked by TJB in comment, this was because I did not have a CA signed certificate, but a self-signed one.
A CA signed certificate from Azure would probably solve the issue, but I tried the Let's Encrypt site (also linked in the other thread). The issue I had with Let's Encrypt was that I had a windows server, while they natively support linux-based systems.
However I found an article by Daniel Hutmacher called Encrypting SQL Server connections with Let’s Encrypt certificates which was solving the very issue I had.
(as for the client tool, the current version is different from the one described in the article, but you can still download the old version on github. I used the lastest november 2017 release). With this I was able to generate and add a CA signed certificate to SQL server.
At this point, I created a model in Azure Analytics Services, used Azure Database as type of source/connection and filled in the connection to my VM SQL server. I saw my database tables, but when I tried to query data, I got a new error, stating that the AAS need an On-premise data gateway set up.
The Microsoft docs Install and configure an on-premises data gateway describes how to install on-premise data gateway on the VM, but if you are like me and use personal account for azure, you will have issues binding your account to the gateway. The solution as hinted here is to create a new account in Azure Active Directory (I created a new user and registered it under my azure custom domain, so the login looked like XXX#zzz.onmicrosoft.com). I gave the user admin role, so as to temporarily avoid any azure permission setbacks. Next I added the user to my subscription via Subscriptions -> "My_subscription" -> Access Control (IAM) and assigned an owner role to the AD user.
Now back on my VM I could bind the new user's account to the gateway (don't forget to change the gateway's region to your preferred region before finishing the setup).
Next, on Azure I created an "on-premise data gateway" service (do note you need to select same region as the one which your VM gateway is located under). I am not sure now, if only the new AD user I created could see the gateway, so in case you do not see it, try the AD user as well.
Last but not least, in the Azure Analytics services I went to the "on-premises data gateway" settings and set it to use the one I just created.
With this I was able to create the model and query the data from database.
Note:
In the model web designed for analytics services I happened to be logged in under the AD user, not under my personal account. Attempting to change the account to my personal one ended up in login failure, however after a few such attempts and opening multiple web designers in separated tabs, I correctly logged in under my personal account. After a while I could no longer replicate the issue.
I guess the issue may have been that I was logged in to Azure under both my personal account and the AD user at the same time in same browser when setting eveything up.

Resources