
Appendix C – Configuring KCD for Good Share

Kerberos Constrained Delegation (KCD) authenticates user access to both Files Shares and SharePoint sites without requiring an Active Directory password.

Requirements

To implement KCD for Good Share, your environment must meet the following prerequisites:

• Your Good Dynamics infrastructure must meet the version requirements specified under Good Dynamics Requirements.

• Your Good Share Server needs the following additional inbound ports open (not blocked by any firewall):

  o 17080 to the Good Proxy server

  o 17433 to the Good Proxy server

• Kerberos authentication must be enabled in SharePoint.

• IP addresses cannot be used when referring to SharePoint URLs and file shares; use host names, because a Kerberos SPN is built from the host name.

Summary of Process

Enabling KCD authentication for accessing SharePoint sites and File Shares using Good Share entails three primary steps:

1. Finding the Application Pool Identity and port number for each SharePoint web application.

2. Creating the Service Principal Names (SPN) in Active Directory.

3. Adding KCD constraints in Active Directory.

Finding the Application Pool Identity and Port Number

To determine the Application Pool ID and port number for all the web applications containing SharePoint sites that will be made available to share:

1. Create a list of all web apps that need to be shared through Good Share.

2. Open IIS Manager on each SharePoint server. If a web application was extended to create alternate access mappings, note that the extended IIS site does not necessarily use an additional, unique port number.

3. Find the Application Pool Identity in the Application Pools list view (pictured) or in Central Administration > Security > Configure service accounts.


Caution: For KCD to work properly in most instances, the Application Pool Identity user must be the same for all application pools whose applications will be accessed by Good Share. You cannot have the relevant application pools running under different users, because the delegation constraint is granted to one account's SPNs.

4. Find the port numbers for each of the web apps listed in the Web Applications view (pictured next). You can also look in the Alternate Access Mappings view.

5. Navigate to Central Administration > Application Management, choose the web application, then click Authentication Providers in the ribbon bar. Make sure that the authentication type for each web application is set to Windows and that Kerberos is enabled. Authentication Type is set/verified as pictured next.


Note: In certain scenarios, switching to Negotiate (Kerberos) may also require enabling Kernel-mode authentication in IIS for the corresponding IIS site. For additional information, see MSDN's SPN Checklist for Kerberos Authentication.
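The inventory above can be scripted instead of clicked through. The following is an added example, not code from the Good Share guide: it lists every web application's zone URLs, application pool identity and Kerberos setting, applies the guide's three checks (one pool identity, Kerberos enabled, no IP-based URLs), and prints candidate setspn commands in the form the next section uses. It assumes the SharePoint Management Shell (PowerShell 3 or later) on a farm server run as a farm administrator, a single-server farm (so a built-in pool identity maps to this machine's computer account), and the guide's SPN rules (short and FQDN host names, port only when non-default, HTTPS service class for SSL URLs).

```powershell
# Added example, not code from the Good Share guide. Assumptions: SharePoint Management
# Shell, PowerShell 3+, farm administrator, single-server farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rows = foreach ($webApp in Get-SPWebApplication) {
    $poolUser = $webApp.ApplicationPool.Username
    # Built-in identities (Network Service, etc.) have no AD user object, so their
    # SPNs go on the computer account (assumed here: this server).
    $spnTarget = if ($poolUser -match '^(NT AUTHORITY|NT SERVICE|IIS APPPOOL)\\') {
        "$env:USERDOMAIN\$env:COMPUTERNAME"
    } else { $poolUser }

    foreach ($zone in $webApp.IisSettings.Keys) {
        $iis = $webApp.IisSettings[$zone]
        # One row per alternate access mapping URL in this zone.
        foreach ($aam in @($webApp.AlternateUrls | Where-Object { $_.UrlZone -eq $zone })) {
            [pscustomobject]@{
                WebApplication = $webApp.DisplayName
                Zone           = $zone
                Url            = $aam.Uri.AbsoluteUri
                AppPoolUser    = $poolUser
                SpnTarget      = $spnTarget
                Kerberos       = -not $iis.DisableKerberos
            }
        }
    }
}
$rows | Format-Table WebApplication, Zone, Url, AppPoolUser, Kerberos -AutoSize

# Prerequisite checks from the guide: one pool identity, Kerberos on, no IP-based URLs.
$identities = @($rows | Select-Object -ExpandProperty AppPoolUser -Unique)
if ($identities.Count -gt 1) {
    Write-Warning "Application pools run as different identities ($($identities -join ', ')); KCD needs one."
}
$rows | Where-Object { -not $_.Kerberos } |
    ForEach-Object { Write-Warning "Kerberos is disabled on $($_.WebApplication) [$($_.Zone)]" }
$rows | Where-Object { ([uri]$_.Url).HostNameType -eq 'IPv4' -or ([uri]$_.Url).HostNameType -eq 'IPv6' } |
    ForEach-Object { Write-Warning "IP-based URL $($_.Url) cannot be used with KCD" }

# Candidate setspn commands following the guide's rules; review them before running.
$commands = foreach ($r in $rows) {
    $u     = [uri]$r.Url
    $class = $u.Scheme.ToUpperInvariant()        # HTTP, or HTTPS for SSL URLs per the guide
    $short = $u.Host.Split('.')[0]
    $fqdn  = if ($u.Host -match '\.') { $u.Host } else { "$short.$env:USERDNSDOMAIN" }
    foreach ($h in @($short, $fqdn)) {
        if (-not $u.IsDefaultPort) { "setspn -S $class/${h}:$($u.Port) $($r.SpnTarget)" }
        "setspn -S $class/$h $($r.SpnTarget)"
    }
}
$commands | Sort-Object -Unique
```

The script only prints the setspn lines; run them deliberately after checking the warnings, since an SPN registered on the wrong account is the most common reason Kerberos silently falls back to NTLM.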

Creating Service Principal Names (SPNs) in Active Directory

To create SPNs in AD for the SharePoint locations and the Good Share user:

1. Create a dedicated user that will run as Good Share. In the example here, the user is <domain>\GoodShareUser.

2. Set the GoodShareUser password to never expire and clear the option that requires a password change at next logon.

3. Create a Service Principal Name (SPN) for each web application that will need to be shared, using setspn commands like the following:

setspn -S HTTP/SPHOST:PORT domain\AppPoolUser
setspn -S HTTP/SPHOST.FQDN:PORT domain\AppPoolUser
setspn -S HTTP/SPHOST domain\AppPoolUser
setspn -S HTTP/SPHOST.FQDN domain\AppPoolUser

If the port is a default port (80 or 443), omit the first two lines above. The -S switch refuses to add an SPN that already exists on another account; a duplicate SPN breaks Kerberos for both accounts, so do not bypass that check with -A.

Note: Some lines only need a host name while others need a fully qualified host name.

If the application pool identity is a built-in account such as Network Service, register the SPNs on the SharePoint server's computer account instead of domain\AppPoolUser, as follows:

setspn -S HTTP/SPHOST:PORT domain\SPHOST
setspn -S HTTP/SPHOST.FQDN:PORT domain\SPHOST
setspn -S HTTP/SPHOST domain\SPHOST
setspn -S HTTP/SPHOST.FQDN domain\SPHOST

Important: If you are using SSL, the SPN must refer to HTTPS, rather than HTTP.

4. Create a SPN for the Good Share process user as follows:

setspn -S HTTP/GSSHOST domain\GoodShareUser
setspn -S HTTP/GSSHOST.FQDN domain\GoodShareUser

Here, <GSSHOST> is the host name of the Good Share server.

Note: No HTTP service (IIS, etc.) needs to be running on the GSS machine. The two SPNs above exist only so that the Delegation tab appears in the user's Properties dialog in Active Directory Users and Computers, which shows that tab only for accounts that carry at least one SPN.

Adding Kerberos Delegation Constraints in Active Directory

To create Kerberos constrained delegations for the GoodShareUser for each SPN:

1. Open the AD Users and Computers manager and look under Users to find GoodShareUser.

2. Right-click GoodShareUser and select Properties.

3. Click the Delegation tab.

4. Select both Trust this user for delegation to specified services only and Use any authentication protocol, then click Add. The second option turns on Kerberos protocol transition, which is what lets Good Share obtain service tickets for a user whose password it never sees; because that is a powerful grant, add only the services Good Share must reach.


5. Click Users or Computers in the Add Services pop-up.

6. In the Select users or Computers pop-up, enter the SharePoint Application Pool Identity user name and click OK.

7. Select all the services corresponding to the SharePoint web applications running under the username entered in Step 6, omitting the HTTP service, and click OK.


The services to which GoodShareUser can delegate credentials are now listed on the Delegation tab of the user's Properties dialog.

8. Click Add and repeat steps 5 through 7 above, but instead of choosing the application pool identity user, choose the computer account for the SharePoint server. When you choose the services, select HOST and http as shown below and click OK to add each computer account to the list of services.


The delegated services are now listed on the Delegation tab of the user's Properties dialog.

You're now ready to repeat Steps 4 through 8 for each SPN in Active Directory.

Adding Kerberos Constraints for File Shares

The main difference between sharing files and sharing SharePoint sites is that for file shares the delegation is configured on the Good Share computer account, not on the Good Share process user (GoodShareUser).

To add Kerberos constraints for a user's file shares:

1. Under Computers in AD's Users and Computers, right-click the Good Share computer, select Properties, then open the Delegation tab.


2. Click Add, then click the Users or Computers button, enter the name of the server containing the file share requiring access and click OK. Then in the list of services, select cifs and click OK.

Repeat for each File Share server requiring access via KCD.

3. To make these configuration changes take effect right away, reboot any servers with network shares.

Note: Because Kerberos tickets are cached, a reboot is the only sure way to get every delegation change picked up on all machines. Without a reboot, the changes can take up to ten hours (the default maximum ticket lifetime) to take effect on all the needed servers.
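The delegation settings from the two sections above (SharePoint sites via GoodShareUser, file shares via the Good Share computer account) can also be applied and, more importantly, audited from PowerShell. The following is an added example, not code from the Good Share guide: it writes the same constraints the ADUC dialogs write (msDS-AllowedToDelegateTo for the service list, TrustedToAuthForDelegation for "Use any authentication protocol") and then reads them back. It assumes the RSAT ActiveDirectory module, rights to edit the accounts, SPNs already registered with setspn, and placeholder names that are not from the guide except GoodShareUser, GSSHOST and SPHOST: svc-spapppool for the application pool identity and FS01/FS02 for the file servers. Enabling protocol transition on the computer account is also an assumption; the guide's file-share steps do not say which Delegation tab option to choose, but Good Share never holds the user's password, so delegation without it cannot work.

```powershell
# Added example, not code from the Good Share guide. Assumptions: RSAT ActiveDirectory
# module, account edit rights, SPNs already registered; svc-spapppool, FS01 and FS02 are
# placeholder names.
Import-Module ActiveDirectory

$goodShareUser  = 'GoodShareUser'
$goodShareHost  = 'GSSHOST'          # Good Share server computer name
$sharePointHost = 'SPHOST'           # SharePoint server computer name
$appPoolUser    = 'svc-spapppool'    # SharePoint application pool identity (assumed name)
$fileServers    = @('FS01', 'FS02')  # servers hosting the file shares (assumed names)
$dnsDomain      = (Get-ADDomain).DNSRoot

# Steps 6 and 7 above: the HTTP/HTTPS SPNs already registered on the application
# pool account are the services GoodShareUser may delegate to.
$spSpns = @((Get-ADUser -Identity $appPoolUser -Properties ServicePrincipalName).ServicePrincipalName |
    Where-Object { $_ -match '^HTTPS?/' })
if ($spSpns.Count -eq 0) { throw "No HTTP SPNs on $appPoolUser; register them with setspn first." }

# Step 8 above: HOST and http on the SharePoint server's computer account.
$hostSpns = foreach ($svc in 'HOST', 'http') { "$svc/$sharePointHost"; "$svc/$sharePointHost.$dnsDomain" }

# "Trust this user for delegation to specified services only" = msDS-AllowedToDelegateTo;
# "Use any authentication protocol" = TrustedToAuthForDelegation (protocol transition).
Set-ADUser -Identity $goodShareUser -Add @{ 'msDS-AllowedToDelegateTo' = @($spSpns + $hostSpns) }
Set-ADAccountControl -Identity $goodShareUser -TrustedToAuthForDelegation $true

# File shares: the constraint lives on the Good Share computer account and targets cifs.
$cifsSpns = foreach ($fs in $fileServers) { "cifs/$fs"; "cifs/$fs.$dnsDomain" }
Set-ADComputer -Identity $goodShareHost -Add @{ 'msDS-AllowedToDelegateTo' = @($cifsSpns) }
Set-ADAccountControl -Identity ($goodShareHost + '$') -TrustedToAuthForDelegation $true

# Read back exactly what the KDC will enforce, then check the forest for duplicate SPNs.
$show = @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
Get-ADUser -Identity $goodShareUser -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, $show
Get-ADComputer -Identity $goodShareHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, $show
setspn -X
```

The read-back is the part worth keeping in a runbook: an account with TrustedToAuthForDelegation set can impersonate any user (other than accounts marked sensitive and cannot be delegated) to every service in its msDS-AllowedToDelegateTo list, so that list should contain nothing beyond the SharePoint and cifs services Good Share actually needs, and setspn -X should report no duplicates.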

Enabling KCD on the Good Share Server

To enable Kerberos constrained delegation on the machine hosting Good Share:

1. Open Settings, open the Security Settings tab, then enable KCD and enter the Good Proxy location.

2. Grant the Act as part of the operating system privilege to GoodShareUser in the Local Security Settings tab. This privilege (SeTcbPrivilege) allows a process to create logon tokens for other users, so grant it only to GoodShareUser and only on the Good Share server.


For comprehensive guidance from Microsoft, see Kerberos Constrained Delegation for Windows Server.

