Wednesday 24 July 2013

SSRS integration mode in SharePoint for new web application.


Once SSRS is configured in SharePoint integration mode, using it in a new web application takes an extra step. Every time you create a new web application (and a new site collection under it), you have to go to SharePoint Central Admin and activate the feature from the general settings. You can go to the site collection level and activate the Reporting feature there, but you also have to go to SharePoint Central Admin > General Application Settings > Reporting Services Integration and activate the feature from there as well. Why is this required? Because after you complete the Central Admin steps, it shows the following message:

 Access for SSRS service account to farm successfully added.

 





 

One question always comes to mind: why do we have to repeat the Central Admin activity every time, when we only want it for the new web application? You don't have to. You can do it for just the new web application with the following PowerShell commands. This way it does not impact the other web applications that are already running.

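PowerShell commands:

    # Load the SharePoint cmdlets when not running in the SharePoint Management Shell
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    # Placeholder: the site collection URL where you want to give access to the SSRS service account
    $SPSite = "<site collection URL>"
    $webapp = Get-SPWebApplication $SPSite
    # Placeholder: the service account of SSRS
    $ApplicationAccount = "<SSRS service account>"
    $webapp.GrantAccessToProcessIdentity($ApplicationAccount)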

 

 

Other way:

Alternatively, go to Central Admin, select the web application under Application Management, and add the service account with FULL rights under the user policy settings.

 

Tuesday 23 July 2013

Kerberos Authentication Setup in SharePoint Environment



Kerberos Authentication Setup at Small SharePoint Farm
Kerberos setup is really easy. Once you know what is happening in each step, you can set up Kerberos authentication without any problem. Here I am taking a small SharePoint environment with 1 APP server, 1 WEB server and 1 SQL server.

SharePoint Farm Topology:

1 APP Server: eg: app.domain.com
1 WEB Server: eg: web.domain.com
1 SQL Server: eg: sql.domain.com
SQL service is running as: domain\sqlservice
1 Central Admin: http://app.domain.com:8888
1 Web application (host header): http://testapp.domain.com
http://testapp.domain.com runs in an app pool with the domain account: domain\apppool
*No service here runs under a computer account, so we don't need computer account delegation.

End Result:

Set up Kerberos authentication only for the web application (not for Central Admin; in some scenarios that is required, but I am not covering it here).

Major Steps:

1. Create SPN for app pool account.
2. Create SPN for SQL server service account.
3. Trust for delegation of app pool account.
4. In Central Admin, go to the web application properties and set Negotiate authentication for the web application, per zone.

Create SPN for app pool account:
The application (http://testapp.domain.com) runs under the domain\apppool account, so we have to create an SPN for the application pool account. You can use PowerShell, ADSI Edit or the Command Prompt to create these SPNs. Syntax as below:
App Pool Account: domain\apppool
Application: http://testapp.domain.com
SPN:
HTTP/testapp.domain.com domain\apppool
(*If you are using a port number, the syntax is HTTP/servername.domain.com:portno domain\apppool, e.g. HTTP/webapp1:4444 domain\webapppool1 and HTTP/webapp1.domain.com:4444 domain\webapppool1. It is best practice to create both SPNs, one with the server name and one with the fully qualified name.)

Create SPN for SQL server service account:
Check which account the SQL service is running under; in my example it is domain\sqlservice.
SPNs:
setspn -S MSSQLSvc/sql.domain.com domain\sqlservice
setspn -S MSSQLSvc/sql.domain.com:1433 domain\sqlservice
(*The default SQL port is 1433; if you use a different port number, modify accordingly.)

Trust for delegation of app pool account:
Once you create an SPN for an account, the Delegation tab becomes available in the account properties.
Trust the app pool account domain\apppool for delegation:
Go to Active Directory and make the following change for the domain\apppool account.
Under the Delegation tab:
Select "Trust this user for delegation to any service (Kerberos only)".

In Central Admin, go to the web application properties and set Negotiate authentication for the web application, per zone:
Log in to Central Admin.
Go to the web application properties and set Negotiate authentication for the web application (http://testapp.domain.com).
Kerberos setup is now done.

Testing:
You can use Fiddler or another Kerberos tester tool, but the best way is to open Event Viewer (eventvwr) on the web server; under Security you will see Kerberos authentication displayed for user logins.
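
To check the steps above in one pass, here is an added PowerShell example (not part of the original post). It confirms each SPN from the example topology is registered on exactly one account and on the expected one, reads the delegation flag on the app pool account, and then counts recent logons on the web server by authentication package. Assumptions: it runs on a domain-joined machine with rights to read the Security log, and it uses event ID 4624 and its AuthenticationPackageName field, neither of which is named in the post.

```powershell
# Expected SPN -> owning account (sAMAccountName), taken from the example topology in this post.
$expected = @{
    'HTTP/testapp.domain.com'      = 'apppool'
    'MSSQLSvc/sql.domain.com'      = 'sqlservice'
    'MSSQLSvc/sql.domain.com:1433' = 'sqlservice'
}

function Get-SpnOwner {
    param([string]$Spn)
    # Every account in the current domain that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'useraccountcontrol'))
    $searcher.FindAll()
}

function Test-SpnRegistration {
    param([string]$Spn, [string]$Account, [object[]]$Owners = @())
    # An SPN must sit on exactly one account; duplicates break Kerberos for that service.
    $names = @($Owners | ForEach-Object { $_.Properties['samaccountname'][0] })
    if ($names.Count -eq 0) { return "MISSING   $Spn" }
    if ($names.Count -gt 1) { return "DUPLICATE $Spn on $($names -join ', ')" }
    if ($names[0] -ne $Account) { return "WRONG     $Spn is on $($names[0])" }
    "OK        $Spn -> $Account"
}

foreach ($spn in $expected.Keys) {
    $owners = @(Get-SpnOwner $spn)
    Test-SpnRegistration -Spn $spn -Account $expected[$spn] -Owners $owners
    if ($spn -like 'HTTP/*' -and $owners.Count -eq 1) {
        # Step 3: 0x80000 is the TRUSTED_FOR_DELEGATION bit of userAccountControl.
        $uac = [int]$owners[0].Properties['useraccountcontrol'][0]
        "Delegation trust on app pool account: $([bool]($uac -band 0x80000))"
    }
}

# Testing step, run on the web server: recent logons grouped by authentication package.
# Event ID 4624 and AuthenticationPackageName are assumptions (not named in the post).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object { $_.Name -eq 'AuthenticationPackageName' }).'#text'
    } | Group-Object | Select-Object Count, Name
```

If users browsing http://testapp.domain.com show up under NTLM rather than Kerberos in the last table, recheck the SPN lines first: a MISSING or DUPLICATE result there is the usual reason Negotiate falls back to NTLM.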