5 Replies Latest reply on Feb 8, 2019 11:09 AM by lmlcoch

Kerberos configuration - SPN, Delegations for services

Hello everyone,

I’m currently working on Kerberos authentication in my workplace domain test environment and have faced some problems with the configuration. I hope some of you who are more experienced in this topic could help me with it, because I’m not sure if I understand everything correctly.

• Domain architecture:
1. PI Server machine (later called PI-srv);
2. PI AF Server + PI Web API + PI Vision machine (later called AF-srv);
3. SQL Server machine (later called SQL-srv);

• I’ve created the following domain service accounts with user privileges and used them to run the corresponding services:
1. AF Services;
2. AF Analysis Services;
3. PI Vision;
4. PI Web API;
5. PI Web API Crawler;
6. SQL Service;

My questions concern mainly configuring my Active Directory objects for delegation, so please correct me if I’m getting something wrong:

(fragment of PI Server 2018 Installation and Upgrade Guide)

1. For AF Service Account:

a. Should I make a delegation for the PI Server service from PI-srv?

b. There's no point in making a delegation for the AF Service from AF-srv, right?

c. If no external AF data (e.g. for an AF Table) resides in SQL Server at the moment, there is no need to make a delegation for the SQL service from SQL-srv, right?

2. For PI Web API Service Account:

a. Should I make a delegation for the PI Server service from PI-srv as well as for the AF Service from AF-srv?
b. Should I make the same delegations for the PI Web API Crawler service account?

3. For PI Vision Service Account:

a. Should I make a delegation for the PI Server service from PI-srv as well as for the AF Service from AF-srv?

(It should be mentioned that I’ve already changed the Identity of the Application Pools in IIS to that custom PI Vision service account; I also disabled Anonymous Authentication and enabled Windows Authentication.)

4. For Analysis Service Account:

a. Should I make a delegation for the PI Server service from PI-srv as well as for the AF Service from AF-srv, or is it enough to configure the AF Service as in point 1?

5. Should I add any other delegation to the mentioned service accounts? (I’ve read this article: Kerberos and Delegation (Only does 1 jump in PiVision), where Matthew also added the HTTP service.)

Is this point about the following entries? Because in that case I had blank entries:

(continued) But the “setspn -l domain\account_name” command returned nothing before the ADSI Edit configuration.

I realise that this is a pretty big, complex question, but I would be very grateful if someone could help with this.

Thanks in advance and have a nice day!

-Bartosz

• Re: Kerberos configuration - SPN, Delegations for services

With Kerberos delegation, the one thing you always need to consider is what services are front-ends (i.e. services directly accessed by client users) and what services are back-ends (indirectly accessed by client users).

Consider a scenario where end user Domain\Joe opens up his web browser, connects to PI Vision and views a trend showing PI Point data:
Joe's PC (web browser) > PI Vision > PI Data Archive

PI Vision is the front-end service (directly accessed by Domain\Joe - the end user), PI Data Archive is the back-end service.

But how do we get Joe's credentials to PI Data Archive?

This is where Kerberos Delegation comes into play. Kerberos Delegation is the ability of the front-end service (PI Vision, in this case) to obtain a Kerberos ticket to a specific service (PI Data Archive, in this case) on behalf of the end user (Joe, in this case).

Joe's PC (web browser) > Kerberos Authentication: provide HTTP/PIVisionServerName ticket to > PI Vision > Kerberos Delegation: obtain PIServer/PIDataArchiveName ticket on behalf of the end user and pass it to > PI Data Archive

To make this flow possible, three things are needed:

1. An HTTP SPN needs to be created for the PI Vision service and assigned to the service account running the PI Vision service.

HTTP is a built-in SPN class defined by Microsoft. All OSIsoft web apps (Vision, WebAPI, WebParts) use this SPN class for Kerberos authentication. Keep in mind that the SPN class has no bearing on what protocol is used by the web app, i.e. even if your web application is using HTTPS instead of HTTP, the SPN class is always HTTP!

To create an SPN, execute:
setspn -s HTTP/PIVisionServerName Domain\VisionServiceAccount

setspn -s HTTP/PIVisionFQDN Domain\VisionServiceAccount

where:
HTTP is the SPN class, always the same for OSIsoft Web Apps!
PIVisionServerName is the short name of PI Vision server

PIVisionFQDN is the fully qualified name of PI Vision server

VisionServiceAccount is the service account running PI Vision Application Pools

So for example, if your PI Vision server name is pi-viz1.mydomain.local and myDomain\Vision-svc service account is running PI Vision AppPools, you would run:

setspn -s HTTP/pi-viz1 myDomain\Vision-svc

setspn -s HTTP/pi-viz1.mydomain.local myDomain\Vision-svc

If you use a DNS alias (type: Host A) instead of the server name to access PI Vision, just create the SPN for the alias. See KB01574 for details.

2. A PIServer SPN needs to be created for the PI Data Archive (pinetmgr) service and assigned to the service account running the PI Data Archive (pinetmgr) service.

It's largely the same story as with PI Vision in step 1. The only difference is the SPN class, which is always PIServer for OSIsoft's PI Data Archive.

So for example, if your PI Data Archive server name is pi-da1.mydomain.local and myDomain\pi-svc service account is running PI Network Manager service on the PI Data Archive server, you would run:

setspn -s PIServer/pi-da1 myDomain\pi-svc

setspn -s PIServer/pi-da1.mydomain.local myDomain\pi-svc

By default, PI Network Manager runs under the built-in nt service\pinetmgr account, so the PIServer SPN is created for the computer object rather than a specific account.

setspn -s PIServer/pi-da1 myDomain\pi-da1$

setspn -s PIServer/pi-da1.mydomain.local myDomain\pi-da1$

The $ at the end indicates it's a computer object.

3. PI Vision Service account needs to be able to delegate to PI Data Archive.

There are several options for delegation settings. Check out KB01222 for details.

The gist of it is:
- Do NOT use Unconstrained Kerberos Delegation (ability to obtain a Kerberos ticket to ANY service on behalf of the end user)!
- Use Constrained Kerberos Delegation

- Protocol Transition (sometimes also called "Use any Authentication Protocol") allows the front-end service to obtain a Kerberos ticket to back-end service on behalf of the end user, even if the initial authentication to front-end service wasn't Kerberos, for example:

Joe's PC (web browser) > NTLM Authentication > PI Vision > Kerberos Delegation WITH Protocol Transition:  obtain PIServer/PIDataArchiveName ticket on behalf of the end user and pass it to > PI Data Archive

This can be very useful and we recommend customers go for this option as it provides a more robust solution and the cyber security risk is acceptable (since Protocol Transition only works with Constrained Delegation).

--

Keep in mind that for simple direct connection such as PI System Management Tools open on a client PC connecting to PI Data Archive, only Kerberos Authentication happens. There's no Kerberos Delegation happening:

Joe's PC (PI System Management Tools) > Kerberos Authentication: provide PIServer/PIDataArchiveServerName ticket to > PI Data Archive

Kerberos Delegation ONLY occurs in double-hop scenarios such as we discussed above.

In OSIsoft world as far as Kerberos Delegation goes:
PI Data Archive (sometimes also called PI Server) is always a back-end.
PI Asset Framework Server (sometimes also called PI AF Server) can be both front-end (Client > AF > linked table hosted in a SQL Server) and back-end (Client > WebAPI > AF).

PI Web API and PI Vision are always front-end services.

PI Crawler, PI Analysis, PI Notifications (and other services users don't directly interact with) are never involved in Kerberos delegation process.

Hope this helps. Let me know if you have any questions.
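The three steps above (HTTP SPNs on the PI Vision account, PIServer SPNs on the PI Data Archive computer object, constrained delegation with protocol transition) as one PowerShell script. This is an added example, not code from the thread or from OSIsoft; it assumes the RSAT ActiveDirectory module, rights to edit the objects, and the placeholder names from the answer (pi-viz1, pi-da1, Vision-svc, mydomain.local).

```powershell
# Added example, not from the thread: registers the SPNs and configures
# constrained delegation for the PI Vision service account.
# Assumes the RSAT ActiveDirectory module and rights to modify the objects.
Import-Module ActiveDirectory

$Domain      = 'mydomain.local'      # placeholder names from the answer above
$VisionHost  = 'pi-viz1'
$VisionAcct  = 'Vision-svc'          # runs the PI Vision app pools
$DataArchive = 'pi-da1'              # pinetmgr runs as NT SERVICE\pinetmgr,
                                     # so its SPN lives on the computer object

# 1. HTTP SPNs for PI Vision: short name and FQDN, on the service account.
#    setspn -S refuses to add a duplicate, so an SPN already held by another
#    account (a common cause of a silent NTLM fallback) is caught here.
setspn -S "HTTP/$VisionHost"         $VisionAcct
setspn -S "HTTP/$VisionHost.$Domain" $VisionAcct

# 2. PIServer SPNs for PI Data Archive, on the computer object (note the $).
setspn -S "PIServer/$DataArchive"         "$DataArchive`$"
setspn -S "PIServer/$DataArchive.$Domain" "$DataArchive`$"

# 3. Constrained delegation: Vision-svc may request tickets ONLY for the
#    PIServer SPNs listed here, on behalf of the calling user.
$targets = @("PIServer/$DataArchive", "PIServer/$DataArchive.$Domain")
Set-ADUser -Identity $VisionAcct -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# Keep unconstrained delegation off, and enable protocol transition
# ("Use any authentication protocol") so a browser session that fell back
# to NTLM can still be delegated to PI Data Archive.
Set-ADAccountControl -Identity $VisionAcct `
    -TrustedForDelegation $false `
    -TrustedToAuthForDelegation $true

# Verify: SPNs on both objects, and the delegation settings on the account.
setspn -L $VisionAcct
setspn -L "$DataArchive`$"
Get-ADUser $VisionAcct -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
```

Run setspn -X afterwards to confirm no duplicate SPNs exist in the forest; a duplicate HTTP SPN is the usual reason Kerberos silently falls back to NTLM.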

• Re: Kerberos configuration - SPN, Delegations for services

Hi Lubos,

Thanks for a straightforward answer, that explains a lot. So that means that the PI Web API and PI Vision services (and every other HTTP service, if on the same machine) have to be running under the same service account...?

Could you also tell me, if I have to enable Protocol Transition for PI Vision, why isn't it necessary for logging into PI Web API?

Thanks a lot, once again

-Bartosz

• Re: Kerberos configuration - SPN, Delegations for services

1. So that means that PI Web API and PI Vision services (and every other HTTP service, if on the same machine) have to be running under same service account...?
LM >> Yes, since they would be sharing the same SPN - HTTP/machineName. You could create DNS aliases for both Vision and WebAPI, which would allow you to run them under different service accounts (as they'd be using different SPNs - HTTP/VisionAlias and HTTP/WebAPIAlias).

I recommend using the same account to run both services as it makes configuration easier. That said, I would also recommend not using the WebAPI instance running on PI Vision server for anything other than PI Vision related things (search, XY Plot, Events Table).

If you want to use WebAPI for custom apps, install a separate WebAPI instance on another server.

2. Could you also tell me, if I have to enable Protocol Transition for PI Vision, why isn't it necessary for logging into PI Web API?

LM >> Protocol Transition only comes into play in the Kerberos Delegation process. It affects both PI Vision and PI Web API (or any other service) in the same way.

Kerberos Delegation:
With Protocol Transition enabled:

Joe's PC (web browser) > NTLM Authentication > PI Vision OR PI Web API > Kerberos Delegation WITH Protocol Transition (NTLM != Kerberos >> protocol transition required AND enabled):  CAN obtain PIServer/PIDataArchiveName ticket on behalf of the end user and pass it to > PI Data Archive

Joe's PC (web browser) > Kerberos Authentication > PI Vision OR PI Web API > Kerberos Delegation WITHOUT (Kerberos = Kerberos >> protocol transition not required) Protocol Transition:  CAN obtain PIServer/PIDataArchiveName ticket on behalf of the end user and pass it to > PI Data Archive

Without Protocol Transition enabled:

Joe's PC (web browser) > NTLM Authentication > PI Vision OR PI Web API > Kerberos Delegation WITHOUT Protocol Transition (NTLM != Kerberos >> protocol transition required BUT not enabled): CAN'T obtain PIServer/PIDataArchiveName ticket on behalf of the end user and pass it to > PI Data Archive

Joe's PC (web browser) > Kerberos Authentication > PI Vision OR PI Web API > Kerberos Delegation WITHOUT Protocol Transition (Kerberos = Kerberos >> protocol transition not required):  CAN obtain PIServer/PIDataArchiveName ticket on behalf of the end user and pass it to > PI Data Archive

So unless you can guarantee Kerberos won't fall back to NTLM in your environment (e.g. your domain doesn't allow NTLMv1 and NTLMv2 at all, and you don't need to connect from other domains or external networks where Kerberos doesn't work), Protocol Transition is there to save the day.

With proper Kerberos Constrained Delegation configured, Protocol Transition benefits win over potential security risks, in my opinion.
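The four cases above come down to two things on the front-end account: the delegation mode and whether protocol transition is on. The audit function below, an added example that is not part of the thread, reads those settings for a service account (or a computer object) and reports whether an NTLM-authenticated front-end session can still be delegated. It assumes the RSAT ActiveDirectory module; the account names at the bottom are placeholders.

```powershell
# Added example, not from the thread: classify an account's delegation mode.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

# userAccountControl bits documented by Microsoft
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition

function Get-DelegationMode {
    param([Parameter(Mandatory)][string]$SamAccountName)  # e.g. Vision-svc or pi-viz1$

    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    if (-not $obj) { throw "Account '$SamAccountName' not found" }

    $uac     = [int]$obj.userAccountControl
    $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        $mode = 'Unconstrained'; $ntlmOk = $false
        $note = 'RISK: may obtain tickets to ANY service as the user (needs a forwarded TGT, so Kerberos only); switch to constrained'
    } elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        $mode = 'Constrained + protocol transition'; $ntlmOk = $true
        $note = 'NTLM-authenticated front-end sessions are still delegated to the listed targets'
    } elseif ($targets.Count -gt 0) {
        $mode = 'Constrained (Kerberos only)'; $ntlmOk = $false
        $note = 'delegation fails whenever the browser fell back to NTLM'
    } else {
        $mode = 'None'; $ntlmOk = $false
        $note = 'double hop (e.g. PI Vision > PI Data Archive) will fail'
    }

    [pscustomobject]@{
        Account           = $SamAccountName
        SPNs              = @($obj.servicePrincipalName) -join ', '
        Mode              = $mode
        AllowedTargets    = $targets -join ', '
        NtlmFrontEndWorks = $ntlmOk
        Note              = $note
    }
}

# Placeholder front-end accounts (assumed names, not from the thread).
'Vision-svc', 'WebAPI-svc' | ForEach-Object { Get-DelegationMode $_ } | Format-List
```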

• Re: Kerberos configuration - SPN, Delegations for services

I've found out that I can obviously add the port after the host name, so the first question is closed.

• Re: Kerberos configuration - SPN, Delegations for services

Ports can indeed differentiate SPNs. However, with HTTP it's a bit more complex. By default, modern Web Browsers don't make requests for HTTP SPNs with the port included.
You can change it via the Windows registry or browser settings, but using a custom DNS Alias instead of a custom port is just a much better solution overall.

e.g. for Chrome, see the Kerberos SPN generation section within the Chromium dev documentation - HTTP Authentication.
