
Kerberos configuration - SPN, Delegations for services

Question asked by golbar on Feb 7, 2019
Latest reply on Feb 8, 2019 by lmlcoch

Hello everyone,

I’m currently working on Kerberos authentication in my workplace domain test environment and have run into some problems with the configuration. I hope some of you who are more experienced in this topic could help me with it, because I’m not sure I understand everything correctly.


  • Domain architecture:
  1. PI Server machine (later called PI-srv);
  2. PI AF Server + PI Web API + PI Vision machine (later called AF-srv);
  3. SQL Server machine (later called SQL-srv);


  • I’ve made the following service domain accounts with user privileges and used them to run the corresponding services:
    1. AF Services;
    2. AF Analysis Services;
    3. PI Vision;
    4. PI Web API;
    5. PI Web API Crawler;
    6. SQL Service;


My questions mainly concern configuring my Active Directory objects for delegation, so please correct me if I’m getting something wrong:

(fragment of PI Server 2018 Installation and Upgrade Guide)

1. For AF Service Account:

  a. Should I make a delegation for PI Server Service from PI-srv?

  b. It's no use to make a delegation for AF Service from AF-srv, right?

  c. If no external data for AF (e.g. for AF Table) resides in SQL Server at the moment, there is no need to make a delegation for SQL service from SQL-srv, right?


2. For PI Web API Service Account:

  1. Should I make a delegation for PI Server Service from PI-srv as well as for AF Service from AF-srv?
  2. Should I make the same delegations for PI Web API Crawler Service account?


3. For PI Vision Service Account:

  1. Should I make a delegation for PI Server Service from PI-srv as well as for AF Service from AF-srv?

(It should be mentioned that I’ve already changed the Identity in the IIS Application Pools to that custom PI Vision service account; I also disabled Anonymous Authorization and enabled Windows Auth.)


4. For Analysis Service Account:

  1. Should I make a delegation for PI Server Service from PI-srv as well as for AF Service from AF-srv, or is it enough to configure the aforementioned AF Service from point 1?


5. Should I add any other delegation to the mentioned service accounts? (I’ve read this article: Kerberos and Delegation (Only does 1 jump in PiVision), and Matthew also added the HTTP service there.)


6. Extra question about the ADSI Edit tool:

  1. Is this point about the following entries? Because in that case I had blank entries, but the “setspn -l domain\account_name” command returned nothing before the ADSI Edit configuration.


I realise that this is a pretty big, complex question, but I would be very grateful if someone could help with it.


Thanks in advance and have a nice day!


-Bartosz
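As an added check that is not part of the original post (and not OSIsoft's guidance), here is a PowerShell audit that lists, for each service account mentioned above, its registered SPNs (the same data `setspn -l` shows) and its delegation settings from the AD attributes behind the Delegation tab, flagging accounts with no SPN and accounts set to unconstrained delegation. The account names are assumed placeholders, and the script needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
# Replace the placeholder sAMAccountNames with the real service accounts.
Import-Module ActiveDirectory

$serviceAccounts = @(
    'svc-af', 'svc-afanalysis', 'svc-pivision',
    'svc-piwebapi', 'svc-picrawler', 'svc-sql'
)

foreach ($name in $serviceAccounts) {
    try {
        $u = Get-ADUser -Identity $name -Properties servicePrincipalName,
            'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    } catch {
        Write-Warning "Account '$name' not found: $($_.Exception.Message)"
        continue
    }

    Write-Host "`n== $($u.SamAccountName) =="

    # SPNs: without at least one SPN the account can never get a Kerberos service
    # ticket, which matches an empty 'setspn -l' result and a blank Delegation tab.
    if ($u.servicePrincipalName.Count -eq 0) {
        Write-Host "  SPNs: NONE (register SPNs before delegation can be configured)"
    } else {
        $u.servicePrincipalName | ForEach-Object { Write-Host "  SPN: $_" }
    }

    # TrustedForDelegation = "Trust this user for delegation to any service" (unconstrained).
    # This lets the account reuse any caller's TGT, so it is the setting to avoid.
    if ($u.TrustedForDelegation) {
        Write-Host "  Delegation: UNCONSTRAINED (risk: consider constrained delegation instead)"
    }

    # msDS-AllowedToDelegateTo holds the constrained-delegation target SPNs
    # (e.g. the PI Server and AF Server services the post asks about).
    $targets = $u.'msDS-AllowedToDelegateTo'
    if ($targets) {
        Write-Host "  Constrained delegation targets:"
        $targets | ForEach-Object { Write-Host "    $_" }
    } elseif (-not $u.TrustedForDelegation) {
        Write-Host "  Delegation: not configured"
    }

    # TrustedToAuthForDelegation = "Use any authentication protocol" (protocol transition).
    # Needed only when the front end cannot receive a Kerberos ticket from the client.
    if ($u.TrustedToAuthForDelegation) {
        Write-Host "  Protocol transition: enabled (any authentication protocol)"
    }
}
```

Run it from a domain-joined admin workstation before and after the ADSI Edit changes to confirm the SPNs and delegation targets actually landed on the intended accounts.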
