Thursday, October 20, 2011

Kerberos Constrained Delegation (KCD), or as I like to call it, less fun than chewing glass.

In my last post I briefly mentioned some issues I was having when attempting to configure SSRS and SharePoint for SSO by means of a Forefront Threat Management Gateway. Well, after a few days of phone tag with Microsoft, and countless hours spent troubleshooting the Kerberos delegation chain, we finally found the solution.

Best practice recommends that, if you use Kerberos with SSO via TMG, you grant the TMG delegation rights only to the required backend servers/services in AD. This helps stem the fallout should the TMG be compromised and start wreaking havoc upon your network. What is not mentioned is the fact that once you configure KCD by choosing to specify which services the TMG server can delegate to, you force yourself into using constrained delegation from that point back. If you configure any of the service accounts for the backend servers (such as SSRS) with "Delegate to any service" permissions, the delegation will fail from that point back. This is why the SSRS connections to its respective SQL and SSAS data sources were failing when accessed via the TMG but succeeded when the TMG was circumvented using a hosts file.

Hopefully this little tidbit will prevent future SSO hopefuls from having to spend 3 days on the phone with Microsoft in order to make it work.
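The mismatch described above can be caught before anyone picks up the phone by walking the delegation chain account by account. The following is an added example (not from the original post and not Microsoft tooling): it classifies each hop the way the AD "Delegation" tab does, using the real attribute names (userAccountControl flag TRUSTED_FOR_DELEGATION for "any service", msDS-AllowedToDelegateTo for constrained targets), and flags an "any service" account sitting behind a constrained hop. The account records, names and SPNs are constructed for illustration.

```python
# userAccountControl bit flags as documented for Active Directory.
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this user for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)
NORMAL_ACCOUNT = 0x200


def delegation_mode(acct):
    """Classify an account: 'unconstrained', 'constrained' or 'none'."""
    if acct.get("userAccountControl", 0) & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def audit_chain(chain):
    """chain is ordered front to back, e.g. [TMG, SSRS, SQL]. Returns a list of findings."""
    findings = []
    constrained_seen = False
    for hop, nxt in zip(chain, chain[1:]):
        mode = delegation_mode(hop)
        if mode == "none":
            findings.append(f"{hop['name']}: no delegation configured, cannot reach {nxt['name']}")
        elif mode == "unconstrained":
            # Unconstrained delegation forwards the caller's TGT; a constrained hop
            # upstream only delivers a service ticket, so there is no TGT to forward.
            if constrained_seen:
                findings.append(f"{hop['name']}: 'any service' behind a constrained hop, "
                                f"so the hop to {nxt['name']} fails")
        else:
            constrained_seen = True
            allowed = set(hop["msDS-AllowedToDelegateTo"])
            if not allowed & set(nxt["servicePrincipalName"]):
                findings.append(f"{hop['name']}: none of {nxt['name']}'s SPNs are listed in msDS-AllowedToDelegateTo")
    return findings


# Constructed sample accounts (hostnames and account names are placeholders).
TMG = {"name": "svc-tmg", "servicePrincipalName": ["HTTP/portal.example.test"],
       "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
       "msDS-AllowedToDelegateTo": ["HTTP/ssrs.example.test"]}
SQL = {"name": "svc-sql", "servicePrincipalName": ["MSSQLSvc/sql.example.test:1433"],
       "userAccountControl": NORMAL_ACCOUNT}


def broken_chain():
    """SSRS set to 'Delegate to any service' behind the constrained TMG."""
    ssrs = {"name": "svc-ssrs", "servicePrincipalName": ["HTTP/ssrs.example.test"],
            "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION}
    return [TMG, ssrs, SQL]


def fixed_chain():
    """SSRS constrained to the SQL SPN, matching the TMG's constrained first hop."""
    ssrs = {"name": "svc-ssrs", "servicePrincipalName": ["HTTP/ssrs.example.test"],
            "userAccountControl": NORMAL_ACCOUNT,
            "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql.example.test:1433"]}
    return [TMG, ssrs, SQL]
```

In a live domain the same records come from Get-ADUser or Get-ADComputer with -Properties userAccountControl, servicePrincipalName, msDS-AllowedToDelegateTo; the SSAS hop is audited the same way with its MSOLAPSvc.3 SPN.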