RE: Constrained Delegation with MIT Kerberos


Jeffries, Joseph L
Christopher, Simo and others,

Thank you for your responses!  Here is our environment:



Windows Active Directory (ldap, single domain)  All of our users that need to access reports are in this directory.

Oracle 12 C database server on Linux - We have row level security implemented, so we need to know the user that is running the report to make sure they can only see data they have access to.



We have two application servers that basically just display reports with Oracle data:

1) SQL Server Reporting Service (does not require constrained delegation, so we use Full Delegation) This server connects just fine using MIT Kerberos as client to our backend Oracle database.

--This server is the issue as it requires “constrained delegation”.

2) Microsoft Power BI Server On-Prem (this software requires constrained delegation)



Below is a screenshot of where in Active Directory you assign a server to use constrained delegation for another server\service.  I do not know what the “service type” should be, and do I need to create an SPN (Service Principal Name) for “MIT Kerberos”?  If so, what are the parameters?



[Attached screenshot: image001.png]





Let me know if there is any other information that would help.



Thanks,

Joseph







-----Original Message-----
From: Simo Sorce <[hidden email]>
Sent: Friday, April 5, 2019 10:42 AM
To: Jeffries, Joseph L <[hidden email]>; Christopher D. Clausen <[hidden email]>; [hidden email]
Subject: Re: Constraint Delegation with MIT Kerberos



Constrained delegation in MIT Kerberos requires database configuration support.

This is not available in plain DB2, only available if you use a backend like LDAP.

FreeIPA (or Red Hat Identity Management) supports constrained delegation, for example.



HTH,

Simo.



On Fri, 2019-04-05 at 14:38 +0000, Jeffries, Joseph L wrote:

> Thanks Christopher.  I have followed this and can get it to work, but when I add MIT Kerberos into the mix it does not work.  According to Microsoft 3 Tier Kerberos support there needs to be a service or spn configured for MIT Kerberos to do Constraint Delegation.  So I am looking for documentation or cook book on how to configure MIT Kerberos to do Constraint Delegation.

>

> Thanks,

> Joseph

>

> -----Original Message-----

> From: Christopher D. Clausen <[hidden email]>

> Sent: Friday, April 5, 2019 9:21 AM

> To: Jeffries, Joseph L <[hidden email]>; [hidden email]

> Subject: Re: Constraint Delegation with MIT Kerberos

>

> For Active Directory:

> https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

>

>

> <<CDC

>

> On 4/5/2019 8:35 AM, Jeffries, Joseph L wrote:

> > I did not get a response from anybody.  Does anybody have instructions for setting up Constraint Delegation on any platform?

> >

> > Thanks,

> > Joseph

> >

> > -----Original Message-----

> > From: [hidden email] <[hidden email]> On Behalf Of Jeffries, Joseph L

> > Sent: Wednesday, April 3, 2019 8:47 AM

> > To: [hidden email]

> > Subject: Constraint Delegation with MIT Kerberos

> >

> > Hello All,

> > I am new to Kerberos and I am trying to setup Constraint Delegation with MIT Kerberos.  I do have Full\Open Delegation working, but one of the servers (Microsoft Power BI Server OnPrem) requires Constraint Delegation.  I have not found instructions for setting Constraint Delegation up in a Windows server environment.  Could someone share the instructions, if they exists or provide me the steps to make this work?

> >

> > Thank you in advance!

> >

> > Joseph

>




--

Simo Sorce

Sr. Principal Software Engineer

Red Hat, Inc





________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos