4.7 Configuring Kerberos Delegation for a Distributed Control Center Environment

NetIQ Corporation recommends distributing Control Center components across computers to improve performance. If you plan to use Windows authentication to authenticate users between Control Center and the QDBs it manages in a distributed Control Center environment, configure Kerberos constrained delegation to ensure successful communication between Control Center components and QDBs. If Kerberos constrained delegation is not properly configured, connections between Control Center components and QDBs will fail with the following error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

To avoid this error, complete the following tasks:

  • Prepare each QDB computer and the CCDB computer to authenticate using Kerberos.

  • Configure the SQL Server service for each QDB computer and the CCDB computer to be trusted for delegation.

  • Configure the CCDB computer to impersonate the SQL Server service for each QDB computer that connects to Control Center.

To prepare the QDB and CCDB computers to authenticate using Kerberos:

  1. Set TCP/IP and Named Pipes as the preferred client protocols on the SQL Server and ensure that TCP/IP is listed first.

  2. Determine the TCP dynamic port number the SQL Server service uses and verify that it is not blocked by a firewall.

  3. Ensure that the SQL Server service is running under a domain account.

  4. (Conditional) If you are running Microsoft Windows Server 2008, 2008 R2, or 2012, run the following commands to create the required service principal names:

    setspn -A MSSQLSvc/{fully-qualified_domain_name_of_the_QDB_or_CCDB_computer}:{SQL_Server_name\instance} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{fully-qualified_domain_name_of_the_QDB_or_CCDB_computer}:{port_on_which_the_SQL_Server_service_runs} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{NETBIOS_name_of_the_QDB_or_CCDB_computer}:{SQL_Server_name\instance} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{NETBIOS_name_of_the_QDB_or_CCDB_computer}:{port_on_which_the_SQL_Server_service_runs} {domain_account_name_under_which_the_SQL_Server_service_runs}
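The four registrations from step 4, scripted as an added Windows PowerShell example that is not part of the NetIQ documentation: it builds the SPN strings from the computer's names, instance and port, and queries the forest for an existing registration before calling setspn, because a duplicate SPN on another account is a common cause of the anonymous-logon failure described above. The computer name, FQDN, instance name, port and service account are placeholder values; substitute your own.

```powershell
# Added example (not NetIQ's code). All values below are placeholders for one
# QDB or CCDB computer; replace them with the values from steps 1-3.
$Computer    = 'qdb01'                      # NetBIOS name of the QDB/CCDB computer
$Fqdn        = 'qdb01.corp.example.com'     # fully-qualified domain name
$Instance    = 'QDBINST'                    # SQL Server instance name
$Port        = 52114                        # TCP dynamic port found in step 2
$ServiceAcct = 'CORP\svc-sqlqdb'            # domain account running the SQL Server service

# The same four SPN shapes the section registers: FQDN and NetBIOS name,
# each with the instance name and with the TCP port.
$spns = @(
    "MSSQLSvc/${Fqdn}:${Instance}",
    "MSSQLSvc/${Fqdn}:${Port}",
    "MSSQLSvc/${Computer}:${Instance}",
    "MSSQLSvc/${Computer}:${Port}"
)

foreach ($spn in $spns) {
    # setspn -Q searches the forest for the SPN. If it is already registered
    # (possibly on the wrong account), Kerberos cannot pick a single service
    # identity and clients fall back to NTLM, so stop and inspect instead of
    # adding a second copy with -A.
    $existing = & setspn -Q $spn 2>&1
    if ($existing -match 'Existing SPN found') {
        Write-Warning "SPN $spn is already registered:`n$($existing -join "`n")"
        continue
    }
    & setspn -A $spn $ServiceAcct
}

# List what is now registered on the service account for a final check.
& setspn -L $ServiceAcct
```

Run it in an elevated prompt as a user with rights to write servicePrincipalName on the service account; the setspn output itself reports any failure.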

To configure the SQL Server service to be trusted for delegation:

  1. On the domain controller, in Active Directory Users and Computers, right-click the domain account under which the SQL Server service runs and select Properties.

  2. On the Delegation tab, select the following options:

    • Trust this user for delegation to specified services only

    • Use Kerberos only

  3. Click Add.

  4. Click Users and Computers.

  5. Enter the name of the domain account under which the SQL Server service runs and click OK.

  6. Select the MSSQLSvc entries associated with the QDB or CCDB computer and click OK.

  7. (Conditional) If the SQL Server service will connect to Control Center across a firewall, run the following commands to register the required service principal names:

    setspn -A MSSQLSvc/{fully-qualified_domain_name_of_the_QDB_or_CCDB_computer}:{DNS_service_port} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{NETBIOS_name_of_the_QDB_or_CCDB_computer}:{DNS_service_port} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{fully-qualified_domain_name_of_the_QDB_or_CCDB_computer}:{kerberos_ticket_granting_service_port} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{NETBIOS_name_of_the_QDB_or_CCDB_computer}:{kerberos_ticket_granting_service_port} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{fully-qualified_domain_name_of_the_QDB_or_CCDB_computer}:{time_service_port} {domain_account_name_under_which_the_SQL_Server_service_runs}

    setspn -A MSSQLSvc/{NETBIOS_name_of_the_QDB_or_CCDB_computer}:{time_service_port} {domain_account_name_under_which_the_SQL_Server_service_runs}

  8. Restart the SQL Server service on the QDB or CCDB computer.

To configure the CCDB computer to impersonate the SQL Server service for connected QDB computers:

  1. In the Local Security Policy application of Administrative Tools, select Local Policies > User Rights Assignment.

  2. Right-click Impersonate a client after authentication and select Properties.

  3. Click Add User or Group.

  4. For each QDB computer that connects to Control Center, enter the name of the domain account under which the SQL Server service runs and click OK.

To verify that components are using Kerberos delegation:

  1. On the command queue service and QDB computers, run the following command:

    osql -E -S {CCDB_SQL_Server_name\instance}
    
  2. From the osql command prompt, run the following query:

    select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid
    GO

    The query should return the values TCP and KERBEROS.

  3. On the command queue service and CCDB computers, run the following command:

    osql -E -S {QDB_SQL_Server_name\instance}
    
  4. Repeat Step 2.
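The verification in steps 1 through 4, as an added Windows PowerShell example that is not part of the NetIQ documentation: run on each component computer, it opens an integrated-security connection (the equivalent of osql -E) to every listed instance, runs the query from step 2 and flags any connection whose transport and authentication scheme are not TCP and KERBEROS. The instance names are placeholders.

```powershell
# Added example (not NetIQ's code). Placeholder instance names; list the CCDB
# and QDB instances this computer connects to.
$Servers = @('ccdb01.corp.example.com\CCINST', 'qdb01.corp.example.com\QDBINST')

# Same DMV query as step 2: how the current session was transported and authenticated.
$Query = 'select net_transport, auth_scheme from sys.dm_exec_connections where session_id = @@spid'

function Test-KerberosConnection {
    param([string]$Server)
    # Integrated Security uses the caller's Windows identity, like osql -E.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $transport = [string]$reader['net_transport']
        $scheme    = [string]$reader['auth_scheme']
        [pscustomobject]@{
            Server       = $Server
            NetTransport = $transport
            AuthScheme   = $scheme
            Ok           = ($transport -eq 'TCP' -and $scheme -eq 'KERBEROS')
            Error        = $null
        }
    } catch {
        # "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" here means the
        # connection is still falling back to NTLM; recheck the SPNs and the
        # delegation settings before looking anywhere else.
        [pscustomobject]@{
            Server = $Server; NetTransport = $null; AuthScheme = $null
            Ok = $false; Error = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

$Servers | ForEach-Object { Test-KerberosConnection -Server $_ } | Format-Table -AutoSize
```

An auth_scheme of NTLM with no error means the connection worked but not through Kerberos, so delegation across the next hop will still fail; treat that row as a failure too.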