Identity delegation for Visio Services (SharePoint Server 2010)
Applies to: SharePoint Server 2010
Summary: In this scenario, you add a Visio Services service application to the SharePoint Server environment and configure Kerberos constrained delegation to allow the service to refresh data from an external SQL Server data source in a Visio Web drawing.
Note
If you are installing on Windows Server 2008, you may have to install the following hotfix for Kerberos authentication:
A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used (https://support.microsoft.com/kb/969083)
Scenario dependencies
To complete this scenario you will need to have completed:
Scenario 1: Core Configuration
Scenario 2: Kerberos authentication for SQL OLTP
Configuration checklist
Area of Configuration | Description |
---|---|
Active Directory Configuration |
Create Visio Services service account Configure SPN on Visio Services service account Configure Kerberos constrained delegation for servers running Visio Services Configure Kerberos constrained delegation for the Visio Services service account |
SharePoint Server configuration |
Start Claims to Windows Token Service on Visio Services Servers Grant the Visio Services service account permissions on the web application content database Start the Visio Services service instance on the Visio Services server Create the Visio Services service application and proxy |
Verify Visio Services Constrained Delegation |
Configure the Visio services cache settings Create document library to host test Visio Diagram Create a test Visio web drawing with SQL Server data connected shapes Publish the Visio drawing to SharePoint Server and refresh data connection |
Scenario environment details
Kerberos constrained delegation paths
In this scenario, we will configure the SharePoint Server Visio Services application servers and service accounts for Kerberos constrained delegation to the SQL Server service.
SharePoint Server logical authentication
Authentication in this scenario begins with the client authenticating with Kerberos authentication at the web front end. SharePoint Server 2010 will convert the Windows authentication token into a claims token using the local Security Token Service (STS). The Visio service application will accept the claims token and convert it into a Windows token (Kerberos) using the local Claims to Windows Token Service (C2WTS) that is a part of Windows Identity Foundation (WIF). The Visio service application will then use the client’s Kerberos ticket to authenticate with the backend data source.
Step-by-step configuration instructions
Active Directory configuration
Create Visio Services service account
As a best practice, Visio Services should run under its own domain identity. To configure the Excel Service Application, an Active Directory account must be created. In this example, the following accounts were created:
SharePoint Server service | IIS App Pool Identity |
---|---|
Visio Services |
vmlab\svcVisio |
Create Visio Services service account
Configure SPN on Visio Services service account
Kerberos constrained delegation must be configured if Visio Services is going to delegate the client’s Windows identity to back end data source. In this example Visio services will query data from a SQL Server transactional database as the client therefor Kerberos delegation is required.
The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name applied; otherwise the delegation tab for the object will not be visible in the object’s properties dialog. Although Visio Services does not require a SPN to function, we will configure one for this purpose.
On the command line, run the following command:
SETSPN -S SP/VisioServices svc\VisioServices
Note
The SPN is not a valid SPN. It is applied to the specified service account to reveal the delegation options in the AD users and computers add-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute) but this topic will not be covered in this document.
Configure Kerberos constrained delegation for Visio Services
To allow Visio Services to delegate the client’s identity Kerberos constrained delegation must be configured. It is required to configure constrained delegation with protocol transition for the conversion of claims token to windows token via the WIF C2WTS.
Each server running Visio services must be trusted to delegate credentials to each back-end service Visio will authenticate with. In additional, the Visio services service account must also be configured to allow delegation to the same back-end services.
In our example the following delegation paths are defined:
Principal Type | Principal Name | Delegates To Service |
---|---|---|
User |
Vmlab\svcVisio |
MSSQLSVC/MySqlCluster.vmlab.local:1433 |
*User |
Vmlab\svcC2WTS |
MSSQLSVC/MySqlCluster.vmlab.local:1433 |
**Computer |
Vmlab\vmsp10app01 |
MSSQLSVC/MySqlCluster.vmlab.local:1433 |
* Configured later in this scenario
** Optional. Constrained delegation on the computer account is only required when running the C2WTS as Local System
To configure constrained delegation
Open the Active Directory Object’s properties in Active Directory Users and Computers.
Navigate to the Delegation tab.
Select Trust this user for delegation to specified services only.
Select Use any authentication protocol. This enables protocol transition and is required for the Visio service account to use the C2WTS.
Click the add button to select the service principal allowed to delegate to.
Select User and Computers.
Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service.
Note
the service account selected must have a SPN applied to it. In our example the SPN for this account was configured in a previous scenario.
Click OK. You will then be asked to select the SPNs you would like to delegate to.
Select the services for the SQL Server cluster and click OK.
You should now see the selected SPNS in the services to which this account can presented delegated credentials list.
Repeat these steps for each delegation path (Computer and User) defined in the beginning of this section.
Verify MSSQLSVC SPN for the Service Account running the service on the SQL Server (performed in Scenario 2)
Verify the SPN for Analysis Services service account (vmlab\svcSQL) exists with the following SetSPN command:
SetSPN -L vmlab\svcSQL
You should see the following:
MSSQLSVC/MySqlCluster MSSQLSVC/MySqlCluster.vmlab.local:1433
SharePoint Server configuration
Configure and Start the Claims to Windows Token Service on Visio Graphics Servers
The Claims to Windows Token Service (C2WTS) is a component of the Windows Identity Foundation (WIF) which is responsible for converting user claim tokens to windows tokens. The Visio graphics service uses the C2WTS to convert the user’s claims token into a windows token when the services needs to delegate credentials to a back-end system which uses Windows authentication. WIF is deployed with SharePoint Server 2010 and the C2WTS can be started from Central Administration.
Each Visio Graphics Service application server must run the C2WTS locally. The C2WTS does not open any ports and cannot be accessed by a remote caller. Further, the C2WTS service configuration file must be configured to specifically trust the local calling client identity.
As a best practice you should run the C2WTS using a dedicated service account and not as Local System (the default configuration). The C2WTS service account requires special local permissions on each server the service runs on so be sure to configure these permissions each time the service is started on a server. Optimally you should configure the service account’s permissions on the local server before starting the C2WTS, but if done after the fact you can restart the C2WTS from the Windows services management console (services.msc).
To start the C2WTS
Create a service account in Active Directory to run the service under. In this example we created vmlab\svcC2WTS.
Add an arbitrary Service Principal Name (SPN) to the service account to expose the delegation options for this account in Active Directory Users and Computers. The SPN can be any format because we do not authenticate to the C2WTS using Kerberos authentication. It is recommended to not use an HTTP SPN to avoid potentially creating duplicate SPNs in your environment. In our example we registered SP/C2WTS to the vmlab\svcC2WTS using the following command:
SetSPN -S SP/C2WTS vmlab\svcC2WTS
Configure Kerberos constrained delegation on the C2WTS services account. In this scenario we will delegate credentials to the SQL Server service running with the MSSQLSVC/MySqlCluster.vmlab.local:1433 service principal name.
Configure the required local server permissions that the C2WTS requires. You will need to configure these permissions on each server the C2WTS runs on. In our example, this is VMSP10APP01. Log on to the server and give the C2WTS the following permissions:
Add the service account to the local Administrators Groups.
In local security policy (secpol.msc) under user rights assignment give the service account the following permissions:
Act as part of the operating system
Impersonate a client after authentication
Log on as a service
Open Central Administration.
In Security, in the Configure Managed Service Accounts section, register the C2WTS service account as a managed account.
Under services, select Manage services on server.
In the server selection box in the upper right corner, select the server(s) that is or are running the Visio Graphics Service. In this example it is VMSP10APP01.
Find the Claims to Windows Token Service and start it.
Go to Manage Service Accounts in the Security section. Change the identity of the C2WTS to the new managed account.
Note
If the C2WTS was already running before configuring the dedicated service account, or if you need to changes the permissions of the service account after the C2WTS is running you must restart the C2WTS from the services console.
In addition, if you experience issues with the C2WTS after restarting the service it may also be necessary to reset the IIS application pools that communicate with the C2WTS.
Add Startup dependencies the WIF C2WTS service
There is a known issue with the C2WTS where it may not automatically start up successfully on system reboot. A workaround to the issue is to configure a service dependency on the Cryptographic Services service:
Open a Command Prompt window.
Type: sc config "c2wts" depend= CryptSvc
Find the Claims to Windows Token Service in the services console.
Open the properties for the service.
Check the Dependencies tab. Make sure Cryptographic Services is listed:
Click OK.
Grant the Visio Services service account permissions on the web application content database
A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application’s service account access to the content databases for a given web application. In this example, we will grant the Visio Graphics Service account access to the portal web application’s content database by using Windows PowerShell.
Run the following command from the SharePoint 2010 Management Shell:
$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcVisio")
Start the Visio Graphics Service instance on the Visio server
Before creating a Visio Services service application, start the Visio services server service on the designated Farm servers.
Open Central Administration.
Under services, select Manage services on server.
In the server selection box in the upper right hand corner select the server(s) running Visio Services. In this example it is VMSP10APP01.
Start the Visio Graphics Service.
Create the Visio Graphics Service application and proxy
Next, configure a new Visio Services service application and application proxy to allow Web applications to consume Visio Services (if one does not already exist):
Open Central Administration.
Select Manage Service Applications under Application Management.
Select New, and then select Visio Graphics Service.
Configure the new service application. Be sure to select the correct service account (create a new managed account if the Visio service account is not in the list).
Verify Visio Graphic Service Constrained Delegation
Configure the Visio services cache settings
By default, the Visio Graphics service will cache the web drawings it renders for web clients for a number of minutes based on the service’s cache settings. To test delegation we will configure the service to not cache drawings to easily check data refresh in a Visio web drawing.
Note
Disabling the rendering cache is not recommended for production environments. Remember to re-enable the cache once you have completed testing delegation in Visio
Open Central Administration.
Select Manage Service Applications under Application Management.
Select the Visio Graphics Service application created in the previous step.
Select Global Settings.
In the Minimum Cache Age setting, set the cache to 0 (no cache).
Note
Setting the minimum cache age to 0 is for testing purposes only and should not be used in a production environment.
Create document library to host a test Visio Web Drawing
Navigate to the portal application (http://portal). Create a new document library to host a test Visio workbook.
Create a test Visio web drawing with SQL Server data-connected shapes
Start Visio 2010.
Create a new Basic Diagram in the General section under Home.
On the Data Ribbon Tab, select Link Data to Shapes.
In the data selector dialog box, select Microsoft SQL Server database.
Specify the SQL Server cluster created in Scenario 2 and select Windows Authentication.
Select the Test database and the Sales Table.
Specify a friendly name for the connection and save the connection to the document library created in the previous step.
In the Data Selector dialog, select the newly created connection and press Finish.
You should now see the external data window at the bottom of the drawing window with the sample data that was created earlier.
Drag the first data row onto the drawing surface. This will create a new shape that is linked to the data row. Note that the test drawing is meant to test delegation and is not meant to demonstrate how to create a fully functioning, production ready web drawing.
Publish the Visio drawing to SharePoint Server and refresh the data connection
Publish the drawing to the test SharePoint document library. On the File tab click Save and Send, Save to SharePoint, Browse for a location, and then Web Drawing.
Browse to the test document library, specify a name for the test drawing, and then click Save.
The drawing opens in the browser.
In the refresh disabled notification, select Enable (always).
The data connection should automatically refresh and no errors should occur.
Open SQL Server Management Studio and modify the data row displayed in the web drawing.
Refresh the data connection by pressing the Refresh button at the top of the drawing window. If delegation is configured correctly you should see your data refresh.