Chapter 38. Successfully implementing Kerberos delegation

 

Scott Stauffer

Kerberos delegation is a method of securely transferring a user’s credentials from the client’s PC to the middle application tier, such as a web server, and then on to a back-end database tier. In this chapter, I’ll explain some of the issues, talk about the prerequisites, and discuss the steps of implementing Kerberos delegation in your environment.

I first became interested in digging deeper into Kerberos delegation when I asked a group of approximately 50 database professionals the following question at a local PASS chapter meeting: “How many people have attempted to set up Kerberos delegation?” I was shocked to see so few hands, and then shocked again after hearing that not one of them was successful.

I’ve implemented Kerberos with a client for a scaled-out SharePoint and Reporting Services environment and ran into little difficulty doing so. It did take time to troubleshoot, but in the end there was victory. So why was I so successful? I think it was partially due to a fantastic relationship with the system administrator, who was patient, curious, and not operating a systems environment in fire-fighting mode. I also had an old colleague who’d traveled the Kerberos delegation path before and forwarded us some notes and resources. I’m indebted to Goran and Richard for their help in the past, in turn making this chapter possible.

Understanding the issues that Kerberos delegation resolves

Understanding Kerberos delegation

Implementing Kerberos delegation step by step

Validating delegation from end to end

Resources to assist in more complex infrastructures

Summary

About the author
