I recently had the need to configure Kerberos constrained delegation for SQL Server Reporting Services 2012 (SSRS) that was running in SharePoint Integrated Mode in a SharePoint 2010 farm. SSRS reports needed to leverage the “XML” data source and consume the SharePoint web services (such as “listdata.svc”). The documentation for configuring this scenario is scattered (most Kerberos examples show delegation to a backend database server or SSAS), so hopefully this post will save some time and effort tracking down the pieces.
- SSRS and the Claims to Windows Token Service (C2WTS) each run under a domain account (separate accounts, if following the principle of least privilege)
- The SharePoint address used as the “XML” data source by the SSRS report resolves to a WFE server in the farm
- SSRS is configured to run on an application server in the SharePoint farm
- Create “dummy” service principal names (SPNs) for the SSRS service account and the C2WTS service account (this enables the “Delegation” tab on those accounts). NOTE: Duplicate SPNs are not allowed, so each “dummy” SPN must be unique.
  - SetSPN -S SP/<unique SPN> <domain>\<SSRS account> (Example: SetSPN -S SP/SSRS.dummy mydomain\svc_ssrs)
  - SetSPN -S SP/<unique SPN> <domain>\<C2WTS account> (Example: SetSPN -S SP/Claims.dummy mydomain\svc_spclaims)
- Act as part of the operating system
- Log on as a service
- Impersonate a client after authentication
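
The “dummy” SPN step above can be scripted so that it checks for duplicates first and then confirms the result from the directory. This is an added example, not part of the original post. It reuses the account and SPN names from the post's examples and assumes the ActiveDirectory PowerShell module (RSAT) plus rights to write servicePrincipalName on both accounts.

```powershell
# Added example: register the "dummy" SPNs idempotently and verify the result.
# Assumption: ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

# Account and SPN names are the ones used in the post's examples.
$domain  = 'mydomain'
$targets = @(
    @{ Account = 'svc_ssrs';     Spn = 'SP/SSRS.dummy'   },
    @{ Account = 'svc_spclaims'; Spn = 'SP/Claims.dummy' }
)

function Get-SpnOwner {
    param([string]$Spn)
    # Every object in the current domain that already carries this SPN.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
}

foreach ($t in $targets) {
    $owners  = @(Get-SpnOwner -Spn $t.Spn)
    $foreign = @($owners | Where-Object { $_.sAMAccountName -ne $t.Account })

    if ($foreign.Count -gt 0) {
        # Duplicate SPNs are not allowed: stop rather than register a second copy.
        Write-Warning "$($t.Spn) is already held by $($foreign.sAMAccountName -join ', '); pick another name."
        continue
    }
    if ($owners.Count -eq 0) {
        # -S makes setspn check for duplicates itself before adding.
        & setspn.exe -S $t.Spn "$domain\$($t.Account)" | Out-Null
    }

    # Verify from the directory instead of trusting command output.
    $user = Get-ADUser -Identity $t.Account -Properties ServicePrincipalName,
                TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Account             = $user.SamAccountName
        SpnRegistered       = $user.ServicePrincipalName -contains $t.Spn
        Unconstrained       = $user.TrustedForDelegation       # should stay False
        ProtocolTransition  = $user.TrustedToAuthForDelegation
        AllowedToDelegateTo = @($user.'msDS-AllowedToDelegateTo') -join '; '
    }
}
```

For constrained delegation the `Unconstrained` column should remain `False` on both accounts; `AllowedToDelegateTo` stays empty until services are added on the “Delegation” tab.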