Untrusted Domain BI setup

  • Question

  • I am setting up a SharePoint 2013 environment where half my users are on a separate domain that does not have a trust relationship with the domain the servers are on. This site is for data presentation via Reporting Services, Excel Services, PerformancePoint etc. I need help designing the security architecture. On a basic level, deciding between NTLM and Kerberos. So the users from the untrusted domain are going to be falling back to NTLM anyway as I understand it, so it seems like I might as well just go with the simpler protocol. But there are places where I've seen that say Excel Services, PerformancePoint etc. require C2WTS to translate claims to Windows credentials, and C2WTS requires Kerberos. I'm unsure if this means you need Kerberos everywhere or just directly related to the services, or even if this statement is accurate. It's fine if our services authenticate to the data providers (all on the trusted domain) with a separate ID from the users. That's what we do now.

    I have set up a SharePoint 2010 setup using Kerberos. It was difficult. Working with my domain folks to get the SPNs and delegation set up is painful, and we have had continual problems with PowerPivot authentication. So I have some motivation to try something different on our new platform if it makes sense. I was hoping claims-based authentication would fix some of it, but it looks like it doesn't impact the BI stuff much.

    Any advice anyone has on how to set this up will be greatly appreciated.

    One other bonus topic. I do have a SAML authenticator available that works across both domains. Could I use this to authenticate users, which as I understand it won't support Kerberos, and still have all my BI tools work? Right now the users on the untrusted domain have to log in when they come into SharePoint. This would solve that, I think, and also solve authentication for some items we pass the users through to that are already authenticated via this other provider. Am I totally off track here?

    Somehow, the security in SharePoint doesn't click with me, and I'm hoping there is someone out there with a deeper understanding who can guide me a bit.

    Wednesday, September 2, 2015 4:56 PM

Answers

  • NTLM cannot perform a double-hop, so your data source will have to have a username/password integrated into it (and of course, SSRS doesn't support Secure Store, so you can't use that).

    There is a great document here that goes over BI auth for SharePoint 2013. It should help guide you through the options, but NTLM is out. Your guy apparently doesn't know about double-hop scenarios and why NTLM doesn't work with it (hence why you needed Kerberos configured), so I'd take his opinion with a grain of salt :)


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Proposed as answer by Dean_Wang Monday, September 21, 2015 9:52 AM
    • Marked as answer by Dean_Wang Wednesday, September 23, 2015 9:24 AM
    Wednesday, September 2, 2015 5:42 PM
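The answer above says NTLM stops at the first hop and that the BI services therefore need Kerberos delegation (and, for C2WTS, a delegation that can work from claims rather than from a user's forwarded ticket). The following PowerShell is an added example, not code from the thread or from Microsoft: it audits the pieces of that configuration on the server domain that most often go wrong in practice, namely the front-end SPNs (including duplicates elsewhere in the forest, which silently force an NTLM fallback), the constrained-delegation target list, and whether protocol transition is enabled for the C2WTS account. The account names (svc-sp-app, svc-c2wts), host names (bi.corp.example, sqlbi01, ssasbi01) and SPN strings are assumptions for illustration; substitute your own. It requires the ActiveDirectory RSAT module and an account that can read the relevant AD objects.

```powershell
# Added example (not from the original thread). Audits the Kerberos constrained
# delegation settings a SharePoint BI farm needs once NTLM's single hop is not enough.
# Assumed names: svc-sp-app = SharePoint web application pool account,
#                svc-c2wts  = Claims to Windows Token Service account,
#                sqlbi01 / ssasbi01 = SQL Server and Analysis Services hosts.
# Run from a machine joined to the server (trusted) domain with RSAT installed.

Import-Module ActiveDirectory

function Test-KcdAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string[]] $RequiredSpns = @(),        # SPNs that must be registered on this account
        [string[]] $RequiredTargets = @(),     # back-end SPNs this account must be allowed to delegate to
        [switch]   $RequireProtocolTransition  # C2WTS needs "Use any authentication protocol"
    )

    $acct = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalName,
        'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    $result = [ordered]@{ Account = $SamAccountName; Problems = @() }

    # 1. Each front-end SPN must be on this account and on no other object in the
    #    forest; a duplicate SPN makes the KDC refuse the ticket and clients fall back to NTLM.
    foreach ($spn in $RequiredSpns) {
        if ($acct.ServicePrincipalName -notcontains $spn) {
            $result.Problems += "Missing SPN $spn"
        }
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -gt 1) {
            $result.Problems += "Duplicate SPN $spn on: $($owners.Name -join ', ')"
        }
    }

    # 2. Unconstrained delegation would let the account impersonate users to any
    #    service; insist on an explicit, constrained target list instead.
    if ($acct.TrustedForDelegation) {
        $result.Problems += 'Unconstrained delegation is enabled; use constrained delegation'
    }
    foreach ($target in $RequiredTargets) {
        if ($acct.'msDS-AllowedToDelegateTo' -notcontains $target) {
            $result.Problems += "Not allowed to delegate to $target"
        }
    }

    # 3. Protocol transition (S4U2Self) is what lets C2WTS obtain a Kerberos ticket for a
    #    user who arrived with claims rather than with a forwardable Kerberos ticket.
    if ($RequireProtocolTransition -and -not $acct.TrustedToAuthForDelegation) {
        $result.Problems += 'Protocol transition (TrustedToAuthForDelegation) is not enabled'
    }

    $result.Ok = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

# Assumed back-end SPNs (SQL Server default instance on 1433, SSAS default instance).
$backEnds = @('MSSQLSvc/sqlbi01.corp.example:1433', 'MSOLAPSvc.3/ssasbi01.corp.example')

Test-KcdAccount -SamAccountName 'svc-sp-app' -RequiredSpns @('HTTP/bi.corp.example') -RequiredTargets $backEnds
Test-KcdAccount -SamAccountName 'svc-c2wts' -RequiredTargets $backEnds -RequireProtocolTransition

# On a client in the trusted domain, confirm the browser session actually obtained a
# Kerberos service ticket for the site instead of falling back to NTLM:
#   klist get HTTP/bi.corp.example
```

A clean result for both accounts is necessary but not sufficient: the delegation path only exists for users who hold an account in a domain the server domain trusts, so users from the untrusted domain still end up on whichever unattended identity the data source is configured with, as the thread notes.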

All replies

  • You'll encounter nothing but headaches with NTLM as NTLM is unable to perform a double-hop (that is, user authenticates to SharePoint, then needs to authenticate to the data source).

    Instead, you'll have to use the Secure Store Service, but that is incompatible with SSRS, as an example. While you're mentioning SharePoint 2010 as your current environment, do keep in mind that SAML doesn't work with C2WTS, and PowerPivot/PowerView doesn't function with SAML in SharePoint 2010 (it does in SharePoint 2013).


    Trevor Seward

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, September 2, 2015 5:17 PM
  • Thanks for the quick response.

    My new environment is SharePoint 2013, so I only have to worry about what works there. So perhaps SAML is a possibility? I had not looked at it before because of the issue you point out with PowerPivot, but I just found out that might not be an issue with 2013. We do a lot of SSRS. Basically, for most of our stuff we use a separate ID from the users for access to data sources. Lots of unattended service accounts. I'd rather have the user IDs going through, but with the untrusted domain I've never gotten that working across the board. I'm thinking Kerberos or a SAML/Kerberos mix. I've got one guy on my team that is really pushing the NTLM. His view is that we won't have any issue because we are authenticating with separate IDs to the data sources anyway, and I'm thinking the double-hop issue is going to come up and get us anyway.

    Wednesday, September 2, 2015 5:38 PM
  • Hi dh,

    Is there any update?

    Best Regards,

    Dean Wang


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, September 10, 2015 7:45 AM