How to configure Visio Graphics Services in SharePoint Server 2010 for Kerberos authentication

Article ID: 2723977

SUMMARY

This article describes how to configure Visio Graphics Services in Microsoft SharePoint Server 2010 for Kerberos authentication.

MORE INFORMATION

Create Visio Services service account

As a best practice, Visio Services should run under its own domain identity. To configure the Visio Graphics Service application, an Active Directory account must be created. In this example, the following account was created:
SharePoint Server service    IIS App Pool Identity
Visio Services               vmlab\svcVisio


Configure SPN on Visio Services service account

Kerberos constrained delegation must be configured if Visio Services is going to delegate the client's Windows identity to a back-end data source. In this example, Visio Services will query data from a SQL Server transactional database as the client; therefore Kerberos delegation is required.

The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name (SPN) applied; otherwise the Delegation tab will not be visible in the object's properties dialog. Although Visio Services does not require an SPN to function, we will configure one for this purpose.

On the command line, run the following command:

SETSPN -S SP/VisioServices vmlab\svcVisio
Note: The SPN is not a valid SPN. It is applied to the specified service account to reveal the delegation options in the Active Directory Users and Computers snap-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute), but this topic will not be covered in this document.


Configure Kerberos constrained delegation for Visio Services

To allow Visio Services to delegate the client's identity, Kerberos constrained delegation must be configured. Constrained delegation must be configured with protocol transition, because the WIF Claims to Windows Token Service (C2WTS) converts the claims token to a Windows token.

Each server running Visio Services must be trusted to delegate credentials to each back-end service Visio will authenticate with. In addition, the Visio Services service account must also be configured to allow delegation to the same back-end services.

In our example the following delegation paths are defined:
Principal Type   Principal Name        Delegates To Service
User             Vmlab\svcVisio        MSSQLSVC/MySqlCluster.vmlab.local:1433
User *           Vmlab\svcC2WTS        MSSQLSVC/MySqlCluster.vmlab.local:1433
Computer **      Vmlab\vmsp10app01     MSSQLSVC/MySqlCluster.vmlab.local:1433

* Configured in How to configure Claim to Windows Token Services in SharePoint 2010 with Kerberos Authentication

** Optional. Constrained delegation on the computer account is only required when running the C2WTS as Local System.

To configure constrained delegation

1. Open the Active Directory object's properties in Active Directory Users and Computers.

2. Navigate to the Delegation tab.


3. Select Trust this user for delegation to specified services only.

4. Select Use any authentication protocol. This enables protocol transition and is required for the Visio service account to use the C2WTS.

5. Click the Add button to select the service principal this account is allowed to delegate to.


6. Select Users or Computers.


7. Select the service account running the service you wish to delegate to. In this example it is the service account for the SQL Server service.

Note: The service account selected must have an SPN applied to it. In our example the SPN for this account was configured in a previous scenario.

8. Click OK. You will then be asked to select the SPNs you would like to delegate to.


9. Select the services for the SQL Server cluster and click OK.

10. You should now see the selected SPNs in the "Services to which this account can present delegated credentials" list.


11. Repeat these steps for each delegation path (Computer and User) defined at the beginning of this section.
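The following script is an added verification example, not part of this article: it reads the three principals from the delegation table above and confirms that each one has an SPN, uses constrained (not unconstrained) delegation, has protocol transition enabled, and delegates only to the SQL Server SPN. It assumes the ActiveDirectory module (RSAT) is installed and that the account and computer names are the ones used in this example.

```powershell
# Added audit script (not from the KB article). Assumes the ActiveDirectory
# module and the example names: svcVisio, svcC2WTS, VMSP10APP01, and the
# SQL SPN MSSQLSVC/MySqlCluster.vmlab.local:1433 from the delegation table.
Import-Module ActiveDirectory

$sqlSpn = 'MSSQLSVC/MySqlCluster.vmlab.local:1433'
# Expected delegation paths, copied from the table in this section.
# The computer row only matters when the C2WTS runs as Local System.
$expected = @(
    @{ Name = 'svcVisio';    Type = 'User';     Targets = @($sqlSpn) },
    @{ Name = 'svcC2WTS';    Type = 'User';     Targets = @($sqlSpn) },
    @{ Name = 'VMSP10APP01'; Type = 'Computer'; Targets = @($sqlSpn) }
)
$props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'ServicePrincipalNames'

$results = foreach ($spec in $expected) {
    $obj = if ($spec.Type -eq 'Computer') {
        Get-ADComputer -Identity $spec.Name -Properties $props
    } else {
        Get-ADUser -Identity $spec.Name -Properties $props
    }
    $allowed = @($obj.'msDS-AllowedToDelegateTo')

    # TrustedForDelegation = unconstrained delegation ("any service"); it lets
    # the account impersonate callers to anything and must stay off here.
    $unconstrained = [bool]$obj.TrustedForDelegation
    # TrustedToAuthForDelegation = "Use any authentication protocol"
    # (protocol transition), which the C2WTS path requires.
    $transition = [bool]$obj.TrustedToAuthForDelegation
    # The constrained list must hold the SQL SPN and nothing else.
    $extra   = @($allowed | Where-Object { $spec.Targets -notcontains $_ })
    $missing = @($spec.Targets | Where-Object { $allowed -notcontains $_ })

    New-Object PSObject -Property @{
        Principal          = "$($spec.Type) $($spec.Name)"
        HasSPN             = (@($obj.ServicePrincipalNames).Count -gt 0)
        Unconstrained      = $unconstrained      # must be False
        ProtocolTransition = $transition         # must be True
        MissingTargets     = ($missing -join ';') # should be empty
        UnexpectedTargets  = ($extra -join ';')   # should be empty
        OK                 = ((-not $unconstrained) -and $transition -and
                              $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}
$results | Select-Object Principal, HasSPN, Unconstrained, ProtocolTransition,
    MissingTargets, UnexpectedTargets, OK | Format-Table -AutoSize
```

A row with OK = False points at the principal whose Delegation tab still needs the settings from steps 3 to 10; an UnexpectedTargets value shows delegation to a service the design above does not call for.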



Grant the Visio Services service account permissions on the web application content database

A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the service application's service account access to the content databases for a given web application. In this example, we will grant the Visio Graphics Service account access to the portal web application's content database by using Windows PowerShell.

Run the following command from the SharePoint 2010 Management Shell:

$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcVisio")


Start the Visio Graphics Service instance on the Visio server

Before creating a Visio Services service application, start the Visio Graphics Service instance on the designated farm servers.

1. Open Central Administration.

2. Under System Settings, select Manage services on server.


3. In the server selection box in the upper right-hand corner, select the server(s) running the Visio Graphics Service. In this example it is VMSP10APP01.


4. Start the Visio Graphics Service.

Create the Visio Graphics Service application and proxy

Next, configure a new Visio Graphics Services service application and application proxy to allow Web applications to consume Visio Graphics Services (if one does not already exist):

1. Open Central Administration.

2. Select Manage service applications under Application Management.


3. Select New, and then select Visio Graphics Service.


4. Configure the new service application. Be sure to select the correct service account (create a new managed account if the Visio service account is not in the list).
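The same two procedures (starting the service instance and creating the service application and proxy) can be scripted from the SharePoint 2010 Management Shell. The script below is an added example and not from this article; it assumes the account vmlab\svcVisio and server VMSP10APP01 from this example, and the application pool and service application names it defines are assumed.

```powershell
# Added example (not from the KB article). Assumes the SharePoint 2010
# Management Shell, the managed account vmlab\svcVisio and server VMSP10APP01
# from this example; the pool and application names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$account  = 'vmlab\svcVisio'
$server   = 'VMSP10APP01'
$poolName = 'Visio Services App Pool'      # assumed name
$appName  = 'Visio Graphics Service'       # assumed name

# "Start the Visio Graphics Service instance": only on the designated server.
$instance = Get-SPServiceInstance -Server $server |
    Where-Object { $_.TypeName -eq 'Visio Graphics Service' }
if ($instance.Status -ne 'Online') {
    Start-SPServiceInstance -Identity $instance | Out-Null
}

# The service account must already be registered as a managed account
# (the article's step 4 creates one if it is missing from the list).
$managed = Get-SPManagedAccount -Identity $account -ErrorAction SilentlyContinue
if (-not $managed) { throw "Register $account as a managed account first." }

# A dedicated application pool so Visio Services runs under its own identity.
$pool = Get-SPServiceApplicationPool -Identity $poolName -ErrorAction SilentlyContinue
if (-not $pool) {
    $pool = New-SPServiceApplicationPool -Name $poolName -Account $managed
}

# Service application and proxy, created only if they do not already exist.
$app = Get-SPServiceApplication | Where-Object { $_.Name -eq $appName }
if (-not $app) {
    $app = New-SPVisioServiceApplication -Name $appName -ApplicationPool $pool
    New-SPVisioServiceApplicationProxy -Name "$appName Proxy" `
        -ServiceApplication $app | Out-Null
}

# Verification: the pool identity is the dedicated Visio account and the
# service instance is online on the selected server.
New-Object PSObject -Property @{
    PoolIdentity    = $app.ApplicationPool.ProcessAccountName
    IdentityMatches = ($app.ApplicationPool.ProcessAccountName -eq $account)
    InstanceStatus  = (Get-SPServiceInstance -Identity $instance).Status
} | Format-List
```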


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2723977 - Last Review: June 22, 2012 - Revision: 3.0
APPLIES TO
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
Keywords: KB2723977
