Flowing Identity in the Microsoft BI Stack using Claims
Transcription
Flowing Identity in the Microsoft BI Stack using Claims
Flowing Identity in the Microsoft BI Stack using Claims-based Authentication If you are adopting Active Directory Federation Services (ADFS) as a method of user authentication for SharePoint 2013 and desire to implement role based (per-user) security with Microsoft Business Intelligence (BI) tools accessing enterprise data sources, one challenge you’ll find is bridging the gap between SAML-based authentication used by ADFS and the proprietary Windows Authentication used by enterprise data sources, like SQL Server Analysis Services (SSAS). This problem is important because more and more organizations are adopting claims-based authentication for internal and/or external user access. Any back-end system that does not support SAML claims can become inaccessible without implementing some kind of translation system between SAML and the system’s native authentication mechanism. Custom solutions can be created, but they can be cumbersome to manage. Also, user mapping is error prone and introduces another point of failure. White Paper Matt Youngstrom Greg Moser Jared Zagelbaum “…more and more organizations are adopting claims-based authentication for internal and/or external user access." Introduction The complexity required in translating authentication methods can be mitigated if one is willing to accept a many-to-one mapping of users to a single service account. However, with the reduced management headaches, you also lose the ability to track usage and restrict authorization at a per-user level. This can be an unacceptable risk, especially if you are in a heavily regulated business in which security and data privacy compliance is of utmost importance. Even in less regulated environments, the practice of mapping roles to service accounts requires that multiple copies of each data visualization definition be maintained for each unique emulated role. Better yet to leverage OOTB data security included in enterprise tools like SSAS, and maintain this security at the source layer. This ensures that the visualization tools used by developers or business users are the consumers of security, and not entrusted with the role of enforcing data authorization. This white paper looks at the SAML to proprietary problem within the context of ADFS, SharePoint, and SSAS. It will examine the problem in detail, show a solution, and provide a roadmap for its implementation. It does not provide instructions for installing the various components; references will be made to the relevant TechNet articles within the context of this white paper for installation instructions. ADFS is different in that it only interacts with other systems using SAML. While SAML succeeds in simplifying proprietary authentication methods into a single crossplatform standard, it also requires that all target systems implement SAML, which is not yet a reality. SharePoint is able to work with SAML authentication. Whereas in 2010 it was an option, in SharePoint 2013 all users are only represented in SAML internally to SharePoint regardless of the originating authentication mechanism. When a SharePoint service application like Excel Services needs to authenticate with an external system that does not support SAML claims (in this case SSAS), a service running in SharePoint called the Claims to Windows Token Service (C2WTS) converts the user’s SAML claim back to a Windows token. But the C2WTS will not convert any SAML claim to a Windows token; it is hard-coded to verify that the SAML claim was generated based on a Windows token. If not, no Windows token is generated and authentication with SSAS fails. The following diagram summarizes this process by illustrating what happens when a user authenticated with a Windows token accesses an Excel workbook (with an SSAS data source and a specified per-user connection) through Excel Services. Notice the presence of the Secure Token Service (STS), which is responsible for initially converting the user’s Windows token into a SAML token for Examining the Issue SharePoint consumption. This is an internal, OOTB process Traditionally, Single-Sign-On (SSO) solutions provide created by an administrator at the farm level to map user “drivers” that allow a user’s identity to be translated into a ids to stored credentials (which in our case defeats the format that the target system requires. As an SSO solution, purpose of what we are trying to accomplish). to SharePoint, and is different from the STS that can be 1 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication DESKTOP SERVER INTERNET BROWSER Excel Workbook 1 IPrincipal SHAREPOINT WEB FRONT-END SHAREPOINT SECURE TOKEN SERVICE 2 Excel Web Access IClaims Principal SHAREPOINT APP SERVER Excel Services 3 Content Database 4 CLAIMS TO WINDOWS TOKEN SERVICE Excel Workbook 4.5 5 DOMAIN CONTROLLER (AD) SSAS Kerberos Constrained Delegation configured If the authentication method originating with the request is not Windows Authentication (at #1 above), such as ADFS, the orange line effectively stops at #4 (though in actuality an anonymous Windows Token is generated despite failing to create a Windows token for the user and that anonymous token is passed to SSAS instead). The Solution Because ADFS is of concern, we need to transition from ADFS-generated SAML Claims to Windows Tokens prior to authenticating to SharePoint. In other words, what is needed is this: WINDOWS TOKEN ADFS-generated SAML Claim WINDOWS TOKEN Sharepoint-generated SAML Claim WINDOWS TOKEN 2 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication WINDOWS TOKEN SSAS “The added peace of mind gained from being able to track SSAS access on a per-user basis is well worth the configuration and effort, especially if your business is highly regulated and depends on a well thought-out data privacy strategy.” One way to solve this problem is using a reverse proxy The new WAP server role’s purpose is to proxy server that would inspect the incoming request, reformulate authentication requests to designated applications on it, and pass it on to the target application, which in this case behalf of ADFS (utilizing Kerberos constrained delegation) is SharePoint. Microsoft has had products that provided and redirect the user if successfully authenticated. These such functionality, such as the Unified Access Gateway target applications can use SAML for authentication or (UAG). However, UAG is expensive, bulky, and slated Windows Authentication. In the case of the latter, WAP for retirement. Fortunately, in the latest incarnation of converts the ADFS SAML Token into a Windows Token Windows Server 2012, dubbed R2, a new feature has been before forwarding the request onto the target application. added called the Web Application Proxy (WAP) which is Given our scenario, this is exactly what is needed. capable of meeting our solution requirements. Implementation To prove that this does indeed work, an environment was built utilizing Windows Azure for infrastructure. The following diagram shows the server farm and its components: SHAREPOINT DATA WAREHOUSE / BI Windows Server 2012 SQL Server 2012 SP1 Enterprise DBEngine, SSAS Windows Server 2012 SharePoint 2013 Web Front-End/Application Server Windows Server 2012 2012 R2 Web Application Proxy Windows Server 2012 SQL Server 2012 SP1 Enterprise SharePoint Content Database Server Windows Server 2012 2012 R2 ADFS HTTPS EndPoint DOMAIN CONTROLLERS Windows Server 2012 Windows Server 2012 Primary Domain Controller Backup Domain Controller 3 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication Internet The process was tested using a SharePoint Business Excel workbook (note that the internet’s DNS would be Intelligence site with an Excel workbook connected to updated such that requests to the SharePoint-enabled web an SSAS Cube (specifying a per-user connection). The application are directed to the WAP but for the sake of the diagram below describes what happens when the user POC, we configured our local hosts file in lieu of making tries to authenticate to the SharePoint site and access the internet DNS changes): Windows SHAREPOINT DATA WAREHOUSE / BI 3 Windows Server 2012 SQL Server 2012 SP1 Enterprise DBEngine, SSAS Windows Windows Server 2012 SharePoint 2013 Web Front-End/Application Server Windows Server 2012 2012 R2 Web Application Proxy SAML Windows Server 2012 SQL Server 2012 SP1 Enterprise SharePoint Content Database Server Windows Server 2012 2012 R2 ADFS HTTPS EndPoint SAML 3 2 1 Internet 1) When browsing to the site’s URL, the login screen for ADFS appears (either the out-of-the-box screen or a custom login screen) as though the user was logging into ADFS. When the user enters credentials, the WAP authenticates against the ADFS directory and then, if authentication is successful, and if the proxy is configured to redirect to a windows authentication-enabled web application, it converts the ADFSgenerated SAML token to a Windows token and passes the Windows token to the target SharePoint windows authentication-enabled web application. 2) SharePoint then takes the Windows token and converts it back to a SAML token for internal use via its own internal STS. When a request is made to view an Excel workbook with a connection specifying per user identity to an SSAS Cube, Excel Services utilizes the C2WTS to convert the SharePoint-generated SAML token successfully back to a Windows token (because in this case the SAML token was generated based on a Windows token). 3) Authentication then proceeds to SSAS which, if the user has the appropriate access, is successfully authenticated using Windows authentication. 4 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication 1) T he user navigates to the URL of the target application and is directed to the WAP 2) T he WAP communicates with the ADFS server and redirects the user to ADFS 3) A DFS displays the ADFS login page 4) T he user enters credentials 5) I f authenticated, ADFS communicates back to the WAP that it’s OK to redirect to the target site 6) T he WAP passes the user’s credentials to the SharePoint web application and proxies subsequent HTTP requests to and from SharePoint Another way of looking at this: SHAREPOINT Name: SPWEBAPP1 Windows Server 2012 SharePoint 2013 Web Front-End & App Server Web App 6 5 Windows Server 2012 R2 Web Application Proxy 2 Windows Server 2012 R2 ADFS 3 ADFS Login Page 4 1 Installation Configuration As was mentioned in the introduction, detailed While you can gain most of what you need to know from instructions for installation are not provided. Please refer the installation documentation, the following configuration to the following TechNet articles for ADFS, WAP, and areas were not straightforward, and so they are detailed SharePoint 2013 installation planning and instructions. here for your reference. Keep in mind that the amount ADFS of configuration depends on how the environment is scaled to meet usage demands, so in some ways this is http://technet.microsoft.com/en-us/library/ only representative of the environment noted above and dd807092(v=ws.10).aspx not for your particular implementation. Nonetheless, the WAP http://technet.microsoft.com/en-us/library/dn383659.aspx environment referenced in this white paper is intentionally simple, and allows you to easily extrapolate what you need from the basic artifacts it contains. SharePoint 2013 on Azure IaaS http://www.microsoft.com/en-ca/download/details. aspx?id=38428 5 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication Kerberos In order for the initial SAML token from ADFS to be converted to a windows token, the target web application must be configured for windows authentication. But the environment as a whole needs to be configured for Kerberos and specifically for constrained delegation. While a discussion on Kerberos is beyond the scope of this post, here is a high-level overview of the configuration: 1) S ervice Principal Names (SPN) needed to be set up for the following: a. The target SharePoint web application b. The SSAS service 2) B oth the WAP and the ADFS servers need to be able to delegate to the target SharePoint web applications. 3) E xcel Services needs to be able to delegate to SSAS. 4) T he C2WTS needs to be able to delegate to SSAS. The following diagram shows this in more detail: SHAREPOINT DATA WAREHOUSE / BI Name: SPWEBAPP1 Name: SQLBI1 Windows Server 2012 Windows Server 2012 SharePoint 2013 SQL Server 2012 SP1 Enterprise Web Front-End & App Server Web App Pool Service Account: DOMAIN\SP_FARM_DB SSAS Service Account: DOMAIN\ SQLBISERVICE Excel Service App Pool Service Account: DOMAIN\SP_BI* Claims to Windows Token Service (C2WTS) Service Account: DOMAIN\C2WTS* Windows Server 2012 SQL Server 2012 SP1 Enterprise SPN: MSOLAPSVC.3/SQLBI1.int DOMAIN\SQLBISERVICE SPN: MSOLAPSVC.3/SQLBI1 DOMAIN\SQLBISERVICE Name: WEBPROXY1 Name: ADFS1 Windows Server 2012 R2 Web Application Proxy Windows Server 2012 R2 ADFS SPN: HTTP/spwebapp1.int DOMAIN\SP_FARM_DB SPN: HTTP/spwebapp1 DOMAIN\SP_FARM_DB Constrained Delegation: COMPUTER: WEBPROXY1 -> HTTP/SPWEBAPP1 Constrained Delegation: SERVICE ACCOUNT: DOMAIN\C2WTS -> MSOLAPSVC.3/SQLBi1 Constrained Delegation: COMPUTER: ADFS1 -> HTTP/SPWEBAPP1 Constrained Delegation: SERVICE ACCOUNT: DOMAIN\SP_BI -> MSOLAPSVC.3/SQLBi1 * 2 "dummy" SPNs must be created for DOMAIN\SP_BI and DOMAIN\C2WTS so that the delegation tab appears in the account properties in the Active Directory Users and Computers snap-in OR utilize PowerShell to configure constrained delegation. 6 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication Domain Name System The internet domain name system (DNS) needs to be configured such that: 1) T he domain name for the SharePoint web application is mapped to the IP address of the WAP SharePoint Domain Name -> IP Address of WAP ADFS Domain Name -> IP Address of WAP 2) T he domain name for the ADFS server is mapped to the IP address of the WAP Secure Sockets Layer In general, it is recommended to utilize SSL whenever possible. For the purposes of the WAP and ADFS, however, two certificates for SSL are required for securing the wire between: 1) t he WAP and ADFS 2) t he WAP and the SharePoint Web Application Without these certificates, the WAP will not communicate with either system. SSL encryption elsewhere is not required, but recommended. SHAREPOINT Name: SPWEBAPP1 SharePoint SSL Cert Windows Server 2012 SharePoint 2013 Web Front-End & App Server ADFS SSL Cert Web App 6 SSL 5 SSL Windows Server 2012 R2 Web Application Proxy 2 SSL 3 Windows Server 2012 R2 ADFS SSL 4 SSL 1 SSL Both certificates must be installed in the "Personal" as well as "Trusted Root Certification Authorities" in the Computer Certificates snap-in on the WAP 7 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication ADFS Login Page Conclusion While this method bridges the gap between utilizing ADFS for login and windows authentication for SharePoint, at the end of the day the WAP is a proxy. Clients never really access the target SharePoint site directly; all traffic is handled through the proxy. Each time a new web application in SharePoint is added that will be used externally, you will need to register it in the WAP configuration so that the WAP knows how to proxy requests based on their target addresses. Still, this is a fairly small price to pay for being able to utilize the strengths of ADFS-based authentication with the ability to use back-end systems that require credential delegation to operate correctly. The added peace of mind gained from being able to track SSAS access on a per-user basis is well worth the configuration and effort, especially if your business is highly regulated and depends on a well thought-out data privacy strategy. About Magenic Founded in 1995 by the same technical minds that still run the company, Magenic focuses on the Microsoft stack and mobile application development. Visit us at magenic.com or call us at 877.277.1044 to learn more or to engage Magenic today. 8 | Flowing Identity in the Microsoft BI Stack using Claims-based Authentication