Constrained Delegation in Azure



Problem statement:
Impersonate a user on SSAS (SQL Server Analysis Services) without:

  • The user's password
  • Sysadmin permission on SSAS

What is constrained delegation?

Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation for services. When it is configured, constrained delegation restricts the set of services to which the specified server can act on behalf of a user. Configuring a domain account for a service requires domain administrator privileges, and the delegation is restricted to a single domain.

Basically, it is a Kerberos-based authentication mechanism that lets one service call other services as a different user.



How to configure it?
Refer to the links in the references.

High level:
  • Create SPNs for the servers between which mutual trust needs to be set up
  • In Active Directory, set up constrained delegation on the service account

How I used it in a SharePoint-based reporting system
  • From the Azure service, passed the User Principal Name (UPN) to the On-Premise service
  • In the On-Premise service, implemented logic to impersonate based on the user's identity

How does it work internally?
  1. When the UPN is received and an impersonation request is made, the On-Premise service asks Active Directory for a Kerberos ticket for that user
  2. Active Directory issues the ticket to the On-Premise service
  3. The On-Premise service presents the ticket to the server hosting SSAS, which returns only the data that user is allowed to see

References:
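
The three steps above as an added C# example (not code from the original post). It assumes the service account runs with constrained delegation to the SSAS SPN and "Use any authentication protocol" (protocol transition) enabled, since the user never authenticated to the On-Premise service with Kerberos; the SSAS host name and cube are placeholders.

```csharp
using System;
using System.Security.Principal;
using Microsoft.AnalysisServices.AdomdClient;

// Added example. The account running this code must be configured in AD for
// constrained delegation to the SSAS SPN (e.g. MSOLAPSvc.3/<ssas-host>) with
// protocol transition, otherwise step 3 cannot obtain a ticket for SSAS.
public static class SsasImpersonation
{
    // Placeholder host/catalog; the host must match the SPN delegation is allowed to.
    const string SsasConnectionString =
        "Data Source=ssas-host.corp.example;Catalog=SalesCube";

    public static CellSet QueryAsUser(string upn, string mdx)
    {
        // Steps 1-2 of the post (S4U2Self): the constructor asks the KDC for a
        // ticket for 'upn' to ourselves. No password is involved, so the UPN
        // must come from the caller's validated identity (e.g. its Azure AD
        // token claims), never from an unauthenticated request field.
        using (var identity = new WindowsIdentity(upn))
        {
            // If delegation / protocol transition is not configured, the KDC
            // still answers, but the token is Identification-level only and the
            // SSAS connection would fail as an anonymous logon. Fail early.
            if (identity.ImpersonationLevel != TokenImpersonationLevel.Impersonation)
                throw new InvalidOperationException(
                    $"S4U2Self for {upn} returned {identity.ImpersonationLevel}; " +
                    "check constrained delegation settings on the service account.");

            // Step 3 (S4U2Proxy): while impersonating, the Kerberos client
            // requests a ticket for SSAS on the user's behalf; SSAS then applies
            // its role security for that user, so only their data comes back.
            return WindowsIdentity.RunImpersonated(identity.AccessToken, () =>
            {
                using (var conn = new AdomdConnection(SsasConnectionString))
                {
                    conn.Open();
                    using (var cmd = new AdomdCommand(mdx, conn))
                        return cmd.ExecuteCellSet();
                }
            });
        }
    }
}
```

The impersonation-level check is the quickest way to tell a delegation misconfiguration apart from an SSAS permission problem, since both otherwise surface as a failed connection.
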

  • https://technet.microsoft.com/en-us/library/cc720385(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/cc995228.aspx 


