Knowing the Fundamentals is the Key to Great Performance …

I’m constantly amazed at the lack of realisation by people that you have to invest time and effort in understanding and mastering the fundamentals if you really want to be good at something.

I’ll give you three examples from my experience Software Development, Swimming and Music.

Software Development.  In order to be good at software development and to move beyond the ‘code monkey’ level, where we all start, we need to grasp the fact that our software sits on top of other software, so in order to really understand how our programs are going to function in  real systems, we must understand and master the fundamentals of those systems.  For example, to be really good at configuring SharePoint you really need to be good at configuring Kerberos.  In order to be good at configuring Kerberos, you really need to understand the principles of what is going on. It’s not enough to say “Oh you run setspn and then click the radio button to allow Delegation to all Kerberos Services”.  It’s true that will work – some of the time, but if you hit an issue, unless you understand why you do that, you’ll never be an “expert” in that area. It’s just an example.  Another example is understanding things like Regular Expressions or XSLT – if you don’t understand why they work the way they do, you’ll never master them, know when they can be used or their limitations.  I think I heard or read Spencer Harbar say once that he is astounded how many people don’t actually understand the basic way that the Windows operating system works or how AD works or DNS, yet we’re working with these things all the time.

Swimming.  I swim a bit, my son swims a lot. He’s really good at Butterfly. It’s perceived to be the ‘hardest stroke’, and in a race, it can be physically very demanding, but to actually swim it, I found out this evening is actually really easy.  Our Swimming Club’s Head Coach Mark Wilmot has mastered the fundamentals, he knows how the swimming strokes work and as such I was somewhat startled at first this evening when he said “butterfly is easy”, by the end of the session I believed him.  I’ve seen many swimming coaches teach butterfly by concentrating on the arms, focussing on getting the arms out of the water.  Mark was totally different to all but one coach I’ve heard in my recollection(apologies to any other coaches who’ve also taught this who I know).  He focussed on the kick. “All the power comes from the kick, and it’s simple, One, Two, One, Two, One,  Two … let you arms follow – kick in, kick out, kick in , kick out, One, Two” over and over again he said it. He got us to go up and down not worrying about the arms, just that kicking rhythm “One, Two, One, Two …”.  You know what?  By the end , my arms were starting to be driven by my legs and the effort diminished considerably.  The Coach at Swim Therapy in Leicester Matt, said the same thing and Matt has been instrumental in getting my son’s Buterfly out of a rut and back on track for National Qualification time this year, we hope. It’s because they know the fundamentals.

Music.  Lastly, another example of mastering the fundamentals was demonstrated to me by my older son who plays the Drums.  I’ve always loved the fantastic drum beat on Deep Purple’s “You Fool No One” courtesy of Ian Paice.  I’ve always thought that would be a real stretch for my lad to play.  But, his drum teacher understood and could teach the fundamentals, called rudiments in drumming, and my son learnt those thoroughly, so a few months back I said “listen to this” and played him the Deep Purple track. He listened and said “Oh that’s easy – it’s just a paradiddle like this …” and played it beat perfect almost immediately. I was impressed! But looking back on it, it’s just because he knows and has mastered the fundamentals.

It takes time, dedication, but it’s worth it.  Learn the Fundamentals …


Dave Mc

Kerberos Authentication Not Working

Well there could be a large number of reasons why your Kerberos Delegation may not appear to be working, but I’m just going to quickly cover one reason here and it’s to do with DNS names.  I had this issue today and it took me a while to drag it out of my memory, but I got there eventually.

If you have a single-part host header for your website such as http://myintranet then you MUST define two SPNs for your site if you want to run it under Kerberos.  So if your root fully qualified domain name (FQDN) is mydomain.local and your Application Pool account name for your Web Application which you want to run under Keberos is  mydomain\myapppoolaccount, then you must declare the following two SPNs:

setspn -S HTTP/myintranet mydomain\myapppoolaccount
setspn -S HTTP/myintranet.mydomain.local  mydomain\myapppoolaccount

The reason is you don’t have a ‘dot’ in your domain name, so Kerberos decides that the SPN is actually referring to a machine name, even though it isn’t, and sticks the DNS suffix on the end of the transited service, so if you don’t declare the FQDN SPN, Kerberos will fail.

Fell for this one today and cost me some time.  Once I declared the second FQDN SPN everything clicked in.


Dave Mc

Configuring Kerberos for SharePoint. A Couple of Tips …

I’ve been back in the Kerberos Configuration Groove lately. Yes that, multi-step process which foxes so many people.   If you have to engage in this process then I recommend a few things:

If you’re not already aware of it I strongly recommend that you download  a copy of the “Configure Kerberos Authentication for SharePoint 2010 Products” from Microsoft from here and keep it close.

Try to get to understand the process of what is happening rather than just follow by rote.  You’ll find you fix errors much easier.  The document I just mentioned really helps.

Bear in mind that a few things in the document are a bit of overkill IMHO … two in particular are:

Having a domain account running the Claims to Windows Token Service.  I personally would just let this run as  “Local Service”.  Before you security guru’s start jumping all over me on that one, I’ll refer you to the document which says that the account which runs the C2WTS has to be a Local Administrator, Act as Part of the Operating System, Log On As A Service and Impersonate a Client After Authentication.  Also the C2WTS has no remote access capability, as you have to run it on every server which runs Excel Services or PerformancePoint Services.   If this is the case  why on earth have a domain account?  Surely it’s more secure to have one less domain account to worry about, and if you have your LocalSystem account hacked I think you have bigger fish to fry …

On the Reporting Services Configuration the document recommends using Constrained Delegation to Any Authentication Protocol.  This is not necessary if you are connecting to SQL Server and to Analysis Services as the document example is doing.  You only need Constrained Delegation for Kerberos.  Trust me, try it, it works fine.  Using any authentication protocol is less secure than Kerberos Only and SSAS and SQL Server don’t understand things like claims at the moment, so it’s totally pointless.

Other than that the document whilst a weighty tome at over 200+pages, is a very good reference.  I only hope as we move forward that Microsoft manage to simplify the process so that some pages can be removed …


Dave Mc

Reporting Services Integrated Mode Error

I was getting pretty recently a problem with Reporting Services Integrated Mode with SharePoint 2010, it was this …

I’d set up SSRS to work with Kerberos Authentication in SharePoint 2010 Integrated Mode and it all seemed to be working perfectly in that reports rendered through SharePoint worked perfectly.  I then left it a while and came back to it and started getting “Cannot create a connection to data source” error.  Looking further my data sources were failing to connect with the error “Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’.” Oh dear. Kerberos right?  Did some digging around and checking, nothing seemed to be wrong.

Then I logged onto the server hosting the Report Server and navigated to the Report Server URL directly, blow me, the report rendered correctly … hmmm.  Went back to my workstation logged onto the SharePoint site and opened the report in Integrated mode and blow me, report rendered fine.  Did an iisreset and restarted the Reporting Services service, back came the “Login failed for user ‘NT AUTHORITY\ANONYMOUS LOGON’.” error …

The problem?

It came down to the browser in the end. My SharePoint 2010 URL needed to be in the “Local Intranet” Zone.  Once I did this the issue dissappeared and the reports would always render correctly.  Reading around I found this article from 2006 which indicates that this is ‘the’ thing to do. Not too sure about that, certainly in a cross-domain issue it doesn’t seem to work, a combination of Basic Authentication and Trusted Zone seems to work in that particular case.  Anyhow, if you get seemingly temperamental behaviour of Kerberos Authentication with Reporting Services in that now it works, now it doesn’t, try switching your URL to be in the ‘Local intranet’ zone either locally or via Group Policy.

[Update : 14 Jul 2011 Looks like you also have to have the SSRS URL you use in the Trusted Sites Zone – thanks to Paul Lynch for this amendment]


Hope that helps


Dave Mc