Configure SharePoint 2010 to use Kerberos authentication

Kerberos

The Windows Firewall service was disabled on all computers for this lab. This is a test-only shortcut; in production, open only the ports SharePoint and SQL Server need.

K1 Computer


K2 computer

SharePoint 2010 server is installed as Standalone. The SQL Server instance for SharePoint is k2\SharePoint.

The SQL Server 2008 R2 Standard Edition instance installed on K2 is for test purposes only.

All three computers (K1, K2, and Queen) can access the SharePoint site at http://k2.



Install SharePoint Designer 2010 on the K2 computer (the SharePoint 2010 server).

Install SQL Server 2008 R2 on the K2 computer.

Both instances (K2\SharePoint and K2\Standard) use Windows Authentication.


Create an external list based on ExpressType1.

Administrator on all three computers can access the external list that is based on ExpressType1.

"Connect with User's Identity" does not mean that only Administrator can use the connection. Business Data Connectivity opens the SQL connection under the Windows identity of whoever is logged on to the SharePoint site, so the data source sees each user as themselves. This is also what makes the setup sensitive to the Kerberos double-hop problem below: with NTLM, SharePoint only holds a network logon token for the user and cannot forward it to a SQL Server on another computer.


SharePoint Designer 2010

New External Content Type: QueenType1

Add a connection to the SQL Server instance on Queen.


From the SharePoint computer itself, the external list pointing to the Queen SQL Server can be accessed.


From the Queen and K1 computers, the external list pointing to the Queen SQL Server cannot be accessed. This is the double hop: the browser authenticates to SharePoint on K2, and SharePoint then has to authenticate to SQL Server on Queen as that user. With NTLM the second hop is impossible, so Queen sees an anonymous connection. It only worked from K2 because the browser and SharePoint were on the same computer, so there was no second hop.



Create a new external content type with a SQL Server connection to the K2\Standard instance.


Create an external list based on the new type.

In the Business Data Connectivity Service application, you must run "Set Object Permissions" on the new external content type and grant aaa\administrator access. Otherwise SharePoint shows "Access denied by Business Data Connectivity".


From the SharePoint computer, all three external lists can be accessed.

From the Queen computer, both the ExpressProducts and StandardPayment external lists can be accessed (their data lives in the two instances on K2, the same computer as SharePoint). Clicking the QueenCourses external list displays "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'", because SharePoint could not pass the user's identity on to the SQL Server on Queen.


Health Analyzer warning: "Built-in accounts are used as application pool or service identities (SharePoint Foundation 2010)"

Kerberos needs an SPN on the account that runs the web application's application pool, and an SPN cannot usefully be registered on a built-in account such as NETWORK SERVICE, so the identity used for the service or application pool must be changed to a domain account.

Register a Managed Account in SharePoint Central Administration

Central Administration---Security--General Security---Configure managed accounts


SharePoint 2010 Central Administration---Security--General Security---Configure service accounts


SQL Server Instance k2\SharePoint

By default (Standalone install), NT AUTHORITY\NETWORK SERVICE is a member of the db_owner, SharePoint_Shell_access, and WSS_Content_Application_Pools database roles.


Add aaa\sam to the db_owner, SharePoint_Shell_access, and WSS_Content_Application_Pools database roles, so the new application pool identity has the same database access that NETWORK SERVICE had.



setspn.exe -A http/k2 aaa\sam
setspn.exe -A http/k2.aaa.com aaa\sam

setspn.exe -A MSSP/k2 aaa\sam
setspn.exe -A MSSP/k2.aaa.com aaa\sam

If the SharePoint server hosts several web applications on different ports (e.g. http://k2:2000 and http://k2:3000) and their application pools all run as aaa\sam, the registration above is all that is needed: by default the browser requests a ticket for HTTP/k2 without a port number, so the single HTTP/k2 (and HTTP/k2.aaa.com) SPN covers every port. Do not register a port-specific SPN such as "setspn.exe -A http/k2:2000 aaa\sam"; in this lab that broke access to http://k2:2000. Also make sure each SPN exists on exactly one account: "setspn.exe -L aaa\sam" lists what is registered, and a duplicate SPN on another account (found with "setspn.exe -X") makes Kerberos authentication fail; with Negotiate the client then silently falls back to NTLM, which hides the problem until the second hop fails.
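As an added example (not part of the original post), the following PowerShell script does the SPN registration above defensively: it searches Active Directory for every account that already holds each SPN, refuses to create a duplicate, registers the missing ones with setspn -S (which also rejects duplicates), and then lists the result. It assumes a domain-joined machine, an account allowed to write servicePrincipalName, setspn.exe and klist.exe from Windows Server 2008 / Windows 7 or later, and the names from this post (aaa\sam, k2, k2.aaa.com). The Test-HttpTicket helper is an assumption about how you would verify from a client that a ticket for HTTP/k2 was actually obtained after browsing to the site.

```powershell
# Added example, not the original post's commands.
# Registers the HTTP and MSSP SPNs for the SharePoint application pool account
# only after checking that no other account already holds them.

$Account = 'aaa\sam'                      # application pool identity from the post
$Spns    = @('HTTP/k2', 'HTTP/k2.aaa.com', 'MSSP/k2', 'MSSP/k2.aaa.com')

function Get-SpnOwner {
    # Returns the sAMAccountName of every AD object whose servicePrincipalName
    # attribute contains $Spn. A healthy domain returns zero or one name.
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

function Register-SpnSafely {
    param([string]$Spn, [string]$TargetAccount)
    $owners      = @(Get-SpnOwner $Spn)
    $samName     = $TargetAccount.Split('\')[1]

    if ($owners.Count -gt 1) {
        Write-Warning ("{0} is already registered on {1} accounts ({2}). Kerberos will fail " +
                       "until the duplicate is removed with 'setspn -D'.") -f $Spn, $owners.Count, ($owners -join ', ')
        return
    }
    if ($owners.Count -eq 1 -and $owners[0] -ne $samName) {
        Write-Warning ("{0} already belongs to {1}; registering it for {2} would create a duplicate." -f $Spn, $owners[0], $TargetAccount)
        return
    }
    if ($owners.Count -eq 1) {
        Write-Host ("{0} is already registered on {1}, nothing to do." -f $Spn, $TargetAccount)
        return
    }
    # -S (available on Windows Server 2008 and later) refuses to add a duplicate,
    # unlike -A, so it is the safer verb even after the search above.
    & setspn.exe -S $Spn $TargetAccount
}

function Test-HttpTicket {
    # True if the current logon session already holds a service ticket for $Spn.
    # Run this on a client after browsing to http://k2: an HTTP/k2 ticket proves
    # the browser used Kerberos rather than falling back to NTLM.
    # klist prints one line per ticket of the form "Server: HTTP/k2 @ AAA.COM".
    param([string]$Spn = 'HTTP/k2')
    $pattern = 'Server:\s+' + [regex]::Escape($Spn) + '\s*@'
    [bool]((& klist.exe tickets) -match $pattern)
}

foreach ($spn in $Spns) { Register-SpnSafely -Spn $spn -TargetAccount $Account }

# Final state for the account, then a forest-wide duplicate scan.
& setspn.exe -L $Account
& setspn.exe -X

if (Test-HttpTicket 'HTTP/k2') {
    Write-Host 'This session holds a Kerberos ticket for HTTP/k2.'
} else {
    Write-Host 'No HTTP/k2 ticket in this session yet (browse to http://k2 first, or Kerberos was not used).'
}
```

Run the registration part once from an administrative PowerShell on the domain; run Test-HttpTicket on K1 or Queen right after loading http://k2 in the browser. If setspn -X reports duplicates or the ticket check stays false from a domain-joined client, fix that before looking at delegation, because nothing downstream can work while the first hop is still NTLM.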

Active Directory Users and Computers

The aaa\sam account's delegation settings are configured here. For the external list that reads from Queen to work for users browsing from other computers, SharePoint has to forward the user's Kerberos identity to the SQL Server on Queen, which requires aaa\sam to be trusted for delegation to that SQL Server service (its MSSQLSvc SPN); without this, Queen sees the connection as NT AUTHORITY\ANONYMOUS LOGON.


The MSSP service class is for the Microsoft SharePoint service.



Grant aaa\Nicole read/write permissions on all three databases (the external content types connect as the logged-on user, so the user, not the application pool account, needs the database rights).


Grant aaa\Nicole permissions on all three external content types in the Business Data Connectivity Service application.


Nicole can now access all three external lists from all three computers.

However, when http://k2 is opened from a computer that is not a member of the AAA domain, the external list that retrieves data from Queen still fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'". A non-domain computer cannot obtain a Kerberos ticket for HTTP/k2, so the browser authenticates with NTLM; NTLM credentials cannot be delegated, and the hop from SharePoint to the SQL Server on Queen arrives anonymous. The two lists backed by instances on K2 itself keep working because they involve no second hop.
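As an added example (not part of the original post), the following PowerShell script shows how to tell Kerberos from NTLM at the SQL Server end instead of guessing from the error message. It connects to each instance with the current Windows identity and asks SQL Server how that session was authenticated (sys.dm_exec_connections.auth_scheme, visible for your own session without extra permissions). It assumes the instance names used in this post and, since the post never names Queen's instance, that Queen runs a default instance reachable as "queen"; adjust the list for your environment.

```powershell
# Added example, not code from the original post.
# Reports the authentication scheme SQL Server recorded for our own session:
#   KERBEROS - the client obtained a ticket for the instance's MSSQLSvc SPN;
#              delegation from SharePoint to this instance can work.
#   NTLM     - Kerberos was not used (missing/duplicate MSSQLSvc SPN, clock skew,
#              non-domain client, ...); a second hop to this instance will fail.
#   ERROR    - the login failed, e.g. "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".

function Get-SqlAuthScheme {
    param([Parameter(Mandatory = $true)][string]$Instance)

    $connectionString = "Server=$Instance;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # @@SPID is our own session, so this works without VIEW SERVER STATE.
        $cmd.CommandText = @"
SELECT c.auth_scheme, SUSER_SNAME() AS login_name, s.host_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions   AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            New-Object PSObject -Property @{
                Instance   = $Instance
                AuthScheme = [string]$reader['auth_scheme']
                Login      = [string]$reader['login_name']
                ClientHost = [string]$reader['host_name']
            }
        }
    }
    catch [System.Data.SqlClient.SqlException] {
        # A failed logon (including the ANONYMOUS LOGON case from the post) ends up here.
        New-Object PSObject -Property @{
            Instance   = $Instance
            AuthScheme = 'ERROR'
            Login      = $_.Exception.Message
            ClientHost = $env:COMPUTERNAME
        }
    }
    finally {
        $conn.Dispose()
    }
}

# 'queen' is an assumption (default instance); the two K2 instances are from the post.
$instances = 'k2\SharePoint', 'k2\Standard', 'queen'

$instances |
    ForEach-Object { Get-SqlAuthScheme -Instance $_ } |
    Select-Object Instance, AuthScheme, Login, ClientHost |
    Format-Table -AutoSize
```

Run it as Nicole from K1 or Queen: every instance should report KERBEROS. If Queen reports NTLM to a direct client, SharePoint cannot delegate to it either, whatever the delegation tab says, because constrained delegation only produces Kerberos tickets for a service that has a valid SPN. Running the same script from the non-domain computer reproduces the NTLM fallback described above.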


The following link might be helpful: Download DelgConfig V2 Beta by Brian Murphy-Booth.