SharePoint 2013+ Sqlserver 2014 Kerberos 配置图例, 终极解决方案 已经验证。

SharePoint 2013+ Sqlserver 2014 Kerberos 配置图例。

1，安装数据库，安装方法我就不说了，账户一定要注意。 我下面会有参考实例和账户。
2，建立DNS，如果没有DNS服务器 在本地修改hosts吧。 
3，Configure Claims to Windows Token Service Account.（呵呵 中文 是声明为windows令牌服务）
      Create an AD account to be used by the Claims to Windows Token Service Account e.g. SP_C2WTS
      Open a SharePoint PowerShell prompt as Administrator and run the following command:
      $w = Get-SPWebApplication -Identity http://bi.blue.com (Put the URL of your web application)
      $w.GrantAccessToProcessIdentity("blue\sp_c2wts") (Put your service account name)

验证一下啊

图例告诉我们OK

Change the account in the SharePoint UI running the Claims to Windows token Service

1. Navigate to Security in Central Admin,
2. Click on managed Accounts and add the new C2WTS account as a Managed Account,
3. Click Security again and Click on Service Accounts,
4. Click the Drop Down and Select Claims to Windows Token Service,
5. Select the new Managed Account SP_C2WTS and click OK. (Wait a few minutes for it to complete)
6. Set the following permissions on all SharePoint servers in the farm (All must be done) – this is completed under Local Security Policy on each server

下一步是到SPfarm 服务器上配置，

1. Grant Log on as a service (this should have happened automatically)
2. Impersonate a User (this should have happened automatically)
3. Act as part of the operating system (If its greyed out then your domain admin will need to update the group policy to allow it)

下图

既然配置到这里了 把其他几个也配置了吧。 如图 单击身份验证后模拟客户端--添加用户或组 把kerberos 账号加进去。 

以操作系统方式运行，添加kerberos 账号。

1. Local admin on all SharePoint servers
2. STOP and START the Claims to Windows Token Service (From SharePoint UI) on all servers in the Farm. Simply navigate to Services in Farm and select each server from the link in the top right corner and Stop and Start each one individually waiting for them to finish
   

下面 就有意思了， 给应用连接池授权。这个需要灵活，如果个别的账号找不到，或者授权比较麻烦， 你就在这个连接池使用管理员账号， 再把那个权限复制给 管理员账号。

也可以完全按照步骤来做。如下；

Grant permission for the account running the application pool for the Service Application

e.g. Excel Services Service Application, Reporting Services Service Application, etc.

1. For Analysis services this User must be Granted SQL Analysis Services Administrator access (Unfortunately this is required as Read permission is insufficient for the delegation of credentials)
2. Check which account is being used by navigating to Central Admin Security and then select Service Accounts and from the drop down list validate each service or application pool.
3. In my example I have an account SP_Services and that account is granted Admin permissions on Analysis Services and granted “SP_DataAccess” on SQL to the SharePoint web application content database(s).
4. Validate that the account has the following permissions on each SharePoint server
   (This should be completed automatically but should be validated under the Local Security Policy)
   1. Grant Log on as a service
   2. Impersonate a User
5. Grant process identity access to the Service account
   $w = Get-SPWebApplication -Identity