When we were at TechEd Europe we were looking for those things that some of you may have missed and the things that were a bit out of the ordinary.
We managed to persuade one of the Office 365 team to take us on a virtual tour of their data centre, which they had in Lego format at the event. This is probably as close to a real tour of a Microsoft data centre as you can get, as cameras are not allowed inside the real ones!
Find out more about Office 365 and try out the new Office release.
Read how two of our Office 365 customers are seeing direct and indirect benefits to their business from their move to cloud based services from Microsoft.
D7 Consulting deployed Microsoft Office 365 to improve the reliability of email messaging and enable employees to share and collaborate on documents more easily. Nucleus found this enabled D7 to increase employee productivity and improve customer service while reducing technology costs.
ROI: 1138% Payback: 1 month Average annual benefit: $64,613
D7 Consulting Case Study (PDF)
Naumac moved its contractors and consultants to Office 365 so they could have more professional and consistent tools for electronic communication and collaboration. Nucleus found the company was able to increase productivity and position itself for rapid growth while avoiding the resource requirements of an on-premise deployment.
ROI: 525% Payback: 2 months Average annual benefit: $46,400
Naumac Case Study (PDF)
These studies, conducted by the independent technology research and advisory firm Nucleus Research, share the financial statistics of our customers' investment in Office 365, including annual return on investment, payback period, average annual benefit and average annual total cost of ownership.
More customer stories can be found on our website, www.office365.com.
Over the last month I have been on tour with Dell showing what Hyper-V can do for small/medium businesses, and later this week I’ll be with them in Falmouth. The argument they put forward for Hyper-V is really simple:
You might argue that Hyper-V isn't as good as the other stuff you can buy, and that's OK with me as long as you can prove that, for the scenario you have in mind, you are getting what you are paying for, be that performance, security, manageability etc.
As far as performance goes I think that getting an application like SQL Server or Exchange to run in a virtual machine at about 90% of the speed of the physical server the virtual machine runs on is an acceptable loss and is competitive with other hypervisors. You’ll want to test this yourself, but remember to compare like with like for example your compute, network and storage setting should be the same.
You might wonder whether Hyper-V is secure. Anecdotal evidence suggests that it is as secure as anything else, because if it wasn't you'd be able to reply to this post with the evidence from a competitor's website or blog. For best practice on securing Hyper-V, please refer to this earlier post of mine.
However, in the manageability space Hyper-V by itself runs out of road once you end up with more than X virtual machines, where X will depend on your infrastructure, the size of the IT team etc.; but if you have more than a hundred virtual machines, you'll need to be very well organised or use additional software. Microsoft has a suite of tools called System Center (currently System Center 2012), and this also has a Datacenter edition, licensed per physical server, allowing you to manage however many virtual machines you have on there. More importantly, it's designed to manage your applications: by this I mean deploying them, monitoring them, etc., rather than just looking at the health of the virtual machine they are running in.
I don’t see this lack of manageability as a problem for smaller businesses as many of them don’t have that many virtual machines and your organisation might well be OK just using Hyper-V and the tools that Dell provide with their servers and EqualLogic SANs.
Many things change with Windows Server 2012, and while the big headlines have been about massive improvements in scale for the next version of Hyper-V, that's not really relevant for the smaller business. Rather, it is things like multi-server management, with specific tools in the new Server Manager to monitor, and even update, servers in a group. PowerShell 3 has extensive support for managing all aspects of your servers from one place.
That's not to say there's nothing in Hyper-V for smaller businesses, and my top 3 would be:
So before you pay out for tools for virtualisation or management, see what you get included in Windows Server, and whether the return you get from additional software be that a different hypervisor or management tools is justified in your business with your IT team.
Finally, the release of Windows Server 2012 is at the end of August, so if you are planning a server procurement now you may well find it is shipped with it. To be ready for that, rather than just downgrading to an earlier version, have a look at the Windows Server 2012 content on the Microsoft Virtual Academy and/or download the Release Candidate.
Chris Testa-O'Neill is a Senior Consultant for Coeo Ltd, a leading provider of SQL Server Managed Support and Consulting in the UK and Europe. He is a Microsoft Most Valuable Professional (MVP) for SQL Server, sole author of the MCTS SQL Server 2008 Microsoft E-Learning courses and technical reviewer for the SQL Server 2012 BI Official Microsoft courses for Microsoft Learning. He is heavily involved with the SQL Server community as a speaker and an organiser of SQLBits, a Regional Mentor for SQLPASS, and he runs his own user group in Manchester, UK. As well as being certified as a SQL Server MCDBA, MCTS and MCITP in all tracks, Chris is also a Microsoft Certified Trainer and a Microsoft Certified Systems Engineer in Windows 2000 and Windows 2003. In his spare time Chris loves playing in a band as a guitarist/lead vocalist. You can contact Chris at firstname.lastname@example.org or on Twitter as @ctesta_oneill.
Part III of a highly available business intelligence environment deals with the important consideration of configuring authentication mechanisms within the infrastructure.
Detailed information can be found in the Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products white paper. This article deals with the key concepts and considerations that need to take place when planning authentication, delegation and impersonation.
Authentication is the process of verifying the identity of a user on a network.
Three forms of authentication can be configured when building a SharePoint farm which supports a SQL Server 2012 highly available BI environment: Kerberos, NTLM and Claims Based authentication. PowerPivot for SharePoint at the moment does not support Claims Based authentication, so for brevity this authentication method is not explored.
The differences between Kerberos and NTLM are analogous to a scenario such as visiting a theme park like Blackpool Pleasure beach or Disneyworld.
NTLM (NT Lan Manager)
When I was a young lad, my parents would take me for a day trip to Blackpool Pleasure Beach. In those days, you were free to walk around the theme park. If you wanted to go on a ride, you were challenged. Meet the height requirement for the ride, pay your cash and you were allowed to enjoy what the ride had to offer. Once completed, you could then go to another ride where once again you were given the same challenge. Meet the height requirement and pay your cash. If you could not meet this challenge you were unable to get on the ride.
This is similar with NTLM authentication, except the challenge is to provide a correct user name and password to gain access to a network resource. The process of repeating authentication challenges can be cumbersome to users. This is where Kerberos can help.
Kerberos is an authentication protocol that is designed to provide a single sign-on environment to reduce the repetitive nature of NTLM authentication.
Today, Blackpool Pleasure Beach is enclosed within a security fence. As a result, when you go to a theme park such as Blackpool Pleasure Beach or Disneyworld, the authentication takes place at the entrance of the theme park, or the ticket booth. It is here where you are challenged. Pay your cash and the ticket booth operator will provide you with a ticket (or wristband) that is valid for the day. Adults will receive a different ticket to children.
The result of receiving the ticket means that should you wish to go on a ride, then all you have to do is show your ticket at the entrance of the ride. The ride is programmed to accept the correct tickets and reject tickets that are not valid.
Kerberos works in a similar way. You authenticate against a Domain Controller (ticket booth) in a domain (Blackpool Pleasure Beach/Disneyworld), which will issue you a session ticket (ticket) should you meet the challenge (username and password). Once you have this ticket, you will present it to network resources such as SQL Server or a File Server (a ride). If you are in the list on the resource then you will get access.
*Note I am ignoring resource permissions here as that is a separate topic known as authorisation.
Kerberos provides convenience in that you only have to authenticate once, the session ticket that you are presented with contains information that will be presented to the resource when you access it and is valid for 8 hours. And Kerberos provides additional capabilities that are very important when setting up a highly available BI environment:
Delegation
Kerberos delegation is the process of giving an Active Directory account permissions to perform a task. An example could be the ability to impersonate another user account.
Kerberos impersonation is the process of one account impersonating the credential of another account. Delegation of this permission must be done first for impersonation to work.
So back at Blackpool Pleasure Beach, my entire family have got their tickets and are enjoying the rides. When it comes towards lunch time we need to get cash out of the cash machine to pay for lunch. What normally happens is that while I take my kids on another ride, I will give my wife my cash card. This very act is delegation, as I am giving my wife permission to be me when she goes to the cash machine on my behalf. When she gets to the cash machine, she types in the four-digit PIN code to access my account. The very act of her typing in the PIN code is impersonation, as she is impersonating my credentials.
So how does this apply to a highly available BI environment?
Let’s remind ourselves of the environment we discussed in the second part of this series of blog posts
This software and hardware is collectively used together to create the following environment.
Should a user want to access a PowerPivot, Report Builder or Power View report that uses one of the back-end source databases shown at the bottom of the diagram, Kerberos, delegation and impersonation will be required if you must retain the identity of the user who originally made the request for the report. Maintaining the user's credentials over two or more connections is referred to as a double hop, and it creates a requirement to delegate the right to authenticate as a given user's identity. Kerberos works with this scenario because a user authenticates using their password only once, when they log on to the domain; after that it is the session ticket that is used to authenticate. As a result we have the ability to delegate control of a user's, or even a workstation's, session tickets.
Therefore, should a user connect to an application such as PowerPivot, Report Builder or Power View that accesses data in a back-end database, by default the connection will be made using the service account of the application. If there is a need to audit access against the back-end database, it will record the fact that the service account accessed the back end, not the user who made the request for the report.
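The audit problem just described can be checked from the database side rather than inferred. The following PowerShell is an added example, not from the original post: run by a DBA against the back-end SQL Server, it lists every user session with the login the server actually authenticated and the scheme it negotiated, then flags the two failure modes, a session that arrives as the middle-tier service account (the user's identity was not carried over the second hop) and a session negotiated with NTLM (no usable SPN, so Kerberos was never used). It assumes the .NET SqlClient provider and VIEW SERVER STATE on the back end; the server and service account names are placeholders.

```powershell
# Added example, not part of the original post. Server and account names are constructed.
Add-Type -AssemblyName System.Data

function Get-BackendSession {
    param([string]$Server = 'CoeoSQL.Coeo.Local')   # placeholder back-end instance
    $cs   = "Server=$Server;Integrated Security=SSPI;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # auth_scheme is KERBEROS, NTLM or SQL; login_name is the identity the server sees.
        $cmd.CommandText = @'
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
'@
        $r = $cmd.ExecuteReader()
        while ($r.Read()) {
            [pscustomobject]@{
                SessionId  = $r['session_id']
                Login      = $r['login_name']
                ClientHost = $r['host_name']
                Program    = $r['program_name']
                AuthScheme = $r['auth_scheme']
            }
        }
    } finally { $conn.Close() }
}

function Test-DoubleHop {
    param(
        [Parameter(ValueFromPipeline)] $Session,
        # Constructed list of the middle-tier service accounts whose identity should NOT
        # be what the back end sees once delegation is working.
        [string[]]$ServiceAccounts = @('COEO\RSService', 'COEO\PowerPivotService')
    )
    process {
        $issue = $null
        if ($ServiceAccounts -contains $Session.Login) {
            $issue = 'Service account identity: the user was not delegated across the second hop'
        } elseif ($Session.AuthScheme -ne 'KERBEROS') {
            $issue = "Authenticated with $($Session.AuthScheme): check the SPNs for this service"
        }
        $Session | Add-Member -NotePropertyName Issue -NotePropertyValue $issue -PassThru
    }
}

Get-BackendSession | Test-DoubleHop |
    Format-Table SessionId, Login, ClientHost, Program, AuthScheme, Issue -AutoSize
```

Sessions with an empty Issue column are the ones arriving as the requesting user over Kerberos, which is what an audit against the back end should record. The DBA's own session appears in the list too; it is a single hop, so it will normally show the DBA's login over Kerberos or NTLM.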
In order to retain the identity of the user who originally made the request for the report, we have to perform a number of tasks:
Exposing Applications as Active Directory objects
When a computer is joined to an Active Directory domain, this process will create an object within Active Directory automatically. When a person joins a company, an account will be manually created in Active Directory to provide a logical representation of the individual as a user object. The purpose of doing this is so that these objects can be secured within the organisation’s domain.
Like user accounts, applications are not necessarily registered within Active Directory automatically. As a result, we must manually register an application within Active Directory. This is done using the setspn command line tool. SPN is a service principal name and is the name by which a Kerberos client uniquely identifies an instance of an application for a given target computer. There are many ways that SetSPN can be used. However, in the context of exposing SQL Server 2012 BI applications in Active Directory, the following syntax is used:
Setspn -S <service class>/<host>:<port> <service account name>
<service class> denotes the name of the service or application. If it is SQL Server then the <service class> is MSSQLSvc; Analysis Services is MSOLAPSvc.3 and Reporting Services would be HTTP.
<host> is the fully qualified domain name or NetBIOS name on which the application is running. The recommended practice is that each application should have two entries: one for the fully qualified domain name and one for the NetBIOS name.
<port> is optional and is used to define the port on which the service is running. This should be used when multiple instances of an application are running.
<service account name> is the service account that is defined for the application.
As a result, if there is a default SQL Server instance running on a computer named CoeoSQL.Coeo.Local under the service account Coeo\SQLService, two SPNs would be registered as follows.
For the fully qualified domain name it would be:
Setspn -S MSSQLSvc/CoeoSQL.Coeo.Local:1433 Coeo\SQLService
For the NetBIOS name it would be:
Setspn -S MSSQLSvc/CoeoSQL:1433 Coeo\SQLService
If it was a default Reporting Services instance on the same computer using the service account Coeo\RSService it would be:
Setspn -S HTTP/CoeoSQL.Coeo.Local Coeo\RSService
Setspn -S HTTP/CoeoSQL Coeo\RSService
These will register service principal names within Active Directory that can then be delegated. (The HTTP entries carry no port because Reporting Services here listens on the default HTTP port; a port suffix is only needed when the service runs on a non-default port.) As a result, start to draft up a list of applications, their fully qualified domain names and their associated service accounts for any applications that will be subject to the double hop issue.
Using Delegation to setup impersonation
The act of creating SPNs will enable a new tab in the user account properties in Active Directory named Delegation. It is here that you will be able to set up delegation so that credentials can be forwarded from one service to another. However, make sure in the user account properties, on the Account tab, that the option "Account is sensitive and cannot be delegated" is not selected, as this means delegation cannot be set up. Within the Delegation tab, the check box "Trust this user for delegation to the specified service only" must be selected. This is known as constrained delegation. Once selected, choose "Use Kerberos only" and click Add to add the service to which the account can delegate, as shown in the following graphic.
Setting up SPNs and delegation will need to be done for all applications that will be subject to the double hop issue that was outlined earlier.
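Both steps above, registering the two SPNs per application from the drafted list and then confirming the service account's Account and Delegation tab settings, can be driven from PowerShell. This is an added example, not code from the original post: it assumes setspn.exe and the ActiveDirectory module (RSAT) are on the machine and that it runs with rights to write SPNs; the hosts, ports and service accounts in the list are constructed.

```powershell
# Added example, not part of the original post. Hosts and accounts are constructed.

# The drafted list the post asks for: class, host, port (0 = none) and service account.
$Applications = @(
    @{ Class = 'MSSQLSvc';    HostName = 'CoeoSQL.Coeo.Local';  Port = 1433; Account = 'Coeo\SQLService'  }
    @{ Class = 'MSOLAPSvc.3'; HostName = 'CoeoSSAS.Coeo.Local'; Port = 0;    Account = 'Coeo\SSASService' }
    @{ Class = 'HTTP';        HostName = 'CoeoRS.Coeo.Local';   Port = 0;    Account = 'Coeo\RSService'   }
)

function Get-ServiceSpn {
    # Builds the two SPNs the post recommends: one on the FQDN, one on the NetBIOS name.
    param([string]$Class, [string]$HostName, [int]$Port = 0)
    $netbios = $HostName.Split('.')[0]
    $suffix  = if ($Port -gt 0) { ":$Port" } else { '' }
    "$Class/$HostName$suffix"
    "$Class/$netbios$suffix"
}

function Register-ServiceSpn {
    param([hashtable]$App, [switch]$DryRun)
    foreach ($spn in Get-ServiceSpn -Class $App.Class -HostName $App.HostName -Port $App.Port) {
        if ($DryRun) { "setspn -S $spn $($App.Account)"; continue }
        # setspn -S checks the forest for the same SPN before adding it. The same SPN on
        # two accounts breaks Kerberos for that service (the KDC cannot pick a key), so a
        # refusal here is something to investigate, not to force with -A.
        $out = & setspn.exe -S $spn $App.Account 2>&1
        if (($out -join "`n") -match 'Duplicate SPN') {
            Write-Warning "$spn is already registered on another account; not added.`n$($out -join "`n")"
        } else {
            Write-Output "Registered $spn -> $($App.Account)"
        }
    }
}

function Test-DelegationReady {
    # Reads the attributes behind the Account and Delegation tabs for one service account.
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    $u = Get-ADUser -Identity $sam -Properties AccountNotDelegated, 'msDS-AllowedToDelegateTo',
                                               TrustedToAuthForDelegation, ServicePrincipalNames
    [pscustomobject]@{
        Account               = $sam
        SensitiveNotDelegated = [bool]$u.AccountNotDelegated          # must be $false for delegation to work
        ConstrainedTargets    = @($u.'msDS-AllowedToDelegateTo')       # the services added on the Delegation tab
        KerberosOnly          = -not $u.TrustedToAuthForDelegation     # $true = "Use Kerberos only" (no protocol transition)
        Spns                  = @($u.ServicePrincipalNames)
    }
}

# Dry run first (prints the setspn commands); drop -DryRun to register for real.
foreach ($app in $Applications) { Register-ServiceSpn -App $app -DryRun }

# Then confirm each service account is in a state that allows constrained delegation.
$Applications | ForEach-Object { $_.Account } | Sort-Object -Unique |
    ForEach-Object { Test-DelegationReady -Account $_ } | Format-List
```

An account is ready when SensitiveNotDelegated is False, ConstrainedTargets lists the back-end SPNs (for example the MSSQLSvc entries) and KerberosOnly is True; an empty ConstrainedTargets means the Delegation tab has not been completed for that account.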
So now we have an understanding of the key concepts of authentication, delegation and impersonation, and of the impact of these concepts on a SQL Server 2012 highly available environment. The key considerations when dealing with this setup are provided by the best advice I received from Adam Saxton (Twitter | Blog), Senior Escalation Engineer at Microsoft CSS. He states that when undertaking this activity, you should come up with a checklist:
Once you have answered these questions you will be able to set up the right SPNs and Delegation to ensure that a user’s credential is passed through to back end data sources.
Disclaimer: You should not hand over your cash card as it will compromise your security. And no children or partners were harmed in the making of this blog :)
Some additional useful resources:
Steve Plank our resident Windows Azure guru has been getting creative and has just released this video showing the new elements of Virtual Machine Manager included in the June update for Windows Azure.
You can find out even more about using Windows Azure virtual machines and the IaaS architecture in this “Introduction to Windows Azure” article.
Try out Windows Azure free for 90 days now!
In case you weren’t following yesterday’s Worldwide Partner Conference announcements over in Toronto yesterday here’s what was announced.
Windows 8 and Windows Server 2012 will be released to manufacturing (RTM) during the first week of August. This will be made available to hardware partners at this time. General availability (GA) will be by the end of October.
If you would like more information on this please take a look on the Windows Team Blog where they share the announcement.
Need to find out more about Windows Server 2012? You can read all about it here.
Need Windows Server 2012 RC Resources? You can get all you need from here.
Need Help? Windows Server 2012 RC Forum is here, or prefer Social Media? Join Windows Server Facebook Group here.
Need to learn more about Windows Server 2012? You can register for the free MVA (Microsoft Virtual Academy) here for online learning courses.
* Did you know that you can try Windows Server 2012 on Windows 8 via Virtualization? Windows 8 now comes with Hyper-V, which originally came with Windows Server 2008 (reference). However, Windows 8 now uses the same new and latest Hyper-V 3.0 that’s found on Windows Server 2012. The latest version of Windows 8 is RP (Release Preview = RC), but even the earlier version, Windows 8 CP (Consumer Preview = Beta), also came with Hyper-V version 3.0. Need more information about Hyper-V on Windows 8? You can find it here. You can get Windows 8 RP ISO (x86 or x64) from here.
Need Help? Windows 8 Forum is here.
As you know, System Center 2012 has been available for a few months now. As always, Microsoft partners are crucial to the success of our solutions, and Veeam Software is one of those important partners.
Veeam is an ISV specialising in virtualization management and backup. In particular, Veeam Management Pack (MP) enables SCOM users to monitor their VMware hardware infrastructure directly from System Center.
If System Center is your management platform of choice, then you’ll be able to monitor ALL your infrastructures (physical and virtual – Hyper-V and VMware) and manage your alerts from a single tool, with no need to multiply your management systems. You’ll make one more step toward ending the complexity of heterogeneous environments. As part of the System Center 2012 Launch, Veeam now offers 10 free perpetual licenses of the Veeam Management Pack to any System Center 2012 customer.
Got System Center? Got VMware? Just ask for your free Veeam MP licenses now and link them together!
For more information, please visit: http://www.veeam.com/sc2012. If you have any questions, please speak to Nicolas Savides (email@example.com) and Julie Caulfield (firstname.lastname@example.org).
By working remotely just a few times each week you save money, time and carbon emissions. Find out how much you and your company could be saving right now with this interesting infographic: http://www.anywhereworking.org/FutureWorldofWorking/
If that's not enough, easy-to-use collaboration comes of age with tools such as instant messaging and video conferencing using services such as Lync.
"…with presence and instant messaging, we were making decisions faster from the beginning." The Wise Group.
Employees get a single, user-friendly interface with easy access to common functions such as dial pad, visual voicemail, contact list and active conversations. Simply, it gives users powerful communications options across PC, phone and web browser. Discover what Microsoft Lync can do for you and your business as part of our free Office 365 trial
Still not convinced? Take a look at these interesting and insightful case studies showing how costs have been saved in well known organisations such as COSLA and BAA Heathrow.
The last time I tried to write a program was when I was at university using a program called Delphi. I knew back then that I wasn’t going to set the world on fire with my jqueries and there was nothing rapid about my application development. My peers in our software development team tell me that technology has moved on since then and the whole process is much faster. They are working with people wanting to develop applications for Windows 8 and you could be one of them.
The team has set up a series of camps to help individuals develop their first Windows 8 app. The Windows 8 Camps have been designed to show you how to build a Windows 8 app. You can tailor the day to make it as personally productive and rewarding as possible: you can work on your own projects with assistance from Windows 8 experts, network with others and also have the option of attending short tutorial sessions on Windows 8 related topics.
Win 8 Agenda:
Welcome & Explanation of the Day’s Format
Windows 8 Overview – UX, Store & Opportunity
Hands On Labs
(.NET and HJC)
App Migrating and UX Reviews
Windows 8 App Features 1
Windows 8 App Features 2
For the committed only to continue their labs/migrating.
These events are hands-on and flexible so you can tailor the day to suit what you need, from working on your own project with assistance from our Windows 8 experts to networking with others and attending short tutorial sessions. Our tutorial sessions will include topics such as 'Basics of the OS and interaction with the OS' and 'Metro style UX'.
Find out more and book your place:
Thursday 19th July, London: Windows 8 DevCamp
Friday 20th July, London: Windows 8 DevCamp
Saturday 21st July, London: Windows 8 DevCamp
Tuesday 24th July, London: Windows 8 DevCamp
Wednesday 25th July, London: Windows 8 DevCamp
Thursday 26th July, London: Windows 8 DevCamp
To help get a head start before attending these events, why not try out the Windows 8 Release Candidate for free now and get the tools onto your machine to start writing Windows 8 applications here. These are also free!
Having had a week at TechEd Europe it is no surprise that last week was a busy one full of exciting new content as well as the latest updates from the event.
There are lots of opportunities with the content above to learn, win and try things out. So why not try something new or get up to speed with the latest technologies.