ProClarity and Kerberos Delegation

Microsoft ProClarity and Kerberos Delegation
Microsoft SharePoint BI Support
June 23, 2011
Applies to:
Microsoft ProClarity Analytics Server (PAS)
Microsoft ProClarity Dashboard Server (Dashboard)
SQL Server Analysis Services (SSAS)
Summary
This paper outlines the steps for solving the "double hop" problem and for configuring Integrated Windows
authentication when the web and data servers are separate machines. The goal is to allow the IIS
application pool service account of the Microsoft ProClarity Analytics Server (PAS) web server to delegate
the user's identity to SQL Server Analysis Services (SSAS), so that neither Basic authentication nor
co-locating the web and data servers on one machine is needed.
Contents
Summary
Introduction
Setup
  Prerequisites
Configuration Steps
  SQL Server Analysis Services Configuration
  Using a local computer account for the SSAS service
  Adding a SSAS SPN
  Internet Information Services Configuration
  Adding an IIS SPN
  Client Configuration
  Testing Your Configuration
Troubleshooting
Conclusion
Introduction
When PAS and SSAS are deployed on separate machines and you want to secure data per user without a
logon prompt, you must configure Kerberos delegation. The double-hop problem (one hop from the client
machine to the web server and a second hop from the web server to the data server) is an intentional
security restriction: by default a service that has authenticated a user cannot turn around and
authenticate to another service as that user.
Kerberos delegation is the Active Directory mechanism that lifts this restriction for specific accounts.
When the PAS web server's service account is trusted for delegation, it can obtain Kerberos service
tickets on the user's behalf, so the user's identity flows from the client, to the PAS web server, and on
to other resources including SSAS, which then sees the end user rather than the application pool account.
Note: These settings will affect PAS and the Dashboard servers and not the Desktop or Web
Professional clients. The Professional clients connect directly to SSAS to execute queries and do not
experience the double hop problem.
Setup
Prerequisites
• Review the section "Infrastructure Requirements" in Troubleshooting Kerberos Delegation.
Prior to these configuration steps, your environment should have the following prerequisites met. If any
of these items are not configured, delegation will not function correctly.
• Check your Active Directory forest and domain functional levels. They should be Windows 2000 native
  or higher (Windows Server 2003 or 2008); constrained delegation additionally requires a Windows
  Server 2003 or higher domain functional level.
• Kerberos delegation can function between trusted forests and domains. The resource forest or
  domain (PAS/Dashboard) must trust the user forest or domain. Windows 2000 Server does not
  support forest trusts.
• Review the following document: How to configure SQL Server 2005 Analysis Services to use Kerberos
  authentication.
Configuration Steps
SQL Server Analysis Services Configuration
NOTE: There are two common tools for editing SPN entries in Active Directory: AdsiEdit.msc and
setSPN.exe. SPNs must be registered by a domain administrator, or by an account that has been
delegated write permission to the servicePrincipalName attribute of the target account. More
information on SetSPN can be found here.
1. Add the client user’s account to the SSAS role for the cube data being queried by the PAS views. You
may test this user’s access with the Professional client.
Using a local computer account for the SSAS service
1. Check the SQL Server Analysis Services (MSSQLSERVER) service to find out what account is being
used to start the service.
If your SSAS service is running under a local computer account, such as LocalSystem, or was ever started
under that account, it is likely this account will already have SPN entries.
Note: You can use the tools mentioned above to check the current SPNs. For example, to list the SPNs of
the computer account of a server called MyDataServer (the account LocalSystem uses on the network):
    setspn -L MyDataServer
You will likely see SPN entries in the following form:
    MSOLAPSvc.3/MyDataServer
    MSOLAPSvc.3/MyDataServer.Company.com
If you only see the HOST service class, it CANNOT be used in place of MSOLAPSvc or MSOLAPSvc.3: the
Analysis Services client requests a ticket for MSOLAPSvc.3 by name, and HOST only stands in for a fixed
set of Windows services such as HTTP.
Adding a SSAS SPN
1. If you do not see the correct SPNs, add them. SetSPN examples:
    setspn -a MSOLAPSvc.3/MyDataServer MyDataServer
    setspn -a MSOLAPSvc.3/MyDataServer.Company.com MyDataServer
Note: Use MSOLAPSvc.3 for SSAS 2005 and later and MSOLAPSvc for Analysis Services 2000. The setspn.exe
shipped with Windows Server 2008 and later also accepts -S, which refuses to add an SPN that is already
registered on another account; a duplicate SPN breaks Kerberos for both accounts, so prefer -S where it
is available and check for duplicates with setspn -X.
2. If the SSAS service is using LocalSystem rather than a domain user account, and SSAS itself must pass
the user's identity on to a further server (for example a relational data source), set the data server's
computer account in Active Directory to be trusted for delegation. When SSAS is the last hop it only has
to accept the delegated ticket; delegation rights are not required for that, and granting them widens
the impact of a compromised data server, so grant them only when needed.
3. You must now restart the SSAS service.
Using a domain user account for the SSAS service
1. Check the SQL Server Analysis Services (MSSQLSERVER) service to find out what account is being
used to start the service.
2. List the SPNs registered on the service account:
    setspn -L <domainAccount>
3. If the MSOLAPSvc.3 SPNs are not listed on this domain user account, register them against that
account (not against the computer account). See Adding a SSAS SPN.
4. You must now restart the SSAS service, and you may have to force or wait for replication of the
change to the other domain controllers in the network.
Note: SQL Server 2005 Analysis Services and later can run as a named instance. For a named instance the
following SPN formats apply:
    MSOLAPSvc.3/serverHostName:instanceName
    MSOLAPSvc.3/serverHostName.Fully_Qualified_domainName:instanceName
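The SSAS steps above (find the service account, list its SPNs, add the missing MSOLAPSvc.3 entries, restart) as one PowerShell script. This is an added example, not code from the ProClarity paper. It assumes an elevated session on the data server, an account permitted to write servicePrincipalName, and the setspn.exe from Windows Server 2008 or later (for the duplicate-checking -S switch).

```powershell
# Added example, not from the ProClarity paper: check the SSAS service account
# and register any missing MSOLAPSvc.3 SPNs with setspn.exe (covers default and
# named instances). Assumptions: run elevated on the data server by an account
# allowed to write servicePrincipalName; setspn.exe from Windows Server 2008 or
# later, whose -S switch refuses to create a duplicate SPN.
param(
    [string]$InstanceName = ''   # '' = default instance (MSSQLSERVER)
)

# Service name: MSSQLServerOLAPService for the default instance, MSOLAP$<name> for a named one.
$serviceName = if ($InstanceName) { "MSOLAP`$$InstanceName" } else { 'MSSQLServerOLAPService' }
$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "SSAS service '$serviceName' is not installed on this host" }

# LocalSystem and Network Service authenticate on the network as the computer
# account, so their SPNs live on the computer object; a domain user owns its own.
$builtin = @('LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')
$account = if ($builtin -contains $svc.StartName) { $env:COMPUTERNAME } else { $svc.StartName }
Write-Host "SSAS runs as '$($svc.StartName)'; its SPNs belong to '$account'"

$shortName = $env:COMPUTERNAME
$fqdn      = [System.Net.Dns]::GetHostEntry($shortName).HostName
$suffix    = if ($InstanceName) { ":$InstanceName" } else { '' }
$expected  = @("MSOLAPSvc.3/$shortName$suffix", "MSOLAPSvc.3/$fqdn$suffix")

# setspn -L prints one SPN per line; only lines containing '/' are SPNs.
# HOST/ entries are deliberately not treated as a match: HOST never stands in for MSOLAPSvc.3.
$registered = setspn -L $account | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '/' }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Host "present: $spn"
        continue
    }
    Write-Host "adding:  $spn -> $account"
    setspn -S $spn $account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed for $spn (it already exists on another account, see setspn -X, or you lack permission)"
    }
}

Write-Host "Restart the '$serviceName' service so it uses the new SPNs, and allow time for AD replication."
```

Run it once for a default instance (no parameter) or with -InstanceName for a named one. The script refuses to register an SPN that is already held by another account, which is the failure mode the HOST/MSOLAPSvc distinction and the "duplicate SPN" troubleshooting step both turn on.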
Internet Information Services Configuration
1. Edit the PAS global.asa (located at \Inetpub\wwwroot\PAS by default) file on the web server.
Search for the property “pool.negotiateauthenticationmethod” and be sure it is set to “true”. Save
the file and close it.
Using a local computer account for the web service application pool
1. Verify which account is running the IIS application pool which contains the PAS application.
If the IIS application pool running the PAS application runs under a local built-in account, such as
NETWORK SERVICE, or was ever started under that account, the computer account will likely already have
SPN entries. These accounts authenticate on the network as the computer account, so list its SPNs:
    setspn -L MyWebServer
You will likely see SPN entries for the computer account in one or more of the following forms:
    HOST/<serverName>
    HOST/<serverName>.<domainName>
    HTTP/<serverName>
    HTTP/<serverName>.<domainName>
Note: For the computer account, the HOST service class covers HTTP. Explicit HTTP SPNs are only needed
when users reach the site under a name other than the computer's own (an alias), or when the application
pool runs as a domain user account, which has no HOST SPNs.
2. If there are no SPNs listed you must add them. See Adding an IIS SPN.
3. You must set the Active Directory web server computer account to be trusted for delegation if using
a local computer account.
4. The IIS service must be restarted.
[Figure: Configuring Web Server Active Directory Properties]
Using a domain user account for the web service application pool
1. Verify which account is running the IIS application pool which contains the PAS
application.
If your IIS web server application pool is running under a domain user account you will need
to verify that this account is trusted for delegation and configure SPNs.
2. Verify that HTTP SPNs have been registered on this account:
    HTTP/<serverName>
    HTTP/<serverName>.<domainName>
3. If there are no SPNs listed you must add them.
Adding an IIS SPN
Register the HTTP SPNs on the account the application pool runs as: the web server's computer account
when the pool uses NETWORK SERVICE or LocalSystem, or the domain user account when the pool uses one.
Use the web server's own name (not the data server's) and every DNS name users will browse to, and
replace <account> with MyWebServer for the computer account or DOMAIN\user for a domain account:
    setspn -a HTTP/MyWebServer <account>
    setspn -a HTTP/MyWebServer.Company.com <account>
4. Configure the PAS virtual directory in IIS to use Integrated Windows Authentication. Basic
authentication can additionally be selected and is recommended in most PAS and Dashboard
configurations, but Basic sends the user's password to the web server in cleartext, so enable it only on
a site protected by SSL/TLS.
5. The web server IIS service must be restarted and then clear the PAS cache.
Notes: If your web server has an alias, such as a CNAME record in DNS, you must register this alias as a
SPN on your computer or service account.
If the IIS web server application pool is using a domain user account, you do not need to set the web
server computer account to be trusted for delegation.
Note: Windows Server 2008 (IIS 7) performs Windows authentication in kernel mode by default to improve
performance, and the kernel decrypts Kerberos service tickets with the computer account's key. If the
PAS application pool runs as a domain service account and the HTTP SPNs are registered on that account,
the kernel cannot decrypt the tickets: users are prompted for credentials and cannot authenticate. The
fix is to set useAppPoolCredentials to True on the PAS virtual directory while leaving useKernelMode at
True, so that IIS decrypts with the pool account's key. Alternatively, you can disable kernel mode
authentication, or run the PAS application pool as LocalSystem (see the updated documentation in the
PAS 6.3.2217.x SP2 release); neither is recommended, and LocalSystem in particular gives the web
application far more local privilege than it needs.
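The web-server side of the procedure (HTTP SPNs on the pool identity, including a DNS alias, the duplicate check, and the IIS 7 useAppPoolCredentials setting) as one PowerShell script. This is an added example, not code from the ProClarity paper or from PAS. The names are placeholders: pool identity COMPANY\svc_pas, alias bi.company.com, PAS at 'Default Web Site/PAS'; it assumes an elevated session on a Windows Server 2008 web server and the setspn.exe that ships with it.

```powershell
# Added example, not from the ProClarity paper: register the HTTP SPNs for a PAS
# application pool running as a domain user account, including a DNS alias, and
# configure IIS 7 on Windows Server 2008 so that account can decrypt the tickets
# without turning kernel-mode authentication off.
# Placeholder names: pool identity COMPANY\svc_pas, alias bi.company.com,
# PAS at 'Default Web Site/PAS'. Run elevated on the web server.
$poolAccount = 'COMPANY\svc_pas'
$sitePath    = 'Default Web Site/PAS'
$hostNames   = @(
    $env:COMPUTERNAME,
    [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    'bi.company.com'    # every name typed into the browser needs its own HTTP/ SPN
)

# A domain account has no HOST/ SPNs, so each name needs an explicit HTTP/ entry.
# -S (setspn from Windows Server 2008 or later) refuses to create a duplicate.
foreach ($name in $hostNames) {
    setspn -S "HTTP/$name" $poolAccount
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "HTTP/$name was not added; it may already exist on another account"
    }
}

# Duplicate SPNs anywhere in the forest break Kerberos for every account involved.
setspn -X

# IIS 7 kernel-mode authentication decrypts tickets with the computer account's key.
# The SPNs belong to the pool account, so tell IIS to use the pool's credentials
# instead; kernel mode stays on.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$section = '-section:system.webServer/security/authentication/windowsAuthentication'
& $appcmd set config $sitePath $section '/enabled:true' '/useKernelMode:true' '/useAppPoolCredentials:true' '/commit:apphost'
& $appcmd list config $sitePath $section    # verify the three values took effect

iisreset
# Then clear the PAS cache before testing from a client machine.
```

If setspn -X reports the HTTP SPN on a second account (for instance the computer account from an earlier NETWORK SERVICE configuration), remove it there with setspn -D before retesting; the KDC cannot issue a usable ticket while two accounts claim the same name.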
Client Configuration
User Accounts
1. User accounts by default should not need additional configuration. You may want to verify that the
"Account is sensitive and cannot be delegated" box is NOT checked in the Active Directory account
properties; if it is checked, the KDC will refuse to issue forwardable tickets for that user regardless
of how the servers are configured.
2. Have the users log out and back in to their client machine after changing any properties and before
running Kerberos Delegation tests. This will clear cached Kerberos tickets. You may also use the
Kerbtray utility to clear Kerberos tickets without logging out and back in.
Client Computers
1. From the client machine (browser) make sure Internet Explorer is set to use Integrated
Authentication as shown in Figure 1.7. Also, verify that Internet Explorer is set to bypass proxy
services for local addresses. Finally, add the PAS web site to the Trusted Sites zone.
2. Have the end user log off and log on or use kerbtray.exe to clear cached security tickets.
[Figure: Checking Client Browser Properties]
Testing Your Configuration
Once you have completed these steps, ensure your SSAS security is set correctly, and test the delegation
by attempting to access a data view in the Microsoft ProClarity Web Standard client from a client
machine. Do not test from web server or data server as this would only be a single hop test.
If you see an error in the Web Standard client to the effect of “The page could not be opened because
the cube could not be found”, please continue reading the following troubleshooting section.
Troubleshooting
Confirm a Kerberos Delegation Issue
It is important to first be sure that Kerberos delegation failure is indeed the cause of the error you are
receiving in the Microsoft ProClarity Web Standard client. Many of the other possible causes of this
error can be eliminated from consideration using the following steps:
1. Restart all machines involved in the Kerberos Delegation setup. This will force services to be
restarted, which is required after SPN changes, and Kerberos ticket caches to be cleared.
2. Attempt to access the PAS view by using a browser on the PAS server itself. This will eliminate one
of the credential hops and you should be able to see the data. If you can see the data from the
server but not the client, then the problem may be with your Kerberos delegation implementation
and please continue troubleshooting. If you cannot see data, Kerberos delegation may not be the
issue.
3. Check the Event Viewer Security logs on the web and data servers. The logs will report successes
and failures and can identify if Kerberos or NTLM is being used.
4. Clear the PAS cache to be sure you are making a data request to the cube and not pulling from the
cache on the web server.
5. Check that your cube security is set correctly and that your test user is a member of a role that has
access to the cube. To rule out cube security as the cause, you may temporarily add the test user to
the server Administrator role; remove that membership as soon as the test is done.
6. Check that the web server can communicate with the data server and that the required firewall ports
are open (the SSAS default instance listens on TCP 2383, and Kerberos requires both servers to reach a
domain controller on TCP/UDP 88). Temporarily disabling a firewall can rule it out as a cause, but do so
only in a test environment and re-enable it afterwards. If there are firewalls between the client, web
server and data server, be sure that they have the correct ports open.
7. Set the PAS virtual directory to Basic authentication only. With Basic the web server receives the
user's password and can log the user on locally, so no delegation to SSAS is needed; if this works and
Integrated authentication does not, the problem is in the delegation path. Because Basic exposes the
password, do this only over SSL/TLS and revert the setting when the test is done.
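Step 3 above says the Security logs show whether Kerberos or NTLM was used; this added PowerShell example (not from the ProClarity paper) summarises that from logon event 4624. It assumes Windows Server 2008 or later, an elevated session, and that logon auditing is enabled. Run it on the data server: with working delegation you see network logons for the end user with package Kerberos; with NTLM fallback you see the pool account or ANONYMOUS LOGON instead.

```powershell
# Added example, not from the ProClarity paper: summarise which authentication
# package the network logons in this server's Security log used, so you can see
# whether the web server reached SSAS as the end user over Kerberos or fell back
# to NTLM. Assumptions: Windows Server 2008 or later (event 4624), elevated
# session, logon auditing enabled.
param(
    [int]$Hours = 1,
    [string]$Account = '*'     # e.g. 'jsmith' to follow one test user
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The EventData fields are unambiguous in the event XML (the message text has
    # two 'Account Name' lines, one for the subject and one for the new logon).
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time    = $_.TimeCreated
        User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Type    = $data.LogonType                   # 3 = network logon, which PAS -> SSAS produces
        Package = $data.AuthenticationPackageName   # Kerberos or NTLM
        From    = $data.IpAddress                   # should be the PAS web server
    }
} |
Where-Object { $_.Type -eq '3' -and $_.User -like "*\$Account" } |
Group-Object Package, User |
Select-Object Count, Name |
Sort-Object Count -Descending
```

On the web server the same script shows what browsers presented: NTLM logons for your test user there mean the client never obtained an HTTP/ service ticket, so start with the SPNs and the Internet Explorer settings rather than with SSAS.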
Troubleshooting Kerberos authentication to SSAS service:
If you're confident that the problem appears only when attempting to use Kerberos delegation, there
are a few things to confirm.
1. Review the setup steps above to be sure your SPN entries are correct and that the data server, web
server and client machines have been properly configured for delegation.
2. You can check your SPNs and test for duplicates using a tool called DHCheck.
3. Another tool called DelegConfig is available from Brian Murphy-Booth’s website. This is an
excellent tool that creates a virtual directory and web page on the PAS web server and can help you
identify delegation problems.
4. Use the MDX Sample Application from Analysis Services 2000 on the web server to test a Kerberos
connection to Analysis Services. If the tool connects successfully when forced to use Kerberos, then
you likely have configured SPN entries for the SSAS service correctly. To test a Kerberos connection,
modify the “Provider” field when connecting to a server, as shown in this example:
[Figure: Testing Kerberos with the MDX Sample Application]
5. Review the section "Diagnosing delegation Problems: Four Checklists" in Microsoft's
Troubleshooting Kerberos Errors: http://download.microsoft.com/download/1/e/e/1ee86ce4-8234-4aa1-94f4-a37039837729/Troubleshooting_Kerberos_Delegation.DOC
Troubleshooting Kerberos on the web server:
Once you have confirmed that you are able to authenticate to the SSAS service using Kerberos, test the
Microsoft ProClarity Web Standard again from a client machine. If you continue to see the error that
the cube could not be found, there may be some additional configuration steps necessary on the web
server.
1. An IIS metabase entry specifying the authentication headers available for the web site needs to be
checked to ensure Kerberos is the default security protocol option. You may check this with any IIS
metabase browser, or from the IIS metabase xml file directly. Metabase Explorer from the IIS 6
Resource Kit may be the easiest to use.
For the IIS service where the PAS virtual directory is located (in this case the default website) be sure the
NTAuthenticationProviders property is set to “Negotiate,NTLM” click apply, and reset IIS.
[Figure: Web Service Properties via Metabase Explorer]
2. The Negotiate authentication header will use Kerberos in most cases (for exceptions please refer to
the following article: http://support.microsoft.com/kb/215383). Therefore, if the website
hosting PAS is configured to utilize the Negotiate header (as specified above), the authentication
protocol will generally be Kerberos without the need for further configuration. However, if
everything appears to be in place, but PAS will not authenticate to Analysis Services, it may be
necessary to force the authentication protocol to Kerberos on the OLE DB connection string. This
can be done by following these steps:
• Add a registry key called "Properties" under the existing Microsoft ProClarity Server key. The
  final path will look like this: HKLM\SOFTWARE\Microsoft ProClarity Corporation\Server\Properties
• Add a new string value: right-click the new Properties key and select New > String Value. Name the
  value SSPI (without quotes) and set its data to Kerberos (without quotes).
• Reset IIS.
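The two web-server fixes above (the NTAuthenticationProviders metabase property and the SSPI=Kerberos registry value) scripted for IIS 6 on Windows Server 2003. This is an added example, not code from the ProClarity paper; it assumes adsutil.vbs in its default location, PAS hosted in the Default Web Site (metabase path w3svc/1), and an elevated session.

```powershell
# Added example, not from the ProClarity paper: script the two web-server fixes
# from the troubleshooting steps for IIS 6 on Windows Server 2003. Assumptions:
# adsutil.vbs in its default location, PAS in the Default Web Site (metabase
# path w3svc/1), elevated session. If PAS runs as a 32-bit process on 64-bit
# Windows, registry redirection places the key under HKLM\SOFTWARE\Wow6432Node.
$adsutil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'

# 1. Make sure the site offers Negotiate (Kerberos) ahead of NTLM.
cscript //nologo $adsutil get w3svc/1/NTAuthenticationProviders      # current value, if set
cscript //nologo $adsutil set w3svc/1/NTAuthenticationProviders 'Negotiate,NTLM'

# 2. Force the PAS-to-SSAS OLE DB connection to Kerberos. Negotiate normally picks
#    Kerberos, but if it silently falls back to NTLM the second hop fails, because
#    an NTLM logon cannot be delegated.
$regPath = 'HKLM:\SOFTWARE\Microsoft ProClarity Corporation\Server\Properties'
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name 'SSPI' -Value 'Kerberos' -PropertyType String -Force | Out-Null
Get-ItemProperty -Path $regPath -Name 'SSPI'      # should show SSPI : Kerberos

iisreset
```

Forcing SSPI=Kerberos is a diagnostic as much as a fix: once set, a connection that previously "worked" via NTLM fallback fails outright, which makes a wrong or missing MSOLAPSvc.3 SPN on the data server visible immediately instead of as a cube-not-found error one hop later.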
Other Troubleshooting Tips
1. You may also turn on verbose logging to capture security traffic on your web server and data server.
http://support.microsoft.com/kb/262177
[Figure: LogLevel Setting in the Registry]
2. If you are using Constrained Delegation, temporarily disable the constraint and retest.
3. Are you using a split domain where machines can resolve with two different FQDNs? For example,
when you ping the same server from two different machines and it returns different FQDNs – such
as MyDataServer.Company.com as well as MyDataServer.AD.Company.com? If so, this may defeat
the SPNs needed for Kerberos delegation. Please see your network administrators and verify that
the DNS names being requested by Internet Explorer to the web server match the SPNs on the
server. Also be sure that the DNS names requested by the web server to the data server match the
SPNs registered on the data server.
4. Are you using a Pre-SP4 version of Windows 2000? Your account may be a member of too many
groups. See: http://support.microsoft.com/kb/327825
5. HTTP Error 400 Bad Header Request (Request Header too Long) in IIS6? See
http://support.microsoft.com/?id=820129 and http://support.microsoft.com/kb/837361
for more information.
6. Update all servers to the latest Windows Server 2003 Service Pack. Also, update SQL Server 2005 to
the latest Service Pack.
7. Troubleshooting with Network Monitor or Wireshark? Two easy ways to tell Kerberos from NTLM in an
HTTP capture: an Authorization: Negotiate header whose token starts with TlRMTVNT is NTLM (that is the
base64 encoding of "NTLMSSP"), while a token starting with YII is a GSS-API/SPNEGO token and normally
carries Kerberos; and a Kerberos client issues a TGS-REQ to a domain controller for the HTTP/ SPN just
before the request, which never happens with NTLM.
8. Analysis Services should be installed, preferably from a fresh install that has not been imaged. It is
also preferable that you use a machine that has not been renamed.
9. Kerberos delegation will not work over external trusts.
10. Kerberos delegation will work across a one-way trust – including between forests. The resource
domain (web and data servers) must trust the user domain.
11. Kerberos delegation will work with a disjointed domain namespace where the NETBIOS short name
does not match the Fully Qualified Domain Name (FQDN). For example, if your FQDN is
northamerica.contoso.com and your NETBIOS name is NA.
12. Use Network Monitor to capture a client's failed attempt to authenticate to PAS and see data. Filter
the traffic by "HTTP or KerberosV5" and you should see HTTP:Request and HTTP:Response for GET /pas. Find
the KerberosV5 TGS Request and Response and look at the Sname being requested. This is the exact SPN
that needs to be registered on the PAS IIS application pool service account. For example:
Sname: HTTP/ProClarityServer.northamerica.contoso.com.
Conclusion
The steps outlined above are sufficient in the majority of cases requiring Kerberos delegation. If you are
unable to configure Kerberos delegation successfully, please contact Microsoft ProClarity support at
1800Microsoft or http://support.microsoft.com/selectindex/?target=assistance.