Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

Article:HOWTO62460  |  Created: 2011-12-13  |  Updated: 2012-05-29  |  Article URL http://www.symantec.com/docs/HOWTO62460
Article Type
How To


Subject


Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

If you install Symantec Management Platform on a different server than the SQL Server Analysis and Reporting Services and the Authentication Type is set to Windows Integrated Authentication, users cannot access the reports to which you grant them access unless you configure Kerberos.

See About configuring the Reporting Services data sources to use Stored Credentials or Windows Integrated Authentication to access the Analysis Services cubes.

If Stored Credentials provides enough control over the reports, you can reconfigure the Reporting Services data sources to use Stored Credentials to access the Analysis Services cubes. Then, you do not need to configure Kerberos.

See Reconfiguring the Reporting Services data sources to access the Analysis Services cubes.

If you need the control that Windows Integrated Authentication provides over the information in the reports, you must configure Kerberos. Kerberos allows the user's credentials to pass from the Symantec Management Platform server to the SQL Server Analysis and Reporting Services server. Kerberos must be correctly configured on the following servers: Symantec Management Platform and the SQL Server Analysis and Reporting Services servers.

To configure Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

  1. From Active Directory, set the computer on which the Symantec Management Platform is hosted to Trust this computer for delegation to any server (Kerberos only).

    If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you also need to set that account to be trusted for delegation.  If the App Pool is using the Default value "ApplicationPoolIdentity" you may skip this step.

  2. Add the following Service Principal Names to the Symantec Management Platform:

    • Setspn - S http/netbiosName netbiosName

      For example, Setspn - S http/computer1 computer1

    • Setspn - S http/Fully Qualified Domain Name netbiosName

      For example, Setspn - S http/computer1.domain.com computer1

    If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you may need to set the Service Principal Names for that account instead of computer1.

    For example:

    Setspn - S http/computer1 domain\username

    Setspn - S http/computer1.domain.com domain\username

    For additional information on Setspn, see the Microsoft Technet Web site at the following URL:

    http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

  3. If you use SQL 2008, on the Reporting Services server edit the ReportServer.config file. Edit the config file so that RSWindowsNegotiate/ is listed at the top of the Authentication node.

    You can locate this file at SQL Server Install Directory\MSRS10.MSSQLSERVER\Reporting Services\ReportingServer

    The ReportServer.config file is installed on the box that hosts the Reporting Services. The config file is an XML file; use a program such as Notepad to edit the file.

    If you do not use SQL 2008, you do not need to edit the config file on the Reporting Services server.

  4. If SQL Reporting Services is running as a domain account, add the following Service Principal Names for the account that the SQL Reporting Services service is running as.

    • Setspn - S http/netbiosName domain\username

    • Setspn - S http/fqdn domain\username

    For additional information on Setspn, see the Microsoft | Technet Web site at the following URL:

    http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

    If SQL Reporting Services is not running as a domain account, you do not need to add the Service Principal Names.

  5. To make the changes take effect, restart all affected systems.


Legacy ID



v66756442_v66502529


Article URL http://www.symantec.com/docs/HOWTO62460


Terms of use for this information are found in Legal Notices