Video Screencast Help

Enabling Kerberos for Authentication in IT Analytics 7.1

Created: 24 Sep 2012 • Updated: 19 Sep 2013
Language Translations
dprager's picture
+18 18 Votes
Login to vote

Understanding IT Analytics 7.1 Architecture Scenarios

IT Analytics Solution 7.1 requires that the following components exist within the environment to run successfully: Symantec Management Platform, SQL Server Analysis Server and SQL Server Report Server.  Depending on the environmental restrictions and availability, these services may be hosted on one, two or three separate servers.  Whenever these components are hosted on more than one server Kerberos is required to authenticate the connection between servers as illustrated in the following diagrams:

 

In the configuration above, the Symantec Management Platform, Analysis Server and Report server are all located on the same computer.  Authentication is direct from the user’s computer to the server and uses their Windows logged in credentials to access cubes and reports.  As such, Kerberos is not required in this environment.

 

 

In the configuration above, where the Symantec Management Platform is on one computer and the Report Server and Analysis Server are on a separate computer, authentication becomes somewhat more complicated.  The Symantec Management Platform must pass credentials for the user over to the Report/Analysis server.  This can be achieved by one of two different ways:

  • Option 1 allows you to bypass enabling Kerberos by setting the Reporting Server’s Authentication Type to Stored Credentials.  Doing this will mean that all user requests to run IT Analytics reports will impersonate the user specified in the Stored Credentials and you will not be able to utilize any of the cube security features.  This is the best option if you are not concerned with restricting which cubes users can access or which data users can see inside of cubes.  See section Option 1 - Setting Reporting Server to use Stored Credentials below for details on configuring this option.
  • Option 2 allows you to use Windows Integrated Authentication.  You must configure Kerberos as described in section Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers below. 

 

In the above configuration the Symantec Management Platform, Report Server and Analysis Server are located on separate computers.  Authentication now becomes a three step process to view reports:

  1. The user authenticates to the Symantec Management Platform and requests a report.
  2. The Symantec Management Platform forwards credentials to the Report Server.
  3. Report Server forwards credentials to the Analysis server to fetch cube data.

You still have the option to use Stored Credentials as well as Kerberos to authenticate in this scenario.  Kerberos is required on both the Symantec Management Platform and on the Report Server when using Windows Integrated Authentication.  This can be achieved by one of two different ways:

  • Option 1 allows you to bypass enabling Kerberos by setting the Reporting Server’s Authentication Type to Stored Credentials.  Doing this will mean that all user requests to run IT Analytics reports will impersonate the user specified in the Stored Credentials and you will not be able to utilize any of the cube security features.  This is the best option if you are not concerned with restricting which cubes users can access or which data users can see inside of cubes.  See section Option 1 - Setting Reporting Server to use Stored Credentials below for details on configuring this option.
  • Option 2 allows you to use Windows Integrated Authentication.  You must configure Kerberos as described in sections Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers and Configuring Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection below.

 

Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services Servers

If you install Symantec Management Platform on a different server than the SQL Server Analysis and Reporting Services and the Authentication Type is set to Windows Integrated Authentication, users cannot access the reports to which you grant them access unless you configure Kerberos. If Stored Credentials provides enough control over the reports, you can reconfigure the Reporting Services data sources to use Stored Credentials to access the Analysis Services cubes. Then, you do not need to configure Kerberos. 

If you need the control that Windows Integrated Authentication provides over the information in the reports, you must configure Kerberos. Kerberos allows the user’s credentials to pass from the Symantec Management Platform server to the SQL Server Analysis and Reporting Services server. Kerberos must be correctly configured on the following servers:

  • Symantec Management Platform
  • SQL Server Analysis Services server
  • SQL Server Reporting Services server

 

To configure Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services Servers

Warning: It is important that a user with Domain Admin rights issue the SETSPN.EXE commands in the following process.  This command makes changes to both the computer account and the service account in Active Directory.  Failure to use Domain Admin credentials when issuing the command will result in a failed Kerberos installation.

  1. From Active Directory, set the computer on which the Symantec Management Platform is hosted to Trust this computer for delegation to any server (Kerberos only). If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you also need to set that account to be trusted for delegation.
  2. Add the following Service Principal Names to the Symantec Management Platform: If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you may need to set the Service Principal Names for that account instead of computer1. For example: Setspn - S http/computer1 domain\username Setspn - S http/computer1.domain.com domain\username For additional information on Setspn, see the Microsoft Technet Web site at the following URL: http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx.

Setspn - S http/netbiosName netbiosName For example, Setspn - S http/computer1 computer1

Setspn - S http/Fully Qualified Domain Name netbiosName For example, Setspn - S http/computer1.domain.com computer1 

  1. If you use SQL 2008, on the Reporting Services server edit the ReportServer.config file. Edit the config file so that RSWindowsNegotiate/ is listed at the top of the Authentication node. You can locate this file at SQL Server Install Directory\MSRS10.MSSQLSERVER\ReportingServer The ReportServer.config file is installed on the box that hosts the Reporting Services. The config file is an XML file; use a program such as Notepad to edit the file. If you do not use SQL 2008, you do not need to edit the config file on the Reporting Services server.
  2. If SQL Reporting Services is running as a domain account, add the following Service Principal Names for the account that the SQL Reporting Services service is running as. For additional information on Setspn, see the Microsoft | Technet Web site at the following URL: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx. If SQL Reporting Services is not running as a domain account, you do not need to add the Service Principal Names. 

Setspn - S http/netbiosName domain\username

Setspn - S http/fqdn domain\username

  1. To make the changes take effect, restart all affected systems.
  2. Make sure that all the following conditions are true for the Active Directory directory service settings:
  • The Account is sensitive and cannot be delegated setting is not enabled for user accounts that will be delegated.
  • The Account is trusted for delegation setting is enabled for the domain account of the middle tier that is connecting to Analysis Services. For example, if IIS is the middle tier and a domain account is used for the application pool, that application pool domain account must have the Account is trusted for delegation setting enabled.
  • The Account is trusted for delegation setting is enabled for the accounts of all services and COM+ components that are involved in the process.
  • The Trust computer for delegation setting is enabled for all the computers that are involved in the process.

Configuring Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection

Symantec recommends that the SQL Server Analysis Services and SQL Server Reporting Services instances that IT Analytics uses reside on the same host server. You can host these services on different servers in a highly distributed environment. However, when you host these services on different servers, additional configuration might be necessary to ensure that authentication is managed appropriately across all application tiers.

When SQL Server Analysis Services and SQL Server Reporting Services are hosted on different servers and the Authentication Type is set to Windows Integrated Authentication, an additional connection is required to pass the credentials of the user from the Reporting Server to the Analysis Server. To ensure that the user’s credentials are passed successfully, you must configure Kerberos. Without configuring Kerberos, the connection is attempted as an anonymous user, which fails authentication in a typical configuration. When authentication fails, users cannot access the reports to which you grant them access. Therefore, if you need the control that Windows Integrated Authentication provides over the information in the reports, you must configure Kerberos. 

If Stored Credentials provides enough control over the reports, you can reconfigure the Reporting Services data sources to use Stored Credentials to access the Analysis Services cubes. Then you do not need to configure Kerberos. 

 

To configure Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection

 
Warning: It is important that a user with Domain Admin rights issue the SETSPN.EXE commands in the following process.  This command makes changes to both the computer account and the service account in Active Directory.  Failure to use Domain Admin credentials when issuing the command will result in a failed Kerberos installation.
 
  1. Configure the Kerberos protocol for the SQL Server Reporting Services server to SQL Server Analysis Services server connection to allow credential delegation over multiple connections. For more information, see the Microsoft knowledge base article SQL Server 2008 Analysis Services and SQL Server 2005 Analysis Server to use Kerberos authentication at the following URL: http://support.microsoft.com/kb/917409 If Symantec Management Platform is installed on the same server as SQL Server Reporting Services, no additional configuration is required. If Symantec Management Platform is installed on a different server than SQL Server Reporting Services, go to step 1.
  2. Configure Kerberos so that the user’s credentials can pass from the Symantec Management Platform server to the SQL Server Reporting Services server.
  3. From Active Directory, set the computer on which the Symantec Management Platform is hosted to Trust this computer for delegation to any server (Kerberos only). If the Application Pool which Symantec Management Platform uses in IIS uses a domain account, you also need to set that account to be trusted for delegation.
  4. Add the following Service Principal Names to the Symantec Management Platform: If the Application Pool which Symantec Management Platform uses in IIS uses a domain account, you may need to set the Service Principal Names for that account instead of computer 1. For example, Setspn - S http/computer1 domain\username Setspn - S http/computer1.domain.com domain\username For additional information on Setspn see the Microsoft Technet Web site at the following URL: http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx.

Setspn -S http/netbiosName netbiosName For example, Setspn - S http/computer1 computer1

Setspn -S http/Fully Qualified Domain NamenetbiosName For example, Setspn - S http/computer1.domain.com computer1 

  1. If you use SQL 2008, on the Reporting Services server edit the ReportServer.config file. Edit the config file so that RSWindowsNegotiate/ is listed at the top of the Authentication node. You can locate this file at SQL Server Install Directory\MSRS10.MSSQLSERVER\ReportingServer The ReportServer.config file is installed on the server that hosts the Reporting Services. The config file is an XML file; use a program such as Notepad to edit the file. If you do not use SQL 2008, you do not need to edit the ReportServer.config file on the Reporting Services server.
  2. If SQL Reporting Services is running as a domain account, add the following Service Principal Names for the account that the SQL Reporting Services service is running as. For additional information on Setspn, see the Microsoft | Technet Web site at the following URL: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx If the SQL Reporting Services is not running as a domain account, you do not need to add the Service Principal Names. 

Setspn - S http/netbiosNamedomain\username