This article was accidentally deleted. This is a recreated and enhanced version.
This is the final installment of this Kerberos series. I’ve listed the various parts of the series below for easy reference. Initially, the idea of an SPN setup tool was introduced. The next segments walked through some of the setup needed for Active Directory, IIS, and IE. Part 5 covers the best troubleshooting tools available to help you resolve any issues with your setup.
What is missing now is an example. The picture below shows an example setup of a reporting infrastructure. Let’s review the SPN setup needed.
- SQL Database – ServerSQL.domain.com (relational database server; assumes a single server using the default port)
  - Domain\SQLService (SQL Server service account)
  - Domain\SSASService (Analysis Services service account)
- Reporting Services – ServerSSRS.domain.com
  - Domain\SSRSwebapp (IIS identity)
- ProClarity – ServerPAS.domain.com
  - Domain\PASwebapp (IIS identity)
- PerformancePoint and MOSS – ServerPPS.domain.com
  - Domain\PPSwebapp (IIS identity)
  - Domain\MOSS2007webapp (IIS identity; assumes only one main portal site is being configured)
A few things to note about the above SPNs:
- For programs that run as IIS sites (SharePoint, PerformancePoint, ProClarity, SSRS), the SPNs use the HTTP service class, for example HTTP/ServerSSRS.domain.com. This is true for HTTPS sites as well: the scheme is not part of the SPN, and by default Internet Explorer does not include a non-standard port in the SPN it requests either. The SPN is keyed on the host name the browser types in (server name, host header, or DNS alias), so two IIS sites on the same server that run under different identities (MOSS2007webapp and PPSwebapp on ServerPPS above) need distinct host names; otherwise both accounts would need HTTP/ServerPPS.domain.com and the SPN would be a duplicate.
- For relational data, the SPNs use MSSQLSvc, for example MSSQLSvc/ServerSQL.domain.com:1433 for a default instance on the default port (a named instance uses host:instancename).
- For OLAP data, the SPNs use MSOLAPSvc.3 (assumes SQL Server 2005 and higher), for example MSOLAPSvc.3/ServerSQL.domain.com.
- Register both the fully qualified and the short (NetBIOS) host form of each SPN, and register each SPN on exactly one account. A duplicate SPN breaks Kerberos for every account that carries it and the client silently falls back to NTLM, so check with setspn -X before you go any further.
Once the SPNs are set up and checked for duplicates, you must delegate. Delegation lets a service that has authenticated a user turn around and authenticate to a second service as that user. With constrained delegation the front-end service account may do this only for the specific back-end SPNs listed on its account (the msDS-AllowedToDelegateTo attribute, shown as “Trust this user for delegation to specified services only” on the account’s Delegation tab in Active Directory Users and Computers, a tab that only appears once the account has at least one SPN). Keep it on “Use Kerberos only”, and stay away from “Trust this user for delegation to any service” (unconstrained delegation), which hands the front end a forwardable copy of every connecting user’s ticket-granting ticket; a compromised web server would then be able to act as any of those users anywhere in the domain. The way that I think about this is to follow the data for the delegations needed.
For example, I would like the following to happen:
- View SSRS reports from within SharePoint
- View PerformancePoint dashboards from within SharePoint that contain both SSRS reports and ProClarity (cube) reports
- View PerformancePoint dashboards that contain both SSRS reports and ProClarity (cube) reports
What needs to be delegated (the Million Dollar Question)?
The simple way to think about delegation is to follow the data path. Start at the front end and follow the path to the database.
View SSRS reports from within SharePoint (cannot view ProClarity views for this part of the example)
- MOSS2007webapp delegates to SSRSwebapp (view SSRS reports in SharePoint)
- SSRSwebapp delegates to SSASService and SQLService (report data sources for cube and Relational data)
View PerformancePoint dashboards from within SharePoint that contain both SSRS reports and ProClarity (cube) reports
- MOSS2007webapp delegates to PASwebapp (view cube reports in SharePoint)
- PASwebapp delegates to SSASService (cube data source)
- MOSS2007webapp delegates to SSRSwebapp – already done above for SSRS reports from within SharePoint
- SSRSwebapp delegates to SSASService and SQLService – already done above for SSRS reports from within SharePoint
Note: You do not need to have MOSS2007webapp delegate to PPSwebapp because you have deployed the PerformancePoint dashboard to SharePoint. Basically, the dashboard is now running as MOSS2007webapp instead of PPSwebapp.
View PerformancePoint dashboards that contain both SSRS reports and ProClarity (cube) reports
- PPSwebapp delegates to PASwebapp (view cube reports in PerformancePoint)
- PASwebapp delegates to SSASService (cube data source) – already done above for SharePoint
- PPSwebapp delegates to SSRSwebapp (view SSRS reports in PerformancePoint)
- SSRSwebapp delegates to SSASService and SQLService – already done above for SharePoint
- You will not delegate the same thing twice. Some hops show up in more than one data path (i.e.: SSRSwebapp –> SSASService and SQLService is needed for both the SharePoint and the PerformancePoint scenarios), but a hop only has to be configured once, so build the list of delegations as a set before you touch the accounts.
- Many blogs and articles have stated that you must use the same application pool identity for PerformancePoint and SharePoint. This is not necessarily true. Mainly this is done because people don’t understand how to delegate and set up the proper security for SSRS, SSAS, etc. for multiple service accounts. Some older technologies may require this scenario to overcome various issues with browsers, ports, etc. Separate identities are also the better security posture: each account only carries the delegation targets its own data paths need, so compromising one site does not give an attacker the delegation rights of every other site.
What if you wanted to use a SharePoint list as the data source for a PerformancePoint report and view it from within PerformancePoint Preview site?
Hint: Follow the data path. Would PPSwebapp have to delegate to MOSS2007webapp?
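The SPN rules above and the “follow the data path” rule for delegation can be written down as a small planner. The following Python script is an added example, not the article’s tool or anything shipped by Microsoft. It uses the article’s host and account names and the default SQL Server port 1433 the article assumes; the host name pps.domain.com in FIXED_SERVICES is made up, to show the fix for the duplicate HTTP SPN that the article’s layout (MOSS2007webapp and PPSwebapp both on ServerPPS) would otherwise produce. The last data path is the closing question above, answered by the same rule. The script only computes the plan and prints the setspn and Set-ADUser commands as text; it does not touch Active Directory.

```python
"""Plan Kerberos SPNs and constrained-delegation targets for the article's
reporting infrastructure by following the data path.

Added example, not the article's tool. Host and account names are the
article's; 1433 is the default SQL Server port the article assumes.
Nothing here touches Active Directory; the output is a list of commands.
"""
from collections import defaultdict

# service -> (SPN service class, host name clients use, service account, port)
SERVICES = {
    "MOSS": ("HTTP",        "ServerPPS.domain.com",  "Domain\\MOSS2007webapp", None),
    "PPS":  ("HTTP",        "ServerPPS.domain.com",  "Domain\\PPSwebapp",      None),
    "PAS":  ("HTTP",        "ServerPAS.domain.com",  "Domain\\PASwebapp",      None),
    "SSRS": ("HTTP",        "ServerSSRS.domain.com", "Domain\\SSRSwebapp",     None),
    "SQL":  ("MSSQLSvc",    "ServerSQL.domain.com",  "Domain\\SQLService",     1433),
    "SSAS": ("MSOLAPSvc.3", "ServerSQL.domain.com",  "Domain\\SSASService",    None),
}

# MOSS2007webapp and PPSwebapp share ServerPPS, so both would claim
# HTTP/ServerPPS.domain.com. Giving the PerformancePoint site its own host
# name (host header or DNS alias) fixes that; "pps.domain.com" is a made-up
# value for this example.
FIXED_SERVICES = dict(SERVICES, PPS=("HTTP", "pps.domain.com", "Domain\\PPSwebapp", None))

# Each path starts at the front end the browser talks to and ends at the
# data source. The first three groups are the article's scenarios; the last
# path is the article's closing question (SharePoint list as a PPS source).
DATA_PATHS = [
    ["MOSS", "SSRS", "SQL"], ["MOSS", "SSRS", "SSAS"],                         # SSRS in SharePoint
    ["MOSS", "PAS", "SSAS"],                                                    # PPS dashboard in SharePoint
    ["PPS", "PAS", "SSAS"], ["PPS", "SSRS", "SQL"], ["PPS", "SSRS", "SSAS"],   # PPS preview site
    ["PPS", "MOSS"],                                                            # SharePoint list as source
]


def spns_for(service, services=SERVICES):
    """SPNs one service needs. Both the FQDN and the short host form are
    registered so either client name gets a ticket. The scheme is not part
    of the SPN: an HTTPS site still uses the HTTP service class."""
    cls, host, _account, port = services[service]
    suffix = f":{port}" if port else ""
    return [f"{cls}/{host}{suffix}", f"{cls}/{host.split('.')[0]}{suffix}"]


def spn_plan(services=SERVICES):
    """Return (account -> sorted SPNs, SPN -> accounts claiming it), the second
    map holding only SPNs claimed by more than one account. A duplicate SPN
    breaks Kerberos for every account involved and clients fall back to
    NTLM, so nothing may be applied while that map is non-empty."""
    by_account, owners = defaultdict(set), defaultdict(set)
    for service, (_cls, _host, account, _port) in services.items():
        for spn in spns_for(service, services):
            by_account[account].add(spn)
            owners[spn].add(account)
    duplicates = {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
    return {a: sorted(s) for a, s in by_account.items()}, duplicates


def delegation_plan(paths=DATA_PATHS, services=SERVICES):
    """Front-end account -> sorted SPNs it may delegate to (the value of
    msDS-AllowedToDelegateTo). Every hop of every path is one edge; the set
    collapses hops that several scenarios share, such as SSRSwebapp -> SQL."""
    allowed = defaultdict(set)
    for path in paths:
        for src, dst in zip(path, path[1:]):
            src_account, dst_account = services[src][2], services[dst][2]
            if src_account != dst_account:  # same identity never needs delegation
                allowed[src_account].update(spns_for(dst, services))
    return {a: sorted(s) for a, s in allowed.items()}


def render_powershell(services=SERVICES, paths=DATA_PATHS):
    """Commands an administrator would run (assumes the ActiveDirectory
    module). setspn -S refuses to add an SPN that already exists in the
    domain; Set-ADUser -Add fills msDS-AllowedToDelegateTo, which is
    constrained delegation with 'Use Kerberos only' (no protocol transition)."""
    spns, duplicates = spn_plan(services)
    if duplicates:
        raise ValueError(f"duplicate SPNs, give each identity its own host name: {duplicates}")

    def sam(account):  # 'Domain\\Name' -> 'Name'
        return account.split("\\", 1)[1]

    lines = [f"setspn -S {spn} {sam(account)}"
             for account, lst in sorted(spns.items()) for spn in lst]
    for account, targets in sorted(delegation_plan(paths, services).items()):
        quoted = ",".join(f"'{t}'" for t in targets)
        lines.append(f"Set-ADUser -Identity {sam(account)} "
                     f"-Add @{{'msDS-AllowedToDelegateTo'=@({quoted})}}")
    return lines


if __name__ == "__main__":
    _, found = spn_plan()
    print("Duplicates in the article's layout:", found)
    print("\n".join(render_powershell(FIXED_SERVICES)))
```

Run it once against the article’s layout to see the duplicate reported, then against the fixed one to get the commands. Before running the generated commands, run setspn -X against the domain to confirm no duplicates already exist from earlier attempts, and afterwards check each front-end account’s Delegation tab: Set-ADUser -Add only writes the target list, which is what “Use Kerberos only” constrained delegation needs; it does not switch the account to “Use any authentication protocol”.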
Setup Tool Needed
Now that we have reviewed some of the basics of Kerberos setup, and walked through an example, I would like to make a tool that helps create the SPNs needed for Microsoft products. My question to the community is:
What additional features would you like to see in a Kerberos SPN setup tool? Leave your suggestions below.