Kerberos SPN Generation Setup Tool – PAS

The last post “Kerberos SPN Generation Setup Tool – SSAS 2008” reviewed how to enter information for a SQL Server Analysis Services 2008 instance.  This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  This post covers how to enter information into the tool for ProClarity Analytics Server (PAS) 6.3 – the “PAS tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at .

Draw a Picture

The first step is to always have a picture of the data flow.  How does the user get to the data from the browser?  Since we are using the default SSAS instance for cube data, we will leverage information that was created for that instance from the last post “Kerberos SPN Generation Setup Tool – SSAS 2008”.


Application Server – Where PAS is Installed.

Enter the information for the machine where PAS is installed.  It is assumed that the SSAS instance and PAS are installed on different machines otherwise you wouldn’t need to do this delegation.  You only need to specify the port number in cases where the port number is not the default port (normally port 80 for http) and you chose not to use a host header.  In other words, you would specify a port if you enter a url into a browser to get to an instance and the url would contain both the machine name and port number.

DNS Information – Host (A) Name Record / IIS – Host Header

For our example, “PASMachine” will be the machine name where we have PAS installed.  We will create a host header A-Record called “analytics” to make an easy url for the users to enter.  The A-Record will correspond to the http default port 80.  You do not need to specify the port number in the tool when you use a host header.  Also, for this example we are using the default port (another reason not to specify the port number).

PAS Server Information – Authentication Method

Since we want to use Integrated Windows authentication, make sure that the PAS website has the authentication method checked as shown below.  Notice that there are two or three web sites of interest (PAS, PASUploads, and Dashboard).  Dashboard will only be applicable if you have ProClarity Dashboard Server installed.  PAS is the main web site used for analysis.  PASUploads is a web site used to download the PAS standard and professional web clients.  From an authentication perspective, if you are going to use Kerberos Constrained Delegation with Integrated Windows authentication, you will want to have these sites set up like the screen shown below.

Authentication Methods

PAS Server Information – Service Account

You can find the service account information by using IIS Manager on the PASMachine.  In this example, the PAS web site works in the Proclarity Web application pool.  The PASUploads web site works with the Proclarity Uploads application pool, and the Dashboard web site works with the ProClarityDashboardServer application pool.  The tool assumes that you are using the same service account “paswebapp” for all 3 application pools.  In most setups, this would be the scenario.  Check to ensure that each of the application pools listed are set up like the example below.

Service Account

SSAS 2008 Instance

Fill in the machine information where the SSAS 2008 instance resides.  In our example, this will be the “ReportMachine” machine.  This machine will have multiple SQL  instances running on it.  In fact, it could be a SQL Cluster.  Just use the Cluster Resource Group Name and the appropriate port number (if needed).  In our case the SSAS 2008 instance is the default (MSSQLSERVER) instance; therefore, we do not need to specify a name or port.

The SSAS 2008 service account can be found in the SQL Server Configuration Manager on the ReportMachine.  Since we are accessing SSAS 2008 data, we want to select the service account that corresponds to this.

SSAS “Log On As” Service Account – SQL_Analysis
Named Database Instance Note:

While the tool supports named instances, I have observed issues with named instances and the cluster manager.  Also, named instances are still relatively new as far as Kerberos is concerned.  You may observe issues with older applications and ODBC or OLE connection strings / drivers.  Active Directory 2003 may need a hotfix to enable named instances as well.  We did not used a named instance in this example.  This is just a FYI in case you have a named instance.  It is safer to use the port number that corresponds to the named instance (even though it shouldn’t matter) and avoid these issues.

PAS Tab Completed

The screen shot below shows the PAS tab filled out for this example.


Note: While there are multiple service types, the default values (shown in column C) are typically used.  Since the PAS application is going after data that is in a SSAS2008 instance, the service type is MSOLAPSvc.3.  If you have a SSAS 2000 instance it is time to upgrade, or use the MSOLAPSvc service type.  See the Service Type drop down for details.


Upon completing the steps above, you should have a “Green” traffic light and the message shown above.  If the light is yellow, you haven’t completed all of the required information.  If you have the green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab.  Delegation will be covered in a future post.  For now, the Delegation tab will show the default delegation that is suggested.

Multiple Application Pools / Web Sites

In this application, you have at least 2 application pools (Proclarity Web and Proclarity Uploads) to worry about and a third application pool if you set up ProClarity Dashboard.  It is assumed that the service account is the same for Proclarity Web and Proclarity Uploads application pools.  While the ProClarity Dashboard is not specifically supported by the tool, if you set up the web site and application pool as shown above, it will also work.  If you make the Dashboard application pool a different service account, you would also need a different unique SPN.  In other words, you would have to repeat this process for the ProClarityDashboardServer application pool if you used a different service account.  This would also mean 2 application pools with 2 different service accounts with two unique host headers which would require 2 versions of this spreadsheet (a second one for the ProClarityDashboardServer application pool).  In general, the process would be to go through all of these steps with the Proclarity Web application pool and then do the same process again with the ProClarityDashboardServer application pool and a unique url / host header.

If you use different service accounts, you will need a unique SPN (host header) for each web site.  If you didn’t do this, you would generate duplicate SPNs.

Most of the time, people use the same application pool service account for all three application pools (Proclarity Web, Proclarity Uploads and ProClarity Dashboard).  For this case, you only need one SPN and delegation.

Other PAS Tips and Tricks

Always download and install the latest version of ProClarity.  The latest version contains Service Pack 3.


Check the metabase settings, application pool user name, web site integrated authentication and perhaps the SQL Service “Log On As” account to make sure they are all correct.  The details for this can be found above and in the article: Kerberos Constrained Delegation – IIS Setup (Part 3 of 6).

Check to make sure your PAS Application Pool service account is in the IIS_ WPG group on the PASMachine.  Kind of self-explanatory.

OLE Exception 80072020

Set up the Analytics Server Administration Tool to Recognize the Machine Name (not the host header name).

Use the Analytics Server Administration Tool to connect to the PAS instance by Machine Name instead of the host header name.  Remove the connection to the server by host name if it exists.  This resolve the following issue: OLE Exception 80072020.


Desktop Professional

If you are going to install Desktop Professional, there are some issues with Windows Vista / 7.  These relate to the ProClarity folks trying to write to areas on the c: drive where elevated permissions are needed.  Basically, you get an annoying pop-up when starting the program that asked you to take the tutorial, skip, etc.  No matter what you select, it asks you this each time you start the program.  To work around this issue, you can change the Options.xml file for the two associated tutorial files, “Getting Started.bbk” and “Store Sales.cub” to an accessible directory and move the files there.  You can also set the “SkipGettingStarted” property to “Yes”.  Obviously your users wouldn’t see the message at startup which also means they won’t know the tutorial exists.  You will have to message them separately for this if needed.

For more information about the tool, read the tool overview “Kerberos SPN Generation Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation Setup Tool.

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.

This entry was posted in Kerberos, Microsoft BI - Security - Kerberos, Security and tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

5 Responses to Kerberos SPN Generation Setup Tool – PAS

  1. Pingback: Kerberos SPN Generation Setup Tool | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool – Generate SPNs | FUTURESULTS, LLC Blog

  3. Pingback: Kerberos SPN Generation Setup Tool – Delegation Tab | FUTURESULTS, LLC Blog

  4. Pingback: Kerberos SPN Generation Setup Tool – Delegation Process | FUTURESULTS, LLC Blog

  5. Pingback: Kerberos SPN Generation Setup Tool – PPS | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s