Kerberos SPN Generation Setup Tool – PPS

The last post “Kerberos SPN Generation Setup Tool – PAS” reviewed how to enter information for ProClarity Analytics Server (PAS) 6.3.  This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools.  This post covers how to enter information into the tool for PerformancePoint Server (PPS) 2007 – the “PPS tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at .

Draw a Picture

The first step is to always have a picture of the data flow.  How does the user get to the data from the browser?  Since we are using the default SSAS instance for cube data, we will leverage information that was created for that instance from a previous post “Kerberos SPN Generation Setup Tool – SSAS 2008”.  I will walk through this scenario in detail and then show a second scenario using relational data as the data source.

Note that in these posts, I have been discussing the data source for a report / dashboard view (not the configuration database for an individual product).  For example, PerformancePoint can be installed as a “Distributed installation”.  In this installation, the “PPS Monitoring System Database” stores the definitions of the dashboards.  This database is not the report “Data Source”.  The Data Source is referenced in the diagrams for Kerberos SPN setup and is the source of data for the reports / dashboard views that you will create.

Scenario 1 – SSAS Data Source


Application Server – Where PPS is Installed.

Enter the information for the machine where PPS is installed.  It is assumed that the SSAS instance and PPS are installed on different machines otherwise you wouldn’t need to do this delegation.  You only need to specify the port number in cases where the port number is not the default port (normally port 80 for http) and you chose not to use a host header.  In other words, you would specify a port if you enter a url into a browser to get to an instance and the url would contain both the machine name and port number.

DNS Information – Host (A) Name Record / IIS – Host Header

For our example, “MossMachine” will be the machine name where we have PPS installed.  We will create a host header A-Record called “PPSMonitoring” to make an easy url for the users to enter.  The A-Record will correspond to the http port 38000.  You do not need to specify the port number in the tool when you use a host header.

PPS Server Information – Authentication Method

Since we want to use Integrated Windows authentication, make sure that the PPS web sites have the authentication method checked as shown below.  Notice that there is one root web site (PPSMonitoring) with three applications of interest (DesignerInstall, Preview, WebService).  The Central web site is used to distribute Dashboard Designer.  The Preview web site renders dashboards for development preview.  The Web Service component is used to build and store definitions in the Monitoring System database.  From an authentication perspective, if you are going to use Kerberos Constrained Delegation with Integrated Windows authentication, you will want to have these five sites set up like the screen shown below.

Authentication Methods

PPS Server Information – Service Account

You can find the service account information by using IIS Manager on the MossMachine.  In this example, the PPS web sites / applications work in the PPSMonitoringCentral, PPSMonitoringPreview, and PPSMonitoringWebService application pools.  The tool assumes that you are using the same service account “ppswebapp” for all 3 application pools.  Check to ensure that each of the application pools listed are set up like the example below.

Service Account

SSAS 2008 Instance

Fill in the machine information where the SSAS 2008 instance resides.  In our example, this will be the “ReportMachine” machine.  This machine will have multiple SQL  instances running on it.  In fact, it could be a SQL Cluster.  Just use the Cluster Resource Group Name and the appropriate port number (if needed).  In our case the SSAS 2008 instance is the default (MSSQLSERVER) instance; therefore, we do not need to specify a name or port.

The SSAS 2008 service account can be found in the SQL Server Configuration Manager on the ReportMachine.  Since we are accessing SSAS 2008 data, we want to select the “Log On As“ service account that corresponds to this.

SSAS 2008 “Log On As” Service Account – SQL_Analysis
Named Database Instance Note:

While the tool supports named instances, I have observed issues with named instances and the cluster manager.  Also, named instances are still relatively new as far as Kerberos is concerned.  You may observe issues with older applications and ODBC or OLE connection strings / drivers.  Active Directory 2003 may need a hotfix to enable named instances as well.  We did not used a named instance in this example.  This is just a FYI in case you have a named instance.  It is safer to use the port number that corresponds to the named instance (even though it shouldn’t matter) and avoid these issues.

PPS Tab Completed – SSAS Data Source

The screen shot below shows the PPS tab filled out for this example.


Note: While there are multiple service types, the default values (shown in column C) are typically used – SSAS data is assumed in this case.  Since the PPS application is going after data that is in a SSAS2008 instance, the service type is MSOLAPSvc.3.  If you have a SSAS 2000 instance it is time to upgrade, or use the MSOLAPSvc service type.  See the Service Type drop down for details.


Upon completing the steps above, you should have a “Green” traffic light and the message shown above.  If the light is yellow, you haven’t completed all of the required information.  If you have the green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab.  Delegation will be covered in a future post.  For now, the Delegation tab will show the default delegation that is suggested.

Multiple Application Pools / Web Sites

In this application, you have at least 3 application pools (PPSMonitoringCentral, PPSMonitoringPreview, and PPSMonitoringWebService) to worry about.  It is assumed that the service account is the same for all 3 application pools.  Since there is only one website starting point (PPSMonitoring) there is only one port specified for all of the web sites (and basically one url).  If you made one of the application pools have a different service account, you would also need a different unique SPN.  Since there is only one url, this would generate two service accounts with one SPN (and thus an error of duplicate SPNs).   For this case, you only need one SPN and delegation.

Scenario 2 – Relational Data Source

If you have reviewed the posts for the other tabs in the spreadsheet, you should be starting to understand the process of how to fill out the Kerberos SPN Generation Setup Tool.  Since this process is similar to the one described above, I am not going to repeat it other than showing the setup and completed spreadsheet.


PPS Tab Completed – Relational Data Source

The screen shot below shows the PPS tab filled out for this example.


Multiple Data Sources / Multiple Spreadsheets

If you have more than one data source, you will have to fill out two spreadsheets.  This example shows two different spreadsheets to cover both a SSAS data source and a Relational data source.  The process would be to completely fill out one spreadsheet and then complete the SPN creation process.  After that is completed, then come back and do the same process with the second spreadsheet.  The point is to make sure to complete the process prior to starting to apply the information from the second spreadsheet.  This will allow the second spreadsheet to check for duplicate SPNs, etc.  More on this in a future post.

Other PPS Tips and Tricks

This is by far the best documented product for Kerberos setup by Microsoft.  I’m just going to link to some excellent materials for your reference.

Reference Information:

Configuring Monitoring Server for Kerberos delegation
Video: PPS Monitoring – Kerberos Delegation Setup (launch live link)
Configuring Kerberos Delegation with PerformancePoint Monitoring Server (same video as above, just a downloadable version)

For more information about the tool, read the tool overview “Kerberos SPN Generation Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation Setup Tool.

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.

This entry was posted in Kerberos, Microsoft BI, Microsoft BI - Security - Kerberos, Security and tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

2 Responses to Kerberos SPN Generation Setup Tool – PPS

  1. Pingback: Kerberos SPN Generation Setup Tool | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool – MOSS 2007 | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s