Kerberos SPN Generation Setup Tool – SSAS 2008

The last post “Kerberos SPN Generation Setup Tool – SSRS 2008” reviewed how to enter information for a SQL Server Reporting Services 2008 instance.  This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Microsoft BI tools.  This post covers how to enter information into the tool for SQL Server Analysis Services 2008 (SSAS 2008) – the “SSAS2008 tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at .

Draw a Picture

The first step is to always have a picture of the data flow.  How does the user get to the data?  In this case, we are simply going to create the SPN for the backend SSAS 2008 service.  There are a multitude of ways to connect to a SSAS instance (SSRS 2005, SSRS 2008, ProClarity, PerformancePoint 2007, Excel, …).  We will draw a picture for each of these connection methods as we discuss them.  Since this is just a service running on a single server, drawing a picture is not necessary.

Application Server – Where the SSAS Instance is Installed.

Enter the information for the machine where SSAS 2008 is installed.  It is assumed that SSAS is installed on a single machine.

Some servers may have multiple instances of SSAS and SSRS.  The same basic rules that we have previously discussed apply.  Make sure to determine if it is the default instance (MSSQLSERVER) or a named instance.  You only need to specify the port number in cases where the port number is not the default port and you chose not to use a host header.


DNS Information – Host (A) Name Record / IIS – Host Header

In this example, we only have one Analysis Services instance on this machine and it is the default instance.  We will just use the machine name “ReportMachine” to specify this service.

Reporting Server Information – Service Account

The Service Account is listed above as the “Log On As” user for the service.  In our case, the account is “SQL_Analysis”.  Note that you only enter the user name.  The domain information is listed only once in the common tab.  The information entered into the tool is case-insensitive (case does not matter).

SSAS2008 Tab Completed

The screen shot below shows the SSAS2008 tab filled out for this example.  We used the Service Type of MSOLAPSvc.3 since this is a SSAS 2008 instance.  The same would be true if this were a SSAS 2005 instance.  You would use a Service Type of MSOLAPSvc for a SSAS 2000 instance.



Upon completing the steps above, you should have a “Green” traffic light and the message shown above.  If the light is yellow, you haven’t completed all of the required information.  If you have a green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab.  Delegation will be covered in a future post.  Delegation will happen between a front-end client (SSRS, ProClarity, PerformancePoint, …) and the SSAS instance.  You will note that there is no default delegation for the instance itself and the database (as they are on the same machine).

For more information about the tool, read the tool overview “Kerberos SPN Generation Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation Setup Tool.

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.

This entry was posted in Kerberos, Microsoft BI - Security - Kerberos, Security and tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

3 Responses to Kerberos SPN Generation Setup Tool – SSAS 2008

  1. Pingback: Kerberos SPN Generation Setup Tool | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool – PPS | FUTURESULTS, LLC Blog

  3. Pingback: Kerberos SPN Generation Setup Tool – PAS | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s