Enterprise Portal Kerberos Delegation for connecting to Reporting/Analysis Services on a different box
Here are the steps that I followed for setting up Kerberos delegation for Enterprise Portal connecting to Reporting Services/Analysis Services on different boxes.
1) The first thing to do is to check that your domain controller is operating in Windows 2003 mode. By default you'll find your domain operates in Windows 2000 compatible mode. To check this, go to Active Directory Users and Computers, right-click your domain, and click 'Raise Domain Functional Level'. If it is in Windows 2000 compatible mode, raise it to Windows 2003 mode.
2) Enable Kerberos in SharePoint
a. Open Central Administration
b. Navigate to Application Management > Authentication Providers
c. Choose the web application you wish to configure from the drop-down in the top right corner
d. Click on 'Default'
e. Set the authentication to Negotiate (Kerberos)
f. IISRESET
g. In case of MOSS perform the below additional steps
i. Repeat steps "c" to "e" until all needed application pools are modified (at minimum the content application and the SSP application).
ii. To set the SSP and Excel Services (if you are running them) to use Kerberos authentication, run the following two commands:
1. STSADM.EXE -o Set-ECSsecurity -SSP <ssp name> -AccessModel Delegation
2. STSADM.EXE -o SetSharedWebServiceAuthN -negotiate
iii. Optional, if the SharePoint admin service is enabled: STSADM.EXE -o execadmsvcjobs
If the service is not running, this command is needed to propagate the change to additional servers and services.
iv. IISRESET
3) Make sure the Report Server and Report Manager virtual directories have Kerberos enabled. (By default this is set to Kerberos, so this step is optional; it only verifies and corrects the setting.)
a. In IIS Manager, right-click the local computer, and then click Properties.
b. Select the Enable Direct Metabase Edit check box, and then click OK.
c. Click Start, click Run, type cmd, and then click OK.
d. At the command prompt, type the following command to change to the directory where the MetaBase.xml file is located:
e. cd %systemroot%\system32\inetsrv
f. To open the file with Notepad, at the command prompt, type the following:
g. notepad MetaBase.xml
h. In the <IISWebServer> section, locate the NTAuthenticationProviders metabase property and modify its setting to read "Negotiate,NTLM".
i. Repeat the same for the Reports and ReportServer virtual directories.
j. Save and close the MetaBase.xml file.
k. IISRESET
4) Register SPNs for the app pool account
a. SPNs are configured by using SetSPN.exe (download it from here for Windows 2003 SP1 or SP2), a command-line tool provided as part of the Windows 2003 resource kit.
b. Run SetSPN for all EP servers and Reporting Servers with the app pool account alias for HTTP (for each server you have to run it twice, once with the FQDN and once with just the host name, so for a given server there will be two commands):
i. Setspn.exe -A HTTP/mey1 redmond\meysun
ii. Setspn.exe -A HTTP/mey1.redmond.corp.microsoft.com redmond\meysun
In the above command, replace
“mey1” with the server name
“redmond.corp.microsoft.com” with the domain name
“redmond\meysun” with the app pool account
c. Add the SSAS service SPN to the service account for each Analysis Services machine:
i. Setspn.exe -A MSOLAPSvc.3/mey1 ssasaccount
ii. Setspn.exe -A MSOLAPSvc.3/mey1.redmond.corp.microsoft.com ssasaccount
In the above commands, replace
"mey1" with the server name
"redmond.corp.microsoft.com" with the domain name
"ssasaccount" with the machine name if the SSAS service is running as Network Service, or with the domain account that runs this service
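As an added example (not part of the original post), the following PowerShell script builds the SPN set that steps 4b and 4c call for, compares it with what setspn -L reports for each account, and searches the directory for the same SPN registered on more than one account, which breaks Kerberos and leads to a silent fallback to NTLM. The server names, domain and account names are placeholders, and setspn.exe is assumed to be on the PATH.

```powershell
# Added example, not from the original post. Placeholders below: replace with your servers and accounts.
$Domain      = 'redmond.corp.microsoft.com'   # DNS domain used for the FQDN SPNs
$EpServers   = @('ep1', 'rs1')                # EP (SharePoint) and Reporting Services hosts (step 4b)
$SsasServers = @('olap1')                     # Analysis Services hosts (step 4c)
$AppPoolAcct = 'redmond\eppool'               # app pool account that gets the HTTP/ SPNs
$SsasAcct    = 'redmond\ssasaccount'          # SSAS service account (or machine account if Network Service)

# Expected SPNs: one short-name and one FQDN entry per host, exactly as in steps 4b and 4c
$Expected = @{}
$Expected[$AppPoolAcct] = @($EpServers   | ForEach-Object { "HTTP/$($_)"; "HTTP/$($_).$Domain" })
$Expected[$SsasAcct]    = @($SsasServers | ForEach-Object { "MSOLAPSvc.3/$($_)"; "MSOLAPSvc.3/$($_).$Domain" })

# setspn -L prints a header line followed by one indented SPN per line
function Get-RegisteredSpn([string]$Account) {
    setspn.exe -L $Account | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

# LDAP search for every account carrying a given SPN; more than one hit is a duplicate.
# setspn -A (as used in the post) does not check for this, so verify afterwards.
function Find-SpnOwners([string]$Spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

foreach ($acct in $Expected.Keys) {
    $have = @(Get-RegisteredSpn $acct)
    foreach ($spn in $Expected[$acct]) {
        if ($have -contains $spn) {
            Write-Host "OK        $spn -> $acct"
        } else {
            Write-Host "MISSING   $spn -> $acct   (fix: setspn.exe -A $spn $acct)"
        }
        $owners = @(Find-SpnOwners $spn)
        if ($owners.Count -gt 1) {
            Write-Host "DUPLICATE $spn is on more than one account: $([string]::Join(', ', $owners))"
        }
    }
}
```

A DUPLICATE line means the KDC can issue tickets encrypted for the wrong account; remove the SPN from the account that should not own it before retesting delegation.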
5) The user account(s) you want to be delegated must have the "Account Is Sensitive And Cannot Be Delegated" option cleared (i.e. not checked). You'll find this property in "Active Directory Users And Groups", under the "Account" property tab. I believe this is unchecked by default.
6) The app pool accounts should have the "Account Is Trusted For Delegation" option enabled in "Active Directory Users And Groups" -> "User" -> "Properties" -> "Delegation" -> "Account is trusted for delegation".
7) In the odc file stored in Data Connections document library on the EP site, edit the connection string and append the following ";SSPI=Kerberos"
8) Component Services Configuration
a. Open Component Services on the EP server
b. Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service
c. Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab
d. Edit Launch and Activate Permissions
e. Grant all application pool accounts 'Local Activation' permission (see https://support.microsoft.com/kb/920783). In our example, these accounts would be Network Service and the app pool account of your EP site.
Note: On Windows Server 2008, Kernel Mode Authentication is enabled by default and it uses the LocalSystem account. So for web sites that use a domain account as the app pool account, you need to either configure useAppPoolCredentials in applicationHost.config:
Set the useAppPoolCredentials attribute in the system.webServer/security/authentication/windowsAuthentication configuration section to true. For example:
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
OR disable Kernel-mode authentication for the web site:
In IIS Manager 7, under Windows Authentication -> Advanced Settings, uncheck "Enable Kernel-mode authentication".
Comments

Anonymous, February 27, 2008:
The comment has been removed.

Anonymous, March 06, 2008:
Hi Meysun, if we want to create Enterprise Portal via IIS and WSS to access AX 4.0 business logic, do you think the stability of IIS will be a critical element which we need to take into consideration? Thank you, Gem Han

Anonymous, March 08, 2008:
The comment has been removed.

Anonymous, May 21, 2008:
Configure Kerberos authentication (Office SharePoint Server): http://technet.microsoft.com/en-us/library/cc263449.aspx#section3

Anonymous, May 21, 2008:
Troubleshooting Kerberos Delegation in Windows 2000 and Windows Server 2003: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

Anonymous, May 27, 2008:
Role Center Security Forcing NTLM: http://blogs.msdn.com/solutions/archive/2008/05/28/forcing-ntlm-on-iiswebsite.aspx

Anonymous, June 15, 2008:
I do a lot of pure intranet configurations/installations. I try to implement a large part of them with Kerberos authentication. It takes some preparatory work, but the added value, when it comes to more than pure CMS content, is

Anonymous, June 19, 2008:
- In the odc file stored in Data Connections document library on the EP site, edit the connection string and append the following ";SSPI=Kerberos"
If I got nothing at http://servername/sites/dynamicsAx/data Connections/, could that explain why my EP isn't working?

Anonymous, November 10, 2008:
The ODC files can be deployed from the Dynamics AX client. Go to the Administration area, go to the Setup panel, Business analysis, OLAP, OLAP Administration. Once you open this dialog, you will see "Deploy ODC Files". Anthony "It's an MS thang."

Anonymous, March 05, 2009:
I was unable to find a way to edit the connection strings in the .odc files. Does anyone have any information regarding how these can be changed?

Anonymous, May 07, 2009:
Save the odc from SharePoint to the filesystem, edit it in Notepad and then upload it.

Anonymous, August 13, 2011:
Hi, I am getting the same error on EP Portal dashboards: "Cannot read information from SQL Server Reporting Services. Validate that the Report Manager URL is correct." But we are not using Kerberos authentication. What should I do? Any help is appreciated!