BI Service Applications in SharePoint 2010 – Authentication (Classic vs. Claims) and Identity Delegation (Kerberos) – Part 1

  • Article

Author: Chris Bailiss
Technical Reviewers (Kerberos/Claims): James Noyce, Paul Williams

Introduction

This series of posts provides an overview of the authentication methods and associated functionality supported by the Business Intelligence Service Applications in SharePoint 2010, covering:

  • Excel Services
  • PerformancePoint Services (PPS)
  • Reporting Services (2008 R2, Integrated Mode)
  • PowerPivot
  • Visio Services

I have assumed that you have an understanding of SharePoint concepts such as web applications, service applications, etc.

This article isn’t going to repeat lots of detailed material available elsewhere about how to configure each of the above services.

Rather, the aim is to provide an overview of what works and what doesn’t from a BI perspective (I’m a SQL BI Consultant). Particular attention will be paid to differences in BI-functionality between the Classic-mode and Claims-mode authentication options in SharePoint, and how this supports or doesn’t support passing user identity to back end systems.

SharePoint authentication methods covered will include:

  • Classic-mode authentication (‘Windows Authentication’)
  • Claims-mode authentication
    • Windows-Claims
    • Forms Based Authentication (FBA-Claims)

There is a lot to cover so this article will be split into a series of parts:

  • Part 1 – Introduction, Environment, Web Application Overview
    • Describes my test environment and my SharePoint web applications
  • Part 2 – Portal Web Application, User Identity Testing for SQL Server
    • Describes a web application running with classic-mode authentication
    • Describes some ways to test user identity in SQL server
  • Part 3 – BI Service Application Tests in the Portal Web App – Classic-Authentication
    • Describes SharePoint BI identity delegation testing with classic-mode authentication
  • Part 4 – Claims Web Application
    • Describes a web application running with claims-mode authentication
  • Part 5 - BI Service Application Tests in the Claims Web App – Windows-Claims
    • Describes SharePoint BI functionality with Windows-Claims based authentication
  • Part 6 - BI Service Application Tests in the Claims Web App – FBA-Claims
    • Describes SharePoint BI functionality with FBA-Claims based authentication
  • Part 7 – Summary, Additional References
    • Provides a recap of everything and some links for additional information

Screen shots will be shown to illustrate the text – they are functional, not pretty!

If you’re not interested in how the testing was carried out, skip to the summary at the end.

Environment

Examples will be shown from my scaled-out Hyper-V lab environment, consisting of:

  • 1 x Domain Controller
  • 1 x SQL Server
    • SQL Server Relational Database Engine
    • Analysis Services
  • 2 x Application Servers
    • 1 x Excel Services & PerformancePoint Services
    • 1 x PowerPivot for SharePoint
  • 1 x SQL Server Reporting Services (Integrated Mode)
  • 1 x Web Front End (WFE)
  • 1 x Client

All are running Windows 2008 R2 SP1 and SQL 2008 R2 SP1 / SharePoint Server 2010 SP1.

Wherever references are made to Kerberos within this article, this is all within the same domain.

Web Application Overview

Two web applications have been configured in this environment:

  • https://portal – ‘portal’ – configured with classic-mode authentication
  • https://claims – ‘claims’ – configured with claims-mode authentication

These will be described and compared in more detail in the coming posts.

Continued...

Continue reading in Part 2.