Enterprise Portal Kerberos Delegation for connecting to Reporting/Analysis Services on a different box

Here are the steps I followed to set up Kerberos delegation for Enterprise Portal connecting to Reporting Services and Analysis Services running on different boxes.

1) The first thing to do is to check that your domain controller is operating in Windows 2003 mode. By default you'll find it operating in Windows 2000 compatible mode. To check this, open Active Directory Users and Computers, right-click your domain, and click 'Raise Domain Functional Level'. If it is in Windows 2000 compatible mode, raise it to Windows 2003 mode.

2) Enable Kerberos in SharePoint

a. Open Central Administration

b. Navigate to Application Management > Authentication Providers

c. Choose the web application you wish to configure from the drop-down in the top right corner

d. Click on 'Default'

e. Set the authentication to Negotiate (Kerberos)

f. IISRESET

g. In the case of MOSS, perform the following additional steps:

i. Repeat steps "c" to "e" until all application pools needed are modified. (At a minimum this should be the content application and the SSP application.)

ii. To set the SSP and Excel Services (if you are running them) to use Kerberos authentication, it is best to run the following two commands:

1. STSADM.EXE -o Set-ECSsecurity -SSP <ssp name> -AccessModel Delegation

2. STSADM.EXE -o SetSharedWebServiceAuthN -negotiate

iii. Optional if the SharePoint administration service is enabled: STSADM.EXE -o execadmsvcjobs
If the service is not running, this command is needed to propagate the change to additional servers and services.

iv. IISRESET

3) Make sure the Report Server and Report Manager virtual directories have Kerberos enabled. (By default this is set to Kerberos, so this step is optional; it is only to verify and correct.)

a. In IIS Manager, right-click the local computer, and then click Properties.

b. Select the Enable Direct Metabase Edit check box, and then click OK.

c. Click Start, click Run, type cmd, and then click OK.

d. At the command prompt, type the following command to change to the directory where the MetaBase.xml file is located:

e. cd %systemroot%\system32\inetsrv

f. To open the file with Notepad, at the command prompt, type the following:

g. notepad MetaBase.xml

h. In the <IISWebServer> section, locate the NTAuthenticationProviders metabase property and modify its setting to read "Negotiate,NTLM".

i. Repeat the same for the Reports and ReportServer virtual directories.

j. Save and close the MetaBase.xml file.

k. IISRESET

4) Register SPNs for the app pool account

a. SPNs are configured using SetSPN.exe (download it from here for Windows 2003 SP1 or SP2), a command-line tool provided as part of the Windows 2003 resource kit.

b. Run SetSPN for all EP servers and Reporting Servers with the app pool account alias for the HTTP service. For each server you have to run it twice, once with the FQDN and once with just the host name, so for a given server there will be two commands:

i. Setspn.exe -A HTTP/mey1 redmond\meysun

ii. Setspn.exe -A HTTP/mey1.redmond.corp.microsoft.com redmond\meysun

In the above commands, replace:
"mey1" with the server name
"redmond.corp.microsoft.com" with the domain name
"redmond\meysun" with the app pool account

c. Add the SSAS service SPN to the service account for each Analysis Services machine:

i. Setspn.exe -A MSOLAPSvc.3/mey1 ssasaccount

ii. Setspn.exe -A MSOLAPSvc.3/mey1.redmond.corp.microsoft.com ssasaccount

In the above commands, replace:
"mey1" with the server name
"redmond.corp.microsoft.com" with the domain name
"ssasaccount" with the machine name if the SSAS service is running as Network Service, or with the domain account that is running this service
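Added example, not part of the original post: a PowerShell helper that builds the full SPN set from steps 4b and 4c (host and FQDN form for HTTP and MSOLAPSvc.3) and looks each one up in Active Directory before printing the setspn -A command, so that a duplicate registration on another account is caught first. It assumes an ADSI-capable domain-joined host; the server, domain and account values are the post's placeholders.

```powershell
# Added example, not from the original post: build the SPN set from step 4 and check
# Active Directory for an existing owner before each setspn -A, because the same SPN
# on two accounts breaks Kerberos for every client. Only prints the commands.
# Server, domain and account values are the post's placeholders; substitute your own.

$plan = @(
    @{ Service = 'HTTP';        Server = 'mey1'; Domain = 'redmond.corp.microsoft.com'; Account = 'redmond\meysun' }
    @{ Service = 'MSOLAPSvc.3'; Server = 'mey1'; Domain = 'redmond.corp.microsoft.com'; Account = 'ssasaccount' }
)

function Get-SpnOwners {
    param([string]$Spn)
    # LDAP search for any account (user or computer) that already holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        # Computer accounts end in '$'; trim it so 'mey1' matches 'MEY1$'.
        ([string]$result.Properties['samaccountname'][0]).TrimEnd('$')
    }
}

foreach ($entry in $plan) {
    $wanted = ($entry.Account -split '\\')[-1]   # drop the DOMAIN\ prefix for comparison
    # Each service needs both the short host name and the FQDN form.
    foreach ($name in @($entry.Server, "$($entry.Server).$($entry.Domain)")) {
        $spn    = "$($entry.Service)/$name"
        $owners = @(Get-SpnOwners -Spn $spn)
        if ($owners.Count -eq 0) {
            Write-Output "setspn.exe -A $spn $($entry.Account)"
        } elseif ($owners -contains $wanted) {
            Write-Output "REM $spn is already registered on $wanted; nothing to do"
        } else {
            Write-Warning "$spn is already registered on $($owners -join ', '); remove that duplicate before adding it to $($entry.Account)"
        }
    }
}
```

Review the printed commands, then run them from an elevated prompt on a machine that has SetSPN.exe.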

5) The user account(s) you want to be delegated must have the "Account Is Sensitive And Cannot Be Delegated" option cleared (i.e. not checked). You'll find this property in "Active Directory Users And Groups", under the "Account" property tab. I believe this is unchecked by default.

6) The app pool accounts should have the "Account Is Trusted For Delegation" option enabled in "Active Directory Users And Groups"->"User"->"Properties"->"Delegation"->"Account is trusted for delegation".

7) In the .odc file stored in the Data Connections document library on the EP site, edit the connection string and append ";SSPI=Kerberos".

8) Component Services Configuration

a. Open Component Services on the EP server

b. Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service

c. Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab

d. Edit Launch and Activate Permissions

e. Grant all application pool accounts the 'Local Activation' permission (see https://support.microsoft.com/kb/920783). In our example, these accounts would be Network Service and the app pool account of your EP site.

Note: If you are on Windows Server 2008, Kernel Mode Authentication is enabled by default and it uses the LocalSystem account (so the service tickets are decrypted with the machine account rather than the app pool account). So for web sites that use a domain account as the app pool account, you need to either configure useAppPoolCredentials in applicationHost.config or disable kernel-mode authentication for the web site.

To use the app pool credentials, set the useAppPoolCredentials attribute in the system.webServer/security/authentication/windowsAuthentication configuration section to true. For example:

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

Or disable kernel-mode authentication for the web site: in IIS Manager 7, under Windows Authentication -> Advanced Settings, uncheck "Enable Kernel Mode authentication".
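Added example, not from the original post: a PowerShell check for the Windows Server 2008 condition described in the note above (kernel-mode authentication on, app pool running as a domain account, useAppPoolCredentials still false). It assumes the IIS 7 WebAdministration module is available; the site name is an assumed placeholder.

```powershell
# Added example, not from the original post: flag an IIS 7 site whose app pool runs as a
# domain account while kernel-mode auth still decrypts tickets with the machine account.
# The site name below is an assumed placeholder; replace it with your EP web site.
Import-Module WebAdministration
$site   = 'SharePoint - 80'
$filter = 'system.webServer/security/authentication/windowsAuthentication'

$auth     = Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter $filter
$poolName = (Get-Item "IIS:\Sites\$site").applicationPool
$identity = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel

# 'SpecificUser' is the identity type IIS uses for a custom (e.g. domain) account.
$usesDomainAccount = $identity.identityType -eq 'SpecificUser'

if (-not $auth.enabled) {
    Write-Warning "Windows authentication is disabled on '$site'"
} elseif ($auth.useKernelMode -and $usesDomainAccount -and -not $auth.useAppPoolCredentials) {
    Write-Warning "'$site' runs as $($identity.userName) with kernel-mode auth but useAppPoolCredentials=false; HTTP SPNs on that account will not be used"
    Write-Output "Fix: Set-WebConfigurationProperty -PSPath 'IIS:\Sites\$site' -Filter $filter -Name useAppPoolCredentials -Value True"
    Write-Output "  or: uncheck 'Enable Kernel Mode authentication' under Windows Authentication -> Advanced Settings"
} else {
    Write-Output "'$site': useKernelMode=$($auth.useKernelMode) useAppPoolCredentials=$($auth.useAppPoolCredentials) identity=$($identity.identityType)"
}
```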