Thursday, August 25, 2011

Setting up Kerberos delegation to named SSAS instance

When using BI Tools (Reporting Services, Excel Services) within multi-server SharePoint 2010 deployments with Windows Integrated authentication, Kerberos is the preferred authentication method to overcome the well-known double-hop problem.

Kerberos configuration for services/service accounts usually involves 2 steps:
1. Registering SPNs via the command line
2. Configuring delegation in AD (from service/service account A to service/service account B)

When setting up Excel Services for connections to your SSAS Cube:
1. Register SPN for Excel Services account
2. Register SPN for SSAS account
3. Configure delegation from Excel Services to SSAS Cube

When using a named SSAS instance, step 2 is done by entering the following commands:
setspn -s MSOLAPSvc.3/<machinename>:<instancename> <domain>\<ssas account>
setspn -s MSOLAPSvc.3/<fqn>:<instancename> <domain>\<ssas account>

When trying to configure the delegation (step 3) in Active Directory, the SPNs from step 2 cannot be added on the Delegation tab because they don't show up when querying for SPNs. This was a reported bug for Win2003 but seems to occur in Win2008 as well. (See KB936628)

To configure the delegation to the named SSAS instance, perform the following steps:
1. Fire up ADSI edit
2. Find the Excel Services account and right-click it
3. Choose properties
4. Find the msDS-AllowedToDelegateTo property
5. Enter the 2 SPNs from step 2
6. Click OK/Apply etc
7. Close ADSI edit

Now you can use the SSAS named instance in connection strings & data refresh in Excel Services.

Be aware that although the SPNs have been added, they won't show up in Active Directory Users and Computers.
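
Since the GUI does not show the entries, the result can be checked from PowerShell instead. This is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is installed, and every account, host and instance name in it is a placeholder.

```powershell
# Added example: verify constrained delegation from Excel Services to a named SSAS instance.
# All names below are placeholders (assumptions); replace them with your own values.
Import-Module ActiveDirectory

$ExcelAccount = 'svc-excel'      # hypothetical Excel Services account (sAMAccountName)
$SsasAccount  = 'svc-ssas'       # hypothetical SSAS service account (sAMAccountName)
$ExpectedSpns = @(
    'MSOLAPSvc.3/SSAS01:INSTANCE1',               # <machinename>:<instancename>
    'MSOLAPSvc.3/ssas01.example.local:INSTANCE1'  # <fqn>:<instancename>
)

function Test-SsasDelegation {
    param([string]$From, [string]$To, [string[]]$Spns)

    $target = Get-ADUser -Identity $To   -Properties servicePrincipalName
    $source = Get-ADUser -Identity $From -Properties 'msDS-AllowedToDelegateTo'

    foreach ($spn in $Spns) {
        # Every object in the current domain that carries this SPN. More than one
        # owner is a duplicate SPN, which breaks Kerberos for that service.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

        [pscustomobject]@{
            SPN              = $spn
            RegisteredOnSsas = $target.servicePrincipalName -contains $spn
            OwnerCount       = $owners.Count
            InDelegationList = $source.'msDS-AllowedToDelegateTo' -contains $spn
        }
    }
}

# Expect RegisteredOnSsas = True, OwnerCount = 1, InDelegationList = True on every row.
Test-SsasDelegation -From $ExcelAccount -To $SsasAccount -Spns $ExpectedSpns |
    Format-Table -AutoSize

# List everything the account may delegate to, so unexpected entries are noticed.
(Get-ADUser -Identity $ExcelAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Keeping the delegation list limited to the SPNs the account actually needs keeps the delegation constrained to the SSAS instance.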

Tuesday, August 23, 2011

Separating FAST Search Index files from FASTSearch directory



Many companies separate applications from their content for performance purposes, storing content/data on fast & easily expandable storage while maintaining the app itself on separate (fixed size) disks. Although FAST 2010 for SharePoint doesn't provide an installation/configuration option for this, it can be done.


Although the configuration files contain the DATA location (and could easily be changed), changing these files is not supported. The supported approach is moving the DATA folder to a separate volume and joining the new location to the existing application directory by creating a "junction point", as described in Microsoft KB2506015:


The following steps have to be performed on all FAST Servers within the FAST farm:

  1. Stop the FAST Search for SharePoint service.
  2. Stop the FAST Search for SharePoint Monitoring service.
  3. Move %FASTSEARCH%\data to the larger storage you have added.
  4. Run the following in a command prompt: mklink /j %FASTSEARCH%\data %NEW_LOCATION%\data
  5. Start the FAST Search for SharePoint Service.

When running out of disk space, this is an easy way to get the FAST farm up and running again.