When using BI Tools (Reporting Services, Excel Services) within multi-server SharePoint 2010 deployments with Windows Integrated authentication, Kerberos is the preferred authentication method to overcome the well-known double-hop problem.
Kerberos configuration for services/service accounts usually involves 2 steps:
1. Registering SPNs via the command line
2. Configuring delegation in AD (from service/service account A to service/service account B)
When setting up Excel Services for connections to your SSAS Cube:
1. Register SPN for Excel Services account
2. Register SPN for SSAS account
3. Configure delegation from Excel Services to SSAS Cube
When using a named SSAS instance, step 2 is done by entering the following commands:
setspn -s MSOLAPSvc.3/<machinename>:<instancename> <domain>\<ssas account>
setspn -s MSOLAPSvc.3/<fqn>:<instancename> <domain>\<ssas account>
When trying to configure the delegation (step 3) in Active Directory, the SPNs from step 2 cannot be added on the Delegation tab because they don't show up when querying for SPNs. This was a reported bug for Win2003 but seems to occur in Win2008 as well. (See KB936628)
To configure the delegation to the named SSAS instance, perform the following steps:
1. Fire up ADSI Edit
2. Find the Excel Services account and right-click it
3. Choose Properties
4. Find the msDS-AllowedToDelegateTo property
5. Enter the 2 SPNs from step 2
6. Click OK/Apply etc.
7. Close ADSI Edit
Now you can use the SSAS named instance in connection strings & data refresh in Excel Services.
Be aware that although the SPNs have been added, they won't show up in Active Directory Users and Computers.
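Because the added SPNs are invisible in Active Directory Users and Computers, it helps to make the same change from a script and read the attribute back. The following is an added example, not part of the original post: it uses the ActiveDirectory PowerShell module (RSAT) to write the attribute edited in step 4 and then list every delegation target on the account. The account, host, domain and instance names are constructed placeholders.

```powershell
# Added example. All names below are constructed placeholders; replace them.
Import-Module ActiveDirectory

$excelAccount = 'svc-excel'              # assumed Excel Services account (sAMAccountName)
$ssasHost     = 'ssas01'                 # assumed SSAS machine name
$ssasFqdn     = 'ssas01.contoso.local'   # assumed fully qualified name
$instance     = 'CUBES'                  # assumed SSAS named instance

# The two SPNs registered in step 2. ${...} is required so that PowerShell
# does not parse "$ssasHost:" as a scope or drive qualifier.
$targets = @(
    "MSOLAPSvc.3/${ssasHost}:$instance",
    "MSOLAPSvc.3/${ssasFqdn}:$instance"
)

# Return the wanted SPNs that are not yet delegation targets.
# -notcontains compares case-insensitively, which matches SPN semantics.
function Get-MissingDelegationTarget {
    param([string[]]$Wanted, [string[]]$Current)
    $Wanted | Where-Object { $Current -notcontains $_ }
}

$attr    = 'msDS-AllowedToDelegateTo'
$user    = Get-ADUser -Identity $excelAccount -Properties $attr
$current = @($user.$attr)
$missing = @(Get-MissingDelegationTarget -Wanted $targets -Current $current)

if ($missing.Count -gt 0) {
    # -Add appends values and leaves existing delegation targets untouched.
    Set-ADUser -Identity $user -Add @{ $attr = [string[]]$missing }
    Write-Host "Added: $($missing -join ', ')"
} else {
    Write-Host 'Both SSAS SPNs are already delegation targets.'
}

# Read the attribute back: this is the full list of services the account
# may delegate to, including entries the ADUC Delegation tab does not show.
(Get-ADUser -Identity $excelAccount -Properties $attr).$attr | Sort-Object

# Confirm the SPNs from step 2 are registered on the SSAS account
# ('CONTOSO\svc-ssas' is a placeholder).
setspn -L 'CONTOSO\svc-ssas'
```

Reviewing the read-back list periodically is worthwhile: any entry there that is no longer needed widens what the Excel Services account can impersonate users to.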