Kerberos Authentication Setup

Please note that since all network environments are different in some way or another, you should use the document below as a basic starting point.

Here is the official document from MSDN:
How to configure SQL Server 2005 Analysis Services to use Kerberos authentication

Here is a Kerberos article by Mosha Pasumansky that Microsoft recommends:
http://sqlblog.com/blogs/mosha/archive/ ... -2005.aspx

Here is another article:
http://msdn.microsoft.com/en-us/library/ms178119.aspx

Another good knowledge base article if you are using IIS6 - How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication:
http://support.microsoft.com/default.aspx/kb/215383

 

Additional Tips

For the ServicePrincipalName entries for MSOLAPSvc.3, both the FQDN and the short names are needed.

SSAS service account:
MSOLAPSvc.3/server01
MSOLAPSvc.3/server01.scc.com

IIS server:
HOST/server02
HOST/server02.scc.com

IIS App Pool service account:
HTTP/server03
HTTP/server03.scc.com

 

When configuring IIS, if the site is not using the default path (1), specify the correct path number when calling cscript adsutil.vbs.

If the default path is used:
cscript adsutil.vbs get w3svc/1/root/NTAuthenticationProviders
cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "Negotiate,NTLM"

Otherwise, the number will change accordingly (it can be obtained from your IIS):
cscript adsutil.vbs get w3svc/1000000123/root/NTAuthenticationProviders
cscript adsutil.vbs set w3svc/1000000123/root/NTAuthenticationProviders "Negotiate,NTLM"

 

For those having trouble setting up the correct service principal name (SPN), please take a look at this site: http://futuresults.wordpress.com/2010/0 ... etup-tool/. Fill in your account(s) and it will show you what the correct SPNs should be for Analysis Services, Reporting Services, MOSS, Performance Point, etc.


Be sure to use the latest version of SETSPN, which now has the ability to detect duplicate SPNs in Active Directory.
http://blogs.msdn.com/b/saurabh_singh/a ... ected=true
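
The two points above (every SPN needs both its short and FQDN form, and the same SPN must not be registered on more than one account) can be checked against `setspn -L` output. The script below is an added example, not part of the original article; the account names svc-ssas and svc-old and the sample output are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L` output for two hypothetical accounts
# (svc-ssas, svc-old) in the article's scc.com domain.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-ssas,OU=Services,DC=scc,DC=com:
    MSOLAPSvc.3/server01
    MSOLAPSvc.3/server01.scc.com
    HTTP/server03.scc.com
Registered ServicePrincipalNames for CN=svc-old,OU=Services,DC=scc,DC=com:
    MSOLAPSvc.3/SERVER01.scc.com
"""
HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):$")

def parse_setspn(text):
    """Map each account DN to the SPNs listed under its header line."""
    accounts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = accounts.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return accounts

def audit(accounts, domain):
    """Return (missing, duplicates). SPNs are compared case-insensitively.
    missing: (account, spn) pairs where the short/FQDN twin is absent.
    duplicates: spn -> accounts, for SPNs held by more than one account."""
    suffix, owners, missing = "." + domain.lower(), defaultdict(set), []
    for dn, spns in accounts.items():
        have = {s.lower() for s in spns}
        for spn in sorted(have):
            owners[spn].add(dn)
            svc, _, rest = spn.partition("/")
            host = re.split(r"[:/]", rest, maxsplit=1)[0]
            tail = rest[len(host):]          # keeps any :port or :instance
            if host.endswith(suffix):
                twin = host[:-len(suffix)]   # FQDN -> short name
            elif "." not in host:
                twin = host + suffix         # short name -> FQDN
            else:
                continue                     # host in another domain: skip
            if f"{svc}/{twin}{tail}" not in have:
                missing.append((dn, f"{svc}/{twin}{tail}"))
    dupes = {s: sorted(d) for s, d in owners.items() if len(d) > 1}
    return missing, dupes

if __name__ == "__main__":
    print(audit(parse_setspn(SAMPLE), "scc.com"))
```

On the constructed sample this reports the missing short-name HTTP entry and the MSOLAPSvc.3 FQDN entry that two accounts both hold.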


See attachment for additional documents.

 
