Friday, May 22, 2009

Enabling Kerberos delegation with Application Service Architectures and SQL Server Analysis Services 2005


Introduction


This document describes how to set up Kerberos delegation so that an application Windows service can authenticate its HTTP requests to SQL Server Analysis Services 2005. The configuration steps that follow become necessary when the application host machines are separate but belong to the same domain. More information can be obtained on this here.


Active Directory Setup


When making changes in Active Directory you need a system administrator with permissions to make each of the changes listed below.


● The server which hosts your application Windows services must be set to 'Trust this computer for delegation (Kerberos only)'.
● All AD user accounts that will use your application Windows service must have the setting "Sensitive: not allowed to be delegated" disabled, i.e. all of these accounts must be allowed to be delegated.
● Register the Service Principal Names (SPNs) described in this document in your Active Directory.


Service Principal Name Registration


If you do not have the Service Principal Name tool: the SPN tool (setspn) is part of the Windows Server 2003 and 2008 Support Tools and can be found on your product CD. Alternatively you can download it from here.


Machine hosting your application windows service.



Check the registered SPNs before you continue with the registration by issuing the following command from the command line:
setspn -l <domainName>\<serverHostName>


This command will list (-l) the current SPNs, and the only ones that should show up are as follows:


HOST/<serverHostName>
HOST/<serverHostName>.domain.com


Protocol registration


setspn -a HTTP/<domainName>\<serverHostName> <serviceAccount>
setspn -a HTTP/<serverHostName>.<domainName>.com <serviceAccount>


Application Service registration


setspn -a <appWindowsServiceName>/<domainName>\<serverHostName> <serviceAccount>
setspn -a <appWindowsServiceName>/<serverHostName>.<domainName>.com <serviceAccount>


Note: when the services run as LocalSystem or NetworkService, the <serviceAccount> token used above refers to the computer account, i.e. the <serverHostName> token. Otherwise specify the domain account that the services run under.


Machine Hosting SQL Server Analysis Services



Check the registered SPNs before you continue with the registration by issuing the following command from the command line:
setspn -l <domainName>\<serverHostName>


This command will list (-l) the registered SPNs. Typically the ones that appear are the same as noted above for your application Windows service machine.


SSAS Service registration


setspn -a MSOLAPSvc.3/<domainName>\<serverHostName> <serviceAccount>
setspn -a MSOLAPSvc.3/<serverHostName>.<domainName>.com <serviceAccount>


The notes on the <serviceAccount> token above apply equally here.
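The SPN checks and registrations for both machines, collected into one script that can be re-run safely. This is an added example, not part of the original post: the host, domain and account names are placeholders, it assumes setspn.exe from the Support Tools is on the PATH, and it writes the SPNs in the conventional short-name/FQDN pair (HTTP/host and HTTP/host.domain.com) that matches the HOST/ entries setspn -l lists above.

```powershell
# Added example (not from the original post). Builds the SPN set for the
# application host and the SSAS host, compares it with what "setspn -L"
# reports for each service account, and registers only the missing ones.
param(
    [string]$DnsDomain     = 'contoso.com',   # placeholder DNS domain
    [string]$NetBiosDomain = 'CONTOSO',       # placeholder NetBIOS domain
    [string]$AppHost       = 'APPSVR01',      # placeholder host running the application service
    [string]$AppService    = 'MyAppService',  # placeholder <appWindowsServiceName> SPN class
    [string]$AppAccount    = 'svc_app',       # placeholder domain account; '' = LocalSystem/NetworkService
    [string]$SsasHost      = 'OLAPSVR01',     # placeholder host running SSAS 2005
    [string]$SsasAccount   = 'svc_ssas',      # placeholder domain account; '' = LocalSystem/NetworkService
    [switch]$Register                          # without this switch the script only reports
)

function Get-SpnPair([string]$Class, [string]$ComputerName, [string]$Domain) {
    # Short-name and FQDN forms, the same pair the HOST/ entries use.
    @("$Class/$ComputerName", "$Class/$ComputerName.$Domain")
}

function Resolve-ServiceAccount([string]$NetBios, [string]$Account, [string]$ComputerName) {
    # A service running as LocalSystem/NetworkService authenticates as the
    # computer account, whose sAMAccountName is the host name followed by '$'.
    if ([string]::IsNullOrEmpty($Account)) { "$NetBios\$ComputerName`$" } else { "$NetBios\$Account" }
}

function Get-RegisteredSpn([string]$Account) {
    # "setspn -L" prints a header line followed by one indented SPN per line;
    # keep only lines that look like <class>/<name>.
    $output = & setspn.exe -L $Account 2>&1
    $output | ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9_.-]+/' }
}

$appAcct  = Resolve-ServiceAccount $NetBiosDomain $AppAccount  $AppHost
$ssasAcct = Resolve-ServiceAccount $NetBiosDomain $SsasAccount $SsasHost

$plan = @(
    @{ Account = $appAcct
       Spns    = (Get-SpnPair 'HTTP' $AppHost $DnsDomain) + (Get-SpnPair $AppService $AppHost $DnsDomain) },
    @{ Account = $ssasAcct
       Spns    = Get-SpnPair 'MSOLAPSvc.3' $SsasHost $DnsDomain }
)

foreach ($entry in $plan) {
    $existing = @(Get-RegisteredSpn $entry.Account)
    foreach ($spn in $entry.Spns) {
        if ($existing -contains $spn) {
            Write-Host "present  $spn -> $($entry.Account)"
        } elseif ($Register) {
            # -S (setspn from Windows Server 2008 onwards) refuses to add an SPN
            # that already exists on another account; use -A with the 2003 tools.
            & setspn.exe -S $spn $entry.Account
            Write-Host "added    $spn -> $($entry.Account)"
        } else {
            Write-Host "missing  $spn -> $($entry.Account)  (run with -Register to add)"
        }
    }
}

# A duplicate SPN on two accounts breaks Kerberos for both services, so finish
# with the forest-wide duplicate check (available in the 2008 setspn).
& setspn.exe -X
```

Run it first without -Register, as a domain administrator, to see which SPNs are already present and which are missing; then run it again with -Register. The final setspn -X pass is the check a practitioner wants after any SPN change, because a duplicate SPN makes the KDC unable to pick an account and the client silently falls back to NTLM, which cannot be delegated.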


Setup the clients



● The URL used to connect to the application service web application (http://<serverhostname>.<domainname>.com/) should be added to the Trusted Sites list in Internet Explorer.
● To use Windows Integrated Authentication, the option 'Automatic logon with current username and password' must be selected in the Security settings dialog box for the Trusted Sites zone (section: User Authentication - Logon).
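The two client settings above, applied to the current user's profile with PowerShell. This is an added example and not part of the original post; the host and domain names are placeholders, and it assumes the registry layout Internet Explorer uses for zone mapping (ZoneMap\Domains) and for the per-zone Logon setting (value 1A00 under Zones\2, where 2 is the Trusted Sites zone).

```powershell
# Added example (not from the original post). Puts http://<host>.<domain> in
# the Trusted Sites zone and sets that zone to log on automatically with the
# current user name and password, then reads both settings back.
$AppDnsDomain = 'contoso.com'   # placeholder DNS domain
$AppHostName  = 'appsvr01'      # placeholder host running the application service

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Zone mapping: the domain is a key, each host a sub-key, and one DWORD
#    per scheme names the zone (2 = Trusted Sites).
$siteKey = Join-Path $inetSettings "ZoneMap\Domains\$AppDnsDomain\$AppHostName"
New-Item -Path $siteKey -Force | Out-Null
New-ItemProperty -Path $siteKey -Name 'http' -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Logon setting for the Trusted Sites zone (Zones\2, value 1A00):
#    0 = automatic logon with current user name and password.
$zoneKey = Join-Path $inetSettings 'Zones\2'
New-ItemProperty -Path $zoneKey -Name '1A00' -PropertyType DWord -Value 0 -Force | Out-Null

# 3. Verification: read back what was written.
$mapped = (Get-ItemProperty -Path $siteKey -Name 'http').http
$logon  = (Get-ItemProperty -Path $zoneKey -Name '1A00').'1A00'
"http://$AppHostName.$AppDnsDomain -> zone $mapped; Trusted Sites logon setting (1A00) = $logon"
```

Restart Internet Explorer after running it. Note that it changes only the current user's HKCU settings; if the zone settings are enforced by Group Policy, the policy values take precedence and the change has to be made there instead.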
