
Kerberos Delegation

Revision as of 10:31, 11 October 2013 by Csalter (Information Required)

Introduction

Kerberos will need to be configured if XLCubedWeb is installed on a different server to the underlying database and the Website is configured to use Windows Authentication.

If you have this type of setup and Kerberos isn't configured then you will receive a message such as "Server is unavailable" for Analysis Services or a "(null) user" error for SQL Server when trying to access published reports.

Most corporations have a standard setup for Kerberos and this would be handled by the Domain Administrators. The following is a guide to configuring Kerberos in the simplest case, but it is by no means a "Best practice" guide, as each domain setup and infrastructure can vary enormously.

There are also many other factors that can impact a successful implementation of Kerberos, such as network infrastructure, client security settings and software. The following guide will assume that all the clients will be running Internet Explorer and there is only one domain with everything located on the same physical network with no firewalls/routers that could filter Kerberos requests.

Information Required

Before configuring Kerberos you will need to know the following information:


  • What the network's domain name is - this is needed to get a server's Fully Qualified Domain Name (FQDN): server.domain
  • The name and FQDN of the Web Server: Webserver
  • The name and FQDN of the Analysis Services: ASServer
  • The name and FQDN of the SQL Server (if allowing SQL connections): SQLServer
  • The port SQLServer is running under (if allowing SQL connections)
  • The User ID for the XLCubed Application Pool configured for the XLCubedWeb website: WebUser
  • The User ID the Analysis Services service is running as: ASUser
  • The User ID the SQL Server service is running as: SQLUser

User ID format

If the User IDs are domain accounts then the format needed is simply:

domain\user

If the accounts are special accounts (such as local system, network server) then they would take the form:

server\NETWORK

Access Required

You will need to be a Domain Administrator to perform any of the configuration steps.

Domain configuration

Enable Delegation

The first step is to enable delegation on ALL the machines involved in the process:

  • WebServer
  • ASServer
  • SQLServer

This is a domain level setting and is set using the "Active Directory Users and Computers" administrative tool which is part of the Microsoft Admin Tools Pack and would normally be on the Domain Controller.

[Image: ComputerDelegation.png]


If there is more than one domain controller then you would need to either initiate propagation or wait for this change to be applied to all the domain controllers.

Set SPNs

The Service Principal Names (SPNs) are set using a command line tool: setspn. This needs to be run in an Administrator Command Prompt with an account that has Domain Admin privileges.

If there is more than one domain controller then you would need to wait for this change to propagate to all the servers.

Web Server

 setspn -A http/WebServer WebUser
 setspn -A http/WebServerFQDN WebUser

Example:

 setspn -A http/webserver domain\appooluser
 setspn -A http/webserver.domain.com domain\appooluser


Analysis Services

 setspn -A MSOLAPSvc.3/ASServer ASUser
 setspn -A MSOLAPSvc.3/ASServerFQDN ASUser

SQL Server

 setspn -A MSSQLSvc/SQLServer:1433 SQLUser
 setspn -A MSSQLSvc/SQLServerFQDN:1433 SQLUser

Where 1433 would be replaced with the appropriate SQL Server port number.
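
To check the result of the setspn commands above, the following added example (not part of the original XLCubed guide) looks up each expected SPN in Active Directory and reports whether it is missing, registered more than once, or registered on the wrong account. All server names, the domain suffix and the account names are constructed placeholders; accounts are compared by sAMAccountName, so use the user part of domain\user.

```powershell
# Added example: verify that each SPN from this guide is registered exactly once,
# on the intended service account. Every name below is a constructed placeholder.
$domainSuffix = 'domain.com'   # assumption: the domain part of the FQDN
$sqlPort      = 1433           # replace with the actual SQL Server port

$services = @(
    @{ Class = 'http';        Server = 'webserver'; Port = $null;    Account = 'appooluser' }
    @{ Class = 'MSOLAPSvc.3'; Server = 'asserver';  Port = $null;    Account = 'asuser' }
    @{ Class = 'MSSQLSvc';    Server = 'sqlserver'; Port = $sqlPort; Account = 'sqluser' }
)

function Get-ExpectedSpn {
    param($Service, [string]$DomainSuffix)
    # The guide registers every service under both the short name and the FQDN.
    foreach ($name in $Service.Server, "$($Service.Server).$DomainSuffix") {
        $spn = "$($Service.Class)/$name"
        if ($Service.Port) { $spn += ":$($Service.Port)" }
        $spn
    }
}

function Test-Spn {
    param([string]$Spn, [string]$Account)
    # Find every directory object that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    if     ($owners.Count -eq 0)     { $status = 'MISSING' }
    elseif ($owners.Count -gt 1)     { $status = 'DUPLICATE' }
    elseif ($owners[0] -ne $Account) { $status = 'WRONG ACCOUNT' }
    else                             { $status = 'OK' }

    [pscustomobject]@{
        Spn = $Spn; Expected = $Account; Found = ($owners -join ', '); Status = $status
    }
}

$services | ForEach-Object {
    $svc = $_
    Get-ExpectedSpn -Service $svc -DomainSuffix $domainSuffix |
        ForEach-Object { Test-Spn -Spn $_ -Account $svc.Account }
} | Format-Table -AutoSize
```

Run it from a domain-joined machine once the changes have propagated to all domain controllers. setspn -X performs a domain-wide duplicate check with the same tool used above.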

IIS Configuration

XLCubed Configuration