Configure Monitoring Server for Kerberos delegation

Updated: 2009-10-29

To help implement a more secure deployment, we recommend that non-PerformancePoint Monitoring Server services not share the same set of credentials, nor have access to the resources that the Monitoring Server Configuration Manager sets up — for example, the application database.

Note

Where Windows SharePoint Services 3.0 is mentioned in this article, the same information and procedures apply to Microsoft Office SharePoint Server 2007.

To configure Kerberos delegation for Monitoring Server, you will need to perform the following basic steps:

  • Configure Windows SharePoint Services for Kerberos authentication   Any Windows SharePoint Services Web applications that host a Web site where you publish PerformancePoint Monitoring Server data must be configured for Kerberos authentication.

  • Configure Internet Information Services   For each Web site associated with PerformancePoint Monitoring Server, including Windows SharePoint Services Web sites, you must modify the Web.config file and make sure the Web site is configured to work with Kerberos.

  • Configure Kerberos delegation on Windows Server 2008 with Internet Information Services 7.0   You must follow specific steps to configure Kerberos delegation when you install the Monitoring server on Windows Server 2008 and use IIS 7.0.

  • Configure Service Principal Names (SPNs)   Both the service accounts for Web sites associated with PerformancePoint Monitoring Server and the service accounts for data sources containing your PerformancePoint Monitoring Server data require SPNs.

  • Configure application pool accounts   You must update the configuration for the domain accounts used to run the application pools associated with PerformancePoint Monitoring Server and Windows SharePoint Services Web sites to be trusted for delegation.

  • Configure client computers   On each client computer that will access PerformancePoint Monitoring Server data, confirm that Internet Explorer is configured to allow Integrated Windows authentication, and add the needed sites to the Trusted Sites list.

  • Optional - Configure constrained delegation   For best security, you can restrict which services are trusted for delegation.

The following sections will walk you through each of these steps in detail.

Important

Once Kerberos configuration is completed, remember to grant the needed user permissions for your data sources.

Note

While you can use standard service accounts such as Network Service to run the application pools for your Internet Information Services (IIS) Web sites, this is not a secure configuration and should only be used in test or pre-production environments. The procedures in the following sections assume that you are using domain accounts to run the application pools.

The following table lists the permissions you need for the procedures described in this article.

Task Permission

SharePoint Products and Technologies configuration

Farm Administrator

Service Principal Name configuration

Domain Administrator

Internet Information Services configuration

Local Administrator

Configuring Windows SharePoint Services for Kerberos authentication

In order for Kerberos delegation to function correctly, you must configure the Windows SharePoint Services Web application that hosts the Web site associated with PerformancePoint Monitoring Server for Kerberos delegation. Perform the following procedure for each Windows SharePoint Services Web application hosting a site where you publish PerformancePoint Server data.

Configure Windows SharePoint Services for Kerberos authentication

  1. Open the SharePoint Central Administration Web site.

  2. On the Application Management tab, under Application Security, click Authentication Providers.

  3. Select the Web application associated with the PerformancePoint Monitoring Server Windows SharePoint Services site from the Web Application menu.

  4. Under Zone, click Default.

  5. On the Edit Authentication page, in the IIS Authentication Settings section, select the Integrated Windows authentication check box, and then select the Negotiate (Kerberos) option.

  6. Click OK on the information dialog box.

    Note

    The additional configuration referenced in the information dialog box will occur when you create SPNs for the service account in a later procedure.

  7. Click Save.

For more information about configuring Kerberos for Office SharePoint Server 2007, see Configure Kerberos authentication (Office SharePoint Server).

Configuring Internet Information Services

During PerformancePoint Monitoring Server configuration, the NT Authentication Provider property value is changed from the default value of “Negotiate,NTLM” to “NTLM.” This value must be reset to the default, otherwise Kerberos authentication will fail.

Both the Web site used by PerformancePoint Monitoring Server (PPSMonitoring) and the Windows SharePoint Services Web site you configured to work with PerformancePoint Monitoring Server must have an NT Authentication Provider property value of “Negotiate,NTLM”. You can check the current value by using the following procedure.

Check the NT Authentication Provider property value

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand the local computer node, and then click Web Sites. Note the number listed in the Identifier column in the right pane for the Web site that you want to check.

    Note

    For a computer running PerformancePoint Monitoring Server, this will be the PPSMonitoring Web site. For a computer running Windows SharePoint Services, this will be the Windows SharePoint Services site that you created to use with PerformancePoint Monitoring Server. PerformancePoint Monitoring Server and Windows SharePoint Services may or may not be installed on the same computer depending on your configuration.

  3. Open a Command Prompt window and change to the following directory:

    %systemdrive%\Inetpub\adminscripts
    
  4. Type the following command, where SiteNumber is the site identifier number you noted in step 2:

    cscript adsutil.vbs GET w3svc/SiteNumber/Root/NTAuthenticationProviders
    

If the value returned from the procedure above is (STRING) "Negotiate,NTLM", then the Web site is properly configured. If the value returned is (STRING) "NTLM", then you must reconfigure the NT Authentication Provider property. Use the following procedure to set the NT Authentication Provider property value to “Negotiate,NTLM”.

Configure the NT Authentication Provider property value

  1. Open IIS Manager and determine the Identity number of the site that you want to change as described in the procedure "Check the NT Authentication Provider property value," above.

  2. Open a Command Prompt window and navigate to the following directory:

    %systemdrive%\Inetpub\adminscripts
    
  3. Type the following command, where SiteNumber is the site identifier number you noted in step 1:

    cscript adsutil.vbs SET w3svc/SiteNumber/Root/NTAuthenticationProviders "Negotiate,NTLM"
    

    Important

    Make sure that there is no space character in “Negotiate,NTLM”.

In order to force the Web application to delegate the current user’s identity, it is necessary to modify the Web.config file for the WebService, Preview, and Windows SharePoint Services Web sites. In most applications, the Web.config setting of <Identity Impersonate=true> forces the Web application to delegate the user’s identity. PerformancePoint Monitoring Server behaves differently in that the application explicitly forces a revert to the process user when making external calls unless the setting Bpm.ServerConnectionPerUser property has been enabled.

Perform the following procedure for each of the PerformancePoint Monitoring Server Web sites (WebService and Preview) and the Windows SharePoint Services site.

Configure the Web.config file

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand the local computer node.

  3. Right-click the site, and then click Explore

    Note

    The Preview and WebService sites for PerformancePoint Monitoring Server are located under the PPSMonitoring site.

  4. In the right pane, right click the Web.config file, and then click Open.

  5. Search for the Bpm.ServerConnectionPerUser property in the document.

  6. Change the value to true.

  7. Save the changes to the Web.config file.

  8. Restart IIS.

For more information about configuring IIS to work with Kerberos, see How to troubleshoot Kerberos-related issues in IIS (https://support.microsoft.com/kb/326985) in the Microsoft Knowledge Base.

Configuring Kerberos delegation on Windows Server 2008 with Internet Information Services 7.0

If you are using Windows Server 2008 with IIS 7.0, you must configure Kernel Mode Authentication to use the application pool credentials or disable Kernel Mode Authentication. There are two ways of configuring Kernel Mode Authentication to use the application pool credentials.

Note

We recommend that you disable Kernel Mode Authentication in Office SharePoint Server 2007 to support a variety of different Internet browsers.

Command-line method

  1. Open a Command Prompt window and navigate to the following directory: %windir%\system32\inetsrv\

  2. Type and execute the following command: appcmd set config "SharePoint - 80" /section:windowsauthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

Manual method

  1. Open the applicationHost.config file, usually located in: %systemroot%\System32\inetsrv\config\

  2. Locate the SharePoint location - <location path="SharePoint - 80">

  3. Locate the code entry - <windowsAuthentication enabled="true"> and replace it with the following:<windowsAuthentication enabled="true" useAppPoolCredentials="true">

  4. Save your changes and then refresh the page.

Note

In some situations, setting useAppPoolCredentials to True may cause issues. See this Microsoft Knowledge Base article (https://go.microsoft.com/fwlink/?LinkId=152330&clcid=0x409) for details.

Follow the steps listed in the section titled “Configuring Internet Information Services” to complete the PerformancePoint Monitoring Server configuration. There are no additional configuration steps for Windows Server 2008 and Internet Information Services 7.0.

Disable Kernel Mode Authentication

  1. Open IIS Manager and navigate to the level you want to manage.

  2. On the Authentication page, select Windows Authentication.

  3. In the Actions pane, select Advanced Settings. The Advanced Settings dialog box appears.

  4. Clear the check box to disable Kernel Mode Authentication.

Configuring Service Principal Names

Service principal names (SPNs) are associated with the security principal (user or groups) in whose security context a service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service. Or, it can obtain information from a trusted third party, such as the Active Directory directory service. A service principal name is associated with an account, and an account can have many service principal names. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

Each domain account used to run an application pool must have an SPN associated with it. Perform the following procedure for each application pool identity.

Important

We highly recommend that the PPSMonitoringPreview application pool and the PPSMonitoringWebService application pool run under the same domain account. If Windows SharePoint Services is running on the same server, then the Windows SharePoint Services application pool should also use the same account. If you use different accounts, then you must specify a port number when you create the SPN.

Additionally, make sure the root site is configured to use the same application pool identity as the subsites: PPSMonitoringPreview and PPSMonitoringWebService.

Configure an SPN for PerformancePoint Web services

  1. On the domain controller, install the Manipulate Service Principal Names for Accounts tool (https://go.microsoft.com/fwlink/?LinkId=125730).

  2. Open a Command Prompt window.

  3. For each application pool domain account, run the following commands:

    setspn -A HTTP/<ServerName>.<Fully qualified domain name> <Account>
    setspn -A HTTP/<ServerName> <Account>
    

    where ServerName is the name of the computer where the Web site is hosted and Account is the domain account running the application pool.

Data sources must also have SPNs associated with them in order for Kerberos delegation to work.

Note

Though you can run application pools using the Network Service account rather than a domain account, this is not considered secure and is not recommended.

Configure Monitoring Server data sources by setting SPNs for the services

  1. Log on to the domain controller.

  2. Download the Manipulate Service Principal Names for Accounts (Setspn.exe) tool (https://go.microsoft.com/fwlink/?LinkID=82039).

  3. Add an SPN for each of the associated services. For example:

    • For Microsoft SQL Server 2005 Analysis Services running under a domain account, run the following commands:

      setspn -A MSOLAPSvc.3/<Server Name>.<Fully qualified domain name> <domain\username>
      setspn -A MSOLAPSvc.3/<Server Name> <domain\username>
      
    • For Microsoft SQL Server 2000 Analysis Services running under a domain account, run the following commands:

      setspn -A MSOLAPSvc/<Server Name>.<Fully qualified domain name> <domain\username>
      setspn -A MSOLAPSvc/<Server Name> <domain\username>
      

Note

Though you can run the Analysis Services service using the Network Service account rather than a domain account, this is not considered secure and is not recommended.

For more information about setting SPNs, see the following articles:

Configuring application pool accounts

Each domain account used to run an application pool associated with a user accessible PerformancePoint Monitoring Server Web site must be trusted for delegation. In a typical PerformancePoint Monitoring Server deployment, these are:

  • The PPSMonitoringPreview application pool

  • The PPSMonitoringWebService application pool

  • The Windows SharePoint Services application pool for the site associated with PerformancePoint Monitoring Server

If you are unsure which account is used to run each application pool, use the following procedure to find the application pool account.

Determine the application pool account

  1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Expand the local computer node, and then expand Application Pools.

  3. Right-click the application pool that you want to check, and then click Properties.

  4. Click the Identity tab and note the account shown in the User name field.

    Note

    If the application pool is running under a predefined account, then you will need to create and assign a domain account.

  5. Click Cancel.

For each application pool account being used to run the application pools listed above, use the following procedure to configure account delegation.

Configure the application pool account

  1. On the domain controller, open Active Directory Users and Computers, and then click Users.

  2. Right-click the application pool account, and then click Properties.

  3. On the Account tab, select the Account is trusted for Delegation check box.

  4. Verify that the Account is sensitive and cannot be delegated check box is cleared.

  5. Click OK.

The application pool account must also be a member of the IIS_WPG group on the computer running IIS. If you specified the application pool account when you set up PerformancePoint Monitoring Server, this will have been done automatically. If you have changed the application pool account since you installed PerformancePoint Monitoring Server, you must manually add it to the IIS_WPG group on the computer running IIS.

Configuring client computers

Each client computer that needs to access data using Kerberos delegation must allow Integrated Windows authentication. Depending on your organization’s standards, this may already be enabled. If this is not enabled, perform the following procedure on each client computer that needs to access data using Kerberos delegation.

Configure client computers

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. On the Advanced tab, ensure that the Enable Integrated Windows Authentication check box is selected.

  3. Close the Internet Options dialog box.

You will also want to confirm that the appropriate SharePoint Products and Technologies URLs have been added to the Trusted Sites list in Internet Explorer. For more information, see Security zones: adding or removing Websites (https://go.microsoft.com/fwlink/?LinkId=144657).

The most secure implementation of Kerberos delegation is to prevent the usage of delegation by any services that you do not explicitly enable. This is known as constrained delegation.

Constrained delegation is not required for Kerberos to work with Microsoft Office PerformancePoint Server 2007, but it is highly recommended. Constrained Delegation restricts which services are allowed to delegate user credentials. This prevents unauthorized applications from logging into remote services on behalf of the user.

If you choose to configure constrained delegation, we recommend that you test your Kerberos configuration with unconstrained delegation and resolve any issues you might encounter prior to configuring constrained delegation.

Note

Kerberos constrained delegation is not supported in a Windows 2000 Mixed or Native functional level domain. Though constrained delegation is more secure, you can still use Kerberos with a Windows 2000 Mixed or Native functional level domain without constrained delegation.

To configure constrained delegation, you must specify which services trust the application pool identity to present credentials. For constrained delegation to work properly, each application pool identity (both Windows SharePoint Services and Microsoft Office PerformancePoint Server 2007) must be trusted for delegation for the specific services associated with the data source.

For example, the following table shows a Microsoft Office PerformancePoint Server 2007 deployment with Microsoft Office PerformancePoint Server 2007 running on Server1, Windows SharePoint Services running on Server2, and SQL Server Analysis Services (the data source) running on Server3.

Server Name Service/Application Pool ServiceClass Service Account

Server1

PPSMonitoringPreview and PPSMonitoringWebService application pools

HTTP

contoso\PPS-Svc

Server2

Windows SharePoint Services application pool

HTTP

contoso\WSS-Svc

Server3

SQL Server 2005 Analysis Services

MSOLAPSvc.3

contoso\AS-Svc

For constrained delegation to work in this example, the following trust relationships must be established:

  • The Analysis Services service on Server3 must trust credentials presented by the service account running the Web service on Server1 (contoso\PPS-Svc).

    This is accomplished by adding the Analysis Services service on Server3 to the list of specified delegation services in the contoso\PPS-Svc account settings.

  • The Analysis Services service on Server3 must trust credentials presented by the service account running the Web service on Server2 (contoso\WSS-Svc).

    This is accomplished by adding the Analysis Services service on Server3 to the list of specified delegation services in the contoso\WSS-Svc account settings.

Specifying these trust relationships is done using Active Directory Users and Computers to modify the user account settings for each application pool identity account. Perform the following procedure for each application pool account associated with your Microsoft Office PerformancePoint Server 2007 deployment.

Configure a service account for Kerberos constrained delegation

  1. Log on to the domain controller.

  2. On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  3. Expand the domain node, and then click Users.

  4. Right-click the application pool identity user account, and then select Properties.

  5. On the Delegation tab, verify that the Trust this user for Delegation to specified Services only option is selected.

  6. Select Use Kerberos Only.

  7. Click Add.

  8. Click Users or Computers.

  9. Enter the domain and user name of the account running the service that you want to have accept Kerberos credentials, and then click OK.

  10. The Available Services values will appear for the account that you selected. Select the appropriate service and click OK.

    Note

    This will normally be the Web service associated with the application pool identity that you are modifying or any services associated with data sources that you want to be able to access using Kerberos authentication.

  11. Repeat steps 8 through 10 for each service that you want to accept credentials from this account.

  12. Click OK to close the account properties dialog box.

For more information about constrained delegation, see Configuring Constrained Delegation for Kerberos (IIS 6.0) (https://go.microsoft.com/fwlink/?LinkId=144659).

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for PerformancePoint Monitoring Server.

See Also