Configure Planning Server for Kerberos delegation by using a domain user account

To help implement a more secure deployment, we recommend that you use a domain user account that you assign only to the Microsoft Office PerformancePoint Server 2007 application pools instead of using the Network Service account. This configuration is more secure because you can grant the domain user account only the permissions it needs. Additionally, no other services share the same set of credentials, and no other services have access to the resources that the Configuration Manager Wizard sets up, such as the application database. Nonetheless, delegation is not totally secure in this mode. The delegation configured in this article is unconstrained: the user's forwarded ticket-granting ticket is cached on the Web server, and other services on that computer that run as Network Service (or with equivalent privileges) can still obtain the impersonation token and use the user's credentials against any service in the domain.

Configure Kerberos delegation for a Windows 2000 Server functional domain

  1. On the domain controller, open Active Directory Users and Computers, and then click Computers.

  2. For each computer account of the PerformancePoint Server Web servers and data source servers in the deployment, right-click the computer, click Properties, and then verify that the Trust computer for delegation check box is selected.

  3. Set a service principal name (SPN) for each of the PerformancePoint Server Web sites by using the following steps.

    1. Log on to the domain controller.

    2. Download the Manipulate Service Principal Names for Accounts tool (https://go.microsoft.com/fwlink/?LinkID=99939&clcid=0x409).

    3. Add an SPN for each PerformancePoint Server Web site on the application pool identity account by typing the following commands (one for the fully qualified name and one for the short name, because clients may use either to reach the site):

      setspn -A HTTP/<serverName>.<Fully qualified domain name> <Account>

      setspn -A HTTP/<serverName> <Account>

Configure Kerberos delegation for a Windows Server 2003 functional domain

  1. On the domain controller, open Active Directory Users and Computers, and then click Computers.

  2. For each computer account of the PerformancePoint Server Web servers and data source servers in the deployment, right-click the computer, click Properties, and then on the Delegation tab select Trust this computer for delegation to any service (Kerberos only). This is unconstrained delegation: the server can present the forwarded credentials to any service in the domain. The same tab also offers Trust this computer for delegation to specified services only, which limits the forwarded credentials to the services you list; this article does not describe that configuration.

  3. Set an SPN for each of the PerformancePoint Server Web sites by using the following steps.

    1. Log on to the domain controller.

    2. Download the Manipulate Service Principal Names for Accounts tool (https://go.microsoft.com/fwlink/?LinkID=99939&clcid=0x409).

    3. Add an SPN for each PerformancePoint Server Web site on the application pool identity account by typing the following commands (one for the fully qualified name and one for the short name, because clients may use either to reach the site):

      setspn -A HTTP/<serverName>.<Fully qualified domain name> <Account>

      setspn -A HTTP/<serverName> <Account>
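
The SPN registration in both procedures above is the step that most often goes wrong in practice, because an SPN that already exists on another account (for example, a computer account or a previous service account) makes the KDC unable to decide which key to use, and Internet Explorer then falls back to NTLM without any visible error. The following Windows PowerShell script is an added example, not part of the original article or of PerformancePoint Server. It searches the domain for existing holders of the two HTTP SPNs before registering them on the application pool account with setspn.exe. The server name ppsweb01, the DNS domain corp.example.com and the account CORP\svc-pps-apppool are assumed placeholder values.

```powershell
# Added example (not part of the original article). Registers the two HTTP SPNs
# for a PerformancePoint front-end Web site on the application pool account and
# first checks the domain for any other object that already holds those SPNs.
# Assumed values: server "ppsweb01", domain "corp.example.com",
# application pool account "CORP\svc-pps-apppool".

param(
    [string] $ServerName  = "ppsweb01",
    [string] $DnsDomain   = "corp.example.com",
    [string] $PoolAccount = "CORP\svc-pps-apppool"
)

$spns = @("HTTP/$ServerName.$DnsDomain", "HTTP/$ServerName")

# Search the whole domain for objects that already carry the given SPN.
# Two accounts holding the same SPN leave the KDC unable to choose a key,
# the Kerberos request fails, and clients silently fall back to NTLM.
function Find-SpnHolders([string] $spn) {
    $root = New-Object System.DirectoryServices.DirectoryEntry
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(servicePrincipalName=$spn)"
    [void] $searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }
}

# Compare on the sAMAccountName only; $PoolAccount is in DOMAIN\name form.
$poolSam = $PoolAccount.Split("\")[-1]

foreach ($spn in $spns) {
    $holders = @(Find-SpnHolders $spn | Where-Object { $_ -ne $poolSam })
    if ($holders.Count -gt 0) {
        Write-Warning ("{0} is already registered on: {1}. Remove it there " +
                       "(setspn -D {0} <account>) before continuing.") -f $spn, ($holders -join ", ")
        continue
    }
    # setspn.exe from the Manipulate Service Principal Names for Accounts tool.
    & setspn.exe -A $spn $PoolAccount
}

# Print the SPNs now held by the account so the result can be recorded.
& setspn.exe -L $PoolAccount
```

Run the script on the domain controller where setspn.exe was installed, using an account that may write the servicePrincipalName attribute. If a warning is printed, do not simply register the SPN a second time; remove the stale registration first, otherwise the duplicate persists and Kerberos still fails.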

Configure PerformancePoint Planning Web Services

  1. Verify that each Planning Server Web site has the application pool identity set to match what was entered in the SPN.

  2. Locate the numeric identifier for both the Planning Administration Console and front-end Web sites in PerformancePoint Planning by doing the following substeps.

    1. Click Start, click Run, type inetmgr, and then press ENTER.

    2. Expand the local computer node, and then click the Web Sites folder.

      The identifier for each Web site is listed in the Identifier column.

  3. Open a Command Prompt window and change to the following directory:

    %systemdrive%\Inetpub\adminscripts

  4. For each identifier, type the following command:

    cscript adsutil.vbs SET w3svc/<IDENTIFIER#>/Root/NTAuthenticationProviders "Negotiate,NTLM"

    Note

    This setting is not always automatically applied. For information, see How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=99929&clcid=0x409).

  5. Restart Internet Information Services (IIS).
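
The steps above are usually done site by site in IIS Manager and adsutil.vbs. The following Windows PowerShell script is an added example, not part of the original article or of PerformancePoint Server; it runs on the Web server, assumes Windows PowerShell is installed there, and uses the IIS 6.0 ADSI provider to do the same work for each listed site identifier: it reads the application pool identity, compares it with the account that holds the SPN (step 1), and sets NTAuthenticationProviders on the site root to Negotiate,NTLM (step 4). The site identifiers 1 and 2 and the account CORP\svc-pps-apppool are assumed placeholder values.

```powershell
# Added example (not part of the original article or of PerformancePoint Server).
# Requires Windows PowerShell on the IIS 6.0 Web server. For each site listed in
# $SiteIds it reports the application pool identity, checks it against the SPN
# account, and sets NTAuthenticationProviders on the site root to "Negotiate,NTLM",
# the same change the adsutil.vbs step makes one site at a time.
# Assumed values: site identifiers 1 and 2, SPN account "CORP\svc-pps-apppool".

param(
    [int[]]  $SiteIds     = @(1, 2),
    [string] $PoolAccount = "CORP\svc-pps-apppool"
)

$w3svc = [ADSI] "IIS://localhost/W3SVC"

foreach ($site in $w3svc.Children) {
    # The W3SVC container also holds AppPools, Filters and Info; keep only sites.
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }
    $id = [int] $site.Name
    if ($SiteIds -notcontains $id) { continue }

    $root     = [ADSI] "IIS://localhost/W3SVC/$id/Root"
    $poolName = "$($root.AppPoolId)"
    $pool     = [ADSI] "IIS://localhost/W3SVC/AppPools/$poolName"

    # AppPoolIdentityType 3 means a configurable account stored in WAMUserName;
    # 0, 1 and 2 are Local System, Local Service and Network Service.
    $identityType = [int] "$($pool.AppPoolIdentityType)"
    if ($identityType -eq 3) {
        $identity = "$($pool.WAMUserName)"
    } else {
        $identity = "built-in identity type $identityType"
    }

    if ($identity -eq $PoolAccount) {
        "Site $id ($($site.ServerComment)): pool $poolName runs as $identity, which matches the SPN account."
    } else {
        # A service ticket is encrypted with the SPN account's key; a worker
        # process running as a different account cannot decrypt it.
        Write-Warning ("Site $id ($($site.ServerComment)): pool $poolName runs as $identity, " +
                       "but the SPN is registered on $PoolAccount. Kerberos logons to this site will fail.")
    }

    # Negotiate must be present (and listed first) or IIS offers only NTLM.
    $current = "$($root.NTAuthenticationProviders)"
    if ($current -ne "Negotiate,NTLM") {
        $root.Put("NTAuthenticationProviders", "Negotiate,NTLM")
        $root.SetInfo()
        "Site $id: NTAuthenticationProviders changed from '$current' to 'Negotiate,NTLM'."
    }
}

# The metabase change takes effect after IIS is restarted (step 5): iisreset
```

After restarting IIS, a logon from a client should appear in the Web server's Security log with Authentication Package Kerberos; an NTLM entry for the same user means the SPN, the application pool identity or the provider list still does not line up.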

Configure user accounts

  1. On the domain controller, open Active Directory Users and Computers, and then click Users.

  2. Right-click the application pool account, and then click Properties.

  3. On the Account tab, verify that Account is trusted for delegation is selected. (In a domain at the Windows Server 2003 functional level this setting is on the account's Delegation tab instead, as Trust this user for delegation to any service (Kerberos only); the tab appears only after an SPN has been registered for the account.)

  4. For every user account that will access the system, verify that the Account is sensitive and cannot be delegated check box is cleared. If it is selected, the domain controller does not issue a forwardable ticket for that user, and Planning Server cannot reach the data sources on the user's behalf.

  5. If you did not set up the application pool identity as part of the Configuration Manager Wizard, add the application pool account to the local IIS_WPG group on each Web server.
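
The two check boxes in this procedure are bits in the userAccountControl attribute: TRUSTED_FOR_DELEGATION (0x80000) on the application pool account and NOT_DELEGATED (0x100000), the sensitive-account flag, on users. The following Windows PowerShell script is an added example, not part of the original article or of PerformancePoint Server; it verifies both from any domain-joined computer with an LDAP query rather than by opening each account in the GUI. The account name svc-pps-apppool is an assumed placeholder.

```powershell
# Added example (not part of the original article). Checks the userAccountControl
# flags behind the "Configure user accounts" steps: the application pool account
# must carry TRUSTED_FOR_DELEGATION, and any user that will use Planning Server
# must not carry NOT_DELEGATED ("Account is sensitive and cannot be delegated").
# Assumed account name: svc-pps-apppool.

param([string] $PoolAccountSam = "svc-pps-apppool")

$TRUSTED_FOR_DELEGATION = 0x80000    # ADS_UF_TRUSTED_FOR_DELEGATION
$NOT_DELEGATED          = 0x100000   # ADS_UF_NOT_DELEGATED

function Get-UacSearchResults([string] $ldapFilter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $ldapFilter
    $searcher.PageSize = 500
    [void] $searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userAccountControl"))
    $searcher.FindAll()
}

# 1. Is the application pool account trusted for (unconstrained) delegation?
$pool = Get-UacSearchResults "(&(objectCategory=user)(sAMAccountName=$PoolAccountSam))"
if ($pool.Count -ne 1) {
    throw "Account $PoolAccountSam was not found (or is not unique) in the domain."
}
$uac = [int] $pool[0].Properties["useraccountcontrol"][0]
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    "{0} is trusted for delegation (userAccountControl=0x{1:X})." -f $PoolAccountSam, $uac
} else {
    Write-Warning "$PoolAccountSam is NOT trusted for delegation; Planning Server cannot forward user credentials to the data sources."
}

# 2. Which users can never be delegated? The LDAP bitwise-AND matching rule
# (1.2.840.113556.1.4.803) filters directly on the flag.
$sensitive = Get-UacSearchResults "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=$NOT_DELEGATED))"
if ($sensitive.Count -eq 0) {
    "No accounts are marked 'sensitive and cannot be delegated'."
} else {
    "Accounts marked 'sensitive and cannot be delegated' (these users will not reach the data sources through Planning Server):"
    $sensitive | ForEach-Object { "  " + $_.Properties["samaccountname"][0] }
}
```

Do not clear the sensitive flag on accounts that were deliberately protected, such as domain administrators; those users should access Planning Server with a separate, less privileged account, because unconstrained delegation caches their forwarded ticket on the Web server.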

Configure client computers

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. On the Advanced tab, ensure that the Enable Integrated Windows Authentication check box is selected.

  3. On the Security tab, verify that the Planning Server site is in a zone whose settings allow automatic logon with the current user name and password (by default, the Local intranet zone). If the site is reached by a name that Internet Explorer places in the Internet zone, the browser prompts for credentials instead of using the logged-on user's Kerberos ticket.

  4. Close the Internet Options dialog box.