Configure Planning Server for basic Kerberos authentication

The most basic delegation configuration uses the default Network Service account as the application pool identity for the Microsoft Office PerformancePoint Server 2007 Web sites. PerformancePoint Planning does not support this type of configuration; it supports only valid domain user accounts. Delegation is simpler to set up with Network Service because that account already has all of the required permissions and service principal names (SPNs) assigned to it. However, using Network Service presents security risks and is not recommended for a production deployment. For information about configuring Kerberos delegation in a production environment, see Configure Planning Server for Kerberos delegation by using a domain user account.

Configure Kerberos delegation for a Windows 2000 Server functional domain

  1. On the domain controller, open Active Directory Users and Computers.

  2. Click Computers.

  3. For each of the PerformancePoint Server Web sites and data source servers in the deployment, right-click the computer, and then select Properties. Verify that the Trust computer for Delegation check box is selected for each computer.

Configure Kerberos delegation for a Windows Server 2003 functional domain

  1. On the domain controller, open Active Directory Users and Computers.

  2. Click Computers.

  3. For each of the PerformancePoint Server Web sites and monitoring data source servers in the deployment, right-click the computer, and then select Properties. On the Delegation tab, select the Trust this computer for delegation to any service (Kerberos only) option.

Configure PerformancePoint Planning Web Services

  1. Locate the numeric identifier for both the Planning Administration Console and front-end Web sites in Planning.

    1. Click Start, click Run, type INETMGR, and then press ENTER.

    2. Expand the local computer node.

    3. Click the Web Sites folder.

      The identifier for each Web site is listed in the Identifier column.

  2. Open a Command Prompt window and change to the following directory.

    %systemdrive%\Inetpub\adminscripts

  3. Type the following command for each identifier:

    cscript adsutil.vbs SET w3svc/IDENTIFIER#/Root/NTAuthenticationProviders "Negotiate,NTLM"

    Note

    This setting is not always applied automatically. For more information, see How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=99929&clcid=0x409).

  4. Restart Internet Information Services (IIS).
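
Steps 2 through 4 above as one batch file, with a read-back check after each change. This is an added example, not part of the original page. The site identifiers 1 and 2 in SITE_IDS are constructed placeholders, and the check assumes that adsutil.vbs GET echoes the stored string in its output.

```bat
@echo off
rem Added example: applies the NTAuthenticationProviders setting to each
rem Web site identifier and reads the value back to confirm it was stored.
setlocal

rem Constructed placeholders. Replace with the values from the Identifier
rem column in IIS Manager for the Planning Administration Console and
rem front-end Web sites.
set SITE_IDS=1 2

cd /d %systemdrive%\Inetpub\adminscripts || exit /b 1

for %%I in (%SITE_IDS%) do (
    echo --- Site %%I: value before change
    cscript //nologo adsutil.vbs GET w3svc/%%I/Root/NTAuthenticationProviders

    echo --- Site %%I: setting "Negotiate,NTLM"
    cscript //nologo adsutil.vbs SET w3svc/%%I/Root/NTAuthenticationProviders "Negotiate,NTLM"

    rem Read the value back. If the expected string is missing, the site
    rem would not offer Negotiate (Kerberos) and the setting was not applied.
    cscript //nologo adsutil.vbs GET w3svc/%%I/Root/NTAuthenticationProviders | findstr /i /c:"Negotiate,NTLM" >nul || echo WARNING: site %%I does not report Negotiate,NTLM
)

rem Step 4: restart IIS so that the new provider list takes effect.
iisreset /restart

endlocal
```

Run the file from a Command Prompt window on each server that hosts the Planning Web sites. A WARNING line means the value for that identifier should be checked by hand before continuing.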

Configure client computers

  1. In Internet Explorer, on the Tools menu, click Internet Options.

  2. On the Advanced tab, ensure that the Enable Integrated Windows Authentication check box is selected.

  3. Close the Internet Options dialog box.