Kerberos authentication and delegation for Planning Server

Updated: 2009-04-09

Impersonation enables a Web application or service to act on behalf of the caller's identity to access local resources instead of using the process identity. Delegation enables a Web application or service to use the impersonation token to access remote network resources.

Delegation operates based on Integrated Windows authentication and the Kerberos protocol. Both Monitoring Server and Planning Server have configurations that require the use of delegation. Deployment of Planning Administration Console with the client and front-end Web servers located on different computers requires that the service be able to pass the credentials of the authenticated user to the front-end service. Monitoring Server requires delegation if the Bpm.ServerConnectionPerUser property in the Web.config file is set to true and the services and Web sites that are registered as data sources are set up on remote computers. The Bpm.ServerConnectionPerUser setting forces Monitoring Server to attempt to use the identity of the authenticated user when communicating with external data sources such as Analysis Services.

Configuring delegation on a Web site requires changes to the domain user accounts, the service principal names (SPNs) on the domain, and the client and middle-tier servers. This section outlines the changes that are required to get Planning Server working using delegation. Some configuration options are explained, including constrained delegation and how different application pool identities change the setup steps. Constrained delegation is available only at the Windows Server 2003 domain functional level.
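The following added example (not part of the original documentation or the product) checks the condition described above: whether Bpm.ServerConnectionPerUser together with remote data sources makes delegation necessary, and whether the application pool account is set up for constrained or unconstrained delegation. The host names, the sample Web.config layout (key under `<appSettings>`), and the exported account attributes (`userAccountControl`, `msDS-AllowedToDelegateTo`) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# userAccountControl bit for unconstrained delegation (TRUSTED_FOR_DELEGATION).
TRUSTED_FOR_DELEGATION = 0x80000

# Constructed sample; placing the key under <appSettings> is an assumption.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Bpm.ServerConnectionPerUser" value="true" />
  </appSettings>
</configuration>"""

def per_user_enabled(web_config_xml):
    """Return True when Bpm.ServerConnectionPerUser is set to true."""
    for node in ET.fromstring(web_config_xml).iter("add"):
        if node.get("key") == "Bpm.ServerConnectionPerUser":
            return (node.get("value") or "").strip().lower() == "true"
    return False

def delegation_mode(uac, allowed_spns):
    """Classify the account from userAccountControl and msDS-AllowedToDelegateTo."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    return "constrained" if allowed_spns else "none"

def audit(web_config_xml, local_host, data_source_hosts, uac, allowed_spns):
    """Return (delegation_needed, mode, findings) for one service account."""
    remote = [h.lower() for h in data_source_hosts if h.lower() != local_host.lower()]
    needed = per_user_enabled(web_config_xml) and bool(remote)
    mode = delegation_mode(uac, allowed_spns)
    findings = []
    if needed and mode == "none":
        findings.append("delegation required but account is not trusted for delegation")
    if mode == "unconstrained":
        findings.append("unconstrained delegation; limit the account to specific SPNs")
    if needed and mode == "constrained":
        # SPN form: serviceclass/host[:port-or-instance]
        spn_hosts = {s.split("/")[1].split(":")[0].lower() for s in allowed_spns if "/" in s}
        findings += [f"no allowed SPN for {h}" for h in remote if h not in spn_hosts]
    if not needed and mode != "none":
        findings.append("account is trusted for delegation but the configuration does not need it")
    return needed, mode, findings

if __name__ == "__main__":
    # Constructed hosts and attributes: app pool account with unconstrained delegation.
    print(audit(SAMPLE_WEB_CONFIG, "web01.example.test", ["as01.example.test"],
                0x200 | TRUSTED_FOR_DELEGATION, []))
```

Host names are compared exactly as written, so an SPN registered with a short name does not match a data source listed by its fully qualified name.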

The topics in this section refer to the following PerformancePoint Server Web sites for the Planning Server default deployment.

  • Administrative Service and front-end Web server

For more information, see Troubleshooting Kerberos Delegation (https://go.microsoft.com/fwlink/?LinkId=99662).
