Configure the Monitoring Server application pool identity
This topic provides details about configuring the application pool identity for Monitoring Server.
During Monitoring Server setup, when the Monitoring Server Internet Information Services (IIS) component is installed, you specify an identity account for the Monitoring Server application pool.
Planning Server also requires an application pool identity account. However, because Planning Server runs in a separate application pool, you can specify a separate account.
The interaction points for the application pool identity account are the following:
On computers on which the Monitoring Server IIS component is installed, permissions for the Monitoring Server application pool identity account are automatically configured during installation. The following IIS application pools are created during installation and run under the Monitoring Server application pool identity:
On servers that run Microsoft SQL Server 2005 Analysis Services, the Monitoring Server application pool identity account must be granted read access to the catalogs and cubes that are to be monitored. Read access must be provided to create a data source in Dashboard Designer.
Choosing an account type to use with the Monitoring Server application pool identity account
You can configure the PerformancePoint Monitoring Server application pool identity account to use either of two account types: the Network Service account and a domain user account. The type of account you use should fit the needs of your domain and security model. Each account type offers separate features that will enable you to secure and maintain your Monitoring Server deployment.
Network Service account
The Network Service account is a built-in account that has fewer access rights on the system than the LocalSystem account, but is still able to interact throughout the network by using the computer account credentials. A service that runs as the Network Service account accesses network resources by using the credentials of the computer account in the same manner as a LocalSystem service does. The actual name of the account is NT AUTHORITY\NetworkService, and it does not have a password that an administrator needs to manage.
Domain user account
Domain user accounts include accounts that you create in the domain — for example, by using the Active Directory® Users and Computers management console. Domain user accounts have limited access rights in the domain unless you specifically grant them access or add them to groups that already possess those access rights.
Monitoring Server application pool identity account considerations
The identity account that you use for the Monitoring Server application pool must be a member of the BpmDeveloper and BpmViewer group on each computer that runs Microsoft SQL Server 2005 to which Monitoring Server connects. In addition, the application pool identity account cannot be a group account. It must be a unique account that has been granted local and domain access.
The Monitoring Server application pool identity account must have the following user rights:
Access computer from the network
Log on as a batch job
Log on as a service
Monitoring Server Configuration Manager adds the application pool identity account to:
The IIS_WPG group.
A local security policy on the computer.
SQL Server security logins
Download this book
This topic is included in the following downloadable book for easier reading and printing:
See the full list of available books at Downloadable content for PerformancePoint Monitoring Server.