How to configure PerformancePoint Services in SharePoint Server 2010 for Kerberos authentication

Article ID: 2723073

Summary

This article describes how to configure PerformancePoint Services in Microsoft SharePoint Server 2010 for Kerberos authentication.

More information

Create PerformancePoint Services service account

As a best practice, PerformancePoint Services should run under its own domain identity. To configure the PerformancePoint Service Application, an Active Directory account must be created and registered as a managed account in SharePoint Server 2010. For more information, see Managed Accounts in SharePoint 2010. In this example, the following account is created and registered later in this scenario:


SharePoint Server service      IIS App Pool Identity
PerformancePoint Services      vmlab\svcPPS

* NOTE: You can optionally reuse a single domain account for multiple services. This configuration is not covered in the following sections.

Create an SPN for the Service Account that is running the PerformancePoint service on the Application Server

The Active Directory Users and Computers MMC snap-in is typically used to configure Kerberos delegation. To configure the delegation settings within the snap-in, the Active Directory object being configured must have a service principal name (SPN) applied; otherwise the Delegation tab will not be visible in the object's properties dialog. Although PerformancePoint Services does not require an SPN to function, we will configure one for this purpose. Note that if the service account already has an SPN applied (in the case of sharing accounts across services), this step is not required.

On the command line, run the following command:

SETSPN -S SP/PPS vmlab\svcPPS

Note: The SPN is not a valid SPN. It is applied to the specified service account only to reveal the delegation options in the Active Directory Users and Computers snap-in. There are other supported ways of specifying the delegation settings (specifically the msDS-AllowedToDelegateTo AD attribute), but that approach is not covered in this document.

Configure Kerberos constrained delegation from the PerformancePoint Services Service account to the SSAS Service and optionally for SQL Server service

To allow PerformancePoint Services to delegate the client's identity, Kerberos constrained delegation must be configured. You must also configure constrained delegation with protocol transition, because the Windows Identity Foundation Claims to Windows Token Service (C2WTS) converts a claims token into a Windows token without a Kerberos ticket from the client.

Each server running PerformancePoint services must be trusted to delegate credentials to each back-end service with which PerformancePoint will authenticate. In addition, the PerformancePoint services service account must also be configured to allow delegation to the same back-end services. Notice also that HTTP/Portal and HTTP/Portal.vmlab.local are configured to delegate in order to include a SharePoint list as an optional data source for your PerformancePoint dashboard.

In our example the following delegation paths are defined:

Principal Type    Principal Name
User              vmlab\svcC2WTS
User              vmlab\svcPPS

To configure constrained delegation

1. Open the Active Directory object's properties in Active Directory Users and Computers.

2. Navigate to the Delegation tab.

3. Select Trust this computer for delegation to specified services only.

4. Select Use any authentication protocol.

5. Click the Add button to select the service principal.

6. Select Users and Computers.

7. Select the service account running the service you wish to delegate to (SQL Server, SQL Server Analysis Services, or both).

Note: The service account selected must have an SPN applied to it. In our example, the SPN for this account was configured in a previous scenario. See the Kerberos Authentication for SQL OLTP and Kerberos Authentication for SQL Analysis Services sections of this document.

8. Click OK.

9. Select the SPNs you would like to delegate to, and then click OK.

10. You should now see the selected SPNs in the Services to which this account can present delegated credentials list.

11. Repeat these steps for each delegation path defined at the beginning of this section.
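
The following script is an added check and is not part of this article. It reads back, for each account in the delegation table above, the three Active Directory settings the Delegation tab writes (the SPN list, the constrained-delegation target list in msDS-AllowedToDelegateTo, and the protocol-transition flag) and warns when a setting does not match what this scenario needs. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses the account names from the example; adjust $accounts for your domain.

```powershell
# Added verification script; not part of the KB article. Assumes the
# ActiveDirectory module (RSAT) and the account names used in the example.
Import-Module ActiveDirectory

$accounts = @('svcPPS', 'svcC2WTS')   # sAMAccountNames from the delegation table
$props    = @('servicePrincipalName', 'msDS-AllowedToDelegateTo',
              'TrustedForDelegation', 'TrustedToAuthForDelegation')

foreach ($name in $accounts) {
    $u = Get-ADUser -Identity $name -Properties $props
    Write-Host "== $($u.SamAccountName) =="

    # An SPN must exist, otherwise the Delegation tab is hidden in the snap-in.
    if (-not $u.servicePrincipalName) {
        Write-Warning '  No SPN registered; run SETSPN -S before configuring delegation.'
    } else {
        $u.servicePrincipalName | ForEach-Object { Write-Host "  SPN: $_" }
    }

    # TrustedForDelegation is the unconstrained ("any service") setting. It is
    # not needed here and lets the account impersonate users to every Kerberos
    # service in the domain, so it is flagged.
    if ($u.TrustedForDelegation) {
        Write-Warning '  Unconstrained delegation enabled; use "specified services only".'
    }

    # "Use any authentication protocol" sets TrustedToAuthForDelegation. The
    # C2WTS path starts from a claims token, so protocol transition is required.
    if (-not $u.TrustedToAuthForDelegation) {
        Write-Warning '  Protocol transition is off; C2WTS-based delegation will fail.'
    }

    # msDS-AllowedToDelegateTo lists the back-end SPNs (SQL Server, SSAS,
    # HTTP/Portal) this account may request tickets for on the user's behalf.
    $targets = $u.'msDS-AllowedToDelegateTo'
    if (-not $targets) {
        Write-Warning '  No constrained delegation targets configured.'
    } else {
        $targets | ForEach-Object { Write-Host "  Delegates to: $_" }
    }
}
```

Run it after step 11 for every delegation path; a warning-free run for both accounts means the Delegation tab settings match this scenario.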


Start the PerformancePoint Services service instance on the PerformancePoint Services server

Before creating a PerformancePoint Services service application, start the PerformancePoint Services service on the designated farm servers. To learn more about PerformancePoint Services configuration, see PerformancePoint Services administration on Microsoft TechNet.

1. Open Central Administration.

2. Under Services, select Manage services on server.

3. In the server selection box in the upper right-hand corner, select the server(s) running PerformancePoint Services.

4. Start the PerformancePoint Services service.

Create the PerformancePoint Services service application and proxy

Next configure a new PerformancePoint Services service application and application proxy to allow web applications to consume PerformancePoint Services:

1. Open Central Administration.

2. Select Manage Service Applications under Application Management.

3. Select New, and then click PerformancePoint Services Application.

4. Configure the new service application. Be sure to select the correct service account, or create a new managed account if you did not perform this step previously.

Note: Configuring the Unattended Services Account is optional in this scenario and is only used if you also want to test NTLM authentication.

You can create and register a new service account for an existing application pool dedicated to PerformancePoint Services before this step or when you create the new PerformancePoint Services service application. To associate the service account with an existing application pool dedicated to PerformancePoint Services, or to verify an existing account, do the following:

1. Navigate to SharePoint Central Administration. Find Configure managed accounts in the Security section.

2. Select the drop-down box and select the application pool.

3. Select the Active Directory account.

Grant the PerformancePoint Services service account permissions on the web application content database

A required step in configuring SharePoint Server 2010 Office Web Applications is allowing the web application’s service account access to the content databases for a given web application. In this example, we will grant the PerformancePoint Services account access to the "portal" web application’s content database by using Windows PowerShell.

Run the following command from the SharePoint 2010 Management Shell:

$w = Get-SPWebApplication -Identity http://portal
$w.GrantAccessToProcessIdentity("vmlab\svcPPS")


Configure PerformancePoint Services trusted file location and authentication settings

Once the PerformancePoint Services application is created, you must configure the properties on the new service application to specify a trusted host location and authentication settings.

1. Open Central Administration.

2. Select Manage Service Applications under Application Management.

3. Click the link for the new service application, PerformancePoint Services, and then click the Manage button in the ribbon.

4. In the PerformancePoint Services management screen, click Trusted Data Source Locations.

5. Select the Only specific locations option and click Add Trusted Data Source Location.

6. Type the URL of the location, select the Site Collection (and subtree) option, and then click OK.

7. Select the Only specific locations option and click Add Trusted Data Source Location.

8. Type the URL of the location, select the Site (and subtree) option, and then click OK.
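
The following script is an added example, not part of this article, that performs the trusted data source location steps above from the SharePoint 2010 Management Shell so the allow-list can be reviewed and reapplied consistently across farms. The service application display name and the http://portal URL are assumptions; the cmdlets are the PerformancePoint Services cmdlets shipped with SharePoint 2010 (confirm parameter names with Get-Help on your build), and the Only specific locations switch from step 5 is left as a Central Administration step.

```powershell
# Added example; not from the KB article. Lists and adds PerformancePoint
# trusted data source locations. $appName and $siteUrl are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appName = 'PerformancePoint Service Application'   # assumed display name
$siteUrl = 'http://portal'                          # the example portal web application

$pps = Get-SPPerformancePointServiceApplication | Where-Object { $_.Name -eq $appName }
if (-not $pps) { throw "Service application '$appName' not found." }

# Review what is currently trusted. With "Only specific locations" selected
# and no entries, no site can host a PerformancePoint data source.
$existing = Get-SPPerformancePointServiceApplicationTrustedLocation `
    -ServiceApplication $pps -Type DataSource
$existing | Select-Object Url, TrustedLocationType, Description | Format-Table -AutoSize

# Add the portal site collection (and subtree) once; re-running the script
# does not create duplicates.
$already = $existing | Where-Object {
    $_.Url.ToString().TrimEnd('/') -eq $siteUrl.TrimEnd('/')
}
if (-not $already) {
    New-SPPerformancePointServiceApplicationTrustedLocation `
        -ServiceApplication $pps -Type DataSource `
        -TrustedLocationType SiteCollection -Url $siteUrl `
        -Description 'Portal site collection for the Kerberos scenario'
}
```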

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2723073 - Last Review: April 10, 2013 - Revision: 4.0
Applies to
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
Keywords: 
KB2723073
