kerberos

W

Will Byron

Hi
Want to know how to get kerberos to work
3 workstations involved
User computer with Windows 2000 runs I.E 6.0 and accesses a web page on
Reporting services server (Web Portion-IIS) running windows 2003.
USer is running a report that runs an mdx statement on a data server which
is also windows 2003
We included in the connection string sspi=kerberos
We also when to the domain controller which is windows 2003 and enabled
kerberos delegation on the web and data server.

We still get the below error

An error has occurred during report processing. (rsProcessingAborted) Get
Online Help
a.. Cannot create a connection to data source 'OLAP'.
(rsErrorOpeningConnection) Get Online Help
a.. The operation requested failed due to security problems - the user
could not be authenticated
b.. Thanks in advance
 
H

Herb Martin

Will Byron said:
Hi
Want to know how to get kerberos to work
3 workstations involved
Click to expand...

If you mean for all Win2000+ machines then Kerberos
just works for domain authentication with no special
steps (in most cases.)

If you mean for IIS we can try to help -- some of use are
pretty good with IIS but you might also wish to crosspost
the message here and to the IIS groups.
User computer with Windows 2000 runs I.E 6.0 and accesses a web page on
Reporting services server (Web Portion-IIS) running windows 2003.
USer is running a report that runs an mdx statement on a data server which
is also windows 2003
We included in the connection string sspi=kerberos
We also when to the domain controller which is windows 2003 and enabled
kerberos delegation on the web and data server.

We still get the below error

An error has occurred during report processing. (rsProcessingAborted) Get
Online Help
a.. Cannot create a connection to data source 'OLAP'.
(rsErrorOpeningConnection) Get Online Help
a.. The operation requested failed due to security problems - the user
could not be authenticated
b.. Thanks in advance
Click to expand...

This is some programmatic problem and might be as
simple as having the wrong options enabled in IIS,
or as simple as IE not running on a user workstation
that can participate in Integrated security or which doesn't
have the user logged onto the right account, or where the
user isn't supplying the right account source (server, domain,
etc.)
[/QUOTE]
 
W

Will Byron

Hi

Thanks

I was wondering what you meant by this

"or which doesn't

have the user logged onto the right account, or where the user isn't
supplying the right account source (server, domain, etc.)"

The user workstation logs into reporting services from IE using the
http://servername/reports url The data source for the report being run has
the following connection string

Provider=MSOLAP.2;Client Cache Size=25;sspi=kerberos ;Data
Source=CEP-Norwalk02;Initial Catalog=CEPeProphet;Auto Synch Period=10000

The integrated security box is checked

The analysis service is running and I am using a domain account to run it
that has all the rights it needs I believe

Herb Martin said:
If you mean for all Win2000+ machines then Kerberos
just works for domain authentication with no special
steps (in most cases.)

If you mean for IIS we can try to help -- some of use are
pretty good with IIS but you might also wish to crosspost
the message here and to the IIS groups.


This is some programmatic problem and might be as
simple as having the wrong options enabled in IIS,
or as simple as IE not running on a user workstation
that can participate in Integrated security or which doesn't
have the user logged onto the right account, or where the
user isn't supplying the right account source (server, domain,
etc.)
Click to expand...
[/QUOTE]
 
W

Will Byron

I got Kerberos to work by using the artricle at
http://support.microsoft.com/default.aspx?kbid=828280
however what I ultimately got tied up with is the olap service on the
analysis service machine was using a domain account which I assumed it could
since the above article talks about setting up an SPN if the analysis
service service runs using a domain account.
I ran into another article
http://www.mosha.com/msolap/articles/enablingdelegation.htm
which stated
The MSSQLServerOLAPService must be running under the LocalSystem account in
order for delegation to be enabled.
Once I changed to run under local system the kerberos feature worked.
Will Byron said:
Hi

Thanks

I was wondering what you meant by this

"or which doesn't

have the user logged onto the right account, or where the user isn't
supplying the right account source (server, domain, etc.)"

The user workstation logs into reporting services from IE using the
http://servername/reports url The data source for the report being run has
the following connection string

Provider=MSOLAP.2;Client Cache Size=25;sspi=kerberos ;Data
Source=CEP-Norwalk02;Initial Catalog=CEPeProphet;Auto Synch Period=10000

The integrated security box is checked

The analysis service is running and I am using a domain account to run it
that has all the rights it needs I believe
Click to expand...
[/QUOTE]
 
H

Herb Martin

Will Byron said:
Hi

Thanks

I was wondering what you meant by this

"or which doesn't

have the user logged onto the right account, or where the user isn't
supplying the right account source (server, domain, etc.)"
Click to expand...

Users logged into a Domain client that runs a browser which
supports Integrated (basically this is IE) MAY be automatically
authenticated -- if the web server is part of the same domain or
one which trusts the user domain.
The user workstation logs into reporting services from IE using the
http://servername/reports url The data source for the report being run has
the following connection string

Provider=MSOLAP.2;Client Cache Size=25;sspi=kerberos ;Data
Source=CEP-Norwalk02;Initial Catalog=CEPeProphet;Auto Synch Period=10000

The integrated security box is checked
Click to expand...

If the user is not already authenticated where the Server
lives -- or running a browser that doesn't support integrated
-- then the user has to explicitly log on, even for integrated.

In this case the user is quite capable of providing either no
domain or the wrong one.
The analysis service is running and I am using a domain account to run it
that has all the rights it needs I believe
Click to expand...

[/QUOTE]
 
H

Herb Martin

Will Byron said:
I got Kerberos to work by using the artricle at
http://support.microsoft.com/default.aspx?kbid=828280
however what I ultimately got tied up with is the olap service on the
analysis service machine was using a domain account which I assumed it could
since the above article talks about setting up an SPN if the analysis
service service runs using a domain account.
I ran into another article
http://www.mosha.com/msolap/articles/enablingdelegation.htm
which stated
The MSSQLServerOLAPService must be running under the LocalSystem account
Click to expand...
in


Glad you solved it and especially glad you posted
what worked/helped so that others can benefit from
your work.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Windows 7 / Windows Vista kerberos differencies 4
Using Kerberos exclusively on Windows 2003 server - No fallback on NTLM 0
Kerberos authentication fails 3
Kerberos Event ID 4 messages and NT4 2
kerberos 4
Kerberos Error 594 1
Kerberos Error 1
Kerberos ticket on 2003 member server 1

Top