PerformancePoint and Kerberos Woes

I spent about a week to a week and a half researching and learning about Kerberos. About 1-2 days were spent just on Kerberos authentication to the SharePoint site, and the other 12 or so days were on Kerberos authentication to PerformancePoint. I just want to share what I did to fix the KDC_ERR_S_PRINCIPAL_UNKNOWN and KDC_ERR_BADOPTION errors:

A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 15:33:56.0000 1/20/2012 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 0xc0000035 KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: COSTOSO.COM
 Server Name: MSOLAPSvc.3/SQLANALYSISSERVER
 Target Name: MSOLAPSvc.3/SQLANALYSISSERVER@CONTOSO.COM
 Error Text:
 File: 9
 Line: f09
 Error Data is in record data.

A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 15:33:56.0000 1/20/2012 Z
 Error Code: 0xd  KDC_ERR_BADOPTION
 Extended Error: 0xc0000272 KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: COSTOSO.COM
 Server Name: svcPPS@COSTOSO.COM
 Target Name: svcPPS@COSTOSO.COM@COSTOSO.COM
 Error Text:
 File: 9
 Line: f09
 Error Data is in record data.

Also, I was getting this error when I added a new data source in the Dashboard Designer and tried to connect it to a server:

PerformancePoint Services was unable to connect to “xxxxxxx”. Verify that the server name is correct and that you have permissions to connect to the server. To enable you to connect to the remote server with your credentials the domain administrator must configure Kerberos between all instances of the PerformancePoint Service application and the data source server

And this event kept coming up in the event viewer:

The user “Constoso\user” does not have access to the following data source server.
 Data source location: http://PPSWebApp:port/Data Connections for PerformancePoint/<#>_.000
 Data source name: Test Data Source
 Server name: SQLAnalysisServer
 Exception details:
 Microsoft.AnalysisServices.AdomdClient.AdomdConnectionException: The connection either timed out or was lost. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.IO.BufferedStream.Read(Byte[] array, Int32 offset, Int32 count)
   at Microsoft.AnalysisServices.AdomdClient.DimeRecord.ForceRead(Stream stream, Byte[] buffer, Int32 length)
   at Microsoft.AnalysisServices.AdomdClient.DimeRecord.ReadHeader()
   at Microsoft.AnalysisServices.AdomdClient.DimeReader.ReadRecord()
   at Microsoft.AnalysisServices.AdomdClient.TcpStream.GetResponseDataType()
   --- End of inner exception stack trace ---
   at Microsoft.AnalysisServices.AdomdClient.XmlaClient.EndRequest()
   at Microsoft.AnalysisServices.AdomdClient.XmlaClient.CreateSession(ListDictionary properties, Boolean sendNamespaceCompatibility)
   at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.XmlaClientProvider.Microsoft.AnalysisServices.AdomdClient.AdomdConnection.IXmlaClientProviderEx.CreateSession(Boolean sendNamespaceCompatibility)
   at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.ConnectToXMLA(Boolean createSession, Boolean isHTTP)
   at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.Open()
   at Microsoft.PerformancePoint.Scorecards.DataSourceProviders.AdomdConnectionPool`1.GetConnection(String connectionString, ConnectionContext connectionCtx, String effectiveUserName, CultureInfo culture, NewConnectionHandler newConnectionHandler, TestConnectionHandler testConnectionHandler)

One of the things I learned is that you need to add SPNs for the SERVER hosting the service that you are going to use for constrained delegation. For example: I needed to add constrained delegation for Analysis Services (MSOLAPSvc.3) to my PerformancePoint service application pool account, but when I tried to add the service in the delegation picker, MSOLAPSvc.3 was not listed….WTF?!?

I found out that you need to add the SPN of that service to the server it is hosted on:

setspn.exe -A MSOLAPSvc.3/AnalysisServerFQDN AnalysisServer

VERY IMPORTANT!! (this is what cost me time): AFTER YOU SET UP THE CONSTRAINED DELEGATION for the service accounts, DELETE THE SPNs for that service from the server's SPNs.

This is what my setup looks like.

SPNs

PerformancePoint Web application pool service account:
  HTTP/webapplication
  HTTP/webapplicationFQDN
  HTTP/webapplicationFQDN:port

SQL Analysis Service account:
  MSSQLSVC/SQLServer
  MSSQLSVC/SQLServerFQDN
  MSSQLSVC/SQLServerFQDN:instance
  MSOLAPSvc.3/SQLServer
  MSOLAPSvc.3/SQLServerFQDN
  MSOLAPSvc.3/SQLServer:instance

PerformancePoint Service Application Pool account:
  SP/svcPPS (placeholder SPN so the Delegation tab becomes available on the account)

Claims to Windows Token Service Application Pool account:
  SP/C2WTS (placeholder SPN so the Delegation tab becomes available on the account)

SQL Analysis Server (computer account):
  MSOLAPSvc.3/SQLAnalysisServer (delete after adding constrained delegation)
  MSOLAPSvc.3/SQLAnalysisServerFQDN (delete after adding constrained delegation)

Delegation

PerformancePoint Service Application Pool account: (screenshot of the Delegation tab; masked server is the SQL Analysis Server)

Claims to Windows Token Service Application Pool account: (screenshot of the Delegation tab; masked server is the SQL Analysis Server)

PerformancePoint Web application pool service account: (screenshot of the Delegation tab)

SSAS service account: (screenshot of the Delegation tab)

SSAS Server, SharePoint Server & SharePoint DB Server: (screenshot of the Delegation tab)
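The layout above is easy to get subtly wrong (an SPN missing, held by the wrong account, or duplicated), so here is an added PowerShell audit that is not part of the original post. It queries the directory for each expected SPN and for the delegation list of the PerformancePoint-side accounts; the account names svcPPSWebApp, svcSSAS, svcPPS and svcC2WTS and the host names are placeholders for the masked values in the post.

```powershell
# Added example, not part of the original post. Audits the SPN/delegation layout listed
# above with the built-in [adsisearcher] accelerator (no RSAT module needed). Account and
# host names are placeholders for the masked values in the post; adjust them to your domain.

# Expected SPNs per service account (placeholder account names)
$expected = @{
    'svcPPSWebApp' = @('HTTP/webapplication', 'HTTP/webapplicationFQDN', 'HTTP/webapplicationFQDN:port')
    'svcSSAS'      = @('MSOLAPSvc.3/SQLServer', 'MSOLAPSvc.3/SQLServerFQDN', 'MSOLAPSvc.3/SQLServer:instance')
    'svcPPS'       = @('SP/svcPPS')    # placeholder SPN so the account shows a Delegation tab
    'svcC2WTS'     = @('SP/C2WTS')
}
# Accounts that must be trusted for constrained delegation to the SSAS SPNs
$delegators = @('svcPPS', 'svcC2WTS')
$ssasSpns   = $expected['svcSSAS']

function Find-SpnHolders([string]$spn) {
    # sAMAccountName of every directory object carrying $spn. 0 hits means the KDC will
    # answer KDC_ERR_S_PRINCIPAL_UNKNOWN; 2+ hits is a duplicate SPN, which also breaks Kerberos.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PageSize = 200
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

foreach ($account in $expected.Keys) {
    foreach ($spn in $expected[$account]) {
        $holders = @(Find-SpnHolders $spn)
        switch ($holders.Count) {
            0 { Write-Warning "$spn is not registered anywhere; register with: setspn -S $spn $account" }
            1 {
                if ($holders[0] -eq $account) { Write-Output "OK   $spn -> $account" }
                else { Write-Warning "$spn is registered on $($holders[0]), expected $account" }
            }
            default { Write-Warning "$spn is DUPLICATED on: $($holders -join ', ')" }
        }
    }
}

# KDC_ERR_BADOPTION on the delegation (S4U2Proxy) step commonly means the delegating account
# lacks the target SPN in msDS-AllowedToDelegateTo; compare both PPS-side accounts to the SSAS SPNs.
foreach ($account in $delegators) {
    $obj = ([adsisearcher]"(sAMAccountName=$account)").FindOne()
    if (-not $obj) { Write-Warning "account $account not found"; continue }
    $allowed = @($obj.Properties['msds-allowedtodelegateto'])
    foreach ($spn in $ssasSpns) {
        if ($allowed -notcontains $spn) { Write-Warning "$account is not allowed to delegate to $spn" }
        else { Write-Output "OK   $account may delegate to $spn" }
    }
}
```

Run it as a domain user on any domain-joined machine; `setspn -S` is suggested in the warnings because, unlike `-A`, it refuses to create a duplicate SPN.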

To test it, open Dashboard Designer and create a new data source. Have the data source connect to the SQL Analysis Server, and if you don’t get an error, you are good to go! I didn’t believe it at first, but most Kerberos errors come from SPNs!

EDIT:

Another thing I needed to check was the DOMAIN\svcc2tws account. It didn’t have the right settings on the PerformancePoint server.

a) Add the service account to the local Administrators group.

b) In Local Security Policy (secpol.msc), under User Rights Assignment, grant the service account the following rights:

   i.   Act as part of the operating system
   ii.  Impersonate a client after authentication
   iii. Log on as a service

c) Open a command prompt and run:

   sc config c2wts depend= CryptSvc

Also make sure that the SSAS SPNs include RestrictedKrbHost/SQLAnalysisServerFQDN.


2 thoughts on “PerformancePoint and Kerberos Woes”

  1. You shouldn’t have had to set up the SPNs for SSAS on the server, just on the SSAS service account. When you do the lookup for the constrained delegation, you do the lookup on the SSAS service account to add it, not the server name, because it will not be listed on the server since it was assigned to the account. Same thing when you set up the constrained delegation to the SQL service account.

    Also, you should use -S when running setspn to avoid potentially creating a duplicate SPN, which can cause issues as well.

    Here is the white paper which you might have already tracked down, a bit confusing at first, but is a great reference – http://technet.microsoft.com/en-us/library/ff829837.aspx

    • I did -A because I was expecting the duplicate. I just deleted the SPN after the constrained delegation.

      Also, I have tried adding just the SPNs to the service account. It doesn’t have the MSOLAPSvc.3 service available for constrained delegation if I don’t add it to the server, in any configuration or SPN settings for any service accounts. I have followed the white paper to the ‘T’. This is why it took me several days to figure out. My results will not match everyone’s environment, but it’s just another 5 cents added to the pile…

      I appreciate your input!
