Excel Calculation Services on application server without Kerberos

    Question

  • Hello everybody,

    I'm trying to implement a "medium farm" setup for Excel Services:

    - ServerA: Webapps

    - ServerB: Excel Services

    I found in the "Configuring Forms Services and Excel Services" white paper that it should work, except for propagation of the user's authentication, and that would be OK since we can afford fixing authentication with the SSO Service.

    The problem is that ServerA cannot access Excel Web Services on ServerB, and drops a security error in the logs:
    ExcelServerProxy.ProcessWebException: A Web exception during ExecuteWebMethod has occurred for server: http://svmmosqa2:56737/MOSS_SSP_QA/ExcelCalculationServer/ExcelService.asmx, method: OpenWorkbook, ex: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.

    I tried the stsadm.exe -o set-ecssecurity -ssp [SSPNAME] -accessmodel TrustedSubsystem, but to no avail.

    Can anyone confirm that Kerberos is the only way to go? Or has anyone implemented such a solution?

    Thanks in advance.


    Lloyd, MCITP SharePoint Administrator 2010

    Wednesday, 14 March 2012 14:44


All Replies

  •  

    Hi Lloyd,

    Have you ever set up any alternate URLs (aka Alternate Access Mappings on the Operations tab)? I found a thread that resolved it by adding Alternate Access Mappings. You can find it here.

    According to a Microsoft KB article, you can configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication.

    You can refer to the following link.

    http://support.microsoft.com/kb/215383

    Thanks,

    Jack


    Thursday, 15 March 2012 07:56
    Moderator
  • Yes, I've already tried the alternate access mapping configuration, but it did not change anything.

    I forgot to mention that the configuration works perfectly when accessing http://serverB (which has the web application service but should not be used as a front-end).

    After discussing it with a SP admin friend, it seems that when in a three-tier configuration (WFE-APP-SQL) Kerberos is the only solution for Excel Services 2007.

    I'd like a confirmation of this if possible, as we don't have Kerberos set up here, and won't have for some time because of old domain controllers (win2k) still in place.


    Lloyd, MCITP SharePoint Administrator 2010


    • Edited by Lloyd Bee, Thursday, 15 March 2012 08:28
    • Marked as answer by Lloyd Bee, Monday, 26 March 2012 07:31
    Thursday, 15 March 2012 08:28
  •  

    Hi Lloyd,

    As far as I know, this is none of Kerberos's business. But if you want to configure it (WFE-APP-SQL), I will show you some useful articles. They introduce how to configure it in great detail.

    http://blogs.msdn.com/b/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx

    http://blogs.msdn.com/b/martinkearn/archive/2007/04/27/configuring-kerberos-for-sharepoint-2007-part-2-excel-services-and-sql-analysis-services.aspx

    Thanks,

    Jack

    Friday, 16 March 2012 02:15
    Moderator
  • Your post is not an answer to my question, as the subject was not how to implement Kerberos, but if it was needed.

    I propose my friend's answer, as no one has another solution.


    Lloyd, MCITP SharePoint Administrator 2010

    Monday, 26 March 2012 07:31
  • Hello Lloyd;

    I think I can answer your question for you. We have been struggling with Excel Services as well.

    The short answer is that yes, Kerberos is a viable option in a multi-tiered farm (WFE-APPS-SQL).

    This is also our setup, except we use a SQL cluster (2 servers). We have implemented Kerberos, although we are in troubleshooting mode. We have gotten past most of the issues but it's a bit tooth and nail.

    A bit more detail:

    What you may find when using NTLM is that you will run across the dreaded "Double Hop" issue. I won't go into detail (Google is your friend) but basically your credentials get dropped as you hop across servers in your farm. NTLM only seems to support you on the first hop.

    Kerberos can be the answer here as it assigns an authentication ticket which persists throughout the session. Your credentials should not get dropped while hopping across servers to access resources. I see no other alternative than Kerberos.

    Kerberos can be a pain to set up as there are several configuration points to consider. Hopefully your network admin will be versed in Kerberos as well.

    I hope that provides a more complete answer for you as you only wanted to know whether you should use kerbie.

    As always if my understanding is incorrect I welcome respectful feedback.

    r&r

    Thursday, 29 March 2012 18:41
  • Hello r&r, thanks for your feedback.

    Actually I know how Kerberos works and I'm aware of the double-hop issue. The original question was: is there any other way, as is suggested in the white paper AF010288107?

    "In a server farm, the default security setting is trusted subsystem; in this case all Web front-end servers and applications servers will communicate with each other by using the account settings of the Shared Service Provider that manages the service. There is no additional configuration required for the default communication security to work."

    This sentence seems to be wrong, as Kerberos seems to be the only viable option in a simple three-tier setup.

    Thanks anyway for confirming that Kerberos is a viable solution.


    Lloyd, MCITP SharePoint Administrator 2010

    Friday, 30 March 2012 05:35
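
Added example, not part of the thread and not Microsoft's code: the discussion above turns on whether the failing call to ExcelService.asmx is authenticating with NTLM or Kerberos, and a `Negotiate` header can carry either. This Python sketch classifies `Authorization` / `WWW-Authenticate` values taken from a network trace by looking for the NTLMSSP signature or the Kerberos mechanism OID; the function names and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message
# DER-encoded mechanism OIDs found inside SPNEGO/GSS-API (Negotiate) tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (MS Kerberos)
)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(value):
    """Return (scheme, mechanism, detail) for one HTTP auth header value."""
    scheme, _, b64 = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "other", ""
    if not b64.strip():
        return scheme, "offer", ""  # bare scheme: server only advertises it
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return scheme, "undecodable", ""
    pos = token.find(NTLMSSP)
    if pos != -1 and len(token) >= pos + 12:
        # 4-byte little-endian message type follows the 8-byte signature.
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return scheme, "ntlm", NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    if token[:1] in (b"\x60", b"\xa1") and any(o in token for o in KRB5_OIDS):
        return scheme, "kerberos", "SPNEGO/GSS token"
    return scheme, "unknown", ""

def uses_ntlm_fallback(header_values):
    """True when a Negotiate exchange actually carried NTLM, not Kerberos."""
    results = map(classify_authorization, header_values)
    return any(s == "negotiate" and m == "ntlm" for s, m, _ in results)

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed samples (not captured traffic): an NTLM type 1 message and the
# leading bytes of a SPNEGO token naming Kerberos, with a zero-filled body.
SAMPLE_NTLM_TYPE1 = "Negotiate " + _b64(
    NTLMSSP + struct.pack("<II", 1, 0xA2088207) + bytes(16))
SAMPLE_KERBEROS = "Negotiate " + _b64(
    bytes.fromhex("6082000006062b0601050502") + KRB5_OIDS[0] + bytes(24))

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM_TYPE1, SAMPLE_KERBEROS, "NTLM"):
        print(classify_authorization(sample))
```

The OID match is a byte-level heuristic rather than a full ASN.1 parse, so treat an "unknown" result as a prompt to inspect the token in a protocol analyzer.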