locked
Problem with Per User Identy in Single Server Installation RRS feed

  • Question

  • I have a single server installation of Windows Server 2008, Sql Serdver 2008 R2, and Sharepoint 2010. I installed Sharepoint 2010 Enterprise edition. During the setup I did not see an option to install a stand alone version (I didn't see and option to connect to an existing farm on create new farm.  I chose to create a new farm).

    I am not able to connect to my SSAS database from Performancepoint Dashboard Designer using Per User Identity. I can make a successful connection using the Unattended Service.

    When I attempt to connect using Per User Identity I receive the error in the log.

    Could not retrieve a valid windows identity for NTName='OCB\AdminUser', UPN='AdminUser@ocb.com'. UPN is required when Kerberos constrained delegation is used......Monitoring Service was unable to retrieve a Windows identity for "OCB\AdminUser".  Verify that the web application authentication provider in SharePoint Central Administration is the default windows Negotiate or Kerberos provider.  If the user does not have a valid active directory account the data source will need to be configured to use the unattended service account for the user to access this data.

    Wednesday, January 5, 2011 3:48 PM

Answers

  • Solution :-) I needed to have the "Claims to Windows Token Service" (located at Central Administration -> Application Management -> Manage services on server) turned on.  This is the same service used by Excel Services to pass windows credentials.  Once I started it I was able to connect Per User Identity
    Monday, January 10, 2011 1:18 AM

All replies

  • As far as I know Per User Identity to work on SharePoint 2010 you must configure Kerberos delegation. Although I haven't tried this by myselft yet. Take a look at this article.

    http://blogs.msdn.com/b/performancepoint/archive/2010/05/06/data-source-authentication-in-performancepoint-services-for-sharepoint-2010.aspx

    hth

    Wednesday, January 5, 2011 4:37 PM
  • Actually I think I overlooked the stand alone option. I will re install as stand alone and see if that makes a difference.
    Wednesday, January 5, 2011 4:38 PM
  • For my install I did this on a Domain Controller.  Is this what you are doing?  I don't believe when I installed SharePoint during the PowerPivot setup that it gave an option for this.  This installation does a new farm and a complete install of all components of SharePoint.  I don't have any issues using either the Unattended Account or Per User Identity security.

    Are you using a Domain Controller setup?

    As long as the source you are trying to access is on the same server you shouldn't have any issues.  I have done this setup on a couple of different servers without any issues.  One doing the SharePoint install through the PowerPivot setup and the other with just a SharePoint install and no PowerPivot.


    Dan English's BI Blog
    Wednesday, January 5, 2011 10:41 PM
  • Really?  I got the Per User Identity authentication to work.  BUT I reinstalled Windows Server as a Workgroup which game me the option of Standalone during the Sharepoint install (the stand alone is only available on a workgroup).  Once I got Sharepoint installed as a stand alone the Per User Identity worked fine.

    I haven't been able to get it to work when I install Sharepoint as a farm on a Windows Server domain controller

    Is there any particular configuration you do in Sharepoint to get the Per User Identity to work on the Sharepoint farm (single server install)

    Friday, January 7, 2011 2:07 PM
  • Not that I can think of.  I setup the Domain Controller and did the SharePoint install using the PowerPivot process.

    Dave Wickert has some nice videos to reference - http://social.technet.microsoft.com/wiki/contents/articles/install-powerpivot-for-sharepoint-on-a-domain-controller.aspx.

    The Secure Store Service should be configured and that does get used by PowerPivot and you must have had that setup if you were using the Unattended Account for PerformancePoint previously.

    If checked my VM setup and that is a farm setup with the PowerPivot and PPS running just fine (use Unattended Account or Per User Identity) and I checked another SharePoint demo server that does not have PowerPivot configured which is also a Domain Controller and that is a farm setup and that can use both Authentication modes as well.

    I verified that they were farm installs by using the SharePoint Configuration Wizard.  I never use the Standalone option with SharePoint.  That install also loads SQL Express.


    Dan English's BI Blog
    Friday, January 7, 2011 3:34 PM
  • Solution :-) I needed to have the "Claims to Windows Token Service" (located at Central Administration -> Application Management -> Manage services on server) turned on.  This is the same service used by Excel Services to pass windows credentials.  Once I started it I was able to connect Per User Identity
    Monday, January 10, 2011 1:18 AM
  • Yes, that is definitely needed to be running and that is used by the Secure Store Service.  There is a slight bug with this that it requires a dependency on the Cryptographic Service.  If you do not setup the dependency you can see a delay on the c2wts starting if you reboot your server.  I ran into this issue using PowerPivot data sources in PerformancePoint - http://denglishbi.wordpress.com/2010/07/21/performancepoint-services-powerpivot-data-sources-error/.  Dave Wickert posted the issue here along with the fix - http://powerpivotgeek.com/2010/04/02/help-c2wts-has-fallen-and-it-cannot-get-up/.

    Glad you were able to get this resolved and I was actually thinking about this potential issue as well.  Nice job!


    Dan English's BI Blog
    Monday, January 10, 2011 12:29 PM