none
SharePoint Constrained Delegation to SSAS TABULAR

    Question

  • Hello

    My SharePoint environment

    - 2 WFEs (WFE01 and WFE02) Load Balanced
    - 2 APP Servers (APP01 and APP02)
    - 1 SQL Server (SQL01)

    My SSAS Data source

    - 1 SSAS TABULAR external Data Source (SSASSrv\TABULAR)


    Excel, PowerPivot, SSRS, PerformancePoint, C2WTS all have dedicated managed accounts.

    SPNs have been configured for Web App and Kerberos works in the SharePoint farm as I can see KList tickets as well as Kerberos tickets in the Event Log of the WFEs.

    SPNs have also been configured for the SSAS TABULAR instance ie. fully qualified and netbios. Constrained delegation has been set for the C2WTS, Excel, PerfPoint, PowerPivot, SSRS and web application accounts to service running SSAS TABULAR.

    However, I see Anonymous Logon in the Event Log of the SSAS instance. SQL Profiler on the SSAS instance also shows Anonymous Logon.

    I have gone through the SP2010 Kerberos Guide documentation and numerous articles online but I'm having no luck. I have also checked and rechecked the SPNs and delegations.

    I now have a feeling there may be something to do with the fact that the SharePoint farm is load balanced.

    While Kerberos works perfectly within the SharePoint farm, it is unable to pass the ticket to any external data source including SQL Server. NetMon isn't giving me much either.

    Does anyone have any suggestions? This is really urgent.

    Thanks in advance.

    Yoshi

    Monday, May 1, 2017 9:10 AM

All replies

  • Hi, Is there any update?

    Monday, May 8, 2017 12:16 AM
  • Yes, I have solved it.

    When you want to configure PowerView for kerberos in SharePoint 2013 to SSAS TABULAR, it is only the C2WTS and SSRS service accounts that come in to play.

    Both these accounts need to have delegations pointing to the OLAP service, SQL service and Disco services on the SSAS TABULAR instance and the HTTP service of the SharePoint Web Application.

    The SSAS TABULAR instance and the Web Application needs to have SPNs set for the services above before delegations can be configured on the service accounts.

    When you open the Properties > Delegation tab for the C2WTS and SSRS accounts make sure you select the 'Trust this user for delegation to specified services only' and 'Use any authentication protocol' when setting the delegations to enable constrained delegation.

    The reason I was having trouble was because I had the 'Use Kerberos only' option selected.

    All the best. If you need a hand feel free to reply and I will assist you in setting this up.

    Cheers

    Yoshi

    Monday, May 8, 2017 4:03 AM
  • Hi,
    Thanks for your sharing.
    You can mark your reply as answer.
    Thanks,
    Dean Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, May 16, 2017 12:07 PM
    Moderator