Web access features for books....need clarification

  • Question

  •  

    I'm a bit confused about what features users can access via the PAS portal, without having the Desktop client installed. We created a test library and a test book. On a machine with the desktop client installed, we can open the book and click around to see the results. On clients without desktop client installed, we get an error saying "unable to run ProClarity Professional."

     

    The user guide didn't seem very informative to me. My boss thought without the desktop client installed you could at least view and click around within books.

     

    Can someone clarify (har har) what features, if any, are available for viewing books via the web site?

     

    Thanks!

    Tuesday, March 25, 2008 8:32 PM

All replies

  • The next step after creating a book and library on the PAS is to publish the view(s) that you have created.  Then they should be available for viewing on the ProClarity web site (http://machinename/PAS by default).

    Then select the "Standard" client in the dropdown to the left of the ProClarity Analytic Server web page.  Then the view will open in the browser window instead of the Professional client (or attempting to on machines that don't have it installed).  I would recommend checking out the ProClarity Administrators Guide that should be in the documentation directory of the PAS installation package.

     

    Hope this helps!

     

    -Bob

    Tuesday, March 25, 2008 8:45 PM
  •  

    Making a little bit of progress. We did publish the view. When we select the standard client and open the view, we get: The selected page could not be opened because the cube could not be found. Please choose a different page.

     

     

    Tuesday, March 25, 2008 8:49 PM
  • This message generally has to do with the user credentials not making it to the Analysis Services cube, or the user not having permissions on the cube.  These links should help you sort this out:

     

    http://support.microsoft.com/kb/927942
    http://support.microsoft.com/kb/828280
    http://support.microsoft.com/kb/917409

     

     

    Thanks,

     

    Bob

    Tuesday, March 25, 2008 8:55 PM
  •  

    Bob,

     

    Thanks for the articles. I am making progress. I confirmed if I use Basic mode in IIS that the cubes display. Last night we enabled Kerberos constrained delegation for the SQL server and Analysis server, per the KB articles. I also had some instructions for making the needed changes in AD for the SQL computer account and SQL service account, which I did as well. We rebooted the SQL server to ensure all the SPNs got registered.

     

    The PAS article says that PAS and IIS need to be configured for Kerberos as well. However, I see no mention of the required steps. Are there instructions anywhere for how to setup PAS/IIS for Kerberos?

     

    Thanks!

    Wednesday, March 26, 2008 2:47 PM
  • All you should need to do is set the check on the IIS/PAS AD account to "Trust computer for delegation", unless you're running the PAS application pool with a domain account, in which case it will be necessary to add an HTTP SPN to that account for the IIS/PAS server.  Good work on this!

     

    -Bob

     

    Wednesday, March 26, 2008 2:58 PM
  •  

    Bob,

     

    Unfortunately, checking that option for the PAS/IIS AD computer account and rebooting the PAS server didn't help. It appears to me PAS cannot use a domain account for SQL access. Should PAS database access be configured for a domain account? I tried to use a domain account during installation and it didn't appear to work.

     

    The IIS PAS application pool is account "network service."

     

    Any more ideas?

    Wednesday, March 26, 2008 4:14 PM
  • As a follow up, the ProClarity server is logging:

     

    Event Type: Information
    Event Source: ProClarity Server
    Event Category: None
    Event ID: 2
    Date:  3/26/2008
    Time:  10:58:04 AM
    User:  yyy\UserAccount
    Computer: MPSAPP04
    Description:
    Information. Accessing page "Breakdown of Revenue" ({56204A86-3B68-4004-9132-C64BCDCD2DA6})
    from book "Decomp" ({BD264BF3-B94C-4B01-8BC3-2031F21BF099})

    Cache File Name:  (unknown)

    Call Stack:

    Location: line #318 of file OlapSession.cpp
     - Error-code: (0xbba), Error-number: 0x80004005
     - Caught exception in COlapSession::ConnectToKSession()

    Location: line #361 of file PoolConnect.cpp
     - Error-code: (0xbba), Error-number: 0x80004005
     - Connection Failure in call to Session->ConnectToKSession()

    Location: line #214 of file PoolConnect.cpp
     - Error-code: (0xbba), Error-number: 0x80004005
     - Error - RealConnect() in CPool::AllocSession()
     Provider: 0x0337D1C4:{176941F9-18E8-47D6-860D-006FF2655608}
     Server: 0x0337B4E4:MPCSQL01
     Database: 0x0337B534:PS Reports
     Cube: 0x0338E3FC:[PS Chargeability]
     OLAPRoleMembershipList: 0x00150FB4:
     PreferredSessionID: 0x-1


    Location: line #677 of file PConnection.cpp
     - Error-code: (0x3c), Error-number: 0x80004005
     - Could not establish a session for user

    Location: line #6780 of file QueryImpl.cpp
     - Error-code: (0x3c), Error-number: 0x80004005

    Location: line #6757 of file QueryImpl.cpp
     - Error-code: (0xe), Error-number: 0x80004005
     - CreateOlapRolesForConnInfo()

    Location: line #14773 of file QueryImpl.cpp
     - Error-code: (0x1c), Error-number: 0x80004005
     - Error -- GetOlapRolesForConnInfo() call

    Location: line #14180 of file QueryImpl.cpp
     - Error-code: (0x3c), Error-number: 0x80004005

     

    Wednesday, March 26, 2008 4:22 PM
    During the PAS installation, you're actually creating the account that PAS is going to use to connect to its SQL repository, and this has to be a SQL account, not a domain account, and should be created by the install as long as you provide the SQL SA or similarly permissioned account to create this PAS user account.  Also, SQL must be configured for mixed mode authentication (which allows the SQL account to be created and used); this is a requirement for PAS to be able to install.

     

    When the end user receives the message stating that the cube cannot be found, this is the result of IIS not being able to pass the user NT credentials to Analysis Services (which Kerberos allows for), so since the user can't be authenticated, "the cube cannot be found"!

     

    Hope this clarifies things a little,

     

    Bob

     

    Wednesday, March 26, 2008 4:43 PM
  •  

    Yes that helps clarify, but doesn't resolve my problem. Guess I'll be calling PSS on this one.
    Wednesday, March 26, 2008 4:45 PM
  • The entry in the event log is what I would expect to see when the authentication is not taking place.  You should open a case, then we can forward you some documentation and troubleshooting tools that we use to help us nail these down.  Are you seeing any errors in the event logs relating or referring to Kerberos?  In the Security event log, which authentication method is showing on the 540 event types?

    Here's a clip from the document that we use describing how to set the default authentication header in the IIS metabase:

     

    An IIS metabase entry specifying the authentication headers available for the web site where PAS is hosted needs to be checked to ensure Kerberos is the default security protocol option.  You may check this with any IIS metabase browser, or from the IIS metabase xml file directly.  The metabase browser from the IIS 6 Resource Kit may be the easiest to use.

     

    For the IIS service where the PAS virtual directory is located (in this case the default website) be sure the NT Authentication Providers property is set to “Negotiate,NTLM”.  If it is not, change the existing value to “Negotiate,NTLM” (without the quotes), click Apply, and reset IIS.

     

     Forcing Kerberos as the authentication protocol on the OLE DB connection string from the web server hosting PAS may be necessary in some cases.

     

    The Negotiate authentication header will use Kerberos in most cases (for exceptions please refer to the following article: http://support.microsoft.com/kb/215383).  Therefore, if the website hosting PAS is configured to utilize the Negotiate header (as specified above), the authentication protocol will generally be Kerberos without the need for further configuration.  However, if everything appears to be in place, but PAS will not authenticate to Analysis Services, it may be necessary to force the authentication protocol to Kerberos on the OLE DB connection string.  This can be done by following these steps:

     

    1.    Add a registry key called “Properties” to the existing ProClarity Server registry key. The final path will look like this:

     

    HKLM\SOFTWARE\ProClarity Corporation\Server\Properties

     

    2.    Add a new string value.  Create a new string value by right clicking on the new Properties key and selecting New → String value.

     

    3.    The string value will be "SSPI" without the quotes.  The value will be "Kerberos" without the quotes.

     

    4.    Reset IIS.

     

     

     

    You may also turn on some verbose logging to capture security traffic on your web server and data server.

    On both your web and data server, you should have the following registry path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters


    You may have a value here called LogLevel. If you do not, add it as a DWORD value, and set it to 1.

    Once you have done this on the web server and on the data server, your event logs will begin to give you detailed information on user activity on those boxes, with relation to Kerberos authentication. On the web server you will look for event log entries that are authenticating users to the PAS virtual directory using Kerberos. Once you've confirmed that this is happening, you will then look for corresponding entries on the data server to see if it is also authenticating using Kerberos.

    Before beginning this testing, it is highly recommended that you clear your event logs, as the entries are many. Also, once you've finished testing, you will want to be sure to clear the registry entry, as this kind of logging will cause performance degradations.

     

     

     

     

     

    Wednesday, March 26, 2008 5:00 PM
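
The registry steps quoted in the reply above, scripted as an added example that is not part of the original post or of ProClarity's documentation. The function names are hypothetical, the registry paths and values are the ones given in the post, and it assumes an elevated Windows PowerShell session (Get-EventLog is not available in PowerShell 7).

```powershell
# Added example: registry paths and values are taken from the post above.
$PasKey  = 'HKLM:\SOFTWARE\ProClarity Corporation\Server\Properties'
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Web server hosting PAS only (steps 1-4 in the post).
function Set-PasForceKerberos {
    # Step 1: create the Properties key if it does not exist yet.
    if (-not (Test-Path $PasKey)) { New-Item -Path $PasKey -Force | Out-Null }
    # Steps 2-3: string value named SSPI with the data Kerberos.
    New-ItemProperty -Path $PasKey -Name 'SSPI' -Value 'Kerberos' `
        -PropertyType String -Force | Out-Null
    # Step 4: reset IIS.
    iisreset
}

# Web server and data server: turn verbose Kerberos logging on.
function Enable-KerberosEventLogging {
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    New-ItemProperty -Path $KerbKey -Name 'LogLevel' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Web server and data server: remove LogLevel once testing is finished,
# since the post notes this logging degrades performance.
function Disable-KerberosEventLogging {
    Remove-ItemProperty -Path $KerbKey -Name 'LogLevel' -ErrorAction SilentlyContinue
}

# Kerberos errors are written to the System log with source "Kerberos".
function Get-KerberosErrorEvents {
    param([int]$Newest = 50)
    Get-EventLog -LogName System -Source Kerberos -EntryType Error -Newest $Newest |
        Select-Object TimeGenerated, EventID, Message
}

# Typical sequence on each server while reproducing the problem:
#   Enable-KerberosEventLogging
#   (open the PAS view in the browser)
#   Get-KerberosErrorEvents | Format-List
#   Disable-KerberosEventLogging
```
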
  • Thanks, the Kerberos logging did point to a problem. Lots of Googling hasn't come up with any quick answers, so my next step is PSS and get a Kerberos expert to see what's going on. I did reboot the server and used the Kerbtray to purge all tickets, in case something was wacky with one of them.

     

    Event Type: Error
    Event Source: Kerberos
    Event Category: None
    Event ID: 3
    Date:  3/26/2008
    Time:  1:51:56 PM
    User:  N/A
    Computer: CONAPP04
    Description:
    A Kerberos Error Message was received:
             on logon session
     Client Time:
     Server Time: 18:51:56.0000 3/26/2008 Z
     Error Code: 0xd KDC_ERR_BADOPTION
     Extended Error: 0xc0000272 KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: CONTOSO.LOCAL
     Server Name: host/conapp04.contoso.local
     Target Name: host/conapp04.contoso.local@CONTOSO.LOCAL
     Error Text:
     File: 9
     Line: ae0
     

    Wednesday, March 26, 2008 7:13 PM
  • There are definitely a few different things that message could be.  Can you post the solution once you have resolved the issue so that other forum participants may benefit?

     

    Thanks!

     

    Bob

     

    Friday, March 28, 2008 1:24 PM
  • YngDiego777,

     

    KDC_ERR_BADOPTION can mean that the ticket is expiring before it can be used - which can mean just about anything.  I suggest a Microsoft netmon trace and checking what users are arriving at IIS and arriving at SSAS.

     

    -Joey

    Friday, March 28, 2008 11:40 PM
  • Ok, we finally got it working. We had to configure two things to get Kerberos delegation to work properly for our scenarios. First, we had to register an HTTP SPN for our PAS server using the friendly FQDN that users type in to access the server. Basically, setspn -A HTTP/pas.contoso.com app04, where app04 is the AD machine account name of the PAS server. IIS is NOT running under a domain account, but this was still needed.

     

    In addition, users will be accessing it from non-domain joined machines as well. So on the AD machine account of APP04 we configured constrained delegation for 'any authentication protocol' of the SQL 2005 Analysis Services service account using the MSOLAPSvc.3 SPN.

     

    After these two changes, it works like a charm. Also take note that accessing a web site via IP address disables IE from using Kerberos, as well as using the WS2003 IE enhanced security configuration.

     

     

     

     

    Monday, March 31, 2008 9:27 PM
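
A check for the two changes described in the post above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the account name, HTTP SPN and MSOLAPSvc.3 service class come from the post, and the function names are hypothetical.

```powershell
# Added example: verifies the SPN and delegation settings described in the post.
Import-Module ActiveDirectory

$PasAccount = 'app04'                 # AD machine account of the PAS server (from the post)
$HttpSpn    = 'HTTP/pas.contoso.com'  # SPN registered with setspn -A (from the post)
$SsasClass  = 'MSOLAPSvc.3/'          # Analysis Services SPN service class (from the post)

function Test-PasDelegation {
    $c = Get-ADComputer $PasAccount -Properties servicePrincipalName,
            'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

    [pscustomobject]@{
        # Change 1: the friendly-FQDN HTTP SPN is on the machine account.
        HttpSpnRegistered       = $c.servicePrincipalName -contains $HttpSpn
        # Change 2: constrained delegation lists the Analysis Services SPN.
        DelegatesToSsas         = @($c.'msDS-AllowedToDelegateTo' |
                                      Where-Object { $_ -like "$SsasClass*" })
        # "Use any authentication protocol" (protocol transition) is enabled.
        AnyAuthProtocol         = $c.TrustedToAuthForDelegation
        # True here means the account is trusted for delegation to ANY service,
        # which is broader than the constrained setup the post describes.
        UnconstrainedDelegation = $c.TrustedForDelegation
    }
}

function Get-SpnOwners {
    # An SPN must belong to exactly one account; a second owner makes the KDC
    # unable to issue a ticket for it, and Kerberos authentication fails.
    Get-ADObject -Filter "servicePrincipalName -eq '$HttpSpn'" |
        Select-Object Name, ObjectClass, DistinguishedName
}

Test-PasDelegation | Format-List
Get-SpnOwners      | Format-Table -AutoSize
```

For the configuration in the post, HttpSpnRegistered and AnyAuthProtocol should be True, DelegatesToSsas should list the MSOLAPSvc.3 SPN, and Get-SpnOwners should return a single row.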
  • Good work YngDiego and many thanks for letting us know the outcome and the configuration necessary for this scenario.

     

    -Bob

     

    Tuesday, April 1, 2008 1:05 PM