IT Analytics Connectivity

Contents

Introduction

Authentication

Cube Authentication

Report Authentication

Authenticating in a Workgroup Environment

Kerberos

Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

To configure Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

Configuring Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection

To configure Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection

IT Analytics Ports

IT Analytics in a Hierarchy

Introduction

This whitepaper provides information about connectivity within IT Analytics Solution. This includes authentication, ports and data flow. Having an understanding of these areas will allow the administrator to determine where issues might occur.

Authentication

IT Analytics uses pass-through authentication whenever a user accesses either reports or cubes. When a user accesses a cube, his credentials are passed to the Analysis Service to authenticate his connection. The same applies to accessing reports, with the added requirement to authenticate to the Report Server. So how does this work in your environment?

Cube Authentication

Cube access is always based on the user’s logged-in Windows credentials. The credentials are passed from the Windows workstation to the Symantec Management Platform and then to the Analysis Server. Kerberos is required on the Symantec Management Platform if the Analysis Server is on a separate computer. See section Kerberos below.

Report Authentication

You have the choice of using Windows Integrated Authentication or Stored Credentials. With Windows Integrated Authentication, a report accessed through the SMP console runs with the logged-in user’s credentials. The Stored Credentials option sends a predetermined set of credentials, so all users have the same access to reports.

Kerberos is required on the Symantec Management Platform if the Report Server is on a separate computer. If the Report Server, Analysis Server and Symantec Management Platform are all on separate servers, authentication is a three-step process: from the Windows computer to the Symantec Management Platform, then to the Report Server, and finally to the Analysis Server. This three-step connection requires Kerberos on both the Symantec Management Platform and the Analysis Server. See section Kerberos below.

Authenticating in a Workgroup Environment

Note: This method is not officially supported. It may not work in your environment.

Be aware that Analysis Services requires Windows authentication. It does not allow SQL authentication. This can present problems for those companies that don’t use Active Directory. To use Windows credentials in a Workgroup environment, you will need to create a set of user credentials on each server that a user accesses. The account must have the same user name and password on all servers. Windows then allows users to authenticate using their credentials to log on to servers in the Workgroup.

You will also need to add the user to a role in Analysis Server and grant them rights to view reports. This can be done manually from SQL Server Management Studio and Report Server or by adding the user to a role in the Symantec Management Platform. That user will be the user from the server on which the Analysis Server resides. For example, if the Analysis Server resides on VMMSSQL001 and the user is drussell then the user added to the role would be VMMSSQL001\drussell.

This can be an issue in environments where the user is required to change the password periodically, as there is no convenient way to change the password on all servers. To ease administration, use Stored Credentials. Then you only have one account to maintain.

Kerberos

Another security consideration is the placement of the Symantec Management Platform, Analysis Server and Report Server. These services may be hosted on one, two or three separate servers. Whenever they are hosted on more than one server, Kerberos is required to authenticate the connection between servers, as illustrated in the following diagrams.

In this configuration the Symantec Management Platform, Analysis Server and Report server are all located on the same computer. Authentication is direct from the user’s computer to the server and uses his Windows logged in credentials to access cubes and reports. Kerberos is not required.

In this configuration, where the Symantec Management Platform is on one computer and the Report Server and Analysis Server are on a separate computer, authentication becomes somewhat more complicated. The Symantec Management Platform must pass credentials for the user over to the Report/Analysis server. There are a couple of options for doing this.

Option 1 allows you to bypass enabling Kerberos by setting the Reporting Server’s Authentication Type to Stored Credentials. Doing this will mean that all user requests to run IT Analytics reports will impersonate the user specified in the Stored Credentials and you will not be able to utilize any of the cube security features. This is the best option if you are not concerned with restricting which cubes users can access or which data users can see inside of cubes. See section Option 1 - Setting Reporting Server to use Stored Credentials below for details on configuring this option.

Option 2 allows you to use Windows Integrated Authentication. You must configure Kerberos as described in section Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers below.

In this configuration the Symantec Management Platform, Report Server and Analysis Server are located on separate computers. Viewing reports becomes a three-step authentication process: 1) The user authenticates to the Symantec Management Platform and requests a report. 2) The Symantec Management Platform forwards credentials to the Report Server. 3) The Report Server forwards credentials to the Analysis Server to fetch cube data. You still have the option to use Stored Credentials as well as Kerberos to authenticate in this scenario. Kerberos is required on both the Symantec Management Platform and on the Report Server when using Windows Integrated Authentication. There are a couple of options for doing this.

Option 1 allows you to bypass enabling Kerberos by setting the Reporting Server’s Authentication Type to Stored Credentials. Doing this will mean that all user requests to run IT Analytics reports will impersonate the user specified in the Stored Credentials and you will not be able to utilize any of the cube security features. This is the best option if you are not concerned with restricting which cubes users can access or which data users can see inside of cubes. See section Option 1 - Setting Reporting Server to use Stored Credentials below for details on configuring this option.

Option 2 allows you to use Windows Integrated Authentication. You must configure Kerberos as described in sections Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers and Configuring Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection below.

Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

Note: The following sections on configuring Kerberos are excerpted from the Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide.

If you install Symantec Management Platform on a different server than the SQL Server Analysis and Reporting Services and the Authentication Type is set to Windows Integrated Authentication, users cannot access the reports to which you grant them access unless you configure Kerberos.

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "About configuring the Reporting Services data sources to use "

If Stored Credentials provides enough control over the reports, you can reconfigure the Reporting Services data sources to use Stored Credentials to access the Analysis Services cubes. Then, you do not need to configure Kerberos.

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "Reconfiguring the Reporting Services data sources to access the Analysis Services cubes"

If you need the control that Windows Integrated Authentication provides over the information in the reports, you must configure Kerberos. Kerberos allows the user’s credentials to pass from the Symantec Management Platform server to the SQL Server Analysis and Reporting Services server. Kerberos must be correctly configured on the following servers: Symantec Management Platform and the SQL Server Analysis and Reporting Services servers.

To configure Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers

Warning: It is important that a user with Domain Admin rights issue the SETSPN.EXE commands in the following process. This command makes changes to both the computer account and the service account in Active Directory. Failure to use Domain Admin credentials when issuing the command will result in a failed Kerberos installation.

1.  From Active Directory, set the computer on which the Symantec Management Platform is hosted to Trust this computer for delegation to any server (Kerberos only). If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you also need to set that account to be trusted for delegation.

2.  Add the following Service Principal Names to the Symantec Management Platform:

·  Setspn -S http/netbiosName netbiosName For example, Setspn -S http/computer1 computer1

·  Setspn -S http/FullyQualifiedDomainName netbiosName For example, Setspn -S http/computer1.domain.com computer1

If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you may need to set the Service Principal Names for that account instead of computer1. For example:

Setspn -S http/computer1 domain\username

Setspn -S http/computer1.domain.com domain\username

For additional information on Setspn, see the Microsoft Technet Web site at the following URL: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

3.  If you use SQL 2008, on the Reporting Services server edit the ReportServer.config file so that <RSWindowsNegotiate/> is listed at the top of the Authentication node. You can locate this file at SQL Server Install Directory\MSRS10.MSSQLSERVER\ReportingServer. The ReportServer.config file is installed on the box that hosts the Reporting Services. The config file is an XML file; use a program such as Notepad to edit the file. If you do not use SQL 2008, you do not need to edit the config file on the Reporting Services server.

4.  If SQL Reporting Services is running as a domain account, add the following Service Principal Names for the account that the SQL Reporting Services service is running as. If SQL Reporting Services is not running as a domain account, you do not need to add the Service Principal Names.

·  Setspn -S http/netbiosName domain\username

·  Setspn -S http/fqdn domain\username

For additional information on Setspn, see the Microsoft Technet Web site at the following URL: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

5.  To make the changes take effect, restart all affected systems.
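A post-change check for the Service Principal Names registered in steps 2 and 4, added here as an example (it is not from the Symantec guide): it parses setspn -L output and reports each http SPN that is missing, registered on the wrong account, or duplicated on a second account, three conditions worth ruling out before troubleshooting further. The listing, the host names and the accounts svc-apppool and svc-ssrs are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: concatenated `setspn -L <account>` output for three
# accounts. Host, domain and account names are placeholders.
SAMPLE_LISTINGS = """\
Registered ServicePrincipalNames for CN=COMPUTER1,CN=Computers,DC=domain,DC=com:
        HOST/COMPUTER1
        HOST/computer1.domain.com
        http/computer1
        http/computer1.domain.com
Registered ServicePrincipalNames for CN=svc-apppool,CN=Users,DC=domain,DC=com:
        http/computer1
Registered ServicePrincipalNames for CN=svc-ssrs,CN=Users,DC=domain,DC=com:
        http/computer2
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),.*:$")


def parse_listings(text):
    """Map each SPN (lower-cased) to the set of accounts that hold it."""
    holders, account = defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            account = match.group(1).lower()
        elif line and account:
            holders[line.lower()].add(account)
    return holders


def audit_http_spns(holders, netbios, fqdn, expected_account):
    """Check the two http SPNs from step 2 or step 4 for one service host."""
    expected = expected_account.lower()
    findings = []
    for spn in (f"http/{netbios}".lower(), f"http/{fqdn}".lower()):
        accounts = holders.get(spn, set())
        if not accounts:
            findings.append(("MISSING", spn, []))
        elif expected not in accounts:
            findings.append(("WRONG_ACCOUNT", spn, sorted(accounts)))
        elif len(accounts) > 1:
            # Same SPN on two accounts: the name no longer maps to one principal.
            findings.append(("DUPLICATE", spn, sorted(accounts - {expected})))
    return findings
```

An empty list from audit_http_spns means both forms of the SPN are registered once, on the intended account.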

Configuring Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection

Symantec recommends that the SQL Server Analysis Services and SQL Server Reporting Services instances that IT Analytics uses reside on the same host server. You can host these services on different servers in a highly distributed environment. However, when you host these services on different servers, additional configuration might be necessary to ensure that authentication is managed appropriately across all application tiers.

When SQL Server Analysis Services and SQL Server Reporting Services are hosted on different servers and the Authentication Type is set to Windows Integrated Authentication, an additional connection is required to pass the credentials of the user from the Reporting Server to the Analysis Server. To ensure that the user’s credentials are passed successfully, you must configure Kerberos. Without configuring Kerberos, the connection is attempted as an anonymous user, which fails authentication in a typical configuration. When authentication fails, users cannot access the reports to which you grant them access. Therefore, if you need the control that Windows Integrated Authentication provides over the information in the reports, you must configure Kerberos.
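One way to observe the failure described above from the Analysis Services host, as an added example (it is not from the Symantec guide): it reads exported logon events and separates requests from the Report Server that arrived with a user's Kerberos identity from those that arrived as ANONYMOUS LOGON. It assumes Windows Server 2008 or later (logon event ID 4624) and a CSV export whose columns carry the event's field names; the events, addresses and the account jsmith are constructed.

```python
import csv
import io

# Constructed sample: logon events (Security log, event ID 4624) exported to
# CSV on the Analysis Services host. Column names mirror the event's field
# names; timestamps, accounts and addresses are placeholders.
SAMPLE_EVENTS = """\
TimeCreated,EventID,TargetUserName,TargetDomainName,LogonType,AuthenticationPackageName,IpAddress
2013-02-04T09:15:02,4624,drussell,DOMAIN,3,Kerberos,10.0.0.20
2013-02-04T09:16:40,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NTLM,10.0.0.20
2013-02-04T09:16:41,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NTLM,10.0.0.20
2013-02-04T09:17:05,4624,jsmith,DOMAIN,3,NTLM,10.0.0.20
2013-02-04T09:17:30,4624,ANONYMOUS LOGON,NT AUTHORITY,3,NTLM,10.0.0.99
2013-02-04T09:18:00,4624,drussell,DOMAIN,2,Negotiate,127.0.0.1
"""


def classify_hops(events_csv, report_server_ip):
    """Sort network logons that arrived from the Report Server into outcomes."""
    result = {"kerberos_users": set(), "anonymous": 0, "other": []}
    for row in csv.DictReader(io.StringIO(events_csv)):
        # Only network logons (type 3) coming from the Report Server matter.
        if (row["EventID"], row["LogonType"]) != ("4624", "3"):
            continue
        if row["IpAddress"] != report_server_ip:
            continue
        user = row["TargetDomainName"] + "\\" + row["TargetUserName"]
        package = row["AuthenticationPackageName"]
        if row["TargetUserName"].upper() == "ANONYMOUS LOGON":
            result["anonymous"] += 1            # credentials were not passed on
        elif package == "Kerberos":
            result["kerberos_users"].add(user)  # user identity reached this tier
        else:
            result["other"].append((user, package))
    return result


def delegation_verdict(result):
    """Reduce the tallies to one of: working, mixed, broken, no-data."""
    if result["anonymous"]:
        return "mixed" if result["kerberos_users"] else "broken"
    return "working" if result["kerberos_users"] else "no-data"
```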

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "About configuring the Reporting Services data sources to use "

If Stored Credentials provides enough control over the reports, you can reconfigure the Reporting Services data sources to use Stored Credentials to access the Analysis Services cubes. Then you do not need to configure Kerberos.

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "Reconfiguring the Reporting Services data sources to access the Analysis Services cubes"

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "About security"

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "About SQL Server Analysis Services"

See Altiris™ IT Analytics Solution 7.1 SP2 from Symantec™ User Guide "About SQL Server Reporting Services"

To configure Kerberos for the SQL Server Analysis Services server to SQL Server Reporting Services server connection

Warning: It is important that a user with Domain Admin rights issue the SETSPN.EXE commands in the following process. This command makes changes to both the computer account and the service account in Active Directory. Failure to use Domain Admin credentials when issuing the command will result in a failed Kerberos installation.

1.  Configure the Kerberos protocol for the SQL Server Reporting Services server to SQL Server Analysis Services server connection to allow credential delegation over multiple connections. For more information, see the Microsoft knowledge base article SQL Server 2008 Analysis Services and SQL Server 2005 Analysis Server to use Kerberos authentication at the following URL: http://support.microsoft.com/kb/917409. If Symantec Management Platform is installed on the same server as SQL Server Reporting Services, no additional configuration is required. If Symantec Management Platform is installed on a different server than SQL Server Reporting Services, go to step 2.

2.  Configure Kerberos so that the user’s credentials can pass from the Symantec Management Platform server to the SQL Server Reporting Services server.

3.  From Active Directory, set the computer on which the Symantec Management Platform is hosted to Trust this computer for delegation to any server (Kerberos only). If the Application Pool which Symantec Management Platform uses in IIS uses a domain account, you also need to set that account to be trusted for delegation.