Tuesday, April 29, 2008

PerformancePoint 2007 Monitoring Server per user authentication

I had an interesting time getting Kerberos authentication working for PerformancePoint 2007 Monitoring Server. The deployment guide is pretty thorough, but I had some issues getting the Kerberos authentication to function. After making the changes recommended in the guide for Kerberos auth and per-user security, the Dashboard Designer would produce the following error when trying to refresh:

Unable to connect to the specified server. Make sure the address is correct.

After reviewing Kerberos logging messages, I found that this was a Kerberos error. I used adsiedit to set SPNs rather than the SetSPN utility as I find it a bit faster to work with. I set the service principal names above on the Monitoring Server application pool identity domain account (locate the account in the tree, right-click and choose Properties, select the servicePrincipalName attribute, and click Edit). This is because:
  • My PPSMonitoring web runs on the dppt01 server on port 40000;
  • My PPSPlanningWebServices web runs on the dppt01 server on port 46787; and
  • My PPSPlanningAdminConsole web runs on the dppt01 server on port 46788.
This wasn't sufficient to make it work, however. I also had to:

- Set one more SPN (for both the short and fully-qualified domain name) on both the server's computer account and the Monitoring Server application pool identity:
  • HTTP/dppt01.domain.local
  • HTTP/dppt01
- Change the application pool identity of the PPSMonitoringCentral app pool (for some reason, the installer defaulted this to Network Service instead of my app pool identity, ppt-pool-dev).

After doing these steps and allowing for replication, Dashboard Designer was again able to connect and enumerate resources.

No comments:

Post a Comment