I had an interesting time getting Kerberos authentication working for PerformancePoint 2007 Monitoring Server. The deployment guide is pretty thorough, but I had some issues getting the Kerberos authentication to function. After making the changes recommended in the guide for Kerberos auth and per-user security, the Dashboard Designer would produce the following error when trying to refresh:
Unable to connect to the specified server. Make sure the address is correct.
After reviewing Kerberos logging messages, I found that this was a Kerberos error. I used adsiedit to set SPNs rather than the SetSPN utility as I find it a bit faster to work with. I set the service principal names above on the Monitoring Server application pool identity domain account (locate the account in the tree, right-click and choose Properties, select the servicePrincipalName attribute, and click Edit). This is because:
- My PPSMonitoring web runs on the dppt01 server on port 40000;
- My PPSPlanningWebServices web runs on the dppt01 server on port 46787; and
- My PPSPlanningAdminConsole web runs on the dppt01 server on port 46788.
- Set one more SPN (for both the short and fully-qualified domain name) on both the server's computer account and the Monitoring Server application pool identity:
- HTTP/dppt01.domain.local
- HTTP/dppt01
After doing these steps and allowing for replication, Dashboard Designer was again able to connect and enumerate resources.
No comments:
Post a Comment