Tuesday, August 05, 2008

Jesse Orosz: SQL Server Analysis Services Blog

Jesse demonstrates how to overcome the ‘double hop authentication issue’ in Analysis Services.

As you know we have run into a problem with querying Analysis Services from another computer (our desktops for example) after connecting to a secondary server.

After working on this case with MS, we have an understanding of the problem and we have a solution.

The problem is the desktops not requesting Kerberos tickets from the domain controller. This is a bug in Kerberos dll and is fixed with a hotfix by Microsoft.


1)     A Kerberos hotfix must be installed in our desktops.

Kerberos Hotfix canbe installed from (hotfix for IA64, x64, Win2003 also exist)

2)     The linked server from secondary server to target server (cubes) must be defined with Fully Qualified domain name.

I would like to specify a couple of more points here, since they are prerequisites for this double hop authentication to work.

1)     We need to define the servers with "Trust this computer for delegation to any service (Kerberos only)" in Active Directory as opposed to “Do not trust this computer for delegation”.

2)     We need to register the OLAP service with SPN as follows for the target server

a.     Setspn.exe -A MSOLAPSvc.3/CUBESSERVER USER\svc_db

b.    Setspn.exe -A MSOLAPSvc.3/CUBESSERVER USER\svc_db

Jesse Orosz: SQL Server Analysis Services Blog

No comments: