Enabling delegation in Analysis Services 2000
By Marius Dumitru, January 2002 (revised January 2005)
In order to enable delegation for Analysis Services 2000 the following steps are needed:
- SP1 or higher version of Analysis Services 2000 needs to be installed both
on the server and on the client
- The correct SPN must be registered in Active Directory.
- If the MSSQLServerOLAPService service is running under the LocalSystem account, it registers the SPN automatically.
- If the MSSQLServerOLAPService service is running under another account, the SPN must be registered manually. The "setspn.exe" utility from the Windows 2000 Resource Kit can be used with the following syntax:
setspn.exe -A MSOLAPSvc/<serverhostname>.<domainname> <serviceaccountname>
and/or
setspn.exe -A MSOLAPSvc/<serverhostname> <serviceaccountname>
- The DBPROP_MSMD_SSPI property should be set to the string "Kerberos". This is most conveniently done from the connection string, by appending the following:
";SSPI=Kerberos"
- The MSSQLServerOLAPService must be running under the LocalSystem account
in order for delegation to be enabled.
- The user account(s) you want to be delegated must have the "Account Is Sensitive And Cannot Be Delegated" option cleared (i.e. not checked). You'll find this property in "Active Directory Users And Groups", under the "Account" property tab.
- All computers involved must be marked as trusted for delegation (except the first and last computers in the chain). For example, if a user on machine A connects to IIS on machine B which uses a COM component on machine C which uses MSOLAP90 to connect to an Analysis Services server on machine D, then the machine accounts of B and C should have the "Computer Is Trusted For Delegation" option checked (enabled) in "Active Directory Users And Computers"->"Computers"->"Computer"->"Properties".
- If you have other servers in the chain between the user and the Analysis Services machine, and those servers run under a service account other than "LocalSystem", then those service accounts should have the "Account Is Trusted For Delegation" option enabled in "Active Directory Users And Groups"->"User"->"Properties"->"Account"->"Account Options".
- All accounts (including machine accounts) must belong to the same Active
Directory domain (or to trusted domains in the same forest).
- The machines involved (both clients and servers) must have Win 2000 or
later installed. Older OSes (like NT4 or Win9X) do not have Kerberos support.
- The server (datasource) name has to be either the full DNS name of the server (fully qualified domain name, e.g. myhost.mydomain.com) or a NetBIOS name (myhost). Specifying a numeric IP address will disable Kerberos.
You can troubleshoot whether a server tries to use Kerberos or not by running
"setspn.exe -L <serviceaccountname>" (use the hostname if running the server as
LocalSystem) and checking whether SPNs with the following format are listed:
MSOLAPSvc/myhost.mydomain.com
MSOLAPSvc/myhost
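The checks in this note (the two MSOLAPSvc SPN forms, the ";SSPI=Kerberos" connection-string property, and the rule that a numeric IP address as the datasource disables Kerberos) can be automated. The script below is an added example and not part of the original note; it parses a constructed sample of "setspn.exe -L" output rather than calling the tool, and it assumes an OLE DB-style connection string with a "Data Source" key, which the note does not spell out.

```python
import ipaddress

# Constructed sample of what "setspn.exe -L <serviceaccountname>" prints.
# It is not captured from a real server; the account name and the
# indentation format are assumptions for this example.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=olapsvc,OU=Service Accounts,DC=mydomain,DC=com:
    MSOLAPSvc/myhost.mydomain.com
    MSOLAPSvc/myhost
    HOST/myhost.mydomain.com
"""


def expected_spns(hostname, domain):
    """Return the two SPN forms the note says setspn.exe -A should register."""
    return [f"MSOLAPSvc/{hostname}.{domain}", f"MSOLAPSvc/{hostname}"]


def parse_setspn_list(text):
    """Extract the SPNs from setspn -L output (one indented SPN per line)."""
    spns = []
    for line in text.splitlines():
        if line.startswith((" ", "\t")) and line.strip():
            spns.append(line.strip())
    return spns


def missing_spns(setspn_text, hostname, domain):
    """List the expected MSOLAPSvc SPNs that are not registered (case-insensitive)."""
    registered = {s.lower() for s in parse_setspn_list(setspn_text)}
    return [s for s in expected_spns(hostname, domain) if s.lower() not in registered]


def datasource_supports_kerberos(data_source):
    """A numeric IP address disables Kerberos; an FQDN or NetBIOS name is acceptable."""
    try:
        ipaddress.ip_address(data_source)
        return False
    except ValueError:
        return True


def connection_string_check(conn_str):
    """Report the Kerberos prerequisites a connection string fails to meet.

    Assumes the OLE DB convention of ";"-separated key=value pairs with a
    "Data Source" key holding the server name; keys are matched case-insensitively.
    """
    props = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip()
    problems = []
    if props.get("sspi", "").lower() != "kerberos":
        problems.append("SSPI property is not set to Kerberos")
    data_source = props.get("data source", "")
    if not data_source:
        problems.append("Data Source is missing")
    elif not datasource_supports_kerberos(data_source):
        problems.append(
            f"Data Source {data_source} is a numeric IP address, which disables Kerberos"
        )
    return problems


if __name__ == "__main__":
    print("missing SPNs:", missing_spns(SAMPLE_SETSPN_OUTPUT, "myhost", "mydomain.com"))
    print(connection_string_check("Provider=MSOLAP;Data Source=myhost.mydomain.com;SSPI=Kerberos"))
    print(connection_string_check("Provider=MSOLAP;Data Source=192.168.1.10"))
```

To use it against a live server, replace SAMPLE_SETSPN_OUTPUT with the captured output of "setspn.exe -L" for the service account (or the host name when the service runs as LocalSystem), and pass the host and domain names your clients actually use in the datasource.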