Using Kerberos for Authentication in Analysis Services 2000
By Marius Dumitru, January 2002 (revised January 2005)
In order for Analysis Services 2000 to use Kerberos as an authentication protocol,
the following steps are needed:
- SP1 or a higher version of Analysis Services 2000 needs to be installed on
both the server and the client
- The correct SPN should be registered in Active Directory:
  - Either the MSSQLServerOLAPService service is running under the
    LocalSystem account, in which case it will register the SPN automatically
  - Or, if the MSSQLServerOLAPService service is running under another
    account, the SPN must be registered manually. The "setspn.exe" utility from
    the Windows 2000 Resource Kit can be used with the following syntax:
      setspn.exe -A MSOLAPSvc/<serverhostname>.<domainname> <serviceaccountname>
    and/or
      setspn.exe -A MSOLAPSvc/<serverhostname> <serviceaccountname>
- The DBPROP_MSMD_SSPI property should be set to the string "Kerberos". This is
most conveniently done from the connection string, by appending the following:
";SSPI=Kerberos"
- All accounts (including machine accounts) must belong to the same Active
Directory domain (or to trusted domains in the same forest).
- The machines involved (both clients and servers) must have Win 2000 or
later installed. Older OSes (like NT4 or Win9X) do not have Kerberos support.
- The server (datasource) name has to be either the full DNS name of the
server (fully qualified domain name, e.g. myhost.mydomain.com), or a NetBios
name (myhost). Specifying a numeric IP address will disable Kerberos.
You can troubleshoot whether a server tries to use Kerberos or not by running
"setspn.exe -L <serviceaccountname>" (use the hostname if running the server as
LocalSystem) and checking whether SPNs with the following format are listed:
MSOLAPSvc/myhost.mydomain.com
MSOLAPSvc/myhost
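
The checks above can be run offline against a connection string and a saved "setspn.exe -L" listing. The following is an added example, not part of the original article: the function names, the sample connection strings and the sample listing are constructed, and it assumes the SPN has to exist for the same name form (NetBIOS or fully qualified) that the client puts in Data Source.

```python
import ipaddress

# Constructed sample of captured `setspn.exe -L <serviceaccountname>` output.
SAMPLE_SETSPN = """Registered ServicePrincipalNames for CN=olapsvc,CN=Users,DC=mydomain,DC=com:
    MSOLAPSvc/myhost.mydomain.com
"""

def parse_conn(conn_string):
    """Split a connection string into a dict with lowercase property names."""
    props = {}
    for part in conn_string.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip().strip('"')
    return props

def listed_spns(setspn_output):
    """Return the MSOLAPSvc/... entries from the listing, lowercased."""
    lines = (ln.strip().lower() for ln in setspn_output.splitlines())
    return {ln for ln in lines if ln.startswith("msolapsvc/")}

def kerberos_findings(conn_string, setspn_output):
    """Return the prerequisites from the article that are not met."""
    props = parse_conn(conn_string)
    findings = []
    if props.get("sspi", "").lower() != "kerberos":
        findings.append("SSPI=Kerberos is not set")
    server = props.get("data source", "")
    if not server:
        findings.append("no Data Source given")
        return findings
    try:
        ipaddress.ip_address(server)
        findings.append("Data Source is a numeric IP address")
        return findings
    except ValueError:
        pass  # not an IP literal: a NetBIOS or DNS name, as required
    # Assumption: the SPN must exist for the name form the client uses.
    wanted = "msolapsvc/" + server.lower()
    if wanted not in listed_spns(setspn_output):
        findings.append("SPN not registered: MSOLAPSvc/" + server)
    return findings

if __name__ == "__main__":
    for cs in ("Provider=MSOLAP;Data Source=myhost.mydomain.com;SSPI=Kerberos",
               "Provider=MSOLAP;Data Source=myhost;SSPI=Kerberos",
               "Provider=MSOLAP;Data Source=10.0.0.5"):
        print(cs, "->", kerberos_findings(cs, SAMPLE_SETSPN) or "OK")
```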