The good news is that SSL works at a lower level than the
application, so no application changes are necessary; in fact, the web application will
be unaware of whether SSL is being employed.
Microsoft recommends that SSL be used for PerformancePoint Server work. In
fact, PerformancePoint Server is set to require SSL by default during installation.
This is a good practice, but it requires the installation of an SSL certificate on
the server, which may not be available in all cases.
Kerberos and Delegation
One of the most confusing aspects of security is determining the users who may be
logging into SQL Server and Analysis Services. By default, the users seen by both
SQL Server and Analysis Services are users set up through the SI account. No matter
what method is used in IIS, the servers run under an SI account and it is those SI
accounts that appear as the calling user to the databases.
294 Business Intelligence with Microsoft Office PerformancePoint Server 2007
If security in SQL Server or Analysis Services is set up to only show certain data
to certain users, it is important to know the originating user of a request; the identity
of the SI account isn't good enough. In this case, the SI account must take on the
credentials of the original calling user.
In order for the SI account to mimic the original caller, either basic or integrated
authentication must be used. Next, Kerberos must be installed; this is because it is
only through Kerberos delegation that the current user can be impersonated through
IIS back to the data source.
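
One way to check which identity SQL Server actually sees, and whether Kerberos was used, is to query the session and connection views while requests from the web tier are active. This is an added example, not taken from the book; it assumes SQL Server 2005 or later and a login with VIEW SERVER STATE permission.

```sql
-- Added example: list the identity and authentication scheme of each
-- user session, to see whether requests arrive as the service account
-- or as the original calling user.
SELECT
    s.session_id,
    s.login_name,            -- identity whose permissions SQL Server applies
    s.original_login_name,   -- identity that opened the connection
    c.auth_scheme,           -- KERBEROS, NTLM or SQL
    s.host_name,             -- client machine name as reported by the client
    s.program_name,
    c.net_transport,
    c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_name, s.session_id;

-- Summary: how many sessions each login holds under each scheme.
SELECT
    s.login_name,
    c.auth_scheme,
    COUNT(*) AS session_count
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
GROUP BY s.login_name, c.auth_scheme
ORDER BY session_count DESC;
```

If every session from the web server shows the same service account in login_name, the original caller is not being passed through; individual user logins with an auth_scheme of KERBEROS indicate that delegation is working.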