Kerberos allows IIS to take the user token and present
that to the data source as the user making the request, and in this fashion SQL Server
or Analysis Services can send back just the correct data to the user.
In many cases, IIS can impersonate the user without Kerberos if both IIS and
Analysis Services are on the same server, but if IIS and Analysis Services are on
separate machines, this leads to the "double hop" scenario. In this case, the user
requests a page from their browser, so data flows from the client machine to the
web server (the first hop). The web server now needs data from Analysis Services
and makes a call to the server running Analysis Services (the second hop). Even if
integrated authentication is used, the user's credentials cannot be passed from IIS to
Analysis Services on another server, unless Kerberos is installed and configured.
When working with PerformancePoint, there is a setting in the web.config file
that must be changed in order to enable impersonation when using Kerberos. This
property is called Bpm.ServerConnectionPerUser and it must be enabled to allow the
impersonation token to be passed. This only applies to the Monitoring Server, as the
Planning Server is set up to always pass user credentials.
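
An added example (not from the book or from the product's own files): a PowerShell check that reports whether Bpm.ServerConnectionPerUser is enabled in a Monitoring Server web.config, so a silent fallback to a shared connection identity is noticed. It assumes the property is stored as an appSettings key; the function name and the sample documents are constructed for illustration.

```powershell
# Added example. Assumption: the property is an <add key="..." value="..."/>
# element under <configuration>/<appSettings>. Sample XML below is constructed.
function Get-PerUserConnectionState {
    param([Parameter(Mandatory)][string]$WebConfigXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($WebConfigXml)
    $node = $doc.SelectSingleNode(
        "/configuration/appSettings/add[@key='Bpm.ServerConnectionPerUser']")

    # A missing key is reported separately from an explicit "False".
    if ($null -eq $node) { return 'Missing' }

    # TryParse accepts "True"/"true" and rejects anything that is not a boolean.
    $parsed = $false
    if ([bool]::TryParse($node.GetAttribute('value'), [ref]$parsed) -and $parsed) {
        return 'Enabled'
    }
    return 'Disabled'
}

# Constructed sample configurations covering the three outcomes.
$samples = [ordered]@{
    'per-user on'  = '<configuration><appSettings><add key="Bpm.ServerConnectionPerUser" value="True"/></appSettings></configuration>'
    'per-user off' = '<configuration><appSettings><add key="Bpm.ServerConnectionPerUser" value="False"/></appSettings></configuration>'
    'key absent'   = '<configuration><appSettings/></configuration>'
}

foreach ($name in $samples.Keys) {
    '{0,-14} {1}' -f $name, (Get-PerUserConnectionState -WebConfigXml $samples[$name])
}
```

To check a real server, pass the file contents instead of a sample, for example with Get-Content -Raw on the Monitoring Server's web.config.
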
Summary
Installation of the various PerformancePoint modules is relatively straightforward.
There are actually few options to choose during installation and configuration. Most
commonly, people will set the Service Identity for the Monitoring Server to a domain
user account created for that purpose, while the Service Identity for the Planning
Server must be a domain account.