
Configuration Steps

  1. Server delegation

The first step is to grant delegation rights from the Web server to SQL Server Analysis Services (SSAS). To do this, use the Service Principal Name (SPN) of the SSAS machine and set it up on the Active Directory (AD) server.

  1. Go to Active Directory Server.

  2. Open the Active Directory Users and Computers console, find the WEBSERVER computer, right-click it and select Properties.

  3. Navigate to the Delegation tab and select the "Trust this computer for delegation to specified services only" option.

  4. Use the Add button to specify which back-end servers can be accessed by the accounts.

  5. (Only SSAS Server) Enable a specific service.

If you are configuring an SSAS server, ensure that the MSOLAPSvc.3 service is selected.

If that service is not listed, it is because a Service Principal Name (SPN) must first be created in Active Directory (AD) for the Analysis service.

You can create it with the following command:

 	setspn -s MSOLAPSvc.3/<serverFQDN> <server>

A real use case should be similar to the following example:

	setspn -s MSOLAPSvc.3/SQL.rplus1.local SQL

If you prefer to do it manually, launch ADSIEdit on the DC, locate the SQL computer object, open its properties and edit the ServicePrincipalName attribute. MSOLAPSvc.3/SQL.rplus1.local was the value we added in the example above.

After that you should be able to grant trust for delegation to the service.

  2. Claims to Windows Token Service

    1. Open a command prompt on the server as an administrator.

    2. Execute the following command:

    sc config "c2wts" depend= CryptSvc
    3. Navigate to C:\Program Files\Windows Identity Foundation\v3.5\ and open the c2wtshost.exe.config file with a text editor.

    4. Add NT AUTHORITY\Network Service and NT AUTHORITY\Local Service to the allowedCallers list in that file.

    5. Find the Claims to Windows Token Service in the Services console (run services.msc to open the console).

    6. Double-click it. On the General tab, change the startup type to Automatic, then navigate to the Log On tab and select LocalSystem.

    7. Right-click the service and select Start.

  3. Application configuration

After configuring the server's delegation, you need to modify the ReportPlus Web application configuration to support Single Sign-on.

  1. Go to the ReportPlus Web application's physical path and open the Web.config file. Normally, the path is: C:\inetpub\wwwroot\RPlusServer

  2. Find the security tag and add the following two attributes to it:

    useRoleBasedModel="false"
    useClaims2WindowsTokenService="true"
  3. Add the mappings for the SSAS SPN under the serverNameMapping tag, inside security.

The complete security section configuration in the Web.config file should be similar to this:

    <security requiresSSL="false" useRoleBasedModel="false" useClaims2WindowsTokenService="true" secureStorageConnectionString="..connectionstring..">
    	<serverNameMapping>
    		<map originalName="10.20.37.248" targetName="SQL.rplus1.local"/>
    	</serverNameMapping>
    </security>
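
The steps above only work together if the targetName in each map entry matches an SPN that was registered with setspn and added to WEBSERVER's delegation list. The following consistency check is an added example, not part of ReportPlus or its documentation; the function names are hypothetical, the sample XML and SPN list are constructed from the values shown above, and it assumes targetName is the FQDN used as the host part of the SPN.

```python
import ipaddress
import xml.etree.ElementTree as ET

SERVICE_CLASS = "MSOLAPSvc.3"  # SSAS service class used in the setspn command above

# Constructed sample input: the <security> section and the SPN list that
# WEBSERVER is trusted to delegate to (as shown on its Delegation tab).
SAMPLE_SECURITY = """<security requiresSSL="false" useRoleBasedModel="false"
    useClaims2WindowsTokenService="true" secureStorageConnectionString="..connectionstring..">
  <serverNameMapping>
    <map originalName="10.20.37.248" targetName="SQL.rplus1.local"/>
  </serverNameMapping>
</security>"""
SAMPLE_DELEGATED = ["MSOLAPSvc.3/SQL.rplus1.local"]


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_security_section(xml_text, delegated_spns):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    sec = ET.fromstring(xml_text)
    required = {"useRoleBasedModel": "false", "useClaims2WindowsTokenService": "true"}
    for attr, want in required.items():
        got = sec.get(attr)
        if got is None or got.lower() != want:
            findings.append(f"{attr} is {got!r}, expected {want!r}")
    delegated = {spn.lower() for spn in delegated_spns}  # SPNs are case-insensitive
    maps = sec.findall("./serverNameMapping/map")
    if not maps:
        findings.append("no serverNameMapping/map entries")
    for m in maps:
        target = (m.get("targetName") or "").strip()
        # Assumption: targetName is the FQDN used as the host part of the SPN.
        if not target or is_ip(target) or "." not in target:
            findings.append(f"targetName {target!r} is not an FQDN")
            continue
        spn = f"{SERVICE_CLASS}/{target}"
        if spn.lower() not in delegated:
            findings.append(f"{spn} is not in the delegation list")
    return findings


if __name__ == "__main__":
    for line in audit_security_section(SAMPLE_SECURITY, SAMPLE_DELEGATED) or ["OK"]:
        print(line)
```

To run it against a real deployment, pass the security section copied from Web.config and the SPNs listed on the WEBSERVER Delegation tab.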