Former Member

Configuring Kerberos/Vintela SSO In BO XI 3.1 Multi-Server Environment

Trying to configure BO XI 3.1 Kerberos/Vintela SSO in a Windows 2003 server environment where BO/Tomcat is on one server, Microsoft SQL Server 2005 Analysis Services (for OLAP cubes) on a second server, and SQL Server 2005 database on a third server.

All works fine until I change the universe connection details to use 'single signon' (i.e. no predefined account details) and then receive the following error:

A database error occured. The database error text is: An error has occurred 
while attempting to connect to the OLAP server. Failed to initialize 
(The component Microsoft OLE DB Provider for Analysis Services 2005 returned server 
error (An error was encountered in the transport layer.; 
The peer prematurely closed the connection.)). (WIS 10901) 

Expect this is because I've got the SPNs and/or keytab files created incorrectly.

But my question is: what SPNs should I be defining? Should they be pointing at the Analysis Services box or the BO server?

Edited by: David Chattell on Dec 11, 2008 4:29 PM


4 Answers

  • Best Answer
    Posted on Dec 12, 2008 at 12:29 AM

    This should be set up in steps. Have you configured Java AD Kerberos so you can log in via your web/app with AD? This is a prerequisite before setting up any type of delegation to the DB.

    You can also set up SSO in the front end, but this shouldn't be necessary for delegating to the DB.

    What SPNs do you need...

    Well, if using Java AD you should have an SPN for the account running the SIA (typically BOBJCentralMS/something). This SPN needs to be set in the CMC. You will need the krb5 and bsclogin files to log in to your web/app with Kerberos/AD. The krb5.ini will have to have a setting forwardable = true, and finally the MSAS server will need SPNs: http://support.microsoft.com/kb/917409

    This is a very complex configuration and you will likely need to open an incident with support to get an engineer to help. I'm not sure where our current docs for the configuration are.

    Regards,

    Tim


    • Hi,

      Try to check if the user (who wants to run the query) has sufficient rights on the MSAS server.

      If I understand it correctly, the user who logs on to InfoView is then also the user who runs the query against the DB, as long as SSO is enabled in the universe connection.

      Maybe there is a failure?!

      Regards

      Sebastian

  • Former Member
    Posted on Dec 12, 2008 at 08:18 AM

    Can manually sign on to Infoview (and all other applications) via AD security as well as 'automated' silent signon to Infoview. The point it all falls apart is when the connection in the universe is changed to pass the user's AD signon details across to the Microsoft SSAS OLAP cube. Hardcoded user-ids in the connection work fine - including the user's own user-id. But it fails when using the single signon connection type.

    All the users are authorised to access the SSAS OLAP cube and, as we are still in the testing phase, most of the users have admin privileges to the servers and databases and BO itself.


    • OK, when you change the connection from using credentials to SSO, do you create a separate ODBC connection using (forget if it's trusted connection or integrated security)?

      Did you reference the above Microsoft article and verify if the SPNs exist for the analysis server?

      Regards,

      Tim

  • Former Member
    Posted on Dec 16, 2008 at 03:50 PM

    Finally managed to get back to this...

    I've set up some extra SPNs based on what was suggested in the Microsoft document and am still receiving the same error, but now get some Logon/Logoff events in the Event Viewer on the Analysis Services box:

    Event Type:	Success Audit
    Event Source:	Security
    Event Category:	Logon/Logoff 
    Event ID:	540
    Date:		16/12/2008
    Time:		16:09:25
    User:		NT AUTHORITY\ANONYMOUS LOGON
    Computer:	AS
    Description:
    Successful Network Logon:
     	User Name:	
     	Domain:		
     	Logon ID:		(0x0,0x183C8F61)
     	Logon Type:	3
     	Logon Process:	NtLmSsp 
     	Authentication Package:	NTLM
     	Workstation Name:	BO
     	Logon GUID:	-
     	Caller User Name:	-
     	Caller Domain:	-
     	Caller Logon ID:	-
     	Caller Process ID: -
     	Transited Services: -
     	Source Network Address:	-
     	Source Port:	-
    

    So one step forward - but no joy yet.

    Any ideas?


    • OK, well, you will likely need to troubleshoot via Microsoft, or you can open a case with the Voyager team.

      Try this http://support.microsoft.com/?id=262177 tracing on the CMS server, MDAC server and SQL analysis (if possible) instead of Event Viewer.

      Just to verify...

      users log in via Vintela SSO

      SIA is running under a service account with delegation enabled

      an SPN on the SIA account = the value in the CMC > auth > AD > service principal name

      forwarding = true in the krb5.ini libdefaults

      SQL analysis has 2 SPNs, 1 for FQDN and 1 for hostname

      SQL analysis is also enabled for Kerberos

      Regards,

      Tim
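The Event ID 540 record posted above shows the connection from the BO server arriving on the Analysis Services box as an anonymous NTLM logon rather than a Kerberos logon for the user. The following is an added example (not code from the thread or from SAP/Microsoft) that classifies such records and names the source workstation; both sample records are constructed, and the `EXAMPLE\jsmith` user is a placeholder.

```python
# Constructed records in the layout of the Event ID 540 entry posted above.
ANON_NTLM = """\
Event ID:\t540
User:\t\tNT AUTHORITY\\ANONYMOUS LOGON
Computer:\tAS
 \tLogon Type:\t3
 \tLogon Process:\tNtLmSsp
 \tAuthentication Package:\tNTLM
 \tWorkstation Name:\tBO
"""
KERBEROS_OK = """\
Event ID:\t540
User:\t\tEXAMPLE\\jsmith
Computer:\tAS
 \tLogon Type:\t3
 \tLogon Process:\tKerberos
 \tAuthentication Package:\tKerberos
 \tWorkstation Name:\t
"""

def parse_event(text):
    """Turn the 'Key: value' lines of a pasted Event Viewer record into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify_logon(fields):
    """Classify one network logon seen on the back-end (Analysis Services) box."""
    if fields.get("Event ID") != "540" or fields.get("Logon Type") != "3":
        return "not-a-network-logon"
    package = fields.get("Authentication Package", "").lower()
    anonymous = fields.get("User", "").upper().endswith("ANONYMOUS LOGON")
    if package == "ntlm" and anonymous:
        # No Kerberos ticket for the user reached this server, so the hop
        # from the middle tier carried no identity at all.
        return "delegation-failed"
    if package == "kerberos" and not anonymous:
        return "kerberos-ok"
    return "inconclusive"

def failing_sources(records):
    """Workstations whose connections arrive as anonymous NTLM logons."""
    return sorted({f.get("Workstation Name", "?") for f in map(parse_event, records)
                   if classify_logon(f) == "delegation-failed"})

if __name__ == "__main__":
    print(failing_sources([ANON_NTLM, KERBEROS_OK]))
```

A "delegation-failed" result points back at the checklist above: the SPNs for the back-end service, delegation on the SIA service account, and the forwardable ticket setting.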

  • Former Member
    Posted on Dec 18, 2008 at 10:34 AM

    Finally got to the bottom of this and it was linked to the SPN that was defined to point to the Microsoft SSAS server.

    Your pointer to the Microsoft document finally triggered a comment from our Active Directory security team that the SPNs they had actually set up were for a local system account on the SSAS server and not the AD domain account as requested (I don't have the rights to check this as everything is totally locked down). Once this SPN was corrected it all magically worked.

    Thanks for your help.
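The root cause described above, SPNs registered on the wrong account, can be checked from saved `setspn -L` output. This is an added example, not code from the thread: it verifies that the hostname and FQDN SPNs for Analysis Services sit on the domain service account only. `MSOLAPSvc.3` is the Analysis Services SPN service class; the `svc_ssas` account, the `example.com` domain and the listing itself are constructed placeholders.

```python
import re

# Constructed `setspn -L` style output: the SPNs were registered on the
# computer account (used by Local System) instead of the service account.
BROKEN = """\
Registered ServicePrincipalNames for CN=AS,CN=Computers,DC=example,DC=com:
\tHOST/AS
\tHOST/as.example.com
\tMSOLAPSvc.3/AS
\tMSOLAPSvc.3/as.example.com
Registered ServicePrincipalNames for CN=svc_ssas,CN=Users,DC=example,DC=com:
"""

def parse_listings(text):
    """Map each SPN (lower-cased) to the set of account DNs holding it."""
    owners, account = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if header:
            account = header.group(1)
        elif line and account:
            owners.setdefault(line.lower(), set()).add(account)
    return owners

def check_ssas_spns(owners, service_account_dn, host, fqdn,
                    svc_class="MSOLAPSvc.3"):
    """Return problems with the hostname and FQDN SPNs for Analysis Services."""
    problems = []
    for name in (host, fqdn):
        spn = f"{svc_class}/{name}".lower()
        holders = owners.get(spn, set())
        if not holders:
            problems.append(f"{spn}: not registered")
        elif holders != {service_account_dn}:
            # Wrong account, or a duplicate on a second account.
            wrong = sorted(holders - {service_account_dn})
            problems.append(f"{spn}: registered on {', '.join(wrong)}")
    return problems

if __name__ == "__main__":
    svc = "CN=svc_ssas,CN=Users,DC=example,DC=com"
    for p in check_ssas_spns(parse_listings(BROKEN), svc, "AS", "as.example.com"):
        print(p)
```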
