Configuring Kerberos Authentication With Role Center Pages: Microsoft Dynamics AX 2009
This document describes how to configure Kerberos authentication so that reports created with Microsoft SQL Server Reporting Services and Microsoft SQL Server Analysis Services display in Microsoft Dynamics AX 2009 Role Center pages.
Table of Contents
Introduction
When Kerberos authentication is required
Sample topologies
Before you begin
Introduction
Microsoft Dynamics AX and the Enterprise Portal framework include customizable home pages called Role Centers. Role Centers provide an overview of information that pertains to a user's job function in the business or organization, including reports generated by SQL Server Reporting Services and SQL Server Analysis Services. This document describes how to configure Kerberos authentication for Role Center pages in Microsoft Dynamics AX 2009.
Sample topologies
The following topics on TechNet illustrate sample topologies. In the small-scale deployment topology, Kerberos authentication is not required because Enterprise Portal, Reporting Services, and Analysis Services are installed on the same server. Kerberos authentication is required in the large-scale deployment topologies because Enterprise Portal, Reporting Services, and Analysis Services are each installed on separate servers: Enterprise Portal must pass the signed-in user's identity on to the report server and the OLAP server, and only Kerberos delegation can forward that identity across the second network hop.
Small-scale deployment (Kerberos is not required.)
Large-scale deployment (Kerberos is required.)
Large-scale distributed deployment (Kerberos is required.)
Raise the domain functional level on a Windows Server 2003 domain controller
1. On the Windows domain controller, in Active Directory Users and Computers, click Raise Domain Functional Level.
2. Click Windows Server 2003, and then click Raise.
3. Click OK.
Raise the domain functional level on a Windows Server 2008 domain controller
1. To open the Active Directory Domains and Trusts snap-in, click Start > Administrative Tools > Active Directory Domains and Trusts.
2. In the console tree, right-click the domain for which you want to raise the functional level, and then click Raise Domain Functional Level.
3. Select a domain functional level.
Important: If SQL Server Reporting Services and SQL Server Analysis Services are installed on separate servers, you must select the Windows Server 2003 domain functional level. Additional configuration may be required when Reporting Services and Analysis Services are installed on separate servers. For more information, see the following Web page on CustomerSource: http://go.microsoft.com/fwlink/?LinkID=142421.
To raise the domain functional level to Windows Server 2003, click Windows Server 2003, and then click Raise.
To raise the domain functional level to Windows Server 2008, click Windows Server 2008, and then click Raise.
Verify that the Reporting Services virtual directories use Kerberos authentication
If you are using Reporting Services 2005, complete the following procedure. (If you are using Reporting Services 2008, you can skip this procedure.)
By default, the Report Server and Report Manager virtual directories are configured for Kerberos authentication. Use the following procedure to verify the authentication mode on these directories. This procedure also includes the commands to set Kerberos authentication for the virtual directories, if necessary. The Negotiate provider is what allows a client to use Kerberos; if a virtual directory lists only NTLM, Kerberos is never attempted for it. Complete the following procedure on the report server.
1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the left pane, click the Web Sites directory and locate the ReportServer and Reports virtual directories.
3. Locate the Identifier column and write down the identifier for each virtual directory.
4. Enter the following command in a command prompt and press Enter:
cd \inetpub\adminscripts
5. Use the following commands to determine whether Negotiate,NTLM (Kerberos) authentication is set for the ReportServer and Reports virtual directories. In each command, replace <identifier> with the identifier for the virtual directory.
cscript adsutil.vbs get w3svc/<identifier>/root/reportserver/NTAuthenticationProviders
cscript adsutil.vbs get w3svc/<identifier>/root/reports/NTAuthenticationProviders
6. If Negotiate,NTLM (Kerberos) authentication is not set, use the following commands to set it for each virtual directory (note that these commands use set, not get):
cscript adsutil.vbs set w3svc/<identifier>/root/reportserver/NTAuthenticationProviders "Negotiate,NTLM"
cscript adsutil.vbs set w3svc/<identifier>/root/reports/NTAuthenticationProviders "Negotiate,NTLM"
7. Enter the following command to reset IIS and press Enter:
iisreset
Configure a service principal name (SPN) for the Reporting Services account
A service principal name (SPN) is a unique identifier for a service. Every service that uses Kerberos authentication must have an SPN so that clients can identify the service on the network. On the report server, complete the following procedure to create an SPN.
The account the SPN must be configured for depends on whether you are using Reporting Services 2005 or Reporting Services 2008:
If you are using Reporting Services 2005, you must create an SPN for the account that is used as the identity of the AxReportServer application pool. In the recommended configuration, the AxReportServer application pool runs as the .NET Business Connector proxy account.
If you are using Reporting Services 2008, you must create an SPN for the Reporting Services Windows service account. In the recommended configuration, the Reporting Services service account runs as the .NET Business Connector proxy account.
To create an SPN, you must be a domain administrator. Use the Setspn.exe command-line tool, which is installed by default on computers running Windows Server 2008. If the server is running Windows Server 2003, you can get the tool by downloading Windows Server 2003 Service Pack 1 Support Tools.
1. Open a command prompt window.
2. At a command prompt, type the following command and press Enter:
Setspn.exe -A HTTP/<ServerName> <AccountName>
For this command, replace <ServerName> with the name of the report server, and replace <AccountName> with the domain\name used for the application pool identity or service account (depending on which version of Reporting Services you are using). For example, the following command uses a fictitious server called ReportingServices1 and a fictitious domain called contoso.
Setspn.exe -A HTTP/ReportingServices1 contoso\AccountName
3. Type the following command and press Enter:
Setspn.exe -A HTTP/<FQDNServerName> <AccountName>
For this command, replace <FQDNServerName> with the fully qualified domain name of the report server, and replace <AccountName> with the domain\name used for the application pool identity or service account (depending on which version of Reporting Services you are using). For example, the following command uses a fictitious server called ReportingServices1 and a fictitious domain called contoso.
Setspn.exe -A HTTP/ReportingServices1.contoso.corp.contoso.com contoso\AccountName
Configure a service principal name (SPN) for the SQL Server database engine account
If the Reporting Services database is not on the same server as the Reporting Services Windows service, you must create an SPN for the SQL Server database engine account. When creating the SPN, be sure to use the name of the server that hosts the Reporting Services database. Refer to Scenario 4 in Knowledge Base article 929650 for information about how to set up the SPN for the SQL Server database engine account.
Additionally, if the SQL Server is running in a clustered environment, see the following article on MSDN: How to: Enable Kerberos Authentication on a SQL Server Failover Cluster
8. Save your changes.
9. Locate the properties section for the Reports site. By default, this section begins at the following tag: <location path="Default Web Site/Reports">.
10. Repeat steps 6-8.
Configure a service principal name (SPN) for the Analysis Services account
Create a service principal name (SPN) for the Analysis Services Windows service account. An SPN is a unique identifier for a service. Every service that uses Kerberos authentication must have an SPN so that clients can identify the service on the network. On the OLAP server, complete the following procedure to create an SPN for the account that is used as the Analysis Services service account.
To create an SPN, you must be a domain administrator. Use the Setspn.exe command-line tool, which is installed by default on computers running Windows Server 2008. If the server is running Windows Server 2003, you can get the tool by downloading Windows Server 2003 Service Pack 1 Support Tools.
Important: If Analysis Services is running as a named instance, see Knowledge Base articles 917409 and 950599.
1. Open a command prompt window.
2. At a command prompt, type the following command and press Enter:
Setspn.exe -A MSOLAPSvc.3/<ServerName> <AccountName>
For this command, replace <ServerName> with the name of the OLAP server, and replace <AccountName> with the domain\name used for the Analysis Services service account. For example, the following command uses a fictitious server called AnalysisServices1 and a fictitious domain called contoso.
Setspn.exe -A MSOLAPSvc.3/AnalysisServices1 contoso\AccountName
3. Type the following command and press Enter:
Setspn.exe -A MSOLAPSvc.3/<FQDNServerName> <AccountName>
For this command, replace <FQDNServerName> with the fully qualified domain name of the OLAP server, and replace <AccountName> with the domain\name used for the Analysis Services service account. For example, the following command uses a fictitious server called AnalysisServices1 and a fictitious domain called contoso.
Setspn.exe -A MSOLAPSvc.3/AnalysisServices1.contoso.corp.contoso.com contoso\AccountName
7. In the Select Users, Computers, or Groups dialog box, enter the domain user account that you specified as the IIS application pool service account, click Check Names, and then click OK.
8. In the Permissions for <UserName> list, select the Allow check box that is next to Local Activation, and then click OK.
Configure a service principal name (SPN) for the Enterprise Portal application pool identity account
A service principal name (SPN) is a unique identifier for a service. Every service that uses Kerberos authentication must have an SPN so that clients can identify the service on the network. (In this context, a service is a program or application that uses credentials to communicate across a network.) On the Enterprise Portal server, complete the following procedure to create an SPN for the account that is used as the application pool identity of the Enterprise Portal Web site. In the recommended configuration, the Enterprise Portal application pool runs as the .NET Business Connector proxy account.
To create an SPN, you must be a domain administrator. Use the Setspn.exe command-line tool, which is installed by default on computers running Windows Server 2008. If the server is running Windows Server 2003, you can get the tool by downloading Windows Server 2003 Service Pack 1 Support Tools.
1. Open a command prompt window.
2. At a command prompt, type the following command and press Enter:
Setspn.exe -A HTTP/<ServerName> <AccountName>
For this command, replace <ServerName> with the name of the Enterprise Portal server, and replace <AccountName> with the domain\name used for the application pool identity. For example, the following command uses a fictitious server called EnterprisePortal1 and a fictitious domain called contoso.
Setspn.exe -A HTTP/EnterprisePortal1 contoso\AccountName
3. Type the following command and press Enter:
Setspn.exe -A HTTP/<FQDNServerName> <AccountName>
For this command, replace <FQDNServerName> with the fully qualified domain name of the Enterprise Portal server, and replace <AccountName> with the domain\name used for the application pool identity. For example, the following command uses a fictitious server called EnterprisePortal1 and a fictitious domain called contoso.
Setspn.exe -A HTTP/EnterprisePortal1.contoso.corp.contoso.com contoso\AccountName
4. Repeat this procedure for each Enterprise Portal server.
Configure a service principal name (SPN) for the .NET Business Connector proxy account
Configure a service principal name (SPN) for the .NET Business Connector proxy account. An SPN is a unique identifier for a service. Every service that uses Kerberos authentication must have an SPN so that clients can identify the service on the network. (In this context, a service is a program or application that uses credentials to communicate across a network.)
On each server where the .NET Business Connector is installed, complete the following procedure to create an SPN for the .NET Business Connector proxy account.
Important: If application pools or other services on the server run as the .NET Business Connector proxy account, and you have already set up an SPN for that account, you do not need to set up an additional SPN.
To create an SPN, you must be a domain administrator. Use the Setspn.exe command-line tool, which is installed by default on computers running Windows Server 2008. If the server is running Windows Server 2003, you can get the tool by downloading Windows Server 2003 Service Pack 1 Support Tools.
1. Open a command prompt window.
2. At a command prompt, type the following command and press Enter:
Setspn.exe -A HTTP/<ServerName> <AccountName>
For this command, replace <ServerName> with the name of the server, and replace <AccountName> with the domain\name of the .NET Business Connector proxy account. For example, the following command uses a fictitious server called Server1 and a fictitious domain called contoso.
Setspn.exe -A HTTP/Server1 contoso\AccountName
3. Type the following command and press Enter:
Setspn.exe -A HTTP/<FQDNServerName> <AccountName>
For this command, replace <FQDNServerName> with the fully qualified domain name of the server, and replace <AccountName> with the domain\name of the .NET Business Connector proxy account. For example, the following command uses a fictitious server called Server1 and a fictitious domain called contoso.
Setspn.exe -A HTTP/Server1.contoso.corp.contoso.com contoso\AccountName
4. Repeat this procedure on each server where the .NET Business Connector is installed.
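The four SPN procedures above (Reporting Services, Analysis Services, Enterprise Portal and the .NET Business Connector proxy account) each register a short-name and an FQDN SPN. The following checker is an added example and not part of the Microsoft document: given saved `setspn.exe -L <account>` output for each account, it lists the Setspn.exe -A commands still missing and flags any SPN registered on more than one account, because an ambiguous SPN causes Kerberos ticket requests for that service to fail and clients then fall back to NTLM, which breaks the Role Center reports. Server names, account names and the DNS suffix are constructed placeholders in the document's contoso style.

```python
DOMAIN_SUFFIX = "contoso.corp.contoso.com"   # assumed DNS suffix of the servers
# (service class, host, account) for each procedure above; all names constructed.
SERVICES = [
    ("HTTP", "ReportingServices1", r"contoso\AxBcProxy"),   # Reporting Services
    ("HTTP", "EnterprisePortal1", r"contoso\AxBcProxy"),    # Enterprise Portal
    ("MSOLAPSvc.3", "AnalysisServices1", r"contoso\SsasSvc"),  # Analysis Services
]

def expected_spns(services=SERVICES, suffix=DOMAIN_SUFFIX):
    """account -> [SPNs]: every service needs the short and the FQDN form."""
    out = {}
    for svc_class, host, account in services:
        out.setdefault(account, []).extend(
            [f"{svc_class}/{host}", f"{svc_class}/{host}.{suffix}"])
    return out

def parse_setspn_l(text):
    """SPNs from one `setspn -L` listing: the indented lines after the
    'Registered ServicePrincipalNames for CN=...' header, lower-cased."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("Registered ")}

def check_spns(listings, services=SERVICES, suffix=DOMAIN_SUFFIX):
    """listings: account -> its setspn -L output. Returns the Setspn.exe -A
    commands still needed and the SPNs registered on more than one account."""
    registered = {acct: parse_setspn_l(txt) for acct, txt in listings.items()}
    fixes = [f"Setspn.exe -A {spn} {acct}"
             for acct, wanted in expected_spns(services, suffix).items()
             for spn in wanted if spn.lower() not in registered.get(acct, set())]
    duplicates = sorted({spn for a, s in registered.items() for spn in s
                         if any(spn in t for b, t in registered.items() if b != a)})
    return fixes, duplicates

# Constructed sample: the proxy account lacks the FQDN SPN for Enterprise Portal,
# and HTTP/ReportingServices1 was also left on the Analysis Services account.
SAMPLE = {
    r"contoso\AxBcProxy": "Registered ServicePrincipalNames for CN=AxBcProxy,CN=Users,DC=contoso,DC=com:\n"
                          "\tHTTP/ReportingServices1\n"
                          "\tHTTP/ReportingServices1.contoso.corp.contoso.com\n"
                          "\tHTTP/EnterprisePortal1\n",
    r"contoso\SsasSvc": "Registered ServicePrincipalNames for CN=SsasSvc,CN=Users,DC=contoso,DC=com:\n"
                        "\tMSOLAPSvc.3/AnalysisServices1\n"
                        "\tMSOLAPSvc.3/AnalysisServices1.contoso.corp.contoso.com\n"
                        "\tHTTP/ReportingServices1\n",
}

if __name__ == "__main__":
    fixes, dups = check_spns(SAMPLE)
    print("\n".join(fixes) or "all expected SPNs are registered")
    print("SPNs registered on more than one account:", dups)
```

Run it against real output by replacing SAMPLE with the text each `setspn.exe -L contoso\<account>` command prints, and apply only the Setspn.exe -A lines it reports.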
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, this document should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft Dynamics Logo, Microsoft Dynamics, SharePoint, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.