Friday, March 9, 2012

Kerberos delegation in extranet scenario

Anyone gotten Kerberos delegation working in an extranet scenario?

We've followed the instructions outlined here:

http://support.microsoft.com/default.aspx/kb/917409

http://www.mosha.com/msolap/articles/kerberos_delegation.htm

Kerberos delegation is working as long as the user's browser has the website in the Intranet Zone (so that it automatically logs them on). If the website is not in the Intranet Zone, it prompts them to type in their Active Directory credentials; they're able to connect to the website fine once they've entered their credentials, but then Kerberos delegation doesn't succeed.

I don't want to get into detail in troubleshooting Kerberos tickets in this forum. Just wondering if anybody else has run across this problem and found a fix/workaround.

For internal users, we can ensure the website is in the Intranet Zone. This won't work for external users (a) because they have logged onto their laptop with credentials from a different domain and (b) we can't control their IE browser settings.

Hello! If you are talking about reports built on top of SSAS2005, this issue can be related to NTFS (file system) issues.

If you build a report in a client tool and save it to disk, you will have prompts for user credentials for outsiders.

If you build a report with a HTTP connection to SSAS2005 with a third party tool it can work.

Kerberos is for authenticating users between two servers?

Regards

Thomas Ivarsson

|||

Thomas-

Kerberos delegation is needed so that we can put SSAS on a separate server from our web server. There will be several web servers: one for SSRS and one for PerformancePoint. Both web servers need to support passing the authenticated user's credentials all the way through to the cube (so that cube security will work as designed).

The testing we've done thus far is with SSRS as the web server and a report that hits the cube using the authenticated user's credentials. That's the scenario I described above where we're seeing the Intranet Zone thing.

Can you elaborate on the NTFS file system issues or provide a link?

Users don't need to connect directly to SSAS (just through SSRS or PP), so I'm thinking we don't need to turn on HTTP connectivity for SSAS. But if that helps work around Kerberos restrictions or something, let me know.

Thanks for the reply.

|||

Furmangg:

I have read your post once again:

All external users have an account in AD?

Quote:

"This won't work for external users (a) because they have logged onto their laptop with credentials from a different domain and (b) we can't control their IE browser settings"

It is about IE settings? You have a setting like "Allow database connections across domains" . This is disabled in IE7.

HTH

Thomas Ivarsson

|||

Thomas-

Yes, external users will have an account in our company's AD in this particular deployment. But they don't sign into their laptop with our company's AD... they sign into their laptop under their company's AD... then when they pull up our extranet, they're prompted to login as someone in our company's AD. And that, from what I've read, won't allow Kerberos.

As for the "Allow database connections across domains" setting in IE, I don't think that applies. We're talking about thin-client web apps. If I understood that setting correctly, it's for thicker client web apps which are doing fancy stuff like databinding inside the webpage with ActiveX or something: http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/secopt.mspx?mfr=true

|||

I got some help from a number of smart people and the following two options look promising:

1. ISA 2006

http://www.microsoft.com/technet/isa/2006/authentication.mspx

2. Protocol Transition

http://justpickanything.adopenstatic.com/cs/blogs/ken/archive/2007/07/18/8460.aspx

Just wanted to give everyone an update.
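The "Protocol Transition" option above is what addresses the symptom in the first post: a user who is prompted for credentials (because the site is outside the Intranet Zone, or because their laptop is joined to a different domain and cannot reach the extranet's KDC) typically ends up authenticating to the web server with NTLM, so the web server never holds a forwardable Kerberos ticket it could delegate to SSAS. With constrained delegation plus protocol transition, the web server's service account is allowed to obtain a Kerberos service ticket for the SSAS SPN on the user's behalf (S4U2Self followed by S4U2Proxy) even though the user did not arrive with a Kerberos ticket. The following PowerShell is an added example, not part of the thread or of any Microsoft article linked above; it assumes the ActiveDirectory RSAT module on a domain-joined admin workstation, and the account and host names (svc-ssrs, ssrs01.corp.example.com, ssas01.corp.example.com) are hypothetical placeholders.

```powershell
# Added example (not from the original thread). Assumed, hypothetical names:
#   SSRS app-pool / service account : CORP\svc-ssrs
#   SSRS web server                 : ssrs01.corp.example.com
#   SSAS server (default instance)  : ssas01.corp.example.com
Import-Module ActiveDirectory

$webAccount = 'svc-ssrs'
$webHost    = 'ssrs01.corp.example.com'
# SSAS registers MSOLAPSvc.3/<host> for the default instance
# (MSOLAPSvc.3/<host>:<instance> for a named instance).
$backendSpn = 'MSOLAPSvc.3/ssas01.corp.example.com'

# 1. The front end can only be issued a Kerberos ticket if its HTTP SPN is
#    registered on the account that runs the app pool. A missing SPN means
#    NTLM fallback; a duplicated SPN breaks Kerberos for that host entirely.
$spns = @("HTTP/$webHost", "HTTP/$($webHost.Split('.')[0])")
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    if ($owners.Count -eq 0) {
        Write-Warning "SPN $spn is not registered on any account"
    } elseif ($owners.Count -gt 1) {
        Write-Warning "SPN $spn is duplicated: $($owners.Name -join ', ')"
    } elseif ($owners[0].Name -ne $webAccount) {
        Write-Warning "SPN $spn belongs to $($owners[0].Name), not $webAccount"
    }
}

# 2. Constrained delegation: the web account may request tickets on behalf of
#    users *only* for the SSAS SPN (msDS-AllowedToDelegateTo), never for
#    arbitrary services as unconstrained delegation would allow.
Set-ADUser -Identity $webAccount -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }

# 3. Protocol transition ("Use any authentication protocol" in ADUC). This sets
#    the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl and lets the
#    web server use S4U2Self to obtain a ticket for a user who authenticated
#    with NTLM or a credential prompt instead of presenting a Kerberos ticket.
Set-ADAccountControl -Identity $webAccount -TrustedToAuthForDelegation $true

# 4. Verify the resulting configuration on the service account.
Get-ADUser -Identity $webAccount -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

Caveat a practitioner should weigh: enabling protocol transition means the web server's service account can impersonate any domain user to the SSAS SPN without that user ever presenting credentials to the KDC. Compromise of the SSRS or PerformancePoint box then equals compromise of every user's cube access, so keep the delegation list constrained to the SSAS SPN only, run the app pool under a dedicated low-privilege account, and treat those web servers as high-value targets when scoping the extranet.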
