Pyramid Analytics
Installation Guide
Version 4.6
Copyright Pyramid Analytics 2010-2012
2 Pyramid Analytics| Version 4.6 Installation Guide
A Quick Guide and Overview for Installing Pyramid Analytics
- Start by checking that your server has all the prerequisite operating system and software requirements
- Assemble all the credentials and system information needed to install the application
  o SQL Server details and login credentials
  o Active Directory and Domain detail and a domain account with enhanced privileges
  o SQL Server Analysis Services details
  o Web URL details
- Install the main application from the media as an Administrator
- Run the configuration wizard to complete the installation
  o Pyramid Application License Key
- Launch the administrative console and run the quick start wizard
  o Enter initial client licensing key, users and roles
Minimum Server Hardware Requirements

                    Minimum        Recommended
Windows OS          32-bit         64-bit
Windows Server      2008           2008 R2 / 2012
Cores               4              4
Memory (GB)         4              8
Disk (MB)           150            150
Contents

1. Installation
   A. Server & System Prerequisites
   B. Basic Install
   C. Configuration Wizard
   D. Post Configuration Steps
      i. Firewalls
      ii. Security Setup
      iii. Testing Communications: Diagnostics
2. Administration
   A. Setting-up Licenses, Users and Roles
3. Client
4. Troubleshooting Guide
5. Appendix
   A. SQL Server Settings
   B. Distributed Transaction Coordinator Settings
   C. Web Application Settings and Customizations
      i. Web Site Deployment Options
      ii. Using an SSL certificate and HTTPS
   D. Web Authentication Models
      i. Basic Authentication Models
      ii. Windows Authentication Models
      iii. Forms Authentication Models
   E. "Log-on-Locally" Impersonation Setup
      i. Local OS setup
      ii. Active Directory setup
   F. Kerberos Delegation Setup
      i. Introduction
      ii. Other Documentation & Tools
      iii. Overview
      iv. Prerequisites
      v. Configuration Steps: Delegation and SPNs
      vi. Client Configuration
      vii. Testing Your Configuration
      viii. Troubleshooting
   G. Constrained Delegation
      i. Constrained Vs. Full: Overview
      ii. Pyramid Multi Servers Architecture
      iii. Configurations from Domain Controller
      iv. Summary
   H. Windows 8 & Windows Server 2012
   I. Performance Load Balancing Options
1. Installation
A. Server & System Prerequisites
1. The Pyramid application consists of 3 installed components: the web client application, the router server and the application server. All three can be installed on a single machine or on separate machines with these operating systems:
i. Web Server: windows 2003, 2008, 2008 R2 or 2012 (32 or 64 bit)
ii. Router Server: windows 2008, 2008 R2 or 2012 (32 or 64 bit)
iii. Application Server: windows 2008, 2008 R2 or 2012 (32 or 64 bit)
For each OS type ensure that:
o User Account Control is turned off and that the installing user has FULL, TRUSTED ADMINISTRATIVE RIGHTS on the server(s). Disabling UAC removes a host hardening control; treat it as an installation-time requirement and limit who can log on to the server while it is off.
o IIS 7 is installed (with Windows and Basic authentication)
Only the web client application is supported on Windows 2003 R2 x86. The router and application servers MUST be installed on a Windows 2008/2012 server. For Windows 2003 ensure:
o The installing user installs the software as an Administrator with FULL, TRUSTED ADMINISTRATIVE RIGHTS on the server(s).
o IIS 6 is installed (with Windows and Basic authentication)
2. On all Operating Systems:
o Microsoft Distributed Transaction Coordinator is installed and running
o Multi-server deployments must be within an Active Directory framework (2003 / 2008 / 2012). In this scenario, ensure the server is ALREADY part of the domain.
o Kerberos and Service Principal Names (SPNs) need to be enabled and established in a multi-server deployment, except for Basic and Forms Authentication deployments where administrators choose to give end users "log-on-locally" rights.
3. SQL Server 2008/2012 is installed and running on the machine hosting the Content Store Database.
o You will need SQL Server authentication credentials with full ADMIN rights on the content store database (see the appendix of this document for more details).
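The prerequisites above can be verified before the installer is launched. The following PowerShell script is an added example written for this guide, not vendor code: it reads the OS, UAC, IIS, .NET, MSDTC and domain state of the local server and reports each prerequisite as pass or fail. It assumes an elevated session, the registry location IIS 7 uses to record installed modules (InetStp\Components) and the MSDTC security key; the MSDTC "remote clients" value it checks is the setting described in appendix B.

```powershell
# Added example (not vendor code): pre-install prerequisite check for a Pyramid 4.6 server.
# Assumptions: run in an elevated PowerShell session on the target server; IIS 7 records installed modules
# under HKLM\SOFTWARE\Microsoft\InetStp\Components and MSDTC keeps its network settings under
# HKLM\SOFTWARE\Microsoft\MSDTC\Security.
$results = New-Object System.Collections.ArrayList

function Add-Check($name, $ok, $detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $name; Pass = [bool]$ok; Detail = [string]$detail }))
}

# 1. Operating system, architecture, cores and memory against the hardware table
$os    = Get-WmiObject Win32_OperatingSystem
$cs    = Get-WmiObject Win32_ComputerSystem
$memGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check 'OS is Windows Server 2008 / 2008 R2 / 2012' ($os.Caption -match 'Server 2008|Server 2012') "$($os.Caption) $($os.OSArchitecture)"
Add-Check 'At least 4 cores'                            ($cs.NumberOfLogicalProcessors -ge 4) "$($cs.NumberOfLogicalProcessors) logical processors"
Add-Check 'At least 4 GB RAM (8 GB recommended)'        ($memGb -ge 4) "$memGb GB"

# 2. UAC must be off for the install (EnableLUA = 0); re-evaluate this hardening trade-off once installed
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
Add-Check 'UAC disabled for the install' ($lua -eq 0) "EnableLUA = $lua"

# 3. The installing user is a local Administrator
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
Add-Check 'Running as local Administrator' ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) $identity.Name

# 4. IIS 7 with the Windows and Basic authentication modules
$iis  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$mods = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp\Components' -ErrorAction SilentlyContinue
Add-Check 'IIS 7.x installed'                 ($iis -and $iis.MajorVersion -ge 7) "IIS $($iis.MajorVersion).$($iis.MinorVersion)"
Add-Check 'IIS Basic Authentication module'   ($mods -and $mods.BasicAuthentication -eq 1) ''
Add-Check 'IIS Windows Authentication module' ($mods -and $mods.WindowsAuthentication -eq 1) ''

# 5. .NET Framework 4.0 (the installer adds it if missing, but that may force a reboot mid-install)
$net4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
Add-Check '.NET Framework 4.0 installed' ($net4 -and $net4.Install -eq 1) "Version $($net4.Version)"

# 6. MSDTC running and configured for network access with remote clients (appendix B)
$dtc    = Get-Service MSDTC -ErrorAction SilentlyContinue
$dtcSec = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security' -ErrorAction SilentlyContinue
Add-Check 'MSDTC service running' ($dtc -and $dtc.Status -eq 'Running') "Status: $($dtc.Status)"
Add-Check 'MSDTC network access + remote clients allowed' ($dtcSec -and $dtcSec.NetworkDtcAccess -eq 1 -and $dtcSec.NetworkDtcAccessClients -eq 1) "NetworkDtcAccess=$($dtcSec.NetworkDtcAccess) NetworkDtcAccessClients=$($dtcSec.NetworkDtcAccessClients)"

# 7. Domain membership (mandatory for multi-server deployments)
Add-Check 'Server is joined to an AD domain' $cs.PartOfDomain $cs.Domain

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites failed; fix these before launching the installer.'
}
```

Run it on each server that will host a component; on a router-only or application-only server the IIS rows can be ignored.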
B. Basic Install
1. Launch the ISO on the target server as an ADMINISTRATOR. Before installing ensure that the installation user has full administrative access to the server and that User Account Control has been turned completely off.
2. The Pyramid BIO application requires the Microsoft .NET 4.0 Framework. The installer will automatically install this component before continuing. It may require a server reboot once installed before the application installation can continue.
3. Provide a domain user name and password if the application is going to be installed in an Active Directory framework.
4. Provide the database details for the content store.
5. Install the package:
a. Choose COMPLETE to install all 3 components (‘web’, ‘router’ and ‘application’) to a single server (2008/2012 only)
b. Choose CUSTOM to install one or more components on separate servers.
6. After installation, run the Configuration Wizard from the last step in the installer. This is a CRUCIAL process that must be
completed before launching the application (see next section).
7. Once configured, users launch the administrative console and complete the QUICK START wizard to set up licenses and users.
Note: Before users can log into a cube, ensure that either:
a. SPNs have been setup correctly for a multi-server deployment
i. See the Kerberos set-up step in the appendix of this document.
b. Or, the “log-on-locally” access rights have been granted for the alternative Basic and Forms Authentication deployments
i. See the Impersonation set-up step in the appendix of this document.
C. Configuration Wizard
NOTE: Some steps may not be presented depending on which components have been installed on a particular server.
1. Database confirmation: enter all the details of the database into this panel. You cannot continue unless all of the information is correct. The user ID must be a SQL Server user ID. This step is skipped if SQL authentication was used during installation.
2. Application License: enter the application license provided by Pyramid. Also mark off whether you will allow the system to auto-
submit errors to Pyramid’s central database. The auto-error logging feature does NOT capture user details, data or queries.
3. Master Account Setup: Enter a username and password for the application “master” account. These credentials will provide
access to the administrative console for configuring the application.
4. Active Directory: Provide the details of the operating system security framework being deployed. Using an Active Directory (2003
/ 2008 / 2012) is highly recommended (and required for multi-server deployments). Please see the appendix on Local OS and
Active Directory Impersonation Setup required for the application.
a. For Active Directories:
i. Provide the LDAP address for the root node of the AD in the form: “LDAP://dc=xx,dc=yy,dc=zz” where the AD
root node is xx.yy.zz. Click the “RESET” button to auto-generate this address
b. For Local OS Security:
i. Provide the WinNT address for the machine in the form: "WinNT://machine-name" (note that "WinNT" is case sensitive). Click the "RESET" button to auto-generate this address
c. For both security frameworks provide the domain name.
i. If this application is using local OS security, the domain is typically the machine name.
ii. If the application is using AD security, this is the first part of the AD root node: “xx” in “xx.yy.zz”.
d. Installers must indicate whether the installation is a multi-server installation.
e. When the installation does NOT detect an installed web component, you are also prompted to indicate what type of web
authentication model will be used: Basic, Forms or Windows Authentication. If Basic or Forms are chosen, administrators
can elect whether “Kerberos” or “Log-on-Locally” rights will be given to end users.
5. Datasources: The configuration wizard allows you to provide up to 3 different OLAP data-sources (you can add more in the
administrative console). Enter the name of the OLAP servers and their IP addresses. Instance names are optional.
a. These OLAP servers must be within the SAME security framework as entered in step 4 above (i.e. they should all belong to the same Active Directory as the server hosting the application). It is strongly recommended that you enter at least one SSAS/OLAP server at this point.
6. Application Server: Provide the name, IP address and port number (see the note on ports at the end of this list) of the server hosting the application server. The default is the current machine's registered name and its first IPv4 address.
a. Provide the SPN if using a multi-server deployment (see instructions for SPNs).
7. Router Server: Provide the name, IP address and port number (see the note on ports at the end of this list) of the server hosting the router server. The default is the current machine's registered name and its first IPv4 address.
a. Provide the SPN if using a multi-server deployment (see instructions for SPNs).
8. Web Server: Provide the name and IP address of the server hosting the web application. The default is the current machine's registered name and its first IPv4 address. You must also provide the web site name that will be hosting the application. This will match the web URL you provided during the installation process.
a. Indicate whether you are going to use an SSL certificate for the web application. (See instructions in the appendix for deploying the site under HTTPS).
b. Indicate whether you want the configuration wizard to make entries in your local HOSTS file to temporarily enable browsing of the site URL while your permanent DNS settings are configured.
c. For forms authentication, indicate if you are using direct forms or federated forms. For federated forms, you must provide the web domain name for the overall site and the default login page address for redirects when auto-login fails.
9. ProClarity Analytics Server: Provide the details for the PAS 6.3 SQL Database content store for legacy content support. This
includes the SQL Server machine name, database name and a SQL Server user ID with the credentials to read from that database.
10. Click FINISH to commit your changes.
Note on ports (steps 6 and 7): port numbers should reflect ports that are open and available BETWEEN servers in a multi-server deployment.
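The Active Directory / Local OS inputs of step 4 can be derived from the server itself rather than typed from memory. The following PowerShell function is an added example for this guide, not vendor code: it builds the LDAP root path from the machine's DNS domain (or the WinNT path from the machine name), extracts the domain-name value the wizard asks for, and binds to the root node so that a mistyped or unreachable path is caught before the wizard is run. It assumes it is executed on the server being configured.

```powershell
# Added example (not vendor code): derive and sanity-check the security-framework inputs for wizard step 4.
# Assumption: runs on the server being configured; everything is read from the machine, nothing is typed in.
function Get-PyramidSecurityInputs {
    $cs = Get-WmiObject Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        # "xx.yy.zz" becomes "LDAP://dc=xx,dc=yy,dc=zz"; the wizard's domain-name field takes the first label, "xx"
        $labels    = $cs.Domain.Split('.')
        $path      = 'LDAP://' + (($labels | ForEach-Object { "dc=$_" }) -join ',')
        $domain    = $labels[0]
        $framework = 'Active Directory'
    } else {
        # Local OS security: the WinNT provider name is case sensitive, and the "domain" is the machine name
        $path      = "WinNT://$($cs.Name)"
        $domain    = $cs.Name
        $framework = 'Local OS'
    }
    # Bind to the root node; a failed bind means the path would not work in the wizard either
    $bound = $null; $err = $null
    try {
        $root = [ADSI]$path
        $root.RefreshCache()   # forces the bind now, so a bad path throws here instead of later
        $bound = if ($cs.PartOfDomain) { [string]$root.distinguishedName } else { [string]$root.Name }
    } catch { $err = $_.Exception.Message }
    New-Object PSObject -Property @{
        Framework          = $framework
        ProviderPath       = $path
        DomainName         = $domain
        BindSucceeded      = [bool]$bound
        BoundObject        = $bound
        BindError          = $err
        MultiServerAllowed = [bool]$cs.PartOfDomain   # multi-server deployments require Active Directory
    }
}
Get-PyramidSecurityInputs | Format-List Framework, ProviderPath, DomainName, BindSucceeded, BoundObject, BindError, MultiServerAllowed
```

ProviderPath and DomainName are the values to enter in steps 4.a/4.b and 4.c; if BindSucceeded is false, fix name resolution or domain membership before continuing, because the wizard's RESET button generates the same path.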
Where installed, the configuration wizard will then start up the Pyramid Application and Router Services.
To check that the application and router servers have been launched successfully:
o Open up the Windows Event Viewer, under Administrative Tools.
o Open the Applications and Services Logs, and click on the "Pyramid" catalog.
o Logged events should show that both the application and router servers have started successfully.
See the troubleshooting guide if services do not start.

D. Post Configuration Steps
Before attempting to login and start administering the application, administrators may need to complete the following steps.
i. Firewalls
In a multi-server deployment for both Basic and Windows authentication systems, administrators MUST ensure that the ports between the different servers are OPEN for both the Router and Application Servers (the port numbers entered in C.6 and C.7 above). In Windows Server 2008, the "Domain" firewall profile is typically the only Windows Firewall profile that needs to have these ports opened. However, administrators may need to tailor this to their own environments and conditions.
ii. Security Setup
Service Principal Names (SPNs)
In a multi-server deployment the configurator will ATTEMPT to create and add SPNs on the relevant servers. Administrators should manually check that this process completed successfully and set up all the server delegations for Kerberos and the SPNs if not. Details on this can be found in the appendix.
Log-on-Locally Access
For deployments where administrators have elected to grant "log-on-locally" rights and use Basic or Forms authentication, administrators MUST allow end users the right to "Log on locally" to the host servers through the Active Directory GPO settings, to ensure users can be authenticated for secure access. This right permits interactive logon to those servers, so grant it to a dedicated group of Pyramid users rather than to a broad group such as Domain Users. Details can be found in the appendix.
iii. Testing Communications: Diagnostics
An optional system tester is provided to ensure that the communication layer of the application is operating as expected. Administrators can use this tool if they have trouble logging into the application. This can be found at the URL "http://pyramidBIO.mysite.com/admin/diagnostics.aspx", where pyramidBIO.mysite.com is the host URL name you provided during installation.
The “ping” test will show if the application can open a basic communication channel from the web application, through the router and on
to the application server.
The separate “Kerberos” test is useful for Kerberos delegation and SPN testing.
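The post-configuration checks in D.i to D.iii (services started, ports open between servers, SPNs present, "log on locally" applied, diagnostics page answering) can be scripted. The following PowerShell is an added example for this guide, not vendor code. The host names, ports, service account and site URL are placeholders to replace with the values entered in the wizard; the script also assumes the Windows event log is named "Pyramid" as the text describes, and that it runs in an elevated session on the web server.

```powershell
# Added example (not vendor code): post-configuration checks for section D, run on the web server.
# Assumptions, all placeholders to replace: the router/application host names and ports from wizard steps
# 6 and 7, the service account supplied to the installer, the host URL from the install, and an event log
# named "Pyramid" as the text describes. Needs an elevated session on a domain-joined server.
$RouterHost     = 'router01.corp.example'   # assumed
$RouterPort     = 9090                       # assumed: the port entered in C.7
$AppHost        = 'app01.corp.example'       # assumed
$AppPort        = 9091                       # assumed: the port entered in C.6
$ServiceAccount = 'CORP\svc-pyramid'         # assumed: domain account given to the installer
$SiteUrl        = 'http://pyramidBIO.mysite.com'

# 1. Did the application and router services start? (Event Viewer > Applications and Services Logs > Pyramid)
$events = Get-WinEvent -LogName 'Pyramid' -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, LevelDisplayName, Message | Format-Table -AutoSize -Wrap }
else { Write-Warning 'No events in the Pyramid log: check that the services were installed and started on this server.' }

# 2. Are the router and application ports open BETWEEN servers (firewall, D.i)? 3 s connect timeout.
function Test-Port($computer, $port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($computer, $port, $null, $null)
        $async.AsyncWaitHandle.WaitOne(3000, $false) -and $client.Connected
    } catch { $false } finally { $client.Close() }
}
"Router      $RouterHost`:$RouterPort reachable: $(Test-Port $RouterHost $RouterPort)"
"Application $AppHost`:$AppPort reachable: $(Test-Port $AppHost $AppPort)"

# 3. Did the configurator register SPNs on the service account (D.ii)? setspn ships with Windows Server 2008+.
$spns = & setspn.exe -L $ServiceAccount 2>&1 | Where-Object { $_ -match '/' }
if ($spns) { $spns | ForEach-Object { "SPN on $ServiceAccount`: $($_.ToString().Trim())" } }
else { Write-Warning "No SPNs registered for $ServiceAccount; register them as described in the Kerberos appendix." }

# 4. Who currently holds "Log on locally" here (the applied policy, not just what the GPO says)?
$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' } | ForEach-Object { "Log on locally: $_" }
Remove-Item $inf -ErrorAction SilentlyContinue

# 5. Does the diagnostics page answer (D.iii)? Uses the caller's Windows credentials; for a Basic-auth site
#    set $wc.Credentials to a System.Net.NetworkCredential instead.
$wc = New-Object System.Net.WebClient
$wc.UseDefaultCredentials = $true
try { [void]$wc.DownloadString("$SiteUrl/admin/diagnostics.aspx"); "Diagnostics page reachable: $SiteUrl/admin/diagnostics.aspx" }
catch { Write-Warning "Diagnostics page request failed: $($_.Exception.Message)" }
```

The SeInteractiveLogonRight line lists SIDs and account names; the group you granted through the GPO should appear there on every host server before users are told to log in.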
2. Administration
A. Setting-up Licenses, Users and Roles
Open up a browser and browse to the administrative console on the web server through the URL "http://pyramidBIO.mysite.com/admin/", where pyramidBIO.mysite.com is the host URL name you provided during installation.
Login with the master account credentials entered in the configuration wizard as per above.
Once logged into the administrative console, either launch the Quick Start Wizard by clicking on the large RED button on the Settings tab in the console, or complete the following manual steps, before attempting to access the client.
This manual process involves the administrator entering user licenses; creating users and roles; and applying access roles to data-source
servers.
1. Client Licenses: Go to the Client Licenses tab and add new client license packs provided by Pyramid.
2. Users: Go to the Users tab and Add a New User
a. Provide the user’s domain (this may be different to the default domain used for the application itself).
b. Type in a search key to lookup users from the security framework (Local OS or Active Directory). Select the desired user
and click next.
c. Select which license type this user will be deployed under.
3. Roles: Go to the Roles tab and Add a New Role
a. Provide a role name
b. Next, optionally attach existing application users to this role.
i. Users listed are those already added to the application in the previous step above.
c. Next, optionally attach security groups to this role.
i. Security groups are read from the Active Directory.
d. Click Finish. (Note that the Finish button is disabled UNLESS at least one user, at least one group, or both users and groups are selected).
4. Servers: Go to the Servers tab. Click the ROLES button next to each Data-Sources Server listed to assign role access to each data
source server.
a. Lookup existing roles in the system (from the previous step) and assign or un-assign to the data source as needed. (Note
that this is an application layer functional access control. The user must still have data access rights to the SSAS OLAP
server, underlying databases and cubes. These are typically set in the Analysis Services instance itself).
3. Client
Open up a browser and browse to the URL http://pyramidBIO.mysite.com/
Log into the application using credentials for users licensed in the system as per the previous step above.
You can log in as the professional/administrative user added in the above steps.
As a professional user type, open a cube from the data-sources content section. If you cannot see a data-source (cube server)
check the troubleshooting guide.
Client Browsers Supported
With Silverlight 5, the number and type of browsers supported has changed:

Browser                      Windows    Mac
Internet Explorer 7 and later  Yes      NA
FireFox 3.6 and later          Yes      Yes
Safari 4 and later             *        Yes
Chrome                         Yes      **
Recommended Browser            IE 9     Safari 5.x

*Safari has not been certified by Microsoft to work reliably on Windows.
**Chrome has not been certified by Microsoft to work reliably on Mac OS X.
If deploying a Windows Authentication web application, note that the Safari and Chrome browsers do NOT support Integrated Windows
Authentication (see Client Configurations for more)
SilverLight Isolated Storage - FireFox
All browsers support the isolated storage functionality of SilverLight – required for the application. However, FireFox needs to have certain
settings changed before supporting this feature.
From the FireFox browser, go to Tools; Options; Privacy Tab. The user should choose ‘Remember History’. Without this isolated storage will
NOT work.
Figure 1
4. Troubleshooting Guide

Issue: The cube server is not available in the client
Resolution:
o Server Address: the data sources are addressed through their server names and then their IP addresses. In a volatile DNS and DHCP environment (with virtual machines for example), these IP addresses can get mixed up. Ensure that the server's IP address in the admin console ACCURATELY reflects the machine's actual IP address.
o Data Security: Access to the cube server is driven through 2 "gateways": the first is the Pyramid administrative layer; the second is cube access as determined by SSAS cube role security. See the administrative help for the former; check the SSAS security roles for the latter. If both of these are correct, ensure that the server entry on the Pyramid administrative page reflects the correct IP address for that server. If these don't work: check that the domain account on the application service has access to the cube servers; check that the application server can see the cube server (DNS resolution); check access using a third-party tool like SQL Server Management Studio.
o Kerberos: If these don't remedy the issue, the authentication of the user may be failing. See the appendix on Kerberos authentication for more detail.
o Log-on-Locally: Ensure that the users have log-on-locally rights on all servers. Often, the GPO settings are not replicated to the server in a timely fashion and need to be updated by "force".

Issue: User tries to login and gets "Access Denied" message.
Resolution: Ensure that the user has been given the right to "log on locally" to the server if the basic authentication and log-on-locally rights model has been deployed (as described in the appendix). Even if this has been set up correctly, it often takes time for the GPO settings to be distributed to all the servers in the network. If this problem persists, use a tool to force the GPO rules to replicate across the network on demand.

Issue: No Datasources/Cube Servers found
Resolution: This is typically an oversight with the data security on the SSAS cube server. Ensure that the user has rights to see a cube via the Analysis Services Roles functionality. Separately, ensure that users belong to a role in the Pyramid Application that has been given rights to view the data source servers (see the Pyramid Administrative Guide for more).

Issue: 401.1 web error for LOCALHOST installations
Resolution: This 401.1 no-access error when logging into the client application can occur on LOCALHOST installations when trying to login from the same machine hosting the application. In this scenario, one suggestion is to disable the "loopback" check in Windows. See this article for more information: http://support.microsoft.com/kb/896861

Issue: "Error 500"
Resolution: This problem is potentially related to a communications issue. See sections D.i, D.ii and D.iii above for more information. Also, ensure that the services have been started up on their respective servers and that there are no port conflicts on each machine.
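The first and third rows above both come down to the same two checks: does the IP address recorded in the admin console still match what DNS returns for the server, and can the application server actually reach SSAS. The following PowerShell is an added example for this guide, not vendor code, intended to be run on the application server. The server/IP pairs are a constructed sample standing in for the entries in the admin console; 2383 is the default TCP port of a default SSAS instance (named instances are brokered by SQL Browser on 2382), and the gpupdate call at the end is the "force" step the fourth bullet and the "Access Denied" row refer to.

```powershell
# Added example (not vendor code): detect DNS/DHCP drift between the admin-console entries and reality,
# and confirm the application server can reach each SSAS server. Run on the application server.
# Assumptions: $configured is a constructed sample of the Name/IP pairs entered in the admin console;
# 2383 is the default SSAS port (override per entry for a fixed-port named instance).
$configured = @(
    @{ Name = 'olap01.corp.example'; Ip = '10.0.5.21' },   # sample
    @{ Name = 'olap02.corp.example'; Ip = '10.0.5.22' }    # sample
)

function Test-DataSourceEntry($entry, $port = 2383) {
    $dnsIp = $null; $open = $false
    try {
        # First IPv4 answer, the same thing the admin console's "IP address" field is meant to hold
        $dnsIp = [System.Net.Dns]::GetHostAddresses($entry.Name) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                 Select-Object -First 1 | ForEach-Object { $_.IPAddressToString }
    } catch { }
    # Plain TCP connect to SSAS: proves name resolution plus the firewall path from this server
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($entry.Name, $port); $open = $client.Connected } catch { } finally { $client.Close() }
    New-Object PSObject -Property @{
        Server       = $entry.Name
        ConfiguredIp = $entry.Ip
        DnsIp        = $dnsIp
        IpMatches    = ($dnsIp -eq $entry.Ip)   # false = update the entry in the admin console
        SsasPortOpen = $open                      # false = DNS, firewall or SSAS service problem
    }
}

$configured | ForEach-Object { Test-DataSourceEntry $_ } |
    Format-Table Server, ConfiguredIp, DnsIp, IpMatches, SsasPortOpen -AutoSize

# If the table is clean but users still get "Access Denied", the GPO granting "log on locally" may not
# have reached this server yet; refresh computer policy now instead of waiting for the next cycle.
& gpupdate.exe /force /target:computer
```

A mismatch in IpMatches is the "volatile DNS and DHCP" case from the first row; a closed port with a correct IP points at the firewall or the SSAS service rather than at the Pyramid configuration.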
5. Appendix
A. SQL Server Settings
The server housing the SQL Server database should have these capabilities enabled:
- Mixed Authentication (the application uses SQL Authentication for all its activities)
  o The user account provided by administrators to access the SQL Server should have FULL administrative rights to the Pyramid Content Store Database. Scope this to that database (db_owner) rather than granting the login the sysadmin server role; the application only needs rights on its own database.
- Full Text Search

B. Distributed Transaction Coordinator Settings
The application uses MSDTC to handle the many different transactions between it and the SQL Server Content Store. As such, MSDTC needs to be running on ALL servers that are hosting aspects of the application, including the server hosting SQL Server itself.
Further, MSDTC must be set to Allow Remote Clients.
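The SQL Server side of appendix A can be verified with the same login the installer will be given. The following PowerShell is an added example for this guide, not vendor code: it opens a connection with the SQL login (a successful open already proves Mixed Mode is on), reads the mixed-authentication and Full Text Search server properties, and checks that the login is db_owner of the content store without being a server sysadmin. Server, database and login names are placeholders; it uses System.Data.SqlClient from the .NET Framework the installer already requires.

```powershell
# Added example (not vendor code): verify the appendix A SQL Server settings using the application's SQL login.
# Assumptions: $SqlServer, $Database and $Login are placeholders; the login is a SQL (not Windows) login.
$SqlServer = 'sql01.corp.example'     # assumed
$Database  = 'PyramidContentStore'    # assumed content store database name
$Login     = 'pyramid_app'            # assumed SQL login supplied to the installer

# Prompt for the password without echo and keep it out of the command history
$secure   = Read-Host "Password for SQL login $Login" -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$Password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Get-SqlScalar($connection, $query) {
    $cmd = $connection.CreateCommand(); $cmd.CommandText = $query; $cmd.ExecuteScalar()
}

$conn = New-Object System.Data.SqlClient.SqlConnection
# Encrypt=True keeps the SQL credential off the wire in clear text; with a self-signed SQL Server certificate
# you would also need TrustServerCertificate=True (and should replace that certificate).
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;User ID=$Login;Password=$Password;Encrypt=True"
try {
    $conn.Open()   # succeeding here already proves Mixed Mode is on and that the login and database exist
    $mixed    = [int](Get-SqlScalar $conn "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)") -eq 0
    $fullText = [int](Get-SqlScalar $conn "SELECT CAST(SERVERPROPERTY('IsFullTextInstalled') AS int)") -eq 1
    $dbOwner  = [int](Get-SqlScalar $conn "SELECT IS_MEMBER('db_owner')") -eq 1          # current login, current database
    $sysadmin = [int](Get-SqlScalar $conn "SELECT IS_SRVROLEMEMBER('sysadmin')") -eq 1   # current login, server-wide
    New-Object PSObject -Property @{
        MixedModeAuthentication      = $mixed
        FullTextSearchInstalled      = $fullText
        LoginIsDbOwnerOfContentStore = $dbOwner     # "full administrative rights to the content store database"
        LoginIsServerSysadmin        = $sysadmin    # should be False: scope the login to its own database
    } | Format-List
} catch {
    Write-Warning "Connection or query failed: $($_.Exception.Message)"
} finally {
    $conn.Close()
    $Password = $null
}
```

All four values should read True, True, True, False. MSDTC on the SQL Server host itself (appendix B) has to be checked locally on that machine; the prerequisite script in section 1.A covers the registry values involved.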
C. Web Application Settings and Customizations
i. Web Site Deployment Options
The web application installation creates a new standalone web site on the web server. This is named "pyramidBIO.mysite.com" by default, but can be changed during the installation process. Administrators can elect to manually create the Pyramid site as a Virtual Application within an existing web site by replicating the settings below. If the site is to be secured via SSL, the web application needs to be configured to handle the change to the HTTPS protocol (see below).

Using a Stand-Alone Site Internally
Note: some of these steps are completed for you by the configuration tool using the URL provided during installation.
To test the stand-alone web application without creating extranet DNS entries, edit the HOSTS file on the client workstation as follows:
- Open c:\windows\system32\drivers\etc\hosts (note there is no file extension on this system file)
- Add an entry to the bottom of the HOSTS file recording the IP address of the web application server and its decorated DNS name.
  o For example we'd add the following entry to enable the URL "pyramidBIO.mysite.com" to work on the local machine:
    127.0.0.1 pyramidBIO.mysite.com
- Ensure you save the HOSTS file as is, without an extension.
- On certain operating systems (mainly Windows 2008 and Windows 7) the user must disable the "loopback" check (see http://support.microsoft.com/kb/896861 for more):
  o In the registry, go to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  o Add a new DWORD value "DisableLoopbackCheck" and set its value to 1.
  o Note that this turns the loopback check off for every host name on the machine. The same KB article also describes a narrower option, BackConnectionHostNames, that exempts only the names you list.
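The HOSTS and loopback steps above can be applied idempotently from PowerShell. The following script is an added example for this guide, not vendor code. It uses the document's example host name and address, and for the loopback check it uses the BackConnectionHostNames list from the same KB 896861 (the article's "method 1"), which exempts only the Pyramid host name, in place of the blanket DisableLoopbackCheck value; the blanket form is left in a comment for environments that insist on it. Run elevated on the machine doing the local testing.

```powershell
# Added example (not vendor code): HOSTS entry plus a scoped loopback exemption for local testing.
# Assumptions: the document's example host name and 127.0.0.1; elevated session; the BackConnectionHostNames
# MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 is the KB 896861 "method 1" location.
$HostName = 'pyramidBIO.mysite.com'
$Address  = '127.0.0.1'

# 1. Idempotent HOSTS entry (the file has no extension; write it back without adding one)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*\S+\s+' + [regex]::Escape($HostName) + '(\s|$)'   # "<ip> <name>" on a non-comment line
$present   = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
if (-not $present) {
    Add-Content -Path $hostsPath -Value "$Address`t$HostName" -Encoding Ascii
    "Added '$Address $HostName' to $hostsPath"
} else {
    "HOSTS already maps $HostName`: $($present -join '; ')"
}

# 2. Loopback check: exempt just this name rather than disabling the check for every name on the machine
$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$existing = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
if ($existing -notcontains $HostName) {
    $names = @($existing) + $HostName | Where-Object { $_ }   # drop the null that a missing value yields
    Set-ItemProperty -Path $msv -Name BackConnectionHostNames -Value ([string[]]$names) -Type MultiString
    "Added $HostName to BackConnectionHostNames (restart IIS, or reboot, for it to take effect)"
} else {
    "$HostName is already listed in BackConnectionHostNames"
}

# The document's blanket alternative, if you must use it, is:
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableLoopbackCheck -Value 1 -Type DWord
# It removes the reflection protection for every host name the machine answers to, not only this one.
```

Keep the HOSTS entry and the exemption to the test workstation; neither is needed once the permanent DNS record exists and the site is browsed from other machines.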
To Create the Virtual Application:
Basic Authentication
Note: You should NOT attempt to change the authentication model used for the application after installation.
1. Create a web application node (e.g. “pyramid”) under an existing website.
a. Make sure it is pointed to the paBIO directory under c:\wwwroot\inetpub\Pyramid Analytics\
b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to BASIC AUTHENTICATION
(anonymous authentication and WINDOWS authentication must be disabled).
c. Set its application pool to paBIO
2. Under the application node from the step 1 above, add a “virtual application” called “Admin”.
a. Make sure it is pointed to the paBIOadmin directory under c:\wwwroot\inetpub\Pyramid Analytics\
b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication
(BASIC and WINDOWS authentication must be disabled – because it uses FORMS authentication)
c. Set its application pool to paBIOadmin
Forms Authentication
Note: You should NOT attempt to change the authentication model used for the application after installation.
1. Create a web application node (e.g. “pyramid”) under an existing website.
a. Make sure it is pointed to the paBIO directory under c:\wwwroot\inetpub\Pyramid Analytics\
b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to ANONYMOUS AUTHENTICATION
(BASIC authentication and WINDOWS authentication must be disabled).
c. Set the authentication on the Services Directory to BASIC authentication
d. Set its application pool to paBIO
e. Change the “FormsLogon” application setting in the web.config to “true” and set the “WebDomain” value.
2. Under the application node from the step 1 above, add a “virtual application” called “Admin”.
a. Make sure it is pointed to the paBIOadmin directory under c:\wwwroot\inetpub\Pyramid Analytics\
13 Pyramid Analytics| Version 4.6 Installation Guide
b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication
(BASIC and WINDOWS authentication must be disabled – because it uses FORMS authentication)
c. Set the authentication on the ExtServices Directory to BASIC authentication
d. Set its application pool to paBIOadmin
For more information on forms authentication, see the appendix on forms authentication.
Windows Authentication
Note: You should NOT attempt to change the authentication model used for the application after installation.
1. Create a web application node (e.g. “pyramid”) under an existing website.
a. Make sure it is pointed to the paBIO directory under c:\wwwroot\inetpub\Pyramid Analytics\
b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to WINDOWS AUTHENTICATION
(anonymous authentication and BASIC authentication must be disabled).
c. Set its application pool to paBIO
2. Under the application node from the step 1 above, add a “virtual application” called “Admin”.
a. Make sure it is pointed to the paBIOadmin directory under c:\wwwroot\inetpub\Pyramid Analytics\
b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication
(BASIC and WINDOWS authentication must be disabled – because it uses FORMS authentication).
c. Set its application pool to paBIOadmin
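The authentication switches in steps 1 and 2 of the Forms and Windows models above can be audited from PowerShell instead of clicking through IIS Manager. The script below is an added example and is not part of the Pyramid guide or product; it assumes the WebAdministration module (IIS 7.5 and later), a site called "Default Web Site", an application node called "pyramid" and the web.config path shown, all of which are assumptions to adjust. The Basic model, described earlier in the guide, is not included.

```powershell
Import-Module WebAdministration

# Reads the enabled/disabled state of the three IIS authentication modules
# at one location, e.g. "Default Web Site/pyramid/Services".
function Get-IisAuthState {
    param([Parameter(Mandatory)][string]$Location)
    $base  = 'system.webServer/security/authentication'
    $state = @{}
    foreach ($module in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $prop = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                    -Filter "$base/$module" -Name enabled
        $state[$module] = [bool]$prop.Value
    }
    $state
}

# Required states taken from the guide's Forms and Windows procedures.
# Keys are paths relative to the application node; '.' is the node itself.
$RequiredAuth = @{
    Forms = @{
        '.'                 = @{ anonymousAuthentication = $true;  basicAuthentication = $false; windowsAuthentication = $false }
        'Services'          = @{ basicAuthentication = $true }
        'Admin'             = @{ anonymousAuthentication = $true;  basicAuthentication = $false; windowsAuthentication = $false }
        'Admin/ExtServices' = @{ basicAuthentication = $true }
    }
    Windows = @{
        '.'     = @{ windowsAuthentication = $true;  anonymousAuthentication = $false; basicAuthentication = $false }
        'Admin' = @{ anonymousAuthentication = $true; basicAuthentication = $false;  windowsAuthentication = $false }
    }
}

function Test-PyramidAuthModel {
    param(
        [Parameter(Mandatory)][ValidateSet('Forms', 'Windows')][string]$Model,
        [string]$Site = 'Default Web Site',   # assumed site name
        [string]$App  = 'pyramid'             # assumed application node name
    )
    $problems = @()
    foreach ($rel in $RequiredAuth[$Model].Keys) {
        $location = if ($rel -eq '.') { "$Site/$App" } else { "$Site/$App/$rel" }
        $actual   = Get-IisAuthState -Location $location
        foreach ($module in $RequiredAuth[$Model][$rel].Keys) {
            $want = $RequiredAuth[$Model][$rel][$module]
            if ($actual[$module] -ne $want) {
                $problems += '{0}: {1} is {2}, expected {3}' -f $location, $module, $actual[$module], $want
            }
        }
    }
    $problems
}

# Forms only: the web.config keys from step 1e must also be present.
function Test-FormsLogonSettings {
    param([string]$WebConfig = 'C:\inetpub\wwwroot\Pyramid Analytics\paBIO\web.config')  # assumed path
    [xml]$cfg = Get-Content -LiteralPath $WebConfig
    $settings = @{}
    foreach ($add in $cfg.configuration.appSettings.add) { $settings[$add.key] = $add.value }
    $problems = @()
    if ($settings['FormsLogon'] -ne 'true') { $problems += "FormsLogon is '$($settings['FormsLogon'])', expected 'true'" }
    if (-not $settings['WebDomain'])        { $problems += 'WebDomain is not set' }
    $problems
}

# Usage: an empty result means the settings match the guide's Forms procedure.
$findings = @(Test-PyramidAuthModel -Model Forms) + @(Test-FormsLogonSettings)
if ($findings) { $findings | Write-Warning } else { Write-Host 'Authentication settings match the Forms model' }
```

Run it elevated on the web server; every line returned is a deviation from the procedure. The Forms model depends on anonymous access at the node combined with Basic on the Services directory, so those two locations and the web.config keys are the places where an accidental change in IIS Manager would alter the login path without any visible error.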
ii. Using an SSL certificate and HTTPS
Before using the application with SSL, administrators must ensure that:
The site SSL certificate is installed into IIS as normal.
Steps to deploy the Pyramid Application with an SSL certificate in IIS7:
1. Obtain and install the SSL certificate into IIS 7 as generally directed. Follow this by binding the certificate as normal to the website that is hosting the application.
2. Open a command prompt by clicking the start menu and typing “cmd” and hitting enter. Then navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.
3. Run the following command for each of the websites on the IP address that need to use the certificate
appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']
4. Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (site1.mydomain.com)
For IIS7, check the host header (site URL) has been bound to the SSL certificate using the “APPCMD” command line facility (as described in the steps above).
The “IsHttps” flag in the site’s web.config file has been set to true. This option is set from the Installation Configuration Wizard. However, it can be set manually as well:
1. Go to the web installation folder for “services” (typically c:\inetpub\wwwroot\pyramid analytics\paBio\) and open the web.config file with Notepad.
2. Locate the string “<add key="IsHttps" value="false" />” and set its value to “true”.
3. Save the web.config file.
Offloaded SSL Processing
If you are using other devices to offload SSL processing from the IIS web server (like F5’s “SSL Acceleration”), then the above IsHttps flag should be set to false.
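To confirm that the binding from step 3 and the IsHttps flag agree with where TLS actually terminates, the following added example (not part of the guide or product) can be run on the web server. The site name, host header and web.config path are assumptions; pass -SslOffloaded when a device such as the F5 terminates SSL in front of IIS.

```powershell
Import-Module WebAdministration

function Test-PyramidHttps {
    param(
        [string]$SiteName   = 'Default Web Site',                                       # assumed
        [string]$HostHeader = 'site1.mydomain.com',                                     # assumed, as in the appcmd step
        [string]$WebConfig  = 'C:\inetpub\wwwroot\Pyramid Analytics\paBio\web.config',  # assumed path
        [switch]$SslOffloaded                                                           # TLS ends on a device in front of IIS
    )
    $findings = @()

    # 1. The https binding created with appcmd must exist and carry a certificate.
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
               Where-Object { $_.bindingInformation -like "*:443:$HostHeader" }
    if (-not $binding) {
        $findings += "no https binding for $HostHeader on site '$SiteName'"
    } elseif (-not $binding.certificateHash) {
        $findings += "https binding for $HostHeader has no certificate bound"
    }

    # 2. IsHttps must be true when IIS terminates TLS and false when it is offloaded.
    [xml]$cfg = Get-Content -LiteralPath $WebConfig
    $entry    = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'IsHttps' }
    $expected = if ($SslOffloaded) { 'false' } else { 'true' }
    if (-not $entry) {
        $findings += "IsHttps key missing from $WebConfig"
    } elseif ($entry.value -ne $expected) {
        $findings += "IsHttps is '$($entry.value)' but should be '$expected' for this topology"
    }
    $findings
}

# Usage: an empty result means the binding and the flag are consistent.
Test-PyramidHttps -HostHeader 'site1.mydomain.com'
```

The flag is the one setting the guide asks you to flip by hand, so it is the one most likely to drift from the real topology after a later change to the load balancer; checking it next to the binding catches both halves at once.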
D. Web Authentication Models
The following briefly explains the different web authentication models available with the Pyramid Application.
i. Basic Authentication Models
The user is prompted to enter credentials when they browse to the Pyramid URL address. The credential prompt is supplied by Windows IIS
and is credentialed against the local OS security or the Active Directory. The resulting security token can be used directly against cube data
sources without any further translation. The user name and password are passed from the client browser to the server in clear text, so Basic
Authentication models are typically deployed with SSL certificates (recommended) to encrypt the data packets across the network.
Basic Authentication works through firewalls and on all browsers on both PCs and Macs. It’s a mature, efficient and
incredibly fast authentication method and is highly recommended for extranet deployments.
ii. Windows Authentication Models
Windows Authentication provides a single sign on model for users of PC’s connecting to the Pyramid application. The user is NOT prompted
when they browse to the Pyramid URL address; instead their workstation credentials are used to authenticate against the website. The
authentication is handled by Windows IIS and is credentialed against the local OS security or the Active Directory. The resulting security
token can be used directly against cube data sources without any further translation.
Windows Authentication generally does NOT work through firewalls and works only in Internet Explorer and FireFox on PCs.
Because of these limitations, it is used in limited circumstances. It’s a mature, efficient and incredibly fast authentication method and is
only recommended for intranet deployments.
iii. Forms Authentication Models
The user is forwarded to a login page where they are prompted to enter credentials. The credential prompt is supplied by application itself
and is authenticated inside client defined code. The authentication can be against any type of credentialing engine including against an
Active Directory or SQL Server data store. The resulting security token cannot be used directly against cube data sources and therefore
usually requires some type of translation. The user name and password are passed from the client browser to the server in clear text so
Forms Authentication models are typically deployed with SSL certificates (recommended) to encrypt the data packets across the network.
Forms Authentication works through firewalls and on all browsers on both PCs and Macs. Because it provides for
customized authentication frameworks, it is often used when an Active Directory cannot be used directly (or at all).
Pyramid supports forms authentication in 2 modes: “Direct Forms” and “Federated Forms”
Direct Forms – if deployed, users are redirected to a Pyramid provided login page where users can enter their details. The
authentication is applied against the Active Directory itself.
Federated Forms – is an automated mechanism for clients to redirect users from an alternative login framework to the Pyramid
Suite. In doing so, clients provide the impersonated Windows account that will be used for the given user. Pyramid in turn
provides a framework for the end user to auto-login into its application, delivering a virtual single-sign-on facility. Use of federated
forms requires clients to add new code to their custom forms login process. The code provides a conduit for Pyramid to issue a
session based cookie with encrypted tokens that will allow the user’s browser session to use the application without further
prompt.
For more details on Federated Forms and its implementation, please contact Pyramid Support.
E. “Log-on-Locally” Impersonation Setup
If administrators wish to AVOID the complexities of Kerberos and SPNs, they can choose to deploy the application using Basic or Forms
Authentication with “Log-on-Locally” rights. Before the local OS and/or Active Directory can be used for the application in these
deployments, administrators MUST ensure that the server hosting the application has granted “local log on” rights to all users planning to
access the system. This feature is used to ensure that the end-user’s authentication is passed directly to the cube server as intended.
i. Local OS setup:
On the host server, go to Administrative Tools, Local Security Policy
In the pop-up, under Security Settings choose Local Policies, then User Rights Assignment
In the right hand panel, select “Allow Log on locally”
In the pop-up dialog, ensure that the appropriate users and/or user groups are in the listing of those users that can log on locally
ii. Active Directory setup:
On the Active Directory Domain Controller, go to Administrative Tools, Group Policy Management
In the pop-up, open up the forest node, then domains, and then the domain node.
o For existing GPO’s, right click and choose Edit
o For new GPO’s, first create a new GPO and assign it to the computer in the AD, then right click and choose Edit
Under Computer Configuration, Policies, Window Settings, Security Settings, Local Policies, choose User Rights Assignment
In the right hand panel, select “Allow Log on locally”
In the pop-up dialog, ensure that the appropriate users and/or user groups are in the listing of those users that can log on locally
o Ensure that the local Administrators group is ALSO added during this process
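Because granting “Allow log on locally” to every application user widens who can sign in interactively on the web server, it is worth checking exactly which principals hold the right once the local policy or GPO has applied. The function below is an added example (not from the guide); it uses secedit to export the current user-rights assignment and must run elevated on the host server. The group name COMPANY\Pyramid Users is an assumption standing in for whatever group the application users are placed in.

```powershell
# Lists the accounts and groups holding SeInteractiveLogonRight ("Allow log on locally")
# on this machine, as currently applied by local policy and any GPO.
function Get-LogOnLocallyPrincipals {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -LiteralPath $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    } finally {
        Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }
    # Format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545  (SIDs are prefixed with '*')
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # unresolvable SID (e.g. a deleted account): keep the raw value
        } else { $entry }
    }
}

function Test-LogOnLocally {
    param([string[]]$RequiredPrincipals = @('COMPANY\Pyramid Users', 'BUILTIN\Administrators'))  # assumed group
    $granted  = @(Get-LogOnLocallyPrincipals)
    $findings = @()
    foreach ($p in $RequiredPrincipals) {
        if ($granted -notcontains $p) { $findings += "missing: $p" }
    }
    # The guide wants the application's users to hold the right, not every account in the domain.
    # On a domain member BUILTIN\Users contains Domain Users, so it is as broad as Authenticated Users.
    foreach ($broad in 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users') {
        if ($granted -contains $broad) { $findings += "overly broad grant: $broad" }
    }
    [pscustomobject]@{ Granted = $granted; Findings = $findings }
}

Test-LogOnLocally
```

Run it after a `gpupdate /force` on the web server when the right is assigned by GPO, so that the exported policy reflects the domain setting rather than only the local one.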
F. Kerberos Delegation Setup
Adapted from “Microsoft ProClarity and Kerberos Delegation” by Microsoft Product Support, 12-4-2008
i. Introduction
When the server side applications and/or SSAS are deployed on separate machines administrators must configure Kerberos delegation on
the Active Directory for user authentication to succeed. The Active Directory provides an option through Kerberos delegation to pass the
user’s credentials from the client, to the web server, and then to other servers and finally to SSAS. This process is referred to as Kerberos
delegation.
Kerberos authentication can produce critical issues when there is a multi-leg or “double-hop” between multiple servers. The double-hop
problem is an intentional security restriction to discourage Active Directory objects from acting on behalf of other security accounts.
In the Pyramid Application, a double-hop is created when there is one hop from the SilverLight client to the web server (IIS) and one or
more other hops from the web server to one or more application servers (or the cube data server).
The following matrix (Figure 2, reproduced after the Other Documentation & Tools list below) outlines the possible deployment scenarios currently available with the Pyramid Application Suite and when Kerberos
delegation is required.
From the above, it is clear that Kerberos delegation setup is only required in the multi-server deployment model, when users are authenticating
through Windows Authentication or Basic (and Forms) Authentication (without log-on-locally rights) on IIS. It can, however, also be used for
single-server deployments.
All major client browsers are compatible with the application (“SilverLight”). However, only Internet Explorer and FireFox support Integrated
Windows Authentication on a PC. Other PC browsers and all Mac deployments require manual user logins even in Windows Authentication
mode. See client setups for more.
NOTE: Multi-Server includes the data/cube server. So the deployment is ‘multi-server’ if the cube server is on a separate machine,
irrespective of whether the entire Pyramid application is installed on a single machine or not.
ii. Other Documentation & Tools
Review the section “Infrastructure Requirements” in Microsoft’s Troubleshooting Kerberos Delegation
Review the following Microsoft document - How to configure SQL Server 2005 Analysis Services to use Kerberos authentication.
There are two common tools for editing SPN entries in Active Directory: AdsiEdit.msc and setSPN.exe.
Installed with the Pyramid Application is the Kerberos Tester. It can be found under
o the server’s default website “http://defaultwebsite/pyramid/admin/diagnostics.aspx” or
o the URL “http://pyramidBIO.mysite.com/admin/diagnostics.aspx” where pyramidBIO.mysite.com is the host URL name
you provided during installation.
Figure 2: Deployment models and the authentication requirements for each

Security Framework         | Local Operating System        | Active Directory              | Active Directory
Deployment Model           | Single Machine                | Single Machine                | Multi Machine
Component                  | Server | Client               | Server | Client               | Server                                   | Client
User Authentication        |        |                      |        |                      |                                          |
Basic/Forms Authentication | NA     | IE, FF, Safari, Chrome | NA   | IE, FF, Safari, Chrome | Log-on-locally, or Kerberos + Delegation | IE, FF, Safari, Chrome
Windows Authentication     | NA     | IE, FF, Safari, Chrome | NA   | IE, FF, Safari, Chrome | Kerberos + Delegation                    | IE & FF only + Trusted Site
iii. Overview
The steps below outline how to solve the “double hop” problem of cross-server trust delegation and describe the
configuration in the case of separate Pyramid and data cube servers.
iv. Prerequisites
Prior to these configuration steps, your environment should have the following prerequisites met. If any of these items are not configured,
delegation will not function correctly.
Check your Active Directory Forest and Domain functional levels. They should be set to Native or 2003/2008/2012.
o Windows 2008 or Windows Vista machines should have the Microsoft hotfix KB969083 applied to correct the Kerberos issues
with SQL Server SSAS 2005/2008/2012. This does not need to be applied to Windows 2008 R2 / 2012 or Windows 7/8.
Kerberos delegation can function between trusted forests and domains.
o The resource forest or domain must trust the user forest or domain.
For Windows Authentication deployments, the site hosting the application must be in the client’s TRUSTED SITE list inside the browser.
o Alternatively, administrators can add the site as a trusted site using GPO’s on the Active Directory for all users.
Note that SPNs must be registered by a domain administrator with permissions.
v. Configuration Steps: Delegation and SPNs
Delegation on the Active Directory
All servers hosting parts of the application must be able to delegate – including the Web Servers and servers hosting the router and
application services. You can use Full or Constrained Delegation.
To set Full Delegation:
Open the Active Directory “Users and Computers” panel in the Administrative tools on the active directory server (as per below).
From the tabs, choose “Delegation” and set it to “Trust Computer for delegation to any Service”.
Figure 3 Delegation Panel (Win 2008)
Figure 4 Delegation Panel (Win 2003)
Setting Service Principal Names (SPNs)
Verify which account is running the IIS application pool which contains the application. It should be NETWORK SERVICE and it is likely this
account will already have SPN entries. From the command prompt type:
setspn -L MachineName
You will likely see SPN entries for this local service account in one of the following forms:
HOST/<MachineName>
HOST/<MachineName>.<domainName>
Adding an IIS SPN
When the site is running under the default web site (“localhost”) – no SPNs need to be added. However, if the site is running under a
different host header name / URL (for example “www.mycompany.com”), the configurator tool will add an SPN for this host header name /
URL. If this did not complete successfully, you should add the SPN using the following syntax:
setspn -s HTTP/MachineName MachineName
setspn -s HTTP/www.mycompany.com MachineName
Where the “MachineName” is the name of the hosting IIS server machine.
Duplicate SPNs break Kerberos Authentication. As such, once completed, run the following to ensure there are no duplicate SPN entries:
setspn -X
SPNs on Windows 2003
To use the “SetSPN” application on Windows 2003, you may need to download and install the Windows 2003 support tools first (SP1 and
SP2). Then browse to the support tools folder and run the setspn command application from there.
When using Windows 2003, swap the setspn commands from “setspn -s” to “setspn -a” since the “-s” option is not available.
SQL Server Analysis Services Configuration
SSAS should already have its SPNs preset as part of its own installation. This section allows administrators to ensure it is correct in the event
of impersonation and connection issues.
Before starting, ensure that the end user(s) is a part of the SSAS role for viewing cube data.
Using a local computer account for the SSAS service
Check the SQL Server Analysis Services (MSSQLSERVER) service to find out what account is being used to start the service.
If your SSAS service is running under a local computer account, such as LocalSystem, it is likely this account will already have SPN entries.
MSOLAPSvc.3/MachineName MachineName
MSOLAPSvc.3/MachineName.Company.com MachineName
Adding SPNs for SSAS
If you do not see the correct SPNs, you can add them. If the SSAS service is using LocalSystem and not a domain user account, you must set
the computer account for the data server in Active Directory to be trusted for delegation.
setspn -s MSOLAPSvc.3/MachineName MachineName
setspn -s MSOLAPSvc.3/MachineName.Company.com MachineName
If the SSAS service is running under domain accounts register these SPNs.
setspn -s MSOLAPSvc.3/MachineName domainAccount
setspn -s MSOLAPSvc.3/MachineName.Company.com domainAccount
If you are using a named instance for SQL Server SSAS the following SPN formats apply with domain account or machine name as required.
setspn -s MSOLAPSvc.3/MachineName:instanceName domainAccount
setspn -s MSOLAPSvc.3/MachineName.Fully_Qualified_domainName:instanceName domainAccount
You may have to force or wait for replication of the information to other domain controllers in the network.
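The SPN commands above are easy to get subtly wrong (host header versus machine name, a missing FQDN form, a forgotten instance suffix), so the following added example (not from the guide or product) builds the list of SPNs the guide expects for the web server and the SSAS service, compares it with what `setspn -L` reports, prints the exact `setspn -s` command for each missing entry without running it, and finishes with the duplicate check. The server, host header and domain names are assumptions; it must run as a domain account permitted to read SPNs, and it uses the `-s` / `-X` forms (substitute `-a` on Windows 2003 as noted above).

```powershell
# Returns the SPNs registered on an account, parsed from "setspn -L" output
# (a header line, then one indented SPN per line).
function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$Account)
    & setspn.exe -L $Account 2>&1 |
        ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9.]+/' }
}

function Test-PyramidSpn {
    param(
        [string]$WebServer  = 'PyramidSrv',          # assumed IIS host name
        [string]$HostHeader = 'www.mycompany.com',   # assumed site URL, as in the guide
        [string]$SsasServer = 'CubeSrv',             # assumed SSAS host name
        [string]$DomainFqdn = 'company.com',         # assumed
        [string]$SsasAccount,                        # domain account running SSAS; leave empty for LocalSystem
        [string]$Instance                            # SSAS named instance; leave empty for the default instance
    )
    # SPNs the guide says must exist. The IIS SPNs live on the computer account (NETWORK SERVICE);
    # the SSAS SPNs live on the computer account or on the domain service account.
    $ssasHolder = if ($SsasAccount) { $SsasAccount } else { $SsasServer }
    $suffix     = if ($Instance)    { ":$Instance" }  else { '' }
    $expected = @(
        @{ Holder = $WebServer;  Spn = "HTTP/$WebServer" }
        @{ Holder = $WebServer;  Spn = "HTTP/$HostHeader" }
        @{ Holder = $ssasHolder; Spn = "MSOLAPSvc.3/$SsasServer$suffix" }
        @{ Holder = $ssasHolder; Spn = "MSOLAPSvc.3/$SsasServer.$DomainFqdn$suffix" }
    )

    $missing = @()
    foreach ($holder in ($expected | ForEach-Object { $_.Holder } | Select-Object -Unique)) {
        $registered = @(Get-RegisteredSpn -Account $holder)
        foreach ($e in $expected | Where-Object { $_.Holder -eq $holder }) {
            if ($registered -notcontains $e.Spn) {
                $missing += "setspn -s $($e.Spn) $holder"
            }
        }
    }

    # Duplicate SPNs break Kerberos: setspn -X lists any SPN registered on more than one account.
    $duplicates = & setspn.exe -X 2>&1 |
        ForEach-Object { $_.ToString() } |
        Select-String -Pattern 'is registered on these accounts'

    [pscustomobject]@{
        MissingSpnCommands = $missing       # run these (as a domain admin) to register what is absent
        DuplicateSpnLines  = @($duplicates | ForEach-Object { $_.Line })
    }
}

Test-PyramidSpn -WebServer 'PyramidSrv' -HostHeader 'www.mycompany.com' -SsasServer 'CubeSrv' -DomainFqdn 'company.com'
```

Keeping the register step separate from the check is deliberate: a duplicate reported by `setspn -X` has to be resolved by removing the stray registration, not by adding another, and the output tells you which account to look at.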
vi. Client Configuration
User Accounts
User accounts on the Active Directory, by default, should not need additional configuration. You may want to verify that the “Account is
sensitive and cannot be delegated” box is NOT checked in the Active Directory account properties. If checked, the account will be
inoperable.
Have the users log out and back in to their client machine after changing any properties and before running Kerberos Delegation tests. This
will clear cached Kerberos tickets. You may also use the Kerbtray utility to clear Kerberos tickets without logging out and back in.
Client Computers
All major client browsers are compatible with the application’s framework (“SilverLight”). However, only Internet Explorer and FireFox
support Integrated Windows Authentication. All previously mentioned browsers support Basic Authentication with or without SSL
certificates.
Enabling Integrated Windows Authentication in Internet Explorer 7.x, 8.x
From the client machine (browser) make sure Internet Explorer is set to use Integrated Authentication as shown below and that the web
site has been added to the list of TRUSTED SITES in the browser (or INTRANET sites for internal site addresses). This can also be enacted
through GPO’s on the Active Directory.
Have the end user log off and log on or use kerbtray.exe to clear cached security tickets.
Figure 5 Checking Client Browser Properties
Enabling Integrated Windows Authentication in FireFox
Launch FireFox and go to ‘about:config’ (figure below). Add the URL of the web site to the following preferences:
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.delegation-uris
Figure 6 FireFox Configuration
vii. Testing Your Configuration
Once you have completed these steps, ensure your SSAS security is set correctly, and test the delegation by attempting to access a data
view in Pyramid Application. Do not test from the web server, application server or data server as this would only be a single hop test.
If you see an error in the client, please continue reading the following troubleshooting section.
viii. Troubleshooting
Confirm a Kerberos Delegation Issue
It is important to first be sure that Kerberos delegation failure is indeed the cause of the error you are receiving in the client. Many of the
other possible causes of this error can be eliminated from consideration using the following steps:
1. Restart all machines involved in the Kerberos Delegation setup. This will force services to be restarted, which is required after SPN
changes, and Kerberos ticket caches to be cleared.
2. Attempt to access the client by using a browser on the web server itself. This will eliminate one of the credential hops and you should
be able to login. If you cannot see data, Kerberos delegation may not be the issue.
3. Check the Event Viewer Security logs on the web and data servers. The logs will report successes and failures and can identify if
Kerberos or NTLM is being used.
a. Looking at the audit logs in the Pyramid database will also highlight what type of authentication the user was using in
trying to log into the application.
4. Check to be sure cube security is set correctly and the test user is a member of a role that has access to the cube. It is recommended
that you temporarily grant your test user membership to the server Administrator role to help eliminate cube security as a cause of
any connection problems.
5. Check that the web server can communicate with the data server and that firewall ports are open. It is recommended that you
temporarily disable firewalls to help eliminate them as possible causes of any connection problems. If there are firewalls between the
client, web server and data server, be sure that they have the correct ports open.
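Step 3's check of the Security log can be scripted. The function below is an added example, not from the guide: it reads logon events (ID 4624) from the Security log on the named server, keeps network logons (type 3) and groups them by user and authentication package, which is where Kerberos versus NTLM shows up. Run it against the web server to see how the client authenticated and against the data server to see whether the delegated hop arrived as the end user over Kerberos. The user name and server names are assumptions, and logon auditing must be enabled for 4624 events to exist.

```powershell
# Summarises who logged on over the network and with which package (Kerberos or NTLM).
function Get-NetworkLogonPackageSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # web server or data server
        [string]$User,                               # e.g. 'jsmith' (assumed); omit for everyone
        [int]$Hours = 1
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields rather than relying on positional Properties indexes.
            [xml]$xml = $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = [int]$data['LogonType']
                Package   = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
                Source    = $data['IpAddress']
            }
        } |
        Where-Object { $_.LogonType -eq 3 -and (-not $User -or $_.User -eq $User) } |
        Group-Object User, Package |
        ForEach-Object {
            [pscustomobject]@{ User = $_.Values[0]; Package = $_.Values[1]; Logons = $_.Count }
        }
}

# Usage (assumed names): compare the two hops.
Get-NetworkLogonPackageSummary -ComputerName 'PyramidSrv' -User 'jsmith'
Get-NetworkLogonPackageSummary -ComputerName 'CubeSrv'    -User 'jsmith'
```

With working delegation the data server shows the same user with Package Kerberos. If the user shows up on the web server but never on the data server, and the data server instead records the web server's machine account or ANONYMOUS LOGON for the same minute, the second hop is the one failing, which confirms the diagnosis before any SPN or delegation changes are made.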
Troubleshooting Kerberos authentication to the SSAS service
If you're confident that the problem appears only when attempting to use Kerberos delegation, there are a few things to confirm:
1. Review the setup steps above to be sure your SPN entries are correct and that the data server, web server and client machines have
been properly configured for delegation.
2. You can check your SPNs and test for duplicates using a tool called DHCheck.
3. You can use the “Kerberos Delegation Tester” on the installed website, found at:
a. the server’s default website “http://defaultwebsite/pyramid/admin/diagnostics.aspx” or
b. the URL “http://pyramidBIO.mysite.com/admin/diagnostics.aspx” where pyramidBIO.mysite.com is the host URL name
you provided during installation.
4. Use the MDX Sample Application from Analysis Services 2000 on the web server to test a Kerberos connection to Analysis Services. If
the tool connects successfully when forced to use Kerberos, then you likely have configured SPN entries for the SSAS service correctly.
To test a Kerberos connection, modify the “Provider” field when connecting to a server, as shown in this example:
Figure 7 Testing Kerberos with the MDX Sample Application
5. Review the section “Diagnosing delegation Problems: Four Checklists” in Microsoft’s Troubleshooting Kerberos Errors:
http://download.microsoft.com/download/1/e/e/1ee86ce4-8234-4aa1-94f4-a37039837729/Troubleshooting_Kerberos_Delegation.DOC
Troubleshooting Kerberos on the web server
Once you have confirmed that you are able to authenticate to the SSAS service using Kerberos, test the application again from a client
machine. If you continue to have login issues, there may be some additional configuration steps necessary on the web server.
IIS 7.x on Windows 7/8 or Windows 2008/2012 Server
The following steps can be set directly in the IIS 7.x console found in the Administrative Tools on the server. You will need to install the
administrative tools for IIS7.x (which can be downloaded from the web or found under the tools menu on the Pyramid install CD)
Open up the IIS 7.x console and select the website from the tree on the left. Click on Configuration Editor.
Figure 8
In the panel, click on windows authentication. In the panel, click on providers and then click on the ellipsis at the far right of the screen.
Figure 9
Figure 10
Providers: Make sure there are 2 providers listed - Negotiate and NTLM
Figure 11
Advanced settings: In the authentication panel, make sure Extended protection is set to "off" in the drop down and make sure the Enable
kernel-mode authentication is checked
Figure 12
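The three console settings above (providers, extended protection, kernel-mode authentication) can be read back in one go with the added function below, which is not part of the guide; it assumes the WebAdministration module and the site and application names shown.

```powershell
Import-Module WebAdministration

function Test-IisWindowsAuthForKerberos {
    param([string]$Site = 'Default Web Site', [string]$App = 'pyramid')   # assumed names
    $location = "$Site/$App"
    $filter   = 'system.webServer/security/authentication/windowsAuthentication'
    $winAuth  = Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter $filter
    $providers = @(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                     -Filter "$filter/providers" -Name Collection | ForEach-Object { $_.value })
    $findings = @()

    # Providers, in the order the guide lists them: Negotiate (offers Kerberos) then NTLM.
    if ($providers.Count -ne 2 -or $providers[0] -ne 'Negotiate' -or $providers[1] -ne 'NTLM') {
        $findings += "providers are [$($providers -join ', ')]; expected Negotiate, NTLM"
    }
    # Extended protection: the console's "Off" is tokenChecking="None" in configuration.
    if ($winAuth.extendedProtection.tokenChecking -ne 'None') {
        $findings += "extended protection is '$($winAuth.extendedProtection.tokenChecking)'; guide expects Off"
    }
    # Kernel-mode authentication must be checked.
    if (-not $winAuth.useKernelMode) {
        $findings += 'enable kernel-mode authentication is unchecked'
    }
    $findings
}

Test-IisWindowsAuthForKerberos
```

Extended Protection binds the Windows authentication to the TLS channel so that the credentials cannot be relayed by an intermediary; the guide turns it off for compatibility, so record that as a documented exception for the site rather than a default to copy elsewhere.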
IIS 6 on Windows 2003 Server
An IIS metabase entry specifying the authentication headers available for the web site needs to be checked to ensure Kerberos is the
default security protocol option. You may check this with any IIS metabase browser, or from the IIS metabase xml file directly. Metabase
Explorer from the IIS 6 Resource Kit may be the easiest to use.
For the IIS service where the PAS virtual directory is located (in this case the default website), be sure the NTAuthenticationProviders
property is set to “Negotiate,NTLM”, click Apply, and reset IIS.
Figure 13 Web Service Properties via Metabase Explorer
The Negotiate authentication header will use Kerberos in most cases (for exceptions please refer to the following article:
http://support.microsoft.com/kb/215383). Therefore, if the website hosting PAS is configured to utilize the Negotiate header (as
specified above), the authentication protocol will generally be Kerberos without the need for further configuration. However, if
everything appears to be in place, but PAS will not authenticate to Analysis Services, it may be necessary to force the authentication
protocol to Kerberos on the OLE DB connection string. This can be done by following these steps:
1. Add a registry key called “Properties” to the existing Microsoft ProClarity Server registry key. The final path will look like this:
HKLM\SOFTWARE\Microsoft ProClarity Corporation\Server\Properties
2. Add a new string value: right click on the new Properties key and select New > String Value. The value name is "SSPI" (without the quotes) and
its data is "Kerberos" (without the quotes).
3. Reset IIS.
Other Troubleshooting Tips
1. You may also turn on verbose logging to capture security traffic on your web server and data server:
http://support.microsoft.com/kb/262177
Figure 14 Log Level Setting in the Registry
If you are using Constrained Delegation, temporarily disable the constraint and retest.
2. Are you using a split domain where machines can resolve with two different FQDNs? For example, when you ping the same server
from two different machines and it returns different FQDNs – such as MyDataServer.Company.com as well as
MyDataServer.AD.Company.com? If so, this may defeat the SPNs needed for Kerberos delegation. Please see your network
administrators and verify that the DNS names being requested by the browser to the web server match the SPNs on the server. Also
be sure that the DNS names requested by the web server to the data server match the SPNs registered on the data server.
3. Troubleshooting with Network Monitor or Wireshark? Two easy ways to pick Kerberos from NTLM in an HTTP capture.
4. Analysis Services should be installed, preferably from a fresh install that has not been imaged. It is also preferable that you use a
machine that has not been renamed.
G. Constrained Delegation:
i. Constrained Vs. Full: Overview
When you set a server to allow full trust delegation, any Kerberos token from any service could be transferred to any other service on the
target server. Constrained delegation is more secure because you define exactly which service on which machine the Kerberos
token may be transferred to.
ii. Pyramid Multi Servers Architecture
Basically the flow is: Client -> IIS -> Pyramid Router -> Pyramid Application Server -> SSAS
The rule of thumb is that every machine should trust the machine\service that follows it in the chain. For example, the router machine
should trust both application server SPNs (machines PyramidApp1 and PyramidApp2 above).
iii. Configurations from Domain Controller
1. From Active Directory Users and Computers, right click on the server you wish to configure and choose Properties. Go
to the Delegation tab:
Select the third option: ‘Trust this computer for delegation to specific services only’ and ‘Use Kerberos only’.
2. Press the Add button (in the dialog press the Users or Computers button)
Select the servers you wish to trust (e.g. the application servers).
3. In the Add Service dialog you’ll see all the available SPNs (services). Select the SPN you gave to this machine (in our case the
service type is HOST and the User or computer would be PyramidSrv or srv1).
We need to do that for each machine in the flow, again using the rule of thumb: each machine should trust the service in the
machine that follows.
iv. Summary
The web server should trust the HOST/<routerSPN> on the router machine.
The router server should trust All the HOST/<appSPN> (for each server machine).
Each application server should trust the MSOLAPSvc.3 service on the SSAS machine
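The summary above can be verified against Active Directory with the following added example (not from the guide); it assumes the ActiveDirectory PowerShell module on a domain-joined machine and the server names shown. It reads each computer account's msDS-AllowedToDelegateTo list, which is what the Delegation tab writes, and also flags the two settings that would make a hop more permissive than the guide's ‘specific services only’ and ‘Use Kerberos only’ choices.

```powershell
Import-Module ActiveDirectory

function Test-PyramidConstrainedDelegation {
    param(
        [string]$WebServer    = 'PyramidWeb',                       # assumed
        [string]$Router       = 'PyramidRouter',                    # assumed
        [string[]]$AppServers = @('PyramidApp1', 'PyramidApp2'),   # names used in the guide's example
        [string]$SsasServer   = 'CubeSrv'                           # assumed
    )
    # Each hop must trust the service on the hop that follows it.
    $chain = @(
        @{ From = $WebServer; To = @("HOST/$Router") }
        @{ From = $Router;    To = @($AppServers | ForEach-Object { "HOST/$_" }) }
    )
    foreach ($app in $AppServers) {
        $chain += @{ From = $app; To = @("MSOLAPSvc.3/$SsasServer") }
    }

    $findings = @()
    foreach ($hop in $chain) {
        $acct = Get-ADComputer -Identity $hop.From `
                    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
        $allowed = @($acct.'msDS-AllowedToDelegateTo')

        if ($acct.TrustedForDelegation) {
            $findings += "$($hop.From): 'any service' (full) delegation is enabled; the constrained setup does not need it"
        }
        if ($acct.TrustedToAuthForDelegation) {
            $findings += "$($hop.From): 'use any authentication protocol' is enabled; the guide selects 'Use Kerberos only'"
        }
        foreach ($spn in $hop.To) {
            # The tab stores both the short and the FQDN form of the SPN; accept either.
            $present = $allowed | Where-Object { $_ -eq $spn -or $_ -like "$spn.*" }
            if (-not $present) { $findings += "$($hop.From) does not trust $spn" }
        }
    }
    $findings
}

Test-PyramidConstrainedDelegation
```

An empty result means every hop trusts exactly the next service in the chain and nothing broader; rerun it after any server is renamed or re-joined to the domain, since both reset the computer account's delegation settings.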
H. Windows 8 & Windows Server 2012
Installing the application on servers running either Windows 8 or Windows Server 2012 may require that certain features be installed that
are not by default (unlike previous versions of the Windows operating system).
Most notably, the WCF Services need to be explicitly installed (see the images below).
Figure 15 Windows 8
Figure 16 Windows Server 2012
I. Performance Load Balancing Options
The following settings can be activated to turn the performance based load balancing options on. These options are only available with the Enterprise License. To make changes, administrators need to locate the configuration file for the router application. Typically, this can be found at C:\Program Files\Pyramid Analytics\BI Office 4.0\Pyramid.Server.Router.exe.config. Values can be found under the “appSettings” section in the config file.
Performance Routing
<add key="PerformanceRouting" value="false"/>
When set to true, the Router Service prioritizes all registered Pyramid Application Services and diverts requests from clients to the highest
performing server as measured at that time. Priority gets calculated according to the CPU usage levels and Available Memory on the
targeted machine.
Server Check Interval
<add key="ServersCheckInterval" value="5000"/>
This value marks the amount of time (in milliseconds) to wait between checking registered Pyramid Application Services and their host servers for performance values. In the process of checking an Application Service, the Router can start or restart an unresponsive Application Service. NOTE: If the Application Service has been stopped from the administrative console, it will not be restarted. However, if the service has been stopped from the server, the Router will attempt to restart it.