
Installing and Configuring the Microsoft Business Intelligence Platform

A Guide for security and deployment options in a distributed Dell PowerEdge multi-core Opteron based server environment


Table of Contents

1 Overview
  1.1 Objectives
  1.2 Audience
2 Hardware and Software Configuration for Test Environments
  2.1 Hardware
  2.2 Software
  2.3 High Availability Deployment
3 Deployment Options Security Considerations
  3.1 Single Server Deployment
  3.2 Multi-Server Deployment
  3.3 Delegating Credentials
    3.3.1 Basic Authentication
    3.3.2 Explicitly Specifying Credentials
    3.3.3 Kerberos Delegation
  3.4 Why Kerberos?
    3.4.1 Faster Authentication
    3.4.2 Mutual Authentication
    3.4.3 Support for Delegation
    3.4.4 Support for the Smart Card Logon Feature
4 Install Microsoft Business Intelligence Technology Platform
  4.1 Domain Controller Preparation
  4.2 Install SQL Server 2005 Database Engine and Integration Services
    4.2.1 Server Details
    4.2.2 Requirements and Prerequisites
    4.2.3 Security Considerations
    4.2.4 SQL Server Setup
    4.2.5 Data and Log Files Change Default Path
  4.3 Install SQL Server 2005 Analysis Services
    4.3.1 Server Details
    4.3.2 SQL Server Analysis Services Requirements and Prerequisites
    4.3.3 Security Considerations
    4.3.4 SQL Server Analysis Services Setup

2008 Dell, Inc. All rights reserved.


    4.3.5 Data and Log Directories Change Default Path
  4.4 Install SQL Server 2005 Reporting Services
    4.4.1 Server Details
    4.4.2 SQL Server Reporting Services Requirements and Prerequisites
    4.4.3 Security Considerations
    4.4.4 SQL Server Reporting Services Setup
  4.5 Install Microsoft Office SharePoint Server 2007 and Excel Services
    4.5.1 Server Details
    4.5.2 MOSS Requirements and Prerequisites
    4.5.3 Security Considerations
    4.5.4 MOSS Setup
  4.6 Install PerformancePoint Monitoring Server
    4.6.1 Server Details
    4.6.2 Monitoring Server Requirements and Prerequisites
    4.6.3 Security Considerations
    4.6.4 Monitoring Server Setup
  4.7 Installing the Dashboard Designer
    4.7.1 Dashboard Designer Requirements and Prerequisites
    4.7.2 Security Considerations
    4.7.3 Dashboard Designer Setup
  4.8 Install ProClarity Analytics Server 6.3
    4.8.1 Server Details
    4.8.2 PAS Requirements and Prerequisites
    4.8.3 Security Considerations
    4.8.4 PAS Setup
5 Kerberos Delegation: Setup and Configuration
  5.1 Active Directory Settings and Configurations
    5.1.1 Domain Functional Level
    5.1.2 Service Account Settings
    5.1.3 Server Computer Settings
  5.2 Backend Server Settings
    5.2.1 SQL Server Configurations
    5.2.2 Analysis Services Configurations
  5.3 Web Application Settings


    5.3.2 Reporting Services Configurations
    5.3.3 Microsoft Office SharePoint Server Configurations
    5.3.4 Microsoft Office PerformancePoint Server Configurations
    5.3.5 ProClarity Analytics Server Configurations
  5.4 End User System Configurations
6 User Access and Security Configurations
  6.1 SQL Server 2005 Database Engine
  6.2 SQL Server 2005 Analysis Services
  6.3 SQL Server 2005 Reporting Services
    6.3.1 User Permissions
  6.4 Microsoft Office PerformancePoint Server 2007
    6.4.1 User Permissions
  6.5 Microsoft Office SharePoint Server 2007
    6.5.1 User Permissions
  6.6 ProClarity Analytics Server
    6.6.1 User Permissions
7 Troubleshooting
  7.1 SQL Server Reporting Services
  7.2 Microsoft Office SharePoint Server 2007
  7.3 PerformancePoint Server 2007
  7.4 ProClarity Analytics Server
8 Appendix
  8.1 Appendix A
  8.2 Appendix B
  8.3 Appendix C
    8.3.1 Running 32-bit Applications on 64-bit Windows (IIS 6.0)
  8.4 Appendix D
    8.4.1 Service Accounts
    8.4.2 Application Pools
  8.5 Appendix E
    8.5.1 SAN Information
    8.5.2 SAN Configuration for SQL Server DATA Directory
  8.6 Appendix F
    8.6.1 Tempdb


1 Overview
Business Intelligence solutions are becoming an integral part of every enterprise. These solutions have grown as new hardware and software technologies have lowered cost and simplified implementation. Microsoft has developed a unique set of tools and processes to meet the demands for this type of information management. In addition, companies like Dell and AMD provide Reference Configurations to assist customers in deploying an optimal hardware infrastructure to support these solutions.

These Business Intelligence tools are normally deployed in a distributed environment to scale up to the growing needs of the solution. This adds to the complexity of the system's user authentication and security.

One of the security challenges faced today by a lot of customers in a multi-server environment is the double-hop or delegation scenario. A Web front end or Web service is not able to delegate or pass the client user's credentials to authenticate and access a resource on a different server.

In this document we shall describe the steps to install and configure the various applications in the Microsoft Business Intelligence Technology Platform in a distributed environment followed by setting up Kerberos Constrained Delegation.

1.1 Objectives
This document covers the installation and configuration of the following components of the Microsoft Business Intelligence Technology Platform in a multi-server environment.

1. Microsoft SQL Server 2005:
   a. SQL Server 2005 Database Engine
   b. SQL Server 2005 Integration Services
   c. SQL Server 2005 Analysis Services
   d. SQL Server 2005 Reporting Services
2. Microsoft Office SharePoint Server 2007
3. Microsoft Office PerformancePoint Server 2007 Monitoring Server
4. Microsoft ProClarity Analytics Server

Note: PerformancePoint Server 2007 Planning and Budgeting component will not be covered in this document.


Note: Reporting Services will be deployed in native mode. SharePoint integration mode with SP2 is not covered in this document.

After the individual components are installed and configured we shall walk through the steps required to implement Kerberos Constrained Delegation.

1. Active Directory directory services and user account preparation for Kerberos
2. Kerberos Delegation settings in the various components.
3. User access settings and configuration.

1.2 Audience
This document provides the necessary information and steps to plan and deploy a Microsoft Business Intelligence Platform in a multi-server environment. Deploying the various Microsoft BI components in a distributed environment requires some additional planning and security considerations when compared to a single machine standalone installation.

This document provides guidance on how to install and configure the various individual components and set up the environment with Kerberos Constrained Delegation.

Who should read this document?

- Architects who are planning a multi-server deployment of the Microsoft Business Intelligence Technology Platform.
- Infrastructure Personnel who are responsible for setting up the hardware.
- Network Administrators who manage the Active Directory directory services, user roles, and permissions.
- Server and Database Administrators who are responsible for installation, configuration, and maintenance of the individual components.


2 Hardware and Software Configuration for Test Environments
In this section we shall discuss the hardware, software, and the initial configuration required for a Business Intelligence (BI) solution using DELL Servers for our test environment.

2.1 Hardware
Regardless of the method of building and reporting on a data warehouse, the amount and type of hardware is extremely important. A data warehouse is typically very large, often exceeding multi-terabytes. BI can be very CPU, memory, and I/O intensive on a database system. In addition, the larger the data warehouse, the more important it is to properly size and configure it. Not only is it important to properly size the database server, but the reporting and analysis servers as well. As a result, these applications can be very hardware intensive.

Dell PowerEdge servers are designed to deliver the highest performance for mission-critical enterprise applications for database, business intelligence, and data warehousing. Today's proprietary systems are increasingly expensive to maintain both in manpower and maintenance costs. Efforts to reduce IT costs and leverage technical skill sets have pushed the industry to move to a standards-based hardware and software architecture. Customers looking for ease of implementation choose to deploy Dell PowerEdge servers because they are standards-based systems which are easy to manage, simple to deploy and upgrade, and scalable as the enterprise moves to consolidate and virtualize computing resources.

The following table lists the DELL hardware used in the test environment:

Server Name: MSDELLSQL
  Server Configuration: Dell PowerEdge 6950; 4 x dual-core AMD Opteron CPUs; 64 GB RAM; 4 x 73 GB 15K SAS Internal Disks
  Disk Configuration: Five external SAS Disk Controllers; Five Dell PowerVault MD1000 Storage Arrays; 75 x 73 GB 10K SAS Drives

Server Name: MSDELLAS
  Server Configuration: Dell PowerEdge 6950; 4 x dual-core AMD Opteron CPUs; 64 GB RAM; 4 x 73 GB 15K SAS Internal Disks
  Disk Configuration: Five external SAS Disk Controllers; Five Dell PowerVault MD1000 Storage Arrays; 75 x 73 GB 10K SAS Drives

Server Name: MSDELLWEBSRV1
  Server Configuration: PowerEdge 2970; 32 GB RAM; 2 x dual-core AMD Opteron CPUs; 4 x 73 GB, 10K SAS Internal Disks

Server Name: MSDELLWEBSRV2
  Server Configuration: PowerEdge 2970; 8 GB RAM; 2 x dual-core AMD Opteron CPUs; 4 x 73 GB, 10K SAS Internal Disks

Note: For additional information on SAN Configuration please refer to Appendix E

2.2 Software
The following table lists the software for each of the servers.

Server Name: MSDELLSQL
  Prerequisite Software: Microsoft Windows Server 2003 Enterprise x64 Edition R2 SP2
  Application to be installed: SQL Server 2005 Enterprise Edition x64 SP2 (Database Engine, Integration Services)

Server Name: MSDELLAS
  Prerequisite Software: Windows Server 2003 Enterprise x64 Edition R2 SP2
  Application to be installed: SQL Server 2005 Enterprise Edition x64 SP2 (Analysis Services)

Server Name: MSDELLWEBSRV1
  Prerequisite Software: Windows Server 2003 Enterprise x64 Edition R2 SP2; Internet Information Services (IIS 6.0)
  Application to be installed: SQL Server 2005 Enterprise Edition x64 SP2 (Reporting Services); PerformancePoint Server 2007 Monitoring Server x64; SharePoint Server 2007 x64 SP1

Server Name: MSDELLWEBSRV2
  Prerequisite Software: Windows Server 2003 Enterprise x86 Edition R2 SP2; Internet Information Services (IIS 6.0)
  Application to be installed: ProClarity Analytics Server 6.3 [Refer Note Below]

Note: ProClarity Analytics Server is an x86 application. It will install on x64 versions of Windows but requires IIS to run in 32-bit mode. Once IIS runs in 32-bit mode other 64-bit applications like PPS, MOSS, and Reporting Services will cease to work on that machine. To run IIS in 32-bit mode on an x64 machine and configure ProClarity on that IIS, refer to the article Running 32-bit applications on 64-bit Windows (IIS 6.0) in Appendix C

2.3 High Availability Deployment
SQL Server 2005 Database Engine and Analysis Services are cluster-aware applications and can be deployed in a failover cluster to ensure high availability.

Web applications like Reporting Services, SharePoint, and ProClarity Analytics Server can be used in a network load balanced mode in a scale-out deployment to ensure better performance and scalability.

Implementing Kerberos Delegation for a failover instance of SQL Server and Analysis Services and network load balanced instances of Web applications involves a few additional steps and is not covered in this document.


3 Deployment Options Security Considerations
All the components of the Microsoft BI Technology Platform can be installed on one server or across multiple servers. Based on various factors like server consolidation, performance requirements, and security, organizations might choose various deployment options.

In this section we shall discuss two different deployment options and the related security considerations.

3.1 Single Server Deployment
In a single server deployment all the SQL Server components, MOSS, PerformancePoint, and ProClarity Analytics Server reside on the same server. In other words, the Web server and the resources required by the Web application are on the local machine.

In such a scenario, when a client tries to browse a Web application like a SharePoint site or Reporting Services page, IIS authenticates the client user with Active Directory directory service and passes an authentication token to ASP.Net. Then the Web application has to access other resources like SQL Server or Analysis Services which are located on the same machine.

Figure 1. Single Server Impersonation not enabled


By default Impersonation is not enabled in ASP.Net. Hence the Web application connects to the local resources using the credentials of the Application Pool Identity Account under which it runs (Process Identity).

For Analysis Services based reports, to use the role-based dimension security you would want the connection between the Web application and Analysis Services to happen using the credentials of the client. To facilitate this, the ASP.Net Web application has to be configured to Impersonate credentials of the user to the local resources. This can be done by setting <identity impersonate="true"/> in the web.config file of the Web application.

Once Impersonation is enabled, the Web applications access the local resources using the credentials of the client.

Figure 2. Single Server Impersonation enabled


Figure 3. A PerformancePoint dashboard on a single server deployment

Note: Apart from the <identity impersonate="true"/>, there are some additional settings that are required to ensure that the credentials are being passed from SharePoint to PPS and on to SQL Server or Analysis Services. These settings will be discussed in detail in later sections.

3.2 Multi-Server Deployment
In a distributed environment, the Web servers and the resources required by the Web application are on different machines. Enabling Impersonation on the Web application is not sufficient to pass the user credentials across the network. Impersonation across a network or Delegation of the user credentials from the Web applications to the remote resources requires additional settings.


Figure 4. Multi-Server Impersonation not enabled

When Delegation is not implemented and the remote resources are not configured to allow access to anonymous users, the Web applications normally generate errors like "Access Denied" or "Data Source not found". Below are a few screenshots of the errors experienced by users while trying to browse a dashboard on a SharePoint site which accesses data from remote servers.


Figure 5. PerformancePoint dashboard showing error message


Figure 6. ProClarity Report embedded in a SharePoint site giving error "The Cube could not be found"


Figure 7. Reporting services report based on a relational database giving error "Cannot create a connection to Datasource AdventureWorksOLTP"


Figure 8. Reporting services report based on an analysis services database giving error "Cannot create a connection to Datasource AdventureWorksOLAP"


Figure 9. Excel services report based on an analysis services database giving error "The data source may be unreachable, may not be responding or may have denied you access"

Note: The delegation scenario can also be verified by running SQL Profiler on the relational database and Analysis Services database. When a user tries to open a dashboard, ProClarity report, or reporting services report the user's credentials do not get passed to the database servers and hence you would see an ANONYMOUS LOGON on each of the Profiler Traces.
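
A complementary check to the Profiler trace described in the note above, as an added example that is not part of the original guide: a T-SQL query for the relational back end that lists the sessions opened from the Web server and classifies how each one authenticated. The server and account names are the guide's test-environment values; matching on host_name and the wording of the findings are assumptions of this example.

```sql
-- Added example: run on the relational back end (MSDELLSQL in the guide's test
-- environment) while a user browses a dashboard or report. Requires VIEW SERVER STATE.
-- A logon that SQL Server rejects never gets a session, so refused ANONYMOUS LOGON
-- attempts appear only in the Profiler trace; this query covers sessions that connected.

DECLARE @WebServer   nvarchar(128);
DECLARE @PoolAccount nvarchar(128);
SET @WebServer   = N'MSDELLWEBSRV1';              -- Web tier host named in the guide
SET @PoolAccount = N'MSDELLBI\WebServiceAccount'; -- application pool identity named in the guide

SELECT
    s.session_id,
    s.login_time,
    s.login_name,          -- whose credentials SQL Server actually saw
    s.host_name,           -- reported by the client, so treat it as a hint only
    c.client_net_address,
    s.program_name,
    c.auth_scheme,         -- SQL, NTLM or KERBEROS
    CASE
        WHEN s.login_name = N'NT AUTHORITY\ANONYMOUS LOGON'
            THEN 'Double hop: the end user''s credentials were not passed on'
        WHEN c.auth_scheme = 'SQL'
            THEN 'Explicit credentials: SQL login taken from a connection string'
        WHEN s.login_name = @PoolAccount
            THEN 'Process identity: the Web application connected as its pool account'
        WHEN c.auth_scheme = 'KERBEROS'
            THEN 'Kerberos logon: confirm login_name is the requesting end user'
        WHEN c.auth_scheme = 'NTLM'
            THEN 'NTLM logon: Kerberos was not negotiated for this connection'
        ELSE 'Other authentication scheme: review manually'
    END AS finding
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- one row per session even when MARS is in use
  AND s.host_name = @WebServer
ORDER BY s.login_time DESC;
```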


3.3 Delegating Credentials
There is more than one way you can bypass the delegation scenario. Some approaches are more secure than others. Based on the application's security requirements you can evaluate and choose either of these options.

In some environments it is not required that the Web applications access the remote resources like databases and file shares by delegating the credentials of the end user. The data the Web application accesses from remote sources might not be tied to a user's credentials or might not be important enough to secure. In some cases the Web application alone controls the security of the system.

3.3.1 Basic Authentication

In this method of authentication the user is prompted for credentials when accessing a Web application.

For example: A user is trying to access a Reporting Services page. The user is prompted for credentials. Once the user enters the credentials and is authenticated, Reporting Services is able to authorize the user and give the user access to the report.

The most important security concern of using Basic Authentication is that the user's credentials are sent over the network to the server in plaintext. In this case Secure Sockets Layer (SSL) is required to ensure secure communication between the servers.

3.3.2 Explicitly Specifying Credentials

In this method of authentication, when an application is accessing a resource, the credentials to access that resource are explicitly specified in the connection string. This is commonly used in two scenarios:

- When the application itself handles security and restricts the data seen by the user.
- When no data security is required. Any user who accesses the report sees the same data.

For example: You are creating a Reporting Services report which shows sales across regions. The report accesses data from a relational source. The SQL query filters data by using a security table which maps users to regions. By passing the client user ID to the query as a parameter, you can filter the result set to only those regions the user has access to. In such a case, Reporting Services does not need to connect to SQL Server using the credentials of the client user ID. Instead, credentials of an account which has permissions on SQL Server are specified in the connection string.
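
The security-table filter described in the example above, as added T-SQL that is not part of the original guide. The table names, columns, sample rows and the user logins under the guide's MSDELLBI domain are constructed for illustration, and the syntax is kept to what SQL Server 2005 accepts.

```sql
-- Added example with constructed schema and data (not from the guide).
-- Temporary objects keep it self-contained; run all batches in one session.

CREATE TABLE #RegionSales (
    Region      nvarchar(30) NOT NULL,
    OrderYear   int          NOT NULL,
    SalesAmount money        NOT NULL
);

-- Security table: one row per (user, region) pair the user is allowed to see.
CREATE TABLE #UserRegionSecurity (
    UserLogin nvarchar(128) NOT NULL,
    Region    nvarchar(30)  NOT NULL,
    PRIMARY KEY (UserLogin, Region)
);

INSERT INTO #RegionSales (Region, OrderYear, SalesAmount)
SELECT N'Northwest', 2007, 125000 UNION ALL
SELECT N'Northwest', 2008, 140000 UNION ALL
SELECT N'Southeast', 2007,  98000 UNION ALL
SELECT N'Southeast', 2008, 101500 UNION ALL
SELECT N'Central',   2008,  76000;

INSERT INTO #UserRegionSecurity (UserLogin, Region)
SELECT N'MSDELLBI\alice', N'Northwest' UNION ALL
SELECT N'MSDELLBI\bob',   N'Southeast' UNION ALL
SELECT N'MSDELLBI\bob',   N'Central';
GO

-- Stands in for the report's dataset query. SQL Server only sees the stored
-- account from the connection string, so this join is the whole access check.
-- In Reporting Services, map @UserID to the built-in =User!UserID expression in
-- the dataset's parameter list rather than to a report parameter the caller can
-- set; otherwise a user could ask for another user's regions.
CREATE PROCEDURE #SalesForUser
    @UserID nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;

    SELECT s.Region,
           s.OrderYear,
           SUM(s.SalesAmount) AS TotalSales
    FROM #RegionSales AS s
    INNER JOIN #UserRegionSecurity AS u
        ON u.Region = s.Region
    WHERE u.UserLogin = @UserID        -- inner join: unmapped users match nothing
    GROUP BY s.Region, s.OrderYear
    ORDER BY s.Region, s.OrderYear;
END;
GO

EXEC #SalesForUser @UserID = N'MSDELLBI\alice';  -- user mapped to one region
EXEC #SalesForUser @UserID = N'MSDELLBI\bob';    -- user mapped to two regions
EXEC #SalesForUser @UserID = N'MSDELLBI\carol';  -- user with no row in the security table
GO

DROP PROCEDURE #SalesForUser;
DROP TABLE #UserRegionSecurity;
DROP TABLE #RegionSales;
```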


Figure 10. Multi-Server Explicitly Specify Credentials

In this method of authentication, the end user is not validated by SQL Server. Hence the developer needs to implement security and access rights in the application.

If the credentials used to access the data source change, all the connection strings where the user ID and password were used will have to be updated with the new password. In some cases, the credentials that are stored in the connection string are stored in plaintext. Measures have to be taken to encrypt that piece of information.

Additionally, key functionalities like role-based data security in Analysis Services will not be used directly. It will have to be implemented using functions like CustomData() in the connection string.

3.3.3 Kerberos Delegation

Kerberos has been designed to facilitate authentication and delegation, or impersonation, across a network.

The Kerberos Protocol describes how clients interact with a Network Authentication Service, obtain tickets from the Kerberos Key Distribution Center (KDC) and present these tickets to the network resources when they want to access them. Essentially the Kerberos authentication protocol provides a mechanism for mutual authentication between entities.


Figure 11. Multi-Server With Kerberos Delegation

Microsoft Active Directory directory services implements Kerberos authentication and delegation. At a very high level these are the steps that need to be taken to implement Kerberos Delegation:

1. Create service principal names to identify services on a network.
2. Configure the service accounts or host computers to delegate credentials to other services or computers on the network.
3. Configure the applications to use Kerberos.

3.4 Why Kerberos?
Kerberos has many benefits over basic authentication and explicitly specifying credentials. In this section we shall briefly discuss a few of the security benefits Kerberos offers.

3.4.1 Faster Authentication

- The Kerberos protocol uses a unique ticketing system that provides faster authentication.
- Every authenticated domain entity can request tickets from its local Kerberos KDC to access other domain resources.
- The ticket can be used more than once and can be cached on the client side.


3.4.2 Mutual Authentication

Kerberos supports mutual authentication. When the client authenticates to the service that is responsible for the resource, the service may also authenticate to the client. This is a big difference from NTLM (NT LAN Manager). The NTLM challenge-response provides only client authentication: The server challenges the client, the client calculates a response and the server validates that response. Using NTLM, users might provide their credentials to a bogus server.

3.4.3 Support for Delegation

In a distributed environment Kerberos enables services to impersonate the client user's credentials while accessing resources across multiple server hops on the network.

3.4.4 Support for the Smart Card Logon Feature

Through the Kerberos PKINIT extension, both Windows 2000 and Windows Server 2003 include support for the smart card logon feature. The smart card logon feature provides much stronger authentication than the password logon feature does because it relies on a two-factor authentication: To log on, a user needs to possess a smart card and know its PIN code.


4 Install Microsoft Business Intelligence Technology Platform
SQL Server 2005 provides multiple components that are used in a Business Intelligence solution including relational database, ETL component, OLAP databases, reporting, analytics and management tools. Additional tools like Office PerformancePoint Server 2007 and Office SharePoint Server are used for advanced analytics, performance management including dashboards, planning, budgeting, forecasting and consolidation.

In this section we will walk through installation and configuration of the various Microsoft technologies for Business Intelligence in a distributed environment.

4.1 DomainControllerPreparation
Forthepurposeofdemonstratingthedelegationscenariousingthehardware mentionedintheTestEnvironment,theDomainControllerwascreatedonavirtual machinehostedonMSDELLWEBSRV2.AlltheserverswerethenjoinedtotheDomain Controller.
Important: Whenyouareimplementingthissolutioninyourenvironmentyoushouldusetheexisting ActiveDirectoryinstanceinyourenterprise . Note: Addingaccountsandperformingnecessaryconfigurationsonadomaincontrollerneedtobe donebyaNetworkAdministratorwhomanagesthedomaincontroller. Theremightbesecuritypoliciesthatareenforcedwhichhavetobetakenintoconsideration whileperformingtheseconfigurations.

ToinstallandcorrectlyconfiguretheMicrosoftBusinessIntelligenceapplicationsina distributedenvironmentyouneedmultipledomainuseraccountsthatserveasService StartupAccountsorApplicationPoolIdentityAccounts. Note TounderstandtheroleandimportanceofApplicationPools,ApplicationPoolIdentity,and ServiceStartupAccountsrefertoAppendixD. Thissectiondescribesthestepsthatgointopreparationoftheenvironmentwith respecttoActiveDirectoryanduseraccountsbeforebeginningtoinstalltheMicrosoft BITechnologyPlatform.


1. Domain Functional Level: To showcase the implementation of Kerberos Constrained Delegation, we will consider an Active Directory set to Windows 2003 Domain Functional Level. Refer to Functional Levels Background Information in Appendix A for more information. Join the servers to the domain if they have not already been added.

2. Administrative Privileges Account: MSDELLBI\DomainAdmin. This account is used in the test environment to resemble an account that has administrative privileges on the Domain Controller and all the other servers being used in the test environment. All the application installations, configurations and Kerberos Constrained Delegation configurations will be done by this user.
   To install and configure the applications in your environment, you can use a single account that has administrative privileges on all the servers or multiple different accounts that have administrative privileges on individual servers.

3. Service Startup and Application Pool Identity Accounts: Create the following domain user accounts, which will serve as service startup accounts for Windows services and application pool identity accounts for Web services.
   a. MSDELLBI\SQLServiceAccount: This account will be used to run the SQL Server Windows service. The Service Principal Name for SQL Server will be created using this account.
   b. MSDELLBI\ASServiceAccount: This account will be used to run the Analysis Services Windows service. The Service Principal Name for Analysis Services will be created using this account.
   c. MSDELLBI\WebServiceAccount: This account will be used as the service startup account and as the identity account for the application pools used by the various Web services deployed on MSDELLWEBSRV1.

   Note: When you create the user accounts (which are to be used as service startup accounts or application pool identity accounts), ensure that they do not have any administrative privileges on any of the servers or Active Directory. During the course of installation and configuration, when you specify these accounts to be used by the application, the application setup or configuration utility will provide these accounts with the necessary privileges on local server resources, like file system permissions for relevant folders and specific group memberships.

4. End User Accounts: MSDELLBI\User1 & MSDELLBI\User2: These accounts are used to simulate end user access. These accounts do not have any administrative privileges on the servers or domain controller. Optionally, these accounts can have elevated permissions on the end user machines from where they access the BI applications.


Note: For the purpose of demonstrating the configuration and settings that are required to implement Kerberos Constrained Delegation for a service that is not running under a dedicated domain user account, we are running ProClarity Analytics Server under the default application pool identity of a built-in system account (NETWORK SERVICE). We recommend using a domain user account as the application pool identity account for ProClarity Analytics Server.
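One way to check the accounts from step 3 against the requirement that they hold no administrative privileges, and to see which kind of delegation each is trusted for, is the following audit (an added example, not part of the original guide). The directory suffix, the SPN values and the LegacyWebAccount record are constructed for illustration; on a domain-joined host, Get-ServiceAccountRecord supplies the same fields from Active Directory.

```powershell
# Added example. The sample records at the bottom are constructed, not taken from the guide.
# userAccountControl bits that control Kerberos delegation.
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

# Built-in groups that confer administrative rights in the domain or on its servers.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators'

function Get-ServiceAccountRecord {
    # Reads the attributes the audit needs through ADSI (domain-joined host, no extra module).
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\-$ ]+$')]   # keep LDAP filter metacharacters out of the query
        [string]$SamAccountName
    )
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    'memberof', 'useraccountcontrol', 'serviceprincipalname', 'msds-allowedtodelegateto' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Account '$SamAccountName' not found" }
    [pscustomobject]@{
        SamAccountName       = $SamAccountName
        MemberOf             = @($hit.Properties['memberof'])
        UserAccountControl   = [int]$hit.Properties['useraccountcontrol'][0]
        ServicePrincipalName = @($hit.Properties['serviceprincipalname'])
        AllowedToDelegateTo  = @($hit.Properties['msds-allowedtodelegateto'])
    }
}

function Test-ServiceAccountHygiene {
    # Classifies the delegation mode and lists deviations from least privilege.
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $findings = @()
        # memberOf lists direct memberships only; nested and primary groups need a separate check.
        foreach ($dn in @($Account.MemberOf | Where-Object { $_ })) {
            if ($dn -match '^CN=([^,]+),' -and $PrivilegedGroups -contains $Matches[1]) {
                $findings += "member of privileged group '$($Matches[1])'"
            }
        }
        $uac     = [int]$Account.UserAccountControl
        $targets = @($Account.AllowedToDelegateTo | Where-Object { $_ })
        $mode = if ($uac -band $UAC_TRUSTED_FOR_DELEGATION) {
            'unconstrained'
        } elseif ($targets.Count -gt 0 -and ($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)) {
            'constrained, any protocol'
        } elseif ($targets.Count -gt 0) {
            'constrained, Kerberos only'
        } else {
            'none'
        }
        if ($mode -eq 'unconstrained') {
            $findings += 'trusted for delegation to any service; restrict to named SPNs'
        }
        if ($mode -eq 'constrained, any protocol') {
            $findings += 'protocol transition enabled; confirm it is required'
        }
        [pscustomobject]@{
            Account    = $Account.SamAccountName
            Delegation = $mode
            Targets    = $targets -join ', '
            SPNs       = @($Account.ServicePrincipalName | Where-Object { $_ }) -join ', '
            Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample records (0x10200 = normal account, password never expires).
$sample = @(
    [pscustomobject]@{
        SamAccountName = 'SQLServiceAccount'; MemberOf = @(); UserAccountControl = 0x10200
        ServicePrincipalName = @('MSSQLSvc/msdellsql.example.local:1433'); AllowedToDelegateTo = @()
    }
    [pscustomobject]@{
        SamAccountName = 'ASServiceAccount'; MemberOf = @(); UserAccountControl = 0x10200
        ServicePrincipalName = @('MSOLAPSvc.3/msdellas.example.local'); AllowedToDelegateTo = @()
    }
    [pscustomobject]@{
        SamAccountName = 'WebServiceAccount'; MemberOf = @(); UserAccountControl = 0x10200
        ServicePrincipalName = @('HTTP/msdellwebsrv1.example.local')
        AllowedToDelegateTo  = @('MSSQLSvc/msdellsql.example.local:1433',
                                 'MSOLAPSvc.3/msdellas.example.local')
    }
    [pscustomobject]@{
        # Hypothetical account, misconfigured on purpose to show the findings.
        SamAccountName = 'LegacyWebAccount'
        MemberOf = @('CN=Domain Admins,CN=Users,DC=example,DC=local')
        UserAccountControl = 0x10200 -bor $UAC_TRUSTED_FOR_DELEGATION
        ServicePrincipalName = @('HTTP/legacy.example.local'); AllowedToDelegateTo = @()
    }
)

$sample | Test-ServiceAccountHygiene | Format-List

# Against a live domain:
# 'SQLServiceAccount', 'ASServiceAccount', 'WebServiceAccount' |
#     ForEach-Object { Get-ServiceAccountRecord $_ } | Test-ServiceAccountHygiene
```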

4.2 Install SQL Server 2005 Database Engine and Integration Services

4.2.1 Server Details

In the test environment, SQL Server 2005 Database Engine and SQL Server Integration Services are installed on MSDELLSQL.

4.2.2 Requirements and Prerequisites

Please refer to the following Books Online article for detailed information on SQL Server Hardware and Software requirements: http://technet.microsoft.com/enus/library/ms143506.aspx

4.2.2.1 Operating System Requirements

The following table shows the operating system and SQL Server version compatibility matrix.

| Operating System | Enterprise Edition (x86) | Enterprise Edition (x64) | Developer Edition (x86) | Developer Edition (x64) | Standard Edition (x86) | Standard Edition (x64) |
|---|---|---|---|---|---|---|
| Windows Server 2003 Server SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 Enterprise Edition SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 Datacenter Edition SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 64-Bit x64 Standard Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |
| Windows Server 2003 64-Bit x64 Datacenter Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |
| Windows Server 2003 64-Bit x64 Enterprise Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |

[1] These editions of SQL Server 2005 can be installed to the Windows on Windows (WOW64) 32-bit subsystem of a 64-bit server.

4.2.2.2 Software Requirements

SQL Server Setup requires Microsoft Windows Installer 3.1 or later and Microsoft Data Access Components (MDAC) 2.8 SP1 or later. You can download MDAC 2.8 SP1 from this Microsoft Web site. SQL Server Setup installs the following software components required by the product:

• Microsoft .NET Framework 2.0
• SQL Server Native Client
• SQL Server Setup support files

If not already installed, SQL Server Setup installs each of these components separately. Only the SQL Server Setup support files are automatically removed when you uninstall SQL Server 2005. For more information on uninstalling this release, see How to: Uninstall an Existing Instance of SQL Server 2005 (Setup).

4.2.2.3 Internet Requirements

Internet requirements for both the 32-bit and 64-bit versions of SQL Server 2005 are the same. The following table lists the Internet requirements for SQL Server 2005.

| Component | Requirement |
|---|---|
| Internet software [1] | Microsoft Internet Explorer 6.0 SP1 or later is required for all installations of SQL Server 2005, as it is required for Microsoft Management Console (MMC) and HTML Help. A minimal installation of Internet Explorer is sufficient, and Internet Explorer is not required to be the default browser. However, if you are installing client components only and you will not connect to a server that requires encryption, Internet Explorer 4.01 with Service Pack 2 is sufficient. |

[1] Internet Explorer 6.0 SP1 or later is required for SQL Server Management Studio, Business Intelligence Development Studio, and the Report Designer component of Reporting Services.


4.2.3 Security Considerations

4.2.3.1 User rights for installation

The person installing SQL Server must be a member of the Administrators group on the server where SQL Server is being installed (MSDELLSQL).

4.2.3.2 User rights for Service Account

The SQL Server service should run under the credentials of a domain user account as described in Service Startup and Application Pool Identity Accounts under the Domain Controller Preparation section. We will be using MSDELLBI\SQLServiceAccount as the service startup account in this installation.

For more information on Service Accounts and their importance please refer to Appendix D.

The following SQL Server components cannot be configured at install time. They will be installed with default settings.

• Notification Services
• Integration Services
• Full-Text Search
• Active Directory Helper
• SQL Writer

4.2.4 SQL Server Setup

4.2.4.1 The Setup Process

In this section, we discuss the sequence of user actions in full GUI mode and code execution required to install a new instance of SQL Server Database Engine and Integration Services.

Program Flow for Standard Install

1. On the MSDELLSQL server, to begin the installation process, insert the SQL Server 2005 DVD into the DVD drive. If the autorun feature on your DVD drive does not launch the installation program, navigate to the root of the DVD and launch splash.hta. If installing from a network share, navigate to the network folder and launch splash.hta.

2. From the autorun dialog, click Run the SQL Server Installation Wizard.


3. On the End User License Agreement page, read the license agreement, and then select the check box to accept the licensing terms and conditions. Accepting the license agreement activates the Next button. To continue, click Next. To end Setup, click Cancel.

4. On the Installing Prerequisites screen, Setup installs software required for SQL Server 2005. To begin the component update process, click Install. To continue after the update completes, click Next.

5. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next to continue.

6. On the System Configuration Check (SCC) page, the installation computer is scanned for conditions that may block Setup. For information about configuration check items, click Help at the bottom of the page or see Check Parameters for the System Configuration Checker. To interrupt the scan, click Stop. To display a list of check items grouped by result, click the Filter button and then select a category from the drop-down list. To view a report of SCC results, click the Report button and then select an option from the drop-down list. Options include Viewing the report, Saving the report to a file, Copying the report to the Clipboard, and Sending the report as email. To proceed with Setup after the SCC scan completes, click Next.

   Note: The server on which we are installing SQL Server Database Engine (MSDELLSQL) does not require IIS to be installed as we are not installing any Web service components like Reporting Services or SharePoint on that server. If IIS is not installed you might receive a warning like "IIS Feature Requirement (Warning): Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server Features." This warning can be ignored.

7. On the Registration Information page, enter information in the Name and Company text boxes. To continue, click Next.

8. On the Components to Install page, select the following:
   a. SQL Server Database Services
   b. Integration Services
   c. Optionally you can choose Workstation Components, Books Online, and Development Tools. This installs:
      o Client connectivity components like OLE DB drivers.
      o Management tools like SQL Server Management Studio, SQL Server Configuration Manager.
      o Performance tools like SQL Server Profiler and Tuning Advisor.
      o Business Intelligence Development Studio.
      o SQL Server Documentation.

   These components are not required for the SQL Server Database Engine to run on the server. It is good practice to have these components installed on a workstation and manage the server remotely. To install individual components, click Advanced. Otherwise, click Next to continue.

9. If you clicked Advanced on the previous page, the Feature Selection page displays. On the Feature Selection page, select the program features to install using the drop-down boxes. To install components to a custom directory, select the feature and then click Browse. For more information about the functionality of this page, click Help. To continue when your feature selections are complete, click Next.

10. On the Instance Name page, select a default or named instance for your installation. If a default or named instance is already installed, and you select the existing instance for your installation, Setup upgrades it and provides you the option to install additional components. To install a new default instance, there must not be a default instance on the computer. To install a new named instance, click Named Instance and then type a unique instance name in the space provided. To install a new named instance side by side with an existing instance, click Named Instance and then type a unique instance name in the space provided. For more information about instance naming rules, click Help at the bottom of the page, or see the Instance Name topic in SQL Server 2005 Books Online. Click Next.

11. On the Service Account page, specify the user name, password, and domain name for the SQL Server service account. You can optionally choose to start other components at Windows Startup. Click Next.

    Note: We created a domain user account MSDELLBI\SQLServiceAccount to run the SQL Server Windows service. If you have not created this account, contact your network or Windows administrator to do this.


Figure 12. SQL Server Setup Service Account page

12. On the Authentication Mode page you can choose Mixed Mode. Specify a password for the SA login in SQL Server. It allows for both Windows authentication and SQL Logins. Click Next.

    Note: We are using Mixed Mode Authentication in SQL Server to enable the creation of the ProClarity Analytics Server database, which requires a SQL Server Login.

13. On the Collation Settings page, choose the collation settings appropriate for your environment. Click Next.

14. On the Error Reporting page, optionally clear the check box to disable error reporting.

15. On the Ready to Install page, review the summary of features and components for your SQL Server installation. To proceed, click Install.

16. On the Installation Progress page, you can monitor installation progress as Setup proceeds. To view the log file for a component during installation, click the product or status name on the Installation Progress page. Once the Setup Process completes, click Next.

17. On the Completing Microsoft SQL Server 2005 Setup page, you can view the Setup summary log by clicking the link provided on this page. To exit the SQL Server Installation Wizard, click Finish.

18. If you are instructed to restart the computer, do so now. It is important to read the message from the Setup program when you are done with installation. Failure to restart the computer may cause failures when you run the Setup program in the future.

Note: This document was created when the latest patch for SQL Server was SP2. It is important to update SQL Server with the latest Service Packs to ensure you have the latest feature packs and improvements in the product. Refer to What's new in SQL Server 2005 SP2 in Appendix A for additional information.

4.2.5 Data and Log Files - Change Default Path

1. From SQL Server 2005 launch SQL Server Management Studio.

2. If the Object Explorer is visible on the screen, click Connect and choose Database Engine. If not, click View > Object Explorer or hit the F8 key.

3. In the Connect to Server window, specify the name of the server where SQL Server is installed. If SQL Server 2005 was installed as a named instance, specify the ServerName/InstanceName.

4. Choose Windows Authentication. If you wish to choose SQL Server Authentication you need to use a SQL Server login with Administrative rights on the SQL Server. Connect to the server. You will see the server name with a list of folders (Databases, Security, Server Objects, and so on).

5. To launch the Server Properties window, right-click SQL Server in the Object Explorer and click Properties. This page contains all server-level properties, including properties to configure Data and LOG directories for your server.

6. Click Database Settings in the Select a page section on the left side of the Server Properties window. Under Database default locations, change the location of the Data and Log directories. You can click the ellipses next to each of the text boxes and browse to the new folder or type the new path.


Figure 13. SQL Server Database Settings

Please refer to the following product documentation article for detailed information on configuring data directories for SQL Server database engine using T-SQL statements. http://msdn2.microsoft.com/enus/library/ms189133.aspx

Tempdb is a system database that is used by SQL Server for various activities like index creation, cursors etc. For more information on optimizing tempdb usage please refer to Appendix F.


4.3 Install SQL Server 2005 Analysis Services

4.3.1 Server Details

In the test environment SQL Server 2005 Analysis Services is installed on MSDELLAS.

4.3.2 SQL Server Analysis Services Requirements and Prerequisites

Please refer to the following Books Online article for detailed information on SQL Server Analysis Services Hardware and Software requirements. http://technet.microsoft.com/enus/library/ms143506.aspx

4.3.2.1 Operating System Requirements

The following table shows the operating system and SQL Server version compatibility matrix.

| Operating System | Enterprise Edition (x86) | Enterprise Edition (x64) | Developer Edition (x86) | Developer Edition (x64) | Standard Edition (x86) | Standard Edition (x64) |
|---|---|---|---|---|---|---|
| Windows Server 2003 Server SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 Enterprise Edition SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 Datacenter Edition SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 64-Bit x64 Standard Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |
| Windows Server 2003 64-Bit x64 Datacenter Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |
| Windows Server 2003 64-Bit x64 Enterprise Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |

[1] These editions of SQL Server 2005 can be installed to the Windows on Windows (WOW64) 32-bit subsystem of a 64-bit server.

4.3.2.2 Software Requirements

SQL Server Setup requires Microsoft Windows Installer 3.1 or later and Microsoft Data Access Components (MDAC) 2.8 SP1 or later. You can download MDAC 2.8 SP1 from this Microsoft Web site. SQL Server Setup installs the following software components required by the product:

• .NET Framework 2.0
• SQL Server Native Client
• SQL Server Setup support files

If not already installed, SQL Server Setup installs each of these components separately; only the SQL Server Setup support files are automatically removed when you uninstall SQL Server 2005. For more information on uninstalling this release, see How to: Uninstall an Existing Instance of SQL Server 2005 (Setup).

4.3.2.3 Internet Requirements

Internet requirements for both the 32-bit and 64-bit versions of SQL Server 2005 are the same. The following table lists the Internet requirements for SQL Server 2005.

| Component | Requirement |
|---|---|
| Internet software [1] | Internet Explorer 6.0 SP1 or later is required for all installations of SQL Server 2005, as it is required for Microsoft Management Console (MMC) and HTML Help. A minimal installation of Internet Explorer is sufficient, and Internet Explorer is not required to be the default browser. However, if you are installing client components only and you will not connect to a server that requires encryption, Internet Explorer 4.01 with Service Pack 2 is sufficient. |
| Internet Information Services (IIS) | IIS 5.0 or later is required for SQL Server 2005 Reporting Services (SSRS) installations. For more information about how to install IIS, see How to: Install Microsoft Internet Information Services. For more information about how to install IIS 7.0 on Windows Vista, see this Microsoft Web site. |
| ASP.NET 2.0 [2] | ASP.NET 2.0 is required for Reporting Services. When installing Reporting Services, SQL Server Setup will enable ASP.NET if it is not already enabled. |

[1] Internet Explorer 6.0 SP1 or later is required for SQL Server Management Studio, Business Intelligence Development Studio, and the Report Designer component of Reporting Services.

[2] For Reporting Services (64-bit) installations on 64-bit servers, the 64-bit version of ASP.NET must be installed.

4.3.3 Security Considerations

4.3.3.1 User Rights for Installation

The person installing SQL Server Analysis Services must be a member of the Administrators group on the server where SQL Server Analysis Services is being installed (MSDELLAS).


4.3.3.2 User rights for Service Account

The SQL Server Analysis Services service should run under the credentials of a domain user account as described in Service Startup and Application Pool Identity Accounts under the Domain Controller Preparation section. We will be using MSDELLBI\ASServiceAccount as the service startup account in this installation.

For more information on Service Accounts and their importance please refer to Appendix D.

4.3.4 SQL Server Analysis Services Setup

4.3.4.1 The Setup Process

In this section, we discuss the sequence of user actions in full GUI mode and code execution required to install a new instance of SQL Server Analysis Services.

4.3.4.1.1 Program Flow for Standard Installation

1. Install from either the SQL Server 2005 DVD or a network share. If installing from a network share, navigate to the network folder and launch splash.hta.

2. From the autorun dialog, click Run the SQL Server Installation Wizard.

3. On the End User License Agreement page, read the license agreement, and then select the check box to accept the licensing terms and conditions. Accepting the license agreement activates the Next button. To continue, click Next. To end Setup, click Cancel.

4. On the Installing Prerequisites page, Setup installs software required for SQL Server 2005.

5. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next to continue.

6. On the System Configuration Check (SCC) page, the installation computer is scanned for conditions that may block Setup. For information about configuration check items, click Help at the bottom of the page or see Check Parameters for the System Configuration Checker. To interrupt the scan, click Stop. To display a list of check items grouped by result, click the Filter button and then select a category from the drop-down list. To view a report of SCC results, click the Report button and then select an option from the drop-down list. Options include Viewing the report, Saving the report to a file, Copying the report to the Clipboard, and Sending the report as email. To proceed with Setup after the SCC scan completes, click Next.


   Note: The server on which we are installing Analysis Services (MSDELLAS) does not have IIS installed as we are not installing any Web service components like Reporting Services or SharePoint on that server. If IIS is not installed you might receive a warning like "IIS Feature Requirement (Warning): Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server Features." This warning can be ignored.

7. On the Registration Information page, enter information in the Name and Company text boxes. To continue, click Next and fill out the registration information.

8. On the Components to Install page, select the following:
   a. SQL Server Analysis Services
   b. Optionally you can choose Workstation Components, Books Online and Development Tools. This installs:
      o Client connectivity components like OLE DB drivers
      o Management tools like SQL Server Management Studio, SQL Server Configuration Manager
      o Performance tools like SQL Server Profiler, Tuning Advisor
      o Business Intelligence Development Studio
      o SQL Server Documentation

   These components are not required for SQL Server Analysis Services to run on the server. It is good practice to have these components installed on a workstation and manage the server remotely.

9. To install individual components, click Advanced. This displays the Feature Selection page. Select the program features to install using the drop-down boxes. To install components to a custom directory, select the feature and then click Browse. For more information about the functionality of this page, click Help. To continue when your feature selections are complete, click Next.

10. On the Instance Name page, select a default or named instance for your installation. If a default or named instance is already installed, and you select the existing instance for your installation, Setup upgrades it and provides you the option to install additional components. To install a new default instance, there must not be a default instance on the computer. To install a new named instance, click Named Instance and then type a unique instance name in the space provided. To install a new named instance side by side with an existing instance, click Named Instance and then type a unique instance name in the space provided. For more information about instance naming rules, click Help at the bottom of the page, or see the Instance Name topic in SQL Server 2005 Books Online. Click Next.

11. On the Service Account page, specify the user name, password and domain name for the Analysis Services service account.

    Note: We created a domain user MSDELLBI\ASServiceAccount which is used to run the Analysis Services Windows service. This user has to have reader permissions on all the data sources used by Analysis Services. If you have not created this account, contact your network or Windows administrator to create an account.

Figure 14. Analysis Services Setup Service Account page

12. On the Collation Settings page, choose the collation settings appropriate for your environment.


13. On the Error Reporting page, optionally clear the check box to disable error reporting.

14. On the Ready to Install page, review the summary of features and components for your SQL Server installation. To proceed, click Install.

15. On the Installation Progress page, you can monitor installation progress as Setup proceeds. To view the log file for a component during installation, click the product or status name on the Installation Progress page.

16. On the Completing Microsoft SQL Server 2005 Setup page, you can view the Setup summary log by clicking the link provided on this page.

17. If you are instructed to restart the computer, do so now. It is important to read the message from the Setup program when you are done with installation. Failure to restart the computer may cause failures when you run the Setup program in the future.

Note: This document was created when the latest patch for SQL Server was SP2. It is important to update SQL Server with the latest Service Packs to ensure you have the latest feature packs and improvements in the product. Refer to What's new in SQL Server 2005 SP2 in Appendix A for additional information.

4.3.5 Data and Log Directories - Change Default Path

1. Launch SQL Server Management Studio from SQL Server 2005.

2. If the Object Explorer is visible on the screen, click Connect and choose Database Engine. If not, click View and then click Object Explorer or hit the F8 key.

3. In the Connect to Server window, specify the name of the server where SQL Server Analysis Services is installed. If Analysis Services was installed as a named instance, specify the ServerName/InstanceName.

4. Once it connects, you see the server name with Databases and Assemblies folders under it.

5. To launch the Analysis Services Properties window, right-click the Analysis Services instance name in the Object Explorer and click Properties. This page contains all server-level properties, including properties to configure DATA and LOG directories for Analysis Services.

6. Click General in the Select a page section on the left side of the Analysis Services Properties window. A list of properties is displayed with various columns. The Value column lets you set a value for a property. The Current Value column displays the current value that is set for that property. Similarly there are other columns like Default, Restart, Type, Units, and Category. If the Restart column shows a value yes for any property, changing that property will require you to restart Analysis Services before the new value takes effect.

7. Change the value of DataDir to point to the new folder where Analysis Services Data files will be stored.

8. Change the value of LogDir to point to the new folder where Analysis Services Log files will be stored.

9. Optionally you can also change the default path for the BackupDir and TempDir properties of Analysis Services. To display TempDir in the properties list, check the Show Advanced (All) Properties check box at the bottom of the Analysis Services Properties window.

10. Restart Analysis Services. Open the Analysis Services Properties window and verify the change in the Current Value column of the properties you changed.

Figure 15. Analysis Services Server Properties

For more information on Analysis Services server properties please refer to the following SQL Server technical article. http://www.microsoft.com/technet/prodtechnol/sql/2005/ssasproperties.mspx

4.4 Install SQL Server 2005 Reporting Services

4.4.1 Server Details

In the test environment SQL Server 2005 Reporting Services is installed on MSDELLWEBSRV1.

4.4.2 SQL Server Reporting Services Requirements and Prerequisites

Please refer to the following Books Online article for detailed information on SQL Server Reporting Services Hardware and Software requirements. http://technet.microsoft.com/enus/library/ms143506.aspx

4.4.2.1 Operating System Requirements

The following table shows the operating system and SQL Server version compatibility matrix.

| Operating System | Enterprise Edition (x86) | Enterprise Edition (x64) | Developer Edition (x86) | Developer Edition (x64) | Standard Edition (x86) | Standard Edition (x64) |
|---|---|---|---|---|---|---|
| Windows Server 2003 Server SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 Enterprise Edition SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 Datacenter Edition SP1 | Yes | No | Yes | No | Yes | No |
| Windows Server 2003 64-Bit x64 Standard Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |
| Windows Server 2003 64-Bit x64 Datacenter Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |
| Windows Server 2003 64-Bit x64 Enterprise Edition SP1 | WOW64 [1] | Yes | WOW64 [1] | Yes | WOW64 [1] | Yes |

[1] These editions of SQL Server 2005 can be installed to the Windows on Windows (WOW64) 32-bit subsystem of a 64-bit server.


4.4.2.2 Software Requirements

SQL Server Setup requires Microsoft Windows Installer 3.1 or later and Microsoft Data Access Components (MDAC) 2.8 SP1 or later. You can download MDAC 2.8 SP1 from this Microsoft Web site. SQL Server Setup installs the following software components required by the product:

• .NET Framework 2.0
• SQL Server Native Client
• SQL Server Setup support files

If not already installed, SQL Server Setup installs each of these components separately; only the SQL Server Setup support files are automatically removed when you uninstall SQL Server 2005. For more information on uninstalling this release, see How to: Uninstall an Existing Instance of SQL Server 2005 (Setup).

4.4.2.3 Internet Requirements

Internet requirements for both the 32-bit and 64-bit versions of SQL Server 2005 are the same. The following table lists the Internet requirements for SQL Server 2005.

| Component | Requirement |
|---|---|
| Internet software [1] | Internet Explorer 6.0 SP1 or later is required for all installations of SQL Server 2005, as it is required for Microsoft Management Console (MMC) and HTML Help. A minimal installation of Internet Explorer is sufficient, and Internet Explorer is not required to be the default browser. However, if you are installing client components only and you will not connect to a server that requires encryption, Internet Explorer 4.01 with Service Pack 2 is sufficient. |
| Internet Information Services (IIS) | IIS 5.0 or later is required for SQL Server 2005 Reporting Services (SSRS) installations. For more information about how to install IIS, see How to: Install Microsoft Internet Information Services. For more information about how to install IIS 7.0 on Windows Vista, see this Microsoft Web site. |
| ASP.NET 2.0 [2] | ASP.NET 2.0 is required for Reporting Services. When installing Reporting Services, SQL Server Setup will enable ASP.NET if it is not already enabled. |

[1] Microsoft Internet Explorer 6.0 SP1 or later is required for SQL Server Management Studio, Business Intelligence Development Studio, and the Report Designer component of Reporting Services.

[2] For Reporting Services (64-bit) installations on 64-bit servers, the 64-bit version of ASP.NET must be installed.


4.4.3 Security Considerations

4.4.3.1 User Rights for Installation

The person installing SQL Server Reporting Services must be a member of the Administrators group on the server where SQL Server Reporting Services is being installed (MSDELLWEBSRV1).

Administrator rights for SQL Server: The person installing SQL Server Reporting Services must have Administrator rights on the SQL Server where the Reporting Services database is created. This privilege is required so that the Reporting Services Configuration Wizard can create the required Reporting Services databases and grant the right level of permissions to the Reporting Services Database Access Account. Once Reporting Services is configured, the Database Access Account specified during the configuration will be used to connect to the Reporting Services databases.

4.4.3.2 User rights for Service Account

The SQL Server Reporting Services service should run under the credentials of a domain user account as described in Service Startup and Application Pool Identity Accounts under the Domain Controller Preparation section. The application pool identity accounts for the Report Server and Report Manager virtual directories will also use the same service account. We will be using MSDELLBI\WebServiceAccount as the service account in this installation.

For more information on Service Accounts and their importance please refer to Appendix D.

4.4.4 SQL Server Reporting Services Setup

4.4.4.1 The Setup Process

In this section, we discuss the sequence of user actions in full GUI mode and code execution required to install a new instance of SQL Server Reporting Services.

4.4.4.1.1 Program Flow for Standard Install
1. Install from either the SQL Server 2005 DVD or a network share. If installing from a network share, navigate to the network folder and launch splash.hta.
2. Run the SQL Server Installation Wizard.
3. On the Installing Prerequisites page, Setup installs software required for SQL Server 2005. To begin the component update process, click Install. To continue after the update completes, click Next.


4. On the Welcome to Microsoft SQL Server Installation Wizard page, click Next to continue.
5. On the System Configuration Check (SCC) page, the installation computer is scanned for conditions that may block Setup. For information about configuration check items, click Help at the bottom of the page or see Check Parameters for the System Configuration Checker. To interrupt the scan, click Stop. To display a list of check items grouped by result, click Filter and then select a category from the drop-down list. To view a report of SCC results, click Report and then select an option from the drop-down list. Options include Viewing the report, Saving the report to a file, Copying the report to the Clipboard, and Sending the report as email.
6. On the Registration Information page, enter information in the Name and Company text boxes.
7. On the Components to Install page, select the following:
   a. Reporting Services
   b. Optionally you can choose Workstation Components, Books Online and Development Tools. This installs:
      o Client connectivity components like OLEDB drivers.
      o Management tools like SQL Server Management Studio, SQL Server Configuration Manager.
      o Performance tools like SQL Server Profiler, Tuning Advisor.
      o Business Intelligence Development Studio.
      o SQL Server Documentation.
   These components are not required for SQL Server Reporting Services to run on the server. It is good practice to have these components installed on a workstation and manage the server remotely.
8. To install individual components, click Advanced. The Feature Selection page displays. Select the program features to install using the drop-down boxes.
9. On the Instance Name page, select a default or named instance for your installation. If a default or named instance is already installed, and you select the existing instance for your installation, Setup upgrades it and provides you the option to install additional components. To install a new default instance, there must not be a default instance on the computer. To install a new named instance, click Named Instance and then type a unique instance name in the space provided. To install a new named instance side by side with an existing instance, click Named Instance and then type a unique instance name in the space provided. For more information about instance naming rules, click Help at the bottom of the page, or see the Instance Name topic in SQL Server 2005 Books Online. Click Next.
10. On the Service Account page, specify the user name, password and domain name for SQL Server service account.

Note
We created a domain user MSDELLBI\WebServiceAccount which is used to run the Windows service and application pool identities of all the Web service components installed on MSDELL-WEBSRV1.

Figure 16. Reporting Services Setup Service Account page


11. If a SQL Server Database Engine instance existed on the machine where Reporting Services is being installed, the setup wizard would provide you two options on the Report Server Installation Options page:
   o Install the default configuration: This option creates the Reporting Services database on the local system and performs the Reporting Services configuration like creation of virtual directories, configuring startup accounts, and other tasks using the default settings.
   o Install but do not configure the server: This option is used if you want to create the Reporting Services databases on a remote instance of SQL Server and specify the virtual directory settings and startup accounts for Reporting Services.
   In our case, we have not installed a SQL instance on the Reporting Services box, hence we will be creating the Reporting Services catalog database on a remote instance of SQL Server and configure the virtual directories and startup accounts manually.

Figure 17. Reporting Services Setup Report Server Installation Options page


If you click Details on the Report Server Installation page, you see the following screen which states the reason why setup chose the Install but do not configure the server option.

Figure 18. Reporting Services Setup Installation Information

12. On the Error Reporting page, optionally clear the check box to disable error reporting.
13. On the Ready to Install page, review the summary of features and components for your SQL Server installation.
14. On the Installation Progress page, you can monitor installation progress as Setup proceeds. To view the log file for a component during installation, click the product or status name on the Installation Progress page.
15. On the Completing Microsoft SQL Server 2005 Setup page, you can view the Setup summary log by clicking the link provided on this page.
16. If you are instructed to restart the computer, do so now. It is important to read the message from the Setup program when you are done with installation. Failure to restart the computer may cause failures when you run the Setup program in the future.

Note
This document was created when the latest patch for SQL Server was SP2. It is important to update SQL Server with the latest Service Packs to ensure you have latest feature packs and improvements in the product. Refer to the What's new in SQL Server 2005 SP2 in Appendix A for additional information.

Reporting Services SharePoint Integrated Mode
SQL Server 2005 Service Pack 2 adds an additional feature to Reporting Services. Reporting Services can be integrated with SharePoint. Once you update a Reporting Services instance with Service Pack 2, in the Reporting Services Configuration Wizard you get an additional option called SharePoint Integration. This helps you set up a Reporting Services database for new SharePoint integration mode and make the necessary settings. Refer to the Deployment Modes for Reporting Services in Appendix A for additional information.

4.4.4.1.2 Configure the Report Server and Create the Remote Database
1. From SQL Server 2005, point to Configuration Tools, click SQL Server Surface Area Configuration.
2. In Surface Area Configuration for Services and Connections, verify that the Report Server Windows service is running.
3. In Surface Area Configuration for Features, verify that Scheduled Events and Report Delivery, HTTP and Web Service Requests, and Windows integrated security are all enabled.
4. Open Reporting Services Configuration. Click Start, point to All Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, click Reporting Services Configuration.


5. Select the local report server instance you just installed. Click Connect.

Figure 19. Connect to Report Server Instance

6. The Server Status indicates that the Report Server is started. If not, click Start. Once the Server status turns green and Service Status shows Running, click Report Server Virtual Directory.


Figure 20. Check Report Server Status

7. To create a new virtual directory for Report Server, click New.

Figure 21. Report Server Virtual Directory Not Configured

8. Choose the IIS Web site where you want to create the Report Server Virtual Directory and type the name for the virtual directory. The IIS Web site defaults to Default Web Site and virtual directory name defaults to ReportServer. Create the Report Server virtual directory.

Figure 22. New Virtual Directory

9. Once the virtual directory name and Web site name appear in the respective text boxes click Apply.


Figure 23. Report Server Virtual Directory Configured

10. To create a new virtual directory for Report Manager, click Report Manager Virtual Directory. Click New.


Figure 24. Report Manager Virtual Directory Not Configured

11. Choose the IIS Web site where you want to create the Report Manager virtual directory and type the name for the virtual directory. The IIS Web site defaults to Default Web Site and virtual directory name defaults to Reports. Click Ok to create the Report Manager virtual directory.

Figure 25. New Virtual Directory

12. Once the virtual directory name and Web site name appear in the respective text boxes click Apply.


Figure 26. Report Manager Virtual Directory Configured

13. Click Windows Service Identity. This setting was configured during setup where we specified the domain user account to use to run the Report Server. Verify that the Reporting Services Windows service is running under the service account specified (MSDELLBI\WebServiceAccount).


Figure 27. Windows Service Identity

14. Click Web Service Identity. Here you need to configure the application pool used by the two virtual directories and the identity account the application pool runs under. For more information on Application Pools and Application Pool Identity Accounts please refer to Appendix D.


Figure 28. Web Service Identity Not Configured

15. Click New next to Report Server. Type the Application Pool name and specify a Windows account for the application pool security.


Figure 29. New Application Pool

16. You could use the application pool that was created for Report Server virtual directory to run Report Manager virtual directory too. If you choose to create a new application pool click New next to Report Manager. Type the Application Pool name and specify a Windows account for the application pool identity.


Figure 30. Web Service Identity Create but not Applied

17. Once the new application pools have been created click Apply to configure the virtual directories to use the new application pools.


Figure 31. Web Service Identity Configured

18. Click Database Setup. Here we need to specify the remote instance of SQL Server. Click Connect.


Figure 32. Database Setup Not Configured

19. Type the Server Name where SQL Server was installed. If SQL Server was installed as a named instance you need to specify the Server Name as Hostname/InstanceName. If the user running the configuration wizard has administrative privileges on the SQL Server choose Current User Integrated Security, else choose SQL Server Account and key in the SQL Server Account credentials with administration privileges on the Server.


Figure 33. SQL Server Connection Dialog Box

20. Next to the Database Name click New to create a new Report Server database. The SQL Server Connection dialog box opens. Type the name of the new database and the credentials used to create the database. If you already have a Report Server database you want to use, you can select it rather than create a new one.


Figure 34. SQL Server Connection Dialog Box

21. From the Credentials Type drop-down, select the type of account you want Report Server to use to connect to the Report Server database. You can use the Service Credentials or a Windows domain user account or SQL Server login.
   In our case, let's choose Service Credentials which essentially means that Reporting Services will use the service account it runs under to connect to its catalog database.
   If you chose Windows Credentials or SQL Server Credentials, type the user name and password that the report server uses to connect to the report server database. For more information, see Configuring a Report Server Database Connection.
22. Click Apply to save your changes.


Figure 35. Database Setup Configured

Note
The Encryption Keys page is used to manage the symmetric key that is used by the report server to encrypt and decrypt the data. For more information on Encryption Keys refer to the following article http://msdn2.microsoft.com/enus/library/ms189422.aspx

The Initialization page shows the status of the report server in a scale-out deployment or is used to join a report server to a scale-out deployment. It currently shows a red X next to it because the report server is not configured to encrypt or decrypt the data in the report server database. For more information on Initialization refer to the following link http://msdn2.microsoft.com/enus/library/ms181357.aspx

23. Open http://MSDELL-WEBSRV1/reportserver and http://MSDELL-WEBSRV2/reports to verify your installation.


Figure 36. Report Server home page

Figure 37. Report Manager home page


4.5 Install Microsoft Office SharePoint Server 2007 and Excel Services

4.5.1 Server Details
In the test environment MOSS 2007 is installed on MSDELL-WEBSRV1.
For the purpose of this document we will be installing Microsoft Office SharePoint Server 2007 on a single server. Installation and configuration of SharePoint in a Web server farm is out of the scope of this document.

4.5.2 MOSS Requirements and Prerequisites

Please refer to the following Microsoft TechNet article for detailed Microsoft Office SharePoint Server 2007 hardware and software requirements. http://technet2.microsoft.com/Office/enus/library/4d88c40224f2449b86a6 6e7afcfec0cd1033.mspx?mfr=true

4.5.2.1 Operating System

Office SharePoint Server 2007 runs on Windows Server 2003 with SP1 or later. We recommend that you apply all critical updates. You can use the following Windows Server 2003 editions:
   o Windows Server 2003, Standard Edition
   o Windows Server 2003, Enterprise Edition
   o Windows Server 2003, Datacenter Edition

4.5.2.1.1 Windows Components
After you have installed the operating system and applied all critical updates, you must configure the computer to be a Web server by enabling Internet Information Services (IIS) 6.0, including:
   o Common files
   o WWW
   o Simple Mail Transfer Protocol (SMTP): Only if you want to enable email notification.

You must configure the server to use IIS 6.0 worker process isolation mode. This is the default setting in new installations. However, if you have upgraded from IIS 5.0 on Windows Server 2000, Run WWW in IIS 5.0 isolation mode is enabled, and you must change this setting to use IIS 6.0 worker process isolation mode.


4.5.2.2 Microsoft .NET Framework 3.0

Before installing Office SharePoint Server 2007, you must install the Microsoft .NET Framework 3.0 and then ensure that ASP.NET 2.0 is enabled. To enable ASP.NET v2.0.50727, open the Web service extension in the IIS snap-in on the Microsoft Management Console (MMC). If ASP.NET 2.0 is installed on the computer before IIS is enabled, you must enable ASP.NET 2.0 by running the command aspnet_regiis -i.

4.5.2.3 Internet Requirements

Office SharePoint Server 2007 administration functions require Microsoft Internet Explorer 6.0 with the most recent service packs or Internet Explorer 7.0.

4.5.3 Security Considerations

4.5.3.1 User Rights for Installation

The person installing MOSS must be a member of the Administrators group on the server where MOSS is being installed (MSDELL-WEBSRV1).

4.5.3.2 Administrator Rights for SQL Server

The person installing MOSS must have Administrator rights on the SQL Server Instance where the MOSS databases are created.

4.5.3.3 User rights for Service Account

The MOSS services should run under the credentials of a domain user account as described in Service Startup and Application Pool Identity Accounts under the Domain Controller Preparation section. We will be using MSDELLBI\WebServiceAccount as the service startup account in this installation.

For more information on Service Accounts and their importance please refer to Appendix D.

4.5.4 MOSS Setup

4.5.4.1 The Setup Process

In this section, we discuss the sequence of user actions in full GUI mode and code execution required to install MOSS.

4.5.4.1.1 Program Flow for Standard Install
1. On the MSDELL-WEBSRV1 server, from the product disc, run Setup.exe, or from the product download, run Officeserver.exe.
2. On the Choose the installation you want page you have two options.


   The Basic option installs SharePoint in the default location with the default settings which includes a local instance of SQL Server Express Edition.
   Using the Advanced option, you can customize the components of SharePoint to be installed and the SQL Server instance where SharePoint databases will be created. Click Advanced.
3. In the Server Type page, choose Complete. Optionally, you can change the default install location.
4. When Setup finishes, select Run the SharePoint Products and Technologies Configuration Wizard.
5. On the Welcome to SharePoint Products and Technologies page, click Next.
6. In the dialog box that notifies you that some services might need to be restarted or reset during configuration, click Yes.

Figure 38. SharePoint Configuration Wizard warning.

7. On the Connect to a server farm page, select No, I want to create a new server farm.
8. In the Specify Configuration Database Settings page, type the SQL Server name (if the instance is a named instance type the hostname/instancename). The default SharePoint configuration database name is SharePoint_Config. You can change this if required. In the Specify Database Access Account section specify the domain user account that you created for SharePoint.

Note
The account that you specify as the Database Access account is added to SQL Server as a login with membership to the Database Creator and SQL Server Security Administrator roles. This account is also used as the application pool identity for the application pools being used by SharePoint Central Administration site.

Note
We created a domain user MSDELLBI\WebServiceAccount which is used to run the Windows service and application pool identities of all the Web service components installed on MSDELL-WEBSRV1.


Figure 39. SharePoint Configuration Database Settings

9. In the Configure SharePoint Central Administration Web Application page, specify a port number. Choose NTLM as the authentication provider for the Web application. We shall configure SharePoint to use Kerberos later.
10. Review the settings specified before clicking Next.
11. Once SharePoint completes the configuration click Finish.
12. The SharePoint Central Administration Web Site home page opens up.

Note
If you are prompted for your user name and password, you might need to add the SharePoint Central Administration site to the list of trusted sites and configure user authentication settings in Internet Explorer.


Figure 40. SharePoint Central Administration Home Page

13. Before configuring SharePoint, you can run the latest updates and service packs. At the time this document was prepared the latest service pack was WSS 3.0 SP1 and MOSS 2007 SP1.
14. On the SharePoint Central Administration home page you see a warning that the Server Farm configuration not complete. Click Operations. Click Services on Server. Here you see a list of services that Microsoft Office SharePoint provides. Click Start next to Excel Calculation Services. This service is required to provide Excel Services and Excel Web Access on the SharePoint site. Click Start next to Office SharePoint Server Search.

Note
To successfully create an SSP on your server you require an Index Server. You must start Microsoft Office SharePoint Search on the server to create an Index Server.

Note
For more information on the benefits and features offered by Enterprise Search in MOSS 2007 refer to the following article. http://msdn2.microsoft.com/enus/library/ms497338.aspx


Figure 41. SharePoint Services on Server

15. Click Application Management. Under Office SharePoint Server Shared Services section click Create or configure this farm's shared services.
16. This step is required to create a new Shared Service Provider which would provide features like Excel Services to the SharePoint Web Application. In the Manage this Farm's Shared Services page click New SSP.
17. On the New Shared Services Provider Page type a name for the Shared Services Provider. A SSP needs a Web application to host its Admin Site. Click Create a new Web Application.

Figure 42. SharePoint New Shared Services Provider

18. On the New Web Application page, select Create a new IIS Web site, type a Web site name, specify the port. Leave the authentication as NTLM; we shall configure the Web Application to execute under Kerberos Delegation in a later section.
19. Select No under Allow Anonymous.
20. Under Application Pool, select Create a new Application Pool. Specify a name for the application pool and under the application pool security account select Configurable and specify the domain user account used to run SharePoint (MSDELLBI\WebServiceAccount).
21. You can restart IIS manually or automatically. Specify the SQL Server instance name as the database server. You can optionally change the database name. Under Database Authentication, select Windows Authentication.


Figure 43. Web Application Settings: New Application Pool, Security Account, Database Server, Database Authentication

22. If you initiated the Search Service in MOSS, select the search server from the drop-down list, otherwise leave the default setting for Search.
23. This creates a new Web application and returns you to the Shared Services Provider creation page. The Web application you just created is now chosen as the Web application to host the SSP's admin site. Optionally you can create a new Web application if you wish to provide the end users with the My Site feature. For maintenance and manageability reasons, we recommend having a separate Web application to host the My Site.


Figure 44. Back to Shared Services Provider creation page

Note
SharePoint configuration tasks are done through the Central Administration Web site. You can open the Central Administration from a remote workstation to perform any of the configuration tasks. If SharePoint is not set up to use Secure Socket Layers (SSL) you receive a warning which states that the information you provide is not secured for communication. Enabling SSL on SharePoint is not covered in this document.

24. Under SSP Service Credentials, specify the service account (MSDELLBI\WebServiceAccount) for Specify the same SQL Instance name as under the Database Server and you can optionally change the database name. Choose Windows Authentication as the Database Authentication method.


Figure 45. Shared Services Provider Settings: New Application Pool, Security Account, Database Server, Database Authentication

25. If you created a SharePoint Search Service and Indexing Services you can optionally create a Search database and specify the Indexing Server details, else leave it as default.
26. On the Shared Services Provider Created Successfully page, click Ok.
27. In the Central Administration home page, click Application Management. Under SharePoint Site Management, click Create site collection.


28. Type a title for the site collection, specify the URL and choose a template.

Figure 46. SharePoint Site Collection Creation

29. Under the Primary site collection administrator specify a user who would be the administrator of the SharePoint site collection. You can optionally provide a secondary administrator.


Figure 47. SharePoint Site Collection Creation


30. The Top Level Site Successfully Created page. You can open the site collection home page by clicking on the link provided.

Figure 48. New SharePoint Site Collection

31. Once the Top Level site is created you need to create the following:
   o Document Library for PerformancePoint dashboard items
   o Document Library for Excel Reports
   o Data Connection Library for data source connection files
   To create the document libraries:
   o On the site collection home page click Site Actions on the right side of the page, then select Create.
   o In the Create page under Libraries, click Document Library.
   o Specify a name for the document library. You can select the Navigation Options, Document Version History settings and a Document Template. Click Create.
   o Repeat the same steps again to create another document library for Excel Reports.
32. The access model for the site will be configured in a later section.


Figure 49. Document Library Creation

33. On the Create page under Libraries, select Data Connection Library. Type the name of the data connection library. You can select the Navigation Options and Document Version History settings. Click Create.
34. To correctly configure Excel Services you need to add the document library created for Excel Reports to an Excel Services Trusted File Location. Open the Central Administration home page. Under the Shared Services Administration section, select the Shared Service Provider listed. On the SSP Administration home page, select Trusted File Location under Excel Services.
35. In the Add Trusted File Locations page paste the URL of the Excel Document Library. Change the Allow External Data to allow data from Trusted data connection libraries only. The remaining settings can be left as their defaults.


Figure 50. URL for the Document Library


Figure 51. Adding the document library to Excel Services Trusted File Location

36. Once the Excel Document Library has been added to Trusted File Locations, we need to add the Excel Data Connection Library to the Trusted Data Connection Libraries. On the Shared Services Admin home page, under Excel Services, click Trusted Data Connection Libraries. Copy the URL of the Excel Data Connection Library and paste it in the Address box.
37. To create a new data connection in the data connection library, open Microsoft Office Excel 2007. Click the Data tab. Click From Other Sources and select Analysis Services.
38. In the Data Connection Wizard, type the name of the Analysis Services instance, choose Windows Authentication.
39. In the Select the Database and Table page, select the cube or perspective.
40. Type a file name and friendly name for the data connection file. Check Always attempt to use this file to refresh data.


Figure 52. Creating a new Excel Data Source Connection

41. Click Authentication Settings and ensure that it's set to Windows authentication. Click Ok. Click Finish to save the data connection file.
42. To add this data connection file to the Excel Data Connection library, open the data connection library. Click Upload and click Upload Document. Browse to the folder where the data source was created and upload the file to the data connection library. By default the data connection file is stored in the My Documents/My Data Sources folder.
43. Once the file has been added, SharePoint will prompt you to approve the document. Click Ok to approve the document.
44. To create any reports in Excel, the user should use the data connection file from the Excel Data Connection Library on the SharePoint Server.
45. Once the Excel report is created, it can be published to the Excel Document Library that was created earlier.


4.6 Install PerformancePoint Monitoring Server

4.6.1 Server Details
In the test environment setup PPS Monitoring Server is installed on MSDELL-WEBSRV1.

4.6.2 Monitoring Server Requirements and Prerequisites

Please refer to the following Microsoft TechNet article regarding the hardware and software requirements for Microsoft Office PerformancePoint Monitoring Server 2007. http://technet.microsoft.com/enus/library/bb838773.aspx

4.6.2.1 Operating System

Office PerformancePoint Server 2007 runs on Windows Server 2003 with SP1 or later. We recommend that you apply all critical updates. You can use the following Windows Server 2003 editions:
   o Windows Server 2003, Standard Edition
   o Windows Server 2003, Enterprise Edition
   o Windows Server 2003, Datacenter Edition

4.6.2.1.1 Windows Components
After you have installed the operating system and applied all critical updates, you must configure the computer to be a Web server by enabling Internet Information Services (IIS) 6.0.

You must configure the server to use IIS 6.0 worker process isolation mode. This is the default setting in new installations. However, if you have upgraded from IIS 5.0 on Windows Server 2000, Run WWW in IIS 5.0 isolation mode is enabled, and you must change this setting to use IIS 6.0 worker process isolation mode.

You must have Microsoft .NET Framework version 2.0 on the server with Microsoft ASP.NET 2.0 enabled.

4.6.2.2 Internet Explorer Requirements

Microsoft Internet Explorer 6.0 or 7.0

4.6.2.3 Other Components:
   o SQL Server 2005 Database Engine. (This can be on a remote instance)
   o SQL Server Native Client 9.0 SP2
   o ADOMD.Net 9.0 SP2
   o ASP.NET 2.0 AJAX Extensions 1.0
   o Microsoft SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007.

4.6.3 Security Considerations

4.6.3.1 User Rights for Installation

The person installing PerformancePoint Monitoring Server must be a member of the Administrators group on the server where PerformancePoint Monitoring Server 2007 is being installed (MSDELL-WEBSRV1).

4.6.3.2 Administrator rights for SQL Server

The person installing PerformancePoint Monitoring Server must have Administrator rights on the SQL Server where the PerformancePoint database is created.

4.6.3.3 User Rights for Service Account

The PerformancePoint Web service should run under the credentials of a domain user account as described in Service Startup and Application Pool Identity Accounts under the Domain Controller Preparation section. We will be using MSDELLBI\WebServiceAccount as the application pool identity account in this installation.

For additional information on Application Pools and Application Pool Identity Account please refer to Appendix D.

4.6.4 Monitoring Server Setup

4.6.4.1 The Setup Process

In this section, we discuss the sequence of user actions in full GUI mode and code execution required to install a new instance of Monitoring Server.

4.6.4.1.1 Program Flow for Standard Installation
1. On the MSDELL-WEBSRV1 machine, install PerformancePoint Server from the CD.
2. On the startup screen, click Install Monitoring Server. If it does not automatically launch, double-click the Monitoring Server MSI (PSCSrv.msi).
3. Hardware and software prerequisite checking is performed by calling an external prerequisite validation engine to ensure the target server is suitable for installing Monitoring Server. The Prerequisite screen will not appear if the machine meets all prerequisite requirements.
4. On the Directory Selection page, you can choose the location to install the binaries. Click Next.


5. On the Install page, click Next.
6. Once the Monitoring Server Installation is complete, ensure that the Run the Monitoring Server Configuration Manager Wizard check box is selected before you click Finish. This will invoke the Configuration Manager Wizard. If you do not wish to run the Configuration Manager Wizard now, you have to run it before you begin to use PerformancePoint Server.
7. The Prerequisites screen displays the components that need to be installed prior to setting up the web-based portion of Monitoring Server.
8. The Installation Options page has two options:
   o Standalone Configuration: This requires all services to be installed and running on the local server. This option cannot be customized.
   o Distributed Configuration: This allows the ability to install components independently on different servers and provides more flexibility. These components will be available based on the prerequisites check to determine which components can be installed on the machine. The available components to install are as follows:
      a. Monitoring System Database: The Monitoring System Database can be created on a remote SQL Instance.
      b. Monitoring Server: Installs three services:
         o Monitoring Web Service is a front-end Web service that facilitates the communication between Dashboard Designer and Monitoring System database.
         o Dashboard Web Preview is a preview feature that provides the capability to deploy and view dashboards as ASP.NET Web pages.
         o Dashboard Designer Installation Site is an installation site for users to install Dashboard Designer on demand using Microsoft ClickOnce Technology. It is a central point for users to download the Dashboard Designer client.
      c. Scorecard Viewer for Reporting Services: Installs SQL Server 2005 Reporting Services customer data extension for a SQL Server Reports Server. This extension enables the automated deployment and rendering of Dashboards in Report Definition Language (RDL).
      d. Dashboard Viewer for SharePoint Services: Installs Monitoring Web parts that enable deployment and viewing of dashboards in Windows SharePoint Services 3.0 or Office SharePoint Server 2007.
      e. Monitoring Plug-in for Report Designer (Visual Studio 2005): Installs a SQL Server 2005 Reporting Services customer data extension for Microsoft Visual Studio 2005. This extension enables the consumption of Dashboards using Report Definition Language (RDL) in Visual Studio.
   Select Distributed Configuration and ensure that the check boxes next to all the components are checked.

Figure 53. Installation Options for PerformancePoint Monitoring Server

9. On the Database screen, type the name for the SQL Server instance. Type the database name. Click Create Monitoring System Database. Click Next.


Figure 54. PerformancePoint Server Database Settings

10. On the Web site screen, if you have SSL implemented on your Web site, select the Require SSL connections to Monitoring Web Site box.
11. On the Application Pool Identity Account screen, select Configurable and type in the domain name, service account name, and password. Click Next.

Note: We created a domain user MSDELLBI\WebServiceAccount which is used to run all the Web service components installed on MSDELL-WEBSRV1 (SSRS, MOSS & PPS).


Figure 55. Application Pool Identity for PerformancePoint Monitoring Server


12. On the Web Parts page, type the URL for the SharePoint site collection.
13. The SQL Server Reporting Services screen is used to define a local Reporting Server instance on which to deploy the Monitoring Plug-in.
14. The Validation screen shows the components that will be installed.
15. The Review Options screen shows all the choices made throughout the Configuration wizard. Click Configure.
16. The Progress screen shows each component that is being installed and configured.
17. The Summary screen confirms that the installation is complete.

Note: PerformancePoint Monitoring Server creates three application pools: PPSMonitoringCentral, PPSMonitoringPreview, and PPSMonitoringWebService. Ensure that all these application pools are running under the identity of the service account specified during the configuration. By default, the PPSMonitoringCentral application pool executes under the identity of NETWORK SERVICE. This application pool is used by the DesignerInstall virtual directory that installs the Dashboard Designer on client machines. Change the identity of this application pool to the service account used during configuration of PPS.

4.7 Installing the Dashboard Designer
4.7.1 Dashboard Designer Requirements and Prerequisites
This section details the hardware and software requirements to install Dashboard Designer. It also lists the software prerequisites for installing Dashboard Designer.

4.7.1.1 Software Requirements
The following are software requirements to install Dashboard Designer:
- Windows Server 2003 SP1 or later
- Windows XP Professional SP2 or later
- Windows Vista
- Internet Explorer 6.0 or later
- Microsoft Office Visio 2007 (for strategy maps)
- Office Excel 2007 (to use Excel as a data source)

4.7.1.2 Software Prerequisites
The following are software prerequisites to install Dashboard Designer:
- Microsoft .NET Framework 2.0

4.7.2 Security Considerations
4.7.2.1 User Rights for Installation
The person installing Dashboard Designer and its prerequisites must be logged on to the computer as a user with the following access rights.
- Users group: The person installing Dashboard Designer must be a member of the Users group on the computer where Dashboard Designer is being installed. No administrative rights are necessary to install Dashboard Designer.

4.7.3 Dashboard Designer Setup
4.7.3.1 The Setup
In this section, we discuss the sequence of user actions required to install a new instance of Dashboard Designer on a machine not already running Dashboard Designer.

4.7.3.1.1 Program Flow for a Standard Installation
1. Install the Dashboard Designer on a client machine from http://MSDELL-WEBSRV1:40000/Central/. To install it on the server, the Dashboard Designer installs as a ClickOnce application from Microsoft Office PerformancePoint Server 2007.
2. Click Run next to Download Dashboard Designer.
3. A Security Warning screen will appear prompting you to click either Run or Don't Run to install Microsoft Office PerformancePoint Server Dashboard Designer.
4. Click Run. The Dashboard Designer installs as a ClickOnce application. You can find the link to open Dashboard Designer by navigating to Start, then Program Files, Microsoft Office PerformancePoint Server 2007, and finally Dashboard Designer.


Figure 56. PerformancePoint Server Dashboard Designer

4.8 Install ProClarity Analytics Server 6.3
4.8.1 Server Details
In the test environment ProClarity Analytics Server is installed on MSDELL-WEBSRV2.

4.8.2 PAS Requirements and Prerequisites
Please refer to the following ProClarity Analytics Server product documentation for detailed hardware and software prerequisites:
http://download.microsoft.com/download/1/7/3/173dd1cf-f680-4c37-9763-c209806af9fb/ProClarity%20Analytics%20Server.pdf


4.8.2.1 Operating System
You can use the following Windows Server 2003 editions to install and run ProClarity Analytics Server 6.3:
- Windows Server 2003, Standard Edition
- Windows Server 2003, Enterprise Edition
- Windows Server 2003, Datacenter Edition
- Windows Server 2003, Web Edition

4.8.2.1.1 Windows Components
After you have installed the operating system and applied all critical updates, you must configure the computer to be a Web server by enabling Internet Information Services (IIS) 6.0 with Active Server Pages and Server Side Includes set to Allowed.
You must have Microsoft .NET Framework version 2.0 on the server with Microsoft ASP.NET 2.0 enabled.

4.8.2.2 Internet Explorer Requirements
Microsoft Internet Explorer 6.0 or 7.0

4.8.2.3 Other Components
SQL Server 2005 Database Engine. (This can be on a remote instance.)

4.8.3 Security Considerations
4.8.3.1 User Rights for Installation
The person installing PAS must be a member of the Administrators group on the server where PAS is being installed (MSDELL-WEBSRV2).

4.8.4 PAS Setup
4.8.4.1 The Setup Process
In this section, we discuss the sequence of user actions in full GUI mode and code execution required to install PAS.

4.8.4.1.1 Standard Installation
1. Install ProClarity Analytics from the product CD.
2. On the Choose Installation Type page, select Full Product.


3. On the Set Up Web Site page, type in the name of the ProClarity Analytics Server virtual directory: PAS.

Figure 57. PAS Virtual Directory

4. In the Choose Location page, select the path for the ProClarity Web Standard files.
5. On the Select a Microsoft SQL Server page, select Choose another SQL Server and type the name of the SQL Server. (If you installed SQL Server as a named instance, specify the SQL Server name as hostname/instancename.) Type in credentials of a SQL login with administrative privileges on the SQL Server.


Figure 58. PAS Database Setup

6. On the Set up Analytics Server database screen, type a name for the ProClarity Analytics Server database. Setup creates a SQL Server login to connect to the ProClarity database. Type in the new user name and password.


Figure 59. PAS Database Access Account

7. Review the installation options.

Note: For the purpose of demonstrating the configuration and settings that are required to implement Kerberos Constrained Delegation for a service that is not running under a dedicated domain user account, we are running ProClarity Analytics Server under the default application pool identity account of a built-in system account (NETWORK SERVICE). It is recommended to use a domain user account as the application pool identity account for ProClarity Analytics Server.

8. Browse to the http://MSDELL-WEBSRV2/pas site to view the ProClarity Analytics Server home page.

Figure 60. PAS Homepage

9. Update the ProClarity Analytics Server with the latest updates and patches:
   - ProClarity Analytics Server Cumulative Hotfix 2213
   - ProClarity Analytics Server Cumulative Hotfix 2214
10. To enable ProClarity Web Professional as a download for users from the PAS site, copy the Web Professional folder from the setup media and place it in the PAS virtual directory folder. Open the ProClarity Administration Tool. Right-click Components, click New Component.

Figure 61. PAS Administration Tool

11. Browse to the Web Professional folder you just copied over. Select the WebProfessional.xml component information file. Select Make this a Required download for Web Professional users.

Figure 62. New Component in PAS Administration Tool


5 Kerberos Delegation: Setup and Configuration
Kerberos Delegation provides a secure means for clients and services on the network to identify and communicate with each other. It is the most secure means of authentication between services.
To implement Kerberos Delegation, settings need to be made at several levels: the domain controller, the application layer, and the client. In this section we take you through the setup and configuration of Kerberos Constrained Delegation in a multi-server environment.

Note: Most of the settings that need to be done on the domain controller will need to be performed by a network administrator.

Caution: Settings like creating users in the Active Directory directory services, adding computers to the domain, and changing the delegation settings of user accounts and computers should be performed with caution as they may impact other existing applications and servers on the network.

5.1 Active Directory Settings and Configurations
5.1.1 Domain Functional Level
Windows 2000 domain functional level offers Unconstrained Delegation, in which a service can delegate user credentials to any other service in the domain. This poses a security risk if a service is compromised by a malicious user. A more secure way of delegating credentials is to use Constrained Delegation, which is new in Windows 2003. With a Windows 2003 domain functional level and using Constrained Delegation, we can explicitly define the resources or services to which a service can delegate users' credentials.
For the purpose of this document we will consider Constrained Delegation.


5.1.2 Service Account Settings
In our scenario, SQL Server 2005 Database Engine and SQL Server 2005 Analysis Services are the remote resources which need to be accessed by other Web services like Reporting Services, MOSS, PerformancePoint, and ProClarity Analytics Server. Hence these services need to identify SQL Server and Analysis Services on the network and delegate user credentials to them. SQL Server and Analysis Services do not need to delegate credentials further to any other service or resource on the network.

Figure 63. Credential Delegation

5.1.2.1 Service Principal Names
A Service Principal Name (SPN) is a mapping in the Active Directory directory services of the service to the security principal or the account under which it is running. An SPN helps a client uniquely identify an instance of a service and is used to support mutual authentication between a client application and a service.
When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.
To enable Kerberos Authentication we need to create SPNs for the domain user accounts under which the various services run.
The SETSPN command line utility is a part of the Windows 2003 Support Tools. It can also be downloaded from the Microsoft Download Center.


The general syntax of the SETSPN command to list SPNs created for a domain user account is:
setspn -l useraccount

To list SPNs created for a server or host:
setspn -l hostname

To create SPNs for a service running under a domain user account:
setspn -a serviceclass/hostname:port useraccount
setspn -a serviceclass/fully_qualified_domain_name:port useraccount

When you run a service under a built-in system account you do not have to create an SPN because SPNs for built-in system accounts are automatically created when the machine is joined to a domain. The service class used is HOST and covers most of the common services including HTTP.
The service class can be SQL Server Database (MSSQLsvc), Analysis Services (MSOLAPsvc.3), Web service (HTTP), Web service with Secure Socket Layers (HTTPS), HOST (it covers most of the commonly used services), and others.
The port number is required if the service is running under a different port than the default port for that service class.

5.1.2.1.1 SQL Server Database Engine
To create a SPN for SQL Server Database Engine, log on to the domain controller using an account that has administrative privileges on the domain controller.
Open a command prompt. Browse to the SETSPN installation. The default location of the SETSPN command line utility is C:\Program Files\Resource Kit.
Run the following commands:

Syntax:
setspn -a MSSQLsvc/hostname:1433 useraccount
setspn -a MSSQLsvc/hostname.mydomain.com:1433 useraccount

Example:
setspn -a MSSQLsvc/MSDELL-SQL:1433 SQLServiceAccount
setspn -a MSSQLsvc/MSDELL-SQL.MSDELLBI.COM:1433 SQLServiceAccount


Figure 64. Service Principal Name (SPN) Creation

5.1.2.1.2 SQL Server Analysis Services
To create a SPN for SQL Server Analysis Services, log on to the domain controller using an account that has administrative privileges on the domain controller:
1. Open a command prompt. Browse to the SETSPN installation. The default location of the SETSPN command line utility is C:\Program Files\Resource Kit.
2. Run the following commands:

Syntax:
setspn -a MSOLAPsvc.3/hostname useraccount
setspn -a MSOLAPsvc.3/hostname.mydomain.com useraccount

Example:
setspn -a MSOLAPsvc.3/MSDELL-AS ASServiceAccount
setspn -a MSOLAPsvc.3/MSDELL-AS.MSDELLBI.COM ASServiceAccount


Figure 65. SPN Creation for Analysis Services

5.1.2.1.3 SQL Server Reporting Services, Microsoft Office SharePoint Server 2007, Microsoft Office PerformancePoint Server 2007
To create a SPN for the Web services running on the Web server (MSDELL-WEBSRV1), log on to the domain controller using an account that has administrative privileges on the domain controller.
1. Open a command prompt. Browse to the SETSPN installation. The default location of the SETSPN command line utility is C:\Program Files\Resource Kit.

Important
If more than one Web service is hosted on a single Web server, each Web service runs under a different port. For example: http://servername (default port 80) and http://servername:8888. Both Web applications are set up to use Kerberos Authentication. Clients access the Web applications through Internet Explorer using the URLs http://servername and http://servername:8888.
Internet Explorer has to obtain a Kerberos ticket to authenticate with the server. While passing the URL to obtain the ticket, Internet Explorer does not pass the port number. Hence Internet Explorer gets a valid ticket to authenticate with the Web service running under the default port 80 (http://servername) but is not able to use the Kerberos protocol to authenticate with any other Web application on the same server that is running under a different port.
There are three ways you can work around this problem:
- Run all the Web applications on the server using the same domain user account and create one SPN for that service account using the appropriate service class. Trust the service account to delegate credentials to the other resources on the network.
- You will have to create different Host Header names for each Web site in IIS. Define the host header names in the DNS as class A entries. Create SPNs using the Host Header name instead of using the host name, with different service accounts for each Web service. Trust the service accounts to delegate credentials to other resources on the network.
- Update IIS with a hotfix as described in the KB article http://support.microsoft.com/kb/908209/. This involves replacing a DLL on the server and modifying the client registry settings to pass the port number while requesting the ticket.

Syntax:
setspn -a http/hostname useraccount
setspn -a http/hostname.mydomain.com useraccount

Example:
setspn -a http/MSDELL-WEBSRV1 WebServiceAccount
setspn -a http/MSDELL-WEBSRV1.MSDELLBI.COM WebServiceAccount

Figure 66. SPN Creation for Web Services

5.1.2.1.4 ProClarity Analytics Server
ProClarity Analytics Server is installed on MSDELL-WEBSRV2. It is a Web service running under the application pool identity of NETWORK SERVICE. In such a case we do not have to create a SPN to identify this service because SPNs for built-in system accounts are automatically created when the machine is joined to a domain. The service class used is HOST and covers most of the common services including HTTP.
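
The SPN rules in section 5.1.2.1 (one owner per SPN, short-name and FQDN forms, the port being dropped from HTTP requests, and HOST standing in for HTTP on built-in system accounts) can be checked offline against saved `setspn -l` output. The Python script below is an added example, not part of the original guide; the sample output is constructed from the host and account names used above, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `setspn -l` output, using the accounts and hosts
# from this guide. MSDELL-WEBSRV2 runs PAS as NETWORK SERVICE, so only the
# HOST SPNs of its computer account exist.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=WebServiceAccount,CN=Users,DC=MSDELLBI,DC=COM:
    http/MSDELL-WEBSRV1
    http/MSDELL-WEBSRV1.MSDELLBI.COM
Registered ServicePrincipalNames for CN=SQLServiceAccount,CN=Users,DC=MSDELLBI,DC=COM:
    MSSQLSvc/MSDELL-SQL:1433
    MSSQLSvc/MSDELL-SQL.MSDELLBI.COM:1433
Registered ServicePrincipalNames for CN=MSDELL-WEBSRV2,CN=Computers,DC=MSDELLBI,DC=COM:
    HOST/MSDELL-WEBSRV2
    HOST/MSDELL-WEBSRV2.MSDELLBI.COM
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):$")


def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -l` output."""
    registry, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            registry.setdefault(current, [])
        elif current is not None:
            registry[current].append(line)
    return registry


def build_index(registry):
    """Map each SPN (lower-cased; SPNs are case-insensitive) to its owners."""
    index = {}
    for account, spns in registry.items():
        for spn in spns:
            index.setdefault(spn.lower(), set()).add(account)
    return index


def duplicate_spns(index):
    """SPNs registered on more than one account. The KDC cannot pick one
    account for such an SPN, so Kerberos authentication to it fails."""
    return {spn: sorted(owners) for spn, owners in index.items() if len(owners) > 1}


def spn_for_url(url):
    """SPN requested for a URL when the client drops the port, as this
    guide describes for Internet Explorer."""
    return "http/" + urlsplit(url).hostname


def resolve(url, index):
    """Accounts that own the SPN for this URL, falling back to HOST/<name>,
    which covers HTTP for services run by built-in system accounts."""
    spn = spn_for_url(url)
    owners = index.get(spn)
    if not owners:
        owners = index.get("host/" + spn.split("/", 1)[1], set())
    return sorted(owners)


def missing_forms(index, service_class, host, domain, port=None):
    """Which of the short-name and FQDN forms of an SPN are not registered."""
    suffix = f":{port}" if port else ""
    wanted = [f"{service_class}/{host}{suffix}",
              f"{service_class}/{host}.{domain}{suffix}"]
    return [spn for spn in wanted if spn.lower() not in index]


if __name__ == "__main__":
    idx = build_index(parse_setspn(SETSPN_OUTPUT))
    for url in ("http://MSDELL-WEBSRV1/", "http://MSDELL-WEBSRV1:40000/Central/",
                "http://MSDELL-WEBSRV2/pas"):
        print(url, "->", spn_for_url(url), "->", resolve(url, idx))
    print("duplicates:", duplicate_spns(idx))
    print("missing AS SPNs:",
          missing_forms(idx, "MSOLAPSvc.3", "MSDELL-AS", "MSDELLBI.COM"))
```

Because every port on MSDELL-WEBSRV1 resolves to the same SPN, all Web applications on that host must run under the account that owns it, which is the first workaround listed above.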

5.1.2.2 Trust Account for Delegation
The Web applications need to be configured to delegate credentials to other backend services. To implement Constrained Delegation we need to explicitly specify the services to which credentials can be delegated. This is a much more secure means of delegating credentials and is an added feature in Windows 2003 Domain Functional Level.
In our scenario, all the Web components running on the MSDELL-WEBSRV1 server are running under the credentials of MSDELLBI\WebServiceAccount. We need to trust this account to delegate user credentials to SQL Server Database Engine and SQL Server Analysis Services.
1. On the domain controller, open Active Directory Users and Computers. Click Users. Right-click WebServiceAccount and click Properties.

Figure 67. Trust Account for Delegation

2. Click the Delegation tab. By default every account is set as Do not trust this user for delegation.


Figure 68. WebServiceAccount Properties

3. If you choose Trust this user for delegation to any service, the applications running under WebServiceAccount will be able to delegate the user's credentials to any resource on the network, like another SQL Server or Analysis Services instance. This could pose a security threat. To implement Constrained Delegation choose Trust this user for delegation to specified services only.


Figure 69. WebServiceAccount Properties - Specified Services

4. Click Add. Click Users or Computers.


Figure 70. Add Services

5. Type in the service account that you defined for SQL Server Database Engine, click Check Names. Click OK. Click Users and Computers once again. Type the service account that you defined for SQL Server Analysis Services, click Check Names. Click OK.

Figure 71. Select Users or Computers

6. Select both the service names that show up in the Add Services page and click OK.


Figure 72. Add Services - Select All

7. These services are added to the list of services that WebServiceAccount can delegate credentials to. Click Apply and click OK.


Figure 73. MSDELLBI\WebServiceAccount Properties

Now we have configured the service account of Reporting Services, SharePoint, and PerformancePoint to delegate credentials to SQL Server Database Engine and Analysis Services.

Note: ProClarity Analytics Server is running under the NETWORK SERVICE account. The other Web services ran under the application pool identity of dedicated service accounts, and we trusted those service accounts for delegation. To configure PAS for delegation we will instead have to trust the computer for delegation. This is covered in the next section.

8. None of the other service accounts need to be configured to delegate user credentials. Ensure that for those accounts Do not trust this account for delegation is selected.


Figure 74. MSDELLBI\SQLServiceAccount Properties


Figure 75. MSDELLBI\ASServiceAccount Properties

Note: Ensure that for all the end user accounts the Account is sensitive and cannot be delegated check box is cleared.

5.1.3 Server Computer Settings
The following section describes the configuration settings that need to be made in Active Directory for the various servers.

5.1.3.1 Trust Computer for Delegation
In the case of services that run under domain user accounts, we trust the account to delegate credentials. For services that do not run under domain user accounts, we need to trust the machine account they are running on to delegate credentials. In our scenario, ProClarity Analytics Server is running under the identity of NETWORK SERVICE. We need to trust MSDELL-WEBSRV2 to delegate credentials to Analysis Services.
1. On the domain controller, open Active Directory Users and Computers.


Note: You can also manage Active Directory Users and Computers from a remote workstation using the Windows Server 2003 Administration Tools Pack.

2. Click Computers. Right-click MSDELL-WEBSRV2, click Properties.

Figure 76. Active Directory Users and Computers

3. Click the Delegation tab. By default every computer is set to Do not trust this computer for delegation. Choose Trust this computer for delegation to specified services only.


Figure 77. Server Properties - Delegation

4. Click Add. Click Users and Computers.


Figure 78. Add Services - Delegation

5. Type the Analysis Services service account name and click Check Names.

Figure 79. Select Analysis Services account name

6. Select the Analysis Services service account from the Add Service page.


Figure 80. Allow services to be delegated

7. Once the Analysis Services service account has been added to the list of services to which the MSDELL-WEBSRV2 computer can delegate credentials, click Apply.


Figure 81. MSDELLBI\MSDELL-WEBSRV2 Properties

8. No other server in this setup is required to delegate credentials to other resources on the network. Ensure that all the other computers are set to Do not trust this computer for delegation.


Figure 82. MSDELLBI\MSDELL-SQL Properties


Figure 83. MSDELLBI\MSDELL-AS Properties


Figure 84. MSDELLBI\MSDELL-WEBSRV1 Properties
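
The delegation settings made in sections 5.1.2.2 and 5.1.3.1 are stored in Active Directory as the userAccountControl flags and the msDS-AllowedToDelegateTo attribute of each account, so the intended end state can be audited from a directory export. The Python script below is an added example, not part of the original guide; the records are constructed (including two deliberate misconfigurations and a hypothetical end user, analyst1), and the `kind` field and function names are assumptions.

```python
# userAccountControl bits behind the Delegation tab and the
# "Account is sensitive and cannot be delegated" check box.
UF_TRUSTED_FOR_DELEGATION = 0x00080000  # trusted for delegation to any service
UF_NOT_DELEGATED = 0x00100000           # sensitive, cannot be delegated

SQL_SPNS = {"MSSQLSvc/MSDELL-SQL:1433", "MSSQLSvc/MSDELL-SQL.MSDELLBI.COM:1433"}
AS_SPNS = {"MSOLAPSvc.3/MSDELL-AS", "MSOLAPSvc.3/MSDELL-AS.MSDELLBI.COM"}

# Intended state from this guide. Any account not listed here should be
# set to "Do not trust ... for delegation".
EXPECTED = {
    "WebServiceAccount": SQL_SPNS | AS_SPNS,  # SSRS, MOSS, PPS on MSDELL-WEBSRV1
    "MSDELL-WEBSRV2$": AS_SPNS,               # PAS running as NETWORK SERVICE
}

# Constructed directory export (not real data). 0x10200 is a normal user
# account with a non-expiring password; 0x1000 is a computer account.
RECORDS = [
    {"sAMAccountName": "WebServiceAccount", "kind": "service",
     "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": sorted(SQL_SPNS | AS_SPNS)},
    {"sAMAccountName": "MSDELL-WEBSRV2$", "kind": "computer",
     "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": sorted(AS_SPNS)},
    {"sAMAccountName": "SQLServiceAccount", "kind": "service",
     "userAccountControl": 0x10200, "msDS-AllowedToDelegateTo": []},
    # Misconfigured on purpose: trusted for delegation to any service.
    {"sAMAccountName": "ASServiceAccount", "kind": "service",
     "userAccountControl": 0x10200 | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    # Misconfigured on purpose: this server should not delegate at all.
    {"sAMAccountName": "MSDELL-WEBSRV1$", "kind": "computer",
     "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/MSDELL-SQL:1433"]},
    # End user whose credentials cannot be delegated to the back end.
    {"sAMAccountName": "analyst1", "kind": "enduser",
     "userAccountControl": 0x200 | UF_NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": []},
]


def lowered(spns):
    """SPNs compare case-insensitively."""
    return {s.lower() for s in spns}


def classify(record):
    """Return 'unconstrained', 'constrained' or 'none' for one account."""
    if record["userAccountControl"] & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if record.get("msDS-AllowedToDelegateTo"):
        return "constrained"
    return "none"


def audit(records, expected):
    """Return (account, issue, detail) tuples for every deviation."""
    policy = {name.lower(): lowered(spns) for name, spns in expected.items()}
    findings = []
    for rec in records:
        name = rec["sAMAccountName"]
        allowed = lowered(rec.get("msDS-AllowedToDelegateTo", []))
        wanted = policy.get(name.lower(), set())
        if classify(rec) == "unconstrained":
            findings.append((name, "unconstrained", []))
        if allowed - wanted:
            findings.append((name, "unexpected-targets", sorted(allowed - wanted)))
        if wanted - allowed:
            findings.append((name, "missing-targets", sorted(wanted - allowed)))
        # The guide requires this check box to be cleared for end users.
        if rec["kind"] == "enduser" and rec["userAccountControl"] & UF_NOT_DELEGATED:
            findings.append((name, "not-delegatable", []))
    return findings


if __name__ == "__main__":
    for finding in audit(RECORDS, EXPECTED):
        print(finding)
```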

5.2 Backend Server Settings
5.2.1 SQL Server Configurations
For a client to authenticate with SQL Server it has to connect to SQL Server using TCP/IP. This can be accomplished by placing the TCP/IP protocol at the top of the client protocols list.
1. Open SQL Server Configuration Manager.
2. Expand the SQL Native Client Configuration.
3. Right-click Client Protocols and click Properties.
4. If TCP/IP is disabled, click TCP/IP in the Disabled Protocols list and enable it.
5. Click TCP/IP and move it to the top of the list.


Figure 85. SQL Server Client Authentication

5.2.2 Analysis Services Configurations
No additional configuration is required on Analysis Services to implement Kerberos Authentication and Delegation.

5.3 Web Application Settings
5.3.1.1 Anonymous Access
When anonymous access is turned on, no authenticated user credentials are required to access the site. This option is best used when you want to grant public access to information that requires no security. When a user tries to connect to your Web site, IIS assigns the connection to the IUSR_ComputerName account, where ComputerName is the name of the server on which IIS is running. By default, the IUSR_ComputerName account is a member of the Guests group. This group has security restrictions, imposed by NTFS file system permissions, that designate the level of access and the type of content that is available to public users.
If you turn on anonymous access, IIS always tries to authenticate users by using anonymous authentication first, even if you turn on additional authentication methods.

5.3.2 Reporting Services Configurations
The following section describes the configurations that need to be made to Reporting Services to enable Kerberos.

5.3.2.1 Disable Anonymous Access
1. Disable anonymous access to the Reporting Services virtual directories. Right-click the Report Server virtual directory. Click Properties. Click Directory Security. Click Edit under Authentication and access control. Clear the Enable anonymous access box and select Integrated Windows authentication.
2. Repeat the same process for the Report Manager virtual directory.

Figure 1. Authentication Methods in IIS


5.3.3 Microsoft Office SharePoint Server Configurations
1. Ensure that all the SharePoint Web sites and virtual directories have Enable anonymous access cleared and Integrated Windows Authentication selected.
2. During configuration we set the authentication mode of the SharePoint Web application to NTLM. Using NTLM will not facilitate impersonation of user credentials across the network. We now need to set it to use Kerberos. To change the authentication mode, open the SharePoint Central Administration home page. Click Application Management. Click Authentication Providers.

Figure 86. Application Management in Central Administration

3. In the Authentication Providers page, ensure that your Web application is chosen in the drop-down list. Click Default.


Figure 87. Authentication Providers in Web Applications

4. In the Edit Authentication page, change the IIS Authentication Settings from NTLM to Kerberos. You might be prompted that Kerberos Delegation requires additional settings by the network administrator. Click Yes and save.


Figure 88. Editing Authentication Providers

5. For Excel Services, by default the access model is set to Trusted subsystem. Set this to Delegation.
   Trusted subsystem (default in a SharePoint farm deployment) is a mode in which the front-end and back-end server components have a two-way trust. This allows files to be retrieved from Office SharePoint Server 2007 by using the Excel Services account. However, even though Excel Services retrieves the files, it performs a security check to verify that the user requesting the file has the appropriate permissions. In this mode, the back-end Excel Calculation Services server does know the user's identity, but does not have a full user security token and so cannot delegate it to other computers.
   Delegation is a mode in which the front-end servers of the farm always delegate the user's identity to the back-end servers. In this case, files are retrieved as the end user who is requesting the workbook instead of the Excel Services account. The back-end Excel Calculation Services server has the user's full identity (security token) and so can delegate it to other servers.
   To do this, you have to run these STSADM commands from the command prompt. Navigate to the directory where STSADM.exe is located. By default it is installed at C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\BIN. Then type:

   stsadm -o set-ecssecurity -ssp ShareServicesProviderName -accessmodel delegation
   stsadm -o execadmsvcjobs

   Example:

   stsadm -o set-ecssecurity -ssp MSDELL-SSP -accessmodel delegation
   stsadm -o execadmsvcjobs

6. Once the Monitoring Server Web Parts are deployed on the SharePoint site, in the SharePoint Web.config file, change the Bpm.ServerConnectionPerUser value to True.
   The Bpm.ServerConnectionPerUser configuration value forces the Monitoring Server to use the identity of the authenticated user to access remote resources like Analysis Services.
7. To identify the path of the Web.config file, open IIS Manager, right-click the SharePoint Web site and click Properties. On the Home Directory tab, the Local Path gives the folder location for that Web site's Web.config file.

Figure 89. SharePoint Web.config

8. Ensure that the SharePoint Web site in IIS supports both NTLM and Kerberos.
9. Locate the numeric identifier for the SharePoint Web site.


10. Click Start, click Run, type inetmgr, and then press ENTER.
11. Expand the local computer node, and then click the Web Sites folder. The identifier for each Web site is listed in the Identifier column.
12. Open a command prompt and change to the following directory: %systemdrive%\Inetpub\adminscripts.
13. For the SharePoint identifier, run the following command to check what the current Authentication Provider is set to:
    cscript adsutil.vbs GET w3svc/<IDENTIFIER#>/Root/NTAuthenticationProviders
14. If the result does not show Negotiate in it, you need to set the Authentication Provider using the following command:
    cscript adsutil.vbs SET w3svc/<IDENTIFIER#>/Root/NTAuthenticationProviders "Negotiate,NTLM"
    This setting is not always automatically applied. For information, see "How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication" in the Microsoft Knowledge Base.

Figure 90. Setting the Authentication mode of the SharePoint Web site


5.3.4 Microsoft Office PerformancePoint Server Configurations
1. Ensure that all the PerformancePoint Web sites and virtual directories have Enable anonymous access cleared and Integrated Windows Authentication selected.
2. In each of the PerformancePoint WebServices and Preview folders, in the Web.config files, change the Bpm.ServerConnectionPerUser value to True.
   The Bpm.ServerConnectionPerUser configuration value forces Monitoring Server to use the identity of the authenticated user to access remote resources like Analysis Services.
   To identify the path of the Web.config files, open IIS Manager, expand the PPSMonitoring Web site, right-click the WebService virtual directory and click Properties. On the Virtual Directory tab, the Local Path gives the folder location where the Web.config for that virtual directory is located. Similarly, right-click Preview and identify the location where the Web.config file for the Preview virtual directory is located.

Figure 91. Identifying the location of the Web.config


Figure 92. Web.config for PPS WebService


Figure 93. Web.config for PPS Preview

3. Ensure that the PPSMonitoring Web site in IIS supports both NTLM and Kerberos.
4. Locate the numeric identifier for the PPSMonitoring Web site.
5. Click Start, click Run, type inetmgr, and then press ENTER.
6. Expand the local computer node, and then click the Web Sites folder. The identifier for each Web site is listed in the Identifier column.
7. Open a command prompt and change to the following directory: %systemdrive%\Inetpub\adminscripts
8. For the PPSMonitoring identifier, run the following command to check what the current Authentication Provider is set to:
   cscript adsutil.vbs GET w3svc/<IDENTIFIER#>/Root/NTAuthenticationProviders
9. If the result does not show Negotiate in it, you need to set the Authentication Provider using the following command:
   cscript adsutil.vbs SET w3svc/<IDENTIFIER#>/Root/NTAuthenticationProviders "Negotiate,NTLM"
   This setting is not always automatically applied. For information, see "How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication" in the Microsoft Knowledge Base.

126

2008Dell,Inc.Allrightsreserved.

AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration

Figure94. SettingtheAuthenticationmodeofthePPSWebsite
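The two checks above (the BPM.ServerConnectionPerUser value in each Web.config and Negotiate in NTAuthenticationProviders) can be audited together. The following is an added example, not part of the original guide: the appSettings layout of the Web.config samples and the adsutil.vbs output format are assumptions, and all sample text is constructed.

```python
import re
import xml.etree.ElementTree as ET

SETTING = "bpm.serverconnectionperuser"  # compared case-insensitively

# Constructed Web.config fragments. Assumption: the value is stored as an
# <add key="..." value="..."/> element (the usual appSettings layout).
WEB_CONFIG_OK = """<configuration>
  <appSettings>
    <add key="BPM.ServerConnectionPerUser" value="True" />
  </appSettings>
</configuration>"""
WEB_CONFIG_BAD = WEB_CONFIG_OK.replace('value="True"', 'value="False"')

# Constructed samples of what "cscript adsutil.vbs GET ..." prints
# (output format assumed, not taken from the guide).
ADSUTIL_OK = 'NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"'
ADSUTIL_NTLM_ONLY = 'NTAuthenticationProviders       : (STRING) "NTLM"'
ADSUTIL_UNSET = 'The parameter "NTAuthenticationProviders" is not set at this node.'


def per_user_connection(web_config_text):
    """Return True/False for the setting, or None when the key is absent."""
    root = ET.fromstring(web_config_text)
    for node in root.iter():
        # Strip any XML namespace so a namespaced <configuration> still matches.
        if node.tag.rsplit("}", 1)[-1] != "add":
            continue
        if (node.get("key") or "").strip().lower() == SETTING:
            return (node.get("value") or "").strip().lower() == "true"
    return None


def auth_providers(adsutil_output):
    """Extract the provider list from adsutil GET output ([] if none shown)."""
    match = re.search(
        r'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"', adsutil_output)
    if not match:
        return []
    return [p.strip() for p in match.group(1).split(",") if p.strip()]


def audit(web_configs, adsutil_output):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for name, text in sorted(web_configs.items()):
        state = per_user_connection(text)
        if state is None:
            findings.append(f"{name}: BPM.ServerConnectionPerUser key not found")
        elif state is False:
            findings.append(f"{name}: BPM.ServerConnectionPerUser is not True")
    providers = [p.lower() for p in auth_providers(adsutil_output)]
    if "negotiate" not in providers:
        shown = ",".join(providers) or "nothing"
        findings.append(
            f"NTAuthenticationProviders shows {shown}; Negotiate is not listed")
    return findings


if __name__ == "__main__":
    configs = {"WebService": WEB_CONFIG_OK, "Preview": WEB_CONFIG_BAD}
    for finding in audit(configs, ADSUTIL_NTLM_ONLY):
        print(finding)
```

On a real server, pass the text of each Web.config found through the Local Path in IIS Manager and the captured output of the GET command for the site identifier.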

5.3.5 ProClarity Analytics Server Configurations

1. Ensure that the PAS virtual directory has the Enable anonymous access cleared and Integrated Windows Authentication selected.
2. Open the Global.asa file in C:\Inetpub\wwwroot\PAS and change the method named pool.negotiateauthentication to True. This setting is required to ensure that ProClarity uses the authenticated user's credentials to access Analysis Services.

Figure 95. ProClarity Global.asa

5.4 End User System Configurations
1. In Internet Explorer Advanced settings, enable Integrated Windows Authentication.

Figure 96. Integrated Windows Authentication

2. Add the SharePoint Web site, Reporting Services Web site and PAS Web site that the user browses to the Trusted Sites collection. Under User Authentication, set the security for that zone to Automatic logon with current username and password.

Figure 97.

3. The user will need sufficient permissions on the local system to install end-user components and development tools.

6 User Access and Security Configurations
In a typical business intelligence scenario, there are multiple analytical solutions deployed with many users accessing them. Each user or user group has different sets of permissions. These permissions include authorization to view reports, access back-end database servers, role-based security to restrict the data they can see, permission to alter or publish their own content, manage other users to see content, and others.

6.1 SQL Server 2005 Database Engine
In the Microsoft Business Intelligence Technology Platform, SQL Server is used for:

- Application Catalog Database: MOSS, Reporting Services, PerformancePoint, and ProClarity Analytics Server need SQL Server to host their catalog database.
- Report Data: In our scenario Reporting Services, PerformancePoint Server and MOSS access SQL Server to fetch data for reports.
- Analysis Services Processing: Analysis Services uses a SQL Server database to fetch data to process the cube.

Note: Report data can be fetched from Analysis Services, Excel or other data sources which support OLE DB, ODBC and other formats. Analysis Services can fetch data from other sources as well.

There are two ways the users can access the back-end data source.
1. Stored Credentials: If the data source does not restrict data based on the user credentials or if the data security logic is implemented in the application itself, then the credentials (Windows account or SQL Server login) can be hard-coded in the application's data source connection string. There are other related security issues if you use stored credentials, such as ensuring that the password is not stored as plain text and is not sent over an unsecured network.
2. Windows Authentication: This is the safest way to access a back-end database server. Logins and roles on the SQL Server define the level of access a domain user or a user group has.

Figure 98. Windows User Login in SQL Server. The login could be for a single user or a user group.

Figure 99. Permissions and Role Membership in SQL Server

6.2 SQL Server 2005 Analysis Services
Analysis Services is a primary source for reporting and analytical applications like Reporting Services, PerformancePoint Server, ProClarity, Excel, and others.
Unlike the SQL Server database engine, Analysis Services has a role-based security which not only defines what objects of the OLAP solution a user has access to, but also defines what data the user is permitted to see. This is normally used in business intelligence applications where different users/user groups have access to their regional or departmental data only.

Figure 100. Role

Figure 101. Role Membership. Single users or User Groups can be added as members to a role

Figure 102. Defining Attribute security for a role

This role restricts MSDELLBI\User1 to read permission on the Analysis Services database and to the data for United States and Canada. Users belonging to this role will not be able to process or alter the database structure.

Figure 103. Excel Services View User1. Restricted role-based access to countries

Power users or Administrators can have unrestricted access to the Analysis Services Database. They will be able to see all data, alter the database structure and process the database.

Figure 104. Excel Services View Domain Admin. Unrestricted data access
Note: Similar to the example shown above in Excel Services, other applications like Reporting Services and PerformancePoint Server can restrict data based on the user's role in Analysis Services.

6.3 SQL Server 2005 Reporting Services
In SQL Server Reporting Services, authorization is provided through a role-based security model that is specific to Reporting Services.
All users interact with Reporting Services within the context of a role. A user can be assigned to different kinds of roles for different items. For example, a user who is a member of the Content Manager role for one report may be a member of the Browser role for another report.
Predefined roles are provided that group related tasks into logical units. Examples of some of the roles that are available include Content Manager, Publisher, and Browser. You can create new roles or modify the existing ones to customize the tasks that each role supports.

The user and group accounts that you specify in role assignments are created and managed through Active Directory directory services. Only valid accounts can be specified.
Users can be given various levels of access on a Report Server. Some of the roles that Reporting Services provides by default are:

Role               Permissions
Browser            May view folders, reports and subscribe to reports.
Content Manager    May manage content in the Report Server. This includes folders, reports, and resources.
Publisher          May publish reports and linked reports to the Report Server.
Report Builder     May view report definitions.

6.3.1 User Permissions

1. To provide user permissions at a report folder, open Report Manager, browse to the folder and click Properties.

Figure 105. Report Manager Home (Root level folder)

2. Click New Role Assignment.

Figure 106. Properties for Home folder in Report Manager

3. Specify the user name or the group account to which you want to give permissions to view the Reporting Services Home folder. Select one or more Role Definitions to use with this assignment.

Figure 107. New Role Assignment

4. Now MSDELLBI\User2 has permissions on the Home folder of Reporting Services.

Figure 108. MSDELLBI\User2 added

5. To delete a user or group, select the user or group, and click Delete.

Figure 109. Deleting permissions for MSDELLBI\User2 from Reporting Services

6. To edit a user role assignment, select Edit next to the user or group.

Figure 110. Editing permissions for MSDELLBI\User2

6.4 Microsoft Office PerformancePoint Server 2007
Monitoring Server, a component of PerformancePoint Server, has several roles for individuals who perform various activities. In small organizations, one or more people may be responsible for administering all the features of Monitoring Server. In larger organizations one group may be administrators on the system while another group creates libraries for reports and key performance indicators (KPIs), and designs and builds dashboards.
Permissions are granted to roles and permissions are applied to any user who belongs to a role.
There are four types of server roles for Monitoring Server:
- Administrator: This role provides complete control over Monitoring Server and access to all dashboard data. A member of the Administrator role can create, edit, and delete all dashboard elements, and can publish to the server.
- Creator: This role enables users to create reports, KPIs, scorecards, and other indicators. Members of the Creator role can publish dashboard elements to Monitoring Server. A Creator member can also delete elements if there are Editor permissions on the element. After an element has been created, the identity of the Creator member is automatically added to the Editor role of the element.
- Data Source Manager: This role enables users to create and delete data sources. Members of the Data Source Manager role can also publish data sources to Monitoring Server.
- Power Reader: This role grants read-only access to all dashboard elements on the Monitoring Server computer. This role is intended for use by service accounts or back-end services that need complete access to the system.

PerformancePoint Monitoring Server roles are created and managed using Dashboard Designer.

6.4.1 User Permissions

1. Open Dashboard Designer using the credentials of User1. User1 will not be able to create data sources or dashboard items using the designer as there are no permissions assigned to User1.

Figure 111. MSDELLBI\User1 has insufficient permissions to create a data source.

2. To add User1 to a role, open Dashboard Designer using an account that has Administrator privileges on Monitoring Server.

Figure 112. Dashboard Designer operated by a user having admin rights on PPS

3. Click the Office button and click Options.

Figure 113. Options

4. Click Connect to connect to Monitoring Server.

Figure 114. Connect to Monitoring Server

5. Click Permissions to view all the available roles on the server.

Figure 115. All Available Roles on the Server

6. Currently there are no roles defined for User1 on the Monitoring Server.

Figure 116. No Roles Defined

7. Click Add, type in MSDELLBI\User1 and select Data Source Manager as the role.

Figure 117. Added permissions for MSDELLBI\User1 as Data Source Manager

8. Now User1 will be able to create data sources using the Dashboard Designer.

Figure 118. MSDELLBI\User1 has permissions to create data sources

9. If a power user has created data sources, KPIs, reports, scorecards, and dashboards, other users need to have permissions on those objects for them to be able to view or modify the objects. For example: To give a user permission on a scorecard, click the scorecard, click Properties and add the new user with Reader or Editor permissions based on the level of access you want to grant the user.

Figure 119. Providing MSDELLBI\User1 with read access to a scorecard

6.5 Microsoft Office SharePoint Server 2007
6.5.1 User Permissions

1. For a user to be able to open a SharePoint page, the user needs to have at least reader permissions on the page.

Figure 120. MSDELLBI\User1 access denied to SharePoint site

2. To give User1 permissions on the SharePoint site, open the site using an account that has administrative privileges. Click Site Actions, click Site Settings.
3. In the Site Settings page under Users and Permissions click People and Groups.

Figure 121. Site Settings

4. To view the list of users who currently have permissions on the site click All People. To assign MSDELLBI\User1 visitor permissions, click Visitors. Click New.
5. Type MSDELLBI\User1.

Figure 122. Assign Visitor Permissions

6. User1 now has permission to browse the SharePoint site.

Figure 123. User1 access granted to SharePoint site

6.6 ProClarity Analytics Server
6.6.1 User Permissions
The Analytics Server security model provides a robust, yet flexible, structure for controlling access to Analytics Server and any referenced Microsoft Analysis Services servers. Because this role-based model leverages existing Windows NT user information, it is easily integrated into Windows environments. Moreover, you can use Analytics Server security in combination with Analysis Services (OLAP) security.
The primary elements of the Analytics Server security model are roles, access rights, and permissions:
- Roles: Determine access. No user can access Analytics Server without being a member of an Analytics Server role.
- Access rights: Determine the type of access role members have to Analytics Server, the options being Administrator, Author, or Reader.
- Permissions: Associate a role with an item on Analytics Server, such as a library or briefing book. This association determines whether the item is visible to the role members. The Analytics Server security model uses the principle of inheritance to apply (propagate) security to all items on the server. Inheritance, combined with role membership, affects how permissions take precedence. While this system may appear complex at first, it provides great flexibility.

6.6.1.1 Granting Access to PAS Web site

1. When a user tries to connect to a ProClarity Analytics Server page, the user receives a message that there are no libraries available or the user does not have access to them.

Figure 124. MSDELLBI\User1 insufficient privileges to see libraries on PAS Site

2. To give a user access to the PAS Web site and libraries, open the ProClarity Administration Tool. Create a new role called Reader. Click the Membership tab and click Add. Type MSDELLBI\User1 and accept to add User1 to that role. You can specify additional Publishing and Access rights.

Figure 125. New Reader role on ProClarity Administration Tool

Figure 126. Adding MSDELLBI\User1 to Reader Role

3. Now User1 will be able to access the libraries and pages on the site.

Figure 127. MSDELLBI\User1 has sufficient permissions to view libraries on PAS Site

4. You can also provide the user permission to invoke Web Professional from the site. In the ProClarity Administration tool click Users. Right-click the user, click Properties. Select Allow Professional Access.

Figure 128. Providing MSDELLBI\User1 with Web Professional Access

Figure 129. Selecting Professional Access

7 Troubleshooting
The following section summarizes the steps required to configure Kerberos Delegation for each Web application and also provides troubleshooting steps for some of the basic errors.

7.1 SQL Server Reporting Services
1. When you open the Report Server or Report Manager in a browser and you receive the error "Service Unavailable":
   Ensure that the Reporting Services service is running.
   Open IIS Manager. Ensure that the Web site under which the Reporting Services virtual directories are created is not stopped and the Reporting Services application pools are not stopped.
2. If you are not able to see the deployed reports or report folders, or if you get the error message "The permissions granted to user Domain\Username are insufficient for performing this operation":
   Ensure that the user you are logging in as has permissions to view the reports. Log on to Report Manager using an Administrator account and make sure the user has permissions to view the reports. Refer to User Access and Security Configuration for details on how to assign a user to a role in Reporting Services.
3. If you are not able to connect to the data source and you receive the error "Cannot create a connection to data source DataSourceName. Login failed for user Domain/Username":
   You need to verify that the user has permissions to access the data source. For user permissions on SQL Server and Analysis Services refer to the User Access and Security Configuration section.
4. If you are not able to connect to the data source and you receive the error "Cannot create a connection to data source DataSourceName. Login failed for user NT AUTHORITY\ANONYMOUS LOGON":
   This error indicates that the user's credentials are not passed across the network to the database server. You need to revisit the steps required to set up Kerberos Delegation.
5. If Reporting Services does not display the error and instead displays "For more information about this error, navigate to the report server on the local server machine, or enable remote errors":
   You can open the report on the server instead of a remote workstation to view the error details, or enable remote errors on Reporting Services. Refer to the following link to enable remote errors:
   http://msdn2.microsoft.com/enus/library/aa337165.aspx
   For information on more Reporting Services errors and troubleshooting steps refer to the following SQL Server 2005 Books Online article:
   http://msdn2.microsoft.com/enus/library/ms159135.aspx

7.2 Microsoft Office SharePoint Server 2007
1. If you are not able to access the SharePoint site or you get an "Error: Access Denied":
   Ensure that the user you are logging in as has permissions to view the SharePoint site. Log on to the SharePoint site using an Administrator account and make sure the user has permissions to view the site.
2. While browsing an Excel Services report, if you receive "Data Refresh Failed. Unable to retrieve external data for the following data connections: DataSourceName. The data sources may be unreachable, may not be responding, or may have denied you access":
   Make sure the user you are logged in as has permissions on the data source.
   If the user has permissions on the data source and you receive this error, you should make sure that the Data Connection Library is added to the Trusted Data Connection Libraries.
   Make sure you have enabled Windows Integrated Authentication in the data source and enabled Always attempt to use this file to refresh data.
   Make sure you have changed the access model from Trusted Subsystem to Delegation for Excel Services.
   Run SQL Profiler to identify the user ID with which Excel Services is trying to connect to the data source. If the login is failing due to a NT AUTHORITY\ANONYMOUS USER you need to revisit the steps required to configure Kerberos for SharePoint and Excel Services.

7.3 PerformancePoint Server 2007
1. While creating a data source in Dashboard Designer, when you click Test Connection you receive the error "Data Source Connection Failed":
   Ensure that the user has access to the data source.
   Run SQL Profiler to identify the user ID with which Dashboard Designer is trying to connect to the data source.
2. If you are not able to access a PerformancePoint Dashboard item from the SharePoint site:
   Ensure that the user you are logging in as has permissions to view the PerformancePoint object. Using PerformancePoint Dashboard Designer, connect to PerformancePoint Server using an Administrator account and make sure the user has permissions to view the objects.
3. If you can view the dashboard on a SharePoint site but the data displayed is not according to the security defined in the Analysis Services roles:
   Run SQL Profiler to identify the user ID with which the PerformancePoint Dashboard Viewer Web part is trying to connect to the data source.
   To ensure that PerformancePoint can impersonate the client user's credentials to other services like SQL Server and Analysis Services, ensure that the BPM.ServerConnectionPerUser value is set to True in the Web.config file for PerformancePoint Server and SharePoint Server.

7.4 ProClarity Analytics Server
1. When you open the ProClarity Analytics Server page, you do not see any briefing books:
   Run the ProClarity Administration tool using a ProClarity Administrator account and make sure the user has sufficient permissions to view the briefing book.
2. In the ProClarity Analytics page you do not see the option for Launch Web Professional:
   Launch the ProClarity Administration tool using a ProClarity Administration account and ensure that the user has Allow Professional Access checked.
3. When you open a ProClarity Analytics Server page and receive the error "The cube used by this page could not be found":
   Make sure the user you are logged in as has permissions on the cube.
   Run SQL Profiler to identify the user ID with which ProClarity Analytics Server is trying to connect to the data source. If the login is failing due to a NT AUTHORITY\ANONYMOUS USER you need to revisit the steps required to configure Kerberos for PAS.
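The troubleshooting entries in sections 7.1 to 7.4 all turn on which principal the back end reports in the error text. The following is an added example, not part of the original guide, that sorts collected error lines into the three causes described above; the sample lines and the category names are constructed for illustration.

```python
import re
from collections import defaultdict

# Reporting Services role problem (section 7.1, item 2).
RS_DENIED = re.compile(
    r"permissions granted to user\s+'?(?P<user>[^']+?)'?\s+are insufficient",
    re.IGNORECASE)
# Back-end login failure; the principal may be quoted or bare.
LOGIN_FAILED = re.compile(
    r"Login failed for user\s+(?:'(?P<quoted>[^']+)'|(?P<bare>[^\r\n]+?)\.?\s*$)",
    re.IGNORECASE)

# Next step per category, following the guide's troubleshooting text.
NEXT_STEP = {
    "delegation": "credentials were not passed to the back end; "
                  "revisit the Kerberos delegation steps",
    "data-source-permission": "check the user's permissions on SQL Server "
                              "or Analysis Services",
    "role-assignment": "check the user's role assignment in Report Manager",
}

# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    r"Cannot create a connection to data source 'Sales'. "
    r"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.",
    r"Cannot create a connection to data source 'Sales'. "
    r"Login failed for user 'MSDELLBI\User2'.",
    r"The permissions granted to user 'MSDELLBI\User2' are insufficient "
    r"for performing this operation.",
    r"Login failed for user NT AUTHORITY\ANONYMOUS USER",
    r"Logon  Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. "
    r"[CLIENT: 192.0.2.10]",
    r"Report 'Sales by Region' rendered in 412 ms",
]


def classify(line):
    """Return (category, principal), or (None, None) for unrelated lines."""
    match = RS_DENIED.search(line)
    if match:
        return "role-assignment", match.group("user").strip()
    match = LOGIN_FAILED.search(line)
    if match:
        user = (match.group("quoted") or match.group("bare")).strip()
        # Covers both spellings used in the guide (ANONYMOUS LOGON / USER).
        if user.upper().startswith("NT AUTHORITY\\ANONYMOUS"):
            return "delegation", user
        return "data-source-permission", user
    return None, None


def triage(lines):
    """Count matching lines per category and principal."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        category, principal = classify(line)
        if category:
            counts[category][principal] += 1
    return {category: dict(users) for category, users in counts.items()}


if __name__ == "__main__":
    for category, users in triage(SAMPLE_LINES).items():
        print(f"{category}: {NEXT_STEP[category]}")
        for user, count in sorted(users.items()):
            print(f"    {user}: {count}")
```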

8 Appendix
8.1 Appendix A
Functional Levels Background Information:
http://technet2.microsoft.com/windowsserver/en/library/4a589ca2b57248cd94d27d5b0c817f411033.mspx
What's New in SQL Server 2005 SP2:
http://download.microsoft.com/download/2/B/5/2B5E5D379B17423DBC8FB11ECD4195B4/WhatsNewSQL2005SP2.htm
Deployment Modes for Reporting Services:
http://msdn2.microsoft.com/enus/library/bb326345.aspx
Report Server How-to Topics (SharePoint Integrated Mode):
http://msdn2.microsoft.com/enus/library/bb283321.aspx
Hardware and Software Requirements for Installing SQL Server 2005:
http://technet.microsoft.com/enus/library/ms143506.aspx
Installing SQL Server Database Engine:
http://technet.microsoft.com/enus/library/ms144296.aspx
Installing SQL Server Analysis Services:
http://technet.microsoft.com/enus/library/ms143708.aspx
Installing SQL Server Reporting Services:
http://technet.microsoft.com/enus/library/ms143736.aspx
Installing SharePoint in a stand-alone machine:
http://technet2.microsoft.com/Office/enus/library/bd99c3a903334c1c9793a145769e48e61033.mspx?mfr=true
Deploying SharePoint in a simple Server Farm:
http://technet2.microsoft.com/Office/enus/library/bd99c3a903334c1c9793a145769e48e61033.mspx?mfr=true
Monitoring Server Hardware and Software Prerequisites:
http://technet.microsoft.com/enus/library/bb838773.aspx

8.2 Appendix B
SETSPN Overview:
http://technet2.microsoft.com/windowsserver/en/library/b3a029a17ff04f6f87d2f2e70294a5761033.mspx?mfr=true
Kerberos Authentication in Windows Server 2003:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerberos/default.mspx
How to use Kerberos authentication in SQL Server:
http://support.microsoft.com/kb/319723
How to configure SQL Server 2005 Analysis Services to use Kerberos authentication:
http://support.microsoft.com/kb/917409/enus
How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication:
http://support.microsoft.com/kb/832769/
Configuring Kerberos for SharePoint 2007 Blog:
http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuringkerberosforsharepoint2007part1baseconfigurationforsharepoint.aspx
Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port in Windows XP and in Windows Server 2003:
http://support.microsoft.com/kb/908209/
Essential Tips on Kerberos for SharePoint Deployers blog:
http://blogs.msdn.com/james_world/archive/2007/08/20/essentialguidetokerberosinsharepoint.aspx
Kerberos authentication and delegation for Monitoring Server:
http://technet.microsoft.com/enus/library/bb794629.aspx
Configure Monitoring Server for Kerberos constrained delegation:
http://technet.microsoft.com/enus/library/bb794629.aspx
Using Analysis Services data in Excel Services:
http://www.sharepointblogs.com/tonstegeman/archive/2007/03/11/usinganalysisservicesdatainexcelservicespart1preparingtheadforkerberos.aspx
How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000:
http://support.microsoft.com/kb/244474
How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication:
http://support.microsoft.com/kb/215383

8.3 Appendix C
8.3.1 Running 32-bit Applications on 64-bit Windows (IIS 6.0)
Windows Server 2003, Service Pack 1 enables IIS 6.0 to run 32-bit Web applications on 64-bit Windows using the Windows-32-on-Windows-64 (WOW64) compatibility layer. IIS 6.0 using WOW64 is intended to run 32-bit personal productivity applications needed by software developers and administrators, including 32-bit Internet Information Services (IIS) Web applications.

8.3.1.1 To enable IIS 6.0 to run 32-bit Web applications on 64-bit Windows

1. Open a command prompt and navigate to the %windir%\Inetpub\AdminScripts directory.
2. Type the following:
    cscript.exe adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 true
3. Press ENTER.

For additional information please refer to the following TechNet article:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0aafb9a01b1c4a39ac9a994adc902485.mspx?mfr=true

8.3.1.2 Additional Settings for ProClarity running on 64-bit Windows

Once you have run the command in the previous section to enable IIS to run in 32-bit mode on an x64 version of Windows, install ProClarity Analytics Server.
In some cases, a batch script is not executed during the installation phase while installing PAS on IIS running in 32-bit mode on 64-bit Windows. Browse to the folder C:\Inetpub\wwwroot\PAS\x64extra and check if the PInitx.bat file exists in the folder. If it exists, it has not been run. Double-click the file to run it. Reboot the machine to complete installation.
After reboot, ensure that the Web Server Extension ASP.NET v2.0.50727 (32-bit) is set to Allowed.

8.4 Appendix D
8.4.1 Service Accounts
Services in Windows are programs that run in the background. These can be set to start automatically when the system starts up or they can be started manually. They are not dependent on the user who is logged on to the computer.
The Service Account is the account that the service runs as. Services must have a logon account to operate. This requirement is necessary since all programs running in NT or later must have an account context to control the scope of their access. Since there is nobody logged on to the machine when it boots initially, the service account allows the service to start well before any user has logged on to a machine. The account requirement also allows a program to persist after someone has logged off of a machine. Services keep running under the context of the logon account for each service until each service is restarted or the machine is rebooted.
Using the right service account with the least possible permissions is very important. If not, an attacker could compromise the account to gain full and unrestricted access to the computer, domain, or even to the entire forest. So, we need to identify services that can run with lesser privileges, and downgrade those privileges methodically with just the right amount of access to the resources each service needs.
A service account could be a built-in system account or a domain user account. During installation most applications give you a default option of choosing the Local System account or Network Service account as startup accounts. For a stand-alone test machine this would work well, but an enterprise application server using built-in system accounts has its own security implications. Normally, applications run on distributed environments and server-to-server communication is required. When services on the servers run under these built-in system accounts, implementing certain required security configuration could be a challenge.

8.4.1.1 Built-In System Accounts:

- Local Service Account: The Local Service account is a special, built-in account that is similar to an authenticated user account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with no credentials.
- Network Service Account: The Network Service account is a special, built-in account that is similar to an authenticated user account. The Network Service account has the same level of access to resources and objects as members of the Users group. Services that run as the Network Service account access network resources using the credentials of the computer account.
- Local System Account: The Local System account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects.

It is recommended to use a domain user account as the service startup account and application pool identity account.
Setting up Windows Service Accounts:
http://msdn2.microsoft.com/enus/library/ms143504.aspx#Use_startup_accounts
For more information on Services and Service Accounts Security, please refer to the following planning guide:
http://www.microsoft.com/technet/security/guidance/serversecurity/serviceaccount/default.mspx

8.4.2 Application Pools

When you run IIS 6.0 in worker process isolation mode, you can separate different Web applications and Web sites into groups known as application pools. An application pool is a group of one or more URLs that are served by a worker process or set of worker processes. Any Web directory or virtual directory can be assigned to an application pool.
Every application within an application pool shares the same worker process. Because each worker process operates as a separate instance of the worker process executable, w3wp.exe, the worker process that services one application pool is separated from the worker process that services another. Each separate worker process provides a process boundary so that when an application is assigned to one application pool, problems in other application pools do not affect the application. This ensures that if a worker process fails, it does not affect the applications running in other application pools.

8.4.2.1 Isolating Web Sites and Applications

To provide comprehensive security for your Web sites and applications, you might have to ensure that the Web sites and applications are protected from other Web sites and applications that are hosted on the same server. By using a different application pool for each Web site and application on the IIS Web server you can achieve isolation between the applications and thus security.
For example, an enterprise organization might place its human resources Web site and its finance Web site on the same Web server, but in different application pools. Likewise, an ISP that hosts Web sites and applications for competing companies might run each company's Web services on the same server, but in different application pools. Using different application pools to isolate applications helps prevent one customer from accessing, changing, or using confidential information from another customer's site.

8.4.2.2 Application Pool Identity

For each application pool, you can specify an application pool identity, which is a user account that is assigned to an application pool. After specifying the application pool identity, you assign permissions (such as NTFS permissions or SQL database permissions) for each application pool identity. Because individual application pools can use different identities, you can selectively grant or deny resource access to an application pool. The Web sites and applications running in an application pool have the same user rights and resource permissions assigned to the application pool identity.
For example, if you are running two Web applications on the same Web server, each application having its own SQL Server database and file share, the application pool identity under which one application runs should not have permissions on the other application's database and file share; otherwise this would compromise the security of the other system.
For more information on isolating Web sites and applications please refer to the following Microsoft Windows Server 2003 MSDN article:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/60e38cf55ba94b30a4d40da5976b83f3.mspx?mfr=true


8.5 Appendix E
8.5.1 SAN Information
The SAN used in the test environment consists of 15 RAID disks, each having 146 GB of space. The SAN supports different RAID levels including RAID 0, RAID 1, RAID 5, RAID 10 and RAID 50 etc.

In our test environment we have configured the SQL Server DB Engine and SQL Server Analysis Services Data and Log directories on the SAN. The SAN consists of a total of 15 physical disks, as follows:

a. Physical Disk 1:0:0
b. Physical Disk 1:0:1
c. Physical Disk 1:0:2
d. Physical Disk 1:0:3
e. Physical Disk 1:0:4
f. Physical Disk 1:0:5
g. Physical Disk 1:0:6
h. Physical Disk 1:0:7
i. Physical Disk 1:0:8
j. Physical Disk 1:0:9
k. Physical Disk 1:0:10
l. Physical Disk 1:0:11
m. Physical Disk 1:0:12
n. Physical Disk 1:0:13
o. Physical Disk 1:0:14

We have configured different Data directories to use different physical disks on the SAN, and the disk allocation for the directories is as follows:

SQL Server Analysis Services DATA directory
a. Physical Disk 1:0:0
b. Physical Disk 1:0:1
c. Physical Disk 1:0:2
d. Physical Disk 1:0:3

SQL Server Analysis Services LOG directory
a. Physical Disk 1:0:4
b. Physical Disk 1:0:5

SQL Server DB Engine Data directory
a. Physical Disk 1:0:6
b. Physical Disk 1:0:7
c. Physical Disk 1:0:8
d. Physical Disk 1:0:9
e. Physical Disk 1:0:10
f. Physical Disk 1:0:11

SQL Server DB Engine LOG directory
a. Physical Disk 1:0:12
b. Physical Disk 1:0:13

8.5.2 SAN Configuration for SQL Server DATA Directory

Here are the detailed steps for configuring the SQL Server DATA directory on the SAN. We will allocate the physical disks for the Data directory as mentioned in the previous section.

1. From Dell click Open, then click Manage Applications, and then navigate to Server Administrator and click Server Administrator to launch the Dell OpenManage Server Administrator page.
2. Click Storage on the left pane and click Virtual Disks to view all the virtual disks available on the server.
3. Click Go To Create Virtual Disk Wizard to add a new Virtual Disk to the server.
4. Click Go To Advanced Wizard, select RAID 10, and type SSDATA as a name for the Virtual Disk.
5. On the Select Physical Disks page, select the desired physical disks: select Physical Disk 1:0:6 to Physical Disk 1:0:11.
6. On the Select the Virtual Disk Attributes for RAID 10 page, type SSDATA in the Name field.
7. Click Finish on the next page to finish creating the Virtual Disk on the server. Your screen should look similar to the screen below.


Figure 130. Virtual Disk Finish Page

8. If you click the Virtual Disks link on the left pane, the right pane should list your newly created Virtual Disk.
9. To initialize your newly created virtual disk, select Fast Initialize from Tasks and click Execute.
10. On the next page, it may give you a warning saying Fast Initialize destroys all data on the disk. Ignore the warning and click the Fast Initialize button to complete the initialization.
11. Your final screen should look like the following image.


Figure 131. Adding Virtual Disk to the Server

12. To view the added virtual disk on the server, go to Administrative Tools and click Computer Management.
13. In Computer Management, click Disk Management in the left pane to view the newly added Virtual Disk; it will be shown as unallocated disk space.
14. Using the Initialize and Convert Disk Wizard, complete the initialization and conversion of the disk.
15. Right-click the unallocated disk space and select New Volume to allocate a drive letter to the Virtual Disk and start using it.


8.6 Appendix F
8.6.1 Tempdb
Tempdb is a system database which is used during a lot of activities like creating temporary tables, cursors, and indexes. In SQL Server 2005, tempdb requires more disk space than earlier versions of SQL Server.

For optimal performance of tempdb you might want to consider:

- Moving tempdb to a faster drive.
- Set the recovery model of tempdb to SIMPLE. This model automatically reclaims log space to keep space requirements small.
- Set the initial size of tempdb files to a large value based on the typical workload in your environment. This avoids frequent growth of the tempdb files.
- There are cases when there is more workload and tempdb needs to grow. For such cases you need to set the tempdb files to grow automatically.
- Ensure that the file growth increment is set reasonably. A very small value could mean that tempdb might have to constantly keep expanding, which is an expensive process.
- Create many tempdb files to reduce contention. It's a general practice to create one file for each logical CPU on the server. Ensure that each tempdb file is the same size; this allows for optimal proportional fill performance.

For more detailed information on Optimizing TempDB refer to the following MSDN article: http://msdn2.microsoft.com/enus/library/ms175527.aspx
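The recommendations above can be checked, and the file settings applied, from a query window. The script below is an added example, not part of the original white paper; tempdev is the default logical name of the tempdb data file, while tempdev2, the E:\ path and the 1024 MB and 256 MB figures are assumed sample values to be replaced with ones that fit your workload.

```sql
-- Added example. tempdev is the default tempdb data file name; tempdev2,
-- the E:\ path and the 1024 MB / 256 MB figures are assumed sample values.

-- 1. Recovery model currently in effect for tempdb.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE name = N'tempdb';

-- 2. Per-file size and autogrowth. size and growth are stored in 8 KB pages
--    unless is_percent_growth = 1, in which case growth is a percentage.
SELECT name AS LogicalName, type_desc, physical_name,
       size * 8 / 1024 AS SizeMB,
       CASE WHEN growth = 0 THEN 'autogrowth off'
            WHEN is_percent_growth = 1 THEN CAST(growth AS varchar(10)) + ' %'
            ELSE CAST(growth * 8 / 1024 AS varchar(10)) + ' MB'
       END AS Growth
FROM tempdb.sys.database_files;

-- 3. Data file count against logical CPUs. DistinctSizes = 1 means every
--    data file has the same size, as recommended for proportional fill.
SELECT (SELECT cpu_count FROM sys.dm_os_sys_info) AS LogicalCPUs,
       COUNT(*) AS DataFiles,
       COUNT(DISTINCT size) AS DistinctSizes
FROM tempdb.sys.database_files
WHERE type_desc = 'ROWS';

-- 4. Give the existing data file a fixed initial size and growth increment,
--    then add a second data file with identical settings.
--    MODIFY FILE fails if SIZE is not larger than the file's current size.
ALTER DATABASE tempdb
MODIFY FILE (NAME = tempdev, SIZE = 1024MB, FILEGROWTH = 256MB);

ALTER DATABASE tempdb
ADD FILE (NAME = tempdev2, FILENAME = 'E:\Tempdev2.ndf',
          SIZE = 1024MB, FILEGROWTH = 256MB);
```

Query 3 reads sys.dm_os_sys_info, which requires the VIEW SERVER STATE permission.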

8.6.1.1 To Move TempDB

In SQL Server 2005, it is possible to move system databases from one location to another. Moving system databases may be useful in the following situations:

- Failure recovery. For example, the database is in Suspect mode or has shut down because of a hardware failure.
- Planned relocation.
- Relocation for scheduled disk maintenance.

This section describes the steps involved to move Tempdb to a new location.

1. Open SQL Server Management Studio.
2. Open a new query window by clicking on File, clicking New, and then clicking Database Engine Query. In the Connect to Database Engine window, type the server name. In the Authentication drop-down list choose Windows Authentication. If you choose SQL Server Authentication, specify the credentials of a SQL Server login with administrative rights on the SQL Server. Click Connect.
3. Run the following command to identify the path where the Tempdb files are located:


-- List the logical name, current path and state of each file of the database.
SELECT name AS DBFileName, physical_name AS CurrentLocation, state_desc AS CurrentState
FROM sys.master_files
WHERE database_id = DB_ID(N'<database_name>');

Example:
SELECT name AS DBFileName, physical_name AS CurrentLocation, state_desc AS CurrentState
FROM sys.master_files
WHERE database_id = DB_ID(N'tempdb');

Figure 132. TempDB Path

4. For each file to be moved, run the following statement:


-- Point the logical file at its new physical path; takes effect at the next restart.
ALTER DATABASE database_name MODIFY FILE ( NAME = logical_name , FILENAME = 'new_path/os_file_name' );

Example:
ALTER DATABASE tempdb MODIFY FILE ( NAME = tempdev , FILENAME = 'E:\Tempdev.mdf' );
ALTER DATABASE tempdb MODIFY FILE ( NAME = templog , FILENAME = 'E:\Templog.ldf' );

5. To complete the move process, restart the SQL Server Database Engine. Once SQL Server starts, it uses the Tempdb files from the new location.
6. Verify the file change by running the following query:


-- Confirm that CurrentLocation now shows the new path for each file.
SELECT name AS DBFileName, physical_name AS CurrentLocation, state_desc AS CurrentState
FROM sys.master_files
WHERE database_id = DB_ID(N'<database_name>');

Example:
SELECT name AS DBFileName, physical_name AS CurrentLocation, state_desc AS CurrentState
FROM sys.master_files
WHERE database_id = DB_ID(N'tempdb');


Please refer to the following product documentation article for detailed information on moving system databases in SQL Server 2005: http://msdn2.microsoft.com/enus/library/ms345408.aspx

8.6.1.2 To Add tempdb Files and Set Autogrowth

To add additional files to tempdb:

1. Open SQL Server Management Studio.
2. In Object Explorer expand Databases. Expand System Databases. Right-click tempdb and click Properties.
3. Click Files.
4. Click Add to add a new file to tempdb. Type a name for each file you add.
5. Ensure that the path for the tempdb files is set to the folder where you want to place them.
6. For each of the data files ensure that the initial size is set to the same value.
7. Choose an appropriate autogrowth option.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

2008 Dell Inc. Reproduction in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden.

Trademarks used in this text: AMD, and Opteron are registered trademarks of AMD Corporation; Microsoft, Windows, and Windows Server are registered trademarks of Microsoft Corporation.
