Kerberos Configuration Manager for SQL Server (KerberosConfigMgr) was released on May 15th 2013, and is available for download at the Microsoft Download Center at http://www.microsoft.com/en-us/download/details.aspx?id=39046.
This diagnostic tool can help troubleshoot Kerberos-related configuration issues with SQL Server. That is very exciting for us because Kerberos authentication plays a critical role in many BI-related authentication and delegation scenarios, such as enabling multi-tier BI solutions to access external data sources securely on behalf of the user. To enable end-to-end delegation all the way from the client through the middle-tier components to the external data sources, a Service Principal Name (SPN) must be registered within Active Directory Domain Services (AD DS) for each SharePoint service account, and then Kerberos Constrained Delegation (KCD) must be configured. This can be quite challenging in enterprise environments with complex AD topologies.
SharePoint shared services, such as Excel Services, PerformancePoint Services, and SQL Server Reporting Services, can use the EffectiveUserName connection string property of Analysis Services for per-user authentication, which eliminates the need to configure KCD between SharePoint shared services and Analysis Services. Even so, KCD is still a requirement if Analysis Services is supposed to access further data sources, such as SQL Server databases, on behalf of the user. One example is Analysis Services running in PowerPivot mode performing data refresh for an interactive user. Another example is Analysis Services running in Tabular mode hosting a data model with DirectQuery enabled.
KerberosConfigMgr can perform the following functions:
For more information about KerberosConfigMgr, visit the Microsoft Download Center.
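The two prerequisites described above (the SPN registered for the back-end service account, and the middle-tier account allowed to delegate to exactly that SPN) can be checked offline from `setspn -L` output and the middle-tier account's `msDS-AllowedToDelegateTo` values. The following is an added example, not part of KerberosConfigMgr or the original post; all host names, accounts and sample text are constructed, and it assumes both the FQDN and short-name SPN forms are wanted.

```python
# Added example: offline check of SPN and constrained-delegation coverage.
# Host names, account names and sample output below are constructed.

def parse_setspn(output):
    """Return the SPNs listed by `setspn -L <account>`, lower-cased."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        # SPN lines are class/host[:port-or-instance] with no spaces;
        # the "Registered ServicePrincipalNames for ..." header has spaces.
        if "/" in line and " " not in line:
            spns.add(line.lower())  # SPN comparison is case-insensitive
    return spns

def expected_spns(service_class, fqdn, suffix=None):
    """SPNs for one service under its FQDN and short host name.
    suffix is a TCP port or instance name; None means default instance."""
    short = fqdn.split(".")[0]
    tail = f":{suffix}" if suffix else ""
    return {f"{service_class}/{host}{tail}".lower() for host in (fqdn, short)}

def audit(backend_setspn, expected, allowed_to_delegate):
    """Report expected SPNs that are unregistered, and registered ones
    that the middle-tier account is not allowed to delegate to."""
    registered = parse_setspn(backend_setspn)
    allowed = {s.lower() for s in allowed_to_delegate}
    return {
        "missing_spn": sorted(expected - registered),
        "not_delegable": sorted((expected & registered) - allowed),
    }

# Constructed `setspn -L svc-sql` output for the SQL Server service account.
SAMPLE_SETSPN = (
    "Registered ServicePrincipalNames for "
    "CN=svc-sql,OU=Service Accounts,DC=contoso,DC=example:\n"
    "\tMSSQLSvc/sql01.contoso.example:1433\n"
    "\tMSSQLSvc/sql01.contoso.example\n"
)
# Constructed msDS-AllowedToDelegateTo values of the Analysis Services account.
SAMPLE_ALLOWED = ["MSSQLSvc/sql01.contoso.example"]

if __name__ == "__main__":
    wanted = expected_spns("MSSQLSvc", "sql01.contoso.example", 1433)
    for finding, spns in audit(SAMPLE_SETSPN, wanted, SAMPLE_ALLOWED).items():
        print(finding, spns)
```

In the sample, the port-qualified SPN is registered but delegation was granted only to the port-less form, so a double hop requesting `:1433` is reported as not delegable.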
I can see the constrained delegation configured for my SharePoint service account to the MSOLPSvc.3 service on my SQL 2012 SSAS server, however, this tool does not show any evidence of the Kerberos configuration. I am assuming the tool is correct since I am having issues connecting over the double hop, but I can see the SPN records when running setspn -l from the command line. There is no option to fix the Kerberos configuration. What is the tool checking for, and what could I be missing? Thanks!
The tool does not seem to be aware of AlwaysOn availability groups and the required Kerberos configuration thereof. When can we expect an updated version that is AlwaysOn cluster aware?
Kay - It was great meeting you at TechEd.
This is awesome news. Looking forward to downloading and testing this tool. Will report back with any issues or comments.
A little half-hearted, I am afraid, given it was originally developed in 1999! Great idea, certainly well overdue, but not really that helpful. SPN generator is useful though; too bad it only does it for the database engine, not Analysis Services.
Is there any way this could be open sourced so the community can contribute to the development, or created as a command line tool, so that it can be used in large environments?
Great blog entry. But it is missing the most important and simple point: HOW TO START THE TOOL. It doesn't create a Start menu icon. And maybe how to use it.
If you used the default installation path, then go to the following folder:
C:\Program Files\Microsoft\Kerberos Configuration Manager for SQL Server\
Double-click KerberosConfigMgr.exe to launch the application.
See blog: blogs.msdn.com/.../new-tool-quot-microsoft-kerberos-configuration-manager-for-sql-server-quot-is-ready-to-resolve-your-kerberos-connectivity-issues.aspx
For the record, @John D, it already works as a command line tool. You can try it by running it from a command prompt with the -h flag. If no flags are used, it's launched with a GUI.
So people know - if you're using an alias on a client to point to a default instance, you need to register a SPN for
This tool won't suggest it, but connections through the alias will make requests with the 1433 port, and it will fail. You could blow almost two weeks troubleshooting this... ask me how I know.