It’s been quite sometime since I’ve written blog articles.  This post talks about setting farm account for PerformancePoint Service Application in SharePoint 2010 farm.  A new PerformancePoint Service Application was created in the UI specifying the Application Pool Identity account and the configuration went well without any issues. Then when a hot fix was installed and SharePoint configuration wizard was re-run, it failed with an error in the upgrade log stating access denied for the farm account in the PerformancePoint Database.  When checked in the SQL, it turned out to be true.  When the farm account was added manually and granted it a dbo rights, the wizard worked perfectly fine.  Shouldn’t the farm account be granted the rights to this Database by default? 

We actually need to create an Unattended Service Account for PPS.  After creating PerformancePoint service application, we need to add farm account in the service account settings as an unattended service. The unattended service account is a set of domain credentials that are impersonated when connecting to a data source. The server uses the unattended service account rather than the managed account for data source queries to prevent the PerformancePoint Services process from accessing the content database during query execution The unattended service account must be set for PerformancePoint Services to connect to data sources except as the currently authenticated user. The Unattended Service account is set after you configure the PerformancePoint Service application.

Once a new Performance Service Application is created, you will get a window that details additional configuration steps that needs to be done.

clip_image001[13]

Configuring the unattended service account for PerformancePoint Services: 

Before using the Unattended Service Account, make sure that the Secure Store Service is running.  Go to Central Administration --> System Settings --> Manage Services on Server--> Secured Store Service.

To configure the secure store for PerformancePoint Services, follow these steps:

  • Go to the Central Admin home page
  • Under "Application Management" click "Manage Service Applications"
  • Click on the Secure Store Service Proxy
  • Click "Manage" in the ribbon
  • You should get a message to generate a new key. Click "Edit" on the ribbon, then click "Generate New Key". You will be required to enter a pass phrase.
  • When this completes, click "Edit" on the ribbon, then click "Refresh Key". Enter the same pass phrase you used in the previous step.

clip_image001[15]

Configure the Unattended Service Account (necessary for using "Unattended Service Account" option on Data Sources)

  • Go to the Central Admin home page
  • Under "Application Management" click "Manage Service Applications"
  • Click on the PerformancePoint Service Application
  • Click the "Manage" button in the ribbon
  • Click the first link: PerformancePoint Service Settings
  • In the "Unattended Service Account" section, enter the user name and password to be used for querying data sources.

clip_image001[17]

This should then store the new credentials in the target application of the secure store. The username is stored in the SharePoint configuration database.  When you re-enter the PPS settings page, you will see the secure store service name and the user representing the unattended service account.

clip_image001[19]

Go back to Manage Service Applications and you should see the target application mapped.

clip_image001[21]

Reference Articles:

Set up and configure PerformancePoint Services

Plan for PerformancePoint Services security