MicroStrategy ONE

Active Directory Account Configuration

To configure your Active Directory account, set up a service account to associate with Intelligence server, create a Service Principal Name (SPN) for it, and enable delegation for your Intelligence server.

Service Account Setup

For the Active Directory user account that you will associate with the SPN:

  1. Go to User Properties > Account.
  2. In the Account options section, clear the check box next to Account is sensitive and cannot be delegated.

The Do not require Kerberos preauthentication option is unchecked by default and should be kept that way for MicroStrategy service accounts used for Kerberos Constrained Delegation.

Create the Intelligence Server Service Principal Name (SPN)

Once the user has been created, a Service Principal Name for the Intelligence server must be attached to the user using the setspn command.

  1. Execute the setspn.exe -L <your_service_account> command to ensure no other SPN is associated with your service account.

    C:\Windows\system32>setspn.exe -L mstrsvr_acct
    Registered ServicePrincipalNames for CN=MicroStrategy Server Account,CN=Users,DC=vmnet-esx-mstr,DC=net:
  2. Add the SPN using the setspn.exe -A <SPN> <your_service_account> command.

    MicroStrategy software expects the service name to be MSTRSVRSvc and the Intelligence server port number to be appended to the hostname. The SPN should be formatted as: MSTRSVRSvc/<hostname>:<port>@<realm>. The realm does not need to be specified in the setspn command; it automatically uses the default realm of the Active Directory machine.

    C:\Windows\system32>setspn -A MSTRSVRSvc/exampleserver.example.com:34952 your_service_account
    Registering ServicePrincipalNames for CN=your_service_account,CN=Users,DC=example,DC=com
    MSTRSVRSvc/exampleserver.example.com:34952
    Updated object

    If you encounter any errors, contact your Active Directory administrator before continuing.

Enabling Unconstrained Delegation for the Intelligence Server Service

If single sign-on authentication to a warehouse database is required, an additional configuration step must be performed on the Active Directory machine. Kerberos delegation is required for the Intelligence server to authenticate the end user to the database server.

  1. After creating the SPN, open the associated service user account.
  2. On the Delegation tab select Trust this user for delegation to any service (Kerberos only).
  3. Click Apply, then OK.

Enabling Constrained Delegation for the Intelligence Server Service

  1. After creating the SPN, open the associated service user account.
  2. On the Delegation tab select Trust this user for delegation to specified services only.
  3. Click Add.
  4. Provide the service account for the destination services, then select a registered service from the list.
  5. Repeat steps 3 and 4 until each service requiring delegated access has been added.

    ASP versions of servers hosted on IIS use extra protocols to make Kerberos Constrained Delegation work, and the Use any authentication protocol option needs to be enabled for their service accounts.

  6. Click Apply, then OK.

Enabling Constrained Delegation for Intelligence Server to a Data Source

For Intelligence server to delegate to a data source:

  • Select the Use any authentication protocol option.
  • Add the Intelligence server to the list of services that accept delegated credentials.
  • Add the data source services to the list of services that accept delegated credentials.

    If the data source is an MDX provider, instead of allowing delegation to database services:

    • Add the MDX provider service.
    • On the service account of the MDX provider, allow delegation to the database services.
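
To check the result of the steps on this page, the following added example (not MicroStrategy's own code) decodes a service account's userAccountControl flags, SPNs and msDS-AllowedToDelegateTo list and reports the delegation mode plus any setting that differs from what the page describes. The function name Test-MstrServiceAccount and the sample account values, including the MSSQLSvc target, are constructed for illustration.

```powershell
# Added example. Flag values are the documented userAccountControl bits.
$UacFlags = [ordered]@{
    TRUSTED_FOR_DELEGATION         = 0x80000    # Trust this user for delegation to any service
    NOT_DELEGATED                  = 0x100000   # Account is sensitive and cannot be delegated
    DONT_REQ_PREAUTH               = 0x400000   # Do not require Kerberos preauthentication
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # Use any authentication protocol
}

function Test-MstrServiceAccount {   # hypothetical helper name
    param([Parameter(Mandatory)] $Account)

    $uac     = [int]$Account.userAccountControl
    $set     = @($UacFlags.Keys | Where-Object { $uac -band $UacFlags[$_] })
    $spns    = @($Account.servicePrincipalName | Where-Object { $_ })
    $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    if ($set -contains 'TRUSTED_FOR_DELEGATION') {
        $mode = 'Unconstrained (any service)'
    } elseif ($targets.Count -eq 0) {
        $mode = 'None'
    } elseif ($set -contains 'TRUSTED_TO_AUTH_FOR_DELEGATION') {
        $mode = 'Constrained, any authentication protocol'
    } else {
        $mode = 'Constrained, Kerberos only'
    }

    $findings = @()
    if (-not ($spns -match '^MSTRSVRSvc/[^/:@\s]+:\d+$')) {
        $findings += 'No SPN of the form MSTRSVRSvc/<hostname>:<port>'
    }
    if ($set -contains 'NOT_DELEGATED')    { $findings += '"Account is sensitive and cannot be delegated" is still set' }
    if ($set -contains 'DONT_REQ_PREAUTH') { $findings += '"Do not require Kerberos preauthentication" is set' }
    if ($mode -like 'Unconstrained*')      { $findings += 'Review: delegation is not limited to a service list' }

    [pscustomobject]@{
        Account = $Account.sAMAccountName; DelegationMode = $mode
        DelegationTargets = $targets;      Findings = $findings
    }
}

# Constructed sample; on a domain-joined host, pass instead the output of:
#   Get-ADUser mstrsvr_acct -Properties userAccountControl,servicePrincipalName,msDS-AllowedToDelegateTo
$sample = [pscustomobject]@{
    sAMAccountName             = 'mstrsvr_acct'
    userAccountControl         = (0x200 -bor 0x10000 -bor 0x1000000)  # normal account, password never expires, any protocol
    servicePrincipalName       = @('MSTRSVRSvc/exampleserver.example.com:34952')
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/db.example.com:1433')     # constructed target SPN
}
Test-MstrServiceAccount $sample | Format-List
```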