MicroStrategy ONE

Enable Integrated Authentication for IIS

Integrated authentication in MicroStrategy requires communication between your Kerberos security system, IIS, and your database.

To support integrated authentication to MicroStrategy Web (or to MicroStrategy Web Services, which in turn supports MicroStrategy Office), you must configure IIS to enable integrated authentication on the MicroStrategy virtual directory.

If you are using Microsoft Analysis Services and need to support report subscriptions, you must use connection mapping to pass users' credentials to Analysis Services. For steps to enable connection mapping, see Connection Maps: Standard Authentication, Connection Maps, and Partitioned Fact Tables.

Enable Integrated Authentication to the MicroStrategy Virtual Directory

  1. On the MicroStrategy Web server machine, access the IIS Internet Service Manager.
  2. Browse to and right-click the MicroStrategy virtual folder and select Properties.
  3. Select the Directory Security tab, and then under Anonymous access and authentication control, click Edit.
  4. Clear the Enable anonymous access check box.
  5. Select the Integrated Windows authentication check box.
  6. Click OK.
  7. If you want to enable integrated authentication for MicroStrategy Mobile, repeat the above procedure for the MicroStrategyMobile virtual folder.
  8. If you want to enable integrated authentication for MicroStrategy Web Services, repeat the above procedure for the MicroStrategyWS virtual folder.
  9. Restart IIS for the changes to take effect.
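The procedure above uses the IIS 6 Directory Security dialog. The following added example, which is not part of the MicroStrategy documentation, applies the same settings on IIS 7 or later with the WebAdministration module and then verifies them; it assumes the virtual directories live under "Default Web Site".

```powershell
# Added example, not MicroStrategy's own code: disable anonymous access and
# enable Integrated Windows authentication on the MicroStrategy virtual
# directories, then verify the result. Assumes the site 'Default Web Site'.
Import-Module WebAdministration

$site     = 'Default Web Site'
$vdirs    = @('MicroStrategy', 'MicroStrategyMobile', 'MicroStrategyWS')
$authBase = '/system.webServer/security/authentication'

# Reads the 'enabled' flag of an authentication section for a location.
# The provider returns either a bare [bool] or an attribute object with .Value.
function Get-AuthEnabled($location, $section) {
    $p = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/$section" -Name enabled
    if ($p -is [bool]) { return $p } else { return [bool]$p.Value }
}

foreach ($vdir in $vdirs) {
    $location = "$site/$vdir"
    if (-not (Test-Path "IIS:\Sites\$location")) {
        Write-Warning "$location not found; skipping."   # e.g. Mobile not installed
        continue
    }
    # Steps 4 and 5: clear anonymous access, enable Integrated Windows authentication.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

    # Verify: anonymous must be False and Windows must be True, otherwise the
    # directory would still accept unauthenticated requests.
    $anon = Get-AuthEnabled $location 'anonymousAuthentication'
    $win  = Get-AuthEnabled $location 'windowsAuthentication'
    [pscustomobject]@{ Location = $location; Anonymous = $anon; Windows = $win }
    if ($anon -or -not $win) { throw "Authentication settings on $location did not apply." }
}

# Step 9: restart IIS so the changes take effect.
iisreset
```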

Configure Web/Mobile Server for Constrained Delegation

Currently, ASP Web can only delegate users from the same domain.

Using Kerberos constrained delegation requires the following additional configuration to your Web/Mobile Server:

  • ASP impersonation must be disabled.
  • The Kerberos mode in sys_default.xml must be set to DELEGATION.
  • If the ASP application pool runs under a system account, use LocalSystem; AppPoolIdentity does not work.
  • For IIS version 7 and older: if ASP runs under a domain account, that account must be an administrator or be granted the right to act as part of the operating system.
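The following added example, not MicroStrategy's own code, checks and applies the IIS-side prerequisites listed above. It assumes the application pool is named 'MicroStrategy' and the application path is 'Default Web Site/MicroStrategy'; the Kerberos mode in sys_default.xml is not touched here and must be edited separately.

```powershell
# Added example (not from the MicroStrategy documentation). Assumed names:
# application pool 'MicroStrategy', application 'Default Web Site/MicroStrategy'.
Import-Module WebAdministration

$appPool = 'MicroStrategy'
$appPath = 'IIS:\Sites\Default Web Site\MicroStrategy'

# 1. ASP.NET impersonation must be off: with it on, each request runs as the
#    caller's token and the pool identity cannot perform constrained delegation.
$imp = Get-WebConfigurationProperty -PSPath $appPath `
    -Filter '/system.web/identity' -Name impersonate
$impOn = if ($imp -is [bool]) { $imp } else { [bool]$imp.Value }
if ($impOn) {
    Set-WebConfigurationProperty -PSPath $appPath `
        -Filter '/system.web/identity' -Name impersonate -Value $false
    Write-Host 'ASP.NET impersonation disabled.'
}

# 2. Application pool identity. ApplicationPoolIdentity cannot delegate; when a
#    built-in account is used the documentation requires LocalSystem (value 0).
$poolPath = "IIS:\AppPools\$appPool"
$model    = Get-ItemProperty $poolPath -Name processModel
switch ([string]$model.identityType) {
    'ApplicationPoolIdentity' {
        Set-ItemProperty $poolPath -Name processModel -Value @{ identityType = 0 }
        Restart-WebAppPool $appPool
        Write-Host 'Pool identity changed from ApplicationPoolIdentity to LocalSystem.'
    }
    'SpecificUser' {
        # Domain account: on IIS 7 and older it must be an administrator or hold
        # the "act as part of the operating system" right. Verify that manually.
        Write-Host "Pool runs as domain account $($model.userName); verify its rights."
    }
    default { Write-Host "Pool identity is $($model.identityType); no change made." }
}
```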

Create a Service Principal Name for IIS

It is recommended that you create a Service Principal Name (SPN) for IIS, and map it to the domain user that the application server runs as. The SPN identifies your application server as a service that uses Kerberos. For instructions on creating an SPN, refer to the Kerberos documentation.

The SPN should be in the following format:

HTTP/ASMachineName

The format is described below:

  • HTTP: This is the service class for the application server.
  • ASMachineName: This is the fully qualified host name of the server where the application server is running. It is of the form machine-name.example.com.
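As an added example that is not part of the MicroStrategy documentation, the following registers the HTTP SPN in the format above with setspn and maps it to the application pool's domain account. The host name mstrweb.example.com and the account EXAMPLE\svc-mstrweb are assumed values; replace them with your own.

```powershell
# Added example (not MicroStrategy's own code). Assumed values below.
$hostFqdn = 'mstrweb.example.com'        # ASMachineName: fully qualified host name
$account  = 'EXAMPLE\svc-mstrweb'        # domain user the application pool runs as
$spn      = "HTTP/$hostFqdn"

# Kerberos refuses tickets for an SPN registered on two accounts, so query the
# forest first. setspn -Q prints "No such SPN found." when nothing matches.
$query = setspn -Q $spn
if ($query -notmatch 'No such SPN found') {
    throw "SPN $spn is already registered:`n$($query -join "`n")"
}

# -S adds the SPN only after a duplicate check (unlike -A, which adds blindly).
setspn -S $spn $account
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# Confirm the mapping by listing the SPNs registered on the account.
setspn -L $account
```

If the application pool runs as LocalSystem instead of a domain user, the SPN belongs on the computer account, whose HOST/ SPN already covers HTTP.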

Enable Session Keys for Kerberos Security

To enable single sign-on authentication to MicroStrategy Web from a Microsoft Windows machine, you must modify a Windows registry setting on the machine hosting IIS.

Microsoft requires the allowtgtsessionkey registry setting to be modified for Kerberos security to work. For information on the implications of modifying the registry setting and steps to modify it, see Kerberos protocol registry entries and KDC configuration keys in Windows on the Microsoft site.
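The following added example, not from the MicroStrategy documentation, sets the allowtgtsessionkey value on the IIS host idempotently. The key path is the standard Kerberos parameters key under Lsa; because the setting makes TGT session keys available to user-mode processes, it is applied only on the machine hosting IIS.

```powershell
# Added example (not MicroStrategy's own code). Run elevated on the IIS host.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name = 'allowtgtsessionkey'

# The Parameters subkey may not exist on a fresh machine.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Host "$name is already 1; nothing to do."
} else {
    # REG_DWORD 1 = allow applications to retrieve the TGT session key.
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
    Write-Host "$name set to 1 (previous value: '$current')."
}
```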

Configure the krb5.ini File

If IIS hosts the web server and you configure Kerberos on it, you must also configure the krb5.ini file. This file is included with an installation of MicroStrategy Web and can be found in the following directory:

C:\Program Files (x86)\Common Files\MicroStrategy\

The path listed above assumes you have installed MicroStrategy in the C:\Program Files (x86) directory.

Kerberos only supports US-ASCII characters. Do not use any special characters when installing or configuring Kerberos.

Once you locate the krb5.ini file, open it in a text editor. The content within the file is shown below:

[libdefaults]
default_realm = <DOMAIN NAME>
default_keytab_name = <path to keytab file>
forwardable = true
no_addresses = true

[realms]
<REALM_NAME> = {
    kdc = <IP address of KDC>:88
    admin_server = <IP address of KDC admin>:749
}

[domain_realm]
.domain.com = <DOMAIN NAME>
domain.com = <DOMAIN NAME>
.subdomain.domain.com = <DOMAIN NAME>
subdomain.domain.com = <DOMAIN NAME>

You must configure the krb5.ini file to support your environment by replacing the entries enclosed in <>, which are described below:

  • <DOMAIN NAME> and <REALM_NAME>: The domain realm used for authentication purposes. A domain realm is commonly of the form EXAMPLE.COM, and must be entered in uppercase.
  • <IP address of KDC>: The IP address or host name of the Windows machine that hosts your Active Directory domain controller. This can be the same address as <IP address of KDC admin>.
  • <IP address of KDC admin>: The host name or IP address of the Windows machine that hosts your Active Directory domain controller administration server. This can be the same address as <IP address of KDC>.
  • domain.com and subdomain.domain.com: Replace these with all domains and subdomains whose users must be authenticated using the default Kerberos realm. The entry with a leading dot matches hosts within the domain; the entry without it matches the domain name itself.