MicroStrategy ONE

Intelligence Server Configuration for Integrated Authentication

Configuring Intelligence Server on Windows

Users with Intelligence server deployed on a Windows platform do not need to perform any additional configuration. Authentication is passed between libraries, so a Kerberos configuration file and keytab are not needed. If Intelligence server is running under a domain account, the account needs to be an administrator or be enabled to act as part of the operating system.

Continue to Developer Configuration for Integrated Authentication to complete setup.

Configuring Intelligence Server on Linux for Integrated Authentication

The configurations listed below are required to configure Intelligence server with your Windows domain controller and Kerberos security.

Kerberos only supports US-ASCII characters. Do not use any special characters when installing or configuring Kerberos.

You have performed the steps described in Active Directory Account Configuration.

Install Kerberos 5

You must have Kerberos 5 installed on your Linux machine that hosts Intelligence server. Your Linux operating system may come with Kerberos 5 installed. If Kerberos 5 is not installed on your Linux machine, refer to the Kerberos documentation for steps to install it.

Ensure that the Environment Variables are Set

Once you have installed Kerberos 5, you must ensure that the following environment variables have been created:

The variables must be set when the Intelligence server starts in order to take effect.

| Variable | Description | Default | Required/Optional |
|---|---|---|---|
| ${KRB5_HOME} | Location of all Kerberos configuration files | /etc/krb5 | Optional |
| ${KRB5_CONFIG} | Location of the default Kerberos configuration file | /etc/krb5/krb5.conf | Required |
| ${KRB5CCNAME} | Location of the Kerberos credential cache | /etc/krb5/krb5_ccache | Optional |
| ${KRB5_KTNAME} | Location of the Kerberos keytab file | /etc/krb5/krb5.keytab | Required |

For Kerberos Constrained Delegation: The environment variable ${KRB5_CLIENT_KTNAME} needs to be set to point to the keytab file used by Intelligence server.

Configure the krb5.keytab File for the Intelligence Server

You must create and configure the krb5.keytab file. The steps to configure this file on your Linux machine are provided in the procedure below.

The procedure below requires a few variables to be entered for various commands. This includes information you can gather before you begin the procedure. The required variables in the following procedure are described below:

  • ISMachineName: The name of the Intelligence server machine.
  • ISPort: The port number for Intelligence server.
  • KeyVersionNumber: The key version number, retrieved as part of this procedure.
  • EncryptionType: The encryption type used.

    We recommend that you use rc4-hmac as the encryption type. Other encryption types may cause compatibility issues with the Windows Active Directory.

  • DOMAIN_REALM: The domain realm for your Intelligence server, which must be entered in uppercase.

To Create a krb5.keytab File

  1. Log in to your Linux machine.
  2. Retrieve the key version number for your Intelligence server service principal name, using the following command:

    kvno MSTRSVRSvc/ISMachineName:ISPort@DOMAIN_REALM

    The key version number is displayed on the command line.

  3. In the command line, type the following commands:

    ktutil
    addent -password -p MSTRSVRSvc/ISMachineName:ISPort@DOMAIN_REALM -k KeyVersionNumber -e EncryptionType
    wkt /etc/krb5/krb5.keytab
    exit
  4. To verify the keytab file, type the following command:

    kinit -k -t /etc/krb5/krb5.keytab MSTRSVRSvc/ISMachineName:ISPort@DOMAIN_REALM

    The command should run without prompting you for a username and password.
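
A pre-start check for the variables and keytab configured above, as an added example that is not part of the MicroStrategy documentation. The function names are hypothetical; it assumes the keytab, which holds the service principal's long-term key, should be readable only by the account that runs Intelligence server.

```shell
#!/bin/sh
# Added example: pre-start check of the Kerberos variables and keytab from this page.
# Function names are hypothetical; variable names and defaults come from the table above.

# Print the group/other permission characters of a file ("------" for mode 0600).
group_other_perms() {
    perms=$(ls -ld -- "$1" | cut -c1-10)
    printf '%s\n' "${perms#????}"
}

# Succeed only if the keytab exists and grants nothing to group or other.
check_keytab() {
    [ -f "$1" ] || { echo "FAIL: keytab $1 not found"; return 1; }
    if [ "$(group_other_perms "$1")" != "------" ]; then
        echo "FAIL: $1 is accessible to group/other (expected mode 600 or 400)"
        return 1
    fi
    echo "OK: keytab $1"
}

# Succeed only if both required variables are set and point at existing files.
check_krb5_env() {
    rc=0
    for name in KRB5_CONFIG KRB5_KTNAME; do
        eval "value=\${$name:-}"
        value=${value#FILE:}            # a keytab name may carry a FILE: prefix
        if [ -z "$value" ]; then
            echo "FAIL: required variable $name is not set"; rc=1
        elif [ ! -f "$value" ]; then
            echo "FAIL: $name points to missing file $value"; rc=1
        elif [ "$name" = KRB5_KTNAME ]; then
            check_keytab "$value" || rc=1
        fi
    done
    # Optional variables: report the value in effect, using the documented defaults.
    echo "INFO: KRB5_HOME=${KRB5_HOME:-/etc/krb5}"
    echo "INFO: KRB5CCNAME=${KRB5CCNAME:-/etc/krb5/krb5_ccache}"
    return "$rc"
}
```

Source the file in the shell that starts Intelligence server and call check_krb5_env before start-up, because the variables only take effect if they are set at that point.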

Configure the krb5.conf File for the Intelligence Server

You must create and configure a file named krb5.conf. This file is stored in the /etc/krb5/ directory by default.

If you create a krb5.conf file in a directory other than the default, you must update the KRB5_CONFIG environment variable with the new location. Refer to your Kerberos documentation for steps to modify the KRB5_CONFIG environment variable.

The contents of the krb5.conf should be as shown below:

[libdefaults]
default_realm = DOMAIN_REALM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
forwardable = true
no_addresses = true

[realms]
DOMAIN_REALM = {
kdc = DC_Address:88
admin_server = DC_Admin_Address:749
}

[domain_realm]
.domain.com = DOMAIN_REALM
domain.com = DOMAIN_REALM
.subdomain.domain.com = DOMAIN_REALM
subdomain.domain.com = DOMAIN_REALM

The variables in the syntax above are described below:

  • DOMAIN_REALM: The domain realm used for authentication purposes. A domain realm is commonly of the form EXAMPLE.COM, and must be entered in uppercase.
  • domain.com and subdomain.domain.com: Use this for all domains and subdomains whose users must be authenticated using the default Kerberos realm.
  • DC_Address: The host name or IP address of the Windows machine that hosts your Active Directory domain controller. This can be the same address as DC_Admin_Address.
  • DC_Admin_Address: The host name or IP address of the Windows machine that hosts your Active Directory domain controller administration server. This can be the same address as DC_Address.
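
A lint for the krb5.conf layout shown above, as an added example that is not part of the MicroStrategy documentation. It checks that the realm is uppercase wherever it appears and that the default realm has a [realms] entry with a kdc line. The function names, the example.com domain and the dc1.example.com host are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a krb5.conf against the layout on this page.
# Prints one line per problem; returns non-zero if any were found.
lint_krb5_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                        # comment line
    /^[ \t]*$/    { next }                        # blank line
    /^[ \t]*\[/   { section = trim($0); next }    # section header
    section == "[libdefaults]" && /=/ {
        split($0, kv, "=")
        if (trim(kv[1]) == "default_realm") def = trim(kv[2])
        next
    }
    section == "[realms]" && index($0, "{") {
        split($0, kv, "="); realm = trim(kv[1]); seen[realm] = 1; next
    }
    section == "[realms]" && index($0, "}") { realm = ""; next }
    section == "[realms]" && realm != "" && /=/ {
        split($0, kv, "="); if (trim(kv[1]) == "kdc") kdc[realm] = 1; next
    }
    section == "[domain_realm]" && /=/ {
        split($0, kv, "="); target = trim(kv[2])
        if (target != toupper(target)) { print "domain_realm target not uppercase: " target; bad = 1 }
    }
    END {
        if (def == "") { print "no default_realm in [libdefaults]"; bad = 1 }
        else {
            if (def != toupper(def)) { print "default_realm not uppercase: " def; bad = 1 }
            if (!(def in seen)) { print "default_realm has no [realms] entry: " def; bad = 1 }
            else if (!(def in kdc)) { print "no kdc listed for realm " def; bad = 1 }
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample in the layout from this page; $1 is the realm name to write.
sample_conf() {
    cat <<EOF
[libdefaults]
default_realm = $1
[realms]
$1 = {
kdc = dc1.example.com:88
}
[domain_realm]
.example.com = $1
EOF
}
```

For example, `sample_conf example.com > /tmp/test.conf; lint_krb5_conf /tmp/test.conf` reports the lowercase realm in both [libdefaults] and [domain_realm].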