Enable Integrated Authentication

Integrated authentication enables a Windows user to log in once to their Windows machine. The user does not need to log in again separately to Developer or MicroStrategy Web. This type of authentication uses Kerberos delegation to validate a user's credentials. Kerberos delegation occurs when a service needs to provide the Kerberos user's credentials to access another service. For example, in MicroStrategy when doing integrated authentication in Web, the web server needs to "delegate" the user's credentials to Intelligence server so that the user can log in seamlessly. In addition to authenticating users to Developer and MicroStrategy Web, integrated authentication also passes user credentials down to the database server. This allows each user's credentials to be used to return data from the database.

MicroStrategy also supports an Active Directory configuration that makes use of Kerberos Constrained Delegation to improve overall security associated with service communications. Kerberos Constrained Delegation is a new way to delegate Kerberos user's credentials with improved security. Implementing Kerberos Constrained Delegation involves specifying the services that are allowed in terms of Intelligence server Kerberos Delegation, in essence creating a "white list" of allowed services.

For single sign-on with integrated authentication to work, users must have user names and passwords that are printable, US-ASCII characters. This limitation is expected behavior in Kerberos. This limitation is important to keep in mind when creating a multilingual environment in MicroStrategy.