
Pyramid Analytics

Installation Guide

Version 4.6

Copyright Pyramid Analytics 2010-2012

A Quick Guide and Overview for Installing Pyramid Analytics


o Start by checking that your server has all the prerequisite operating system and software requirements.
o Assemble all the credentials and system information needed to install the application:
  o SQL Server details and login credentials
  o Active Directory and domain details, and a domain account with enhanced privileges
  o SQL Server Analysis Services details
  o Web URL details
o Install the main application from the media as an Administrator.
o Run the configuration wizard to complete the installation:
  o Pyramid Application License Key
o Launch the administrative console and run the quick start wizard:
  o Enter the initial client licensing key, users and roles

Minimum Server Hardware Requirements


                 Minimum        Recommended
  Windows OS     Server 2008    Server 2008 R2 / 2012
  Windows        32-bit         64-bit
  Cores          4              4
  Memory (GB)    4              8
  Disk (MB)      150            150

Pyramid Analytics| Version 4.6 Installation Guide

Contents

1. Installation ..................................................... 4
   A. Server & System Prerequisites ................................. 4
   B. Basic Install ................................................. 5
   C. Configuration Wizard .......................................... 6
   D. Post Configuration Steps ...................................... 7
      i.   Firewalls ................................................ 7
      ii.  Security Setup ........................................... 7
      iii. Testing Communications: Diagnostics ...................... 7
2. Administration ................................................... 8
   A. Setting-up Licenses, Users and Roles .......................... 8
3. Client ........................................................... 9
4. Troubleshooting Guide ........................................... 10
5. Appendix ........................................................ 11
   A. SQL Server Settings .......................................... 11
   B. Distributed Transaction Coordinator Settings ................. 11
   C. Web Application Settings and Customizations ................. 12
      i.   Web Site Deployment Options ............................. 12
      ii.  Using an SSL certificate and HTTPS ...................... 13
   D. Web Authentication Models .................................... 14
      i.   Basic Authentication Models ............................. 14
      ii.  Windows Authentication Models ........................... 14
      iii. Forms Authentication Models ............................. 14
   E. Log-on-Locally Impersonation Setup ........................... 15
      i.   Local OS setup .......................................... 15
      ii.  Active Directory setup .................................. 15
   F. Kerberos Delegation Setup .................................... 16
      i.    Introduction ........................................... 16
      ii.   Other Documentation & Tools ............................ 16
      iii.  Overview ............................................... 17
      iv.   Prerequisites .......................................... 17
      v.    Configuration Steps: Delegation and SPNs ............... 17
      vi.   Client Configuration ................................... 19
      vii.  Testing Your Configuration ............................. 20
      viii. Troubleshooting ........................................ 20
   G. Constrained Delegation ....................................... 25
      i.   Constrained Vs. Full: Overview .......................... 25
      ii.  Pyramid Multi Servers Architecture ...................... 25
      iii. Configurations from Domain Controller ................... 26
      iv.  Summary ................................................. 27
   H. Windows 8 & Windows Server 2012 .............................. 28
   I. Performance Load Balancing Options ........................... 29


1. Installation

A. Server & System Prerequisites

1. The Pyramid application is comprised of 3 installed application components: the web client application, the router server and the application server. Each can be installed on a single machine or on separate machines with these operating systems:
   i. Web Server: Windows 2003, 2008, 2008 R2 or 2012 (32 or 64 bit)
   ii. Router Server: Windows 2008, 2008 R2 or 2012 (32 or 64 bit)
   iii. Application Server: Windows 2008, 2008 R2 or 2012 (32 or 64 bit)
   For each OS type ensure that:
   o User Account Control is turned off and that the installing user has FULL, TRUSTED ADMINISTRATIVE RIGHTS on the server(s).
   o IIS 7 is installed (with Windows and Basic authentication).
   Only the web client application is supported on Windows 2003 R2 x86. The router and application servers MUST be installed on a Windows 2008/2012 server. For Windows 2003 ensure:
   o The installing user installs the software as an Administrator with FULL, TRUSTED ADMINISTRATIVE RIGHTS on the server(s).
   o IIS 6 is installed (with Windows and Basic authentication).
2. On all operating systems:
   o Microsoft Distributed Transaction Coordinator is installed and running.
   o Multi-server deployments must be within an Active Directory framework (2003 / 2008 / 2012). In this scenario, ensure the server is ALREADY part of the domain.
   o Kerberos and Service Principal Names (SPNs) need to be enabled and established in a multi-server deployment, except for Basic and Forms Authentication deployments where administrators choose to give end users log-on-locally rights.
3. SQL Server 2008/2012 is installed and running on the machine hosting the Content Store Database. You will need SQL Server authentication credentials with full ADMIN rights (see the appendix of this document for more details).


B. Basic Install

1. Launch the ISO on the target server as an ADMINISTRATOR. Before installing, ensure that the installation user has full administrative access to the server and that User Account Control has been turned completely off.
2. The Pyramid BIO application requires the Microsoft .NET 4.0 Framework. The installer will automatically install this component before continuing. It may require a server reboot once installed before the application installation can continue.
3. Provide a domain user name and password if the application is going to be installed in an Active Directory framework.
4. Provide the database details for the content store.
5. Install the package:
   a. Choose COMPLETE to install all 3 components (web, router and application) to a single server (2008/2012 only).
   b. Choose CUSTOM to install one or more components on separate servers.
6. After installation, run the Configuration Wizard from the last step in the installer. This is a CRUCIAL process that must be completed before launching the application (see next section).
7. Once configured, launch the administrative console and complete the QUICK START wizard to set up licenses and users.

Note: Before users can log into a cube, ensure that either:
a. SPNs have been set up correctly for a multi-server deployment
   i. See the Kerberos set-up step in the appendix of this document.
b. Or, the log-on-locally access rights have been granted for the alternative Basic and Forms Authentication deployments
   i. See the Impersonation set-up step in the appendix of this document.


C. Configuration Wizard

NOTE: Some steps may not be presented depending on which components have been installed on a particular server.

1. Database confirmation: enter all the details of the database into this panel. You cannot continue unless all of the information is correct. The user ID must be a SQL Server user ID. This step is skipped if SQL authentication was used during installation.
2. Application License: enter the application license provided by Pyramid. Also mark off whether you will allow the system to auto-submit errors to Pyramid's central database. The auto-error logging feature does NOT capture user details, data or queries.
3. Master Account Setup: enter a username and password for the application master account. These credentials will provide access to the administrative console for configuring the application.
4. Active Directory: provide the details of the operating system security framework being deployed. Using an Active Directory (2003 / 2008 / 2012) is highly recommended (and required for multi-server deployments). Please see the appendix on Local OS and Active Directory Impersonation Setup required for the application.
   a. For Active Directories:
      i. Provide the LDAP address for the root node of the AD in the form LDAP://dc=xx,dc=yy,dc=zz where the AD root node is xx.yy.zz. Click the RESET button to auto-generate this address.
   b. For Local OS Security:
      i. Provide the WinNT address for the machine in the form WinNT://machine-name (note that WinNT is case sensitive). Click the RESET button to auto-generate this address.
   c. For both security frameworks provide the domain name.
      i. If this application is using local OS security, the domain is typically the machine name.
      ii. If the application is using AD security, this is the first part of the AD root node: xx in xx.yy.zz.
   d. Installers must indicate whether the installation is a multi-server installation.
   e. When the installation does NOT detect an installed web component, you are also prompted to indicate what type of web authentication model will be used: Basic, Forms or Windows Authentication. If Basic or Forms is chosen, administrators can elect whether Kerberos or Log-on-Locally rights will be given to end users.
5. Datasources: the configuration wizard allows you to provide up to 3 different OLAP data sources (you can add more in the administrative console). Enter the name of the OLAP servers and their IP addresses. Instance names are optional.
   a. These OLAP servers must be within the SAME security framework as entered in step 4 above (i.e. they should all belong to the same Active Directory as the server hosting the application). It is strongly recommended that you enter at least one SSAS/OLAP server at this point.
6. Application Server: provide the name, IP address and port number (1) of the server hosting the application server. The default is the current machine's registered name and its first IPv4 address.
   a. Provide the SPN if using a multi-server deployment (see instructions for SPNs).
7. Router Server: provide the name, IP address and port number (1) of the server hosting the router server. The default is the current machine's registered name and its first IPv4 address.
   a. Provide the SPN if using a multi-server deployment (see instructions for SPNs).
8. Web Server: provide the name and IP address of the server hosting the web application. The default is the current machine's registered name and its first IPv4 address. You must also provide the web site name that will be hosting the application. This will match the web URL you provided during the installation process.
   a. Indicate whether you are going to use an SSL certificate for the web application (see instructions in the appendix for deploying the site under HTTPS).
   b. Indicate whether you want the configuration wizard to make entries in your local HOSTS file to temporarily enable browsing of the site URL while your permanent DNS settings are configured.
   c. For Forms authentication, indicate if you are using direct forms or federated forms. For federated forms, you must provide the web domain name for the overall site and the default login page address for redirects when auto-login fails.
9. ProClarity Analytics Server: provide the details for the PAS 6.3 SQL database content store for legacy content support. This includes the SQL Server machine name, database name and a SQL Server user ID with the credentials to read from that database.
10. Click FINISH to commit your changes.

(1) Port numbers should reflect ports that are open and available BETWEEN servers when in a multi-server deployment.

Where installed, the configuration wizard will then start up the Pyramid Application and Router Services. To check that the application and router servers have been launched successfully:
o Open the Windows Event Viewer, under Administrative Tools.
o Open the Applications and Services Logs, and click on the Pyramid Catalog.
o Logged events should show that both the application and router servers have started successfully.

See the troubleshooting guide if services do not start.

D. Post Configuration Steps


Before attempting to login and start administering the application, administrators may need to complete the following steps.

i. Firewalls

In a multi-server deployment for both basic and windows authentication systems, administrators MUST ensure that the ports between the different servers are OPEN for both the Router and Application Servers described in C6.a and C7.a above. In Windows 2008 Server, the Domain firewall is typically the only Windows Firewall type that needs to have these ports opened. However, administrators may need to tailor this to their own environments and conditions.
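The following PowerShell script is an added example and not part of the Pyramid documentation. Run on the web server, it checks that the Router and Application Server ports from steps C6/C7 actually accept a TCP connection, then lists the inbound Windows Firewall rules on the local host that open those ports and which profiles (Domain, Private, Public) they apply to. The host names and port numbers are placeholders; substitute the values entered in the configuration wizard. It uses netsh rather than Get-NetFirewallRule so that it works on Windows Server 2008 and 2008 R2 as well as 2012 (the netsh text parsing assumes English output).

```powershell
# Added example (not Pyramid's own code). Placeholders: host names and ports.
$targets = @(
    @{ Name = 'router.mysite.com'; Port = 9000 },   # assumed router port
    @{ Name = 'app.mysite.com';    Port = 9001 }    # assumed application server port
)

function Test-PyramidPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # BeginConnect + WaitOne gives a bounded timeout; a plain Connect() can block ~20s
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no answer within the timeout: filtered or not listening
        }
        $client.EndConnect($ar)    # throws if the connection was actively refused
        return $true
    } catch {
        return $false              # DNS failure or connection refused
    } finally {
        $client.Close()
    }
}

function Get-InboundRulesForPort {
    param([int]$Port)
    # netsh prints one "Key: value" block per rule, blocks separated by blank lines
    $text = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
    foreach ($block in ($text -split "`n\s*`n")) {
        if ($block -match 'LocalPort:\s+(\S+)' -and (($Matches[1] -split ',') -contains "$Port")) {
            $name = if ($block -match 'Rule Name:\s+(.+)') { $Matches[1].Trim() } else { '?' }
            $prof = if ($block -match 'Profiles:\s+(.+)')  { $Matches[1].Trim() } else { '?' }
            $en   = if ($block -match 'Enabled:\s+(.+)')   { $Matches[1].Trim() } else { '?' }
            New-Object PSObject -Property @{ RuleName = $name; Profiles = $prof; Enabled = $en; Port = $Port }
        }
    }
}

# 1. Reachability from this machine to the router and application servers
foreach ($t in $targets) {
    $state = if (Test-PyramidPort -HostName $t.Name -Port $t.Port) { 'OPEN' } else { 'BLOCKED/CLOSED' }
    Write-Host ('{0}:{1}  {2}' -f $t.Name, $t.Port, $state)
}

# 2. Inbound rules on this host for the same ports. Run this on each server too;
#    a rule scoped to Private/Public only will not help a domain-joined server.
foreach ($t in $targets) {
    $rules = @(Get-InboundRulesForPort -Port $t.Port)
    if ($rules.Count -eq 0) {
        Write-Warning "No inbound firewall rule on this host names local port $($t.Port)"
    } else {
        $rules | Format-Table RuleName, Port, Profiles, Enabled -AutoSize
    }
}
```

A port that is OPEN from the web server but has no Domain-profile rule on the target usually means the firewall is off or a broader rule (for example a port range, which this parser does not expand) covers it; check the rule before relying on it.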

ii. Security Setup

Service Principal Names (SPNs)


In a multi-server deployment the configurator will ATTEMPT to create and add SPNs on the relevant servers. Administrators should manually check that this process completed successfully and setup all the server delegations for Kerberos and the SPNs if not. Details on this can be found in the appendix.
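The following PowerShell script is an added example and not Pyramid's own tooling; it covers the manual check this paragraph asks for and also shows where the LDAP root address requested in wizard step C4.a comes from. It reads the AD root from RootDSE, confirms each expected SPN is registered exactly once with setspn, and reads the delegation flags straight from the service account object so you can see whether the account is set up for unconstrained ("Full") or constrained delegation. The SPN strings and the account name are hypothetical placeholders; use the SPNs you entered in steps C6.a and C7.a and the account the services run as. It must run as a domain user on a machine with the setspn tool (part of the AD DS tools).

```powershell
# Added example (not Pyramid's own code). Placeholders: SPNs and service account name.

# 1. The LDAP root the wizard's RESET button auto-generates (step C4.a)
$rootDse  = [adsi]'LDAP://RootDSE'
$ldapRoot = 'LDAP://' + $rootDse.defaultNamingContext   # e.g. LDAP://dc=xx,dc=yy,dc=zz
Write-Host "AD root: $ldapRoot"

# 2. SPN registration. A missing SPN means the client cannot get a Kerberos ticket for
#    the service; a DUPLICATE SPN is worse, because the KDC cannot tell which account to
#    encrypt the ticket for, and the client silently falls back to NTLM, which cannot be
#    delegated on to SSAS.
$expectedSpns = @(
    'PyramidApp/app.mysite.com',       # hypothetical SPN entered in step C6.a
    'PyramidRouter/router.mysite.com'  # hypothetical SPN entered in step C7.a
)
foreach ($spn in $expectedSpns) {
    $out = setspn -Q $spn
    if ($out -match 'Existing SPN found') { Write-Host "OK       $spn" }
    else                                  { Write-Warning "MISSING  $spn" }
}
Write-Host "`nForest-wide duplicate SPN scan (setspn -X):"
setspn -X

# 3. Delegation flags on a service account, read from the userAccountControl bits
#    and the msDS-AllowedToDelegateTo attribute.
function Get-DelegationState {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]$ldapRoot
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $null = $searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'))
    $r = $searcher.FindOne()
    if ($r -eq $null) { throw "Account $SamAccountName not found under $ldapRoot" }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Account              = $SamAccountName
        SPNs                 = @($r.Properties['serviceprincipalname'])
        TrustedForDelegation = (($uac -band 0x80000) -ne 0)    # TRUSTED_FOR_DELEGATION: unconstrained ("Full")
        ConstrainedTargets   = @($r.Properties['msds-allowedtodelegateto'])  # non-empty: constrained delegation
        NotDelegated         = (($uac -band 0x100000) -ne 0)   # NOT_DELEGATED: account cannot be delegated at all
    }
}

Get-DelegationState -SamAccountName 'svc-pyramidapp' | Format-List   # hypothetical account
```

If TrustedForDelegation is false and ConstrainedTargets is empty, no delegation has been configured for that account and the Kerberos test in the Diagnostics page will fail. Prefer the constrained form (a populated msDS-AllowedToDelegateTo listing only the SSAS SPNs) over the unconstrained flag; the appendix section on Constrained vs. Full delegation covers the difference.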

Log-on-Locally Access
For deployments where administrators have elected to grant log-on-locally rights and use basic or forms authentication, administrators MUST allow end users the right to Log-on-Locally to the host servers through the Active Directory GPO settings, to ensure users can be authenticated for secure access. Details can be found in the appendix.
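The following PowerShell script is an added example and not part of the Pyramid documentation. It verifies, on a Pyramid host, that the "Allow log on locally" right (SeInteractiveLogonRight) actually contains the group the GPO is supposed to deliver, by exporting the effective local security policy with secedit and translating the SIDs it contains back to account names. The group name is a hypothetical placeholder. Run it in an elevated prompt; if the group is missing shortly after a GPO change, the troubleshooting guide's advice applies: force a refresh with gpupdate /force and re-run.

```powershell
# Added example (not Pyramid's own code). Placeholder: the end-user group name.
function Get-InteractiveLogonPrincipals {
    $tmp = Join-Path $env:TEMP 'secpol.inf'
    # secedit exports the effective policy, including rights assigned through GPO
    $null = secedit /export /cfg $tmp /areas USER_RIGHTS
    $line = Get-Content $tmp | Where-Object { $_ -like 'SeInteractiveLogonRight*' } | Select-Object -First 1
    Remove-Item $tmp -Force
    if (-not $line) { return @() }
    # Line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,MYDOMAIN\PyramidUsers
    $entries = $line.Substring($line.IndexOf('=') + 1).Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # entries prefixed with * are SIDs; translate them to readable names where possible
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }   # unresolvable (e.g. deleted account): keep the raw SID
        } else { $e }
    }
}

$granted = @(Get-InteractiveLogonPrincipals)
Write-Host "Allow log on locally is granted to:`n  $($granted -join "`n  ")"

$required = 'MYDOMAIN\PyramidUsers'   # hypothetical group that holds the Pyramid end users
if ($granted -notcontains $required) {
    Write-Warning "$required does not hold the log-on-locally right on $env:COMPUTERNAME. If the GPO was changed recently, run 'gpupdate /force' and re-check."
} else {
    Write-Host "$required holds the log-on-locally right on $env:COMPUTERNAME"
}
```

Repeat on every server hosting a Pyramid component: the troubleshooting guide notes that the right is needed on all of them, and GPO replication can reach them at different times.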

iii. Testing Communications: Diagnostics

An optional system tester is provided to ensure that the communication layer of the application is operating as expected. Administrators can use this tool if they have trouble logging into the application. It can be found at the URL http://pyramidBIO.mysite.com/admin/diagnostics.aspx where pyramidBIO.mysite.com is the host URL name you provided during installation.

The ping test will show if the application can open a basic communication channel from the web application, through the router and on to the application server. The separate Kerberos test is useful for Kerberos delegation and SPN testing.


2. Administration
A. Setting-up Licenses, Users and Roles
Open a browser and browse to the administrative console on the web server through the URL http://pyramidBIO.mysite.com/admin/ where pyramidBIO.mysite.com is the host URL name you provided during installation. Log in with the master account credentials entered in the configuration wizard as per above. Once logged into the administrative console, launch the Quick Start Wizard by clicking on the large RED button on the Settings tab in the console, or follow the manual steps below before attempting to access the client.

This manual process involves the administrator entering user licenses; creating users and roles; and applying access roles to data-source servers.
1. Client Licenses: go to the Client Licenses tab and add the new client license packs provided by Pyramid.
2. Users: go to the Users tab and Add a New User.
   a. Provide the user's domain (this may be different to the default domain used for the application itself).
   b. Type in a search key to look up users from the security framework (Local OS or Active Directory). Select the desired user and click Next.
   c. Select which license type this user will be deployed under.
3. Roles: go to the Roles tab and Add a New Role.
   a. Provide a role name.
   b. Next, optionally attach existing application users to this role.
      i. Users listed are those already added to the application in the previous step above.
   c. Next, optionally attach security groups to this role.
      i. Security groups are read from the Active Directory.
   d. Click Finish. (Note that the Finish button is disabled UNLESS at least one user, one group, or both users and groups are selected.)
4. Servers: go to the Servers tab. Click the ROLES button next to each data-source server listed to assign role access to each data-source server.
   a. Look up existing roles in the system (from the previous step) and assign or un-assign them to the data source as needed. (Note that this is an application-layer functional access control. The user must still have data access rights to the SSAS OLAP server, underlying databases and cubes. These are typically set in the Analysis Services instance itself.)


3. Client
Open a browser and browse to the URL http://pyramidBIO.mysite.com/ and log into the application using credentials for users licensed in the system as per the previous step above. You can log in as the professional/administrative user added in the above steps. As a professional user type, open a cube from the data-sources content section. If you cannot see a data source (cube server), check the troubleshooting guide.

Client Browsers Supported


With Silverlight 5, the number and type of browsers supported has changed:

  Browser              Windows   Mac
  Internet Explorer 7  Yes       NA
  FireFox 3.6          Yes       Yes
  Safari 4             *         Yes
  Chrome               Yes       **
  Recommended Browser  IE 9      Safari 5.x

* Safari has not been certified by Microsoft to work reliably on Windows.
** Chrome has not been certified by Microsoft to work reliably on Mac OS X.

If deploying a Windows Authentication web application, note that the Safari and Chrome browsers do NOT support Integrated Windows Authentication (see Client Configurations for more)

SilverLight Isolated Storage - FireFox


All browsers support the isolated storage functionality of Silverlight required for the application. However, FireFox needs certain settings changed before it supports this feature. From the FireFox browser, go to Tools; Options; Privacy tab. The user should choose Remember History. Without this, isolated storage will NOT work.

Figure 1


4. Troubleshooting Guide

Issue: The cube server is not available in the client
Resolution:
o Server Address: the data sources are addressed through their server names and then their IP addresses. In a volatile DNS and DHCP environment (with virtual machines, for example), these IP addresses can get mixed up. Ensure that the server's IP address in the admin console ACCURATELY reflects the machine's actual IP address.
o Data Security: access to the cube server is driven through 2 gateways: the first is the Pyramid administrative layer; the second is cube access as determined via SSAS cube role security. See the administrative help for the former; check the SSAS security roles for the latter. If both of these are correct, ensure that the server entry on the Pyramid administrative page reflects the correct IP address for that server. If these don't work: check that the domain account on the application service has access to the cube servers; check that the application server can see the cube server (DNS resolution); check access using a third-party tool like SQL Server Management Studio.
o Kerberos: if these don't remedy the issue, the authentication of the user may be failing. See the appendix on Kerberos authentication for more detail.
o Log-on-Locally: ensure that the users have log-on-locally rights on all servers. Often, the GPO settings are not replicated to the server in a timely fashion and need to be updated by force.

Issue: User tries to log in and gets an Access Denied message
Resolution: Ensure that the user has been given the right to log on locally to the server if the Basic authentication and log-on-locally rights model has been deployed (as described here). Even if this has been set up correctly, it often takes time for the GPO settings to be distributed to all the servers in the network. If this problem persists, use a tool to force the GPO rules to replicate across the network on demand.

Issue: No data sources/cube servers found
Resolution: This is typically an oversight with the data security on the SSAS cube server. Ensure that the user has rights to see a cube via the Analysis Services Roles functionality. Separately, ensure that the user belongs to a role in the Pyramid application that has been given rights to view the data-source servers (see the Pyramid Administrative Guide for more).

Issue: 401.1 web error for LOCALHOST installations
Resolution: This 401.1 no-access error when logging into the client application can occur on LOCALHOST installations when trying to log in from the same machine hosting the application. In this scenario, one suggestion is to disable the loopback check in Windows. See this article for more information: http://support.microsoft.com/kb/896861

Issue: Error 500
Resolution: This problem is potentially related to a communications issue. See sections D.i, ii and iii above for more information. Also ensure that the services have been started on their respective servers and that there are no port conflicts on each machine.


5. Appendix
A. SQL Server Settings
The server housing the SQL Server database should have these capabilities enabled:
o Mixed Authentication (the application uses SQL Authentication for all its activities).
  o The user account provided by administrators to access the SQL Server should have FULL administrative rights to the Pyramid Content Store Database.
o Full Text Search

B. Distributed Transaction Coordinator Settings


The application uses MSDTC to handle the many different transactions between it and the SQL Server Content Store. As such, MSDTC needs to be running on ALL servers that are hosting aspects of the application including the server hosting SQL SERVER itself. Further, the MSDTC must be set to Allow Remote Clients.


C. Web Application Settings and Customizations


i. Web Site Deployment Options

The web application installation creates a new standalone web site on the web server. This is named pyramidBIO.mysite.com by default, but can be changed during the installation process. Administrators can elect to manually create the Pyramid site as a Virtual Application within an existing web site by replicating the settings as per below. If the site is to be secured via SSL, the web application needs to be configured to handle the change to the HTTPS protocol (see below).

Using a Stand-Alone Site Internally


Note: some of these steps are completed for you by the configuration tool using the URL provided during installation. To test the stand-alone web application without creating extranet DNS entries, edit the HOSTS file on the client workstation as follows:
o Open c:\windows\system32\drivers\etc\hosts (note there is no file extension on this system file).
o Add an entry to the bottom of the HOSTS file recording the IP address of the web application server and its decorated DNS name.
  o For example, we'd add the following entry to enable the URL pyramidBIO.mysite.com to work on the local machine:
    127.0.0.1 pyramidBIO.mysite.com
o Ensure you save the HOSTS file as is, without an extension.
o On certain operating systems (mainly Windows 2008 and Windows 7) the user must disable the loopback check option (see http://support.microsoft.com/kb/896861 for more):
  o In the registry, go to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  o Add a new DWORD value DisableLoopbackCheck and set its value to 1.
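The following PowerShell script is an added example, not part of the Pyramid documentation, and serves both this section and the "401.1 web error for LOCALHOST installations" entry in the troubleshooting guide. It adds the HOSTS entry idempotently and then applies the narrower of the two fixes in KB896861: rather than setting DisableLoopbackCheck=1, which switches the loopback check off for every host name, it registers only the Pyramid site name in BackConnectionHostNames (Method 1 in the article), so the loopback check still protects everything else on the box. The site name is the one from your installation; run elevated, and restart IIS afterwards (iisreset) for the registry change to take effect.

```powershell
# Added example (not Pyramid's own code). Placeholder: the site host name.
$siteHost = 'pyramidBIO.mysite.com'   # the host URL given during installation

# 1. HOSTS entry for local testing; only append if an identical line is not already there
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*127\.0\.0\.1\s+' + [regex]::Escape($siteHost) + '\s*$'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "127.0.0.1 $siteHost"
    Write-Host "Added HOSTS entry for $siteHost"
}

# 2. Allow loopback authentication for THIS host name only (KB896861, Method 1)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'
$existing = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames |
              Where-Object { $_ })           # drop the $null you get when the value is absent
if ($existing -notcontains $siteHost) {
    Set-ItemProperty -Path $msv -Name BackConnectionHostNames -Value ($existing + $siteHost) -Type MultiString
    Write-Host "Added $siteHost to BackConnectionHostNames (restart IIS with 'iisreset' to apply)"
}

# 3. Flag the blanket switch if someone already set it; it is the broader change (KB896861, Method 2)
$dlc = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($dlc -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set: the loopback check is off for all host names. BackConnectionHostNames is the narrower fix.'
}
```

Either registry change is only needed for browsing the site from the server itself; client workstations only need the HOSTS entry (or proper DNS).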

To Create the Virtual Application:


Basic Authentication Note: You should NOT attempt to change the authentication model used for the application after installation. 1. Create a web application node (e.g. pyramid) under an existing website. a. Make sure it is pointed to the paBIO directory under c:\wwwroot\inetpub\Pyramid Analytics\ b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to BASIC AUTHENTICATION (anonymous authentication and WINDOWS authentication must be disabled). c. Set its application pool to paBIO Under the application node from the step 1 above, add a virtual application called Admin. a. Make sure it is pointed to the paBIOadmin directory under c:\wwwroot\inetpub\Pyramid Analytics\ b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication (BASIC and WINDOWS authentication must be disabled because it uses FORMS authentication) c. Set its application pool to paBIOadmin

2.

Forms Authentication

Note: You should NOT attempt to change the authentication model used for the application after installation.

1. Create a web application node (e.g. pyramid) under an existing website.
   a. Make sure it is pointed to the paBIO directory under c:\inetpub\wwwroot\Pyramid Analytics\
   b. Set: the ASP.NET version to 4.0; the default page to default.aspx; and authentication to ANONYMOUS AUTHENTICATION (BASIC authentication and WINDOWS authentication must be disabled).
   c. Set the authentication on the Services directory to BASIC authentication.
   d. Set its application pool to paBIO.
   e. Change the FormsLogon application setting in the web.config to true and set the WebDomain value.
2. Under the application node from step 1 above, add a virtual application called Admin.
   a. Make sure it is pointed to the paBIOadmin directory under c:\inetpub\wwwroot\Pyramid Analytics\
   b. Set: the ASP.NET version to 4.0; the default page to default.aspx; and authentication to ANONYMOUS authentication (BASIC and WINDOWS authentication must be disabled because the Admin application uses FORMS authentication).
   c. Set the authentication on the ExtServices directory to BASIC authentication.
   d. Set its application pool to paBIOadmin.

Because the Services and ExtServices directories use BASIC authentication, which sends the user name and password Base64-encoded (effectively in the clear), this model must be deployed over HTTPS as described in the next section.

For more information on forms authentication, see the appendix on forms authentication.

Windows Authentication

Note: You should NOT attempt to change the authentication model used for the application after installation.

1. Create a web application node (e.g. pyramid) under an existing website.
   a. Make sure it is pointed to the paBIO directory under c:\inetpub\wwwroot\Pyramid Analytics\
   b. Set: the ASP.NET version to 4.0; the default page to default.aspx; and authentication to WINDOWS AUTHENTICATION (anonymous authentication and BASIC authentication must be disabled).
   c. Set its application pool to paBIO.
2. Under the application node from step 1 above, add a virtual application called Admin.
   a. Make sure it is pointed to the paBIOadmin directory under c:\inetpub\wwwroot\Pyramid Analytics\
   b. Set: the ASP.NET version to 4.0; the default page to default.aspx; and authentication to ANONYMOUS authentication (BASIC and WINDOWS authentication must be disabled because the Admin application uses FORMS authentication).
   c. Set its application pool to paBIOadmin.
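The two procedures above are the same IIS layout with different authentication switches, so they script well. The following PowerShell is an added example written for this guide, not code shipped by Pyramid Analytics: it creates the pyramid and Admin applications, sets the default document, and enables exactly one IIS authentication scheme per location for the chosen model. The site name ("Default Web Site"), the install root, the NetBIOS domain written to WebDomain, and the Services/ExtServices paths are assumptions; it expects IIS 7.x with the WebAdministration module, an elevated session, and the paBIO/paBIOadmin application pools created by the installer.

```powershell
# Added example (not from the Pyramid guide): script the IIS application
# layout the guide describes for either authentication model. Assumes IIS 7.x
# with the WebAdministration module, an elevated PowerShell session, the
# installer-created app pools paBIO and paBIOadmin, and the site/path names
# below (all assumptions; adjust to your server).
param(
    [ValidateSet('Forms', 'Windows')] [string]$Model = 'Forms',
    [string]$Site      = 'Default Web Site',
    [string]$AppName   = 'pyramid',
    [string]$Root      = 'C:\inetpub\wwwroot\Pyramid Analytics',
    [string]$WebDomain = 'MYDOMAIN'     # NetBIOS domain written to the WebDomain app setting
)
Import-Module WebAdministration

$authFilter = '/system.webServer/security/authentication'

function Set-IisAuthMode {
    # Enable exactly one of anonymous/basic/windows for an IIS location
    # (site/app/directory path), disabling the other two.
    param([string]$Location, [string]$Mode)
    $sections = @{ anonymous = 'anonymousAuthentication'
                   basic     = 'basicAuthentication'
                   windows   = 'windowsAuthentication' }
    foreach ($name in $sections.Keys) {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$authFilter/$($sections[$name])" -Name enabled -Value ($name -eq $Mode)
    }
}

function Set-DefaultDocument {
    # Put default.aspx first in the default document list unless already present.
    param([string]$PSPath)
    $filter  = '/system.webServer/defaultDocument/files'
    $present = Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name Collection |
        Where-Object { $_.value -eq 'default.aspx' }
    if (-not $present) {
        Add-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name '.' `
            -Value @{ value = 'default.aspx' } -AtIndex 0
    }
}

function Set-AppSetting {
    # Set <add key=... value=...> under <appSettings> in a web.config.
    param([string]$File, [string]$Key, [string]$Value)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($File)
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $xml.SelectSingleNode('/configuration/appSettings').AppendChild($node) | Out-Null
    }
    $node.SetAttribute('value', $Value)
    $xml.Save($File)
}

# Both application pools must run ASP.NET 4.0.
foreach ($pool in 'paBIO', 'paBIOadmin') {
    Set-ItemProperty "IIS:\AppPools\$pool" -Name managedRuntimeVersion -Value 'v4.0'
}

# 1. The main application (pyramid) on the paBIO directory.
$appPSPath = "IIS:\Sites\$Site\$AppName"
if (-not (Test-Path $appPSPath)) {
    New-WebApplication -Site $Site -Name $AppName -ApplicationPool 'paBIO' `
        -PhysicalPath (Join-Path $Root 'paBIO') | Out-Null
}
Set-DefaultDocument $appPSPath

# 2. The Admin virtual application on paBIOadmin; it always uses Forms
#    authentication, so IIS must allow anonymous access to it.
if (-not (Test-Path "$appPSPath\Admin")) {
    New-WebApplication -Site $Site -Name "$AppName/Admin" -ApplicationPool 'paBIOadmin' `
        -PhysicalPath (Join-Path $Root 'paBIOadmin') | Out-Null
}
Set-DefaultDocument "$appPSPath\Admin"
Set-IisAuthMode "$Site/$AppName/Admin" 'anonymous'

switch ($Model) {
    'Forms' {
        Set-IisAuthMode "$Site/$AppName" 'anonymous'
        # Only the service endpoints take credentials, via Basic over HTTPS.
        Set-IisAuthMode "$Site/$AppName/Services" 'basic'
        Set-IisAuthMode "$Site/$AppName/Admin/ExtServices" 'basic'
        $cfg = Join-Path $Root 'paBIO\web.config'
        Set-AppSetting $cfg 'FormsLogon' 'true'
        Set-AppSetting $cfg 'WebDomain'  $WebDomain
    }
    'Windows' {
        # Needs the Windows Authentication role service installed on the server.
        Set-IisAuthMode "$Site/$AppName" 'windows'
    }
}
```

Setting the authentication sections with -PSPath 'IIS:\' and -Location writes them into applicationHost.config location tags, which works even though those sections are locked against web.config overrides by default. Run it once per model; re-running is safe because every step checks before it creates.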

ii. Using an SSL certificate and HTTPS

The site SSL certificate is installed into IIS as normal.

Steps to deploy the Pyramid Application with an SSL certificate in IIS7:

1. Obtain and install the SSL certificate into IIS 7 as generally directed.
2. Follow this by binding the certificate as normal to the website that is hosting the application.
3. Open a command prompt by clicking the start menu, typing cmd and hitting enter. Then navigate to C:\Windows\System32\Inetsrv\ by typing cd C:\Windows\System32\Inetsrv\ on the command line.
4. Run the following command for each of the websites on the IP address that need to use the certificate:

   appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

   Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (e.g. site1.mydomain.com).

Before using the application with SSL, administrators must ensure that:

- For IIS7, the host header (site URL) has been bound to the SSL certificate using the APPCMD command line facility (as described in the steps above).
- The IsHttps flag in the site's web.config file has been set to true. This option is set from the Installation Configuration Wizard. However, it can be set manually as well:
  1. Go to the web installation folder for services (typically c:\inetpub\wwwroot\pyramid analytics\paBio\) and open the web.config file with Notepad.
  2. Locate the string <add key="IsHttps" value="false" /> and set its value to true.
  3. Save the web.config file.

Offloaded SSL Processing

If you are using other devices to offload SSL processing from the IIS web server (like F5's SSL acceleration), then the above IsHttps flag should be set to false, because IIS itself then receives plain HTTP. Note that in this configuration the Basic authentication credentials travel unencrypted on the segment between the offloading device and IIS, so that segment must be a trusted network (or re-encrypted).
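The two preconditions above (an https binding for the host header, and IsHttps in paBIO\web.config matching where TLS actually terminates) are easy to get out of step with each other, especially when an offloading device is added later. The following PowerShell is an added example for this guide, not Pyramid's own tooling: it checks both, reports mismatches, and with -Fix adds the binding, attaches a certificate and rewrites the flag. The site name, host header, web.config path and certificate thumbprint are assumptions; it needs IIS 7.x with the WebAdministration module and an elevated session.

```powershell
# Added example (not from the Pyramid guide): verify, and with -Fix repair,
# the two things the guide says must be true before using SSL: an https
# binding for the site's host header, and IsHttps in paBIO\web.config.
# Assumes IIS 7.x with WebAdministration, and the site, host header, file
# path and certificate thumbprint below (all assumptions).
param(
    [string]$Site           = 'Default Web Site',
    [string]$HostHeader     = 'site1.mydomain.com',
    [string]$WebConfig      = 'C:\inetpub\wwwroot\Pyramid Analytics\paBIO\web.config',
    [string]$CertThumbprint = '',      # from Get-ChildItem Cert:\LocalMachine\My
    [switch]$SslOffloaded,             # TLS ends on an F5 or similar in front of IIS
    [switch]$Fix
)
Import-Module WebAdministration
$ok = $true

# 1. https binding for this host header (what the appcmd command in the guide adds).
$bindInfo = "*:443:$HostHeader"
$binding = Get-WebBinding -Name $Site -Protocol https |
    Where-Object { $_.bindingInformation -eq $bindInfo }
if (-not $binding -and -not $SslOffloaded) {
    if ($Fix) {
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostHeader
        $binding = Get-WebBinding -Name $Site -Protocol https |
            Where-Object { $_.bindingInformation -eq $bindInfo }
        # Attach the certificate to the new binding (IP-based binding, as on IIS 7.x).
        if ($CertThumbprint) { $binding.AddSslCertificate($CertThumbprint, 'my') }
    } else {
        Write-Warning "No https binding $bindInfo on '$Site'"; $ok = $false
    }
}

# 2. IsHttps must be true when IIS terminates TLS and false when an
#    offloading device does, because IIS then sees plain HTTP.
$wanted = if ($SslOffloaded) { 'false' } else { 'true' }
$xml = New-Object System.Xml.XmlDocument
$xml.Load($WebConfig)
$node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='IsHttps']")
$current = if ($node) { $node.GetAttribute('value') } else { '(missing)' }
if ($current -ne $wanted) {
    if ($Fix -and $node) {
        $node.SetAttribute('value', $wanted); $xml.Save($WebConfig)
    } else {
        Write-Warning "IsHttps is '$current' in $WebConfig, expected '$wanted'"; $ok = $false
    }
}
if ($ok) { "SSL setup for $HostHeader looks consistent" }
```

Run it without -Fix first; the warnings tell you which of the two preconditions is wrong. With -SslOffloaded the binding check is skipped (IIS is not expected to listen on 443) and the flag is required to be false, matching the note above.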


D. Web Authentication Models

The following briefly explains the different web authentication models available with the Pyramid Application.

i. Basic Authentication Models

The user is prompted to enter credentials when they browse to the Pyramid URL address. The credential prompt is supplied by Windows IIS and the credentials are validated against the local OS security database or Active Directory. The resulting security token can be used directly against cube data sources without any further translation. The user name and password are passed from the client browser to the server Base64-encoded, which is equivalent to clear text, so Basic Authentication models are typically deployed with SSL certificates (recommended) to encrypt the data packets across the network. Basic Authentication works through firewalls and universally works on all browsers on both PCs and Macs. It's a mature, efficient and very fast authentication method and is highly recommended for extranet deployments (over SSL only).

ii. Windows Authentication Models

Windows Authentication provides a single sign-on model for users of PCs connecting to the Pyramid application. The user is NOT prompted when they browse to the Pyramid URL address; instead their workstation credentials are used to authenticate against the website. The authentication is handled by Windows IIS and the credentials are validated against the local OS security database or Active Directory. The resulting security token can be used directly against cube data sources without any further translation. Windows Authentication generally does NOT work through firewalls, and silent sign-on only works in Internet Explorer and Firefox on PCs. Because of these limitations it is used in limited circumstances. It's a mature, efficient and very fast authentication method and is only recommended for intranet deployments.

iii. Forms Authentication Models

The user is forwarded to a login page where they are prompted to enter credentials. The credential prompt is supplied by the application itself and is authenticated inside client-defined code. The authentication can be against any type of credentialing engine, including an Active Directory or a SQL Server data store. The resulting security token cannot be used directly against cube data sources and therefore usually requires some type of translation. The user name and password are passed from the client browser to the server in clear text, so Forms Authentication models are typically deployed with SSL certificates (recommended) to encrypt the data packets across the network. Forms Authentication works through firewalls and universally works on all browsers on both PCs and Macs. Because it provides for customized authentication frameworks, it is often used when an Active Directory cannot be used directly (or at all).

Pyramid supports forms authentication in 2 modes: Direct Forms and Federated Forms.

- Direct Forms: if deployed, users are redirected to a Pyramid-provided login page where they can enter their details. The authentication is applied against the Active Directory itself.
- Federated Forms: an automated mechanism for clients to redirect users from an alternative login framework to the Pyramid Suite. In doing so, clients provide the impersonated Windows account that will be used for the given user. Pyramid in turn provides a framework for the end user to auto-login into its application, delivering a virtual single-sign-on facility. Use of Federated Forms requires clients to add new code to their custom forms login process. The code provides a conduit for Pyramid to issue a session-based cookie with encrypted tokens that will allow the user's browser session to use the application without further prompt. Because the client's login code names the Windows account to impersonate, this hand-off must only be reachable from the trusted login framework: anything that can call it can pick the identity.

For more details on Federated Forms and its implementation, please contact Pyramid Support.


E. Log-on-Locally Impersonation Setup

If administrators wish to AVOID the complexities of Kerberos and SPNs, they can choose to deploy the application using Basic or Forms Authentication with Log-on-Locally rights. Before the local OS and/or Active Directory can be used for the application in these deployments, administrators MUST ensure that the server hosting the application has granted the "Allow log on locally" right to all users planning to access the system. This feature is used to ensure that the end-user's authentication is passed directly to the cube server as intended. Grant the right to a dedicated group of application users rather than to broad groups such as Domain Users; note that on a member server the built-in Users group holds this right by default, so unless a policy has tightened it, every domain user already has it.

i. Local OS setup:

- On the host server, go to Administrative Tools, Local Security Policy.
- In the pop-up, under Security Settings choose Local Policies, then User Rights Assignment.
- In the right hand panel, select "Allow log on locally".
- In the pop-up dialog, ensure that the appropriate users and/or user groups are in the listing of those users that can log on locally.

ii. Active Directory setup:

- On the Active Directory Domain Controller, go to Administrative Tools, Group Policy Management.
- In the pop-up, open up the forest node, then Domains, and then the domain node.
  o For existing GPOs, right click and choose Edit.
  o For new GPOs, first create a new GPO and link it to the OU (or domain) that contains the web server's computer account, then right click and choose Edit.
- Under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, choose User Rights Assignment.
- In the right hand panel, select "Allow log on locally".
- In the pop-up dialog, ensure that the appropriate users and/or user groups are in the listing of those users that can log on locally.
  o Ensure that the local Administrators group is ALSO added during this process. A user right defined in a GPO replaces the server's local list rather than merging with it, so any group left out of the GPO loses the right.
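Whether the right came from the local policy or from a GPO, what matters is the effective setting on the web server, and the dialogs above do not show who holds it by SID. The following PowerShell is an added example for this guide, not Pyramid's own tooling: it exports the local user rights with secedit, parses SeInteractiveLogonRight (the internal name of "Allow log on locally"), resolves the SIDs, and reports whether a given group is covered and whether BUILTIN\Users still holds the right. The group name is an assumption, and the sample export at the bottom is constructed so the parser can be exercised without a server.

```powershell
# Added example (not from the Pyramid guide): audit who holds "Allow log on
# locally" (SeInteractiveLogonRight) on the web server, and flag whether a
# given group is covered. Reads the effective local policy via secedit
# (run elevated); the sample export below is constructed so the parser can
# be exercised offline. The group name is an assumption.
function Get-InteractiveLogonHolders {
    # Parse the [Privilege Rights] section of a secedit export and resolve SIDs
    # to names where the machine can; unresolvable SIDs are returned raw.
    param([string]$InfText)
    $line = ($InfText -split "`r?`n") | Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' }
    if (-not $line) { return @() }
    $raw = ($line -replace '^\s*SeInteractiveLogonRight\s*=\s*', '') -split ','
    foreach ($entry in $raw) {
        $entry = $entry.Trim()
        if ($entry -match '^\*(S-1-.+)$') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $Matches[1] }
        } else { $entry }   # exports can also carry plain account names
    }
}

function Export-LocalUserRights {
    # secedit writes a Unicode .inf; only the USER_RIGHTS area is needed.
    $tmp = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    $text = (Get-Content $tmp) -join "`n"
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $text
}

function Test-LogonLocally {
    param([string]$Group, [string]$InfText = (Export-LocalUserRights))
    $holders = @(Get-InteractiveLogonHolders $InfText)
    New-Object PSObject -Property @{
        Holders        = $holders -join '; '
        GroupCovered   = [bool]($holders -contains $Group)
        # BUILTIN\Users covers every domain user on a member server by default;
        # if it is still listed, the right is already far wider than one group.
        OpenToAllUsers = [bool]($holders -contains 'BUILTIN\Users')
    }
}

# Constructed sample export (not real output from any server): Administrators,
# Users, and one domain group SID that this machine cannot resolve.
$sampleInf = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
"@
Test-LogonLocally -Group 'MYDOMAIN\PyramidUsers' -InfText $sampleInf | Format-List
# Live check of this server:  Test-LogonLocally -Group 'MYDOMAIN\PyramidUsers'
```

On a domain-joined server the two well-known SIDs resolve to BUILTIN\Administrators and BUILTIN\Users, while the unknown domain SID is printed raw, which is exactly what you will see when a GPO references a group from another domain that the server cannot resolve.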


F. Kerberos Delegation Setup

Adapted from "Microsoft ProClarity and Kerberos Delegation" by Microsoft Product Support, 12-4-2008

i. Introduction

When the server-side applications and/or SSAS are deployed on separate machines, administrators must configure Kerberos delegation in Active Directory for user authentication to succeed. Active Directory provides an option, Kerberos delegation, to pass the user's credentials from the client to the web server, then to other servers, and finally to SSAS. Kerberos authentication fails when there is a multi-leg or double hop between multiple servers: a server that has authenticated a user cannot, by default, use that user's identity to authenticate to a third server. This "double-hop problem" is an intentional security restriction; a server has to be explicitly trusted for delegation before it may act on behalf of other security accounts. In the Pyramid Application, a double hop is created when there is one hop from the Silverlight client to the web server (IIS) and one or more further hops from the web server to one or more application servers (or the cube data server).

Application

The following matrix outlines the possible deployment scenarios currently available with the Pyramid Application Suite and when Kerberos delegation is required. The last two columns are the user authentication method.

Security Framework     | Deployment Model | Component | Basic/Forms Authentication               | Windows Authentication
-----------------------|------------------|-----------|------------------------------------------|-----------------------------
Local Operating System | Single Machine   | Server    | NA                                       | NA
Local Operating System | Single Machine   | Client    | IE, FF, Safari, Chrome                   | IE, FF, Safari, Chrome
Active Directory       | Single Machine   | Server    | NA                                       | NA
Active Directory       | Single Machine   | Client    | IE, FF, Safari, Chrome                   | IE, FF, Safari, Chrome
Active Directory       | Multi Machine    | Server    | Log-on-locally, or Kerberos + Delegation | Kerberos + Delegation
Active Directory       | Multi Machine    | Client    | IE, FF, Safari, Chrome                   | IE & FF only + Trusted Site

Figure 2

From the above, it is clear that Kerberos delegation setup is only required in the multi-server deployment model, when users are authenticating through Windows Authentication, or through Basic (and Forms) Authentication without log-on-locally rights, on IIS. It can however also be used for single-server deployments. All major client browsers are compatible with the application (Silverlight). However, only Internet Explorer and Firefox support Integrated Windows Authentication on a PC. Other PC browsers and all Mac deployments require manual user logins even in Windows Authentication mode. See client setups for more.

NOTE: Multi-server includes the data/cube server. So the deployment is multi-server if the cube server is on a separate machine, irrespective of whether the entire Pyramid application is installed on a single machine or not.

ii. Other Documentation & Tools

- Review the section "Infrastructure Requirements" in Microsoft's "Troubleshooting Kerberos Delegation".
- Review the following Microsoft document: "How to configure SQL Server 2005 Analysis Services to use Kerberos authentication".
- There are two common tools for editing SPN entries in Active Directory: AdsiEdit.msc and setspn.exe.
- Installed with the Pyramid Application is the Kerberos Tester. It can be found under
  o the server's default website: http://defaultwebsite/pyramid/admin/diagnostics.aspx, or
  o the URL http://pyramidBIO.mysite.com/admin/diagnostics.aspx, where pyramidBIO.mysite.com is the host URL name you provided during installation.

iii. Overview

The steps below solve the double-hop problem of cross-server trust delegation and outline the configuration for the case of separate Pyramid and cube data servers.

iv. Prerequisites

Prior to these configuration steps, your environment should have the following prerequisites met. If any of these items are not configured, delegation will not function correctly.

- Check your Active Directory forest and domain functional levels. They should be set to Native or 2003/2008/2012.
  o Windows 2008 or Windows Vista machines should have the Microsoft hotfix KB969083 applied to correct the Kerberos issues with SQL Server SSAS 2005/2008/2012. This does not need to be applied to Windows 2008 R2 / 2012 or Windows 7/8.
- Kerberos delegation can function between trusted forests and domains.
  o The resource forest or domain must trust the user forest or domain.
- For Windows Authentication deployments, the site hosting the application must be in the client's TRUSTED SITES list inside the browser.
  o Alternatively, administrators can add the site as a trusted site using GPOs on the Active Directory for all users.

Note that SPNs must be registered by a domain administrator, or by an account that has been granted write permission on the target account's servicePrincipalName attribute.

v. Configuration Steps: Delegation and SPNs

Delegation on the Active Directory

All servers hosting parts of the application must be able to delegate, including the web servers and the servers hosting the router and application services. You can use Full or Constrained Delegation. To set Full Delegation: open the Active Directory Users and Computers panel in the Administrative Tools on the Active Directory server, open the properties of the server's computer account, choose the Delegation tab and set it to "Trust this computer for delegation to any service (Kerberos only)" (as per the figures below).

Full (unconstrained) delegation lets the web server obtain tickets to any service in the domain as any user who has authenticated to it, so a compromised web server can impersonate its users anywhere. Where possible, prefer Constrained Delegation, which limits the computer account to the specific SPNs it needs (here, the MSOLAPSvc.3 SPNs of the cube server and the SPNs of the other Pyramid servers).

Figure 3 Delegation Panel (Win 2008)

Figure 4 Delegation Panel (Win 2003)


Setting Service Principal Names (SPNs)

Verify which account is running the IIS application pool that contains the application. It should be NETWORK SERVICE, in which case the SPNs belong to the web server's computer account, and it is likely this account will already have SPN entries. From the command prompt type:

setspn -L MachineName

You will likely see SPN entries for this computer account in one of the following forms:

HOST/<MachineName>
HOST/<MachineName>.<domainName>

Adding an IIS SPN

When the site is running under the default web site (localhost) no SPNs need to be added, because the HOST SPNs above also cover HTTP for the machine name. However, if the site is running under a different host header name / URL (for example www.mycompany.com), the configurator tool will add an SPN for this host header name / URL. If this did not complete successfully, you should add the SPN using the following syntax:

setspn -s HTTP/MachineName MachineName
setspn -s HTTP/www.mycompany.com MachineName

where MachineName is the name of the hosting IIS server machine. Duplicate SPNs break Kerberos authentication (the KDC cannot tell which account's key the ticket should be encrypted with), and setspn -s refuses to add an SPN that already exists anywhere in the forest. Once completed, run the following to ensure there are no duplicate SPN entries:

setspn -x

SPNs on Windows 2003

To use the setspn application on Windows 2003, you may need to download and install the Windows 2003 Support Tools first (SP1 and SP2). Then browse to the Support Tools folder and run the setspn command application from there. When using Windows 2003, swap the setspn commands from setspn -s to setspn -a, since the -s switch is not available. Note that -a does not check for an existing duplicate before adding, and the -x duplicate sweep is also not available in the 2003 version, so check for duplicates afterwards with setspn -l on each account involved or with the DHCheck tool mentioned under Troubleshooting.

SQL Server Analysis Services Configuration

SSAS should already have its SPNs preset as part of its own installation. This section allows administrators to ensure it is correct in the event of impersonation and connection issues. Before starting, ensure that the end user(s) is a part of the SSAS role for viewing cube data.

Using a local computer account for the SSAS service

Check the SQL Server Analysis Services (MSSQLSERVER) service to find out what account is being used to start the service. If your SSAS service is running under a local computer account, such as LocalSystem, it is likely this account will already have SPN entries (listed with setspn -L MachineName):

MSOLAPSvc.3/MachineName
MSOLAPSvc.3/MachineName.Company.com

Adding SPNs for SSAS

If you do not see the correct SPNs, you can add them. If the SSAS service is using LocalSystem and not a domain user account, the SPNs belong to the data server's computer account in Active Directory. (The original text also asks for that computer account to be trusted for delegation; strictly, the account that must be trusted for delegation is the web server's, since SSAS is the last hop, and the data server only needs it if SSAS in turn passes the user's identity on to another data source.)

setspn -s MSOLAPSvc.3/MachineName MachineName
setspn -s MSOLAPSvc.3/MachineName.Company.com MachineName

If the SSAS service is running under a domain account, register these SPNs on that account instead:

setspn -s MSOLAPSvc.3/MachineName domainAccount
setspn -s MSOLAPSvc.3/MachineName.Company.com domainAccount

If you are using a named instance for SQL Server SSAS, the following SPN formats apply, with the domain account or machine name as required:

setspn -s MSOLAPSvc.3/MachineName:instanceName domainAccount
setspn -s MSOLAPSvc.3/MachineName.Fully_Qualified_domainName:instanceName domainAccount

You may have to force or wait for replication of the information to other domain controllers in the network.


vi. Client Configuration

User Accounts

User accounts in Active Directory, by default, should not need additional configuration. You may want to verify that the "Account is sensitive and cannot be delegated" box is NOT checked in the Active Directory account properties. If checked, the account cannot be delegated and will be inoperable in a double-hop deployment. Have the users log out and back in to their client machine after changing any properties and before running Kerberos delegation tests. This will clear cached Kerberos tickets. You may also use the Kerbtray utility (or klist purge, which ships with Windows 7 / Server 2008 R2 and later) to clear Kerberos tickets without logging out and back in.
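The delegation, SPN and user-account steps above are a checklist that is easy to get subtly wrong (a missed FQDN variant, an SPN on the wrong account, a user flagged as non-delegable). The following PowerShell is an added example for this guide, not Pyramid's own tooling: it builds the SPN set the guide asks for from the server names, checks each with setspn -Q, registers missing ones with setspn -S (which refuses duplicates), runs the forest-wide duplicate sweep, and optionally switches the web server to constrained delegation towards the cube server's SPNs only and checks the "cannot be delegated" flag on a test user. Server names, domain and account names are assumptions; it needs the Windows 2008 (or later) setspn and, for the two Active Directory switches, the ActiveDirectory module from RSAT.

```powershell
# Added example (not from the Pyramid guide): compute the SPN set the guide
# asks for (HTTP for the web server and its host headers, MSOLAPSvc.3 for the
# cube server), check each with setspn -Q, register missing ones with
# setspn -S (which refuses a duplicate), sweep the forest with setspn -X, and
# check the delegation-related account settings from the "Delegation" and
# "User Accounts" passages. Needs the Windows 2008+ setspn and, for the -AD
# switches, the ActiveDirectory module (RSAT). Names below are assumptions.
param(
    [string]  $WebServer   = 'WEB01',
    [string[]]$HostHeaders = @('www.mycompany.com'),
    [string]  $DataServer  = 'OLAP01',
    [string]  $Instance    = '',           # '' = default SSAS instance
    [string]  $SsasAccount = '',           # '' = LocalSystem, SPNs on the computer account
    [string]  $DnsDomain   = 'company.com',
    [string]  $TestUser    = '',           # check "cannot be delegated" on this user
    [switch]  $Register,                   # actually run setspn -S
    [switch]  $ConstrainWebServer          # constrained delegation WEB01 -> MSOLAPSvc.3 only
)

function Get-RequiredSpn {
    # Returns {Spn, Account} pairs; setspn accepts the bare computer name.
    param($WebServer, $HostHeaders, $DataServer, $Instance, $SsasAccount, $DnsDomain)
    $out = @()
    foreach ($n in @($WebServer, "$WebServer.$DnsDomain") + $HostHeaders) {
        $out += New-Object PSObject -Property @{ Spn = "HTTP/$n"; Account = $WebServer }
    }
    $suffix   = if ($Instance) { ":$Instance" } else { '' }
    $olapAcct = if ($SsasAccount) { $SsasAccount } else { $DataServer }
    foreach ($n in @($DataServer, "$DataServer.$DnsDomain")) {
        $out += New-Object PSObject -Property @{ Spn = "MSOLAPSvc.3/$n$suffix"; Account = $olapAcct }
    }
    $out
}

function Test-SpnExists {
    # setspn -Q prints "Existing SPN found!" or "No such SPN found."
    param([string]$Spn)
    $text = (& setspn.exe -Q $Spn 2>&1) -join "`n"
    $text -match 'Existing SPN found'
}

$required = Get-RequiredSpn $WebServer $HostHeaders $DataServer $Instance $SsasAccount $DnsDomain
foreach ($r in $required) {
    if (Test-SpnExists $r.Spn) {
        "present  $($r.Spn)"
    } elseif ($Register) {
        & setspn.exe -S $r.Spn $r.Account      # -S: add only if not already in the forest
    } else {
        "missing  $($r.Spn)  ->  setspn -S $($r.Spn) $($r.Account)"
    }
}

# Duplicates anywhere in the forest break Kerberos for both accounts involved.
$sweep = (& setspn.exe -X 2>&1) -join "`n"
if ($sweep -match 'found (\d+) groups? of duplicate SPNs' -and [int]$Matches[1] -gt 0) {
    Write-Warning "setspn -X reports $($Matches[1]) duplicate group(s):`n$sweep"
}

if ($ConstrainWebServer -or $TestUser) { Import-Module ActiveDirectory }

if ($ConstrainWebServer) {
    # Constrained delegation: the web server may impersonate users only towards
    # the cube server's SPNs, instead of "any service" (the guide's Full option).
    $targets = [string[]]@($required | Where-Object { $_.Spn -like 'MSOLAPSvc.3/*' } | ForEach-Object { $_.Spn })
    Set-ADComputer -Identity $WebServer -Replace @{ 'msDS-AllowedToDelegateTo' = $targets } `
                   -TrustedForDelegation $false
}

if ($TestUser) {
    # "Account is sensitive and cannot be delegated" = AccountNotDelegated; if
    # set, no delegation configuration will make the double hop work.
    $u = Get-ADUser -Identity $TestUser -Properties AccountNotDelegated
    if ($u.AccountNotDelegated) { Write-Warning "$TestUser is marked 'cannot be delegated'" }
    else { "$TestUser can be delegated" }
}
```

Run it without -Register first to see the exact setspn commands it would issue, then with -Register from an account that may write the SPNs. The SSAS server is only listed as an SPN target, not made trusted for delegation, because it is the last hop; -ConstrainWebServer clears the unconstrained flag and writes msDS-AllowedToDelegateTo, which is what the "Trust this computer for delegation to specified services only" option in the Delegation tab sets.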

Client Computers

All major client browsers are compatible with the application's framework (Silverlight). However, only Internet Explorer and Firefox support Integrated Windows Authentication. All previously mentioned browsers support Basic Authentication with or without SSL certificates.

Enabling Integrated Windows Authentication in Internet Explorer 7.x, 8.x


From the client machine (browser) make sure Internet Explorer is set to use Integrated Authentication as shown below and that the web site has been added to the list of TRUSTED SITES in the browser (or INTRANET sites for internal site addresses). This can also be enacted through GPOs on the Active Directory. Have the end user log off and log on or use kerbtray.exe to clear cached security tickets.

Figure 5 Checking Client Browser Properties

Enabling Integrated Windows Authentication in Firefox

Launch Firefox and go to about:config (figure below). Add the URL of the web site to the following preferences:

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.trusted-uris
network.negotiate-auth.delegation-uris

The first two let Firefox answer the server's NTLM and Negotiate (Kerberos) challenges silently; the third lets it forward the user's TGT to the site, which Full (unconstrained) delegation on the web server relies on. Constrained delegation does not use a forwarded TGT, so delegation-uris can be left unset in that case.
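The Internet Explorer and Firefox settings above are per-user and live in the registry and the Firefox profile respectively, which is how the GPO alternative mentioned earlier pushes them. The following PowerShell is an added example for this guide, not Pyramid's own tooling: it turns on IE's "Enable Integrated Windows Authentication" (the EnableNegotiate value), places the site in the Trusted sites or Local intranet zone through the ZoneMap key, and appends the three Firefox preferences to the profile's user.js. The host name and the Firefox profile location are assumptions.

```powershell
# Added example (not from the Pyramid guide): per-user client setup for
# Integrated Windows Authentication: turn on IE's "Enable Integrated Windows
# Authentication", put the site in IE's Trusted sites (or Local intranet)
# zone, and write the three Firefox preferences to the profile's user.js.
# The host name and profile path are assumptions; both changes are what the
# guide's GPO alternative would push centrally.
param(
    [string]$SiteHost       = 'pyramidbio.mysite.com',
    [int]   $IeZone         = 2,       # 1 = Local intranet, 2 = Trusted sites
    [string]$FirefoxProfile = ''       # '' = first profile under %APPDATA%
)

function Set-IeIntegratedAuth {
    # "Enable Integrated Windows Authentication" in Internet Options > Advanced.
    Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -Name EnableNegotiate -Value 1 -Type DWord
}

function Add-IeZoneMapping {
    # ZoneMap layout: Domains\<registrable domain>\<host labels>, with one DWORD
    # per scheme whose data is the zone number.
    param([string]$HostName, [int]$Zone, [string[]]$Schemes = @('http', 'https'))
    $domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $labels  = $HostName.Split('.')
    if ($labels.Count -le 2) {
        $key = Join-Path $domains $HostName
    } else {
        $apex = $labels[-2] + '.' + $labels[-1]
        $sub  = $labels[0..($labels.Count - 3)] -join '.'
        $key  = Join-Path (Join-Path $domains $apex) $sub
    }
    if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
    foreach ($s in $Schemes) {
        New-ItemProperty $key -Name $s -Value $Zone -PropertyType DWord -Force | Out-Null
    }
    $key
}

function Set-FirefoxNegotiatePrefs {
    # user.js is read at every start-up and overrides prefs.js, so this survives
    # UI edits. Only the one site is listed; merge with existing values if you
    # already trust other hosts.
    param([string]$HostName, [string]$ProfileDir)
    if (-not $ProfileDir) {
        $ProfileDir = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" |
            Where-Object { $_.PSIsContainer } | Select-Object -First 1 | ForEach-Object { $_.FullName }
    }
    $prefs = 'network.negotiate-auth.trusted-uris',      # answer Negotiate (Kerberos) silently
             'network.automatic-ntlm-auth.trusted-uris', # answer NTLM fallback silently
             'network.negotiate-auth.delegation-uris'    # forward the TGT (needed for Full delegation)
    $lines = $prefs | ForEach-Object { 'user_pref("{0}", "{1}");' -f $_, $HostName }
    $file  = Join-Path $ProfileDir 'user.js'
    Add-Content -Path $file -Value $lines
    $file
}

Set-IeIntegratedAuth
Add-IeZoneMapping -HostName $SiteHost -Zone $IeZone
if ($FirefoxProfile -or (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles")) {
    Set-FirefoxNegotiatePrefs -HostName $SiteHost -ProfileDir $FirefoxProfile
}
```

Use zone 1 (Local intranet) for internal addresses, as the guide suggests, because IE only sends Windows credentials silently for the intranet zone by default; for zone 2 the "Automatic logon with current user name and password" option must also be selected for that zone. Leave delegation-uris out of the Firefox list when the web server uses constrained delegation.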

Figure 6 FireFox Configuration


vii.

Testing Your Configuration

Once you have completed these steps, ensure your SSAS security is set correctly, and test the delegation by attempting to access a data view in the Pyramid Application. Do not test from the web server, application server or data server, as this would only be a single-hop test. If you see an error in the client, please continue reading the following troubleshooting section.

viii. Troubleshooting

Confirm a Kerberos Delegation Issue

It is important to first be sure that Kerberos delegation failure is indeed the cause of the error you are receiving in the client. Many of the other possible causes of this error can be eliminated from consideration using the following steps:

1. Restart all machines involved in the Kerberos delegation setup. This will force services to be restarted, which is required after SPN changes, and Kerberos ticket caches to be cleared.
2. Attempt to access the client by using a browser on the web server itself. This eliminates one of the credential hops, and you should be able to log in. If you cannot see data, Kerberos delegation may not be the issue.
3. Check the Event Viewer Security logs on the web and data servers. The logs report successes and failures and identify whether Kerberos or NTLM is being used. On the data server, a successful delegated logon shows the end user's name with the Kerberos package; an NTLM logon, or a logon as the web server's machine account, means delegation did not happen.
   a. Looking at the audit logs in the Pyramid database will also highlight what type of authentication the user was using when trying to log into the application.
4. Check to be sure cube security is set correctly and the test user is a member of a role that has access to the cube. It is recommended that you temporarily grant your test user membership in the server Administrator role to help eliminate cube security as a cause of any connection problems; remove that membership as soon as the test is finished.
5. Check that the web server can communicate with the data server and that firewall ports are open. It is recommended that you temporarily disable firewalls to help eliminate them as possible causes of any connection problems. If there are firewalls between the client, web server and data server, be sure that they have the correct ports open.

Troubleshooting Kerberos authentication to the SSAS service:

If you're confident that the problem appears only when attempting to use Kerberos delegation, there are a few things to confirm:

1. Review the setup steps above to be sure your SPN entries are correct and that the data server, web server and client machines have been properly configured for delegation.
2. You can check your SPNs and test for duplicates using a tool called DHCheck.
3. You can use the Kerberos Delegation Tester on the installed website, found at:
   a. the server's default website: http://defaultwebsite/pyramid/admin/diagnostics.aspx, or
   b. the URL http://pyramidBIO.mysite.com/admin/diagnostics.aspx, where pyramidBIO.mysite.com is the host URL name you provided during installation.
4. Use the MDX Sample Application from Analysis Services 2000 on the web server to test a Kerberos connection to Analysis Services. If the tool connects successfully when forced to use Kerberos, then you have most likely configured the SPN entries for the SSAS service correctly. To force a Kerberos connection, modify the Provider field when connecting to a server, as shown in the figure below (the MSOLAP connection string property SSPI=Kerberos forces the Kerberos package; the same property appears in the IIS 6 registry setting later in this section).

   Figure 7 Testing Kerberos with the MDX Sample Application

5. Review the section "Diagnosing Delegation Problems: Four Checklists" in Microsoft's "Troubleshooting Kerberos Errors": http://download.microsoft.com/download/1/e/e/1ee86ce4-8234-4aa1-94f4-a37039837729/Troubleshooting_Kerberos_Delegation.DOC

Troubleshooting Kerberos on the web server:

Once you have confirmed that you are able to authenticate to the SSAS service using Kerberos, test the application again from a client machine. If you continue to have login issues, there may be some additional configuration steps necessary on the web server.

IIS 7.x on Windows 7/8 or Windows 2008/2012 Server

The following steps can be set directly in the IIS 7.x console found in the Administrative Tools on the server. You will need to install the administrative tools for IIS 7.x (which can be downloaded from the web or found under the Tools menu on the Pyramid install CD).

1. Open the IIS 7.x console and select the website from the tree on the left.
2. Click on Configuration Editor.

Figure 8


3. In the panel, click on windowsAuthentication.
4. In the panel, click on providers and then click on the ellipsis at the far right of the screen.

Figure 10

Figure 9

Providers: Make sure there are 2 providers listed, Negotiate and NTLM, with Negotiate first. IIS offers the providers in the listed order; if NTLM is listed first, or Negotiate is missing, browsers authenticate with NTLM and the delegation to SSAS cannot work, because NTLM credentials cannot be delegated.

Figure 11

Advanced settings: In the authentication panel, make sure Extended Protection is set to "Off" in the drop down and that "Enable kernel-mode authentication" is checked. With kernel-mode authentication, IIS decrypts Kerberos tickets with the computer account's key, which matches the HTTP SPNs registered on the computer account for a NETWORK SERVICE application pool as described above. If the application pool runs as a domain account instead, either disable kernel-mode authentication or set useAppPoolCredentials to true on the site, and register the HTTP SPNs on that domain account. Extended Protection adds channel-binding checks that defend against credential relaying; the guide requires it off, so revisit that choice once all your clients support it.

Figure 12


IIS 6 on Windows 2003 Server

An IIS metabase entry specifying the authentication headers available for the web site needs to be checked to ensure Kerberos is the default security protocol option. You may check this with any IIS metabase browser, or from the IIS metabase XML file directly. Metabase Explorer from the IIS 6 Resource Kit may be the easiest to use. For the IIS service where the application's virtual directory is located (in this case the default website), be sure the NTAuthenticationProviders property is set to Negotiate,NTLM, click Apply, and reset IIS.

Figure 13 Web Service Properties via Metabase Explorer

The Negotiate authentication header will use Kerberos in most cases (for exceptions please refer to the following article: http://support.microsoft.com/kb/215383). Therefore, if the website hosting the application is configured to utilize the Negotiate header (as specified above), the authentication protocol will generally be Kerberos without the need for further configuration.

The remainder of this subsection is carried over from the ProClarity Analytics Server (PAS) document named at the start of this section and refers to ProClarity's own registry key: if everything appears to be in place but PAS will not authenticate to Analysis Services, it may be necessary to force the authentication protocol to Kerberos on the OLE DB connection string. This can be done by following these steps:

1. Add a registry key called Properties to the existing Microsoft ProClarity Server registry key. The final path will look like this: HKLM\SOFTWARE\Microsoft ProClarity Corporation\Server\Properties
2. Add a new string value: right click on the new Properties key and select New, String Value. The value name is SSPI (without quotes) and the value data is Kerberos (without quotes).
3. Reset IIS.


Other Troubleshooting Tips

1. You may also turn on verbose logging to capture security traffic on your web server and data server: http://support.microsoft.com/kb/262177

   Figure 14 Log Level Setting in the Registry

   If you are using Constrained Delegation, temporarily disable the constraint and retest.

2. Are you using a split domain where machines can resolve with two different FQDNs? For example, when you ping the same server from two different machines and it returns different FQDNs such as MyDataServer.Company.com as well as MyDataServer.AD.Company.com? If so, this may defeat the SPNs needed for Kerberos delegation. Please see your network administrators and verify that the DNS names being requested by the browser to the web server match the SPNs on the server. Also be sure that the DNS names requested by the web server to the data server match the SPNs registered on the data server.

3. Troubleshooting with Network Monitor or Wireshark? Two easy ways to pick Kerberos from NTLM in an HTTP capture.

4. Analysis Services should be installed, preferably from a fresh install that has not been imaged. It is also preferable that you use a machine that has not been renamed.
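The question behind tip 3, the Security-log step earlier in this section and the IIS provider check is always the same: was it Kerberos or NTLM? In an HTTP capture the two tells are the token itself (an NTLM message starts with the signature NTLMSSP, so the base64 after "Authorization: Negotiate" begins with TlRMTVNTUA; a Kerberos/SPNEGO token is an ASN.1 GSS-API token starting with byte 0x60 and its base64 begins with YII) and the handshake shape (NTLM needs two 401 responses on a connection before the 200, Kerberos at most one). The following PowerShell is an added example for this guide, not Pyramid's own tooling: it classifies a captured Negotiate token, reads the IIS windowsAuthentication settings that Figures 11 and 12 ask you to inspect, and lists the authentication package from Security event 4624. The IIS location is an assumption and the two tokens at the bottom are constructed, not taken from a real capture.

```powershell
# Added example (not from the Pyramid guide): three checks that answer
# "was it Kerberos or NTLM?" during the troubleshooting steps above. The first
# classifies the Negotiate token from an HTTP capture (the base64 after
# "Authorization: Negotiate"), the second reads the IIS windowsAuthentication
# settings the guide asks you to inspect, the third lists the authentication
# package from Security event 4624 on the web or data server. The IIS
# location and the capture tokens below are assumptions / constructed data.

function Get-NegotiateTokenKind {
    # NTLM messages carry the signature "NTLMSSP\0", either as the whole token
    # (raw NTLM, base64 starts "TlRMTVNTUAA") or wrapped inside SPNEGO. Kerberos
    # tokens are ASN.1 GSS-API tokens: 0x60 for the initial token (base64 "YII..."),
    # 0xA1 for a SPNEGO reply.
    param([string]$Base64Token)
    $bytes = [Convert]::FromBase64String($Base64Token)
    $sig = [byte[]]([Text.Encoding]::ASCII.GetBytes("NTLMSSP") + [byte]0)
    for ($i = 0; $i -le $bytes.Length - $sig.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $sig.Length; $j++) {
            if ($bytes[$i + $j] -ne $sig[$j]) { $hit = $false; break }
        }
        if ($hit) { return 'NTLM' }
    }
    if ($bytes.Length -gt 0 -and ($bytes[0] -eq 0x60 -or $bytes[0] -eq 0xA1)) { return 'Kerberos' }
    'Unknown'
}

function Get-IisWindowsAuthState {
    # Providers must list Negotiate before NTLM, extended protection off and
    # kernel-mode on, as in Figures 11 and 12 of the guide.
    param([string]$Location = 'Default Web Site/pyramid')
    Import-Module WebAdministration
    $f = '/system.webServer/security/authentication/windowsAuthentication'
    $providers = @(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
                     -Filter "$f/providers" -Name Collection | ForEach-Object { $_.value })
    New-Object PSObject -Property @{
        Enabled        = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter $f -Name enabled).Value
        Providers      = $providers -join ','
        NegotiateFirst = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
        KernelMode     = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter $f -Name useKernelMode).Value
        ExtProtection  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$f/extendedProtection" -Name tokenChecking).Value
    }
}

function Get-LogonPackages {
    # Event 4624: AuthenticationPackageName is Kerberos or NTLM; on the data
    # server a delegated logon shows the end user's name, not the web server's
    # machine account.
    param([int]$Newest = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $Newest | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; User = $data['TargetUserName']; LogonType = $data['LogonType']
            Package = $data['AuthenticationPackageName']; Workstation = $data['WorkstationName']
        }
    }
}

# Constructed tokens (not from a real capture): an NTLM Type 1 message and the
# first bytes of a SPNEGO token carrying the SPNEGO OID 1.3.6.1.5.5.2.
$ntlmType1 = [byte[]]([Text.Encoding]::ASCII.GetBytes("NTLMSSP") + [byte[]](0, 1, 0, 0, 0, 0x07, 0x82, 0x08, 0xA2) + (New-Object byte[] 24))
$spnegoHdr = [byte[]](0x60, 0x08, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02)
Get-NegotiateTokenKind ([Convert]::ToBase64String($ntlmType1))   # NTLM
Get-NegotiateTokenKind ([Convert]::ToBase64String($spnegoHdr))   # Kerberos
```

Paste the base64 from the capture's Authorization header into Get-NegotiateTokenKind; a SPNEGO token that still carries NTLMSSP inside is reported as NTLM, which is the case where the browser could not get a Kerberos ticket (wrong SPN, site not trusted, or ticket not yet refreshed). On the data server, Get-LogonPackages with the end user's name and Package = Kerberos is the positive confirmation that delegation worked; LogonType 3 with the web server's machine account is the usual signature of a failed second hop.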
