Pyramid Analytics Installation Guide Version 4.6 Copyright Pyramid Analytics 2010-2012


Page 1: bioXL guide.pdf

Pyramid Analytics

Installation Guide

Version 4.6

Copyright Pyramid Analytics 2010-2012


2 Pyramid Analytics| Version 4.6 Installation Guide

A Quick Guide and Overview for Installing Pyramid Analytics

• Start by checking that your server has all the prerequisite operating system and software requirements
• Assemble all the credentials and system information needed to install the application
  o SQL Server details and login credentials
  o Active Directory and Domain detail and a domain account with enhanced privileges
  o SQL Server Analysis Services details
  o Web URL details
• Install the main application from the media as an Administrator
• Run the configuration wizard to complete the installation
  o Pyramid Application License Key
• Launch the administrative console and run the quick start wizard
  o Enter initial client licensing key, users and roles

Minimum Server Hardware Requirements (Recommended Minimum)

                      32-bit          64-bit
Windows OS            32-bit          64-bit
Windows               Server 2008     Server 2008 R2 / 2012
Cores                 4               4
Memory (GB)           4               8
Disk (MB)             150             150


Contents

1. Installation ........ 4
   A. Server & System Prerequisites ........ 4
   B. Basic Install ........ 5
   C. Configuration Wizard ........ 6
   D. Post Configuration Steps ........ 7
      i. Firewalls ........ 7
      ii. Security Setup ........ 7
      iii. Testing Communications: Diagnostics ........ 7
2. Administration ........ 8
   A. Setting-up Licenses, Users and Roles ........ 8
3. Client ........ 9
4. Troubleshooting Guide ........ 10
5. Appendix ........ 11
   A. SQL Server Settings ........ 11
   B. Distributed Transaction Coordinator Settings ........ 11
   C. Web Application Settings and Customizations ........ 12
      i. Web Site Deployment Options ........ 12
      ii. Using an SSL certificate and HTTPS ........ 13
   D. Web Authentication Models ........ 14
      i. Basic Authentication Models ........ 14
      ii. Windows Authentication Models ........ 14
      iii. Forms Authentication Models ........ 14
   E. “Log-on-Locally” Impersonation Setup ........ 15
      i. Local OS setup ........ 15
      ii. Active Directory setup ........ 15
   F. Kerberos Delegation Setup ........ 16
      i. Introduction ........ 16
      ii. Other Documentation & Tools ........ 16
      iii. Overview ........ 17
      iv. Prerequisites ........ 17
      v. Configuration Steps: Delegation and SPNs ........ 17
      vi. Client Configuration ........ 19
      vii. Testing Your Configuration ........ 20
      viii. Troubleshooting ........ 20
   G. Constrained Delegation ........ 25
      i. Constrained Vs. Full: Overview ........ 25
      ii. Pyramid Multi Servers Architecture ........ 25
      iii. Configurations from Domain Controller ........ 26
      iv. Summary ........ 27
   H. Windows 8 & Windows Server 2012 ........ 28
   I. Performance Load Balancing Options ........ 29


1. Installation

A. Server & System Prerequisites

1. The Pyramid application is comprised of 3 installed application components: the web client application, the router server and the application server. Each can be installed on a single machine or on separate machines with these operating systems:
   i. Web Server: Windows 2003, 2008, 2008 R2 or 2012 (32 or 64 bit)
   ii. Router Server: Windows 2008, 2008 R2 or 2012 (32 or 64 bit)
   iii. Application Server: Windows 2008, 2008 R2 or 2012 (32 or 64 bit)

   For each OS type ensure that:
   o User Account Control is turned off and that the installing user has FULL, TRUSTED ADMINISTRATIVE RIGHTS on the server(s).
   o IIS 7 is installed (with Windows and Basic authentication)

   Only the web client application is supported on Windows 2003 R2 x86. The router and application servers MUST be installed on a Windows 2008/2012 server. For Windows 2003 ensure:
   o The installing user installs the software as an Administrator with FULL, TRUSTED ADMINISTRATIVE RIGHTS on the server(s).
   o IIS 6 is installed (with Windows and Basic authentication)

2. On all Operating Systems:
   • Microsoft Distributed Transaction Coordinator is installed and running
   • Multi-server deployments must be within an Active Directory framework (2003 / 2008 / 2012). In this scenario, ensure the server is ALREADY part of the domain.
   • Kerberos and Service Principal Names (SPNs) need to be enabled and established in a multi-server deployment, except for Basic and Forms Authentication deployments where administrators choose to give end users “log-on-locally” rights.

3. SQL Server 2008/2012 is installed and running on the machine hosting the Content Store Database
   • You will need the SQL Server authentication credentials with full ADMIN rights (see the appendix of this document for more details)


B. Basic Install

1. Launch the ISO on the target server as an ADMINISTRATOR. Before installing, ensure that the installation user has full administrative access to the server and that User Account Control has been turned completely off.
2. The Pyramid BIO application requires the Microsoft .NET 4.0 Framework. The installer will automatically install this component before continuing. It may require a server reboot once installed before the application installation can continue.
3. Provide a domain user name and password if the application is going to be installed in an Active Directory framework.
4. Provide the database details for the content store.
5. Install the package:
   a. Choose COMPLETE to install all 3 components (‘web’, ‘router’ and ‘application’) to a single server (2008/2012 only)
   b. Choose CUSTOM to install one or more components on separate servers.
6. After installation, run the Configuration Wizard from the last step in the installer. This is a CRUCIAL process that must be completed before launching the application (see next section).
7. Once configured, users launch the administrative console and complete the QUICK START wizard to set up licenses and users.

Note: Before users can log into a cube, ensure that either:
   a. SPNs have been set up correctly for a multi-server deployment
      i. See the Kerberos set-up step in the appendix of this document.
   b. Or, the “log-on-locally” access rights have been granted for the alternative Basic and Forms Authentication deployments
      i. See the Impersonation set-up step in the appendix of this document.


C. Configuration Wizard

NOTE: Some steps may not be presented depending on which components have been installed on a particular server.

1. Database confirmation: enter all the details of the database into this panel. You cannot continue unless all of the information is correct. The user ID must be a SQL Server user ID. This step is skipped if SQL authentication was used during installation.
2. Application License: enter the application license provided by Pyramid. Also mark off whether you will allow the system to auto-submit errors to Pyramid’s central database. The auto-error logging feature does NOT capture user details, data or queries.
3. Master Account Setup: Enter a username and password for the application “master” account. These credentials will provide access to the administrative console for configuring the application.
4. Active Directory: Provide the details of the operating system security framework being deployed. Using an Active Directory (2003 / 2008 / 2012) is highly recommended (and required for multi-server deployments). Please see the appendix on Local OS and Active Directory Impersonation Setup required for the application.
   a. For Active Directories:
      i. Provide the LDAP address for the root node of the AD in the form “LDAP://dc=xx,dc=yy,dc=zz”, where the AD root node is xx.yy.zz. Click the “RESET” button to auto-generate this address.
   b. For Local OS Security:
      i. Provide the WinNT address for the machine in the form “WinNT://machine-name” (note that “WinNT” is case sensitive). Click the “RESET” button to auto-generate this address.
   c. For both security frameworks provide the domain name.
      i. If this application is using local OS security, the domain is typically the machine name.
      ii. If the application is using AD security, this is the first part of the AD root node: “xx” in “xx.yy.zz”.
   d. Installers must indicate whether the installation is a multi-server installation.
   e. When the installation does NOT detect an installed web component, you are also prompted to indicate what type of web authentication model will be used: Basic, Forms or Windows Authentication. If Basic or Forms are chosen, administrators can elect whether “Kerberos” or “Log-on-Locally” rights will be given to end users.
5. Datasources: The configuration wizard allows you to provide up to 3 different OLAP data-sources (you can add more in the administrative console). Enter the name of the OLAP servers and their IP addresses. Instance names are optional.
   a. These OLAP servers must be within the SAME security framework as entered in step 3 above (i.e. they should all belong to the same Active Directory as the server hosting the application). It is strongly recommended that you enter at least one SSAS/OLAP server at this point.
6. Application Server: Provide the name, IP address and port number (see note 1 below) of the server hosting the application server. The default is the current machine’s registered name and its first IPv4 address.
   a. Provide the SPN if using a multi-server deployment (see instructions for SPNs).
7. Router Server: Provide the name, IP address and port number (see note 2 below) of the server hosting the router server. The default is the current machine’s registered name and its first IPv4 address.
   a. Provide the SPN if using a multi-server deployment (see instructions for SPNs).
8. Web Server: Provide the name and IP address of the server hosting the web application. The default is the current machine’s registered name and its first IPv4 address. You must also provide the web site name that will be hosting the application. This will match the web URL you provided during the installation process.
   a. Indicate whether you are going to use an SSL certificate for the web application. (See instructions in the appendix for deploying the site under HTTPS.)
   b. Indicate whether you want the configuration wizard to make entries in your local HOSTS file to temporarily enable browsing of the site URL while your permanent DNS settings are configured.
   c. For forms authentication, indicate if you are using direct forms or federated forms. For federated forms, you must provide the web domain name for the overall site and the default login page address for redirects when auto-login fails.
9. ProClarity Analytics Server: Provide the details for the PAS 6.3 SQL Database content store for legacy content support. This includes the SQL Server machine name, database name and a SQL Server user ID with the credentials to read from that database.
10. Click FINISH to commit your changes.

Notes:
1. Port numbers should reflect ports that are open and available BETWEEN servers when in a multi-server deployment.
2. Ibid.


Where installed, the configuration wizard will then start up the Pyramid Application and Router Services.

To check that the application and router servers have been launched successfully:
   • Open the Windows Event Viewer, under Administrative Tools.
   • Open the Applications and Services Logs, and click on the “Pyramid” catalog.
   • Logged events should show that both the application and router servers have started successfully.
   • See the troubleshooting guide if services do not start.

D. Post Configuration Steps

Before attempting to log in and start administering the application, administrators may need to complete the following steps.

i. Firewalls

In a multi-server deployment, for both basic and windows authentication systems, administrators MUST ensure that the ports between the different servers are OPEN for both the Router and Application Servers described in C6.a and C7.a above. In Windows 2008 Server, the “Domain” firewall is typically the only Windows Firewall profile that needs to have these ports opened. However, administrators may need to tailor this to their own environments and conditions.

ii. Security Setup

Service Principal Names (SPNs)
In a multi-server deployment the configurator will ATTEMPT to create and add SPNs on the relevant servers. Administrators should manually check that this process completed successfully and, if not, set up all the server delegations for Kerberos and the SPNs themselves. Details on this can be found in the appendix.

Log-on-Locally Access
For deployments where administrators have elected to grant “log-on-locally” rights and use basic or forms authentication, administrators MUST allow end users the right to “Log-on-Locally” to the host servers through the Active Directory GPO settings, to ensure users can be authenticated for secure access. Details can be found in the appendix.

iii. Testing Communications: Diagnostics

An optional system tester is provided to ensure that the communication layer of the application is operating as expected. Administrators can use this tool if they have trouble logging into the application. It can be found at the URL "http://pyramidBIO.mysite.com/admin/diagnostics.aspx", where pyramidBIO.mysite.com is the host URL name you provided during installation.

The “ping” test will show whether the application can open a basic communication channel from the web application, through the router and on to the application server.

The separate “Kerberos” test is useful for Kerberos delegation and SPN testing.
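As an added example (not part of the Pyramid guide), this PowerShell script performs the post-configuration checks above from one place: it reads the Pyramid event log for service start-up events, confirms MSDTC is running and allows remote clients, and tests that the router and application ports are reachable. The host names and ports are placeholders for the values entered in wizard steps C6 and C7; the event log name, the wording of the start-up message and the MSDTC registry values are assumptions.

```powershell
# Added example (not from the Pyramid guide): post-configuration checks for section D.
# Host names and ports are placeholders for the values entered in wizard steps C6 and C7.
$RouterServer = 'router.example.internal'   # placeholder
$RouterPort   = 5000                        # placeholder
$AppServer    = 'app.example.internal'      # placeholder
$AppPort      = 5001                        # placeholder

function Test-TcpPort {
    # TcpClient instead of Test-NetConnection so the check also runs on Windows 2008 R2.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-PyramidServiceStart {
    # The guide says start-up is logged under Applications and Services Logs > "Pyramid".
    # Assumption: that log is readable as -LogName 'Pyramid' and start events mention "start".
    try {
        $events = Get-WinEvent -LogName 'Pyramid' -MaxEvents 50 -ErrorAction Stop
    } catch {
        Write-Warning "Pyramid event log not readable on this machine: $_"
        return $false
    }
    $started = @($events | Where-Object { $_.Message -match 'start' -and $_.Level -ne 2 })  # Level 2 = Error
    $started | Select-Object TimeCreated, ProviderName, Message | Format-Table -AutoSize -Wrap | Out-Host
    return ($started.Count -gt 0)
}

function Test-MsdtcSettings {
    # MSDTC must run on every server hosting part of the application (appendix B).
    $svc = Get-Service -Name MSDTC -ErrorAction SilentlyContinue
    $running = ($svc -ne $null -and $svc.Status -eq 'Running')
    if (-not $running) { Write-Warning 'MSDTC service is not running.' }
    # Assumption: "Allow Remote Clients" is reflected in these DWORDs under MSDTC\Security.
    $sec = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security' -ErrorAction SilentlyContinue
    $remote = ($sec -ne $null -and $sec.NetworkDtcAccess -eq 1 -and $sec.NetworkDtcAccessClients -eq 1)
    if (-not $remote) { Write-Warning 'MSDTC does not Allow Remote Clients (Component Services > DTC > Security).' }
    return ($running -and $remote)
}

$checks = @(
    @{ Name = 'Pyramid services logged a start';                     Pass = (Test-PyramidServiceStart) },
    @{ Name = 'MSDTC running and remote-enabled';                    Pass = (Test-MsdtcSettings) },
    @{ Name = "Router port ${RouterServer}:${RouterPort} open";      Pass = (Test-TcpPort $RouterServer $RouterPort) },
    @{ Name = "Application port ${AppServer}:${AppPort} open";       Pass = (Test-TcpPort $AppServer $AppPort) }
)
foreach ($c in $checks) {
    '{0,-55} {1}' -f $c.Name, $(if ($c.Pass) { 'OK' } else { 'FAIL' })
}
```

Run it on the web server first, since that is where the “ping” test originates; a FAIL on a port line points at the firewall step in D.i, a FAIL on MSDTC at appendix B.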


2. Administration

A. Setting-up Licenses, Users and Roles

Open up a browser and browse to the administrative console on the web server through the URL “http://pyramidBIO.mysite.com/admin/”, where pyramidBIO.mysite.com is the host URL name you provided during installation.

Log in with the master account credentials entered in the configuration wizard as per above.

Once logged into the administrative console, you need to either launch the Quick Start Wizard by clicking on the large RED button on the settings tab in the console, or complete the following manual steps before attempting to access the client.

This manual process involves the administrator entering user licenses; creating users and roles; and applying access roles to data-source servers.

1. Client Licenses: Go to the Client Licenses tab and add new client license packs provided by Pyramid.
2. Users: Go to the Users tab and Add a New User
   a. Provide the user’s domain (this may be different to the default domain used for the application itself).
   b. Type in a search key to look up users from the security framework (Local OS or Active Directory). Select the desired user and click Next.
   c. Select which license type this user will be deployed under.
3. Roles: Go to the Roles tab and Add a New Role
   a. Provide a role name
   b. Next, optionally attach existing application users to this role.
      i. Users listed are those already added to the application in the previous step above.
   c. Next, optionally attach security groups to this role.
      i. Security groups are read from the Active Directory.
   d. Click Finish. (Note that the Finish button is disabled UNLESS at least one user, one group, or both users and groups are selected.)
4. Servers: Go to the Servers tab. Click the ROLES button next to each Data-Sources Server listed to assign role access to each data source server.
   a. Look up existing roles in the system (from the previous step) and assign or un-assign to the data source as needed. (Note that this is an application-layer functional access control. The user must still have data access rights to the SSAS OLAP server, underlying databases and cubes. These are typically set in the Analysis Services instance itself.)


3. Client

Open up a browser and browse to the URL http://pyramidBIO.mysite.com/

Log into the application using credentials for users licensed in the system as per the previous step above. You can log in as the professional/administrative user added in the above steps.

As a professional user type, open a cube from the data-sources content section. If you cannot see a data-source (cube server), check the troubleshooting guide.

Client Browsers Supported

With SilverLight 5, the number and type of browsers supported has changed:

Browser                  Windows     Mac
Internet Explorer 7 -    Yes         NA
FireFox 3.6 -            Yes         Yes
Safari 4 -               *           Yes
Chrome                   Yes         **
Recommended Browser      IE 9        Safari 5.x

*Safari has not been certified by Microsoft to work reliably on Windows.
**Chrome has not been certified by Microsoft to work reliably on Mac OS X.

If deploying a Windows Authentication web application, note that the Safari and Chrome browsers do NOT support Integrated Windows Authentication (see Client Configurations for more).

SilverLight Isolated Storage - FireFox

All browsers support the isolated storage functionality of SilverLight – required for the application. However, FireFox needs to have certain settings changed before supporting this feature.

From the FireFox browser, go to Tools; Options; Privacy tab. The user should choose ‘Remember History’. Without this, isolated storage will NOT work.

Figure 1


4. Troubleshooting Guide

Issue: The cube server is not available in the client
Resolution:
   Server Address: the data-sources are addressed through their server names and then their IP addresses. In a volatile DNS and DHCP environment (with virtual machines, for example), these IP addresses can get mixed up. Ensure that the server’s IP address in the admin console ACCURATELY reflects the machine’s actual IP address.
   Data Security: Access to the cube server is driven through 2 “gateways”: the first is the Pyramid administrative layer, while the second is cube access as determined via SSAS cube role security. See administrative help for the former issue. Check the SSAS security roles for the latter. If both of these are correct, ensure that the server entry on the Pyramid administrative page reflects the correct IP address for that server. If these don’t work: check that the domain account on the application service has access to the cube servers; check that the application server can see the cube server (DNS resolution); check access using a third-party tool like SQL Server Management Studio.
   Kerberos: If these don’t remedy the issue, the authentication of the user may be failing. See the appendix on Kerberos authentication for more detail.
   Log-on-Locally: Ensure that the users have log-on-locally rights on all servers. Often, the GPO settings are not replicated to the server in a timely fashion and need to be updated by “force”.

Issue: User tries to log in and gets an “Access Denied” message.
Resolution: Ensure that the user has been given the right to “log on locally” to the server if the basic authentication and log-on-locally rights model has been deployed (as described here). Even if this has been set up correctly, it often takes time for the GPO settings to be distributed to all the servers in the network. If this problem persists, use a tool to force the GPO rules to replicate across the network on demand.

Issue: No Datasources/Cube Servers found
Resolution: This is typically an oversight with the data security on the SSAS cube server. Ensure that the user has rights to see a cube via the Analysis Services Roles functionality. Separately, ensure that users belong to a role in the Pyramid Application that has been given rights to view the data source servers (see the Pyramid Administrative Guide for more).

Issue: 401.1 web error for LOCALHOST installations
Resolution: This problem of a 401.1 no-access error when logging into the client application can occur on LOCALHOST installations when trying to log in from the same machine hosting the application. In this scenario, one suggestion is to disable the “loopback” function in Windows. See this article for more information: http://support.microsoft.com/kb/896861

Issue: “Error 500”
Resolution: This problem is potentially related to a communications issue. See sections D.i, ii and iii above for more information. Also, ensure that the services have been started up on their respective servers and that there are no port conflicts on each machine.


5. Appendix

A. SQL Server Settings

The server housing the SQL Server database should have these capabilities enabled:
   • Mixed Authentication (the application uses SQL Authentication for all its activities)
      o The user account provided by administrators to access the SQL Server should have FULL administrative rights to the Pyramid Content Store Database.
   • Full Text Search

B. Distributed Transaction Coordinator Settings

The application uses MSDTC to handle the many different transactions between it and the SQL Server Content Store. As such, MSDTC needs to be running on ALL servers that are hosting aspects of the application – including the server hosting SQL SERVER itself.

Further, the MSDTC must be set to Allow Remote Clients.


C. Web Application Settings and Customizations

i. Web Site Deployment Options

The web application installation creates a new standalone web site on the web server. This is named “pyramidBIO.mysite.com” by default, but can be changed during the installation process. Administrators can elect to manually create the Pyramid site as a Virtual Application within an existing web site by replicating the settings as per below. If the site is to be secured via SSL, the web application needs to be configured to handle the change in HTTPS protocol (see below).

Using a Stand-Alone Site Internally

Note: some of these steps are completed for you by the configuration tool using the URL provided during installation.

To test the stand-alone web application without creating extranet DNS entries, edit the HOSTS file on the client workstation as follows:
   • Open c:\windows\system32\drivers\etc\hosts (note there is no file extension on this system file)
   • Add an entry to the bottom of the HOSTS file recording the IP address of the web application server and its decorated DNS name.
      o For example, we’d add the following entry to enable the URL “pyramidBIO.mysite.com” to work on the local machine:
        127.0.0.1 pyramidBIO.mysite.com
   • Ensure you save the HOSTS file as is, without an extension.
   • On certain operating systems (mainly Windows 2008 and Windows 7) the user must disable the “loopback” check option (see http://support.microsoft.com/kb/896861 for more):
      o In the registry, go to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      o Add a new DWORD value “DisableLoopbackCheck” and set its value to 1.
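The HOSTS and loopback steps above, scripted in PowerShell as an added example (not from the Pyramid guide). It assumes the site name given during installation and an elevated prompt; alongside the guide’s DisableLoopbackCheck switch it offers the per-name BackConnectionHostNames exemption from the same KB article, which is the narrower change on a production web server.

```powershell
# Added example (not from the Pyramid guide): HOSTS entry plus loopback-check handling.
# $HostName is the site name from installation; $Address is 127.0.0.1 on the web server
# itself, or the web server's IP address when editing a client workstation's HOSTS file.
$HostName  = 'pyramidBIO.mysite.com'
$Address   = '127.0.0.1'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Add-HostsEntry {
    param([string]$Path, [string]$IPAddress, [string]$Name)
    $lines = @(Get-Content -Path $Path -ErrorAction SilentlyContinue)
    # An uncommented line that already maps this name is reported, not duplicated,
    # so a stale address from an earlier test is noticed rather than silently shadowed.
    $pattern  = '^\s*[^#\s]+\s+' + [regex]::Escape($Name) + '(\s|$)'
    $existing = $lines | Where-Object { $_ -match $pattern }
    if ($existing) {
        Write-Host "HOSTS already maps ${Name}: $existing"
        return $false
    }
    # Append in ASCII; the file keeps its extension-less name, as the guide requires.
    Add-Content -Path $Path -Value ("{0}`t{1}" -f $IPAddress, $Name) -Encoding Ascii
    return $true
}

function Add-BackConnectionHostName {
    # KB 896861 method 1: exempt only this name from the loopback check. Unlike
    # DisableLoopbackCheck=1 it keeps the server-wide protection against NTLM reflection.
    param([string]$Name)
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $current = @((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).BackConnectionHostNames | Where-Object { $_ })
    if ($current -contains $Name) { return $current }
    [string[]]$updated = $current + $Name
    New-ItemProperty -Path $key -Name 'BackConnectionHostNames' -PropertyType MultiString -Value $updated -Force | Out-Null
    return (Get-ItemProperty -Path $key).BackConnectionHostNames
}

function Set-DisableLoopbackCheck {
    # KB 896861 method 2, the setting the guide describes: a machine-wide switch for test boxes.
    param([bool]$Disabled)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($Disabled) {
        New-ItemProperty -Path $key -Name 'DisableLoopbackCheck' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $key -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
    }
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableLoopbackCheck
}

if (Add-HostsEntry -Path $HostsPath -IPAddress $Address -Name $HostName) {
    Write-Host "Added $Address $HostName to $HostsPath"
    ipconfig /flushdns | Out-Null   # the resolver cache picks up the new name without a reboot
}
# Only needed when browsing from the web server itself; use one of the two methods.
Add-BackConnectionHostName -Name $HostName | ForEach-Object { "BackConnectionHostNames: $_" }
# Set-DisableLoopbackCheck -Disabled $true   # the guide's machine-wide alternative
```

Either registry change takes effect after the next logon or an IIS restart; remove the entry again once the permanent DNS records are in place.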

To Create the Virtual Application:

Basic Authentication

Note: You should NOT attempt to change the authentication model used for the application after installation.

1. Create a web application node (e.g. “pyramid”) under an existing website.
   a. Make sure it is pointed to the paBIO directory under c:\wwwroot\inetpub\Pyramid Analytics\
   b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to BASIC AUTHENTICATION (anonymous authentication and WINDOWS authentication must be disabled).
   c. Set its application pool to paBIO
2. Under the application node from step 1 above, add a “virtual application” called “Admin”.
   a. Make sure it is pointed to the paBIOadmin directory under c:\wwwroot\inetpub\Pyramid Analytics\
   b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication (BASIC and WINDOWS authentication must be disabled – because it uses FORMS authentication)
   c. Set its application pool to paBIOadmin

Forms Authentication

Note: You should NOT attempt to change the authentication model used for the application after installation.

1. Create a web application node (e.g. “pyramid”) under an existing website.
   a. Make sure it is pointed to the paBIO directory under c:\wwwroot\inetpub\Pyramid Analytics\
   b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to ANONYMOUS AUTHENTICATION (BASIC authentication and WINDOWS authentication must be disabled).
   c. Set the authentication on the Services directory to BASIC authentication
   d. Set its application pool to paBIO
   e. Change the “FormsLogon” application setting in the web.config to “true” and set the “WebDomain” value.
2. Under the application node from step 1 above, add a “virtual application” called “Admin”.
   a. Make sure it is pointed to the paBIOadmin directory under c:\wwwroot\inetpub\Pyramid Analytics\


b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication

(BASIC and WINDOWS authentication must be disabled – because it uses FORMS authentication)

c. Set the authentication on the ExtServices Directory to BASIC authentication

d. Set its application pool to paBIOadmin

For more information on forms authentication, see the appendix on forms authentication.

Windows Authentication

Note: You should NOT attempt to change the authentication model used for the application after installation.

1. Create a web application node (e.g. “pyramid”) under an existing website.

a. Make sure it is pointed to the paBIO directory under c:\inetpub\wwwroot\Pyramid Analytics\

b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to WINDOWS AUTHENTICATION

(anonymous authentication and BASIC authentication must be disabled).

c. Set its application pool to paBIO

2. Under the application node from step 1 above, add a “virtual application” called “Admin”.

a. Make sure it is pointed to the paBIOadmin directory under c:\inetpub\wwwroot\Pyramid Analytics\

b. Set: the ASP.Net version to 4.0; the default page to default.aspx; and authentication to Anonymous authentication

(BASIC and WINDOWS authentication must be disabled – because it uses FORMS authentication).

c. Set its application pool to paBIOadmin
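The three manual IIS procedures above (Basic, Forms and Windows) differ only in which authentication module is enabled at which IIS location. The following PowerShell is an added example, not code from the Pyramid guide, that applies one of the three models with the WebAdministration module and then verifies that exactly the expected modules are on and the others are off. The site name, the application name “pyramid” and the physical paths are assumptions; for the Forms model it assumes the Services and ExtServices directories should have Basic only (anonymous off), which is what the guide's wording implies.

```powershell
# Added example (not from the Pyramid guide): set the IIS authentication modules for the
# paBIO / paBIOadmin applications to one of the three models described above, then verify.
# Site name, application name and paths are assumptions.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                    # assumption: the hosting IIS site
$AppName  = 'pyramid'                             # the web application node created in step 1

$Filters = @{
    anon  = 'system.webServer/security/authentication/anonymousAuthentication'
    basic = 'system.webServer/security/authentication/basicAuthentication'
    win   = 'system.webServer/security/authentication/windowsAuthentication'
}

# Per model: which module must be enabled at each IIS location. Every location lists all three
# modules so the ones the guide says "must be disabled" are switched off explicitly, not left as found.
function Get-AuthPlan {
    param([ValidateSet('Basic','Forms','Windows')][string]$Model)
    $main  = "$SiteName/$AppName"
    $admin = "$SiteName/$AppName/Admin"
    $formsAdmin = @{ anon = $true; basic = $false; win = $false }   # Admin always runs FORMS over anonymous
    switch ($Model) {
        'Basic'   { @{ $main = @{ anon = $false; basic = $true;  win = $false }; $admin = $formsAdmin } }
        'Windows' { @{ $main = @{ anon = $false; basic = $false; win = $true  }; $admin = $formsAdmin } }
        'Forms'   { @{
            $main                = @{ anon = $true;  basic = $false; win = $false }
            "$main/Services"     = @{ anon = $false; basic = $true;  win = $false }   # assumption: Basic only
            $admin               = $formsAdmin
            "$admin/ExtServices" = @{ anon = $false; basic = $true;  win = $false }   # assumption: Basic only
        } }
    }
}

function Set-PyramidAuth {
    param([ValidateSet('Basic','Forms','Windows')][string]$Model)
    $plan = Get-AuthPlan -Model $Model
    foreach ($location in $plan.Keys) {
        foreach ($module in $plan[$location].Keys) {
            # Writing with -Location stores the setting in applicationHost.config, so it works even
            # when the authentication sections are locked against web.config overrides.
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter $Filters[$module] -Name enabled -Value $plan[$location][$module]
        }
    }
}

function Test-PyramidAuth {
    param([ValidateSet('Basic','Forms','Windows')][string]$Model)
    $plan = Get-AuthPlan -Model $Model
    $ok = $true
    foreach ($location in $plan.Keys) {
        foreach ($module in $plan[$location].Keys) {
            $attr   = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                          -Filter $Filters[$module] -Name enabled
            $actual = [bool]$attr.Value
            if ($actual -ne $plan[$location][$module]) {
                Write-Warning "$location ${module}: expected $($plan[$location][$module]), found $actual"
                $ok = $false
            }
        }
    }
    return $ok
}

# Example run: Basic model, with both application pools pinned to .NET 4.0 as the guide requires
foreach ($pool in 'paBIO', 'paBIOadmin') {
    Set-ItemProperty "IIS:\AppPools\$pool" -Name managedRuntimeVersion -Value 'v4.0'
}
Set-PyramidAuth -Model Basic
if (-not (Test-PyramidAuth -Model Basic)) { throw 'IIS authentication does not match the Basic model' }
```

Run Test-PyramidAuth again after any later change in IIS Manager; a silently re-enabled anonymous module on the main application is the most common way a Basic or Windows deployment ends up serving the application without credentials.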

ii. Using an SSL certificate and HTTPS

Before using the application with SSL, administrators must ensure that:

The site SSL certificate is installed into IIS as normal.

Steps to deploy the Pyramid Application with an SSL certificate in IIS7:

1. Obtain and install the SSL certificate into IIS 7 as generally directed. Follow this by binding the certificate as normal to the website that is hosting the application.

2. Open a command prompt by clicking the start menu and typing “cmd” and hitting enter. Then navigate to C:\Windows\System32\Inetsrv\ by typing “cd C:\Windows\System32\Inetsrv\” on the command line.

3. Run the following command for each of the websites on the IP address that need to use the certificate

appcmd set site /site.name:"<IISSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

4. Replace <IISSiteName> with the name of the IIS site and <hostHeaderValue> with the host header for that site (e.g. site1.mydomain.com)

For IIS7, check that the host header (site URL) has been bound to the SSL certificate using the “APPCMD” command line facility (as described in the steps above).

The “IsHttps” flag in the site’s web.config file has been set to true. This option is set from the Installation Configuration Wizard.

However, it can be set manually as well:

1. Go to the web installation folder for “services” (typically c:\inetpub\wwwroot\pyramid analytics\paBio\) and open the

web.config file with Notepad.

2. Locate the string “<add key="IsHttps" value="false" />” and set its value to “true”.

3. Save the web.config file.

Offloaded SSL Processing

If you are using other devices to offload SSL processing from the IIS web server (like F5’s “SSL Acceleration”), then the IsHttps flag above should be set to false. Note that IIS then receives plain HTTP from the offloading device, so that hop must run over a trusted network segment.
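The appcmd binding and the manual web.config edit above can be done and checked in one place. The following PowerShell is an added example, not from the Pyramid guide: it binds an already installed certificate to the site's host header over HTTPS, sets IsHttps in paBIO\web.config, and leaves it false when an SSL offloader terminates TLS in front of IIS. The site name, host header, certificate thumbprint and web.config path are assumptions.

```powershell
# Added example (not from the Pyramid guide): add the https binding for the host header (the
# PowerShell equivalent of the appcmd command above), attach the certificate, and set IsHttps.
# Site name, host header, thumbprint and web.config path are assumptions.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'
$HostHeader   = 'pyramidBIO.mysite.com'
$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: thumbprint of the installed certificate
$WebConfig    = 'C:\inetpub\wwwroot\Pyramid Analytics\paBIO\web.config'
$OffloadedSsl = $false                                       # $true when an F5 or similar terminates TLS ahead of IIS

function Add-PyramidHttpsBinding {
    param([string]$Site, [string]$HostName, [string]$CertThumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $CertThumbprint
    if (-not $cert) { throw "certificate $CertThumbprint is not installed in LocalMachine\My" }
    if (-not (Get-WebBinding -Name $Site -Protocol https -HostHeader $HostName)) {
        New-WebBinding -Name $Site -Protocol https -Port 443 -HostHeader $HostName
    }
    # attach the certificate to the 0.0.0.0:443 endpoint the binding uses
    $ssl = 'IIS:\SslBindings\0.0.0.0!443'
    if (-not (Test-Path $ssl)) { $cert | New-Item $ssl | Out-Null }
}

function Set-IsHttpsFlag {
    param([string]$Path, [bool]$Enabled)
    [xml]$xml = Get-Content -Path $Path -Raw
    $node = $xml.configuration.appSettings.add | Where-Object key -eq 'IsHttps'
    if (-not $node) { throw "no <add key=""IsHttps""> entry in $Path" }
    $node.value = $Enabled.ToString().ToLower()     # the guide uses "true" / "false"
    $xml.Save($Path)
}

function Get-IsHttpsFlag {
    param([string]$Path)
    [xml]$xml = Get-Content -Path $Path -Raw
    ($xml.configuration.appSettings.add | Where-Object key -eq 'IsHttps').value
}

Add-PyramidHttpsBinding -Site $SiteName -HostName $HostHeader -CertThumbprint $Thumbprint
# IsHttps must be true only when IIS itself terminates TLS
Set-IsHttpsFlag -Path $WebConfig -Enabled (-not $OffloadedSsl)

# Check: the https binding for the host header exists and IsHttps matches where TLS ends
$binding = Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostHeader
"binding : $($binding.bindingInformation)"      # expected *:443:pyramidBIO.mysite.com
"IsHttps : $(Get-IsHttpsFlag -Path $WebConfig)"
```

If the http binding for the same host header is left in place, Basic and Forms credentials can still be sent in clear text by anyone who types the http URL; remove that binding or redirect it once the https binding is confirmed working.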


D. Web Authentication Models

The following briefly explains the different web authentication models available with the Pyramid Application.

i. Basic Authentication Models

The user is prompted to enter credentials when they browse to the Pyramid URL address. The credential prompt is supplied by Windows IIS and is checked against the local OS security database or Active Directory. The resulting security token can be used directly against cube data sources without any further translation. The user name and password are sent from the client browser to the server with every request, Base64-encoded but not encrypted (effectively clear text), so Basic Authentication deployments should always use an SSL certificate to encrypt the traffic across the network.

Basic Authentication works through firewalls and works on all browsers on both PCs and Macs. It is a mature, efficient and fast authentication method and is recommended for extranet deployments, provided SSL is in place.

ii. Windows Authentication Models

Windows Authentication provides a single sign-on model for users of PCs connecting to the Pyramid application. The user is NOT prompted when they browse to the Pyramid URL address; instead their workstation credentials are used to authenticate against the website. The authentication is handled by Windows IIS and checked against the local OS security database or Active Directory. The resulting security token can be used directly against cube data sources without any further translation.

Windows Authentication generally does NOT work through firewalls and works only in Internet Explorer and FireFox on PCs. Because of these limitations it is used in limited circumstances. It is a mature, efficient and fast authentication method and is recommended only for intranet deployments.

iii. Forms Authentication Models

The user is forwarded to a login page where they are prompted to enter credentials. The credential prompt is supplied by the application itself and is authenticated inside client-defined code. The authentication can be against any type of credentialing engine, including an Active Directory or a SQL Server data store. The resulting security token cannot be used directly against cube data sources and therefore usually requires some type of translation. The user name and password are posted from the client browser to the server in clear text, so Forms Authentication deployments should always use an SSL certificate to encrypt the traffic across the network.

Forms Authentication works through firewalls and works on all browsers on both PCs and Macs. Because it provides for customized authentication frameworks, it is often used when an Active Directory cannot be used directly (or at all).

Pyramid supports forms authentication in 2 modes: “Direct Forms” and “Federated Forms”

Direct Forms – if deployed, users are redirected to a Pyramid provided login page where users can enter their details. The

authentication is applied against the Active Directory itself.

Federated Forms – is an automated mechanism for clients to redirect users from an alternative login framework to the Pyramid

Suite. In doing so, clients provide the impersonated Windows account that will be used for the given user. Pyramid in turn

provides a framework for the end user to auto-login into its application, delivering a virtual single-sign-on facility. Use of federated

forms requires clients to add new code to their custom forms login process. The code provides a conduit for Pyramid to issue a

session based cookie with encrypted tokens that will allow the user’s browser session to use the application without further

prompt.

For more details on Federated Forms and its implementation, please contact Pyramid Support.


E. “Log-on-Locally” Impersonation Setup

If administrators wish to AVOID the complexities of Kerberos and SPNs, they can choose to deploy the application using Basic or Forms Authentication with “Log-on-Locally” rights. Before the local OS and/or Active Directory can be used for the application in these deployments, administrators MUST ensure that the server hosting the application grants the “Allow log on locally” right to all users who will access the system. This feature is used to ensure that the end-user’s authentication is passed directly to the cube server as intended. Grant the right to a dedicated group of application users rather than to Domain Users or Everyone, because the same right also permits interactive logon at the server console.

i. Local OS setup:

On the host server, go to Administrative Tools, Local Security Policy

In the pop-up, under Security Settings choose Local Policies, then User Rights Assignment

In the right hand panel, select “Allow Log on locally”

In the pop-up dialog, ensure that the appropriate users and/or user groups are in the listing of those users that can log on locally

ii. Active Directory setup:

On the Active Directory Domain Controller, go to Administrative Tools, Group Policy Management

In the pop-up, open up the forest node, then domains, and then the domain node.

o For existing GPO’s, right click and choose Edit

o For new GPO’s, first create a new GPO and link it to the OU that contains the web server’s computer account, then right click and choose Edit

Under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, choose User Rights Assignment

In the right hand panel, select “Allow Log on locally”

In the pop-up dialog, ensure that the appropriate users and/or user groups are in the listing of those users that can log on locally

o Ensure that the local Administrators group is ALSO added during this process


F. Kerberos Delegation Setup

Adapted from “Microsoft ProClarity and Kerberos Delegation” by Microsoft Product Support, 12-4-2008

i. Introduction

When the server side applications and/or SSAS are deployed on separate machines administrators must configure Kerberos delegation on

the Active Directory for user authentication to succeed. The Active Directory provides an option through Kerberos delegation to pass the

user’s credentials from the client, to the web server, and then to other servers and finally to SSAS. This process is referred to as Kerberos

delegation.

Kerberos authentication can produce critical issues when there is a multi-leg or “double-hop” between multiple servers. The double-hop

problem is an intentional security restriction to discourage Active Directory objects from acting on behalf of other security accounts.

In the Pyramid Application, a double-hop is created when there is one hop from the SilverLight client to the web server (IIS) and one or

more other hops from the web server to one or more application servers (or the cube data server).

Application

The following matrix outlines the possible deployment scenarios currently available with the Pyramid Application Suite and when Kerberos delegation is required.

Figure 2

From the above, it is clear that Kerberos delegation setup is only required in the multi-server deployment model, when users authenticate through Windows Authentication, or through Basic (or Forms) Authentication without log-on-locally rights, on IIS. It can also be used for single-server deployments.

All major client browsers are compatible with the application (“SilverLight”). However, only Internet Explorer and FireFox support Integrated

Windows Authentication on a PC. Other PC browsers and all Mac deployments require manual user logins even in Windows Authentication

mode. See client setups for more.

NOTE: Multi-Server includes the data/cube server. So the deployment is ‘multi-server’ if the cube server is on a separate machine,

irrespective of whether the entire Pyramid application is installed on a single machine or not.

ii. Other Documentation & Tools

Review the section “Infrastructure Requirements” in Microsoft’s Troubleshooting Kerberos Delegation

Review the following Microsoft document - How to configure SQL Server 2005 Analysis Services to use Kerberos authentication.

There are two common tools for editing SPN entries in Active Directory: AdsiEdit.msc and setSPN.exe.

Installed with the Pyramid Application is the Kerberos Tester. It can be found under

o the server’s default website “http://defaultwebsite/pyramid/admin/diagnostics.aspx” or

o the URL “http://pyramidBIO.mysite.com/admin/diagnostics.aspx“ where pyramidBIO.mysite.com is the host URL name

you provided during installation.

Figure 2 (deployment matrix, reconstructed from the flattened table):

Local Operating System, Single Machine
  Basic/Forms Authentication: Server = NA; Client = IE, FF, Safari, Chrome
  Windows Authentication:     Server = NA; Client = IE, FF, Safari, Chrome

Active Directory, Single Machine
  Basic/Forms Authentication: Server = NA; Client = IE, FF, Safari, Chrome
  Windows Authentication:     Server = NA; Client = IE, FF, Safari, Chrome

Active Directory, Multi Machine
  Basic/Forms Authentication: Server = Log-on-locally, or Kerberos + Delegation; Client = IE, FF, Safari, Chrome
  Windows Authentication:     Server = Kerberos + Delegation; Client = IE & FF only + Trusted Site


iii. Overview

The steps below outline how to solve the “double hop” problem of cross-server trust delegation, for the case of separate Pyramid and data cube servers.

iv. Prerequisites

Prior to these configuration steps, your environment should have the following prerequisites met. If any of these items are not configured,

delegation will not function correctly.

Check your Active Directory Forest and Domain functional levels. They should be set to Native or 2003/2008/2012.

o Windows 2008 or Windows Vista machines should have the Microsoft hotfix KB969083 applied to correct the Kerberos issues

with SQL Server SSAS 2005/2008/2012. This does not need to be applied to Windows 2008 R2 / 2012 or Windows 7/8.

Kerberos delegation can function between trusted forests and domains.

o The resource forest or domain must trust the user forest or domain.

For Windows Authentication deployments, the site hosting the application must be in the client’s TRUSTED SITE list inside the browser.

o Alternatively, administrators can add the site as a trusted site using GPO’s on the Active Directory for all users.

Note that SPNs must be registered by an account with permission to write them on the target computer or service account (typically a domain administrator).

v. Configuration Steps: Delegation and SPNs

Delegation on the Active Directory

All servers hosting parts of the application must be able to delegate, including the Web Servers and the servers hosting the router and application services. You can use Full or Constrained Delegation.

To set Full Delegation:

Open Active Directory “Users and Computers” from the Administrative Tools on the domain controller, open the properties of the server’s computer account and choose the “Delegation” tab (as per the figures below).

Select “Trust this computer for delegation to any service (Kerberos only)”. Note that this is unconstrained delegation: the server can then present any connected user’s identity to any service in the domain. Prefer constrained delegation (section G) wherever the service chain is known.

Figure 3 Delegation Panel (Win 2008)

Figure 4 Delegation Panel (Win 2003)


Setting Service Principal Names (SPNs)

Verify which account is running the IIS application pool which contains the application. It should be NETWORK SERVICE, in which case the SPNs belong to the machine account, and it is likely this account will already have SPN entries. From the command prompt type:

setspn -L MachineName

You will likely see SPN entries for this local service account in one of the following forms:

HOST/<MachineName>

HOST/<MachineName>.<domainName>

Adding an IIS SPN

When the site is running under the default web site (“localhost”) – no SPNs need to be added. However, if the site is running under a

different host header name / URL (for example “www.mycompany.com”), the configurator tool will add an SPN for this host header name /

URL. If this did not complete successfully, you should add the SPN using the following syntax:

setspn -s HTTP/MachineName MachineName

setspn -s HTTP/www.mycompany.com MachineName

Where the “MachineName” is the name of the hosting IIS server machine.

Duplicate SPNs break Kerberos Authentication. As such, once completed, run the following to ensure there are no duplicate SPN entries:

setspn -X

SPNs on Windows 2003

To use the “SetSPN” application on Windows 2003, you may need to download and install the Windows 2003 support tools first (Sp1 and

Sp2). Then browse to the support tools folder and run the setspn command application from there.

When using Windows 2003, swap the setspn commands from “setspn -s” to “setspn -a”, since the “-s” switch (which checks for duplicates before adding) is not available there.

SQL Server Analysis Services Configuration

SSAS should already have its SPNs preset as part of its own installation. This section allows administrators to ensure they are correct in the event of impersonation and connection issues.

Before starting, ensure that the end user(s) is a part of the SSAS role for viewing cube data.

Using a local computer account for the SSAS service

Check the SQL Server Analysis Services (MSSQLSERVER) service to find out what account is being used to start the service.

If your SSAS service is running under a local computer account, such as LocalSystem, it is likely this account will already have SPN entries.

MSOLAPSvc.3/MachineName MachineName

MSOLAPSvc.3/MachineName.Company.com MachineName

Adding SPNs for SSAS

If you do not see the correct SPNs, you can add them. If the SSAS service is using LocalSystem and not a domain user account, you must set

the computer account for the data server in Active Directory to be trusted for delegation.

setspn -s MSOLAPSvc.3/MachineName MachineName

setspn -s MSOLAPSvc.3/MachineName.Company.com MachineName

If the SSAS service is running under domain accounts register these SPNs.

setspn -s MSOLAPSvc.3/MachineName domainAccount

setspn -s MSOLAPSvc.3/MachineName.Company.com domainAccount

If you are using a named instance for SQL Server SSAS the following SPN formats apply with domain account or machine name as required.

setspn -s MSOLAPSvc.3/MachineName:instanceName domainAccount

setspn -s MSOLAPSvc.3/MachineName.Fully_Qualified_domainName:instanceName domainAccount

You may have to force or wait for replication of the information to other domain controllers in the network.
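The IIS SPN steps and the SSAS SPN steps above are the same operation on different accounts: query, add only if missing, then check for duplicates. The following PowerShell is an added example, not from the Pyramid guide, that wraps setspn.exe to do exactly that for both the web server and SSAS, using the output strings setspn prints (“Existing SPN found!” for -Q, “found 0 group of duplicate SPNs” for -X). The machine names, domain, service account and instance name are assumptions.

```powershell
# Added example (not from the Pyramid guide): register the HTTP SPNs for the IIS host and the
# MSOLAPSvc.3 SPNs for SSAS, skipping SPNs that already exist anywhere in the forest, then
# check for duplicates. Host names, domain, service account and instance name are assumptions.
$WebServer    = 'PYRWEB01'                # IIS machine; app pool runs as NETWORK SERVICE, so SPNs go on the machine account
$SiteHost     = 'pyramidBIO.mysite.com'   # host header users type into the browser
$SsasServer   = 'PYRCUBE01'
$Domain       = 'mysite.com'
$SsasAccount  = 'MYSITE\svc_ssas'         # domain service account; use $SsasServer instead if SSAS runs as LocalSystem
$SsasInstance = $null                     # e.g. 'TABULAR' for a named instance, $null for the default instance

function Test-Spn {
    param([string]$Spn)
    # setspn -Q searches the whole forest and prints "Existing SPN found!" when the SPN is registered
    $out = & setspn.exe -Q $Spn 2>&1
    return (($out -join "`n") -match 'Existing SPN found')
}

function Add-SpnIfMissing {
    param([string]$Spn, [string]$Account)
    if (Test-Spn -Spn $Spn) { Write-Host "exists: $Spn"; return }
    # -S refuses to add an SPN that already exists on another account (use -A on Windows 2003, as noted above)
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $Spn (exit code $LASTEXITCODE)" }
    Write-Host "added : $Spn -> $Account"
}

# IIS: only needed when the site is reached through a host header / URL other than the machine name
Add-SpnIfMissing -Spn "HTTP/$WebServer" -Account $WebServer
Add-SpnIfMissing -Spn "HTTP/$SiteHost"  -Account $WebServer

# SSAS: short and fully qualified names, with the instance suffix for a named instance
$suffix = if ($SsasInstance) { ":$SsasInstance" } else { '' }
Add-SpnIfMissing -Spn "MSOLAPSvc.3/$SsasServer$suffix"         -Account $SsasAccount
Add-SpnIfMissing -Spn "MSOLAPSvc.3/$SsasServer.$Domain$suffix" -Account $SsasAccount

# Duplicate SPNs break Kerberos authentication, so finish with a forest-wide duplicate check
$dupes = & setspn.exe -X 2>&1
if ($dupes -match 'found 0 group') { 'no duplicate SPNs' } else { Write-Warning 'duplicate SPNs found:'; $dupes }
```

Keep the account choice consistent with the service: an MSOLAPSvc.3 SPN registered on the machine account while SSAS actually runs as a domain account will make the KDC issue tickets the service cannot decrypt, which surfaces as a silent fall back to NTLM rather than an obvious error.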


vi. Client Configuration

User Accounts

User accounts in Active Directory should not need additional configuration by default. Verify that the “Account is sensitive and cannot be delegated” box is NOT checked in the account properties; if it is checked, delegation fails for that account and the user cannot reach the cube through the multi-server path.

Have the users log out and back in to their client machine after changing any properties and before running Kerberos delegation tests. This will clear cached Kerberos tickets. You may also use the Kerbtray utility (or “klist purge” on Windows 7 / 2008 R2 and later) to clear Kerberos tickets without logging out and back in.

Client Computers

All major client browsers are compatible with the application’s framework (“SilverLight”). However, only Internet Explorer and FireFox support Integrated Windows Authentication. All previously mentioned browsers support Basic Authentication with or without SSL certificates.

Enabling Integrated Windows Authentication in Internet Explorer 7.x, 8.x

From the client machine (browser) make sure Internet Explorer is set to use Integrated Authentication as shown below and that the web

site has been added to the list of TRUSTED SITES in the browser (or INTRANET sites for internal site addresses). This can also be enacted

through GPO’s on the Active Directory.

Have the end user log off and log on or use kerbtray.exe to clear cached security tickets.

Figure 5 Checking Client Browser Properties

Enabling Integrated Windows Authentication in FireFox

Launch FireFox and go to ‘about:config’ (figure below) . Add the URL of the web site to the following preferences:

network.automatic-ntlm-auth.trusted-uris

network.negotiate-auth.trusted-uris

network.negotiate-auth.delegation-uris

List only the Pyramid site’s URL in these preferences; delegation-uris in particular allows the listed sites to obtain forwardable tickets for the user.

Figure 6 FireFox Configuration


vii. Testing Your Configuration

Once you have completed these steps, ensure your SSAS security is set correctly, and test the delegation by attempting to access a data

view in Pyramid Application. Do not test from the web server, application server or data server as this would only be a single hop test.

If you see an error in the client, please continue reading the following troubleshooting section.

viii. Troubleshooting

Confirm a Kerberos Delegation Issue

It is important to first be sure that Kerberos delegation failure is indeed the cause of the error you are receiving in the client. Many of the other possible causes of this error can be eliminated from consideration using the following steps:

1. Restart all machines involved in the Kerberos Delegation setup. This will force services to be restarted, which is required after SPN

changes, and Kerberos ticket caches to be cleared.

2. Attempt to access the client by using a browser on the web server itself. This will eliminate one of the credential hops and you should

be able to login. If you cannot see data, Kerberos delegation may not be the issue.

3. Check the Event Viewer Security logs on the web and data servers. The logs will report successes and failures and can identify if

Kerberos or NTLM is being used.

a. Looking at the audit logs in the Pyramid database will also highlight what type of authentication the user was using in

trying to log into the application.

4. Check to be sure cube security is set correctly and the test user is a member of a role that has access to the cube. It is recommended

that you temporarily grant your test user membership to the server Administrator role to help eliminate cube security as a cause of

any connection problems.

5. Check that the web server can communicate with the data server and that firewall ports are open. It is recommended that you

temporarily disable firewalls to help eliminate them as possible causes of any connection problems. If there are firewalls between the

client, web server and data server, be sure that they have the correct ports open.
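Step 3 above, reading the Security log to see whether Kerberos or NTLM was used, is the quickest way to confirm a delegation problem. The following PowerShell is an added example, not from the Pyramid guide: run on the web server or the data server, it pulls recent logon events (ID 4624) and reports the authentication package and logon type per event for the test user. The user name and look-back window are assumptions, and the script must run elevated to read the Security log.

```powershell
# Added example (not from the Pyramid guide): summarise Security-log logon events (ID 4624) by
# authentication package, so you can tell whether the test user's network logons arrive via
# Kerberos or fall back to NTLM. User name and look-back window are assumptions; run elevated.
function Get-LogonPackageReport {
    param([string]$User, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # pull the named EventData fields out of the event XML
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($User -and $d.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = [int]$d.LogonType               # 3 = network (what IIS and SSAS produce), 2 = interactive
            Package   = $d.AuthenticationPackageName    # 'Kerberos', 'NTLM' or 'Negotiate'
            LmPackage = $d.LmPackageName                # 'NTLM V1' / 'NTLM V2' when NTLM was negotiated, '-' otherwise
            Source    = $d.IpAddress
        }
    }
}

# Kerberos is in use only when the network logons show Package = Kerberos and LmPackage = '-'
$report = Get-LogonPackageReport -User 'jdoe' -Hours 2
$report | Where-Object LogonType -eq 3 | Group-Object Package, LmPackage | Select-Object Count, Name
if (-not ($report | Where-Object { $_.LogonType -eq 3 -and $_.Package -eq 'Kerberos' })) {
    Write-Warning 'no Kerberos network logon for the test user: check SPNs and delegation before anything else'
}
```

Run it on the web server first (the client-to-IIS hop) and then on the data server (the IIS-to-SSAS hop). NTLM on the first hop points at the browser configuration or a missing HTTP SPN; Kerberos on the first hop but NTLM or nothing on the second points at the delegation settings or the MSOLAPSvc.3 SPNs.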

Troubleshooting Kerberos authentication to SSAS service:

If you're confident that the problem appears only when attempting to use Kerberos delegation, there are a few things to confirm:

1. Review the setup steps above to be sure your SPN entries are correct and that the data server, web server and client machines have

been properly configured for delegation.

2. You can check your SPNs and test for duplicates using a tool called DHCheck.

3. You can use the “Kerberos Delegation Tester” on the installed website, found at:

a. the server’s default website “http://defaultwebsite/pyramid/admin/diagnostics.aspx” or

b. the URL “http://pyramidBIO.mysite.com/admin/diagnostics.aspx“ where pyramidBIO.mysite.com is the host URL name

you provided during installation.

4. Use the MDX Sample Application from Analysis Services 2000 on the web server to test a Kerberos connection to Analysis Services. If

the tool connects successfully when forced to use Kerberos, then you likely have configured SPN entries for the SSAS service correctly.

To test a Kerberos connection, modify the “Provider” field when connecting to a server, as shown in this example:


Figure 7 Testing Kerberos with the MDX Sample Application

5. Review the section “Diagnosing delegation Problems: Four Checklists” in Microsoft’s Troubleshooting Kerberos Errors: http://download.microsoft.com/download/1/e/e/1ee86ce4-8234-4aa1-94f4-a37039837729/Troubleshooting_Kerberos_Delegation.DOC

Troubleshooting Kerberos on the web server:

Once you have confirmed that you are able to authenticate to the SSAS service using Kerberos, test the application again from a client machine. If you continue to have login issues, there may be some additional configuration steps necessary on the web server.

IIS 7.x on Windows 7/8 or Windows 2008/2012 Server

The following steps can be set directly in the IIS 7.x console found in the Administrative Tools on the server. You will need to install the

administrative tools for IIS7.x (which can be downloaded from the web or found under the tools menu on the Pyramid install CD)

Open up the IIS 7.x console and select the website from the tree on the left. Click on Configuration Editor.

Figure 8


In the panel, click on Windows Authentication. Then click on Providers and click on the ellipsis at the far right of the screen.

Figure 9

Figure 10

Providers: Make sure there are 2 providers listed - Negotiate and NTLM

Figure 11

Advanced settings: In the authentication panel, make sure Extended Protection is set to "Off" in the drop-down and that "Enable kernel-mode authentication" is checked. Note that leaving Extended Protection off removes channel binding, IIS’s defence against relaying Windows authentication through a man-in-the-middle; review the setting again once delegation is working.

Figure 12


IIS 6 on Windows 2003 Server

An IIS metabase entry specifying the authentication headers available for the web site needs to be checked to ensure Kerberos is the

default security protocol option. You may check this with any IIS metabase browser, or from the IIS metabase xml file directly. Metabase

Explorer from the IIS 6 Resource Kit may be the easiest to use.

For the IIS service where the PAS virtual directory is located (in this case the default website) be sure the NTAuthenticationProviders

property is set to “Negotiate,NTLM” click apply, and reset IIS.

Figure 13 Web Service Properties via Metabase Explorer

The Negotiate authentication header will use Kerberos in most cases (for exceptions please refer to the following article: http://support.microsoft.com/kb/215383). Therefore, if the website hosting PAS is configured to utilize the Negotiate header (as specified above), the authentication protocol will generally be Kerberos without the need for further configuration. However, if everything appears to be in place but PAS will not authenticate to Analysis Services, it may be necessary to force the authentication protocol to Kerberos on the OLE DB connection string. Note that “PAS” and the registry path below are carried over from the ProClarity source document cited at the start of this section; they refer to ProClarity Analytics Server, not to the Pyramid application. This can be done by following these steps:

Add a registry key called “Properties” to the existing Microsoft ProClarity Server registry key - the final path with look like this:

HKLM\SOFTWARE\Microsoft ProClarity Corporation\Server\Properties

Add a new string value -create a new string value by right clicking on the new Properties key and selecting New String value -

the string value will be "SSPI" without the quotes -the value will be "Kerberos" without the quotes.

Reset IIS


Other Troubleshooting Tips

1. You may also turn on verbose logging to capture security traffic on your web server and data server.

http://support.microsoft.com/kb/262177

Figure 14 Log Level Setting in the Registry

If you are using Constrained Delegation, temporarily disable the constraint and retest; restore the constraint as soon as the test is done.

2. Are you using a split domain where machines can resolve with two different FQDNs? For example, when you ping the same server

from two different machines and it returns different FQDNs – such as MyDataServer.Company.com as well as

MyDataServer.AD.Company.com? If so, this may defeat the SPNs needed for Kerberos delegation. Please see your network

administrators and verify that the DNS names being requested by the browser to the web server match the SPNs on the server. Also

be sure that the DNS names requested by the web server to the data server match the SPNs registered on the data server.

3. Troubleshooting with Network Monitor or Wireshark: see the article “Two easy ways to pick Kerberos from NTLM in an HTTP capture”.

4. Analysis Services should be installed, preferably from a fresh install that has not been imaged. It is also preferable that you use a

machine that has not been renamed.


G. Constrained Delegation:

i. Constrained Vs. Full: Overview

When you set a server to allow full (unconstrained) delegation, any Kerberos ticket it holds for a user can be used to reach any other service from that server. Constrained delegation is more secure because you define exactly which service on which machine the server is allowed to delegate to.

ii. Pyramid Multi Servers Architecture

Basically the flow is: Client -> IIS -> Pyramid Router -> Pyramid Application server -> SSAS

The rule of thumb is that every machine should trust the machine\service that follows it in the queue. For example the router machine

should trust both app server SPNs (machines PyramidApp1 and PyramidApp2 above).


iii. Configurations from Domain Controller

1. From Active Directory Users and Computers, right click on the server you wish to configure and choose Properties. Go to the Delegation tab:

Select the third option, ‘Trust this computer for delegation to specified services only’, and ‘Use Kerberos only’.

2. Press the Add button (in the dialog press the Users or Computers button)

Select the servers you wish to trust (e.g. the application servers).


3. In the Add Service dialog you’ll see all the available SPNs (services). Select the SPN you gave to this machine (in our case the

service type is HOST and the User or computer would be PyramidSrv or srv1).

We need to do that for each machine in the flow, again using the rule of thumb: each machine should trust the service in the

machine that follows.

iv. Summary

The web server should trust the HOST/<routerSPN> on the router machine.

The router server should trust All the HOST/<appSPN> (for each server machine).

Each application server should trust the MSOLAPSvc.3 service on the SSAS machine
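The summary above is a per-machine list of “next hop” SPNs, which is exactly what the msDS-AllowedToDelegateTo attribute holds. The following PowerShell is an added example, not from the Pyramid guide, that applies the whole chain with the ActiveDirectory module: each computer account is set to “specified services only” with “Kerberos only” (unconstrained delegation and protocol transition both off) and its allowed-target list is replaced with the SPNs of the service that follows it, then the result is printed for review. Machine names, the domain and the presence of two application servers are assumptions.

```powershell
# Added example (not from the Pyramid guide): configure constrained delegation ("Kerberos only")
# for each hop of Client -> IIS -> Router -> Application servers -> SSAS, then verify.
# Machine names and the domain are assumptions.
Import-Module ActiveDirectory

$Domain = 'mysite.com'
$Chain = @(
    @{ From = 'PYRWEB01';    To = @("HOST/PYRROUTER01", "HOST/PYRROUTER01.$Domain") }
    @{ From = 'PYRROUTER01'; To = @("HOST/PYRAPP01", "HOST/PYRAPP01.$Domain",
                                    "HOST/PYRAPP02", "HOST/PYRAPP02.$Domain") }
    @{ From = 'PYRAPP01';    To = @("MSOLAPSvc.3/PYRCUBE01", "MSOLAPSvc.3/PYRCUBE01.$Domain") }
    @{ From = 'PYRAPP02';    To = @("MSOLAPSvc.3/PYRCUBE01", "MSOLAPSvc.3/PYRCUBE01.$Domain") }
)

function Set-ConstrainedDelegation {
    param([string]$Computer, [string[]]$TargetSpns)
    $acct = Get-ADComputer -Identity $Computer
    # "Trust this computer for delegation to specified services only" + "Use Kerberos only":
    #   TrustedForDelegation       off  (on = unconstrained, "any service")
    #   TrustedToAuthForDelegation off  (on = "use any authentication protocol", i.e. protocol transition)
    Set-ADAccountControl -Identity $acct -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    # replace the allowed-target list with exactly the next hop's SPNs (no leftovers from earlier tests)
    Set-ADComputer -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
}

foreach ($hop in $Chain) { Set-ConstrainedDelegation -Computer $hop.From -TargetSpns $hop.To }

# Verify: every machine lists only its next hop, and none is unconstrained
foreach ($hop in $Chain) {
    $c = Get-ADComputer -Identity $hop.From -Properties msDS-AllowedToDelegateTo, TrustedForDelegation
    [pscustomobject]@{
        Computer      = $c.Name
        Unconstrained = $c.TrustedForDelegation                      # expected False
        AllowedTo     = ($c.'msDS-AllowedToDelegateTo' -join ', ')   # expected: the SPNs in $Chain for this hop
    }
}
```

The SSAS target SPNs are the same strings whether SSAS runs as LocalSystem or as a domain account; what changes is which account the MSOLAPSvc.3 SPNs were registered on in section F, and the “Add Services” dialog in the guide simply lets you pick them from that account.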


H. Windows 8 & Windows Server 2012

Installing the application on servers running either Windows 8 or Windows Server 2012 may require that certain features be installed that are not installed by default (unlike previous versions of the Windows operating system).

Most notably, the WCF Services need to be explicitly installed (see the images below).

Figure 15 Windows 8

Figure 16 Windows Server 2012


I. Performance Load Balancing Options

The following settings can be activated to turn the performance-based load balancing options on. These options are only available with the Enterprise License. To make changes, administrators need to locate the configuration file for the router application. Typically, this can be found at C:\Program Files\Pyramid Analytics\BI Office 4.0\Pyramid.Server.Router.exe.config. Values can be found under the “appSettings” section in the config file.

Performance Routing

<add key="PerformanceRouting" value="false"/>

When set to true, the Router Service prioritizes all registered Pyramid Application Services and diverts requests from clients to the highest performing server as measured at that time. Priority is calculated according to the CPU usage levels and available memory on the targeted machine.

Server Check Interval

<add key="ServersCheckInterval" value="5000"/>

This value marks the amount of time (in milliseconds) to wait between checking registered Pyramid Application Services and their host servers for performance values. In the process of checking an Application Service, the Router can start or restart an unresponsive Application Service. NOTE: If the Application Service has been stopped from the administrative console, it will not be restarted. However, if the service has been stopped from the server, the Router will attempt to restart it.