Professional Documents
Culture Documents
A Guide for security and deployment options in a distributed Dell PowerEdge multi-core Opteron based server environment
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
TableofContents
1 Overview....................................................................................................................................6
1.1 Objectives ............................................................................................................................................. . 6 1.2 Audience ..........................................................................................................................................7 .
HardwareandSoftwareConfigurationforTestEnvironments.............................................8
2.1 2.2 2.3 Hardware.......................................................................................................................................... 8 Software............................................................................................................................................ 9 HighAvailabilityDeployment......................................................................................................10
DeploymentOptionsSecurityConsiderations.....................................................................11
3.1 3.2 3.3 3.3.1 3.3.2 3.3.3 3.4 3.4.1 3.4.2 3.4.3 3.4.4 SingleServerDeployment..............................................................................................................11 MultiServerDeployment.............................................................................................................. 3 . 1 DelegatingCredentials.................................................................................................................. 0 2 BasicAuthentication................................................................................................................. 0 2 ExplicitlySpecifyingCredentials.............................................................................................. 0 2 KerberosDelegation................................................................................................................... 1 2 WhyKerberos?...............................................................................................................................22 FasterAuthentication ...............................................................................................................22 . MutualAuthentication.............................................................................................................23 . SupportforDelegation..............................................................................................................23 SupportfortheSmartCardLogonFeature.............................................................................23
InstallMicrosoftBusinessIntelligenceTechnologyPlatform .............................................24 .
4.1 4.2 4.2.1 4.2.2 4.2.3 4.2.4 4.2.5 4.3 4.3.1 4.3.2 4.3.3 4.3.4 DomainControllerPreparation....................................................................................................24 InstallSQLServer2005DatabaseEngineandIntegrationServices .......................................... 6 . 2 ServerDetails............................................................................................................................. 6 2 RequirementsandPrerequisites .............................................................................................. 6 . 2 SecurityConsiderations............................................................................................................ 8 2 SQLServerSetup....................................................................................................................... 8 2 DataandLogFilesChangeDefaultPath..............................................................................32 InstallSQLServer2005AnalysisServices....................................................................................34 ServerDetails.............................................................................................................................34 SQLServerAnalysisServicesRequirementsandPrerequisites .............................................34 . SecurityConsiderations............................................................................................................35 SQLServerAnalysisServicesSetup .........................................................................................36 .
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentOverview
4.3.5 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.5 4.5.1 4.5.2 4.5.3 4.5.4 4.6 4.6.1 4.6.2 4.6.3 4.6.4 4.7 4.7.1 4.7.2 4.7.3 4.8 4.8.1 4.8.2 4.8.3 4.8.4
InstallMicrosoftOfficeSharePointServer2007andExcelServices.........................................64 ServerDetails............................................................................................................................64 MOSSRequirementsandPrerequisites..................................................................................64 SecurityConsiderations............................................................................................................ 5 6 MOSSSetup............................................................................................................................... 5 6 InstallPerformancePointMonitoringServer...............................................................................81 ServerDetails.............................................................................................................................81 MonitoringServerRequirementsandPrerequisites...............................................................81 SecurityConsiderations............................................................................................................ 2 8 MonitoringServerSetup........................................................................................................... 2 8
KerberosDelegation:SetupandConfiguration.....................................................................95
5.1 5.1.1 5.1.2 5.1.3 5.2 5.2.1 5.2.2 5.3 ActiveDirectorySettingsandConfigurations............................................................................. 5 9 DomainFunctionalLevel.......................................................................................................... 5 9 ServiceAccountSettings..........................................................................................................96 ServerComputerSettings.......................................................................................................108 BackendServerSettings...............................................................................................................116 SQLServerConfigurations......................................................................................................116 AnalysisServicesConfigurations.............................................................................................117 WebApplicationSettings ............................................................................................................117 .
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
UserAccessandSecurityConfigurations..............................................................................131
6.1 6.2 6.3 6.3.1 6.4 6.4.1 6.5 6.5.1 6.6 6.6.1 SQLServer2005DatabaseEngine...............................................................................................131 SQLServer2005AnalysisServices..............................................................................................133 . SQLServer2005ReportingServices............................................................................................ 38 1 UserPermissions...................................................................................................................... 39 1 MicrosoftOfficePerformancePointServer2007.......................................................................144 UserPermissions...................................................................................................................... 45 1 MicrosoftOfficeSharePointServer2007....................................................................................153 UserPermissions......................................................................................................................153 ProClarityAnalyticsServer..........................................................................................................157 UserPermissions......................................................................................................................157
Troubleshooting.....................................................................................................................164
7.1 7.2 7.3 7.4 SQLServerReportingServices ...................................................................................................164 . MicrosoftOfficeSharePointServer2007...................................................................................165 PerformancePointServer2007 ...................................................................................................165 . ProClarityAnalyticsServer.........................................................................................................166
Appendix.................................................................................................................................167
8.1 8.2 8.3 8.3.1 8.4 8.4.1 8.4.2 8.5 8.5.1 8.5.2 8.6 8.6.1 AppendixA...................................................................................................................................167 AppendixB...................................................................................................................................168 AppendixC...................................................................................................................................169 Running32bitApplicationson64bitWindows(IIS6.0)...................................................169 AppendixD..................................................................................................................................170 ServiceAccounts .....................................................................................................................170 . ApplicationPools .....................................................................................................................171 .
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentOverview
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
1 Overview
BusinessIntelligencesolutionsarebecominganintegralpartofeveryenterprise. Thesesolutionshavegrownasnewhardwareandsoftwaretechnologieshave loweredcostandsimplifiedimplementation.Microsofthasdevelopedauniqueset oftoolsandprocessestomeetthedemandsforthistypeofinformation management.Inaddition,companieslikeDellandAMDprovideReference Configurationstoassistcustomersindeployinganoptimalhardwareinfrastructure tosupportthesesolutions. TheseBusinessIntelligencetoolsarenormallydeployedinadistributed environmenttoscaleuptothegrowingneedsofthesolution.Thisaddstothe complexityofthesystemsuserauthenticationandsecurity. Oneofthesecuritychallengesfacedtodaybyalotofcustomersinamultiserver environmentisthedoublehopordelegationscenario.AWebfrontendorWeb serviceisnotabletodelegateorpasstheclientuserscredentialstoauthenticate andaccessaresourceonadifferentserver. Inthisdocumentweshalldescribethestepstoinstallandconfigurethevarious applicationsintheMicrosoftBusinessIntelligenceTechnologyPlatformina distributedenvironmentfollowedbysettingupKerberosConstrainedDelegation.
1.1 Objectives
Thisdocumentcoverstheinstallationandconfigurationofthefollowingcomponentsof theMicrosoftBusinessIntelligenceTechnologyPlatforminamultiserverenvironment. MicrosoftSQLServer2005: a. SQLServer2005DatabaseEngine b. SQLServer2005IntegrationServices c. SQLServer2005AnalysisServices d. SQLServer2005ReportingServices 2. MicrosoftOfficeSharePointServer2007 3. MicrosoftOfficePerformancePointServer2007MonitoringServer 4. MicrosoftProClarityAnalyticsServer
Note: PerformancePointServer2007PlanningandBudgetingcomponentwillnotbecoveredinthis document.
1.
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentOverview
1.2 Audience
Thisdocumentprovidesthenecessaryinformationandstepstoplananddeploya MicrosoftBusinessIntelligencePlatforminamultiserverenvironment.Deployingthe variousMicrosoftBIcomponentsinadistributedenvironmentrequiressomeadditional planningandsecurityconsiderationswhencomparedtoasinglemachinestandalone installation. Thisdocumentprovidesguidanceonhowtoinstallandconfigurethevariousindividual componentsandsetuptheenvironmentwithKerberosConstrainedDelegation. Whoshouldreadthisdocument? ArchitectswhoareplanningamultiserverdeploymentoftheMicrosoft BusinessIntelligenceTechnologyPlatform. InfrastructurePersonnelwhoareresponsibleforsettingupthehardware. NetworkAdministratorswhomanagetheActiveDirectorydirectoryservices, userroles,andpermissions. ServerandDatabaseAdministratorswhoareresponsibleforinstallation, configuration,andmaintenanceoftheindividualcomponents.
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
2 HardwareandSoftwareConfigurationfor TestEnvironments
Inthissectionweshalldiscussthehardware,software,andtheinitialconfiguration requiredforaBusinessIntelligence(BI)solutionusingDELLServersforourtest environment.
2.1 Hardware
Regardlessofthemethodofbuildingandreportingonadatawarehouse,theamount andtypeofhardwareisextremelyimportant.Adatawarehouseistypicallyverylarge, oftenexceedingmultiterabytes.BIcanbeveryCPU,memory,andI/Ointensiveona databasesystem.Inaddition,thelargerthedatawarehouse,themoreimportantitisto properlysizeandconfigureit.Notonlyisitimportanttoproperlysizethedatabase server,butthereportingandanalysisserversaswell.Asaresult,theseapplicationscan beveryhardwareintensive. DellPowerEdgeserversaredesignedtodeliverthehighestperformanceformission criticalenterpriseapplicationsfordatabase,businessintelligence,anddata warehousing.Todaysproprietarysystemsareincreasinglyexpensivetomaintainboth inmanpowerandmaintenancecosts.EffortstoreduceITcostsandleveragetechnical skillsetshavepushedtheindustrytomovetoastandardsbasedhardwareandsoftware architecture.CustomerslookingforeaseofimplementationchoosetodeployDell PowerEdgeserversbecausetheyarestandardsbasedsystemswhichareeasytomanage, simpletodeployandupgrade,andscalableastheenterprisemovestoconsolidateand virtualizecomputingresources. ThefollowingtableliststheDELLhardwareusedinthetestenvironment: ServerName MSDELLSQL ServerConfiguration DellPowerEdge6950 4xdualcoreAMDOpteron CPUs 64GBRAM 4x73GB15KSASInternal Disks DellPowerEdge6950 4xdualcoreAMDOpteron CPUs 64GBRAM DiskConfiguration FiveexternalSASDisk Controllers FiveDell PowerVaultMD1000 StorageArrays 75x73GB10KSAS Drives FiveexternalSASDisk Controllers FiveDellPowerVault MD1000StorageArrays 75x73GB10KSAS
MSDELLAS
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentHardwareandSoftwareConfigurationforTestEnvironments
ServerName
DiskConfiguration Drives
MSDELLWEBSRV1
MSDELLWEBSRV2
Note: ForadditionalinformationonSANConfigurationpleaserefertoAppendixE
2.2 Software
Thefollowingtableliststhesoftwareforeachoftheservers. ServerName MSDELLSQL PrerequisiteSoftware MicrosoftWindowsServer 2003Enterprisex64Edition R2SP2 WindowsServer2003 Enterprisex64EditionR2SP2 WindowsServer2003 Enterprisex64EditionR2SP2 InternetInformationServices (IIS6.0) Applicationtobe installed SQLServer2005 EnterpriseEditionx64 SP2(DatabaseEngine, IntegrationServices) SQLServer2005 EnterpriseEditionx64 SP2(AnalysisServices) SQLServer2005 EnterpriseEditionx64 SP2(Reporting Services) PerformancePoint Server2007Monitoring Serverx64 SharePointServer2007 x64SP1
MSDELLAS
MSDELLWEBSRV1
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
ServerName MSDELLWEBSRV2
2.3 HighAvailabilityDeployment
SQLServer2005DatabaseEngineandAnalysisServicesareclusterawareapplications andcanbedeployedinafailoverclustertoensurehighavailability. WebapplicationslikeReportingServices,SharePoint,andProClarityAnalyticsServer canbeusedinanetworkloadbalancedmodeinascaleoutdeploymenttoensure betterperformanceandscalability. ImplementingKerberosDelegationforafailoverinstanceofSQLServerandAnalysis ServicesandnetworkloadbalancedinstancesofWebapplicationsinvolvesafew additionalstepsandisnotcoveredinthisdocument.
10
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
3 DeploymentOptionsSecurity Considerations
AllthecomponentsoftheMicrosoftBITechnologyPlatformcanbeinstalledonone serveroracrossmultipleservers.Basedonvariousfactorslikeserverconsolidation, performancerequirements,andsecurity,organizationsmightchoosevarious deploymentoptions. Inthissectionweshalldiscusstwodifferentdeploymentoptionsandtherelated securityconsiderations.
3.1 SingleServerDeployment
InasingleserverdeploymentalltheSQLServercomponentsMOSS,PerformancePoint, andProClarityAnalyticsServerresideonthesameserver.Inotherwords,theWebserver andtheresourcesrequiredbytheWebapplicationareonthelocalmachine. Insuchascenario,whenaclienttriestobrowseaWebapplicationlikeaSharePointsiteor ReportingServicespage,IISAuthenticatestheclientuserwithActiveDirectorydirectory serviceandpassesanauthenticationtokentoASP.Net.ThentheWebapplicationhasto accessotherresourceslikeSQLServerorAnalysisServiceswhicharelocatedonthesame machine.
Figure1. SingleServerImpersonationnotenabled
11
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
12
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
Figure3. APerformancePointdashboardonasingleserverdeployment
3.2 MultiServerDeployment
Inadistributedenvironment,theWebserversandtheresourcesrequiredbytheWeb applicationareondifferentmachines.EnablingImpersonationontheWebapplicationis notsufficienttopasstheusercredentialsacrossthenetwork.Impersonationacrossa networkorDelegationoftheusercredentialsfromtheWebapplicationstotheremote resourcesrequiresadditionalsettings.
13
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
14
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
Figure5. PerformancePointdashboardshowingerrormessage
15
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
16
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
17
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
18
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
19
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
3.3 DelegatingCredentials
Thereismorethanonewayyoucanbypassthedelegationscenario.Someapproaches aremoresecurethanothers.Basedontheapplicationssecurityrequirementsyoucan evaluateandchooseeitheroftheseoptions. InsomeenvironmentsitisnotrequiredthattheWebapplicationsaccesstheremote resourceslikedatabasesandfilesharesbydelegatingthecredentialsoftheenduser. ThedatatheWebapplicationaccessesfromremotesourcesmightnotbetiedtoausers credentialsormightnotbeimportantenoughtosecure.InsomecasestheWeb applicationalonecontrolsthesecurityofthesystem.
3.3.1
BasicAuthentication
3.3.2
ExplicitlySpecifyingCredentials
20
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
Figure10. MultiServerExplicitlySpecifyCredentials Inthismethodofauthentication,theenduserisnotvalidatedbySQLServer.Hencethe developerneedstoimplementsecurityandaccessrightsintheapplication. Ifthecredentialsusedtoaccessthedatasourcechange,alltheconnectionstrings wheretheuserIDandpasswordwereusedwillhavetobeupdatedwiththenew password.Insomecases,thecredentialsthatarestoredintheconnectionstringare storedinplaintext.Measureshavetobetakentoencryptthatpieceofinformation. Additionally,keyfunctionalitieslikerolebaseddatasecurityinAnalysisServiceswill notbeuseddirectly.ItwillhavetobeimplementedusingfunctionslikeCustomData() intheconnectionstring.
3.3.3
KerberosDelegation
21
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure11. MultiServerWithKerberosDelegation
3.4 WhyKerberos?
Kerberoshasmanybenefitsoverbasicauthenticationandexplicitlyspecifying credentials.InthissectionweshallbrieflydiscussafewofthesecuritybenefitsKerberos offers.
3.4.1
FasterAuthentication
TheKerberosprotocolusesauniqueticketingsystemthatprovides fasterauthentication. Everyauthenticateddomainentitycanrequestticketsfromitslocal KerberosKDCtoaccessotherdomainresources. Theticketcanbeusedmorethanonceandcanbecachedontheclient side.
22
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentDeploymentOptionsSecurityConsiderations
3.4.2
MutualAuthentication
3.4.3
SupportforDelegation
InadistributedenvironmentKerberosenablesservicestoimpersonatetheclientusers credentialswhileaccessingresourcesacrossmultipleserverhopsonthenetwork.
3.4.4
SupportfortheSmartCardLogonFeature
23
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4 InstallMicrosoftBusinessIntelligence TechnologyPlatform
SQLServer2005providesmultiplecomponentsthatareusedinaBusinessIntelligence solutionincludingrelationaldatabase,ETLcomponent,OLAPdatabases,reporting, analyticsandmanagementtools.AdditionaltoolslikeOfficePerformancePointServer 2007andOfficeSharePointServerareusedforadvancedanalytics,performance managementincludingdashboards,planningbudgeting,forecastingandconsolidation. Inthissectionwewillwalkthroughinstallationandconfigurationofthevarious MicrosofttechnologiesforBusinessIntelligenceinadistributedenvironment.
4.1 DomainControllerPreparation
Forthepurposeofdemonstratingthedelegationscenariousingthehardware mentionedintheTestEnvironment,theDomainControllerwascreatedonavirtual machinehostedonMSDELLWEBSRV2.AlltheserverswerethenjoinedtotheDomain Controller.
Important: Whenyouareimplementingthissolutioninyourenvironmentyoushouldusetheexisting ActiveDirectoryinstanceinyourenterprise . Note: Addingaccountsandperformingnecessaryconfigurationsonadomaincontrollerneedtobe donebyaNetworkAdministratorwhomanagesthedomaincontroller. Theremightbesecuritypoliciesthatareenforcedwhichhavetobetakenintoconsideration whileperformingtheseconfigurations.
24
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
1.
DomainFunctionalLevel:ToshowcasetheimplementationofKerberos ConstrainedDelegation,wewillconsideranActiveDirectorysettoWindows2003 DomainFunctionalLevel.RefertoFunctionalLevelsBackgroundInformationin AppendixAformoreinformation.Jointheserverstothedomainiftheyhavenot alreadybeenadded. 2. AdministrativePrivilegesAccount:MSDELLBI\DomainAdmin.Thisaccountis usedinthetestenvironmenttoresembleanaccountthathasadministrative privilegesontheDomainControllerandalltheotherserversbeingusedinthetest environment.Alltheapplicationinstallations,configurationsandKerberos ConstrainedDelegationconfigurationswillbedonebythisuser. Toinstallandconfiguretheapplicationsinyourenvironment,youcanuseasingle accountthathasadministrativeprivilegesonalltheserversormultipledifferent accountsthathaveadministrativeprivilegesonindividualservers. 3. ServiceStartupandApplicationPoolIdentityAccounts:Createthefollowing domainuseraccountswhichwouldserveasservicestartupaccountsforWindows servicesandapplicationpoolidentityaccountsforWebservices. a. MSDELLBI\SQLServiceAccount:ThisaccountwillbeusedrunSQLServer Windowsservice.TheServicePrincipalNameforSQLServerwillbecreated usingthisaccount. b. MSDELLBI\ASServiceAccount:ThisaccountwillbeusedrunAnalysis ServicesWindowsservice.TheServicePrincipalNameforAnalysisServices willbecreatedusingthisaccount. c. MSDELLBI\WebServiceAccount:Thisaccountwillbeusedastheservice startupaccountandastheidentityaccountfortheapplicationpoolsusedby thevariousWebservicesdeployedonMSDELLWEBSRV1. Note:
Whenyoucreatetheuseraccounts(whicharetobeusedasservicestartup accountsorapplicationpoolidentityaccounts),ensurethattheydonot haveanyadministrativeprivilegesonanyoftheserversorActiveDirectory. Duringthecourseofinstallationandconfigurationwhenyouspecifythese accountstobeusedbytheapplication,theapplicationsetupor configurationutilitywillprovidetheseaccountswiththenecessary privilegesonlocalserverresourceslikefilesystempermissionsforrelevant foldersandspecificgroupmemberships.
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.2.2
RequirementsandPrerequisites
4.2.2.1
OperatingSystemRequirements
ThefollowingtableshowstheoperatingsystemandSQLServerversioncompatibility matrix. SQLServer OperatingSystem WindowsServer2003 ServerSP1 WindowsServer2003 EnterpriseEditionSP1 WindowsServer2003 DatacenterEditionSP1 WindowsServer200364Bit x64StandardEditionSP1 WindowsServer200364Bit x64DatacenterEditionSP1 WindowsServer200364Bit Enterprise Developer Standard Edition Edition Edition (X86) (X64) (X86) (X64) (X86) (X64) Yes No Yes No Yes No Yes Yes No No Yes Yes No No Yes Yes No No
26
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
SQLServer x64EnterpriseEditionSP1
1
Enterprise Edition
Developer Edition
Standard Edition
:TheseeditionsofSQLServer2005canbeinstalledtotheWindowsonWindows (WOW64)32bitsubsystemofa64bitserver.
4.2.2.2
SoftwareRequirements
Ifnotalreadyinstalled,SQLServerSetupinstallseachofthesecomponentsseparately. OnlytheSQLServerSetupsupportfilesareautomaticallyremovedwhenyouuninstall SQLServer2005.Formoreinformationonuninstallingthisrelease,seeHow to: Uninstall an Existing Instance of SQL Server 2005 (Setup).
4.2.2.3
InternetRequirements
Requirement
MicrosoftInternetExplorer6.0SP1orlaterisrequiredforall installationsofSQLServer2005,asitisrequiredforMicrosoft ManagementConsole(MMC)andHTMLHelp.Aminimalinstallation ofInternetExplorerissufficient,andInternetExplorerisnotrequired tobethedefaultbrowser. However,ifyouareinstallingclientcomponentsonlyandyouwillnot connecttoaserverthatrequiresencryption,InternetExplorer4.01 withServicePack2issufficient.
:InternetExplorer6.0SP1orlaterisrequiredforSQLServerManagementStudio,Business IntelligenceDevelopmentStudio,andtheReportDesignercomponentofReportingServices.
27
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.2.3
4.2.3.1
SecurityConsiderations
Userrightsforinstallation
ThepersoninstallingSQLServermustbeamemberoftheAdministratorsgrouponthe
serverwhereSQLServerisbeinginstalled(MSDELLSQL).
4.2.3.2
UserrightsforServiceAccount
TheSQLServerserviceshouldrununderthecredentialsofadomainuseraccountas describedinServiceStartupandApplicationPoolIdentityAccountsunderthe DomainControllerPreparationsection.Wewillbeusing MSDELLBI\SQLServiceAccountastheservicestartupaccountinthisinstallation. FormoreinformationonServiceAccountsandtheirimportancepleasereferto AppendixD. ThefollowingSQLServercomponentscannotbeconfiguredatinstalltime.Theywillbe installedwithdefaultsettings. NotificationServices IntegrationServices FullTextSearch ActiveDirectoryHelper SQLWriter
4.2.4
4.2.4.1
SQLServerSetup
TheSetupProcess
28
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
3. OntheEndUserLicenseAgreementpage,readthelicenseagreement,andthenselect thecheckboxtoacceptthelicensingtermsandconditions.Acceptingthelicense agreementactivatestheNextbutton.Tocontinue,clickNext.ToendSetup,clickCancel. 4. OntheInstallingPrerequisitesscreen,SetupinstallssoftwarerequiredforSQLServer 2005.Tobeginthecomponentupdateprocess,clickInstall.Tocontinueaftertheupdate completes,clickNext. 5. OntheWelcometotheMicrosoftSQLServerInstallationWizardpage,clickNextto continue. 6. OntheSystemConfigurationCheck(SCC)page,theinstallationcomputerisscanned forconditionsthatmayblockSetup.Forinformationaboutconfigurationcheckitems, clickHelpatthebottomofthepageorseeCheckParametersfortheSystem ConfigurationChecker.Tointerruptthescan,clickStop.Todisplayalistofcheckitems groupedbyresult,clicktheFilterbuttonandthenselectacategoryfromthedropdown list.ToviewareportofSCCresults,clicktheReportbuttonandthenselectanoption fromthedropdownlist.OptionsincludeViewingthereport,Savingthereporttoa file,CopyingthereporttotheClipboard,andSendingthereportasemail.To proceedwithSetupaftertheSCCscancompletes,clickNext. Note
TheserveronwhichweareinstallingSQLServerDatabaseEngine(MSDELLSQL)does notrequireIIStobeinstalledaswearenotinstallinganyWebservicecomponentslike ReportingServicesorSharePointonthatserver. IfIISisnotinstalledyoumightreceiveawarninglikeIISFeatureRequirement (Warning)MicrosoftInternetInformationServices(IIS)iseithernotinstalledoris disabled.IISisrequiredbysomeSQLServerFeatures..Thiswarningcanbeignored.
29
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
o o o
ThesecomponentsarenotrequiredfortheSQLServerDatabaseEnginetorunonthe server.Itisgoodpracticetohavethesecomponentsinstalledonaworkstationand managetheserverremotely. Toinstallindividualcomponents,clickAdvanced.Otherwise,clickNexttocontinue. 9. IfyouclickedAdvancedonthepreviouspage,theFeatureSelectionpagedisplays.On theFeatureSelectionpage,selecttheprogramfeaturestoinstallusingthedrop downboxes.Toinstallcomponentstoacustomdirectory,selectthefeatureandthen clickBrowse.Formoreinformationaboutthefunctionalityofthispage,clickHelp.To continuewhenyourfeatureselectionsarecomplete,clickNext.ClickNext. 10. OntheInstanceNamepage,selectadefaultornamedinstanceforyourinstallation.Ifa defaultornamedinstanceisalreadyinstalled,andyouselecttheexistinginstanceforyour installation,Setupupgradesitandprovidesyoutheoptiontoinstalladditional components.Toinstallanewdefaultinstance,theremustnotbeadefaultinstanceonthe computer.Toinstallanewnamedinstance,clickNamedInstanceandthentypea uniqueinstancenameinthespaceprovided.Toinstallanewnamedinstancesidebyside withanexistinginstance,clickNamedInstanceandthentypeauniqueinstancenamein thespaceprovided.Formoreinformationaboutinstancenamingrules,clickHelpatthe bottomofthepage,orseetheInstanceNametopicinSQLServer2005BooksOnline. ClickNext. 11. OntheServiceAccountpage,specifytheusername,password,anddomainnamefor SQLServerserviceaccount.Youcanoptionallychoosetostartothercomponentsat WindowsStartup.ClickNext. Note
WecreatedadomainuseraccountMSDELLBI\SQLServiceAccounttoruntheSQLServer Windowsservice.Incaseifyouhavenotcreatedthisaccount,contactyournetworkor Windowsadministratortodothis.
30
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
13. OntheCollationSettingspage,choosethecollationsettingsappropriateforyour environment.ClickNext. 14. OntheErrorReportingpage,optionallyclearthecheckboxtodisableerrorreporting. 15. OntheReadytoInstallpage,reviewthesummaryoffeaturesandcomponentsforyour SQLServerinstallation.Toproceed,clickInstall. 16. OntheInstallationProgresspage,youcanmonitorinstallationprogressasSetup proceeds.Toviewthelogfileforacomponentduringinstallation,clicktheproductor
31
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
statusnameontheInstallationProgresspage.OncetheSetupProcesscompletes,click Next. 17. OntheCompletingMicrosoftSQLServer2005Setuppage,youcanviewtheSetup summarylogbyclickingthelinkprovidedonthispage.ToexittheSQLServerInstallation Wizard,clickFinish. 18. Ifyouareinstructedtorestartthecomputer,dosonow.Itisimportanttoreadthe messagefromtheSetupprogramwhenyouaredonewithinstallation.Failuretorestart thecomputermaycausefailureswhenyouruntheSetupprograminthefuture. Note ThisdocumentwascreatedwhenthelatestpatchforSQLServerwasSP2.Itisimportant toupdateSQLServerwiththelatestServicePackstoensureyouhavelatestfeaturepacks andimprovementsintheproduct.RefertotheWhatsnewinSQLServer2005Sp2in AppendixAforadditionalinformation.
4.2.5
DataandLogFilesChangeDefaultPath
1. FromSQLServer2005launchSQLServerManagementStudio. 2. FromtheObjectExplorer 3. isvisibleonthescreenclickConnectandchooseDatabaseEngine.Ifnot,clickView >ObjectExplorerorhittheF8key. 4. ConnecttoServerwindow,specifythenameoftheserverwhereSQLServeris installed.IfSQLServer2005wasinstalledasanamedinstance,specifythe ServerName/InstanceName. 5. ChooseWindowsAuthentication.IfyouwishtochooseSQLServerAuthentication youneedtouseraSQLServerloginwithAdministrativerightsontheSQLServer. Connecttotheserver.Youwillseetheservernamewithalistoffolders(Databases, Security,ServerObjects,andsoon). 6. TolaunchtheServerPropertieswindowrightclickSQLServerintheObject ExplorerandclickProperties.Thispagecontainsallserverlevelproperties includingpropertiestoconfigureDataandLOGdirectoriesforyourserver. 7. ClickDatabaseSettingsintheSelectapagesectionontheleftsideoftheServer Propertieswindow.UnderDatabasedefaultlocationschangethelocationofData andLogdirectories.Youcanclicktheellipsesnexttoeachofthetextboxesand browsetothenewfolderortypethenewpath.
32
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
33
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.3 InstallSQLServer2005AnalysisServices
4.3.1 ServerDetails
InthetestenvironmentSQLServer2005AnalysisServicesisinstalledonMSDELL AS.
4.3.2.1
OperatingSystemRequirements
ThefollowingtableshowstheoperatingsystemandSQLServerversioncompatibility matrix. SQLServer OperatingSystem WindowsServer2003 ServerSP1 WindowsServer2003 EnterpriseEditionSP1 WindowsServer2003 DatacenterEditionSP1 WindowsServer200364Bit x64StandardEditionSP1 WindowsServer200364Bit x64DatacenterEditionSP1 WindowsServer200364Bit x64EnterpriseEditionSP1
1
Enterprise Developer Standard Edition Edition Edition (X86) (X64) (X86) (X64) (X86) (X64) Yes No Yes No Yes No Yes Yes No No Yes Yes No No Yes Yes No No
:TheseeditionsofSQLServer2005canbeinstalledtotheWindowsonWindows (WOW64)32bitsubsystemofa64bitserver.
4.3.2.2
SoftwareRequirements
34
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Ifnotalreadyinstalled,SQLServerSetupinstallseachofthesecomponentsseparately; onlytheSQLServerSetupsupportfilesareautomaticallyremovedwhenyouuninstall SQLServer2005.Formoreinformationonuninstallingthisrelease,seeHow to: Uninstall an Existing Instance of SQL Server 2005 (Setup).
4.3.2.3
InternetRequirements
Requirement
InternetExplorer6.0SP1orlaterisrequiredforallinstallationsof SQLServer2005,asitisrequiredforMicrosoftManagementConsole (MMC)andHTMLHelp.AminimalinstallationofInternetExplorer issufficient,andInternetExplorerisnotrequiredtobethedefault browser. However,ifyouareinstallingclientcomponentsonlyandyouwillnot connecttoaserverthatrequiresencryption,InternetExplorer4.01 withServicePack2issufficient.
ASP.NET2.02
4.3.3
4.3.3.1
SecurityConsiderations
UserRightsforInstallation
ThepersoninstallingSQLServerAnalysisServicesmustbeamemberofthe
AdministratorsgroupontheserverwhereSQLServerAnalysisServicesisbeing installed(MSDELLAS).
35
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.3.3.2
UserrightsforServiceAccount
4.3.4
4.3.4.1
SQLServerAnalysisServicesSetup
TheSetupProcess
Inthissection,wediscussthesequenceofuseractionsinfullGUImodeandcode executionrequiredtoinstallanewinstanceofSQLServerAnalysisServices.
4.3.4.1.1 ProgramFlowforStandardInstallation
1. InstallfromeithertheSQLserver2005DVDoranetworkshare.Ifinstallingfroma networkshare,navigatetothenetworkfolderandlaunchsplash.hta. 2. Fromtheautorundialog,clickRuntheSQLServerInstallationWizard. 3. OntheEndUserLicenseAgreementpage,readthelicenseagreement,andthenselect thecheckboxtoacceptthelicensingtermsandconditions.Acceptingthelicense agreementactivatestheNextbutton.Tocontinue,clickNext.ToendSetup,clickCancel. 4. OntheInstallingPrerequisitespage,SetupinstallssoftwarerequiredforSQLServer 2005. 5. OntheWelcometotheMicrosoftSQLServerInstallationWizardpage,clickNextto continue. 6. OntheSystemConfigurationCheck(SCC)page,theinstallationcomputerisscanned forconditionsthatmayblockSetup.Forinformationaboutconfigurationcheckitems, clickHelpatthebottomofthepageorseeCheckParametersfortheSystem ConfigurationChecker.Tointerruptthescan,clickStop.Todisplayalistofcheckitems groupedbyresult,clicktheFilterbuttonandthenselectacategoryfromthedropdown list.ToviewareportofSCCresults,clicktheReportbuttonandthenselectanoption fromthedropdownlist.OptionsincludeViewingthereport,Savingthereporttoa file,CopyingthereporttotheClipboard,andSendingthereportasemail.To proceedwithSetupaftertheSCCscancompletes,clickNext.
36
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
If IIS is not installed you might receive a warning like IIS Feature Requirement (Warning) Microsoft Internet Information Services (IIS) is either not installed or is disabled. IIS is required by some SQL Server Features.This warning can be ignored.
7. OntheRegistrationInformationpage,enterinformationintheNameandCompany textboxes.Tocontinue,clickNextandFillouttheregistrationinformation. 8. OntheComponentstoInstallpage,selectthefollowing a. b. SQLServerAnalysisServices OptionallyyoucanchooseWorkstationComponents,BooksOnlineand DevelopmentTools.Thisinstalls: o o ClientconnectivitycomponentslikeOLEDBdrivers ManagementtoolslikeSQLServerManagementStudio,SQLServer ConfigurationManager o o o c. PerformancetoolslikeSQLServerProfiler,TuningAdvisor BusinessIntelligenceDevelopmentStudio SQLServerDocumentation.
9. Toinstallindividualcomponents,clickAdvanced.ThisdisplaystheFeatureSelection page.Selecttheprogramfeaturestoinstallusingthedropdownboxes.Toinstall componentstoacustomdirectory,selectthefeatureandthenclickBrowse.Formore informationaboutthefunctionalityofthispage,clickHelp.Tocontinuewhenyour featureselectionsarecomplete,clickNext. 10. OntheInstanceNamepage,selectadefaultornamedinstanceforyourinstallation.Ifa defaultornamedinstanceisalreadyinstalled,andyouselecttheexistinginstanceforyour installation,Setupupgradesitandprovidesyoutheoptiontoinstalladditional components.Toinstallanewdefaultinstance,theremustnotbeadefaultinstanceonthe computer.Toinstallanewnamedinstance,clickNamedInstanceandthentypea
37
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
uniqueinstancenameinthespaceprovided.Toinstallanewnamedinstancesidebyside withanexistinginstance,clickNamedInstanceandthentypeauniqueinstancenamein thespaceprovided.Formoreinformationaboutinstancenamingrules,clickHelpatthe bottomofthepage,orseetheInstanceNametopicinSQLServer2005BooksOnline. ClickNext. 11. OntheServiceAccountpage,specifytheusername,passwordanddomainnamefor AnalysisServicesserviceaccount. Note WecreatedadomainuserMSDELLBI\ASServiceAccountwhichisusedtorunthe AnalysisServiceswindowsservice.Thisuserhastohavereaderpermissionsonallthe datasourcesusedbyAnalysisServices.Incaseifyouhavenotcreatedthisaccount contactyournetworkorWindowsadministratortocreateanaccount.
38
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
13. OntheErrorReportingpage,optionallyclearthecheckboxtodisableerrorreporting. 14. OntheReadytoInstallpage,reviewthesummaryoffeaturesandcomponentsforyour SQLServerinstallation.Toproceed,clickInstall. 15. OntheInstallationProgresspage,youcanmonitorinstallationprogressasSetup proceeds.Toviewthelogfileforacomponentduringinstallation,clicktheproductor statusnameontheInstallationProgresspage. 16. OntheCompletingMicrosoftSQLServer2005Setuppage,youcanviewtheSetup summarylogbyclickingthelinkprovidedonthispage. 17. Ifyouareinstructedtorestartthecomputer,dosonow.Itisimportanttoreadthe messagefromtheSetupprogramwhenyouaredonewithinstallation.Failuretorestart thecomputermaycausefailureswhenyouruntheSetupprograminthefuture. Note ThisdocumentwascreatedwhenthelatestpatchforSQLServerwasSP2.Itisimportant toupdateSQLServerwiththelatestServicePackstoensureyouhavelatestfeaturepacks andimprovementsintheproduct.RefertotheWhatsnewinSQLServer2005Sp2in AppendixAforadditionalinformation.
4.3.5
DataandLogDirectoriesChangeDefaultPath
1. LaunchSQLServerManagementStudiofromSQLServer2005. 2. IftheObjectExplorerisvisibleonthescreenclickConnectandchooseDatabase Engine.Ifnot,clickViewandthenclickObjectExplorerorhittheF8key. 3. IntheConnecttoServerwindow,specifythenameoftheserverwhereSQLServer AnalysisServicesisinstalled.IfAnalysisServiceswasinstalledasanamedinstance, specifytheServerName/InstanceName. 4. Onceitconnects,youseetheservernamewithDatabasesandAssembliesfolders underit. 5. TolaunchtheAnalysisServicesPropertieswindow,rightclicktheAnalysis ServicesinstancenameintheObjectExplorerandclickProperties.Thispage containsallserverlevelpropertiesincludingpropertiestoconfigureDATAandLOG directoriesforAnalysisServices. 6. ClickGeneralintheSelectapagesectionontheleftsideoftheAnalysisServices Propertieswindow.Alistofpropertiesisdisplayedwithvariouscolumns.TheValue columnletsyousetavalueforaproperty.TheCurrentValuecolumndisplaysthe currentvaluethatssetforthatproperty.Similarlythereareothercolumnslike Default,Restart,Type,Units,andCategory.IftheRestartcolumnshowsavalue
39
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
7. 8. 9.
10.
yesforanyproperty,changingthatpropertywillrequireyoutorestartAnalysis Servicesbeforethenewvaluetakeseffect. ChangethevalueofDataDirtopointtothenewfolderwhereAnalysisServicesData fileswillbestored. ChangethevalueofLogDirtopointtothenewfolderwhereAnalysisServicesLog fileswillbestored. OptionallyyoucanalsochangethedefaultpathfortheBackupDirandTempDir propertiesofAnalysisServices.TodisplayTempDirinthepropertieslistcheckthe ShowAdvanced(All)PropertiescheckboxatthebottomoftheAnalysisServices Propertieswindow. .RestartAnalysisServices.OpentheAnalysisServicesPropertieswindowandverify thechangeintheCurrentValuecolumnofthepropertiesyouchanged.
Figure15.
AnalysisServicesServerProperties
FormoreinformationonAnalysisservicesserverpropertiespleaserefertothe followingSQLservertechnicalarticle.
40
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
http://www.microsoft.com/technet/prodtechnol/sql/2005/ssasproperties.mspx
4.4 InstallSQLServer2005ReportingServices
4.4.1 ServerDetails
InthetestenvironmentSQLServer2005ReportingServicesisinstalledon MSDELLWEBSRV1.
4.4.2.1
OperatingSystemRequirements
ThefollowingtableshowstheoperatingsystemandSQLServerversioncompatibility matrix. SQLServer OperatingSystem WindowsServer2003 ServerSP1 WindowsServer2003 EnterpriseEditionSP1 WindowsServer2003 DatacenterEditionSP1 WindowsServer200364Bit x64StandardEditionSP1 WindowsServer200364Bit x64DatacenterEditionSP1 WindowsServer200364Bit x64EnterpriseEditionSP1
1
Enterprise Developer Standard Edition Edition Edition (X86) (X64) (X86) (X64) (X86) (X64) Yes No Yes No Yes No Yes Yes No No Yes Yes No No Yes Yes No No
:TheseeditionsofSQLServer2005canbeinstalledtotheWindowsonWindows (WOW64)32bitsubsystemofa64bitserver.
41
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.4.2.2
SoftwareRequirements
Ifnotalreadyinstalled,SQLServerSetupinstallseachofthesecomponentsseparately; onlytheSQLServerSetupsupportfilesareautomaticallyremovedwhenyouuninstall SQLServer2005.Formoreinformationonuninstallingthisrelease,seeHow to: Uninstall an Existing Instance of SQL Server 2005 (Setup).
4.4.2.3
InternetRequirements
Requirement
InternetExplorer6.0SP1orlaterisrequiredforallinstallationsof SQLServer2005,asitisrequiredforMicrosoftManagementConsole (MMC)andHTMLHelp.AminimalinstallationofInternetExplorer issufficient,andInternetExplorerisnotrequiredtobethedefault browser. However,ifyouareinstallingclientcomponentsonlyandyouwillnot connecttoaserverthatrequiresencryption,InternetExplorer4.01 withServicePack2issufficient.
ASP.NET2.02
42
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
4.4.3
4.4.3.1
SecurityConsiderations
UserRightsforInstallation
ThepersoninstallingSQLServerReportingServicesmustbeamemberofthe
AdministratorsgroupontheserverwhereSQLServerReportingServicesisbeing installed(MSDELLWEBSRV1).
AdministratorrightsforSQLServerThepersoninstallingSQLServerReporting
ServicesmusthaveAdministratorrightsontheSQLServerwheretheReporting Servicesdatabaseiscreated.ThisprivilegeisrequiredsothattheReportingServices ConfigurationWizardcancreatetherequiredReportingServicesdatabasesandgrant therightlevelofpermissionstotheReportingServicesDatabaseAccessAccount.Once ReportingServicesisconfigured,theDatabaseAccessAccountspecifiedduringthe configurationwillbeusedtoconnecttotheReportingServicesdatabases.
4.4.3.2
UserrightsforServiceAccount
4.4.4
4.4.4.1
SQLServerReportingServicesSetup
TheSetupProcess
Inthissection,wediscussthesequenceofuseractionsinfullGUImodeandcode executionrequiredtoinstallanewinstanceofSQLServerReportingServices.
4.4.4.1.1 ProgramFlowforStandardInstall
1. InstallfromeithertheSQLserver2005DVDoranetworkshare.Ifinstallingfroma networkshare,navigatetothenetworkfolderandlaunchsplash.hta. 2. RuntheSQLServerInstallationWizard. 3. OntheInstallingPrerequisitespage,SetupinstallssoftwarerequiredforSQLServer 2005.Tobeginthecomponentupdateprocess,clickInstall.Tocontinueaftertheupdate completes,clickNext.
43
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Configuration Checker.Tointerruptthescan,clickStop.Todisplayalistofcheckitems
groupedbyresult,clickFilterandthenselectacategoryfromthedropdownlist.Toview areportofSCCresults,clickReportandthenselectanoptionfromthedropdownlist. OptionsincludeViewingthereport,Savingthereporttoafile,Copyingthereportto theClipboard,andSendingthereportasemail. 6. OntheRegistrationInformationpage,enterinformationintheNameandCompany textboxes. 7. OntheComponentstoInstallpage,selectthefollowing a. ReportingServices b. OptionallyyoucanchooseWorkstationComponents,BooksOnlineand DevelopmentTools.Thisinstalls: o o ClientconnectivitycomponentslikeOLEDBdrivers. ManagementtoolslikeSQLServerManagementStudio,SQLServer ConfigurationManager. o o o PerformancetoolslikeSQLServerProfiler,TuningAdvisor. BusinessIntelligenceDevelopmentStudio. SQLServerDocumentation.
ThesecomponentsarenotrequiredforSQLServerReportingServicestorunonthe server.Itisgoodpracticetohavethesecomponentsinstalledonaworkstationand managetheserverremotely. 8. Toinstallindividualcomponents,clickAdvanced.TheFeatureSelectionpagedisplays. Selecttheprogramfeaturestoinstallusingthedropdownboxes. 9. OntheInstanceNamepage,selectadefaultornamedinstanceforyourinstallation.Ifa defaultornamedinstanceisalreadyinstalled,andyouselecttheexistinginstanceforyour installation,Setupupgradesitandprovidesyoutheoptiontoinstalladditional components.Toinstallanewdefaultinstance,theremustnotbeadefaultinstanceonthe computer.Toinstallanewnamedinstance,clickNamedInstanceandthentypea
44
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
uniqueinstancenameinthespaceprovided.Toinstallanewnamedinstancesidebyside withanexistinginstance,clickNamedInstanceandthentypeauniqueinstancenamein thespaceprovided.Formoreinformationaboutinstancenamingrules,clickHelpatthe bottomofthepage,orseetheInstance NametopicinSQLServer2005BooksOnline. ClickNext. 10. OntheServiceAccountpage,specifytheusername,passwordanddomainnameforSQL Serverserviceaccount. Note WecreatedadomainuserMSDELLBI\WebServiceAccountwhichisusedtorunthe windowsserviceandapplicationpoolidentitiesofalltheWebservicecomponents installedonMSDELLWEBSRV1.
Figure16. ReportingServicesSetupServiceAccountpage
45
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
11. IfaSQLServerDatabaseEngineinstanceexistedonthemachinewhereReporting Servicesisbeinginstalled,thesetupwizardwouldprovideyoutwooptionsontheReport ServerInstallationOptionspage: Installthedefaultconfiguration:ThisoptioncreatestheReportingServices databaseonthelocalsystemandperformstheReportingServicesconfigurationlike creationofvirtualdirectories,configuringstartupaccounts,andothertasksusingthe defaultsettings. Installbutdonotconfiguretheserver:Thisoptionisusedifyouwanttocreate theReportingServicesdatabasesonaremoteinstanceofSQLServerandspecifythe virtualdirectorysettingsandstartupaccountsforReportingServices. Inourcase,wehavenotinstalledaSQLinstanceontheReportingServicesbox,hencewe willbecreatingtheReportingServicescatalogdatabaseonaremoteinstanceofSQL Serverandconfigurethevirtualdirectoriesandstartupaccountsmanually.
Figure17.
ReportingServicesSetupReportServerInstallationOptions page
46
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
47
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
2. Ifyouareinstructedtorestartthecomputer,dosonow.Itisimportanttoreadthe messagefromtheSetupprogramwhenyouaredonewithinstallation.Failuretorestart thecomputermaycausefailureswhenyouruntheSetupprograminthefuture. Note ThisdocumentwascreatedwhenthelatestpatchforSQLServerwasSP2.Itisimportant toupdateSQLServerwiththelatestServicePackstoensureyouhavelatestfeaturepacks andimprovementsintheproduct.RefertotheWhatsnewinSQLServer2005Sp2in AppendixAforadditionalinformation. ReportingServicesSharePointIntegratedMode SQLServer2005ServicePack2addsanadditionalfeaturetoReportingServices. ReportingServicescanbeintegratedwithSharePoint.OnceyouupdateaReporting ServicesinstancewithServicePack2intheReportingServicesConfigurationWizardyou getanadditionaloptioncalledSharePointIntegration.ThishelpsyousetupaReporting ServicesdatabasefornewSharePointintegrationmodeandmakethenecessarysettings. RefertotheDeploymentModesforReportingServicesinAppendixAforadditional information.
4.4.4.1.2 ConfiguretheReportServerandCreatetheRemoteDatabase
1. FromSQLServer2005,pointtoConfigurationTools,clickSQLServerSurfaceArea Configuration. 2. InSurfaceAreaConfigurationforServicesandConnections,verifythattheReportServer Windowsserviceisrunning. 3. InSurfaceAreaConfigurationforFeatures,verifythatScheduledEventsandReport Delivery,HTTPandWebServiceRequests,andWindowsintegratedsecurityareall enabled. 4. OpenReportingServicesConfiguration.ClickStart,pointtoAllPrograms,pointto MicrosoftSQLServer2005,pointtoConfigurationTools,clickReportingServices Configuration.
48
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
5. Selectthelocalreportserverinstanceyoujustinstalled.ClickConnect.
49
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
50
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
51
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
52
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
53
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
54
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
55
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
56
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
57
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure31. Connect.
WebServiceIdentityConfigured
18. ClickDatabaseSetup.HereweneedtospecifytheremoteinstanceofSQLServer.Click
58
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
59
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
60
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure34. SQLServerConnectionDialogBox 21. FromtheCredentialsTypedropdown,selectthetypeofaccountyouwantReportServer tousetoconnecttotheReportServerdatabase.YoucanusetheServiceCredentialsora WindowsdomainuseraccountorSQLServerlogin. Inourcase,letschooseServiceCredentialswhichessentiallymeansthatReporting Serviceswillusetheserviceaccountitrunsundertoconnecttoitscatalogdatabase. IfyouchoseWindowsCredentialsorSQLServerCredentials,typetheusernameand passwordthatthereportserverusestoconnecttothereportserverdatabase.Formore information,seeConfiguringaReportServerDatabaseConnection. 22. ClickApplytosaveyourchanges.
61
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure35. DatabaseSetupConfigured Note TheEncryptionKeyspageisusedtomanagethesymmetrickeythatisusedbythe reportservertoencryptanddecryptthedata.FormoreinformationonEncryptionKeys refertothefollowingarticlehttp://msdn2.microsoft.com/enus/library/ms189422.aspx TheInitializationpageshowsthestatusofthereportserverinascaleoutdeployment orisusedtojoinareportservertoascaleoutdeployment.ItcurrentlyshowsaredX nexttoitbecausethereportserverisnotconfiguredtoencryptordecryptthedatainthe reportserverdatabase.FormoreinformationonInitializationrefertothefollowinglink http://msdn2.microsoft.com/enus/library/ms181357.aspx 23. Openhttp://MSDELL-WEBSRV1/reportserverandhttp://MSDELL-WEBSRV2/reports toverifyyourinstallation.
62
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure36. ReportServerhomepage
Figure37. ReportManagerhomepage
63
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.5.2
MOSSRequirementsandPrerequisites
4.5.2.1
OperatingSystem
4.5.2.1.1 WindowsComponents
Afteryouhaveinstalledtheoperatingsystemandappliedallcriticalupdates,youmust configurethecomputertobeaWebserverbyenablingInternetInformationServices (IIS)6.0,including: Commonfiles WWW SimpleMailTransferProtocol(SMTP):Onlyifyouwanttoenableemail notification.
64
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
4.5.2.2
Microsoft.NETFramework3.0
4.5.2.3
InternetRequirements
OfficeSharePointServer2007administrationfunctionsrequireMicrosoftInternet Explorer6.0withthemostrecentservicepacksorInternetExplorer7.0.
4.5.3
4.5.3.1
SecurityConsiderations
UserRightsforInstallation
ThepersoninstallingMOSSmustbeamemberoftheAdministratorsgrouponthe
serverwhereMOSSisbeinginstalled(MSDELLWEBSRV1).
4.5.3.2
AdministratorRightsforSQLServer
ThepersoninstallingMOSSmusthaveAdministratorrightsontheSQLServerInstance wheretheMOSSdatabasesarecreated.
4.5.3.3
UserrightsforServiceAccount
4.5.4
4.5.4.1
MOSSSetup
TheSetupProcess
Inthissection,wediscussthesequenceofuseractionsinfullGUImodeandcode executionrequiredtoinstallMOSS
4.5.4.1.1 ProgramFlowforStandardInstall
1. OntheMSDELLWEBSRV1server,fromtheproductdisc,runSetup.exe,orfromthe productdownload,runOfficeserver.exe. 2. OntheChoosetheinstallationyouwantpageyouhavetwooptions.
65
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
TheBasicoptioninstallsSharePointinthedefaultlocationwiththedefaultsettings whichincludesalocalinstanceofSQLServerExpressEdition. UsingtheAdvancedoption,youcancustomizethecomponentsofSharePointtobe installedandtheSQLServerinstancewhereSharePointdatabaseswillbecreated.Click Advanced. 3. IntheServerTypepage,chooseComplete.Optionally,youcanchangethedefault installlocation. 4. WhenSetupfinishes,selectRuntheSharePointProductsandTechnologies ConfigurationWizard 5. OntheWelcometoSharePointProductsandTechnologiespage,clickNext. 6. Inthedialogboxthatnotifiesyouthatsomeservicesmightneedtoberestartedorreset duringconfiguration,clickYes.
Figure 38.
66
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure39. SharePointConfigurationDatabaseSettings 9. IntheConfigureSharePointCentralAdministrationWebApplicationpage,specifya portnumber.ChooseNTLMastheauthenticationproviderfortheWebapplication.We shallconfigureSharePointtouseKerberoslater. 10. ReviewthesettingsspecifiedbeforeclickingNext. 11. OnceSharePointcompletestheconfigurationclickFinish. 12. TheSharePointCentralAdministrationWebSitehomepageopensup.
Note Ifyouarepromptedforyourusernameandpassword,youmightneedtoaddtheSharePoint CentralAdministrationsitetothelistoftrustedsitesandconfigureuserauthentication settingsinInternetExplorer.
67
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure40. SharePointCentralAdministrationHomePage 13. BeforeconfiguringSharePoint,youcanrunthelatestupdatesandservicepacks.Atthe timethisdocumentwaspreparedthelatestservicepackwasWSS3.0SP1andMOSS2007 SP1. 14. OntheSharePointCentralAdministrationhomepageyouseeawarningthatthe ServerFarmconfigurationnotcomplete.ClickOperations.ClickServicesonServer. HereyouseealistofservicesthatMicrosoftOfficeSharePointprovides.ClickStartnext toExcelCalculationServices.ThisserviceisrequiredtoprovideExcelServicesandExcel WebAccessontheSharePointsite.ClickStartnexttoOfficeSharePointServerSearch.
Note TosuccessfullycreateanSSPonyourserveryourequireanIndexServer.Youmuststart MicrosoftOfficeSharePointSearchontheservertocreateanIndexServer.
68
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure41. SharePointServicesonServer 15. ClickApplicationManagement.UnderOfficeSharePointServerSharedServices sectionclickCreateorconfigurethisfarmssharedservices. 16. ThisstepisrequiredtocreateanewSharedServiceProviderwhichwouldprovidefeatures likeExcelServicestotheSharePointWebApplication.IntheManagethisFarmsShared ServicespageclickNewSSP. 17. OntheNewSharedServicesProviderPagetypeanamefortheSharedServices Provider.ASSPneedsaWebapplicationtohostitsAdminSite.ClickCreateanewWeb
69
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Application.
Figure42. SharePointNewSharedServicesProvider 18. OntheNewWebApplicationpage,selectCreateanewIISWebsite,typeaWebsite name,specifytheport.LeavetheauthenticationasNTLM;weshallconfiguretheWeb ApplicationtoexecuteunderKerberosDelegationinalatersection. 19. SelectNounderAllowAnonymous. 20. UnderApplicationPool,selectCreateanewApplicationPool.Specifyanameforthe applicationpoolandundertheapplicationpoolsecurityaccountselectConfigurableand specifythedomainuseraccountusedtorunSharePoint (MSDELLBI\WebServiceAccount). 21. YoucanorestartIISmanuallyorautomatically.SpecifytheSQLServerinstancenameas thedatabaseserver.Youcanoptionallychangethedatabasename.UnderDatabase Authentication,selectWindowsAuthentication.
70
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure43. WebApplicationSettings NewApplicationPool,SecurityAccount,DatabaseServer,DatabaseAuthentication 22. IfyouinitiatedtheSearchServiceinMOSS,selectthesearchserverfromthedropdown list,otherwiseleavethedefaultsettingforSearch. 23. ThiscreatesanewWebapplicationandreturnsyoutotheSharedServicesProvider creationpage.TheWebapplicationyoujustcreatedisnowchosenastheWebapplication tohosttheSSPsadminsite.OptionallyyoucancreateanewWebapplicationifyouwish toprovidetheenduserswiththeMySitefeature.Formaintenanceandmanageability reasons,werecommendhavingaseparateWebapplicationtohosttheMySite.
71
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure44. BacktoSharedServicesProvidercreationpage
Note
SharePointconfigurationtasksaredonethroughtheCentralAdministrationWebsite. YoucanopentheCentralAdministrationfromaremoteworkstationtoperformanyof theconfigurationtasks.IfSharePointisnotsetuptouseSecureSocketLayers(SSL)you receiveawarningwhichstatesthattheinformationyouprovideisnotsecuredfor communication. EnablingSSLonSharePointisnotcoveredinthisdocument. 24. UnderSSPServiceCredentials,specifytheserviceaccount (MSDELLBI\WebServiceAccount)forSpecifythesameSQLInstancenameasunderthe DatabaseServerandyoucanoptionallychangethedatabasename.ChooseWindows AuthenticationastheDatabaseAuthenticationmethod.
72
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure45. SharedServicesProviderSettings NewApplicationPool,SecurityAccount,DatabaseServer,DatabaseAuthentication 25. IfyoucreatedaSharePointSearchServiceandIndexingServicesyoucanoptionallycreate aSearchdatabaseandspecifytheIndexingServerdetails,elseleaveitasdefault. 26. OntheSharedServicesProviderCreatedSuccessfullypage,clickOk. 27. IntheCentralAdministrationhomepage,clickApplicationManagement.Under SharePointSiteManagement,clickCreatesitecollection.
73
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
28. Typeatitleforthesitecollection,specifytheURLandchooseatemplate.
74
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure47. SharePointSiteCollectionCreation
75
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure48. NewSharePointSiteCollection 31. OncetheTopLevelsiteiscreatedyouneedtocreatethefollowing: DocumentLibraryforPerformancePointdashboarditems DocumentLibraryforExcelReports DataConnectionLibraryfordatasourceconnectionfiles Tocreatethedocumentlibraries,onthesitecollectionhomepageclickSiteActions ontherightsideofthepage,thenselectCreate. IntheCreatepageunderLibraries,clickDocumentLibrary. Specifyanameforthedocumentlibrary.YoucanselecttheNavigationOptions, DocumentVersionHistorysettingsandaDocumentTemplate.ClickCreate. RepeatthesamestepsagaintocreateanotherdocumentlibraryforExcelReports.
32. Theaccessmodelforthesitewillbeconfiguredinalatersection.
76
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure49. DocumentLibraryCreation 33. OntheCreatepageunderLibraries,selectDataConnectionLibrary.Typethenameof thedataconnectionlibrary.YoucanselecttheNavigationOptionsandDocument VersionHistorysettings.ClickCreate. 34. TocorrectlyconfigureExcelServicesyouneedtoaddthedocumentlibrarycreatedfor ExcelReportstoanExcelServicesTrustedFileLocation.OpentheCentral Administrationhomepage.UndertheSharedServicesAdministrationsection,select theSharedServiceProviderlisted.OntheSSPAdministrationhomepage,select TrustedFileLocationunderExcelServices. 35. IntheAddTrustedFileLocationspagepastetheURLoftheExcelDocumentLibrary. ChangetheAllowExternalDatatoallowdatafromTrusteddataconnectionlibraries only.Theremainingsettingscanbeleftastheirdefaults.
77
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure50. URLfortheDocumentLibrary
78
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure51. AddingthedocumentlibrarytoExcelServicesTrustedFile Location 36. OncetheExcelDocumentLibraryhasbeenaddedtoTrustedFileLocations,weneedto addtheExcelDataConnectionLibrarytotheTrustedDataConnectionLibraries.Onthe SharedServicesAdminhomepage,underExcelServices,clickTrustedData ConnectionLibraries.CopytheURLoftheExcelDataConnectionLibraryandpasteit intheAddressbox. 37. Tocreateanewdataconnectioninthedataconnectionlibrary,openMicrosoftOffice Excel2007.ClicktheDatatab.ClickFromOtherSourcesandselectAnalysisServices. 38. IntheDataConnectionWizard,typethenameoftheAnalysisServicesinstance,choose WindowsAuthentication. 39. IntheSelecttheDatabaseandTablepage,selectthecubeorperspective. 40. Typeafilenameandfriendlynameforthedataconnectionfile.CheckAlwaysattemptto usethisfiletorefreshdata.
79
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure52. CreatinganewExcelDataSourceConnection 41. ClickAuthenticationSettingsandensurethatitssettoWindowsauthentication. ClickOk.ClickFinishtosavethedataconnectionfile. 42. ToaddthisdataconnectionfiletotheExcelDataConnectionlibrary,openthedata connectionlibrary.ClickUploadandclickUploadDocument.Browsetothefolder wherethedatasourcewascreatedanduploadthefiletothedataconnectionlibrary.By defaultthedataconnectionfileisstoredintheMyDocuments/MyDataSourcesfolder. 43. Oncethefilehasbeenadded,SharePointwillpromptyoutoapprovethedocument.Click Oktoapprovethedocument. 44. TocreateanyreportsinExcel,theusershouldusethedataconnectionfilefromtheExcel DataConnectionLibraryontheSharePointServer. 45. OncetheExcelreportiscreated,itcanbepublishedtotheExcelDocumentLibrarythat wascreatedearlier.
80
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
4.6 InstallPerformancePointMonitoringServer
4.6.1 ServerDetails
InthetestenvironmentsetupPPSMonitoringServerisinstalledonMSDELL WEBSRV1.
4.6.2.1
OperatingSystem
4.6.2.1.1 WindowsComponents
Afteryouhaveinstalledtheoperatingsystemandappliedallcriticalupdates,youmust configurethecomputertobeaWebserverbyenablingInternetInformationServices (IIS)6.0. YoumustconfiguretheservertouseIIS6.0workerprocessisolationmode.Thisisthe defaultsettinginnewinstallations.However,ifyouhaveupgradedfromIIS5.0on WindowsServer2000,RunWWWinIIS5.0isolationmodeisenabled,andyoumust changethissettingtouseIIS6.0workerprocessisolationmode. YoumusthaveMicrosoft.NETFrameworkversion2.0ontheserverwithMicrosoft ASP.Net2.0enabled.
4.6.2.2 4.6.2.3
81
InternetExplorerRequirements OtherComponents:
SQLServer2005DatabaseEngine.(Thiscanbeonaremoteinstance) SQLServerNativeClient9.0SP2 ADOMD.Net9.0SP2
MicrosoftInternetExplorer6.0or7.0
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
ASP.NET2.0AJAXExtensions1.0 MicrosoftSharePointServices3.0orMicrosoftOfficeSharePointServer2007.
4.6.3
4.6.3.1
SecurityConsiderations
UserRightsforInstallation
4.6.3.2
AdministratorrightsforSQLServer
ThepersoninstallingPerformancePointMonitoringServermusthaveAdministrator rightsontheSQLServerwherethePerformancePointdatabaseiscreated.
4.6.3.3
UserRightsforServiceAccount
4.6.4
4.6.4.1
MonitoringServerSetup
TheSetupProcess
Inthissection,wediscussthesequenceofuseractionsinfullGUImodeandcode executionrequiredtoinstallanewinstanceofMonitoringServer.
4.6.4.1.1 ProgramFlowforStandardInstallation
1. OntheMSDELLWEBSRV1machine,installPerformancePointServerfromtheCD. 2. Onthestartupscreen,clickInstallMonitoringServer.Ifitdoesnotautomatically launch,doubleclicktheMonitoringServerMSI(PSCSrv.msi). 3. Hardwareandsoftwareprerequisitecheckingisperformedbycallinganexternalpre requisitevalidationenginetoensurethetargetserverissuitableforinstalling MonitoringServer.ThePrerequisitescreenwillnotappearifthemachinemeetsall prerequisiterequirements. 4. OntheDirectorySelectionpage,youcanchoosethelocationtoinstallthebinaries. ClickNext.
82
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
5. OntheInstallpage,clickNext. 6. OncetheMonitoringServerInstallationiscomplete,ensurethattheRunthe MonitoringServerConfigurationManagerWizardcheckboxisselectedbeforeyou clickFinish.ThiswillinvoketheConfigurationManagerWizard.Ifyoudonotwishto runtheConfigurationManagerWizardnow,youhavetorunitbeforeyoubegintouse PerformancePointServer. 7. ThePrerequisitesscreendisplaysthecomponentsthatareneededtobeinstalledpriorto settingupthewebbasedportionofMonitoringServer. 8. TheInstallationOptionspagehastwooptions: StandaloneConfiguration:Thisrequiresallservicestobeinstalledandrunning onthelocalserver.Thisoptioncannotbecustomized. DistributedConfiguration:Thisallowstheabilitytoinstallcomponents independentlyondifferentserversandprovidesmoreflexibility.These componentswillbeavailablebasedontheprerequisiteschecktodeterminewhich componentscanbeinstalledonthemachine.Theavailablecomponentstoinstall areasfollows: a. MonitoringSystemDatabase:TheMonitoringSystemDatabasecanbe createdonaremoteSQLInstance. b. MonitoringServer:Installsthreeservices: MonitoringWebServiceisafrontendWebservicefacilitatesthe communicationbetweenDashboardDesignerandMonitoring Systemdatabase. DashboardWebPreviewisapreviewfeaturethatprovidesthe capabilitytodeployandviewdashboardsasASP.NETWebpages. DashboardDesignerInstallationSiteisaninstallationsitefor userstoinstallDashboardDesignerondemandusingMicrosoft ClickOnceTechnology.Itisacentralpointforuserstodownload theDashboardDesignerclient. c. ScorecardViewerforReportingServices:InstallsSQLServer2005 ReportingServicescustomerdataextensionforaSQLServerReports Server.Thisextensionenablestheautomateddeploymentandrenderingof DashboardsinReportDefinitionLanguage(RDL). d. DashboardViewerforSharePointServices:InstallsMonitoringWeb partsthatenablesdeploymentandviewingofdashboardsinWindows SharePointServices3.0orOfficeSharePointServer2007. e. MonitoringPluginforReportDesigner(VisualStudio2005):Installsa SQLServer2005ReportingServicescustomerdataextensionforMicrosoft VisualStudio2005.ThisextensionenablestheconsumptionofDashboards usingReportDefinitionLanguage(RDL)inVisualStudio. SelectDistributedConfigurationandensurethatthecheckboxesnexttoallthe componentsarechecked.
83
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
84
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure54. PerformancePointServerDatabaseSettings 10. OntheWebsitescreenifyouhaveSSLimplementedonyourWebsite,selectthe RequireSSLconnectionstoMonitoringWebSitebox. 11. OntheApplicationPoolIdentityAccountscreenselectConfigurableandtypeinthe domainname,serviceaccountname,andpassword.ClickNext. Note WecreatedadomainuserMSDELLBI\WebServiceAccountwhichisusedtorunallthe WebservicecomponentsinstalledonMSDELLWEBSRV1(SSRS,MOSS&PPS).
85
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
86
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
12. OntheWebPartspagetypetheURLfortheSharePointsitecollection. 13. TheSQLServerReportingServicesscreenisusedtodefinealocalReportingServer instanceonwhichtodeploytheMonitoringPlugin. 14. TheValidationscreenshowsthecomponentsthatwillbeinstalled. 15. TheReviewOptionsscreenshowsallthechoicesmadethroughouttheConfiguration wizard.ClickConfigure. 16. TheProgressscreenshowseachcomponentthatisbeinginstalledandconfigured. 17. TheSummaryscreenconfirmsthattheinstallationiscomplete. Note PerformancePointMonitoringservercreatesthreeapplicationpools. PPSMonitoringCentral,PPSMonitoringPreview,andPPSMonitoringWebService.Ensure thatalltheseapplicationpoolsarerunningundertheidentityoftheserviceaccount specifiedduringtheconfiguration.Bydefault,thePPSMonitoringCentralapplicationpool executesundertheidentityofNETWORKSERVICE.Thisapplicationpoolisusedbythe DesignerInstallvirtualdirectorythatinstallstheDashboardDesigneronclientmachines. Changetheidentityofthisapplicationpooltotheserviceaccountusedduring configurationofPPS.
4.7 InstallingtheDashboardDesigner
4.7.1 DashboardDesignerRequirementsand Prerequisites
ThissectiondetailsthehardwareandsoftwarerequirementstoinstallDashboard Designer.ItalsoliststhesoftwareprerequisitesforinstallingDashboardDesigner.
4.7.1.1
SoftwareRequirements
WindowsServer2003SP1orlater WindowsXPProfessionalSP2orlater WindowsVista InternetExplorer6.0orlater
ThefollowingaresoftwarerequirementstoinstallDashboardDesigner:
87
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
MicrosoftOfficeVisio2007(forstrategymaps) OfficeExcel2007(touseExcelasadatasource)
4.7.1.2
SoftwarePrerequisites
Microsoft.NETFramework2.0
ThefollowingaresoftwareprerequisitestoinstallDashboardDesigner:
4.7.2
4.7.2.1
SecurityConsiderations
UserRightsforInstallation
4.7.3
4.7.3.1
DashboardDesignerSetup
TheSetup
Inthissection,wediscussthesequenceofuseractionsrequiredtoinstallanew instanceofDashboardDesigneronamachinenotalreadyrunningDashboardDesigner.
4.7.3.1.1 ProgramFlowforaStandardInstallation
1. InstalltheDashboardDesigneronaclientmachinefromhttp://MSDELL WEBSRV1:40000/Central/.Toinstallitontheserver,theDashboardDesigner installsasaClickOnceapplicationfromMicrosoftOfficePerformancePointServer 2007 2. ClickRunnexttoDownloadDashboardDesigner. 3. ASecurityWarningscreenwillappearpromptingtoclickeitherRunorDont RuntoinstallMicrosoftOfficePerformancePointServerDashboardDesigner. 4. ClickRun.TheDashboardDesignerinstallsasaClickOnceapplication.Youcan findthelinktoopenDashboardDesignerbynavigatingtoStart,thenProgram Files,MicrosoftOfficePerformancePointServer2007,andfinallyDashboard Designer.
88
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
Figure56. PerformancePointServerDashboardDesigner
4.8 InstallProClarityAnalyticsServer6.3
4.8.1 ServerDetails
InthetestenvironmentProClarityAnalyticsServerisinstalledonMSDELL WEBSRV2.
4.8.2
PASRequirementsandPrerequisites
89
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
4.8.2.1
OperatingSystem
4.8.2.1.1 WindowsComponents
Afteryouhaveinstalledtheoperatingsystemandappliedallcriticalupdates,youmust configurethecomputertobeaWebserverbyenablingInternetInformationServices (IIS)6.0withActiveServerPagesandServerSideIncludessettoAllowed. YoumusthaveMicrosoft.NetFrameworkversion2.0ontheserverwithMicrosoft ASP.Net2.0enabled.
4.8.2.2 4.8.2.3
InternetExplorerRequirements OtherComponents:
MicrosoftInternetExplorer6.0or7.0
SQLServer2005DatabaseEngine.(Thiscanbeonaremoteinstance)
4.8.3
4.8.3.1
SecurityConsiderations
UserRightsforInstallation
ThepersoninstallingPASmustbeamemberoftheAdministratorsgroupontheserver
wherePASisbeinginstalled(MSDELLWEBSRV2).
4.8.4
4.8.4.1
PASSetup
TheSetupProcess
Inthissection,wediscussthesequenceofuseractionsinfullGUImodeandcode executionrequiredtoinstallPAS.
4.8.4.1.1 StandardInstallation
1. InstallProClarityAnalyticsfromtheproductCD. 2. OntheChooseInstallationTypepage,selectFullProduct.
90
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
3. OntheSetUpWebSitepage,typeinthenameoftheProClarityAnalytics ServerVirtualDirectory:PAS.
91
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
92
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentInstallMicrosoftBusinessIntelligenceTechnologyPlatform
8. Browsetothehttp://MSDELLWEBSRV2/passitetoviewtheProClarity AnalyticsServerhomepage.
Figure60. PASHomepage 9. UpdatetheProClarityAnalyticsServerwiththelatestupdatesandpatches: ProClarityAnalyticsServerCumulativeHotfix2213 ProClarityAnalyticsServerCumulativeHotfix2214 10. ToenableProClarityWebProfessionalasadownloadforusersfromthePASsite, copytheWebProfessionalfolderfromthesetupmediaandplaceitinthePAS VirtualDirectoryfolder.OpentheProClarityAdministrationTool.Rightclick Components,clickNewComponent.
93
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure62. NewComponentinPASAdministrationTool
94
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
5 KerberosDelegation:Setupand Configuration
KerberosDelegationprovidesasecuremeansforclientsandservicesonthenetworkto identifyandcommunicatewitheachother.Itisthemostsecuremeansof authenticationbetweenservices. ToimplementKerberosDelegationtherearevariouslevelsofsettingsthatneedtobe doneatthedomaincontroller,applicationlayer,andclient.Inthissectionweshalltake youthroughthesetupandconfigurationofKerberosConstrainedDelegationinamulti serverenvironment.
Note
5.1 ActiveDirectorySettingsandConfigurations
5.1.1 DomainFunctionalLevel
Windows2000domainfunctionalleveloffersUnconstrainedDelegationinwhicha servicecandelegateusercredentialstoanyotherserviceinthedomain.Thisposesa securityriskifaserviceiscompromisedbyamalicioususer.Amoresecurewayof delegatingcredentialsistouseConstrainedDelegationwhichisnewinWindows2003. WithaWindows2003domainfunctionallevelandusingConstrainedDelegation,we canexplicitlydefinetheresourcesorservicestowhichaservicecandelegateusers credentials. ForthepurposeofthisdocumentwewillconsiderConstrainedDelegation.
95
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
5.1.2
ServiceAccountSettings
Figure63. CredentialDelegation
5.1.2.1
ServicePrincipalNames
AServicePrincipalName(SPN)isamappingintheActiveDirectorydirectoryservices oftheservicetothesecurityprincipalortheaccountunderwhichitisrunning.SPN helpsaclientuniquelyidentifyaninstanceofaserviceandisusedtosupportmutual authenticationbetweenaclientapplicationandaservice. Whenaclientwantstoconnecttoaservice,itlocatesaninstanceoftheservice, composesanSPNforthatinstance,connectstotheservice,andpresentstheSPNfor theservicetoauthenticate. ToenableKerberosAuthenticationweneedtocreateSPNsforthedomainuser accountsunderwhichthevariousservicesrun. TheSETSPNcommandlineutilityisapartoftheWindows2003SupportTools.Itcan alsobedownloadedfromtheMicrosoftDownloadCenter.
96
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
ThegeneralsyntaxoftheSETSPNcommandtolistSPNscreatedforadomainuser accountis:
setspn l useraccount
TolistSPNscreatedforaServerorhost:
setspn l hostname
TocreateSPNsforaservicerunningunderadomainuseraccount:
setspn a serviceclass/hostname:port useraccount setspn a serviceclass/fully_qualified_domain_name:port useraccount
5.1.2.1.1 SQLServerDatabaseEngine
TocreateaSPNforSQLServerDatabaseEngine,logontothedomaincontrollerusing anaccountthathasadministrativeprivilegesontheDomainController. Openacommandprompt.BrowsetotheSETSPNinstallation.Thedefaultlocationof theSETSPNcommandlineutilityisC:\ProgramFiles\ResourceKit. Runthefollowingcommands: Syntax:
setspn -a MSSQLsvc/hostname:1433 useraccount setspn a MSSQLsvc/hostname.mydomain.com:1433 useraccount
Example:
setspn -a MSSQLsvc/MSDELL-SQL:1433 SQLServiceAccount setspn a MSSQLsvc/MSDELL-SQL.MSDELLBI.COM:1433 SQLServiceAccount
97
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure64. ServicePrincipleName(SPN)Creation
5.1.2.1.2 SQLServerAnalysisServices
TocreateaSPNforSQLServerAnalysisServices,logontothedomaincontrollerusing anaccountthathasadministrativeprivilegesonthedomaincontroller: 1. Openacommandprompt.BrowsetotheSETSPNinstallation.Thedefault locationoftheSETSPNcommandlineutilityisC:\ProgramFiles\ResourceKit. 2. Runthefollowingcommands:
Syntax: setspn -a MSOLAPsvc.3/hostname useraccount setspn a MSOLAPsvc.3/hostname.mydomain.com useraccount Example: setspn -a MSOLAPsvc.3/ MSDELL-AS ASServiceAccount setspn a MSOLAPsvc.3/MSDELL-AS.MSDELLBI.COM ASServiceAccount
98
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure65. SPNCreationforAnalysisServices
Openacommandprompt.BrowsetotheSETSPNinstallation.Thedefault locationoftheSETSPNcommandlineutilityisC:\ProgramFiles\ResourceKit.
IfmorethanoneWebserviceishostedonasingleWebserver,eachWebserviceruns underadifferentport.Forexample:http://servername(defaultport80)and http://servername:8888.BothWebapplicationsaresetuptouseKerberosAuthentication. ClientsaccesstheWebapplicationsthroughInternetExplorerusingtheURL http://servernameandhttp://servername:8888. InternetExplorerhastoobtainaKerberostickettoauthenticatewiththeserver.While passingtheURLtoobtaintheticket,InternetExplorerdoesnotpasstheportnumber. HenceInternetExplorergetsavalidtickettoauthenticatewiththeWebservicerunning underthedefaultport80(http://servername)butisnotabletousetheKerberosProtocol toauthenticatewithanyotherWebapplicationonthesameserverthatsrunningundera differentport. Therearethreewaysyoucanworkaroundthisproblem: RunalltheWebapplicationsontheserverusingthesamedomainuseraccountand createoneSPNforthatserviceaccountusingtheappropriateserviceclass.Trustthe serviceaccounttodelegatecredentialstotheotherresourcesonthenetwork.
99
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Important YouwillhavetocreatedifferentHostHeadernamesforeachWebsiteinIIS.Define thehostheadernamesintheDNSasclassAentries.CreateSPNsusingtheHost Headernameinsteadofusingthehostnamewithdifferentserviceaccountsforeach Webservice.Trusttheserviceaccountstodelegatecredentialstootherresourceson thenetwork. UpdateIISwithahotfixasdescribedintheKBarticle http://support.microsoft.com/kb/908209/ThisinvolvesreplacingaDLLonserverand modifyingtheclientregistrysettingstopasstheportnumberwhilerequestingthe ticket.
Figure66. SPNCreationforWebServices
5.1.2.1.4 ProClarityAnalyticsServer
ProClarityAnalyticsServerisinstalledonMSDELLWEBSRV2.ItisaWebservice runningundertheapplicationpoolidentityofNETWORKSERVICE.Insuchacasewe donothavetocreateaSPNtoidentifythisservicebecauseSPNsforbuiltinsystem
100
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
accountsareautomaticallycreatedwhenthemachineisjoinedtoadomain.Theservice classusedisHOSTandcoversmostofthecommonservicesincludingHTTP.
5.1.2.2
TrustAccountforDelegation
TheWebapplicationsneedtobeconfiguredtodelegatecredentialstootherbackend services.ToimplementConstrainedDelegationweneedtoexplicitlyspecifytheservices towhichcredentialscanbedelegated.Thisisamuchmoresecuremeansofdelegating credentialsandisanaddedfeatureinWindows2003DomainFunctionalLevel. Inourscenario,alltheWebcomponentsrunningonMSDELLWEBSRV1serverare runningunderthecredentialsofMSDELLBI\WebServiceAccount.Weneedtotrustthis accounttodelegateusercredentialstoSQLServerDatabaseEngineandSQLServer AnalysisServices. 1. OntheDomainControlleropenActiveDirectoryUsersandComputers.Click Users.RightclickWebServiceAccountandclickProperties.
101
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
102
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
103
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
104
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
105
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
106
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure74. MSDELLBI\SQLServiceAccountProperties
107
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure75. MSDELLBI\ASServiceAccountProperties
Note EnsurethatforalltheenduseraccountstheAccountissensitiveandcannotbe delegatedcheckboxiscleared.
5.1.3 ServerComputerSettings
Thefollowingsectiondescribestheconfigurationsettingsthatneedtobedonein ActiveDirectorytothevariousservers.
5.1.3.1
TrustComputerforDelegation
108
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
2. ClickComputers.RightclickMSDELLWEBSRV2,clickProperties.
109
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
110
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
111
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
112
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
113
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure82. MSDELLBI\MSDELLSQLProperties
114
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure83. MSDELLBI\MSDELLASProperties
115
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure84. MSDELLBI\MSDELLWEBSRV1Properties
5.2 BackendServerSettings
5.2.1 SQLServerConfigurations
ForaclienttoauthenticatewithSQLServerithastoconnecttoSQLServerusingTCP/IP. ThiscanbeaccomplishedbyplacingtheTCP/IPprotocolatthetopoftheclientprotocols list. 1. 2. 3. 4. 5. OpenSQLServerConfigurationManager. ExpandtheSQLNativeClientConfiguration. RightclickClientProtocolsandclickProperties. IfTCP/IPisdisabled,clickTCP/IPintheDisabledProtocolslistandenableit. ClickTCP/IPandmoveittothetopofthelist.
116
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure85. SQLServerClientAuthentication
5.2.2
AnalysisServicesConfigurations
NoadditionalconfigurationisrequiredonAnalysisServicestoimplementKerberos AuthenticationandDelegation.
5.3 WebApplicationSettings
5.3.1.1 AnonymousAccess
Whenanonymousaccessisturnedon,noauthenticatedusercredentialsarerequiredto accessthesite.Thisoptionisbestusedwhenyouwanttograntpublicaccessto informationthatrequiresnosecurity.WhenausertriestoconnecttoyourWebsite,IIS assignstheconnectiontotheIUSER_ComputerNameaccount,whereComputerNameis thenameoftheserveronwhichIISisrunning.Bydefault,theIUSER_ComputerName accountisamemberoftheGuestsgroup.Thisgrouphassecurityrestrictions,imposed byNTFSfilesystempermissions,thatdesignatethelevelofaccessandthetypeof contentthatisavailabletopublicusers.
117
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Ifyouturnonanonymousaccess,IISalwaystriestoauthenticateusersbyusing anonymousauthenticationfirst,evenifyouturnonadditionalauthenticationmethods.
5.3.2
ReportingServicesConfigurations
ThefollowingsectiondescribesthatconfigurationsthatneedtodonetoReporting ServicestoenableKerberos.
5.3.2.1
1.
DisableAnonymousAccess
Figure1. AuthenticationMethodsinIIS
118
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
119
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
120
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure88. EditingAuthenticationProviders 5. ForExcelServices,bydefaulttheaccessmodelissettoTrustedsubsystem.Setthis toDelegation. Trustedsubsystem(defaultinaSharePointfarmdeployment)isamodeinwhichthe frontendandbackendservercomponentshaveatwowaytrust.Thisallowsfilesto beretrievedfromOfficeSharePointServer2007byusingtheExcelServicesaccount. However,eventhoughExcelServicesretrievesthefiles,itperformsasecuritycheck toverifythattheuserrequestingthefilehastheappropriatepermissions.Inthis mode,thebackendExcelCalculationServicesserverdoesknowtheusersidentity, butdoesnothaveafullusersecuritytokenandsocannotdelegateittoother computers. Delegationisamodeinwhichthefrontendserversofthefarmalwaysdelegatethe usersidentitytothebackendservers.Inthiscase,filesareretrievedastheenduser whoisrequestingtheworkbookinsteadoftheExcelServicesaccount.Thebackend ExcelCalculationServicesserverhastheusersfullidentity(securitytoken)andso candelegateittootherservers. Todothis,youhavetoruntheseSTSADMcommandsfromthecommandprompt. NavigatetothedirectorywhereSTSADM.exeislocated.Bydefaultitsinstalledat
121
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
C:\ProgramFiles\CommonFiles\MicrosoftShared\Webserverextensions\12\BIN, andtype:
stsadm -o set-ecssecurity -ssp ShareServicesProviderName accessmodel delegation stsadm -o execadmsvcjobs
Example:
stsadm -o set-ecssecurity -ssp MSDELL-SSP -accessmodel delegation stsadm -o execadmsvcjobs
122
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
10. ClickStart,clickRun,typeinetmgr,andthenpressENTER. 11. Expandthelocalcomputernode,andthenclicktheWebSitesfolder.Theidentifier foreachWebsiteislistedintheIdentifiercolumn. 12. Openacommandpromptandchangetothefollowingdirectory: %systemdrive%\Inetpub\adminscripts. 13. FortheSharePointidentifier,runthefollowingcommandtocheckwhatthecurrent AuthenticationProviderissetto. cscript adsutil.vbs GET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders. 14. IftheresultdoesnotshowNegotiateinityouneedtosettheAuthenticationprovider usingthefollowingcommand: cscript adsutil.vbs SET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders "Negotiate,NTLM" Thissettingisnotalwaysautomaticallyapplied.Forinformation,seeHowtoconfigure IIStosupportboththeKerberosprotocolandtheNTLMprotocolfornetwork authenticationintheMicrosoftKnowledgeBase.
Figure90. SettingtheAuthenticationmodeoftheSharePointWebsite
123
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure91. IdentifyingthelocationoftheWeb.config
124
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure92. Web.configforPPSWebService
125
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure93. Web.configforPPSPreview EnsurethatthePPSMonitoringWebsiteinIISsupportsbothNTLMandKerberos LocatethenumericidentifierforthePPSMonitoringWebsite. ClickStart,clickRun,typeinetmgr,andthenpressENTER. Expandthelocalcomputernode,andthenclicktheWebSitesfolder.Theidentifierfor eachWebsiteislistedintheIdentifiercolumn. Openacommandpromptandchangetothefollowingdirectory: %systemdrive%\Inetpub\adminscripts ForthePPSMonitoringidentifier,runthefollowingcommandtocheckwhatisthe currentAuthenticationProvidersetto: cscript adsutil.vbs GET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders IftheresultdoesnotshowNegotiateinityouneedtosettheAuthenticationprovider usingthefollowingcommand: cscript adsutil.vbs SET w3svc/< IDENTIFIER#> /Root/NTAuthenticationProviders "Negotiate,NTLM" Thissettingisnotalwaysautomaticallyapplied.Forinformation,seeHowtoconfigure IIStosupportboththeKerberosprotocolandtheNTLMprotocolfornetwork authenticationintheMicrosoftKnowledgeBase.
3. 4. 5. 6. 7. 8.
9.
126
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
Figure94. SettingtheAuthenticationmodeofthePPSWebsite
5.3.5
1.
ProClarityAnalyticsServerConfigurations
127
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure95. ProClarityGlobal.asa
5.4 EndUserSystemConfigurations
1. InInternetExplorerAdvancedsettings,enableIntegratedWindows Authentication.
128
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentKerberosDelegation:SetupandConfiguration
129
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
130
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
6 UserAccessandSecurityConfigurations
Inatypicalbusinessintelligencescenario,therearemultipleanalyticalsolutionsdeployed withmanyusersaccessingthem.Eachuserorusergrouphasdifferentsetsofpermissions. Thesepermissionsincludeauthorizationtoviewreports,accessbackenddatabaseservers, rolebasedsecuritytorestrictthedatatheycansee,permissiontoalterorpublishtheirown content,manageotheruserstoseecontent,andothers.
6.1 SQLServer2005DatabaseEngine
IntheMicrosoftBusinessIntelligenceTechnologyPlatformSQLServerisusedfor:
Note: ReportdatacanbefetchedfromAnalysisServices,Excelorotherdatasourceswhichsupport OLEDB,ODBCandotherformats. AnalysisServicescanfetchdatafromothersourcesaswell.
Therearetwowaystheuserscanaccessthebackenddatasource. 1. StoredCredentials:Ifthedatasourcedoesnotrestrictdatabasedontheuser credentialsorifthedatasecuritylogicisimplementedintheapplicationitself,then thecredentials(WindowsaccountorSQLServerlogin)canbehardcodedinthe applicationsdatasourceconnectionstring.Thereareotherrelatedsecurityissuesif youusestoredcredentialslikeensuringthepasswordisnotstoredaspaintextorit isnotsentoveranunsecurenetworketc. 2. WindowsAuthentication:Thisisthesafestwaytoaccessabackenddatabase server.LoginsandrolesontheSQLServerdefinethelevelofaccessdomainuserora usergrouphas.
131
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
132
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure99. PermissionsandRoleMembershipinSQLServer
6.2 SQLServer2005AnalysisServices
AnalysisServicesisaprimarysourceforreportingandanalyticalapplicationslikeReporting Services,PerformancePointServer,ProClarity,Excel,andothers. UnliketheSQLServerdatabaseengine,AnalysisServiceshasarolebasedsecuritywhichnot onlydefineswhatobjectsoftheOLAPsolutionauserhasaccessto,butalsodefineswhat datatheuserispermittedtosee.Thisisnormallyusedinbusinessintelligenceapplications wheredifferentusers/usergroupshaveaccesstotheirregionalordepartmentaldataonly.
133
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure100. Role
134
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
135
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
136
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
137
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure104. ExcelServicesViewDomainAdmin.Unrestricteddataaccess
Note: SimilartotheexampleshownaboveinExcelServices,otherapplicationslikeReporting ServicesandPerformancePointServercanrestrictdatabasedontheusersroleinAnalysis Services.
6.3 SQLServer2005ReportingServices
InSQLServerReportingServices,authorizationisprovidedthrougharolebasedsecurity modelthatisspecifictoReportingServices. AllusersinteractwithReportingServiceswithinthecontextofarole.Ausercanbeassigned todifferentkindsofrolesfordifferentitems.Forexample,auserwhoisamemberofthe ContentManagerroleforonereportmaybeamemberoftheBrowserroleforanotherreport. Predefinedrolesareprovidedthatgrouprelatedtasksintologicalunits.Examplesofsomeof therolesthatareavailableincludeContentManager,Publisher,andBrowser.Youcancreate newrolesormodifytheexistingonestocustomizethetasksthateachrolesupports.
138
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
6.3.1
1.
UserPermissions
Toprovideuserpermissionsatareportfolder,openReportManager,browsetothe folderandclickProperties.
Figure105. ReportManagerHome(Rootlevelfolder)
139
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
2. ClickNewRoleAssignment.
140
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
141
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
142
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
143
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure110. EditingpermissionsforMSDELLBI\User2
6.4 MicrosoftOfficePerformancePointServer2007
MonitoringServer,acomponentofPerformancePointServer,hasseveralrolesfor individualswhoperformvariousactivities.Insmallorganizations,oneormorepeople mayberesponsibleforadministeringallthefeaturesofMonitoringServer.Inlarger organizationsonegroupmaybeadministratorsonthesystemwhileanothergroup createslibrariesforreportsandkeyperformanceindicators(KPIs),anddesignsand buildsdashboards. Permissionsaregrantedtorolesandpermissionsareappliedtoanyuserwhobelongstoa role. TherearefourtypesofserverrolesforMonitoringServer: Administrator:ThisroleprovidescompletecontroloverMonitoringServerand accesstoalldashboarddata.AmemberoftheAdministratorrolecancreate,edit, anddeletealldashboardelements,andcanpublishtotheserver. Creator:Thisroleenablesuserstocreatereports,KPIs,scorecards,andother indicators.MembersoftheCreatorrolecanpublishdashboardelementsto
144
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
PerformancePointmonitoringserverrolesarecreatedandmanagedusingdashboard designer.
6.4.1
1.
UserPermissions
145
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
2. ToaddaUser1toarole,opendashboarddesignerusinganaccountthathas AdministratorprivilegesonMonitoringServer.
146
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure113. Options
4.
ClickConnecttoconnecttoMonitoringServer.
147
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
148
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
149
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
150
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure117. AddedpermissionsforMSDELLBI\User1asDataSourceManager
8.
NowUser1willbeabletocreatedatasourcesusingtheDashboardDesigner.
151
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
152
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure119. ProvidingMSDELLBI\User1withreadaccesstoascorecard
6.5 MicrosoftOfficeSharePointServer2007
6.5.1
1.
UserPermissions
ForausertobeabletoopenaSharePointpage,theuserneedstohaveatleastreader permissionsonthepage.
153
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
154
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
155
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
156
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure123. User1accessgrantedtoSharePointsite
6.6 ProClarityAnalyticsServer
6.6.1 UserPermissions
TheAnalyticsServersecuritymodelprovidesarobust,yetflexible,structurefor controllingaccesstoAnalyticsServerandanyreferencedMicrosoftAnalysisServices servers.BecausethisrolebasedmodelleveragesexistingWindowsNTuserinformation, itiseasilyintegratedintoWindowsenvironments.Moreover,youcanuseAnalytics ServersecurityincombinationwithAnalysisServices(OLAP)security. TheprimaryelementsoftheAnalyticsServersecuritymodelareroles,accessrights,and permissions: Roles:Determineaccess.NousercanaccessAnalyticsServerwithoutbeinga memberofanAnalyticsServerrole. Accessrights:DeterminethetypeofaccessrolemembershavetoAnalytics Server,theoptionsbeingAdministrator,Author,orReader.
157
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
6.6.1.1
1.
GrantingAccesstoPASWebsite
158
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure125. NewReaderroleonProClarityAdministrationTool
159
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
160
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
161
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure128. ProvidingMSDELLBI\User1withWebProfessionalAccess
162
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentUserAccessandSecurityConfigurations
Figure129. SelectingProfessionalAccess
163
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
7 Troubleshooting
ThefollowingsectionsummarizesthestepsrequiredtoconfigureKerberosDelegation foreachWebapplicationandalsoprovidestroubleshootingstepsforsomeofthebasic errors.
7.1 SQLServerReportingServices
1. WhenyouopentheReportServerorReportManagerinabrowseandyoureceivean errorServiceUnavailable. EnsurethattheReportingServicesServiceisrunning. OpenIISManager.EnsurethattheWebsiteunderwhichthereportingservicesvirtual directoriesarecreatedisnotstoppedandthereportingservicesapplicationpoolsarenot stopped. 2. Ifyouarenotabletoseethedeployedreportsorreportfoldersorifyougetanerror messageThepermissionsgrantedtouserDomain\Usernameareinsufficientfor performingthisoperation. Ensurethattheuseryouarelogginginashaspermissionstoviewthereports.Log ontoReportManagerusinganAdministratoraccountandmakesuretheuserhas permissionstoviewthereports.RefertoUserAccessandSecurityConfigurationfor detailsonhowtoassignausertoaroleinReportingServices. 3. IfyouarenotabletoconnecttothedatasourceandyoureceiveanerrorCannot createaconnectiontodatasourceDataSourceName.Loginfailedforuser Domain/Username. Youneedtoverifyiftheuserhaspermissionstoaccessthedatasource.Foruser permissionsonSQLServerandAnalysisServicesrefertotheUserAccessandSecurity Configurationsection. 4. IfyouarenotabletoconnecttothedatasourceandyoureceiveanerrorCannot createaconnectiontodatasourceDataSourceName.LoginfailedforuserNT AUTHORITY\ANONYMOUSLOGON. Thiserrorindicatesthattheuserscredentialsarenotpassedacrossthenetworktothe databaseserver.YouneedtorevisitthestepsrequiredtosetupKerberosDelegation. 5. IfReportingServicesdoesnotdisplaytheerrorandinsteaddisplaysFormore informationaboutthiserror,navigatetothereportserveronthelocalservermachine, orenableremoteerrors.
164
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentTroubleshooting
7.2 MicrosoftOfficeSharePointServer2007
1. IfyouarenotabletoaccesstheSharePointsiteoryougetanError:AccessDenied. EnsurethattheuseryouarelogginginashaspermissionstoviewtheSharePointsite. LogontoSharePointsiteusinganAdministratoraccountandmakesuretheuserhas permissionstoviewthesite. 2. WhilebrowsinganExcelServicesReportifyoureceiveDataRefreshFailed.Unableto retrieveexternaldataforthefollowingdataconnections:DataSourceName.Thedata sourcesmaybeunreachable,maynotberesponding,ormayhavedeniedyouaccess. MakesuretheuseryouareloggedinasauserwhohaspermissionsontheDataSource. Iftheuserhaspermissionsonthedatasourceandyoureceivethiserror,youshould makesurethattheDataConnectionLibraryisaddedtotheTrustedDataConnection Libraries. MakesureyouhaveenabledWindowsIntegratedAuthenticationinthedatasourceand enabledAlwaysattempttousethisfiletorefreshdata. MakesureyouhavechangedtheaccessmodelfromTrustedSubsystemto DelegationforExcelServices. RunSQLProfilertoidentifytheuserIDwithwhichExcelServicesistryingtoconnectto thedatasource.IftheloginisfailingduetoaNTAUTHORITY\ANONYMOUSUSER youneedtorevisitthestepsrequiredtoconfigureKerberosforSharePointandExcel Services.
7.3 PerformancePointServer2007
1. WhilecreatingaDataSourceinDashboardDesigner,whenyouclickTest ConnectionyoureceiveanerrorDataSourceConnectionFailed. Ensurethattheuserhasaccesstothedatasource. RunSQLProfilertoidentifytheuserIDwithwhichDashboardDesigneristryingto connecttothedatasource.
165
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
2. IfyouarenotabletoaccessaPerformancePointDashboarditemfromtheSharePoint site: Ensurethattheuseryouarelogginginashaspermissionstoviewthe PerformancePointobject.UsingPerformancePointDashboardDesigner,connectto PerformancePointServerusinganAdministratoraccountandmakesuretheuserhas permissionstoviewtheobjects. 3. IfyoucanviewthedashboardonaSharePointsitebutthedatadisplayedisnot accordingtothesecuritydefinedintheAnalysisServicesroles. RunSQLProfilertoidentifytheuserIDwithwhichPerformancePointDashboard ViewerWebpartistryingtoconnecttothedatasource. ToensurethatPerformancePointcanimpersonatetheclientuserscredentialstoother serviceslikeSQLServerandAnalysisServicesensurethat BPM.ServerConnectionPerUservalueissettoTrueintheWeb.configfilefor PerformancePointServerandSharePointServer.
7.4 ProClarityAnalyticsServer
1. WhenyouopentheProClarityAnalyticsServerpage,youdonotseeanybriefing books. RuntheProClarityAdministrationtoolusingaProClarityAdministratoraccountand makesuretheuserhassufficientpermissionstoviewthebriefingbook. 2. IntheProClarityAnalyticsPageyoudonotseetheoptionforLaunchWeb Professional. LaunchProClarityAdministrationtoolusingaProClarityAdministrationaccountand ensurethattheuserhasAllowProfessionalAccesschecked. 3. WhenyouopenaProClarityAnalyticsServerpageandreceiveanerrorThecubeused bythispagecouldnotbefound. Makesuretheuseryouareloggedinashaspermissionsonthecube. RunSQLProfilertoidentifytheuserIDwithwhichProClarityAnalyticsServeristrying toconnecttothedatasource.IftheloginisfailingduetoaNT AUTHORITY\ANONYMOUSUSERyouneedtorevisitthestepsrequiredtoconfigure KerberosforPAS.
166
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
8 Appendix
8.1 AppendixA
FunctionalLevelsBackgroundInformation: http://technet2.microsoft.com/windowsserver/en/library/4a589ca2b57248cd94d2 7d5b0c817f411033.mspx WhetsNewisSQLServer2005SP2: http://download.microsoft.com/download/2/B/5/2B5E5D379B17423DBC8F B11ECD4195B4/WhatsNewSQL2005SP2.htm DeploymentModesforReportingServices: http://msdn2.microsoft.com/enus/library/bb326345.aspx ReportServerHowtoTopics(SharePointIntegratedMode): http://msdn2.microsoft.com/enus/library/bb283321.aspx HardwareandSoftwareRequirementsforInstallingSQLServer2005: http://technet.microsoft.com/enus/library/ms143506.aspx InstallingSQLServerDatabaseEngine: http://technet.microsoft.com/enus/library/ms144296.aspx InstallingSQLServerAnalysisServices: http://technet.microsoft.com/enus/library/ms143708.aspx InstallingSQLServerReportingServices: http://technet.microsoft.com/enus/library/ms143736.aspx InstallingSharePointinastandalonemachine: http://technet2.microsoft.com/Office/enus/library/bd99c3a903334c1c9793 a145769e48e61033.mspx?mfr=true DeployingSharePointinasimpleServerFarm: http://technet2.microsoft.com/Office/enus/library/bd99c3a903334c1c9793 a145769e48e61033.mspx?mfr=true MonitoringServerHardwareandSoftwarePrerequisites: http://technet.microsoft.com/enus/library/bb838773.aspx
167
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
8.2 AppendixB
SETSPNOverview: http://technet2.microsoft.com/windowsserver/en/library/b3a029a17ff04f6f87d2 f2e70294a5761033.mspx?mfr=true KerberosAuthenticationinWindowsServer2003:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/kerber os/default.mspx
HowtouseKerberosauthenticationinSQLServer: http://support.microsoft.com/kb/319723 HowtoconfigureSQLServer2005AnalysisServicestouseKerberosauthentication: http://support.microsoft.com/kb/917409/enus HowtoconfigureaWindowsSharePointServicesvirtualservertouseKerberos authenticationandhowtoswitchfromKerberosauthenticationbacktoNTLM authentication: http://support.microsoft.com/kb/832769/ ConfiguringKerberosforSharePoint2007Blog: http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuringkerberosfor sharepoint2007part1baseconfigurationforsharepoint.aspx InternetExplorer6cannotusetheKerberosauthenticationprotocoltoconnecttoa WebsitethatusesanonstandardportinWindowsXPandinWindowsServer2003: http://support.microsoft.com/kb/908209/ EssentialTipsonKerberosforSharePointDeployersblog: http://blogs.msdn.com/james_world/archive/2007/08/20/essentialguidetokerberosin sharepoint.aspx KerberosauthenticationanddelegationforMonitoringServer: http://technet.microsoft.com/enus/library/bb794629.aspx ConfigureMonitoringServerforKerberosconstraineddelegation: http://technet.microsoft.com/enus/library/bb794629.aspx UsingAnalysisServicesdatainExcelServices :http://www.sharepointblogs.com/tonstegeman/archive/2007/03/11/usinganalysis servicesdatainexcelservicespart1preparingtheadforkerberos.aspx
168
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
8.3 AppendixC
8.3.1 Running32bitApplicationson64bitWindows (IIS6.0)
WindowsServer2003TM,ServicePack1enablesIIS6.0torun32bitWebapplicationson 64bitWindowsusingtheWindows32onWindows64(WOW64)compatibilitylayer. IIS6.0usingWOW64isintendedtorun32bitpersonalproductivityapplications neededbysoftwaredevelopersandadministrators,including32bitInternet InformationServices(IIS)Webapplications.
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
8.4 AppendixD
8.4.1 ServiceAccounts
ServicesinWindowsareprogramsthatruninthebackground.Thesecanbesettostart automaticallywhenthesystemstartsuportheycanbestartedmanually.Theyarenot dependentontheuserwhoisloggedontothecomputer. TheServiceAccountistheaccountthattheservicerunsas.Servicesmusthavealogon accounttooperate.ThisrequirementisnecessarysinceallprogramsrunninginNTor latermusthaveanaccountcontexttocontrolthescopeoftheiraccess.Sincethereis nobodyloggedontothemachinewhenitbootsinitially,theserviceaccountallowsthe servicetostartwellbeforeanyuserhasloggedontoamachine.Theaccount requirementalsoallowsaprogramtopersistaftersomeonehasloggedoffofamachine. Serviceskeeprunningunderthecontextofthelogonaccountforeachserviceuntil eachserviceisrestartedorthemachineisrebooted. Usingtherightserviceaccountwiththeleastpossiblepermissionsisveryimportant.If not,anattackercouldcompromisetheaccounttogainfullandunrestrictedaccessto thecomputer,domain,oreventotheentireforest.So,weneedtoidentifyservicesthat canrunwithlesserprivileges,anddowngradethoseprivilegesmethodicallywithjust therightamountofaccesstotheresourcesitneeds. Aserviceaccountcouldbeabuiltinsystemaccountoradomainuseraccount.During installationmostapplicationsgiveyouadefaultoptionofchoosingtheLocalSystem accountorNetworkServiceaccountasstartupaccounts.Forastandalonetestmachine thiswouldworkwell,butanenterpriseapplicationserverusingbuiltinsystem accountshasitsownsecurityimplications.Normally,applicationsrunondistributed environmentsandservertoservercommunicationisrequired.Whenservicesonthe serversrununderthesebuiltinsystemaccounts,implementingcertainrequired securityconfigurationcouldbeachallenge.
8.4.1.1
BuiltInSystemAccounts:
170
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
toresourcesandobjectsasmembersoftheUsersgroup.Thislimitedaccesshelps safeguardyoursystemifindividualservicesorprocessesarecompromised.Services thatrunastheLocalServiceaccountaccessnetworkresourcesasanullsessionwith nocredentials. NetworkServiceAccount TheNetworkServiceaccountisaspecial,builtinaccountthatissimilartoan authenticateduseraccount.TheNetworkServiceaccounthasthesamelevelof accesstoresourcesandobjectsasmembersoftheUsersgroup.Servicesthatrun astheNetworkServiceaccountaccessnetworkresourcesusingthecredentials ofthecomputeraccount. LocalSystemAccount TheLocalSystemaccountisapredefinedlocalaccountusedbytheservice controlmanager.Thisaccountisnotrecognizedbythesecuritysubsystem,so youcannotspecifyitsnameinacalltotheLookupAccountNamefunction.It hasextensiveprivilegesonthelocalcomputer,andactsasthecomputeronthe network.ItstokenincludestheNTAUTHORITY\SYSTEMand BUILTIN\AdministratorsSIDs;theseaccountshaveaccesstomostsystem objects.
8.4.2
ApplicationPools
WhenyourunIIS6.0inworkerprocessisolationmode,youcanseparatedifferentWeb applicationsandWebsitesintogroupsknownasapplicationpools.Anapplicationpool isagroupofoneormoreURLsthatareservedbyaworkerprocessorsetofworker processes.AnyWebdirectoryorvirtualdirectorycanbeassignedtoanapplication pool. Everyapplicationwithinanapplicationpoolsharesthesameworkerprocess.Because eachworkerprocessoperatesasaseparateinstanceoftheworkerprocessexecutable, w3wp.exe,theworkerprocessthatservicesoneapplicationpoolisseparatedfromthe workerprocessthatservicesanother.Eachseparateworkerprocessprovidesaprocess boundarysothatwhenanapplicationisassignedtooneapplicationpool,problemsin
171
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
otherapplicationpoolsdonotaffecttheapplication.Thisensuresthatifaworker processfails,itdoesnotaffecttheapplicationsrunninginotherapplicationpools.
8.4.2.1
IsolatingWebSitesandApplications
ToprovidecomprehensivesecurityforyourWebsitesandapplications,youmighthave toensurethattheWebsitesandapplicationsareprotectedfromotherWebsitesand applicationsthatarehostedonthesameserver.Byusingdifferentapplicationpoolsfor eachWebsiteandapplicationsinIISWebserveryoucanachieveisolationbetweens theapplicationandthussecurity. Forexample,anenterpriseorganizationmightplaceitshumanresourcesWebsiteand itsfinanceWebsiteonthesameWebserver,butindifferentapplicationpools. Likewise,anISPthathostsWebsitesandapplicationsforcompetingcompaniesmight runeachcompanysWebservicesonthesameserver,butindifferentapplicationpools. Usingdifferentapplicationpoolstoisolateapplicationshelpspreventonecustomer fromaccessing,changing,orusingconfidentialinformationfromanothercustomers site.
8.4.2.2
ApplicationPoolIdentity
Foreachapplicationpool,youcanspecifyanapplicationpoolidentity,whichisauser accountthatisassignedtoanapplicationpool.Afterspecifyingtheapplicationpool identity,youassignpermissions(suchasNTFSpermissionsorSQLdatabase permissions)foreachapplicationpoolidentity.Becauseindividualapplicationpoolscan usedifferentidentities,youcanselectivelygrantordenyresourceaccesstoan applicationpool.TheWebsitesandapplicationsrunninginanapplicationpoolhave thesameuserrightsandresourcepermissionsassignedtotheapplicationpoolidentity. Forexample,ifyouarerunningtwoWebapplicationsonthesameWebserver,each applicationhavingitsownSQLServerdatabaseandfileshare.Theapplicationpool identityunderwhichoneapplicationrunsshouldnothavepermissionsontheother applicationsdatabaseandfileshare,elsethiswouldcompromisesecurityoftheother system. FormoreinformationonisolatingWebsitesandapplicationspleaserefertothe followingMicrosoftWindowsServer2003MSDNarticle: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/60e3 8cf55ba94b30a4d40da5976b83f3.mspx?mfr=true
172
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
8.5 AppendixE
8.5.1 SANInformation
TheSANusedinthetestenvironmentconsistof15RAIDdiskseachhaving146GBofspace. TheSANsupportsdifferentRAIDlevelsincludingRAID0,RAID1,RAID5,RAID10and RAID50etc. InourtestenvironmentwehaveconfiguredSQLServerDBengineandSQLServerAnalysis servicesDataandLogdirectoriesonSAN. SANconsistsoftotal15physicaldisksasfollows a. b. c. d. e. f. g. h. i. j. k. l. m. n. o. PhysicalDisk1:0:0 PhysicalDisk1:0:1 PhysicalDisk1:0:2 PhysicalDisk1:0:3 PhysicalDisk1:0:4 PhysicalDisk1:0:5 PhysicalDisk1:0:6 PhysicalDisk1:0:7 PhysicalDisk1:0:8 PhysicalDisk1:0:9 PhysicalDisk1:0:10 PhysicalDisk1:0:11 PhysicalDisk1:0:12 PhysicalDisk1:0:13 PhysicalDisk1:0:14
173
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
b. c. d. e. f.
8.5.2
SANConfigurationforSQLServerDATADirectory
HerearethedetailedstepsforconfiguringSQLServerDATAdirectoryontheSAN.Wewill allocatethephysicaldisksforDatadirectoryasmentionedintheprevioussection. 1. FromDellclickOpen,thenclickManageApplications,andthennavigateto ServerAdministratorandclickServerAdministratortolaunchDellOpenManage ServerAdministratorpage. ClickStorageontheleftpaneandclickVirtualDiskstoviewallthevirtualDisks availableontheserver. ClickGoToCreateVirtualDiskWizardtoaddanewVirtualDisktotheserver. ClickGoToAdvancedWizardandselectRAID10andtypeSSDATAasanamefor theVirtualDisk. OntheselectphysicaldiskspageselectdesiredphysicaldisksselectPhysicalDisk 1:0:6toPhysicalDisk1:0:11. OntheSelecttheVirtualDiskAttributesforRAID10PagetypeSSDATAinthe Namefield. ClickFinishonthenextpagetofinishcreatingVirtualDiskontheserver.Your screenshouldlooksimilartothebelowscreen.
2. 3. 4. 5. 6. 7.
174
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
Figure130. VirtualDiskFinishPage 8. IfyouclickVirtualDiskslinkontheleftpanerightpaneshouldlistyournewly createdVirtualDisk. 9. ToinitializeyournewlycreatedvirtualdiskselectFastInitializefromtasksand clickExecute. 10. Inthenextpage,itmaygiveyouawarningsayingFastInitializedestroysalldataon thedisk.IgnorethewarningandclickFastInitializebuttontocompletethe initialization. 11. Yourfinalscreenshouldlooklikethefollowingimage.
175
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Figure131. AddingVirtualDisktotheServer 12. ToviewtheaddedvirtualdiskontheservergotoAdministrativeToolsandclick ComputerManagement. 13. InComputerManagement,clickDiskManagementintheleftpanetoviewthe newlyaddedVirtualDiskanditwillbeshownasunallocateddiskspace. 14. UsingInitializeandConvertDiskWizardcompletetheInitializationandConversion ofDisk. 15. RightclicktheunallocateddiskspaceandselectNewVolumetoallocateadrive lettertotheVirtualdiskandstartusingit.
176
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
8.6 AppendixF
8.6.1 Tempdb
Tempdbisasystemdatabasewhichisusedduringalotofactivitieslikecreating temporarytables,cursors,andindexes.InSQLServer2005,tempdbrequiresmoredisk spacethanearlierversionsofSQLServer. Foroptimalperformanceoftempdbyoumightwanttoconsider: Movingtempdbtoafasterdrive. SettherecoverymodeloftempdbtoSIMPLE.Thismodelautomaticallyreclaims logspacetokeepspacerequirementssmall. Settheinitialsizeoftempdbfilestoalargevaluebasedonthetypicalworkloadin yourenvironment.Thisavoidsfrequentgrowthofthetempdbfiles. Therearecaseswhenthereismoreworkloadandtempdbneedstogrow.Forsuch casesyouneedtosetthetempdbfilestogrowautomatically. Ensurethatthefilegrowthincrementissetreasonably.Averysmallvaluecould meanthattempdbmighthavetoconstantlykeepexpandingwhichisanexpensive process. Createmanytempdbfilestoreducecontention.Itsageneralpracticetocreate onefileforeachlogicalCPUontheserver.Ensurethateachtempdbfileisthe samesize,thisallowsforoptimalproportionalfillperformance. FormoredetailedinformationonOptimizingTempDBrefertothefollowingMSDNarticle: http://msdn2.microsoft.com/enus/library/ms175527.aspx
8.6.1.1
ToMoveTempDB
InSQLServer2005,itispossibletomovesystemdatabasesfromonelocationto another.Movingsystemdatabasesmaybeusefulinthefollowingsituations:
Failurerecovery.Forexample,thedatabaseisinSuspectmodeorhasshut downbecauseofahardwarefailure.
Plannedrelocation. Relocationforscheduleddiskmaintenance.
ThissectiondescribesthestepsinvolvedtomoveTempdbtoanewlocation. 1.
177
OpenSQLServerManagementStudio.
InstallingandConfiguringtheMicrosoftBusinessIntelligencePlatform
Example:
SELECT name AS DBFileName, physical_name AS CurrentLocation, state_desc AS CurrentState FROM sys.master_files WHERE database_id = DB_ID(Ntempdb);
Example:
ALTER DATABASE tempdb MODIFY FILE ( NAME = tempdev , FILENAME = E:\Tempdev.mdf ) ALTER DATABASE temodb MODIFY FILE ( NAME = templog , FILENAME = E:\Templog.ldf )
Example:
SELECT name AS DBFileName, physical_name AS CurrentLocation, state_desc AS CurrentState FROM sys.master_files WHERE database_id = DB_ID(Ntempdb);
178
2008Dell,Inc.Allrightsreserved.
AGuideforsecurityanddeploymentoptionsinadistributedDellPowerEdgemulticoreOpteronbasedserver environmentAppendix
8.6.1.2
1.
ToAddtempdbFilesandSetAutogrowth
OpenSQLServerManagementStudio. clicktempdbandclickProperties.
Toaddadditionalfilestotempdb:
2. InObjectExplorerexpandDatabases.ExpandSystemDatabases.Right 3. ClickFiles. 4. ClickAddtoaddanewfiletotempdb.Typeanameforeachfileyouadd. 5. Ensurethatthepathforthetempdbfilesissettothefolderwhereyouwantto placethem. 6. Foreachofthedatafilesensurethatinitialsizeissettothesamevalue. 7. Chooseanappropriateautogrowthoption. THISWHITEPAPERISFORINFORMATIONALPURPOSESONLY,ANDMAYCONTAIN TYPOGRAPHICALERRORSANDTECHNICALINACCURACIES.THECONTENTIS PROVIDEDASIS,WITHOUTEXPRESSORIMPLIEDWARRANTIESOFANYKIND. 2008DellInc. ReproductioninanymannerwhatsoeverwithoutthewrittenpermissionofDellInc.is strictlyforbidden. Trademarksusedinthistext:AMD,andOpteronareregisteredtrademarksofAMD Corporation;Microsoft,Windows,andWindowsServerareregisteredtrademarksof MicrosoftCorporation.
179