KB19580: How to set up Kerberos (Integrated) authentication for the MicroStrategy Intelligence Server on Microsoft Windows operating systems


Community Admin

• Strategy


This knowledge base article explains the steps that must be taken for users in a Microsoft Windows Active Directory environment to be able to use Kerberos (Integrated) authentication to authenticate against the MicroStrategy Intelligence Server.

Note: Some of the information mentioned in this knowledge base article applies to the Windows Active Directory configuration and the operating system configuration which may require domain administrator privileges. Users should contact their system administrators for assistance.
 
This article explains the steps that users in a Microsoft Windows Active Directory environment must take to use Kerberos (Integrated) authentication to authenticate against the Strategy Intelligence Server. There are two parts to this configuration:
 

  • User Account Configuration:
    All Active Directory domain user accounts that access the Strategy Intelligence Server must be allowed to be delegated. This means the option 'Account is sensitive and cannot be delegated' must be cleared.
  • Intelligence Server Configuration:
    The Strategy Intelligence Server account or machine must be trusted for delegation.
    • Running Strategy Intelligence Server using a domain user
      If Strategy Intelligence Server is run under a user account, the user must be created in the domain with the 'Account is trusted for delegation' authentication option. As part of this configuration, the following steps must be taken:
       
      • The user account under which the Intelligence Server is to be run should have the following Service Principal Name associated with the account: 'MSTRSVRSvc/MachineName:Port'. The Service Principal Name can be added using the 'setspn.exe' utility that is a part of the Microsoft Windows Server support tools. For example:

        >setspn.exe -L mstrsvr_acct
        Registered ServicePrincipalNames for CN=Strategy Server Account,CN=Users,DC=vmnet-esx-mstr,DC=net:

        >setspn.exe -A MSTRSVRSvc/KRB901W2K3-32:34952 mstrsvr_acct
        Registering ServicePrincipalNames for CN=Strategy Server Account,CN=Users,DC=vmnet-esx-mstr,DC=net
        MSTRSVRSvc/KRB901W2K3-32:34952
        Updated object

        >setspn.exe -L mstrsvr_acct
        Registered ServicePrincipalNames for CN=Strategy Server Account,CN=Users,DC=vmnet-esx-mstr,DC=net:
        MSTRSVRSvc/KRB901W2K3-32:34952

      • For the user account under which the Intelligence Server will run as a service, the option 'Trust this user for delegation to any service (Kerberos only)' should be selected in the Delegation tab.
        Note: For version 10.11, the option "Trust this user for delegation to specific services only" is supported. Please refer to KB440503: New in MicroStrategy 10.11: Kerberos Constrained Delegation.
      • The Intelligence Server should be run as an application by invoking the MSTRSvr2_64.exe file in the "Program Files\Strategy\Intelligence Server" folder, or as a service by providing the Active Directory user credentials in the service monitor.
    • Running Strategy Intelligence Server using the local system account
      If Strategy Intelligence Server is run under the local system account, the Strategy Intelligence Server host machine must be configured to be trusted for delegation. This can be configured on the domain controller by selecting the 'Trust computer for delegation' authentication option for the Strategy Intelligence Server host machine. As part of this configuration, the following steps must be taken:
       
      • The Intelligence Server should be run under the 'Local System' account on the Microsoft Windows machine.
      • On the Domain Controller the Service Principal name 'MSTRSVRSvc/MachineName:Port' should be added to the computer account as shown below:


        
        >setspn.exe -L KRB901W2K3-32 
        Registered ServicePrincipalNames for CN=KRB901W2K3-32,CN=Computers,DC=vmnet-esx-mstr,DC=net:
        
        >setspn.exe -A MSTRSVRSvc/KRB901W2K3-32:34952 KRB901W2K3-32 
        Registering ServicePrincipalNames for CN=KRB901W2K3-32,CN=Computers,DC=vmnet-esx-mstr,DC=net
        MSTRSVRSvc/KRB901W2K3-32:34952
        Updated object
        
        >setspn.exe -L KRB901W2K3-32 
        Registered ServicePrincipalNames for CN=KRB901W2K3-32,CN=Computers,DC=vmnet-esx-mstr,DC=net:
        MSTRSVRSvc/KRB901W2K3-32:34952



         
      • The computer account should have the option 'Trust this computer for delegation to any service (Kerberos only)' enabled.
        Note: For version 10.11, the option "Trust this user for delegation to specific services only" is supported. Please refer to KB440503: New in MicroStrategy 10.11: Kerberos Constrained Delegation.
  • Once the user accounts are configured and the Server is running, a user object must be created for the user that is to use Integrated Authentication to log into Strategy, and the Integrated Authentication ID must be added for the user.
  • By default, users that are logged into Strategy inherit permissions from the '3rd Party Users' group. Also, if the users are not in the Strategy metadata, the session is temporary only.
  • Users should ensure that the Project source used for logging in through Strategy Developer has the exact server name (lower case) as the one used for the service principal name.
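
A read-only check of the Active Directory settings configured in the steps above, as an added example that is not part of the original article or Strategy's own tooling. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the SPN and service account are the article's sample values, and `jdoe` is a hypothetical end-user account.

```powershell
# Read-only audit of the Active Directory settings described in this article.
# Requires the ActiveDirectory module (RSAT). "sample" = value from the article's
# setspn output; "assumed" = placeholder to replace.
Import-Module ActiveDirectory

$Spn            = 'MSTRSVRSvc/KRB901W2K3-32:34952'  # sample
$ServiceAccount = 'mstrsvr_acct'    # sample; use 'KRB901W2K3-32$' for Local System
$ClientUsers    = @('jdoe')         # assumed end-user logon names

# userAccountControl bits behind the check boxes named in the article
$TRUSTED_FOR_DELEGATION = 0x80000   # "Trust ... for delegation to any service (Kerberos only)"
$NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"

function Get-Account([string]$Sam) {
    $props = 'sAMAccountName', 'userAccountControl', 'msDS-AllowedToDelegateTo'
    Get-ADObject -Filter "sAMAccountName -eq '$Sam'" -Properties $props
}

# 1. The SPN must sit on exactly one object: the Intelligence Server account.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName)
if ($owners.Count -eq 0) {
    Write-Warning "SPN $Spn is not registered on any account"
} elseif ($owners.Count -gt 1) {
    Write-Warning "Duplicate SPN on: $($owners.sAMAccountName -join ', ')"
} elseif ($owners[0].sAMAccountName -ne $ServiceAccount) {
    Write-Warning "SPN is registered on $($owners[0].sAMAccountName), not $ServiceAccount"
}

# 2. The Intelligence Server account must be trusted for delegation.
$svc = Get-Account $ServiceAccount
if ($null -eq $svc) {
    Write-Warning "Account $ServiceAccount not found"
} elseif ($svc.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
    Write-Output "${ServiceAccount}: trusted for delegation to any service"
} elseif ($svc.'msDS-AllowedToDelegateTo') {
    Write-Output "${ServiceAccount}: delegation limited to $($svc.'msDS-AllowedToDelegateTo' -join ', ')"
} else {
    Write-Warning "$ServiceAccount is not trusted for delegation"
}

# 3. End-user accounts must not be flagged as sensitive.
foreach ($user in $ClientUsers) {
    $acct = Get-Account $user
    if ($null -eq $acct) {
        Write-Warning "User $user not found"
    } elseif ($acct.userAccountControl -band $NOT_DELEGATED) {
        Write-Warning "$user has 'Account is sensitive and cannot be delegated' set"
    }
}
```

The script only reads directory attributes, so it can be run with an ordinary domain account before and after the changes to confirm what was actually applied.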


Published: May 8, 2017
Last Updated: May 7, 2020