KB319307: How to enable Kerberos (Integrated) authentication through MicroStrategy Web on IIS 7.5 and above in MicroStrategy 10.x and above


Community Admin • Strategy


This article provides step-by-step instructions for configuring Kerberos (Integrated) authentication on IIS 7.5 and above with MicroStrategy Web 10.x and above.

Enabling integrated authentication for IIS
Integrated authentication in Strategy requires communication between the Key Distribution Center (KDC), Internet Information Services (IIS) 7.5 and above, and the Strategy Intelligence Server. IIS must be configured by the system administrator of the machine to enable integrated authentication.
The following information presumes that Kerberos (Integrated) authentication is already set up for the Strategy Intelligence Server as documented in the following technical notes:
 
KB19580 - How to setup Kerberos (Integrated) authentication for the MicroStrategy Intelligence Server 9.x on Microsoft Windows operating systems
KB19110 - How to configure MicroStrategy Intelligence Server Universal 9.x for Kerberos (Integrated) authentication on Unix/Linux operating systems
What is Kerberos?
Kerberos is a computer network authentication protocol, which allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. It provides mutual authentication wherein both the user and the server verify each other's identity using 'Kerberos tickets.'
 
Creating the Active Directory service account
1. Create an Active Directory service user to run the IIS application pool for Strategy Web.
2. Assign a Service Principal Name (SPN) to the user account using the following command:
 


SETSPN -A HTTP/fully.qualified.domain.name user-logon-name
 
Note: If Strategy Web is accessed by machine name only, a second SPN must be assigned using the machine name (e.g. HTTP/machinename).
 
3. Verify the SPN is correctly set using the following command:
SETSPN -L user-logon-name
 
4. Enable delegation for the user account.
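The four steps above, scripted as an added example (not part of the KB) with the ActiveDirectory module; the account name, host name and the constrained-delegation remark are assumptions, not values from the article:

```powershell
# Added example (not from the KB): register the HTTP/ SPNs on the app pool
# account, verify them, and enable delegation. Assumed values: account
# 'svc-mstrweb', host 'web01.example.com' (short name 'web01').
Import-Module ActiveDirectory

$Account   = 'svc-mstrweb'
$Fqdn      = 'web01.example.com'
$ShortName = 'web01'

# setspn -S registers the SPN only if no other account already holds it. A duplicate
# HTTP/ SPN yields tickets encrypted with the wrong account's key (typically seen as
# KRB_AP_ERR_MODIFIED), so -S is safer than the -A form shown in the KB.
setspn -S "HTTP/$Fqdn" $Account
setspn -S "HTTP/$ShortName" $Account     # only when users browse by machine name

# Step 3: list what is registered and scan the domain for duplicate SPNs.
setspn -L $Account
setspn -X

function Test-HttpSpn {
    # Returns $true when the SPN is held by the account (read from AD, not from setspn output).
    param([string]$Identity, [string]$Spn)
    $u = Get-ADUser -Identity $Identity -Properties servicePrincipalName
    return [bool]($u.servicePrincipalName -contains $Spn)
}
Test-HttpSpn -Identity $Account -Spn "HTTP/$Fqdn"

# Step 4: trust the account for delegation so Web can forward the user's identity to
# the Intelligence Server. -TrustedForDelegation sets unconstrained delegation; where
# the Intelligence Server SPN is known, constraining delegation to that service alone
# is the lower-risk choice.
Set-ADAccountControl -Identity $Account -TrustedForDelegation $true
```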
 
Configuring IIS for Kerberos Integrated Authentication
The following set of steps must be taken to enable integrated authentication for Strategy Web on IIS 7.5 and above.
 
1. On the Strategy Web server machine, access IIS Manager.
2. Browse to Application Pools > StrategyWebPool and open Advanced Settings, either through a right-click or the Actions pane on the right-hand side.
3. Under Process Model > Identity, set the application pool identity to the user created in the previous section. Confirm and apply the changes.
4. Browse to the Strategy virtual application by expanding "Default Web Site" and clicking on "Strategy". Open Configuration Manager.
5. Under Section, select "system.webServer/security/authentication/windowsAuthentication" and set "UseAppPoolCredentials" to true. Select "Apply" and return to the Features view.
Note: For more information on UseAppPoolCredentials refer to the following link.
 
6. Again, select the Strategy application under Default Web Site and, on the feature panel, select "Authentication".
7. Enable/Disable the following:
- Anonymous Authentication: Disabled
- ASP.NET Impersonation: Enabled
- Basic/Forms authentication: Disabled
- Windows Authentication: Enabled
8. Restart IIS for the changes to take effect.
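Steps 2 to 8 above, scripted as an added example (not from the KB) with the WebAdministration module so the settings can be applied and read back consistently; the pool name, application path and service account are assumptions:

```powershell
# Added example (not from the KB): apply steps 2-8 of the IIS section with the
# WebAdministration module. Assumed names: pool 'StrategyWebPool', application
# 'Default Web Site/Strategy', service account 'EXAMPLE\svc-mstrweb'.
Import-Module WebAdministration

$Pool    = 'StrategyWebPool'
$AppPath = 'IIS:\Sites\Default Web Site\Strategy'
$Account = 'EXAMPLE\svc-mstrweb'
$Secret  = Read-Host -Prompt 'Service account password'   # never hard-code this

# Steps 2-3: run the pool as the domain account that owns the HTTP/ SPN (identityType 3 = SpecificUser).
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel `
    -Value @{ identityType = 3; userName = $Account; password = $Secret }

# Step 5: decrypt Kerberos tickets with the pool account's key rather than the machine account's.
Set-WebConfigurationProperty -PSPath $AppPath `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# Step 7: Windows auth on, anonymous and basic off, ASP.NET impersonation on, no Forms auth.
$Auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $AppPath -Filter "$Auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppPath -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppPath -Filter "$Auth/basicAuthentication"     -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppPath -Filter 'system.web/authentication' -Name mode -Value 'Windows'
Set-WebConfigurationProperty -PSPath $AppPath -Filter 'system.web/identity' -Name impersonate -Value $true

# Readback: a summary to review before the restart in step 8.
function Get-KerberosAuthState {
    param([string]$Path)
    $win = Get-WebConfiguration -PSPath $Path -Filter "$Auth/windowsAuthentication"
    [pscustomobject]@{
        WindowsEnabled        = $win.enabled
        UseAppPoolCredentials = $win.useAppPoolCredentials
        AnonymousEnabled      = (Get-WebConfiguration -PSPath $Path -Filter "$Auth/anonymousAuthentication").enabled
        PoolIdentity          = (Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel).userName
    }
}
Get-KerberosAuthState -Path $AppPath | Format-List

# Step 8
iisreset
```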
Enabling the allowtgtsessionkey registry key
To enable single sign-on to Strategy Web from a Microsoft Windows machine, a Windows registry setting must be modified on the machine hosting IIS. A value named 'AllowTgtSessionKey' of type DWORD must be created under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
Modification of the allowtgtsessionkey registry setting is required by Microsoft for Kerberos security to work. For information on the implications of modifying the setting and the steps to do so, refer to the following Microsoft documentation:
For Microsoft Windows 2003: http://support.microsoft.com/kb/837361
 
Configuring the krb5.ini file
 
Successful communication between Kerberos, IIS, and Strategy also requires the configuration of the krb5.ini file. This file is included with an installation of Strategy Web, and can be found in the directory "Program Files (x86)\Common Files\Strategy".

[libdefaults]
default_realm = <DOMAIN_REALM>
default_keytab_name = <path to keytab file>
forwardable = true
no_addresses = true

[realms]
<DOMAIN_REALM> = {
kdc = <IP address of KDC>:88
admin_server = <IP address of KDC admin>:749
}

[domain_realm]
.domain_realm = DOMAIN_REALM

The user must edit the above file to reflect the appropriate information from their own environment. The meanings of the user-configurable properties are explained below:
 
DOMAIN REALM: The realm used for authentication purposes. This is the realm where the computers and users reside. A domain realm is commonly of the form example.com.
 
Note: The capitalization of DOMAIN_REALM must match the capitalization used in the syntax for krb5.ini listed above. For example, if DOMAIN_REALM is in uppercase, you must include your domain realm in uppercase.
 
path to keytab file: Not required. The directory path to the keytab file. Keytab files are part of a Kerberos security system and should be stored in a secure location. This parameter is optional and may be omitted.
IP address of KDC: The IP address of the Windows machine that hosts your Active Directory domain controller. This can be the same IP address as <IP address of KDC admin>. Note: the port number may not need to be specified for the KDC parameter.
IP address of KDC admin: The IP address of the Windows machine that hosts your Active Directory domain controller admin server. This can be the same IP address as <IP address of KDC>.
 
In addition to the krb5.ini file, a jaas.conf file must be created and stored in the "Program Files (x86)\Common Files\Strategy" folder. The file should contain the following text:

/**
 * Login Configuration for JAAS.
 */

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true debug=false;
};

If not already set, the locations of the jaas.conf and krb5.ini files should be added to the registry under the key 'HKEY_LOCAL_MACHINE\SOFTWARE\MicroStrategy\JNI Bridge\Configuration\JVM Options'. The value name is 'WebOptions' and it is of type REG_SZ. This value should be set to:
-Djava.security.auth.login.config=%MSTR_CLASSPATH%\jaas.conf;-Djava.security.krb5.conf=%MSTR_CLASSPATH%\krb5.ini
 
On Microsoft Windows x64 machines the registry key is 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MicroStrategy\JNI Bridge 64\Configuration\JVM Options'; the value name and value are the same.
 
 
 
After completing these steps, restart IIS.
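A worked version of the krb5.ini, jaas.conf and registry steps in this section and the allowtgtsessionkey section, as an added example that is not part of the KB; the realm EXAMPLE.COM, DNS domain example.com and KDC address 10.0.0.10 are constructed values, and the DWORD value 1 comes from the Microsoft article cited above, not from this KB:

```powershell
# Added example (not from the KB): generate krb5.ini and jaas.conf with constructed
# values and register them with the JNI Bridge, then set AllowTgtSessionKey.
# Assumed: realm EXAMPLE.COM, DNS domain example.com, domain controller 10.0.0.10.
$ConfDir = 'C:\Program Files (x86)\Common Files\Strategy'
$Realm   = 'EXAMPLE.COM'   # Kerberos realm: uppercase, spelled identically everywhere
$Domain  = 'example.com'   # DNS domain the hosts live in, lowercase
$Kdc     = '10.0.0.10'
# [domain_realm] maps the DNS domain (leading dot = every host in it) to the realm;
# a case mismatch between these lines and [realms] is a common cause of failed ticket lookups.
$Krb5 = @"
[libdefaults]
default_realm = $Realm
forwardable = true
no_addresses = true

[realms]
$Realm = {
kdc = ${Kdc}:88
admin_server = ${Kdc}:749
}

[domain_realm]
.$Domain = $Realm
$Domain = $Realm
"@
$Jaas = @'
/** Login Configuration for JAAS. */
com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true debug=false;
};
'@

Set-Content -Path (Join-Path $ConfDir 'krb5.ini')  -Value $Krb5 -Encoding Ascii
Set-Content -Path (Join-Path $ConfDir 'jaas.conf') -Value $Jaas -Encoding Ascii

# WebOptions (REG_SZ) under the 32-bit and 64-bit JNI Bridge keys named in the KB.
$WebOptions = '-Djava.security.auth.login.config=%MSTR_CLASSPATH%\jaas.conf;' +
              '-Djava.security.krb5.conf=%MSTR_CLASSPATH%\krb5.ini'
foreach ($Key in 'HKLM:\SOFTWARE\MicroStrategy\JNI Bridge\Configuration\JVM Options',
                 'HKLM:\SOFTWARE\Wow6432Node\MicroStrategy\JNI Bridge 64\Configuration\JVM Options') {
    if (Test-Path $Key) { Set-ItemProperty -Path $Key -Name WebOptions -Value $WebOptions -Type String }
}

# AllowTgtSessionKey = 1 (DWORD): per Microsoft KB 837361 this lets the JVM read the
# TGT session key from the LSA ticket cache, which the Java GSS login needs for SSO.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $Lsa)) { New-Item -Path $Lsa -Force | Out-Null }
Set-ItemProperty -Path $Lsa -Name AllowTgtSessionKey -Value 1 -Type DWord
```

Restart IIS after running it, as the section above requires.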
 
Third Party Software Installation WARNING
 
The third-party product(s) discussed in this technical note are manufactured by vendors independent of Strategy. Strategy makes no warranty, express, implied or otherwise, regarding these products, including their performance or reliability.
 
 
Knowledge Article
Published: June 7, 2017
Last Updated: October 25, 2018