Question

I have been testing Master Data Services for a future project. A few days ago MDS stopped authenticating with clients without any known reason. I am using SQL Server 2012 BI edition.

In general, I can access the MDS page on the server using http://localhosts/mds; however, if I try to access http://servername/mds from either the server or a client, I get an error message:

ERR_INVALID_AUTH_CREDENTIALS on Chrome, or I am asked for credentials on IE. I cannot authenticate with my credentials.

Please advise

Solution

I have found the answer on the link below: Windows authentication failing in IIS 7.5

There are 2 providers for Windows Authentication (Negotiate and NTLM). When setting the Website Authentication to Windows Authentication, while Windows Authentication is highlighted, click on the Providers link on the right pane of IIS Manager and move NTLM to the top. By default Negotiate is on top, which is why you are getting an authentication prompt.

OTHER TIPS

If you need to continue to use Kerberos authentication rather than NTLM (say the MDS website is being accessed through WAP (Windows Application Proxy)), you will need to do the following in addition to the standard setup. This is assuming that the baseline setup has gone without a hitch.

  1. You will need to register the Service Principal Name in Active Directory. Say you have configured the MDS web site to run under MyDomain\MDSServiceAccount and the webserver is called MDS.mydomain.local; you will need to run the following command with an account that has the relevant Active Directory permissions:

     SETSPN -S HTTP/MDS.mydomain.local MyDomain\MDSServiceAccount

  2. In IIS Manager, using the "Configuration Editor", you will need to set useAppPoolCredentials to True. This option is located in system.webServer/security/authentication/windowsAuthentication. At what level in IIS you choose to do this is up to you, depending on what you are using the server for. The safest is at the lowest level, i.e. the web application, or /MDS in this example.

Depending on the size of your server estate there may be a delay before this configuration takes effect. To speed up this process, run the SETSPN command from the Web Server and run KLIST PURGE from the command line of the web server and client machines for good measure.
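
The steps above as one PowerShell session run elevated on the web server. This is an added example, not part of the original answer; the site name "Default Web Site" is an assumption, and the SPN, account and application names are the ones used in the answer.

```powershell
# Added example. $site is an assumption; the other values come from the answer.
Import-Module WebAdministration

$spn      = 'HTTP/MDS.mydomain.local'       # SPN for the web server's host name
$account  = 'MyDomain\MDSServiceAccount'    # identity the MDS app pool runs under
$site     = 'Default Web Site'              # assumption: IIS site hosting /MDS
$location = "$site/MDS"                     # lowest level: the web application
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$apphost  = 'MACHINE/WEBROOT/APPHOST'       # write to applicationHost.config

# 1. Show whether the SPN already exists and on which account. An SPN held by
#    a different account makes Kerberos fail, so review this before changing it.
setspn -Q $spn

# 2. Register the SPN on the service account. -S checks for duplicates first
#    and refuses to create one.
setspn -S $spn $account

# 3. List the SPNs now held by the service account to confirm the result.
setspn -L $account

# 4. Print the provider order for the application. Negotiate must be present
#    for Kerberos to be offered at all.
$providers = (Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$filter/providers" -Name '.').Collection
$providers | ForEach-Object { "Provider: $($_.value)" }

# 5. Make IIS decrypt Kerberos tickets with the app pool identity instead of
#    the machine account, scoped to the /MDS application only.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name 'useAppPoolCredentials' -Value $true

# 6. Read the setting back to confirm it was written.
$current = Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $filter -Name 'useAppPoolCredentials'
"useAppPoolCredentials = $($current.Value)"

# 7. Drop cached tickets so the next request fetches one for the new SPN.
#    Run this on the client machines as well.
klist purge
```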

Licensed under: CC-BY-SA with attribution