SSAS with Kerberos delegation gets connection timeout error

Question

I have a situation where clients connecting to my webservice(that exists on another server) must access SQL Server databases and SSAS servers.

It must use the credentials of the client that is calling the service when accessing the SQL Servers and SSAS cubes.

For this to work I do

var winId = HttpContext.Current.User.Identity as WindowsIdentity; var ctx = winId.Impersonate(); //Access Database/SSAS ctx.Undo();

in my service which works fine when accessing SQL Server databases.

However when I access the SSAS servers I get "The connection either timed out or was lost"

There are a number of posts like http://denglishbi.wordpress.com/2009/03/31/windows-server-2008-kerberos-bug-%E2%80%93-transport-connection-issues-with-ssas-data/ http://sqlblogcasts.com/blogs/drjohn/archive/2009/03/28/kerberos-kills-large-mdx-queries-on-windows-server-2008-ssas.aspx

on this but I am using Windows Server 2008 R2 where my service lives so this should not be a problem as this bug should have been fixed by Microsoft.

Any information as to how to best diagnose this problem would be appreciated.

To clarify the SSAS servers do have SPNs. This was actually working at one point but has now stopped. Appears no sign of duplicate SPNs or anything.

What is interesting is it works intermittently on one SSAS server but seems to work all the time for the other. They both have named SPNs as mentioned by this document

https://support.pyramidanalytics.com/entries/22056243-Configuring-Kerberos-Delegation-for-Named-Instances-of-SSAS-with-Active-Directory-and-additional-pro

Answer 1

My production environment is a load-balanced (and under heavy load) on a very large corporate Active Directory network. The following took a lot of testing to finally nail down settings that work.

• I also run on Windows 2008 Server R2
• My web services are in ASP.NET in IIS. For authentication I enabled "Windows Auth" and "ASP.NET Impersonation". Kernel mode is disabled and provider is "Negotiate:Kerboros"
• SPNS and Trusted Delegation are setup for an AD account. My AD account looks like sys_myservice (sys_ is just a naming convention at my company)
• The Application Pool identity is set to use the sys_myservice
• After you make all these changes in your dev env, restart the entire server. For some odd reason this is always necessary when we bring on new servers and configure them.

With this setup my web services access SSAS, SQL Server, and more that use Windows Kerboros auth and all queries are performed correctly under the user's credentials.

The difference in my setup from yours is ASP.NET Impersonation is enabled at the IIS level. I had trouble doing the impersonation in code which is what you are trying to do. If you get code-level impersonation to work with your workflow I would be really interested in seeing you post an update.

Forgot to mention. My services are in a MVC application, I apply a global filter to all Action methods to force the application to authenticate all connections.

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }

and in my web.config system.web section

<authentication mode="Windows" />
<identity impersonate="true" />

Answer 2

I agree that the intermittently 'successful' SSAS instance is suspicious. I wonder if it's really using Kerberos all the time. Could be using a combination of negotiate/NTLM and Kerberos, with one auth method actually working and the other approaching failing. Might be worth another look at the SPN. This link might help: http://msdn.microsoft.com/en-us/library/dn194200.aspx

Answer 3

Did you try using Wireshark or any other Network Analysis tools to see anything red happening at that point of failure? Probably its better if you provide more troubleshooting observations from your end.

Also, does your web services has a Load balancer?

Regards, Sasi.