Configuring Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers
If you install Symantec Management Platform on a different server than the SQL Server Analysis and Reporting Services and the Authentication Type is set to Windows Integrated Authentication, users cannot access the reports to which you grant them access unless you configure Kerberos.
If Stored Credentials provides enough control over the reports, you can reconfigure the Reporting Services data sources to use Stored Credentials to access the Analysis Services cubes. Then, you do not need to configure Kerberos.
If you need the control that Windows Integrated Authentication provides over the information in the reports, you must configure Kerberos. Kerberos allows the user's credentials to pass from the Symantec Management Platform server to the SQL Server Analysis and Reporting Services server. Kerberos must be correctly configured on the following servers: Symantec Management Platform and the SQL Server Analysis and Reporting Services servers.
Kerberos authentication and its configuration are a function of Microsoft Active Directory. Although configuration and support of Kerberos authentication is beyond the support policies of Symantec, we provide the following as guidance to help in configuring Kerberos in your environment.
To configure Kerberos on the Symantec Management Platform and SQL Server Analysis Services and Reporting Services servers
From Active Directory, set the computer on which the Symantec Management Platform is hosted to Trust this computer for delegation to any server (Kerberos only).
If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you also need to set that account to be trusted for delegation. If the Application Pool is using the default value "ApplicationPoolIdentity", you may skip this step.
Add the following Service Principal Names to the Symantec Management Platform:
Setspn -S http/netbiosName netbiosName
For example, Setspn -S http/computer1 computer1
Setspn -S http/FullyQualifiedDomainName netbiosName
For example, Setspn -S http/computer1.domain.com computer1
If the Application Pool that Symantec Management Platform uses in IIS uses a domain account, you may need to set the Service Principal Names for that account instead of computer1.
Setspn -S http/computer1 domain\username
Setspn -S http/computer1.domain.com domain\username
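One way to check the result of the steps above, as an added example that is not part of the original Symantec procedure. It assumes the ActiveDirectory PowerShell module is installed, reuses the page's example names computer1 and computer1.domain.com, and introduces a hypothetical $AppPoolUser variable for the Application Pool domain account.

```powershell
# Added example (not Symantec's code). Requires the ActiveDirectory module (RSAT).
# Assumed values: computer1 / computer1.domain.com are the page's example names.
Import-Module ActiveDirectory

$NetbiosName = 'computer1'
$Fqdn        = 'computer1.domain.com'
# Hypothetical variable: sAMAccountName of the IIS Application Pool domain account,
# or $null when the pool runs as the default ApplicationPoolIdentity.
$AppPoolUser = $null

$computer = Get-ADComputer -Identity $NetbiosName -Properties TrustedForDelegation
$accounts = @($computer)
if ($AppPoolUser) {
    $accounts += Get-ADUser -Identity $AppPoolUser -Properties TrustedForDelegation
}
# The http SPNs belong on the pool account when one is used, otherwise on the computer.
$spnOwner = $accounts[-1]

# Each SPN should be registered on exactly one account. The report flags SPNs that
# are missing, duplicated, or held by a different account than the steps name.
$spnReport = foreach ($spn in "http/$NetbiosName", "http/$Fqdn") {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    if ($holders.Count -eq 0) {
        $status = 'Missing'
    } elseif ($holders.Count -gt 1) {
        $status = 'Duplicate'
    } elseif ($holders[0].DistinguishedName -ne $spnOwner.DistinguishedName) {
        $status = 'WrongAccount'
    } else {
        $status = 'OK'
    }
    [pscustomobject]@{
        Spn     = $spn
        Status  = $status
        Holders = $holders.sAMAccountName -join ', '
    }
}
$spnReport | Format-Table -AutoSize

# "Trust this computer for delegation to any server (Kerberos only)" is the
# TrustedForDelegation flag on the account.
$accounts | Select-Object SamAccountName, TrustedForDelegation | Format-Table -AutoSize

# Inventory of every account carrying that flag (userAccountControl bit 0x80000), so
# the change can be reviewed against what was intended. Domain controllers appear here.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
```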
For additional information on Setspn, see the Microsoft TechNet Web site at the following URL: