When planning a deployment of PerformancePoint Monitoring & Analytics (PPS M&A), an often overlooked component in the business solution is the ProClarity Analytics Server (PAS) application layer.  

PAS is sometimes not deployed by customers, and their analysts aren't trained in the effective use of these analytical tools. In my view, this is often a mistake.  Analytics has at least two constituencies--and all need to be considered when planning a successful BI deployment.

A sales specialist I have a great deal of respect for, Mac Hussey, once explained it this way...this isn't a direct quote but my interpretation of his ideas: PerformancePoint server M&A's native scorecards, analytic grids & views cover "Little a" (lightweight analytics), while PAS covers "Big A" (heavy analytics). 

Two A's...so what's the difference? "Little a" is flashy, cool and as easy to use as a web page--often requiring no training beyond a quick overview.  In most industrial and service industries, perhaps 85% of BI dashboard users are executives, managers and line of business users.  These users don't use analytics in their primary job function, but use analytics to support their "real" jobs. 

Even in the long-run, they may only want/need "Little a". If your organization fits this mold, it may seem that reaping the low-hanging fruit using "Little a" is really where all the value lies--and that's certainly true at first. Eventually, though, the "Little a" users want to know root causes, and analysts really need to dig and develop further insights.  That's when "Big A" is needed (ProClarity Analytics). 

"Little a" is certainly a "low hanging fruit picker" and brings in quick ROI in for any BI dashboard deployment.  Yet time spent deploying and training on "Big A" is where the game-changing ROI comes from over the mid/long-term. Currently this means deploying an additional application (PAS) and training end-users.  

Eventually I'm sure we'll see ProClarity Analytics fully integrated into PerformancePoint, and the "ProClarity" product brand will be just a fond memory. When that happens, every user will have access to both the "Big a" and "Little a", even if--as with Excel's features--they only know how to use the most common analytical capabilities offered by the product.  Until then, Microsoft BI practitioners who address the needs of users in the "here and now" will need to continue to pay close attention to the spectrum of user needs when planning BI deployments.

In a Microsoft BI environment, we very often want to grant data visibility permissions at the datebase level.  The most common way to accomplish this is to use Kerberos delegation. 

In Active Directory, delegation comes in two flavors: Constrained and Unconstrained. Constrained delegation provides an enhanced level of security for deployments where Kerberos delegation is used to pass end-user credentials to back-end services.

In an unconstrained delegation configuration, servers and service accounts are trusted to send Kerberos tickets to any service on any destination computer. This typically isn’t a problem, since administrators know what their service accounts are used for, and what software is installed on their servers.

However, using constrained delegation provides an additional level of security by restricting which back-end services on which destination server a computer account or service account may pass Kerberos tickets to. Constrained delegation satisfies the “principle of least privilege”, where even trusted principals are granted only the minimum permissions needed to get their job done.

Promoting delegation from unconstrained to constrained delegation is relatively simple. This additional level of security isn't without cost, however.  Following a constrained model will result in additional long-term administration (the addition of a new back-end web server or database will require additional Active Directory configuration). However, if the least privilege principle is the best practice in your company, constrained delegation is for you.

The following process goes through constrained configuration of a typical distributed Microsoft BI environment. This process assumes you’ve already configured an unconstrained Kerberos delegation environment. The following only covers the upgrade to constrained delegation.

In the following scenario, there are:

1. A single database server running SQL Server and Analysis Services (BI-DB).
2. An application server hosting PPS Monitoring Server, ProClarity Analytics Server and Reporting Services (BI-APP)
3. Finally there is a SharePoint server (BI-WEB).

Services on each server are run using the service accounts svc_bi_db, svc_bi_app, and svc_bi_web, respectively.

First the documentation. Don’t skip this step! The key to completing this process successfully is organization, because any mistake may cause integrated authentication to fail and the troubleshooting will be difficult and even more time consuming! You need to know what service accounts are running each service on every server, and use this information to make Active Directory configuration changes.

Documentation is a two-step process: document delegation trusts needed for each server, then the trusts needed for each service account. If you’ve already setup your basic Kerberos delegation using SetSPN or ADSIEdit, you should have this information handy.

The following are the trust requirements for our scenario:

With this information, we’re ready to make the Active Directory changes. These changes are mostly made in the Active Directory Users and Computers snap-in, however we’ll see that the named instance used for the OLAP server isn’t supported by this snap-in (I don't know whether this is a bug or the intended behavior, but you can read about it in Microsoft knowledge base article 936628). We'll work around this limitation by making the final configurations in the ADSIEdit snap-in.

First let’s take care of the machine account configurations:

1. Launch Active Directory Users and Computers.  Find the PPS server (BI-APP for us) in the list, double-click it.
2. Click on the delegation tab. 
3. Select the third option, Trust this computer for delegation to specified services only
4. Click the Use Kerberos Only radio button
   
5. Click the Add button
6. In the Add Services dialog, click the Users or Computers… button, then enter the service account used to run the database services on the database server (the second column in table #1). 
   
7. In the Add Services dialog, we need to select all the services in the third column of table #1 (MSSQLSvc/BI-DB:1433 and MSOLAPSvc.3/BI-DB:PROD in this example), then click OK.  Note that if your OLAP database is a named instance (as ours is), then only MSSQLSvc is available…this is because this snap-in doesn’t work for named OLAP instances.  We’ll get around this problem later using the ADSIEdit snap-in.
8. With MSSQLSvc added to the Delegation tab of the BI-APP machine account, press OK on this dialog to save the delegation settings.
   
9. Repeat the same sequence for the BI-WEB server, but this time in addition to adding services for the account svc_bi_db, also add services for the svc_bi_app account to allow delegation of security for HTTP services to that machine.  When you’re done, the computer account delegation tab for BI-WEB should look like this:
   
10. Repeat the same sequence for BI-APP’s service account (svc_bi_app) using the values in columns 2 & 3 of table #2, yielding the following configuration when complete:
    
11. Again, the same sequence for BI-WEB’s service account (svc_bi_web), yielding the following configuration:
    
12. If your OLAP database has no instance name (you're using the "default instance"), you’re done!  If not, you’re almost finished, except that the Active Directory Computers and Users snap-in doesn’t support the named instance of the OLAP database.  So, open the ADSIEdit snap-in (adsiedit.msc) instead.
13. Navigate within ADSIEdit to find the computer account for the APP server (BI-APP for us). 
14. Right-click on the computer, choose Properties.
15. In the Attribute Editor, locate the string msDS-AllowedToDelegateTo, and click the Edit button.
16. Add two values for the OLAP database used in your environment (MSOLAPSvc.3/BI-DB.terrafirma.kerr.cc:PROD and MSOLAPSvc.3/BI-DB:PROD for our example).  Note that the two are the same except one has the FQDN and the other has only the NetBIOS name of the server.  Both are required.  When finished, the string editor should look like this:
    
17. Click OK, on the string editor, then OK on the machine properties to save changes.  If you return to this editor in ADSIEdit, you can review and update these chnages.  However, beware that if you review changes in the Active Directory Users and Computers snap-in, you won't see these named instance entries.
18. Repeat this change for the web server as well (BI-WEB in this example)
19. Repeat this change for the user accounts used on the BI-WEB and BI-APP servers (svc_bi_web and svc_bi_app in this example).

OK, that’s all.  Now the environment is configured for constrained delegation.  From this point on, AD will still allow Kerberos delegation as before, except now it will carefully check not only that service accounts are running on the machine they should, but also that each service account is only passing tickets to servers/services that are pre-authorized.

Microsoft’s security focus over the last few years has brought many improvements in the overall level of security.  Along with this level of security also comes an increasing number of hoops to jump through to accomplish simple tasks.

Recently I found that it became impossible to install software from network shares onto Windows 64-bit servers.  Trying to do so resulted in the error message:

“Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”

Searching on the Internet, the most commonly suggested workaround I found was to uninstall the Internet Explorer Enhanced Security Configuration from the computer.  This actually does work, but really doesn't sound like a great solution to me. 

As it turns out, the solution is quite simple...but also a bit of a head scratcher.  You wouldn’t think accessing files on your LAN would be controlled by an Internet Explorer setting (well maybe you would, but I wouldn’t!).  Yet, changing IE settings is the easy way to solve this problem.

The solution is to add the LAN server where your install source share is to the Local Intranet zone in Internet Explorer.  I suppose adding to the Trusted Sites would probably work, but since a share location is in the intranet for most of us, I think that’s the more logical place to make this change.

Here’s how I solved it on a 64-bit Windows 2003 R2 server with SP2 and IE7:

1. In Internet explorer, select Tools/Options, then click on the Security tab
2. Select the Local Intranet icon, then press the Sites button
   
   
   
3. In the Add this website to the zone textbox, enter the name of the server in the form file://servername, then click the Add button
   
   
4. Click the Close button on the bottom of the dialog, then OK on the Internet Options dialog

With that change made, your server should now be able to run software from network locations.  No more need to copy them to a local file location first!