Reporting Services Service Account
In a distributed environment where components are installed on more than one server or if host headers are used, Kerberos security must be configured. One of the components of Kerberos is the Service Principal Name (SPN). Whenever user credentials must be passed from one system to another, the system that is attempting to pass the credentials must be trusted for delegation. For this step to take place successfully, Kerberos delegation must be configured.
 |
Configuring SPNs is an advanced task and should only be performed by an appropriately trained professional. The steps and configurations given in this help file are to be used as a guide - your system may require additional configuration due to different hardware and software compatibilities. |
Set SPNs
In order to access the K2 Reports from the K2 Workspace, you need to set the SPNs for the Reporting Services Service Account.
The following placeholders are used in the commands:
- domain\Reporting Services Service Account - The Reporting Services Service Account that runs the Reporting Services application pool
- MachineName - The name of the computer on which Reporting Services is running
- MachineName.FQDN - The fully qualified domain name of the computer on which Reporting Services is running
|
Be sure to set all the SPNs as listed below. Also, the service account is required so be sure to specify the account properly. |
 |
If you are using Host Headers to access your Reporting Services Service, use the HostHeader value instead of the MachineName in the below commands. An SPN for each Host Header will need to be created. |
Open a command prompt on a server that has the Windows Support Tools installed, and execute the following commands:
- setspn -A HTTP/MachineName domain\Reporting Services Service Account
- setspn -A HTTP/MachineName.FQDN domain\Reporting Services Service Account
After the commands have successfully executed, you can verify the SPNs were set by executing the following command:
- setspn -L domain\Reporting Services Service Account
Configure Delegation for Reporting Services Service Account
After the SPN has been set, a new Delegation tab is available in Active Directory Users and Computers for the Service Account. By default, the option selected is the Do not trust this user for delegation. You need to set the account to be trusted for delegation, by following the below steps:
|
If you are running your Active Directory domain in Windows 2000 native mode, the Delegation tab will not be present. Instead, on the Account tab, you will see a Trust this user for delegation check box. |
 |
Open Active Directory Users and Computers (Start > All Programs > Administrative Tools > Active Directory Users and Computers) |
 |
Find the domain\Reporting Services Service Account and view its properties |
 |
On the Delegation tab, select the Trust this user for delegation to specified services only option |
 |
Select the Use Kerberos only option, and click on Add |
 |
Click on Users or Computers and select the domain\K2 Service Account you created as the K2 Server Service Account |
 |
In the Available Services section, select the K2HostServer item listed: |
 |
Click OK. Your properties should resemble the following: |
 |
Click OK |
Configure Delegation for the K2 Service Account
In order to use the SQL Server Reporting Services Service Object to schedule Reporting Services reports and include SmartObject data, you will need to configure the K2 Service Account with delegation.
|
If you are running your Active Directory domain in Windows 2000 native mode, the Delegation tab will not be present. Instead, on the Account tab, you will see a Trust this user for delegation check box. |
|
Open Active Directory Users and Computers (Start > All Programs > Administrative Tools > Active Directory Users and Computers) |
|
Find the domain\K2 Service Account and view its properties |
|
On the Delegation tab, select the Trust this user for delegation to specified services only option |
|
Select the Use Kerberos only option, and click on Add |
|
Click on Users or Computers and select the domain\Reporting Services Service Account you created as the SQL Server Reporting Services Service Account |
|
In the Available Services section, select the HTTP item listed |
|
Click OK twice to exit the dialog windows |
|
While infrastructure changes are required by K2, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes. |
