I recently patched a Data Warehouse farm (March 2015 CU + several security hotfixes) and users reported that their connections from PerformancePoint to PowerPivot workbooks quit working. Error messages indicated that the PerformancePoint Unattended Service Account were getting accessed denied.
There were no Failure Audits in the Security Event log. I validated kerberos settings such as SPNs for everything, web app authentication, AD delegations, etc. I couldn't find anything.
Involved MS and we found the issue within 45 minutes and reminded me of a Kerberos configuration I'd forgotten about.
PowerPivot Redirector
There's a PowerPivot redirector that lives on each server in the farm, or at least the configuration for one does. It has its own private web.config file that also has to be set to Negotiate from NTLM to get the PerformancePoint -> PowerPivot connection to work. According to timestamps the last time I'd updated the web.config was a couple years ago.
The web.config for the redirector lives in <14hive>\ISAPI\PowerPivot
There are two custom bindings that need to be updated to look like below:
<customBinding>
<binding name="RedirectorBinding">
<webMessageEncoding webContentTypeMapperType="Microsoft.AnalysisServices.SharePoint.Integration.Redirector.RawContentTypeMapper, Microsoft.AnalysisServices.SharePoint.Integration" />
<httpTransport manualAddressing="true" authenticationScheme="Negotiate" transferMode="Streamed" maxReceivedMessageSize="9223372036854775807"/>
</binding>
<binding name="RedirectorSecureBinding">
<webMessageEncoding webContentTypeMapperType="Microsoft.AnalysisServices.SharePoint.Integration.Redirector.RawContentTypeMapper, Microsoft.AnalysisServices.SharePoint.Integration" />
<httpsTransport manualAddressing="true" authenticationScheme="Negotiate" transferMode="Streamed" maxReceivedMessageSize="9223372036854775807"/>
</binding>
</customBinding>
By default this is set to NTLM.
After making the change on a server, perform an IISReset. Make this change on each server in the farm.
EDIT:
thought it would be good to include the file location.
EDIT2:
Given this is in the PowerPivot Redirector, I believe this was probably caused by the SQL Patches that were also applied. SQLServer 2012 SP2 and CU6 were also applied.
No comments:
Post a Comment