Kerberos authentication and delegation for Monitoring Server

Updated: 2009-04-09

The articles in this section outline the changes that are required to get PerformancePoint Monitoring Server working using delegation.

Delegation enables a Web application or service to use the caller’s identity to access remote network resources. Delegation operates based on Integrated Windows authentication and the Kerberos protocol. Scenarios that require the use of delegation are commonly referred to as double-hop scenarios. In the case of PerformancePoint Monitoring Server, this would include scenarios where Internet Information Services is located on a different computer from the target data source.

Configuring delegation for PerformancePoint Monitoring Server may require changes to the application pool identity user accounts, the service principal names (SPNs) registered in the Active Directory directory service, and the client and middle-tier servers. The articles explain the configuration options that apply to different environments, including constrained delegation.

Before you deploy Monitoring Server, you must ensure that your environment meets the following prerequisites:

  • All users must be part of the same Active Directory domain.

  • Active Directory must be configured at a Windows 2000 Native functional level or higher. For more information about domain functional levels, see Active Directory Functional Levels.


    If you choose to deploy constrained delegation, Active Directory must be configured at a Windows Server 2003 functional level.
