TheGeezer2010

Sharepoint 2010 Performance Point - advice on deploying Secure Store Service

I am in the process of deploying Performance Point but hesitating now after reading this

Microsoft advise :-

Create the secure store database on a separate application server running SQL Server. Do not use the same SQL Server installation that contains content databases

Does this REALLY mean I have to find a separate middleware server, deploy this service and run a separate SQL server with just this database on it? Has anyone deployed this service successfully on a WFE on a simple farm configuration?

Also, they recommend using Kerberos authentication to authenticate individual accounts, but my understanding is that if I have Sites which are not on the default ports (80 and 443), the CRAWL service will fail - it will only work on non-default ports using NTLM ? Seems to be a CATCH 22 !!!

I am proposing to set this service up on the WFE in common with all other services (it is a fairly meaty 16GB box), and either :-

1. Create the database within the current SQL instance (which also contains the content and config databases)
2. Create a new SQL instance and create this database for the Secure Store ONLY on the new instance.

All recommendations welcomed !!

ASKER CERTIFIED SOLUTION
Justin Smith
TheGeezer2010

ASKER

Hi Ach1lles

http://technet.microsoft.com/en-us/library/ee806889.aspx

Thanks for your reply - I will go ahead and deploy on the WFE using same SQL then. Looks like I am a one-man supply of your points these days :-)
My understanding of the CRAWL is that it will only crawl a web successfully if it is hosted on either 80 or 443 when Kerberos authentication is used. This link explains this :-

http://technet.microsoft.com/en-us/library/ee806870.aspx

Known issues
SharePoint Server 2010 can crawl Web applications configured to use Kerberos authentication if those Web applications are hosted on IIS virtual servers that are bound to default ports (TCP port 80 and Secure Sockets Layer (SSL) port 443). However, SharePoint Server 2010 Search cannot crawl SharePoint Server 2010 Web applications that are configured to use Kerberos authentication if the Web applications are hosted on IIS virtual servers that are bound to non-default ports (ports other than TCP port 80 and SSL port 443). Currently, SharePoint Server 2010 Search can only crawl SharePoint Server 2010 Web applications hosted on IIS virtual servers bound to non-default ports that are configured to use either NTLM authentication or Basic authentication.

In view of this, one question please Ach1lles - which authentication method did you use when using NTLM - the single account or the individually mapped accounts ?

Any other tips for configuring this to work with Performance Point Services ?

Thanks
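
An audit for the known issue quoted above, as an added example that is not part of the original thread: it lists every web application zone in the farm and flags those that use Kerberos on a non-default port, which the SharePoint Server 2010 crawler cannot reach. It assumes classic-mode Windows authentication, a farm administrator running it on a SharePoint 2010 server, and the `IisSettings`, `ServerBindings`, `SecureBindings` and `DisableKerberos` members of the server object model.

```powershell
# Added example: audit zones against the "Kerberos + non-default port" crawl limitation.
# Assumption: classic-mode Windows authentication (claims-mode zones are not evaluated here).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$defaultPorts = 80, 443   # the only ports the crawler supports with Kerberos

$report = foreach ($wa in Get-SPWebApplication) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]

        # Collect the ports of the HTTP and SSL bindings of this zone's IIS site.
        $ports = @(@($iis.ServerBindings) + @($iis.SecureBindings) |
                   Where-Object { $_ } |
                   ForEach-Object { $_.Port })
        $nonDefault = @($ports | Where-Object { $defaultPorts -notcontains $_ })

        # DisableKerberos = $true means the zone is set to NTLM, not Negotiate (Kerberos).
        $kerberos = -not $iis.DisableKerberos

        New-Object PSObject -Property @{
            WebApplication = $wa.DisplayName
            Zone           = $zone
            Url            = $wa.GetResponseUri($zone).AbsoluteUri
            Ports          = ($ports -join ',')
            Kerberos       = $kerberos
            # Crawl fails only when both conditions hold.
            CrawlBlocked   = ($kerberos -and $nonDefault.Count -gt 0)
        }
    }
}

$report | Sort-Object CrawlBlocked -Descending |
    Format-Table WebApplication, Zone, Url, Ports, Kerberos, CrawlBlocked -AutoSize
```

Zones reported with `CrawlBlocked` set to `True` need either a binding on port 80 or 443 or a separate NTLM zone for the crawl account.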


Hmm...didn't know that.

I don't understand your question "which authentication method did you use when using NTLM - the single account or the individually mapped accounts".

Hi Ach1lles

Read that there were three methods of authenticating users :-

1. Kerberos via AD account
2. Single account used by all users
3. Individual accounts authenticated by alternative means

Basically, if you don't use Kerberos you are stuck with 2 or 3.

I have created a domain account which will be used to retrieve data for Performance Point, and which is stored in the encrypted database which hosts the Secure Store service. I presume therefore that this constitutes option 2 ?
Sometimes advice and reassurance that even though you are not strictly adhering to the guidelines of Microsoft, that in practice the solution you are about to implement will actually work fine anyway. Ach1lles provided exactly this here.