none
AS2008 + Kerberos = Can't Deploy, can process? RRS feed

  • Question

  •  

    Hi Guys,

     

    Here's what we're looking at:

     

    Servers

    -----------------------------------------------------

    DW-DEV - SQL Server 2008 EE

    SP-DEV - MOSS 2007 SP2

     

    We've got Kerberos setup (and working) between SP-DEV and DW-DEV for Reporting Services, Excel Services, etc.  This is working correctly after quite a bit of work.  Despite that, we can no longer deploy AS databases from our development PC's running VSTS 2008.

     

    It doesn't matter if the target AS database already exists or not, you get:  "The connection either timed out or was lost."  with no additional detail to speak of.  If we load the solution on DW-DEV itself (VSTS 2008), we can deploy and process fine.  We are also able to process cubes from our development PC's.

     

    Any ideas?

     

    Cheers!

    Sunday, December 7, 2008 11:38 PM

All replies

  • Hi,

     

    Honestly to say it's difficult to guess, what can be wrong with your configuration.

     

    Here are some general helpful links, maybe looking through them you may come up with solution.

    Troubleshooting Analysis Services 2005 connectivity problems

    Kerberos Authentication and Delegation in Analysis Services 2005

    How to configure SQL Server 2005 Analysis Services to use Kerberos authentication

     

    There should not be any significant changes in 2005\2008 configuration, so information for v. 2005 is still appliable.

     

    Regards,

    Olga

    Tuesday, December 9, 2008 7:08 AM
    Answerer
  • I'm having exactly the same problem.  SSAS on Windows 2008, BIDS on Windows Vista.  Windows firewall disabled. SQL SP1 applied to both server and client machines.  Kerberos delegation configured (and tested through performancepoint/sharepoint, and working fine). Have the same "Connection either timed out or was lost" when trying to deploy from the Vista BIDS to W2K SSAS.

    Also we're having the same problems described here: http://denglishbi.spaces.live.com/Blog/cns!CD3E77E793DF6178!1214.entry?wa=wsignin1.0&sa=95492105 that deals with a bug between client and server that both use vista kernel.

    This "feels" like it might be related.  I'm going to try to introduce an XP client with BIDS into the mix and see if it has the same problem...will keep posted, if you resolve please post also.

    Thanks dronezer,
    Rob
    Thursday, April 16, 2009 2:18 AM
  • Update:

    • I installed SQL 2008 BIDS on an XP machine, opened the same project with the same deployment server settings, and it worked perfectly. 
    • I can deploy from the Vista machine--if I enter the ipv4 address of the target SSAS server.  However using the server name or fqdn of the server results in the "unable to connect" error.
      --in the SSAS server's security log, I can see that my IP connections use NTLM, while the name/fqdn connections use kerberos (both logins succeed)
      --Setting the kerbrtos LogLevel flag in the registry generates "0x1b Unknown Error" events with Kerberos as the source corresponding to failed deployment attempts.
    • Curiously, the connections that fail to deploy will correctly warn that the database to be deployed exists, so a connection evidently is being made (not a firewall issue)
    I included some additional summary and work-around info here: http://www.robkerr.com/post/2009/04/SSAS-2008-Deployment-The-connection-either-timed-out-or-was-lost.aspx


    Rob Kerr (BlueGranite)
    Thursday, April 16, 2009 6:14 AM
  • Hi,

    this is a known issue with Kerberos on Windows 2008 and Vista.
    It is discribed here:
    Updated Errors may occur after configuring Analysis Services to use Kerberos authentication on Advanced Encryption Standard Aware Operating Systems
    http://blogs.msdn.com/psssql/archive/2009/04/03/errors-may-occur-after-configuring-analysis-services-to-use-kerberos-authentication-on-advanced-encryption-standard-aware-operating-systems.aspx

    Here you can find a couple of workarounds that you can use untill the fix comes out.

    Regards,
    Orsi
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, April 16, 2009 6:58 AM
    Answerer
  • Thanks for confirmation and for the link, Orsi!
    Thursday, April 16, 2009 7:19 AM
  • Using the IP address as opposed to the server name also seems to get rid of the issues.

    Thursday, April 16, 2009 4:50 PM
  • Yes & no....it forces authentication back to NTLM instead of kerberos.  If you don't need delegation (2 hops, for example web parts in a sharepoint site), then it helps.  However delegation won't succeed, so it's only a temp work-around.
    Thursday, April 16, 2009 4:53 PM