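Kerberos authentication issues in a multi-server environment (affects only the KPI web parts)
When you install AX2009 Role Centers and Enterprise Portal in a multi-server environment in which every server runs Windows Server 2008, you may run into authentication problems.
The basic requirement for a multi-server scenario to work is that the service accounts in use (for example, the Business Connector proxy account) must be configured for Kerberos authentication with service principal names (SPNs); otherwise the whole scenario will not work correctly.
However, even when Kerberos and the SPNs are configured correctly, you may still run into authentication problems if any of the following components run on a Windows Server 2008 server:
- Microsoft SQL Server 2005 or 2008 (including the Database Engine, Reporting Services and Analysis Services)
- Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services 3.0
When we first encountered the two problems described below, the setup was as follows: Enterprise Portal, SQL Reporting Services and SQL Analysis Services all ran on Windows Server 2008, each service on its own server. When a user browsed a Role Center page that contained SQL Server reports or Business Overview/KPI lists, and the page's data was returned from an Analysis Services database, the web parts that should have displayed the reports showed the following error: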
An error has occurred during report processing. (rsProcessingAborted) Get Online Help
Query execution failed for dataset ' <some dataset> '. (rsErrorExecutingCommand) Get Online Help
The connection either timed out or was lost.
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
An existing connection was forcibly closed by the remote host
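We also ran into a similar problem in a different setup: SQL Server Reporting Services and Analysis Services ran together on one server, and Enterprise Portal ran on a separate, remote server. When a user browsed a Role Center page that contained Business Overview/KPI lists, those web parts failed to run, while the web parts that display SQL reports worked normally.
In both cases we found similar errors in the Windows Application event log on the Enterprise Portal server or the SQL Reporting Services server: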
Source: Microsoft.Dynamics.Framework.Portal
Event ID: 1000
Task Category: None
Level: Error
Description:
An unexpected error has occurred.
The connection either timed out or was lost.
Microsoft.AnalysisServices.AdomdClient.AdomdConnectionException
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.EndRequest()
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.CreateSession(ListDictionary properties, Boolean sendNamespaceCompatibility)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.XmlaClientProvider.Microsoft.AnalysisServices.AdomdClient.AdomdConnection.IXmlaClientProviderEx.CreateSession(Boolean sendNamespaceCompatibility)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.ConnectToXMLA(Boolean createSession, Boolean isHTTP)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.Open()
at Microsoft.Dynamics.Framework.Portal.UI.WebControls.WebParts.BusinessOverviewWebPart.InitConnection()
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
System.IO.IOException
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.IO.BufferedStream.Read(Byte[] array, Int32 offset, Int32 count)
at Microsoft.AnalysisServices.AdomdClient.DimeRecord.ForceRead(Stream stream, Byte[] buffer, Int32 length)
at Microsoft.AnalysisServices.AdomdClient.DimeRecord.ReadHeader()
at Microsoft.AnalysisServices.AdomdClient.DimeReader.ReadRecord()
at Microsoft.AnalysisServices.AdomdClient.TcpStream.GetResponseDataType()
An existing connection was forcibly closed by the remote host
System.Net.Sockets.SocketException
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
In both cases we resolved the problem by installing the Windows Server 2008 hotfix KB 969083, "A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used", on the Enterprise Portal server, the SQL Reporting Services server and the Analysis Services server.
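The check below is an added example, not part of the original post: it reports, for each of the three server roles, whether hotfix KB969083 is installed and how many Application-log events match the error signature quoted above. The server names are hypothetical placeholders, and the script assumes you have administrative remote access to each server.

```powershell
# Hypothetical host names: substitute your Enterprise Portal, SSRS and SSAS servers.
$servers  = 'EP01', 'SSRS01', 'SSAS01'
$hotfixId = 'KB969083'   # hotfix named in the article

# Event signature taken from the Application log excerpt in the article.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft.Dynamics.Framework.Portal'
    Id           = 1000
}

$report = foreach ($server in $servers) {
    # A server that does not answer ICMP is reported as unreachable, not as "unpatched".
    $reachable = Test-Connection -ComputerName $server -Count 1 -Quiet
    $hotfix = $null
    $events = @()

    if ($reachable) {
        # Get-HotFix writes an error when the update is absent; suppress it and test for $null.
        $hotfix = Get-HotFix -Id $hotfixId -ComputerName $server -ErrorAction SilentlyContinue

        try {
            # Keep only the portal errors caused by the ADOMD (Analysis Services) connection.
            $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.Message -like '*AdomdConnectionException*' })
        } catch {
            # No matching events, or the provider is not registered on this server.
        }
    }

    # Get-WinEvent returns newest events first, so index 0 is the latest failure.
    $last = $null
    if ($events.Count -gt 0) { $last = $events[0].TimeCreated }

    New-Object PSObject -Property @{
        Server          = $server
        Reachable       = $reachable
        HotfixInstalled = [bool]$hotfix
        AdomdFailures   = $events.Count
        LastFailure     = $last
    }
}

$report | Format-Table Server, Reachable, HotfixInstalled, AdomdFailures, LastFailure -AutoSize
```

A server that shows `HotfixInstalled` as `False` alongside a non-zero `AdomdFailures` count matches the situation the article describes.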
Further reading:
The following blog post discusses Kerberos authentication problems on SQL Server Analysis Services servers in detail
Original article: