Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB"

Article ID: 189470

Updated On: 03-14-2025

Products

Information Centric Analytics

Issue/Introduction

When viewing the Events by Severity widget in the Events > Data In Motion dashboard in the Risk Fabric console, no values are displayed. Instead, progress indicators for each value are displayed interminably. In addition, the Top Users with Very Unusual Incidents widget may also return no values and instead display the message "No User Information".

The Calculate Risk Scores step (19) of the nightly RiskFabric Processing job also fails and the following error message is logged in both the SQL Server Agent history log and in the RiskFabric relational database table dbo.Log_DataTransformation:

Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".

The following error messages are also logged in the Information Centric Analytics (ICA) server log:

[70:ERROR] LoggingExceptionFilterAttribute.OnException() https://<hostname>/api/WidgetAgingView/GetSectionData
System.AggregateException: One or more errors occurred. ---> System.Data.SqlClient.SqlException: Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".

 

[5:ERROR] DALException.SaveLog() Error: Cannot set the initialization properties for OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".

 

[5:ERROR] DALException.SaveLog() System.Data.SqlClient.SqlException (0x80131904)

NOTE: The server log file follows the naming convention w3wp_RiskFabric.<yyyyMMdd>.log and is located on the application (IIS) server in the following path: %ProgramData%\BayDynamics\Logs

Environment

Release: 6.x

Component: Microsoft SQL Server Analysis Services

Cause

These error messages indicate an authentication failure connecting to the RiskFabric OLAP cube through the RiskFabric_ASDB linked server. This can be caused by insufficient or misconfigured permissions, use of the wrong authentication method, or corruption of the MSOLAP driver.

Communications between the Risk Fabric site hosted in Internet Information Services (IIS) and the RiskFabric OLAP cube hosted in SQL Server Analysis Services (SSAS) pass through the RiskFabric_ASDB linked server in the SQL Server (MSSQL) instance hosting the RiskFabric relational database. In an environment in which Kerberos authentication is used, the credentials of the RiskFabricAppPool identity account in IIS are used to query the cube.

In environments in which Kerberos has not been configured to enable the passing of authentication tickets between the servers hosting components of Information Centric Analytics (ICA), it is necessary to configure the RiskFabric_ASDB linked server to specify a security context identity for querying the cube. This failure will still occur, however, if the named security context identity of the RiskFabric_ASDB linked server is not a member of the Server Administrators role on the SSAS server, or has otherwise not been granted rights to query the cube.

NOTE: When implementing Kerberos Constrained Delegation (also referred to as Trusted Delegation) for a Group Managed Service Account (gMSA) under which component services will run (IIS, MSSQL, SSAS), Kerberos will be configured to enable the passing of authentication tickets between ICA's component servers; however, if the linked server's connection configuration remains set to specify a security context, authentication attempts will still fail.

Resolution

To resolve this condition, first follow the Permissions procedure below to ensure the service account has sufficient rights to query the cube. Next, determine whether authentication to the SSAS server should use Kerberos or a named security context and follow the relevant procedure for your environment. If you are uncertain as to whether Kerberos should be used, consult with your AD administrator and/or SQL Server DBA.

If this error persists after you have followed these procedures, download the MSOLAP driver from Microsoft's Analysis Services client libraries page and re-install the driver.

Permissions

Follow this procedure to confirm the ICA service account has sufficient permissions to query the RiskFabric OLAP cube on the SSAS server:

  1. Open SQL Server Management Studio (SSMS)
  2. Connect to the Analysis Services server hosting the RiskFabric OLAP cube
  3. In Object Explorer, right-click the server's hostname and select Properties
  4. In the Analysis Server Properties window, select the Security page
  5. If the ICA service account is not present in the list of Server Administrators, add the account using the Add... button
  6. Click the OK button to close the Analysis Server Properties window

If your security policies prohibit assigning the ICA service account to the Administrators role in SSAS, follow this procedure to grant the account read-only access to the RiskFabric OLAP cube:

  1. Open SSMS
  2. Connect to the Analysis Services server hosting the RiskFabric OLAP cube
  3. In Object Explorer, navigate to Databases > RiskFabric > Roles
  4. Right-click Roles and select New Role
    The Create Role window opens
  5. On the General page, enter a name and description and select the Read definition permission
  6. On the Membership page, use the Add... button to add the SQL Server Agent service account
  7. On the Cubes page, change the Access value to Read
  8. On the Cubes page, change the Local Cube/Drillthrough Access value to Drillthrough and Local Cube
    The Local Cube/Drillthrough Access dialog window opens
  9. Click the OK button in the Local Cube/Drillthrough Access dialog window to continue
  10. Click the OK button to save the role and close the Create Role window

Kerberos

To configure Kerberos for use with ICA, refer to the Passing Kerberos Credentials to the Symantec ICA Application Server and Microsoft SQL Server section of the Symantec ICA Administrator Guide. Service Principal Names (SPN) must be properly configured for the IIS, MSSQL, and SSAS services for Kerberos authentication to work.

NOTE: Although constrained delegation has been tested and certified for use with ICA, Broadcom does not provide support for the configuration and use of SPNs, constrained delegation, and Kerberos. As noted in the Configure the ICA Service Account to use Active Directory Trusted Delegation section of the Symantec ICA Administrator Guide:

Active Directory (AD) Trusted Delegation is not a requirement in all environments. AD Trusted Delegation is an optional security configuration that is supported by Microsoft, but not officially supported by Broadcom.

Broadcom provides the following documentation as a general guideline for your convenience.

If you have any configuration issues, you must work with your Active Directory administrator and/or Microsoft to troubleshoot and resolve those issues.

When implementing constrained delegation in an environment in which Kerberos was not previously configured for use with ICA, configure the RiskFabric_ASDB linked server to establish a connection to the SSAS server using the login's current security context by following this procedure:

  1. Open SSMS
  2. Connect to the Database Engine hosting the RiskFabric relational database
  3. In Object Explorer, navigate to Server Objects > Linked Servers
  4. Right-click the RiskFabric_ASDB linked server and select Properties
    The Linked Server Properties - RiskFabric_ASDB window will open
  5. Select the Security page
  6. Select the radio button next to the option Be made using the login's current security context
  7. Click the OK button to close the Linked Server Properties - RiskFabric_ASDB window

Named Security Context

If Kerberos authentication is not used, follow this procedure to set the security context identity used by the RiskFabric_ASDB linked server:

  1. Open SSMS
  2. Connect to the Database Engine hosting the RiskFabric relational database
  3. In Object Explorer, navigate to Server Objects > Linked Servers
  4. Right-click the linked server RiskFabric_ASDB and select Properties
    The Linked Server Properties - RiskFabric_ASDB window opens
  5. In the Linked Server Properties - RiskFabric_ASDB window, select the Security page
  6. Select the radio button Be made using this security context
  7. Enter the ICA service account credentials to connect to the SSAS server
  8. Click the OK button to close the Linked Server Properties - RiskFabric_ASDB window
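
The two linked server procedures above (Kerberos and Named Security Context) can also be audited and applied in T-SQL. The script below is an added example, not Broadcom's own; it uses standard SQL Server catalog views and system procedures, and the account name and password in step 2b are placeholders.

```sql
-- Added example. Run against the Database Engine hosting the RiskFabric
-- relational database, as a login allowed to alter linked servers.

-- 1. Inspect the current login mapping of the linked server.
--    uses_self_credential = 1 : "Be made using the login's current security context"
--    uses_self_credential = 0 with remote_name set : "Be made using this security context"
SELECT s.name       AS linked_server,
       s.provider,
       s.data_source,
       p.name       AS local_login,   -- NULL = default mapping for all logins
       ll.uses_self_credential,
       ll.remote_name,
       ll.modify_date
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
  ON p.principal_id = ll.local_principal_id
WHERE s.name = N'RiskFabric_ASDB';

-- 2a. Kerberos / constrained delegation: pass the caller's own credentials.
EXEC master.dbo.sp_addlinkedsrvlogin
     @rmtsrvname = N'RiskFabric_ASDB',
     @useself    = N'TRUE',
     @locallogin = NULL;

-- 2b. No Kerberos: named security context. Run 2a OR 2b, never both.
--     Replace both placeholder values before uncommenting.
-- EXEC master.dbo.sp_addlinkedsrvlogin
--      @rmtsrvname  = N'RiskFabric_ASDB',
--      @useself     = N'FALSE',
--      @locallogin  = NULL,
--      @rmtuser     = N'<DOMAIN\ica_service_account>',
--      @rmtpassword = N'<password>';

-- 3. Confirm the MSOLAP provider can initialize the connection.
--    The test runs under the mapping that applies to the current login and
--    raises an error on failure.
EXEC master.dbo.sp_testlinkedserver N'RiskFabric_ASDB';
```

With @locallogin = NULL the mapping is the default for every login that uses the linked server, so under option 2b all of them reach the cube as the named account; keep that account's SSAS rights as narrow as the Permissions section allows.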

Additional Information