When viewing the Events by Severity widget in the Events > Data In Motion dashboard in the Risk Fabric console, no values are displayed. Instead, progress indicators for each value are displayed interminably. In addition, the Top Users with Very Unusual Incidents widget may also return no values and instead display the message "No User Information".
The Calculate Risk Scores step (19) of the nightly RiskFabric Processing job also fails and the following error message is logged in both the SQL Server Agent history log and in the RiskFabric relational database table dbo.Log_DataTransformation:
Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".
The following error messages are also logged in the Information Centric Analytics (ICA) server log:
[70:ERROR] LoggingExceptionFilterAttribute.OnException() https://<hostname>/api/WidgetAgingView/GetSectionData
System.AggregateException: One or more errors occurred. ---> System.Data.SqlClient.SqlException: Cannot initialize the data source object of OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".
[5:ERROR] DALException.SaveLog() Error: Cannot set the initialization properties for OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".
[5:ERROR] DALException.SaveLog() System.Data.SqlClient.SqlException (0x80131904)
NOTE: The server log file follows the naming convention w3wp_RiskFabric.<yyyyMMdd>.log and is located on the application (IIS) server in the following path: %ProgramData%\BayDynamics\Logs
Release: 6.x
Component: Microsoft SQL Server Analysis Services
These error messages indicate an authentication failure connecting to the RiskFabric OLAP cube through the RiskFabric_ASDB linked server. This can be due to insufficient or misconfigured permissions, use of the wrong authentication method, or corruption of the MSOLAP driver.
Communications between the Risk Fabric site hosted in Internet Information Services (IIS) and the RiskFabric OLAP cube hosted in SQL Server Analysis Services (SSAS) pass through the RiskFabric_ASDB linked server in the SQL Server (MSSQL) instance hosting the RiskFabric relational database. In an environment in which Kerberos authentication is used, the credentials of the RiskFabricAppPool identity account in IIS are used to query the cube.
In environments in which Kerberos has not been configured to enable the passing of authentication tickets between the servers hosting components of Information Centric Analytics (ICA), it is necessary to configure the RiskFabric_ASDB linked server to specify a security context identity for querying the cube. This failure will still occur, however, if the named security context identity of the RiskFabric_ASDB linked server is not a member of the Server Administrators role on the SSAS server, or has otherwise not been granted rights to query the cube.
NOTE: When implementing Kerberos Constrained Delegation (also referred to as Trusted Delegation) for a Group Managed Service Account (gMSA) under which component services will run (IIS, MSSQL, SSAS), Kerberos will be configured to enable the passing of authentication tickets between ICA's component servers; however, if the linked server's connection configuration remains set to specify a security context, authentication attempts will still fail.
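To see which of the two configurations described above the linked server is currently in, the following T-SQL reads its login mapping from the SQL Server catalog views and then tests the connection. It is an added example, not part of the original article or the ICA product; it assumes the linked server name RiskFabric_ASDB taken from the error message and a sysadmin session on the instance hosting the RiskFabric relational database.

```sql
-- Added diagnostic example; read-only except for the connection test in step 4.
-- Assumption: run as a sysadmin on the instance hosting the RiskFabric relational database.

-- 1. Confirm the linked server exists and points at the MSOLAP provider.
SELECT s.name, s.provider, s.data_source, s.[catalog]
FROM sys.servers AS s
WHERE s.is_linked = 1
  AND s.name = N'RiskFabric_ASDB';

-- 2. Show the security context each login mapping uses.
--    local_principal_id = 0 is the default mapping for logins without an explicit entry.
SELECT s.name AS linked_server,
       COALESCE(sp.name, N'(default for unmapped logins)') AS local_login,
       ll.uses_self_credential,
       ll.remote_name,
       CASE
           WHEN ll.uses_self_credential = 1
               THEN N'login''s current security context (relies on Kerberos ticket passing)'
           WHEN ll.remote_name IS NOT NULL
               THEN N'named security context (this account needs rights to query the cube)'
           ELSE N'no security context supplied'
       END AS connection_mode
FROM sys.linked_logins AS ll
JOIN sys.servers AS s
  ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS sp
  ON sp.principal_id = ll.local_principal_id
WHERE s.name = N'RiskFabric_ASDB';

-- 3. Check how the current session authenticated to SQL Server.
--    NTLM here means there is no Kerberos ticket to pass on to SSAS.
SELECT c.session_id, c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- 4. Attempt the connection. A failure reproduces the
--    "Cannot initialize the data source object" error shown above.
EXEC sp_testlinkedserver N'RiskFabric_ASDB';
```

Steps 3 and 4 reflect the account running the query, so a result obtained from an administrator's session does not by itself show what the RiskFabricAppPool identity or the SQL Server Agent job will experience.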
To resolve this condition, first follow the Permissions procedure below to ensure the service account has sufficient rights to query the cube. Next, determine whether authentication to the SSAS server should use Kerberos or a named security context and follow the relevant procedure for your environment. If you are uncertain as to whether Kerberos should be used, consult with your AD administrator and/or SQL Server DBA.
If this error persists after you have followed these procedures, download the MSOLAP driver from Microsoft's Analysis Services client libraries page and re-install the driver.
Follow this procedure to confirm the ICA service account has sufficient permissions to query the RiskFabric OLAP cube on the SSAS server:
RiskFabric OLAP cube
If your security policies prohibit assigning the ICA service account to the Administrators role in SSAS, follow this procedure to grant the account read-only access to the RiskFabric OLAP cube:
RiskFabric OLAP cube
To configure Kerberos for use with ICA, refer to the Passing Kerberos Credentials to the Symantec ICA Application Server and Microsoft SQL Server section of the Symantec ICA Administrator Guide. Service Principal Names (SPN) must be properly configured for the IIS, MSSQL, and SSAS services for Kerberos authentication to work.
NOTE: Although constrained delegation has been tested and certified for use with ICA, Broadcom does not provide support for the configuration and use of SPNs, constrained delegation, and Kerberos. As noted in the Configure the ICA Service Account to use Active Directory Trusted Delegation section of the Symantec ICA Administrator Guide:
Active Directory (AD) Trusted Delegation is not a requirement in all environments. AD Trusted Delegation is an optional security configuration that is supported by Microsoft, but not officially supported by Broadcom.
Broadcom provides the following documentation as a general guideline for your convenience.
If you have any configuration issues, you must work with your Active Directory administrator and/or Microsoft to troubleshoot and resolve those issues.
When implementing constrained delegation in an environment in which Kerberos was not previously configured for use with ICA, configure the RiskFabric_ASDB linked server to establish a connection to the SSAS server using the login's current security context by following this procedure:
RiskFabric relational database
If Kerberos authentication is not used, follow this procedure to set the security context identity used by the RiskFabric_ASDB linked server:
RiskFabric relational database
Symantec ICA Administrator Guide: Configure the ICA Service Account to use Active Directory Trusted Delegation