In environments in which Kerberos has not been configured to enable the passing of authentication tickets between the servers hosting components of Information Centric Analytics (ICA), it is necessary to configure the RiskFabric_ASDB linked server on the SQL Server (MSSQL) relational database host to specify a security context identity for querying the RiskFabric OLAP cube hosted on the SQL Server Analysis Services (SSAS) server.
When implementing Kerberos Constrained Delegation (also referred to as Trusted Delegation) for a Group Managed Service Account (gMSA) under which component services will run (for example, Internet Information Services (IIS), SQL Server (MSSQL), SSAS), Kerberos will be configured to enable the passing of authentication tickets between ICA's component servers. If the linked server's connection configuration remains set to specify a security context, authentication attempts will fail and log the following error:
[5:ERROR] DALException.SaveLog() Error: Cannot set the initialization properties for OLE DB provider "MSOLAP" for linked server "RiskFabric_ASDB".
[5:ERROR] DALException.SaveLog() System.Data.SqlClient.SqlException (0x80131904)
Version : 6.x
To configure Kerberos for use with ICA, refer to the Passing Kerberos Credentials to the Symantec ICA Application Server and Microsoft SQL Server section of the Symantec ICA Administrator Guide. Service Principal Names (SPN) must be properly configured for the IIS, MSSQL, and SSAS services for Kerberos authentication to work.
NOTE: Although constrained delegation has been tested and certified for use with ICA, Broadcom does not provide support for the configuration and use of SPNs, constrained delegation, and Kerberos. As noted in the Configure the ICA Service Account to use Active Directory Trusted Delegation section of the Symantec ICA Administrator Guide:
Active Directory (AD) Trusted Delegation is not a requirement in all environments. AD Trusted Delegation is an optional security configuration that is supported by Microsoft, but not officially supported by Broadcom.
Broadcom provides the following documentation as a general guideline for your convenience.
If you have any configuration issues, you must work with your Active Directory administrator and/or Microsoft to troubleshoot and resolve those issues.
When implementing constrained delegation in an environment in which Kerberos was not previously configured for use with ICA, configure the RiskFabric_ASDB linked server to establish a connection to the SSAS server using the login's current security context by following this procedure:
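One way to make and verify this change in T-SQL, shown as an added example and not taken from Broadcom's documentation. It assumes sysadmin rights on the MSSQL relational database host and that the default login mapping (the one applied to all logins) is the mapping that currently specifies a security context.

```sql
-- Added example, not Broadcom's documented procedure.
-- Run on the MSSQL relational database host as a sysadmin.

-- 1. Inspect the current login mappings for the linked server.
--    local_principal_id = 0 is the default mapping applied to every login
--    that has no explicit mapping of its own.
SELECT s.name                 AS linked_server,
       s.provider,
       ll.local_principal_id,
       ll.uses_self_credential,  -- 0 = fixed security context, 1 = login's own context
       ll.remote_name            -- remote account used when a context is specified
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND s.name = N'RiskFabric_ASDB';

-- 2. Update the default mapping so connections to SSAS are made with the
--    login's current security context. This replaces the stored remote
--    user name and password for that mapping.
EXEC master.dbo.sp_addlinkedsrvlogin
     @rmtsrvname  = N'RiskFabric_ASDB',
     @useself     = N'TRUE',
     @locallogin  = NULL,   -- NULL = the default mapping for all logins
     @rmtuser     = NULL,
     @rmtpassword = NULL;

-- 3. Confirm the change: uses_self_credential should now be 1 and
--    remote_name should be NULL for local_principal_id = 0.
SELECT ll.local_principal_id,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
WHERE s.name = N'RiskFabric_ASDB';

-- 4. Delegation only works when the inbound session itself authenticated
--    with Kerberos. Run this from a remote client session (for example, the
--    ICA application server); local shared-memory connections report NTLM.
SELECT session_id, net_transport, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;
```

If step 4 returns NTLM for a remote session, the SPN registration for the MSSQL service is the first thing to review, since the caller's ticket cannot be passed on to SSAS without Kerberos.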
Symantec ICA Administrator Guide: Configure the ICA Service Account to use Active Directory Trusted Delegation