Home > Robin Kruithof, Work > Per-User Identity for Performance Point exhibits intermittent behavior

Per-User Identity for Performance Point exhibits intermittent behavior

This week I had to troubleshoot a strange problem on SharePoint 2010 (But also applies to SharePoint 2013) of a client regarding PerformancePoint. The reason of this post is that it took a while to figure out the resolution and I have seen multiple people asking for a resolution for the same problem without a clear answer.

This specific client uses a lot of PerformancePoint Dashboards showing users their required information. All the dashboards are configured with “Per-User Idenitity” authencation. The reason I tell you this is that “Per-User Idenity” authencation needs to be Kerberos on the SharePoint farm  to function correctly. The client had a double two-tier SharePoint farm. So they had two databases and two application servers that also function as the web servers. All of a sudden out of nowhere all dashboards stopped working.

The client started to see the following errors:

"This action cannot complete because PerformancePoint Services is not configured correctly. Additional details have been logged for your administrator."

This error was displayed on almost all the dashboards. The strange thing is that if you refresh the page, sometimes a dashboard would show correctly. After searching through all the logs that didn’t give me a idea where the problems where coming from I opened one of the dashboards in the Dahsboard Designer and tested the connection there.

My results:


I tried again:


Whenever I tested my connection I got a successful connection once and then a error the next try. The above behavior points to a problem with authentication and so I went on a search on the internet to look for what I was missing. I found the following:

When running kerberos the account that run the Claims to Windows Token Service needs the following rights:

  • Local administrator on the application server running PerformancePoint

Local Security Policy

  • Act as part of the operating system
  • Impersonate a client after authentication
  • Log on as a service

As stated above the client had two application servers and there was the problem. For some reason still unknown the Claims to Token Windows Service account had the above rights removed on one of the servers.

I re-added the right for the account on that server, restarted the Claims to Token Windows Service and all the dashboards started working again like expected.

The moral of this story is: Check the configuration of both servers first before going on a wild goose chase.

The reason why the rights for the Claims to Token Windows Service where removed is unknown but it can only be that they have been removed manually or removed via a group policy so check with your IT Department so this does not happen again!

I hope this post helps people with a similar problem in the future as it can really take forever to figure out why this is not working.

via SpeakingSilent » Robin Kruithof http://speakingsilent.wordpress.com/2013/06/03/per-user-identity-for-performance-point-exhibits-intermittent-behavior/

Robin Kruithof
I am Robin Kruithof. I am working at CXS in the Netherlands as a Microsoft Project Consultant. My passion lies in Project Management and everything in the Project Management domain.

This article has been cross posted from speakingsilent.wordpress.com/ (original article)

Categories: Robin Kruithof, Work Tags:
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: