SSRS Reports or Excel Services Authentication Error using Power Pivot

Problem

Cannot connect to PowerPivot document from Report Builder or Excel.

Indicators

With PowerPivot documents residing in a PowerPivot library on a SharePoint 2010 site, you cannot connect to any PowerPivot document as a data source in SSRS 2008 R2 or Excel 2010 with the PowerPivot add in installed. The PowerPivot document in SharePoint 2010 works fine and you have access to it. When connecting from Report Builder, the connection test succeeds,   but when trying to create a query in a dataset, it throws the error: The remote server returned an error: (401) Unauthorized. When connecting from Excel, Excel launches the "Multidimensional Connection 10.0" dialog, which it usually does when it can't connect to the source.

Research

Unable to connect to data source ….The remote server returned an error: (401) Unauthorized.

This error seems to be coming from IIS on the WFE. After researching this error a possible reason for this error is the network configuration we have setup. We are using Kerberose to authenticate  over mutilple endpoints. Both of the above clients use SharePoint PowerPivot and Excel services to access the data residing in the excel document. The image below illustrates the technology stack.

Figure 1  PowerPivot Life Cycle

As can be seen by the above illustration, multiple hops are needed to get through the different service providers along the way.

Currently NTLM is the default configuration for the PowerPivot Service. NTLM is not a recommend authentication mechanism as it has been replaced by Kerberos. Our current environment is Kerberos enabled and is accessible from our Farm servers. 

Solution

NTLM authentication  is failing to provide credentials all the way through the technology stack. Analysis serverice is never provided the nessesary identification. This is what is called a double- hop failure [1] Analysis services must be used because it is what does that actual grunt work of creating the data cube. After this cube has been created, it is then handed back to the calling services and finally to the user.

To solve this problem, we must change the authentication mechanism to reply on our Kerberos environment.  To do this we must change the Power Pivot web.config http bindings and custom configs.[2]

Procedure

1. Navigate to “ C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\isapi\PowerPivot\web.config”

2. Within the basicHttpBinding node change the follow attribute:

    Before:

    After:

3. Within  customBinding  nodes change the httpsTrasport node’s  attribute:

    Before: authenticationScheme= “NTLM”

    After:  authenticationScheme= “Negotiate”

4. Repeat steps 2 & 3 for each web server.

---

[1] Double-hop authentication: Why NTLM fails and Kerberos works

[2] Cannot connect to PowerPivot document from Report Builder or Excel

Data's Final Resting Place

I was asked recently a question regarding where SharePoint documents go when they are deleted. This is a tiered answer. Like so many other questions, we need to ask what data you want to know about.

Documents:

When a user deletes a document from a document library, it is a 2 stage process. When a user deletes a document from a document library it is sent to a site recycle bin. After 30 days (by default) this document is permanently removed from the site and the underlying database.

If the document is deleted by the user from this recycle bin before the document is removed automatically, it is sent to the Site Collection's recycle bin. At this point, the Site Collection administrator can restore it if necessary.

At this point the document is marked for deletion, if you should peak into the database and look at the dbo.AllDocs table you will find the following important information in the following fields:

• ID: a unique identifier that holds the GUID of the document


• SiteID: another unique identifier that holds the Site Collection GUID from which the document came from


• DirName: Directory where the document is stored. Even if the document is deleted, this field is still valid. SharePoint will use this to have a location to restore the document.


• WebId: a unique identifier that holds the GUID of the subweb site from which the document was stored.


• ListID: this is the unique Identifier that holds the GUID of the List the document came from. Since document libraries under the hood are modified lists, you can query the dbo.AllLists table with the value to get the reference to this list.


• DeleteTransactionId: Another unique identifier holding the transaction identifier (not a GUID). This field will be set to 0x if the document is not in the recycle bin.

There are other fields that are quite valuable, so take a look at this page for more information.

Site Collection and Web Site

To truly purge your database of the the documents without waiting for administrative action is to delete the entire web site. This will purge all of your documents from your site. This includes their reference in the Site Collection recycle bin. Gone. Poof.