Table of Contents

Kerberos Authentication for SSAS

If you're on macOS or Linux and need to connect to an on-premises SQL Server Analysis Services (SSAS) instance, you'll need to set up Kerberos authentication. This is because the ADOMD.NET library used for SSAS connections relies on Windows authentication, which requires Kerberos on non-Windows platforms.

Note

This only applies to on-premises SSAS. Microsoft Fabric and Azure Analysis Services use Azure AD token authentication, which works on all platforms without any extra configuration.

What You Need

  • Your machine must be able to reach the Active Directory domain controller
  • A valid AD user account with access to the SSAS instance
  • The krb5 Kerberos utilities installed on your machine

Step 1: Install Kerberos Tools

macOS

macOS includes Kerberos tools by default. No installation needed.

Linux (Debian/Ubuntu)

sudo apt install -y krb5-user

Linux (Fedora/RHEL)

sudo dnf install -y krb5-workstation

Linux (Arch)

sudo pacman -S krb5

Step 2: Configure Kerberos

Edit /etc/krb5.conf (macOS: /Library/Preferences/edu.mit.Kerberos) to point at your domain:

[libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    YOURDOMAIN.COM = {
        kdc = dc01.yourdomain.com
        admin_server = dc01.yourdomain.com
    }

[domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM

Replace YOURDOMAIN.COM with your Active Directory domain (in uppercase) and dc01.yourdomain.com with your domain controller's hostname.

Step 3: Obtain a Ticket

Request a Kerberos ticket using your AD credentials:

kinit [email protected]

Enter your password when prompted. Verify the ticket was issued:

klist

You should see a ticket for krbtgt/[email protected].

Step 4: Connect in Semantic Modeler

With a valid Kerberos ticket, Semantic Modeler can authenticate to SSAS using your Windows credentials:

  1. Open the Environment Editor.
  2. Set the Working Server or Publish Server to your SSAS instance (e.g., ssas-server\instance).
  3. The connection uses your Kerberos ticket automatically. No username/password prompt is needed.

Ticket Expiry

Kerberos tickets expire (typically after 8-10 hours, depending on your domain policy). If your connection stops working, run kinit again to get a fresh ticket.

You can check your ticket's expiry with:

klist

Troubleshooting

"Cannot find KDC for realm": Check that your /etc/krb5.conf points to the correct domain controller and that your machine can reach it (try ping dc01.yourdomain.com).

"Clock skew too great": Your machine's clock is too far off from the domain controller's clock. Sync your system time with NTP.

"Server not found in Kerberos database": The SSAS server's Service Principal Name (SPN) may not be registered. Ask your AD administrator to verify that the SPN is set up correctly for the SSAS service account.

Alternative: Use Fabric or Azure AS

If Kerberos setup is impractical for your environment, consider publishing your model to Microsoft Fabric or Azure Analysis Services instead. Both use Azure AD token authentication, which works on all platforms without any extra configuration.

Topic Link
SQL Server Analysis Services SSAS overview
Analysis Services client libraries ADOMD.NET and client libraries
Service Principal Names Service Principal Names (SPN)
Edit this page