So I'm again finding myself battling the Kerberos monster!!
Today I have an acctest server (XX-ATS-ASSHP102) running SSRS, SQL DB Engine & SSAS. I'm trying to configure NATIVE SQL Reporting Services to use a data source with Windows Integrated mode towards an SSAS cube on the same server. When I use the servername (or 127.0.0.1) it works perfectly. But when I use the DNS name bidb.acctest.internal it fails with the error "The connection either timed out or was lost.". The profiler on SSAS says "anonymous login", so the Kerberos login is broken at some point.
The weird thing is that this works perfectly in the production environment, but I've missed something in the ACCTEST environment.
The service account running SSAS has the correct SPNs:
MSOLAPSvc.3/bidb.acctest.internal
MSOLAPSvc.3/bidb.acctest.internal:MSSQLSERVER
MSOLAPSvc.3/XX-ATS-ASSHP102
MSOLAPSvc.3/XX-ATS-ASSHP102.XX.XXXXXXXXXXX.net
MSOLAPSvc.3/XX-ATS-ASSHP102.XX.XXXXXXXXXXX.net:MSSQLSERVER
MSOLAPSvc.3/XX-ATS-ASSHP102:MSSQLSERVER
The SSRS account has delegation with "any service". No account has the "sensitive" flag.
DNS names are A records, except the hostname for the SSRS site, which is a CNAME, but it's identical in production. The "impersonate client after login" and "replace token" permissions are correct in the policy.
The rsreportserver.config says:
<Authentication>
    <AuthenticationTypes>
        <RSWindowsNTLM/>
    </AuthenticationTypes>
    <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
    <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
    <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
both in production and in acctest env.
I don't know what I've missed. I need fresh ideas. Please help.
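
An added example, not part of the original post: a PowerShell check that lists the authentication types enabled in the <Authentication> block quoted above and tests whether an SPN list covers a given service class and host name. The function names are hypothetical and the inputs are copied from the post; RSWindowsNegotiate and RSWindowsKerberos are the SSRS authentication types that accept Kerberos tickets.

```powershell
# Constructed input: the <Authentication> block and the SPN list quoted in the post.
[xml]$config = @'
<Authentication>
  <AuthenticationTypes>
    <RSWindowsNTLM/>
  </AuthenticationTypes>
  <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
'@
$spns = @(
    'MSOLAPSvc.3/bidb.acctest.internal'
    'MSOLAPSvc.3/bidb.acctest.internal:MSSQLSERVER'
    'MSOLAPSvc.3/XX-ATS-ASSHP102'
    'MSOLAPSvc.3/XX-ATS-ASSHP102:MSSQLSERVER'
)

# Hypothetical helper: names of the elements under <AuthenticationTypes>.
function Get-RsAuthTypes([xml]$Xml) {
    $node = $Xml.SelectSingleNode('//Authentication/AuthenticationTypes')
    if (-not $node) { return @() }
    # Skip comments and whitespace; only element names are enabled schemes.
    @($node.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.Name })
}

# Hypothetical helper: is there an SPN of the form class/host[:instance]?
function Test-SpnCoverage([string[]]$Spns, [string]$ServiceClass, [string]$HostName) {
    foreach ($spn in $Spns) {
        $class, $rest = $spn -split '/', 2
        $spnHost = ($rest -split ':', 2)[0]
        # -eq on strings is case-insensitive, as SPN matching is.
        if ($class -eq $ServiceClass -and $spnHost -eq $HostName) { return $true }
    }
    return $false
}

$types = Get-RsAuthTypes $config
$kerberosTypes = @($types | Where-Object { $_ -in 'RSWindowsNegotiate', 'RSWindowsKerberos' })

[pscustomobject]@{
    EnabledAuthTypes     = $types -join ', '
    KerberosCapableTypes = $kerberosTypes -join ', '
    AcceptsKerberos      = $kerberosTypes.Count -gt 0
    SpnForDnsName        = Test-SpnCoverage $spns 'MSOLAPSvc.3' 'bidb.acctest.internal'
}
```

On a live server, the same functions accept the report server's rsreportserver.config loaded with `[xml](Get-Content <path>)` in place of the inline block.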