u/Afraid_Baseball_3962

SSAS Load Balancing with Kerberos

As part of a lifecycle management project, we are moving from a single SSAS server with two instances (SERVER1/MULTI and SERVER1/TAB) to a process server (PROCESS/MULTI and PROCESS/TAB) and two load balanced query servers (QUERY1/MULTI and QUERY1/TAB on one, QUERY2/MULTI and QUERY2/TAB on the other).

We are attempting to use a hardware appliance for load balancing between the two instances across the two servers, which requires setting up IIS and MSMDPUMP (based on Configure HTTP Access to Analysis Services on IIS 8.0 | Microsoft Learn).

Many of the reports that use the multidimensional and tabular instances require Kerberos to work. I found this at SPN registration for an Analysis Services instance | Microsoft Learn:

> SPN registration for SSAS instances listening on fixed ports
>
> You can't specify a port number on an Analysis Services SPN registration. The Analysis Services SPN registration can only use instance name. If you installed Analysis Services as a default instance and configured it to listen on a non-default port, you can't connect to that instance using Kerberos. You must configure it to listen on the default port (TCP 2383) for enabling Kerberos connections to that instance. A default instance of Analysis Services listening on non-default port can only accept NTLM connections. For named instances, you need to start SQL Server Browser service and use instance names in your connection strings instead of port numbers.

According to Configure the Windows Firewall to Allow Analysis Services Access | Microsoft Learn, "You cannot use a non-default port for Analysis services if you need to connect to your instance using Kerberos."

I have also found that, unlike the relational database engine, Analysis Services does not allow you to add a NIC to the server and dedicate it to a specific instance. Based on what I’ve found online, SSAS always listens on all IPs (except for some edge cases around clustered instances that don’t apply here).

We are also looking at Windows Network Load Balancing (NLB) instead of the hardware appliance, but I’m wondering whether Kerberos would still be an issue with that. Given that we have two instances on each server and they both require Kerberos, is load balancing even a workable “solution” or are we stuck with either having a single query server (abandoning load balancing) or splitting the two instances onto different servers (additional licensing)?