Update 21/01/2011: Update below regarding Excel Services and Multi-tenancy!
One of the exciting new features of SharePoint 2010 is multi-tenancy. If you're working in hosted or shared environments, it is no less than a must-have feature.
Unfortunately, in the real world of software nothing is perfect at RTM, and this would have to be one of those cases!
In short, neither Project Server nor PerformancePoint appears to support multi-tenancy in SharePoint 2010. It would seem that the feature has yet to be fully implemented for either service application; however, the situation is not as bad as you might fear.
Project Server in a multi-tenanted environment
Firstly, although Project Server does not accept any subscription-related parameters when provisioning a new instance using PowerShell or Central Admin, it does appear to work in a tenanted environment. Because any provisioned PWA site is a site collection of its own, once you have provisioned your PWA instance you can use the following PowerShell command to associate your PWA site collection with your tenant subscription:
Set-SPSite $PWASiteUrl -SiteSubscription $subscription
More good news is that, once provisioned, a PWA instance is able to communicate with other service applications belonging to the same subscription, most importantly the Secure Store Service. Without that, Excel Services wouldn't work!
All is not good though, especially if you like to use the full feature set of the 2010 product. Read on.
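An added example (not part of the original post) that wraps the association above in the checks a hosting operator would want: it refuses to move a PWA site that already belongs to a different tenant, then re-reads the site to confirm the subscription that was actually stored. The function name, the example URLs and the $Subscription parameter are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell on a farm server; PowerShell 2.0 compatible.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Join-PwaToSubscription {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$PWASiteUrl,
        # GUID of the subscription, or URL of a site collection already in it
        [Parameter(Mandatory = $true)]$Subscription
    )
    $target = Get-SPSiteSubscription -Identity $Subscription -ErrorAction Stop
    $site   = Get-SPSite -Identity $PWASiteUrl -ErrorAction Stop
    try {
        $current = $site.SiteSubscription
        # Never silently move a PWA site from one tenant to another.
        if ($null -ne $current -and $current.Id -ne $target.Id) {
            throw "$PWASiteUrl already belongs to subscription $($current.Id)"
        }
        if ($null -eq $current) {
            Set-SPSite -Identity $site -SiteSubscription $target
        }
    }
    finally { $site.Dispose() }

    # Re-read the site so the check reflects what was actually stored.
    $check = Get-SPSite -Identity $PWASiteUrl -ErrorAction Stop
    try {
        $stored = $check.SiteSubscription
        if ($null -eq $stored -or $stored.Id -ne $target.Id) {
            throw "$PWASiteUrl is not in subscription $($target.Id)"
        }
    }
    finally { $check.Dispose() }

    # Return every site collection URL now in the tenant for review.
    Get-SPSite -SiteSubscription $target -Limit All | ForEach-Object { $_.Url }
}

# Constructed placeholder values; replace with your own.
# Join-PwaToSubscription -PWASiteUrl 'http://tenant1.example.com/pwa' `
#     -Subscription 'http://tenant1.example.com'
```

The returned URL list is worth reviewing after each run, since every site collection in it shares the tenant's partitioned service data.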
PerformancePoint in a multi-tenanted environment
This is where the news gets bad. It would appear that PerformancePoint in 2010 does not support multi-tenancy at all: it doesn't appear to respect tenant subscriptions, so you might end up with errors like the following when attempting to run Dashboard Designer or configuring the service application's unattended account:
w3wp.exe (0x04E4) 0x0ED8 Secure Store Service Secure Store 7557 Critical The Secure Store Service application Secure Store Service Proxy is not accessible. The full exception text is: Access is denied. adfdd2a3-b6e5-4d92-8c5e-5a44fd821969
w3wp.exe (0x04E4) 0x0ED8 Secure Store Service Secure Store d9ld Unexpected Unexpected exception from endpoint address
w3wp.exe (0x04E4) 0x0ED8 Secure Store Service Secure Store d9le Unexpected Logging unknown/unexpected client side exception: SecurityAccessDeniedException. This will cause this application server to be removed from the load balancer queue. Exception: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied
Some searching will lead you to a number of sources talking about the lack of a Master Key being created in the Secure Store, which is most certainly the cause of the issue. Unfortunately, it appears that when your Secure Store is created with tenancy enabled, PerformancePoint is unable to see the Secure Store service application (and thus unable to retrieve the master key)!
Some deep reading led me to some TechNet articles detailing the requirements for PerformancePoint (sorry, can't find the link ATM). Basically, PPS requires that a Secure Store Service Application exists in the default proxy group and, as I've found, that app also cannot be tenanted.
Fortunately this can also be worked around. Maintaining a non-tenanted default Secure Store app dedicated to PPS does not, as I see it, introduce any security implications, particularly as you will have to provision a separate PPS service for each tenant in your farm (thus losing much of the benefit of multi-tenancy).
All I can say on this one is that I can't wait for SP1 for PPS. Maybe then we'll even be able to name our databases and lose that BETA PowerShell command line syntax? :)
Update 21/01/2011:
See the following blog for information on how Excel Services impacts the above configurations!
Hi Martin,
Great little blog on MT in SP2010. Any news on the features of PS2010 that don't work if set up with MT on, e.g. AD sync?
Hi Martin! Your blog has been really useful for us. We are currently installing Project Server 2010 in a multi-tenancy environment. We have migrated all our PS2007 data to our new environment but are facing a huge problem when trying to synchronize the resource pool with an AD group. We think we have identified the problem, and it's related to multi-tenancy. We receive a lot of errors in the event log telling that “A general exception occurred during the communication with active directory. Context: ValidateAdSyncUserProperties. Additional information: AD Schema property not found: “SPO-WindowsLiveNetId”. Exception Info”.
We decided to check into the function ValidateAdSyncUserProperties using the reflector and found the issue. There is an if-statement with an IsHostedEnvironment parameter which is true if your SPSite-object has a SiteSubscription.
If your SPSite object has a SiteSubscription, the synchronization job tries to get the field “SPO-WindowsLiveNetId” from your Active Directory, which we don't have, so the job fails. The “SPO-WindowsLiveNetId” is coming from the database “ProjectServer_Published”, and more precisely from the table dbo.MSP_WEB_ADMIN_AD (the field value for WADMIN_AD_ERESPOOL_PROPERTY_USER_ACCOUNT). If you change this field value to samAccountName, the synchronization starts to work again :) Of course we know that this is not a supported thing to do, so we have now registered a case with MS Support. Hopefully they will help us out.
Have you managed to get the synchronization to work properly?
Cheers
Great investigation there, Carl! It's fascinating to see some special configurations made by MS when PWA is tenanted. Personally, I haven't used AD sync, as our environments are purely hosted using claims with custom code for account management.
But the fact that it is looking for something called “WindowsLive” makes me think that it is for hosting providers to leverage, definitely something I’ll look into next time I get a chance!
Martin
Hi,
Just for your knowledge, we just received this from MS Support:
“I have received confirmation that setting the value of WADMIN_AD_ERESPOOL_PROPERTY_USER_ACCOUNT field in the MSP_WEB_ADMIN_AD table in the PWA_Published database, to SAMAccountName is a change which Microsoft would support.
It is also very unlikely that any fix will be produced for this issue in the short-term;
However, documentation around this area could well be enhanced with the information your research has highlighted.
Very many thanks for working so diligently on this case.”
This is good news for those of us who want to host Project Server 2010 in a multi-tenancy farm :)
Cheers
Project Server 2010 does not support multi-tenant environments. Do not install Project Server 2010 on a multi-tenant SharePoint Server 2010 farm. If you have Project Server 2010 installed on a farm, do not configure multi-tenancy on that farm.
http://technet.microsoft.com/en-us/library/ee662109.aspx