Monday, February 20, 2012

Issue connecting from C#, even though SSPI, it does ANONYMOUS LOGON

We are using Integrated Security=SSPI, and I can connect to SSAS 2005 just fine. I can also connect to the cube through OWC...

but when I try to connect in C# (.net 1.1), I get the message: the peer prematurely closed the connection. I did plenty of searches on this message, and I should have all the required files to connect - it just doesn't connect.

So I did a trace, and when I connect through OWC, it shows an Audit Log with my username. When I try to connect w/ .net, it shows ANONYMOUS LOGON.

Here is my connection string that is being used: (xxx's are filled w/ the right values)
Provider=MSOLAP.3;Cache Authentication=True;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=xxx;Data Source=xxxx;

Any ideas?

I realized that this might be happening because the virtual directory was set to use anonymous access. So, I took that off of the directory and made sure 'integrated windows authentication' was checked. I did an iisreset and tried out the changes, but it still was using ANONYMOUS LOGON.

I then tried to make a normal windows app because before, I was using a web app. This connected with my name just fine!

So it seems like the problem is with the iis virtual directory setup still wanting to use the anonymous account. I even set deny permission to the web project directory for iusr, iwam, network service.

I'd be glad to receive some feedback.

|||It's the double hop scenario. The user comes in with credentials and they get used to access the web site/service. But when the web site/service goes to the db, the ASP.Net (local) user is used for authentication.

That is why it works when one runs it outside the web site/service but not within. If it is IIS 6 you can try the application pooling in InetMgr by specifying a user that has access and then have the site use that pool...your mileage may vary.

Otherwise you will need to connect not using the impersonation route but by passing in a DB user name and password.

Another option is Active Directory and having the machine accepted while using Kerberos Authentication...but again, your mileage may vary.|||

There is a need to implement the specific user's credentials when accessing SSAS. It sounds like one option you gave would still be using a single logon account.

If we go the route of active directory, is there a way to pass the current user's logon info but not have it be visible to developers? The connection open method takes a (plain text?) un/pw if SSPI isn't used.

|||You may want to look into Protected Configuration as provided by ASP.Net 2. That would encrypt the information into the web.config. See this Security Practices: ASP.NET 2.0 Security Practices at a Glance to see if that answers your question, search for (encryption). Otherwise one of the other notes may be beneficial.

|||Were you able to get a resolution to this issue? I have a .NET application that I am trying to pass role-based security into SSAS 2005. This is a double-hop scenario and we have implemented Active Directory to try to restrict access to dimension data. However, it is not passing through the appropriate security restriction to the dimension data.
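
To see which identity the web application would actually present to SSAS in the double-hop scenario discussed in this thread, a small diagnostic handler can report both the authenticated caller and the identity the request thread runs as. This is an added example, not code from any of the posters; the handler name `WhoAmIHandler` and file name `whoami.ashx` are hypothetical, and it assumes ASP.NET 2.0 or later because `WindowsIdentity.ImpersonationLevel` is not available in .NET 1.1.

```csharp
// Added diagnostic, not from the thread. Save as whoami.ashx with the first line:
//   <%@ WebHandler Language="C#" Class="WhoAmIHandler" %>
// It reveals account names: restrict access and delete it after troubleshooting.
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler   // hypothetical name
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // First hop: the identity IIS/ASP.NET authenticated for this request.
        IIdentity caller = (context.User != null) ? context.User.Identity : null;
        // The identity this thread runs as. Integrated Security=SSPI presents
        // this identity, not necessarily the browser user, to the SSAS server.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();

        HttpResponse r = context.Response;
        r.ContentType = "text/plain";
        if (caller == null || !caller.IsAuthenticated)
            r.Write("Caller: not authenticated\n");
        else
            r.Write("Caller: " + caller.Name + " via " + caller.AuthenticationType + "\n");
        r.Write("Thread: " + thread.Name + " via " + thread.AuthenticationType
                + ", level " + thread.ImpersonationLevel + "\n");
        r.Write("Verdict: " + Verdict(caller, thread) + "\n");
    }

    // Maps the two identities onto the outcomes discussed in the thread.
    private static string Verdict(IIdentity caller, WindowsIdentity thread)
    {
        if (caller == null || !caller.IsAuthenticated)
            return "No end-user identity to forward; anonymous access is still in effect.";
        // A primary (process) token reports None: no impersonation is active.
        if (thread.ImpersonationLevel == TokenImpersonationLevel.None)
            return "Not impersonating; SSAS will see the worker process account.";
        if (thread.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            return "Delegable token; the end user can be presented to a remote SSAS.";
        return "Impersonating without delegation; a remote SSAS typically logs ANONYMOUS LOGON.";
    }
}
```

Request the handler from a browser on a different machine than the web server, since a local request does not exercise the second hop the same way.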
