Re: The following system error occurred: .
- From: "Nick Large" <nlarge@xxxxxxxxxxxxxxxxx>
- Date: Fri, 20 Feb 2009 08:10:11 -0600
Hi Charles,
I found this technet article,
http://technet.microsoft.com/en-us/library/cc917670.aspx which describes the
exact same error and am looking into it to see if this contains the
solution.
Below is an extract from the article covering my problem.
Error Condition 3: Integrated Windows Authentication Credentials Cannot Be
Forwarded
The client application attempts to connect by using HTTP through IIS to a
SQL Server 2005 Analysis Services instance. The IIS service is running,
directory security for the OLAP virtual directory is configured for
Integrated Windows authentication only, and the specified Analysis Services
instance is running. The user who is attempting to connect has sufficient
permissions to connect and perform the task attempted.
Note In this scenario, if the IIS service and the Analysis Services
instance are hosted on the same computer, the connection attempt will be
successful.
Errors Observed
The client application receives an error message similar to one in the
following table.
Client Application
Error Message
UDL file
Test connection failed because of an error in initializing provider.
The following system error occurred: .
Microsoft Excel 2007 / Microsoft Excel 2003
The following system error occurred: .
SQL Server Management Studio
Cannot connect to http://<server_name>/olap/msmdpump.dll. Unsupported
data format: (Microsoft.AnalysisServices.AdomdClient)
Simple Sample ADOMD ClientAccess
Connection to http://<server_name>/olap/msmdpump.dll server is not
ready or connectivity is broken. Full text message received follows:
Unsupported data format:
ANONYMOUS LOGON or NT AUTHORITY\ANONYMOUS LOGON appears as the NTUserName in
a SQL Profiler Trace for the Audit Login and Discover Begin events.
Note If your client application is a SQL Server 2005 Reporting Services
report in this scenario, the error message will typically be "Login failed
for user 'NT AUTHORITY\ANONYMOUS LOGON."
Error Resolution Recommendations
These errors are raised because the IIS service cannot forward the logon
credentials of the user who is trying to connect to an Analysis Services
instance through IIS. These errors are the result of the classic double hop
scenario in which a user logs on and is authenticated on one computer and
uses a client application to attempt to connect to a service on a third (or
fourth) computer through a service running on an intermediary computer-in
this scenario, the IIS service. For security reasons, the forwarding of a
user's security credentials (in the form of a Kerberos ticket or NTLM access
token) is not permitted unless Kerberos is configured.
You will generally resolve this problem in one of the following ways:
a.. Configure the IIS service to use IIS anonymous authentication. For
more information on IIS anonymous authentication, see Error Condition 2: IIS
Anonymous Connection Not Permitted.
b.. Configure Kerberos to enable the client credentials to be forwarded by
the IIS service to the Analysis Services instance. The steps necessary for
configuring Analysis Services for authentication using Kerberos and enabling
delegation are documented in KB Article 917409, How to configure SQL Server
2005 Analysis Services to use Kerberos authentication.
c.. Configure the IIS service to use basic authentication and enable
Secure Sockets Layer (SSL) to ensure that authentication information does
not travel across the network in clear text. This enables users to submit a
user name and password to the IIS service, which uses these security
credentials to authenticate the user and present the user's token and
connect to the Analysis Services instance, impersonating the user who
connected to IIS. These credentials can either be embedded in the connection
string used by the application or the user can be prompted for these
credentials.
d.. Cache the credentials necessary to connect to the Analysis Services
instance in the middle tier. For example, if you are using SQL Server 2005
Reporting Services, you can configure the report data source to store the
credentials. For more information, see Specifying Credential and Connection
Information.
e.. Configure the Analysis Services instance to permit anonymous logons
(generally only for testing purposes). You can accomplish this by using one
the following methods:
a.. Add the Windows Everyone group to an Analysis Services security role
within the Analysis Services instance. Grant this role the appropriate
permissions. Change the value for the Analysis Services server property
Security \ RequireClientAuthentication to False in the Analysis Services
instance. Then change the value for the local security policy Network
access: Let Everyone permissions apply to anonymous users to Enabled on the
computer.
b.. Add the ANONYMOUS LOGON user account (from either the local computer
or the Windows domain) to an Analysis Services security role with the
appropriate permissions.
Important Permitting anonymous connectivity has significant security risks
and should not be undertaken lightly. However, it can occasionally be
appropriate and can be useful for testing purposes.
Note If you configure Analysis Services to permit anonymous connectivity,
you can also use the SSPI=Anonymous connection string property.
"Nick Large" <nlarge@xxxxxxxxxxxxxxxxx> wrote in message
news:%23hNrgHskJHA.2460@xxxxxxxxxxxxxxxxxxxxxxx
Oh, and the other thing, I did see that when the error occurs that the
system logs in as NT Authority\ANONYMOUS whereas when I refresh it, it
appears as the correctly assigned user on the connection string and the
report is generated. Could this possibly be an OLEDB issue (ie. the OLEDB
is not parsing the connection correctly in some instances), or reporting
services issue (Ie. RS is not finding the correct connection?) ??
Nick.
"Nick Large" <nlarge@xxxxxxxxxxxxxxxxx> wrote in message
news:OSue2yqkJHA.3480@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Charles.
It seemed to work splendidly for a while and then I started getting the
message again. I did see that the browser service was disabled. I
assume that this is by default on installation of SQL 2005, but would not
understand why that would be wise, could it be a security risk having it
on, or just that it is not necessary in most cases to have it switched
on? Anyway, I will post back if I see the message again.
Thanks,
Nick.
""Charles Wang [MSFT]"" <changliw@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Bk2JC8ZkJHA.5280@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi Nick,
How are things going?
I was on a vacation last week. My colleague Robbie and Peter helped
assist
you on this post. Now I am back to office and will provide further
assistance for you.
Regarding this issue, it looked that you worked around it by specifying
the
TCP port number after the data source name. That is a great news and I
am
glad to hear that. Going after your current workaround, I would like to
add
more comments. Did you check if SQL Server Browser service was started
on
your server? Analysis Services records the port number and the instance
name with SQL Server Browser, which is the service that handles lookup
of
named instances. If your SQL Server Browser service was not started,
your
Analysis Services instance may not be correctly identified by your
clients.
You can check the status of SQL Server Browser from SQL Server
Configuration Manager->SQL Server 2005 Services. If it is not started,
please manually start it.
Thank you for choosing Microsoft. Please do not hesitate to let me know
if
you have any other questions or concerns.
Best regards,
Charles Wang
Microsoft Online Community Support
=========================================================
Delighting our customers is our #1 priority. We welcome your
comments and suggestions about how we can improve the
support we provide to you. Please feel free to let my manager
know what you think of the level of service provided. You can
send feedback directly to my manager at: msdnmg@xxxxxxxxxxxxxx
=========================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
=========================================================
.
- References:
- The following system error occurred: .
- From: Nick Large
- RE: The following system error occurred: .
- From: Robbie Meng
- Re: The following system error occurred: .
- From: Nick Large
- Re: The following system error occurred: .
- From: Nick Large
- Re: The following system error occurred: .
- From: "Peter Yang"
- Re: The following system error occurred: .
- From: Nick Large
- Re: The following system error occurred: .
- From: "Charles Wang [MSFT]"
- Re: The following system error occurred: .
- From: Nick Large
- Re: The following system error occurred: .
- From: Nick Large
- The following system error occurred: .
- Prev by Date: create ODS (operational data source) before Data warehouse!!!?
- Next by Date: Re: The following system error occurred: .
- Previous by thread: Re: The following system error occurred: .
- Next by thread: Re: The following system error occurred: .
- Index(es):
Relevant Pages
|
Loading
