Re: Connecting to OLAP through ADOMD and ImpersonateUser
From: scroyston (scroyston_at_discussions.microsoft.com)
Date: 01/05/05
Date: Wed, 5 Jan 2005 15:07:03 -0800
Thanks, I have machine A trusted for delegation through Active Directory per
the HowTo.
It is a custom application that uses ADOMD to connect to MSAS on machine B.
It is not a web application. Do I have to do something with the app to
authorize it for delegation?
The HowTo just says I need to have the user running the app correctly set up.
I also tried running the app through the SYSTEM user (since the HowTo says
no special work is required), but I got the same problems.
"Jéjé" wrote:
> You have to trust your machine A for delegation.
> In Active Directory, open the property page of machine A and trust
> the computer for delegation.
>
> Do you use a custom N-tier application (like a custom Windows service)? Or a
> web site?
> Maybe you have to use the setspn utility to allow a specific account to
> delegate the authentication.
>
> For a website, it's like this:
> (with IIS6 and if the application pool is the network service)
> setspn -a HTTP/mywebsitename.com myservername
>
> (with IIS6 and if the application pool is a specific user)
> setspn -a HTTP/mywebsitename.com mydomain\myuser
>
> HTTP/mywebsitename.com cannot be associated with 2 different accounts using
> setspn.
>
> If you have a custom Windows service I don't know how to authorize it (I
> don't know the syntax which replaces the HTTP used for a web site)
>
>
> "scroyston" <scroyston@discussions.microsoft.com> wrote in message
> news:5F85B5E8-4915-4FAB-889E-172417BF037E@microsoft.com...
> >I have a client machine using ADOMD (Machine A) to connect to an MSAS
> > Server (Machine B). We are heavily using Cube security. Given that
> > the username/password is ignored in an MSOLAP connection string, I am
> > using:
> > LogonUser(username, null, password, LOGON32_LOGON_NEW_CREDENTIALS,
> > LOGON32_PROVIDER_WINNT50)
> > ImpersonateUser(token)
> > Connection.open(...)
> > RevertToSelf(...)
> >
> > With client and server on the same machine things work great.
> >
> > With two separate machines I get "Database X does not exist".
> >
> > I assume ImpersonateUser(...) disallows the 'single hop' requirement of NTLM
> > authentication, and that I need to use a Kerberos setup.
> >
> >
> > I have followed the Kerberos MSAS setup HowTo. I've allowed the machines to
> > delegate, etc.
> > My connection string has Integrated Security=SSPI;SSPI=Kerberos included.
> >
> > Now I get:
> > "The operation requested failed due to security problems - unknown error"
> > the first time and
> > "The operation requested failed due to security problems - the user could
> > not be authenticated"
> > subsequent times.
> >
> > A few questions:
> > 1) Am I correct in assuming I need to use Kerberos?
> > 2) Am I using the correct APIs?
> > 3) Am I using the correct parameters to LogonUser?
> > 4) Is there a good way to debug this? I can't find anything in either
> > machine's event logs.
> >
> > Thanks
> >
>
>
>
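One way to check the delegation settings this thread discusses, as an added example that is not part of the original posts. It assumes the ActiveDirectory PowerShell module is installed; the function name and the computer, user and SPN values are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-DelegationPrereqs {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $MiddleTierComputer,  # "machine A" in the thread
        [Parameter(Mandatory)] [string] $EndUser,             # account passed to LogonUser
        [Parameter(Mandatory)] [string] $Spn                  # SPN registered with setspn
    )

    # 1. "Trust this computer for delegation" on machine A.
    $computer = Get-ADComputer -Identity $MiddleTierComputer -Properties TrustedForDelegation

    # 2. "Account is sensitive and cannot be delegated" blocks delegation of this user.
    $user = Get-ADUser -Identity $EndUser -Properties AccountNotDelegated

    # 3. An SPN must belong to exactly one account; list every object carrying it.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")

    $trusted      = [bool]$computer.TrustedForDelegation
    $canDelegate  = -not $user.AccountNotDelegated

    [pscustomobject]@{
        Computer             = $computer.Name
        TrustedForDelegation = $trusted
        User                 = $user.SamAccountName
        UserCanBeDelegated   = $canDelegate
        Spn                  = $Spn
        SpnOwners            = $owners.DistinguishedName
        SpnOwnerCount        = $owners.Count
        # True only when all three checks above pass.
        PrereqsMet           = $trusted -and $canDelegate -and ($owners.Count -eq 1)
    }
}

# Placeholder values: substitute your own computer, user and SPN.
Test-DelegationPrereqs -MiddleTierComputer 'MACHINE-A' -EndUser 'someuser' `
    -Spn 'HTTP/mywebsitename.com'
```

An `SpnOwnerCount` of 0 means the SPN was never registered, and a count above 1 means it is duplicated across accounts.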