Re: Using forms authentication to control security access to msolap.asp. Is it possible using ASP.NET?

>> So, my two questions are:
>> 1. Is there some trick to enable Forms Authentication in MSOLAP.ASP?
>> (my guess is No based on your post...)

Sorry. No.

>> 2. Is there some port of MSOLAP.ASP to ASP.NET? I've tryed one, but
>> everytime I call the MSMDPUMP method I receive a COMException... I'll
>> keep trying.
>>

Sorry. No. It is ASP only.

Here is what I would recommend that you do. On the virtual directory that
msolap.asp is located change its security to BASIC only. Install an SSL
certification on the machine so you can encrypt the underlying data flow
(including the username/pwd coming from your ASP.NET server. Create a local
machine account on IIS/Analysis server to be something like
YOURAPPUSERNAME -- pwd: YOURAPPPWD

On the connectstring from your ASP.NET machine say:

data source=https://server/<vd where msolap.asp is
located>;uid=YOURAPPUSERNAME;pwd=YOURAPPPWD

You need SSL to ensure that the uid and pwd passed to IIS are encrypted.

This uses http connectivity with a known username and pwd. General access to
the Analysis server is denied. Lastly if you are REALLY interested in
limiting connectability, put a firewall in front of your Analysis server and
only allow inbound connections from your ASP.NET machine.

That gives you two layers of access. Users can only come in from one machine
(the ASP.NET server); and they must know the uid and pwd for a local machine
account on the Analysis server.

--
Dave Wickert [MSFT]
dwickert@xxxxxxxxxxxxxxxxxxxx
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ravi Ambros Wallau" <nospam@xxxxxxxxxx> wrote in message
news:%23Ody$j2cFHA.1036@xxxxxxxxxxxxxxxxxxxxxxx
> Dave:
> Read "intend" and not "pretend" in the following sentence:
> IIS Server and Analysis Services are currently in the same machine, and
> we don't pretend to change this in near future, at least unless this
> authentication problem is resolved.
>
> My native language is Portuguese, and "intend" is "pretender" in
> portuguese - my mistake.
>
> "Ravi Ambros Wallau" <nospam@xxxxxxxxxx> wrote in message
> news:%23OAUTTzcFHA.2436@xxxxxxxxxxxxxxxxxxxxxxx
>> Dave:
>> IIS Server and Analysis Services are currently in the same machine,
>> and we don't pretend to change this in near future, at least unless this
>> authentication problem is resolved.
>> We are using HTTP access, and only the HTTP port 80 is enabled in our
>> firewall. The "Pivot Table" component maps to the URL in our IIS server,
>> as described in the docs you presented to me.
>> Resuming, our infra seems to be ok.
>> The problem is that we use Forms Authentication to validate user and
>> password. Our application has a user database, and the internet portal
>> can be used to add/ edit users, and to change their roles in the system.
>> We can't leave the URL of MSOLAP open to the world, as I told before,
>> because this is a big security issue.
>> It seems to me that MSOLAP.ASP + MSMDPUMP.DLL page are only a "bridge"
>> between Analysis Services and the "Pivot Table" component present in some
>> ASP.NET (or HTML) page. I've successfully change MSOLAP.ASP page to log
>> all Server Variables, Cookies and Session attributes into a file. But
>> that what is really usefull to me (Session) is unavailable, probally
>> because it's provided by an ASP.NET application.
>>
>> So, my two questions are:
>> 1. Is there some trick to enable Forms Authentication in MSOLAP.ASP?
>> (my guess is No based on your post...)
>> 2. Is there some port of MSOLAP.ASP to ASP.NET? I've tryed one, but
>> everytime I call the MSMDPUMP method I receive a COMException... I'll
>> keep trying.
>>
>> Well, this is it.
>>
>> "Dave Wickert [MSFT]" <dwickert@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:ess%23o0rcFHA.1288@xxxxxxxxxxxxxxxxxxxxxxx
>>> Analysis Services only supports NT authentication. Ultimately everything
>>> has to get back to an NT account. See the section titled "Security
>>> Administration" in the AS Operations Guide
>>> http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/anservog.mspx
>>> and additional information in the Improved Web Connectivity white paper
>>> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsql2k/html/sql_datapump.asp
>>>
>>> What kind of connectivity do you have between the IIS server (where your
>>> ASP.NET app is running) and the Analysis server? Are they on the same
>>> machine? Or different machines in same domain? Or different machines
>>> with a firewall between them?
>>>
>>> What kind of access are you using between your ASP.NET app and Analysis
>>> Services? TCP/IP or http access? If using TCP/IP then your server name
>>> in the connectstring is the machine name for the Analysis server -- if
>>> using http access then your server name in the connectstring is:
>>> http://<machinename>/<virtual_directory_for_where_msolap_dot_asp_lives>
>>>
>>> What that I could provide some guidance around what your options are.
>>> --
>>> Dave Wickert [MSFT]
>>> dwickert@xxxxxxxxxxxxxxxxxxxx
>>> Program Manager
>>> BI SystemsTeam
>>> SQL BI Product Unit (Analysis Services)
>>> --
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> "Ravi Ambros Wallau" <nospam@xxxxxxxxxx> wrote in message
>>> news:%23UxihJrcFHA.2688@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Hi:
>>>> My organization has developed a portal made in ASP.NET (C#). This
>>>> portal is open for Internet, and we decide to use Forms Authentication
>>>> to validate user and password. This authentication doesn't seems to be
>>>> valid (or not) when using MSOLAP.ASP. It's a big security risk for me
>>>> leave the MSOLAP.ASP page open "to the world", and it's really boring
>>>> to the user tip a logon information again, and also the extra effort to
>>>> keep a second user database (in Windows or in another place) is
>>>> tedious, error prone and inneficient.
>>>> Is there some way that force MSOLAP.ASP to use Forms Authenticatiom?
>>>> Debugging this ASP page, I have some suspicious that cookies and
>>>> another informations are sent with MSOLAP request, better saying, some
>>>> browser informations are sent within ActiveX request.
>>>> But I really can't find any usefull to validate the user. Session is
>>>> unavaiable for me, I believe that the reason is that my application is
>>>> developed is ASP.NET.
>>>> Is there some port of MSOLAP.ASP for .Net platform? Is it possible
>>>> to use Forms Authentication? Did anyone had the same problem?
>>>>
>>>> Thanks,
>>>> Ravi.
>>>>
>>>
>>>
>>
>>
>
>


.