Re: HTTP Access to SSAS with anonymous even possible?



Matt,

Feel free to contact me off-line. You can explain in further detail what you
wish to accomplish. And I can share the techniques I have used.

Chris Harrington
www.activeinterface.com


"MattM" <MattM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:55F9C1A2-ED13-4126-8937-1DDC7AABDD95@xxxxxxxxxxxxxxxx
Then perhaps I need help with the definition of anonymous. What I want to tell SSAS is that it should serve up this data to an anonymous caller. If I made a domain account, had IIS run under that domain account, then added that domain account to the SSAS list of valid roles/users, I'm not really allowing anonymous callers. I don't see much difference between that setup and flipping on integrated security and adding domain user accounts to the roles in SSAS. In both cases you're telling SSAS who to allow to make the call but more importantly you're telling SSAS that it MUST identify the caller (either the IIS user or the specific IIS machine). The white paper even mentions that anonymous doesn't identify the caller and is only for controlled environments where access is done at the IIS level:

"Anonymous access
When this mode is selected, the pump (msmdpump.dll) is running with credentials; in our case, these are the credentials of IUSR_MACHINENAME user. Therefore, every connection to Analysis Services is opened as IUSR_MACHINENAME user. When this mode is selected, there is no distinction between which user is connecting to IIS and which to Analysis Services. There is no way to distinguish between users.

This mode is to be used when the security infrastructure does not take advantage of the security functionality of Analysis Services. This is most likely an extremely controlled environment, where users are given or denied access to the virtual directory."


"ChrisHarrington" wrote:

I also believe that it must be a domain account.

The issue isn't whether it is anonymous or not - the issue is "does the
service account have permissions against SSAS"

Chris Harrington

"MattM" <MattM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:228C6BF7-E7AF-4E3E-9DDC-A291E300D9E6@xxxxxxxxxxxxxxxx
I can go back and check on the policy but I find it hard to believe using a domain account is recommended over a local account. I'm no expert but if the local IUSR_Machine account is compromised it can't do much beyond the local server, but a compromised domain account leaves all the servers it's valid on compromised. If you have an MSDN white paper that refers to this practice I'd love to read about it. It might help me build a case to change our setup.

I agree that enabling the guest account is not a good option but I'm still looking for some verification that it's required. As I said in the first post, the white paper states that anonymous is possible yet it fails to give the details on how to get it done. I do know that on SQL 2000 you could do anonymous access and NOT enable the guest account - we have a server set that way right now.

The goal is to get some asp pages that have old pivot table reports on them working in SSAS 2005. We migrated from SQL 2000 and now we just want to maintain that functionality on SSAS 2005. The white paper implies it can be done but I'm not sure that is really true or it's leaving out important steps.

I think we need to keep it anonymous because not every user will be authenticated to the domain. This is on an intranet where we have our own authentication mechanism like ClearTrust. That means a user could connect to the intranet without having any kind of domain login. As far as I know that means all the normal integrated authentication methods are not possible and anonymous is our best option.

"Jeje" wrote:

strange to know that your policy prohibits this option!!!!
it's a first recommendation when you have multiple servers...
and more specially in your case.

the only other option is:
* authorize the windows guest account on the SSAS server
* enable the anonymous access to SSAS

from what I remember, the guest account must be enabled to allow anonymous access to SSAS...
but enabling the guest account is far more insecure than changing iusr_machine to a domain account !!!!

but... do you really need an anonymous account?
or do you want to use the kerberos delegation system?
also using HTTP, you can specify a user id / password in the connection string.
so everybody can use the same user / password (a restricted account which can be used only in SSAS)


"MattM" <MattM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:67746D29-8F6B-495B-92D4-3E01C2255978@xxxxxxxxxxxxxxxx
This isn't an option in our environment because our security policy prohibits it. I can't imagine this would be advisable or wise either. Plus, if this is what is required to make anonymous access work, then it most definitely should be part of the instructions and the IUSR_Machine account shouldn't even be mentioned.

Again, the white paper seems misleading to me because it appears that anonymous is not possible unless IIS and SSAS are on the same box.

"Jeje" wrote:

try to change the anonymous account in IIS
instead of using the IUSR_Machine account, use a valid user domain
account.



"MattM" <MattM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EADA9907-1397-47E3-9B94-A6EB1B4B4987@xxxxxxxxxxxxxxxx
I'm trying to follow the information at this link (http://www.microsoft.com/technet/prodtechnol/sql/2005/httpasws.mspx) but I think it's misleading me into thinking I can accomplish my goal. The article states you can have SSAS and IIS on separate servers. It also says you can use anonymous access. But I think you can't have both.

The white paper says when using anonymous access the msmdpump.dll is running with the IUSR_MACHINENAME account, but with the SSAS on a separate server it's not possible to add that account as valid because that account is local to the IIS server. So the IIS server is sending its IUSR_MACHINENAME account but the SSAS server won't allow it.

My goal is to convert some OWC reports on ASP pages from SQL 2000 to SSAS 2005. The code worked fine with our SQL 2000 server but so far we can't get it to work on SSAS 2005.





