
Administrator rights issue with HTTP connectivity

microsoft.public.sqlserver.olap


#1 Mark G, 07-21-2004, 09:55 AM

I've defined a few permission groups to a cube. Now I'm trying to
view the cube via ASP, which connects and displays data when
viewing the webpage from the server *OR* on any PC which has a user
logged in with Administrator rights. If I go to another,
non-Administrator-rights box, the page errors, stating the Cube not
available. I cannot give IUSER administrator rights and currently am
using windows integrated authentication for IIS validation. I have
tried passing a standard userid/password to the connection string, no
success. Heard anything as to why OLAP would not accept passed
userid/password in this type of security setup? Any other thoughts?

#2 Dave Wickert [MSFT], 07-21-2004, 11:49 AM

When using http connectivity with NTLM, you only have a few options.
1) You can run IIS and AS on the same machine, in which case, your Windows
NT credentials can be used directly.
2) You can run IIS and AS on different machines but in the same domain
(which is a requirement), but then you need to either run basic
authentication between your client machine and IIS (and pass on the connect
string a domain username and pwd to impersonate on the IIS machine) or look
at using Windows Kerberos delegation. Basic authentication by far is the
more common technique.

More on this subject can be found in the following white paper:
http://msdn.microsoft.com/library/de...l_datapump.asp

Hope that helps.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Systems Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.

#3 Chip, 07-23-2004, 02:50 PM

Dave - can you elaborate on item 2A - passing username a
connect string? Namely, how? I have already been poring
over the article you mention all week - but still have the
same problem as the original post. -Chip

#4 Dave Wickert [MSFT], 07-25-2004, 11:25 AM

When you pass the username/pwd on the connectstring, PTS uses that to do a
BASIC authentication login into IIS (if requested by the web server). It may
be that you haven't turned on BASIC authentication on the virtual directory
where msolap.asp exists. If you have anonymous enabled, then it will be used
by default; then IIS tries NTLM; and if all of those fail, then it tries
BASIC. So if you are going to use username/pwd on the connectstring, then
1) you should have BASIC as the only option for that virtual directory; and
2) if over the public Internet, or in a high security Intranet situation,
you should have SSL enabled (and use https://) so that the password (which
is normally sent lightly converted with BASIC) has full encryption.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Systems Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.
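
Added example, not part of the original thread or of any Microsoft code: a small Python audit of the two points in the reply above. It assumes the connect string uses `Data Source`, `User ID` and `Password` properties and that the virtual directory's enabled methods are supplied by hand; host, account and password are constructed. It flags credentials that may go unused because anonymous or NTLM is tried first, and shows that a BASIC header decodes straight back to the password when SSL is not in use.

```python
import base64
from urllib.parse import urlparse

# Methods that, per the reply above, IIS tries before it falls back to BASIC.
TRIED_BEFORE_BASIC = ("anonymous", "ntlm")


def parse_connect_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def basic_header(user, pwd):
    """Authorization header value that Basic authentication sends (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def recover_credentials(header):
    """What anyone able to read the HTTP request gets back from that header."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, pwd = raw.partition(":")
    return user, pwd


def audit(cs, enabled):
    """Findings for a connect string plus the virtual directory's enabled methods."""
    props = parse_connect_string(cs)
    if not (props.get("user id") and props.get("password")):
        return []  # no credentials on the connect string, nothing to check
    findings = []
    earlier = [m for m in TRIED_BEFORE_BASIC if m in enabled]
    if earlier:
        findings.append("credentials may go unused: IIS tries "
                        + ", ".join(earlier) + " before BASIC")
    if "basic" not in enabled:
        findings.append("BASIC is not enabled on the virtual directory")
    if urlparse(props.get("data source", "")).scheme != "https":
        findings.append("password readable in transit: BASIC without SSL")
    return findings

# Constructed sample; property names, host, account and password are assumptions.
WEAK = (r"Provider=MSOLAP;Data Source=http://olap.example.test/msolap.asp;"
        r"User ID=EXAMPLE\report;Password=Placeholder1")
FIXED = WEAK.replace("http://", "https://")

if __name__ == "__main__":
    print(audit(WEAK, {"anonymous", "ntlm", "basic"}))  # weak directory settings
    print(audit(FIXED, {"basic"}))                      # BASIC only, over https
    print(recover_credentials(basic_header(r"EXAMPLE\report", "Placeholder1")))
```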

#5 Mark G, 08-18-2004, 01:38 PM

review: trying to query an OLAP cube (cube has individual users
defined from a Windows 2000 domain), passing the current logged in
userid, via an IIS server ASP webpage, IIS has integrated security
turned on and nothing else.

solution: apparently OLAP cannot handle the authentication format
that IIS passes to OLAP natively. To work around this you must turn
on Kerberos OR you can add IUSER_<servername> to the OLAP Administrators
group OR in the OLAP cube, add "Everyone" to the group (but that does
defeat securing the cube on the individual user level)
