#2
I have a client machine using ADOMD (Machine A) to connect to an MSAS Server (Machine B). We are heavily using Cube security. Given that the username/password is ignored in an MSOLAP connection string, I am using:

LogonUser(username, null, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50)
ImpersonateUser(token)
Connection.open(...)
RevertToSelf(...)

With client and server on the same machine things work great. With two separate machines I get "Database X does not exist". I assume ImpersonateUser(...) disallows the 'single hop' requirement of NTLM authentication, and that I need to use a Kerberos setup.

I have followed the Kerberos MSAS setup HowTo. I've allowed the machines to delegate, etc. My connection string has Integrated Security=SSPI;SSPI=Kerberos included. Now I get "The operation requested failed due to security problems - unknown error" the first time and "The operation requested failed due to security problems - the user could not be authenticated" subsequent times.

A few questions:
1) Am I correct in assuming I need to use Kerberos?
2) Am I using the correct APIs?
3) Am I using the correct parameters to LogonUser?
4) Is there a good way to debug this? I can't find anything in either machine's event logs.

Thanks
#3
You have to trust your machine A for delegation: in Active Directory, open the property page of machine A and trust the computer for delegation.

Do you use a custom n-tier application (like a custom Windows service) or a web site? Maybe you have to use the setspn utility to allow a specific account to delegate the authentication. For a web site, it's like this:

(with IIS6 and if the application pool is the Network Service)
setspn -a HTTP/mywebsitename.com myservername

(with IIS6 and if the application pool is a specific user)
setspn -a HTTP/mywebsitename.com mydomain\myuser

HTTP/mywebsitename.com cannot be associated with two different accounts using setspn. If you have a custom Windows service I don't know how to authorize it (I don't know the syntax that replaces the HTTP used for a web site).

"scroyston" <scroyston (AT) discussions (DOT) microsoft.com> wrote in message news:5F85B5E8-4915-4FAB-889E-172417BF037E (AT) microsoft (DOT) com...
> I have a client machine using ADOMD (Machine A) to connect to an MSAS Server (Machine B). We are heavily using Cube security. Given that the username/password is ignored in an MSOLAP connection string, I am using:
>
> LogonUser(username, null, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50)
> ImpersonateUser(token)
> Connection.open(...)
> RevertToSelf(...)
>
> With client and server on the same machine things work great. With two separate machines I get "Database X does not exist". I assume ImpersonateUser(...) disallows the 'single hop' requirement of NTLM authentication, and that I need to use a Kerberos setup.
>
> I have followed the Kerberos MSAS setup HowTo. I've allowed the machines to delegate, etc. My connection string has Integrated Security=SSPI;SSPI=Kerberos included. Now I get "The operation requested failed due to security problems - unknown error" the first time and "The operation requested failed due to security problems - the user could not be authenticated" subsequent times.
>
> A few questions:
> 1) Am I correct in assuming I need to use Kerberos?
> 2) Am I using the correct APIs?
> 3) Am I using the correct parameters to LogonUser?
> 4) Is there a good way to debug this? I can't find anything in either machine's event logs.
>
> Thanks
#4
Thanks. I have machine A trusted for delegation through Active Directory per the HowTo. It is a custom application that uses ADOMD to connect to MSAS on machine B. It is not a web application.

Do I have to do something with the app to authorize it for delegation? The HowTo just says I need to have the user running the app correctly set up. I also tried running the app through the SYSTEM user (since the HowTo says no special work is required), but I got the same problems.

"Jéjé" wrote:
> You have to trust your machine A for delegation: in Active Directory, open the property page of machine A and trust the computer for delegation.
>
> Do you use a custom n-tier application (like a custom Windows service) or a web site? Maybe you have to use the setspn utility to allow a specific account to delegate the authentication. For a web site, it's like this:
>
> (with IIS6 and if the application pool is the Network Service)
> setspn -a HTTP/mywebsitename.com myservername
>
> (with IIS6 and if the application pool is a specific user)
> setspn -a HTTP/mywebsitename.com mydomain\myuser
>
> HTTP/mywebsitename.com cannot be associated with two different accounts using setspn. If you have a custom Windows service I don't know how to authorize it (I don't know the syntax that replaces the HTTP used for a web site).
>
> "scroyston" <scroyston (AT) discussions (DOT) microsoft.com> wrote in message news:5F85B5E8-4915-4FAB-889E-172417BF037E (AT) microsoft (DOT) com...
> > [snip]
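The thread never gets to question 4 (how to debug this), so here is a client-side diagnostic for the setup it describes, added as an example and not posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module is available; every machine and account name is a placeholder, and MSOLAPSvc.3 (the SPN class Analysis Services registers, which Jéjé did not know) is a fact from outside the thread.

```powershell
# Added example, not from the thread: check the pieces a Kerberos connection from
# Machine A to Analysis Services on Machine B depends on. Placeholders throughout;
# run as a domain user on Machine A.
param(
    [string]$ClientComputer = 'MACHINEA',              # Machine A (the ADOMD client)
    [string]$AppAccount     = 'CORP\appuser',          # account the custom app runs as
    [string]$AnalysisHost   = 'machineb.corp.example', # Machine B, the host name in the connection string
    [string]$MsasAccount    = 'CORP\svc_olap'          # account the MSAS service runs as on Machine B
)
Import-Module ActiveDirectory

# 1. Delegation is granted to the identity the app runs under. The thread trusts the
#    computer object; when the app runs as a regular user account, that account is
#    the one the KDC checks, so both are listed here.
$c = Get-ADComputer $ClientComputer -Properties TrustedForDelegation
$u = Get-ADUser (($AppAccount -split '\\')[-1]) -Properties TrustedForDelegation
"Computer $ClientComputer trusted for delegation: $($c.TrustedForDelegation)"
"Account $AppAccount trusted for delegation: $($u.TrustedForDelegation)"

# 2. The KDC can only issue a service ticket for Machine B's Analysis Services if an
#    SPN of the form MSOLAPSvc.3/<host> is registered, and on exactly one account.
#    A missing SPN is the usual cause of "the user could not be authenticated" when
#    the connection string forces SSPI=Kerberos; a duplicate SPN also breaks Kerberos.
$spn    = "MSOLAPSvc.3/$AnalysisHost"
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { "SPN $spn is missing. Register it with: setspn -A $spn $MsasAccount" }
    1       { "SPN $spn is registered to $($owners[0].Name)" }
    default { "SPN $spn is DUPLICATED on: $($owners.Name -join ', ') (Kerberos will fail)" }
}

# 3. After a connection attempt, the service ticket should sit in the ticket cache.
#    Tickets obtained under a LogonUser token live in that token's own logon session,
#    not the interactive one; list them with 'klist -li <LogonId>' (ids from 'klist sessions').
$ticket = klist | Select-String -Pattern ([regex]::Escape($spn))
if ($ticket) { "Kerberos ticket for $spn is cached in this session" }
else         { "No Kerberos ticket for $spn in this session (NTLM fallback, or a different logon session)" }
```

If step 2 reports the SPN as present on one account and step 1 shows the right identity trusted, the remaining place to look is the Security log on Machine B and on the domain controller, where Kerberos ticket failures are audited once logon auditing is enabled.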