dbTalk Databases Forums  

Double Hop Issue When Impersonating?

microsoft.public.sqlserver.olap

Gilly
Double Hop Issue When Impersonating? - 09-26-2006, 09:54 PM

Hi there

We have an ASP.net web application connecting to a remote SSAS 2005 server.
The IIS web site can be configured for Integrated or Forms security with
anonymous access disabled. Impersonation is enabled in the web.config.

When I use Forms authentication I get a connection exception telling me it
failed to connect (Connection Actively Refused). I did a bit of research and
found several details on "Double Hopping". This is where the user in IIS's
credentials cannot be passed to another machine.

I've tried impersonating the authenticated user in my code but I still get
the same problem, presumably because I am just changing the identity of the
ASP.net thread.

Does anyone have a workaround for this or do you all have web applications
that have Forms Authentication and that live on the same server as the SSAS
Server?

This all works fine when I use Integrated Security

TIA



Darren Gosbell
Re: Double Hop Issue When Impersonating? - 09-27-2006, 05:16 AM

If you want to pass the user's credentials through to SSAS, the only way
would be to use Kerberos (see
http://www.mosha.com/msolap/articles...delegation.htm )

If you did not mind your web site connecting to SSAS with a single user
account you would have the following options:

1) Otherwise you could set up the identity of your application pool (in
IIS6) with a fixed user.

2) Or you could set up a fixed user using the identity setting in
web.config and specifying a specific user and password.

3) Or you could set up HTTP authentication on SSAS and specify a
username and password in the connection string.

--
Regards
Darren Gosbell - SQL Server MVP
Blog: http://www.geekswithblogs.net/darrengosbell

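Added example, not code from any poster in this thread: a small C# check of whether an identity carries a Windows token that can make the second hop to SSAS. The class name, the sample user name and the message wording are illustrative assumptions.

```csharp
using System;
using System.Security.Principal;

static class DoubleHopCheck
{
    // Reports whether an identity can be presented to a second machine (e.g. SSAS).
    // In an ASP.NET page, pass HttpContext.Current.User.Identity for the logged-in
    // user, or WindowsIdentity.GetCurrent() for the identity the thread runs as.
    public static string Describe(IIdentity user)
    {
        WindowsIdentity win = user as WindowsIdentity;
        if (win == null)
        {
            // Forms authentication yields an application-level identity only.
            return user.Name + " (" + user.AuthenticationType + "): no Windows token, " +
                   "nothing to pass to a Windows-authenticated back end";
        }

        string who = win.Name + " via " + win.AuthenticationType;
        switch (win.ImpersonationLevel)
        {
            case TokenImpersonationLevel.None:
                // Primary token: the process or fixed account itself.
                return who + ": primary token, remote calls go out as this account";
            case TokenImpersonationLevel.Delegation:
                // What a working Kerberos delegation setup produces on the web server.
                return who + ": delegation-level token, second hop possible";
            case TokenImpersonationLevel.Impersonation:
                // The usual result of Integrated auth without delegation.
                return who + ": impersonation-level token, valid on this machine only";
            default:
                return who + ": " + win.ImpersonationLevel + " token, cannot act for the user";
        }
    }

    static void Main()
    {
        // Constructed stand-in for a Forms-authenticated user (hypothetical name).
        Console.WriteLine(Describe(new GenericIdentity("remote.user", "Forms")));

        // Identity of the process running this sample (Windows only).
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(current));
        }
    }
}
```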

Gilly
Re: Double Hop Issue When Impersonating? - 09-27-2006, 05:46 AM

Thanks for response Darren.

We can't use a single user as user/group/role security is going to be
applied to various areas of the server but thanks for Mosha's link.

Graham

Zoltan Grose
Re: Double Hop Issue When Impersonating? - 09-27-2006, 11:34 AM

The other (last?) option is to use msmdpump.dll and connect to SSAS through
a Virtual Directory secured with Basic Authentication (IIS 6 has to be set
to run in IIS 5.0 Isolation Mode). This will allow you to connect as any
arbitrary user through the Connection String properties. This requires that
your ASP.NET application needs to know the user's password, however.

IMO, the Windows Auth only design is a pretty serious flaw in an otherwise
ok system. Authentication and authorization is generally a real PITA
requiring either an elaborate Kerberos/Active Directory octopus of services
to configure or simply abandoning a 3+ tier app design altogether. The
latter seems to be the favorite workaround on the web.

-z



Gilly
Re: Double Hop Issue When Impersonating? - 09-27-2006, 05:47 PM

Zoltan

Basic Authentication (even with SSL) is not an option for our app. We want
to be able to allow integrated for intranet users and forms authentication
for remote users.

And I completely agree with you regarding Kerberos/AD! Mosha's link is a
possibility but for now we will leave both on same server.