Hi all,
I have a solution that uses dynamic security on cubes. First the user is
authenticated against AS roles and then there is a c# assembly that retreives
his allowed members from relational table. Assembly gets UserName (mdx
function) and name for each restricted dimension and attribute(hardcoded).
Everythings works fine.

Problem happens when I go from Reporting Services. I have couple of reports
based on UDM, data source uses windows authentization. User is authenticated
agains cube, so that means that correct account is passed. But UserName
function then returns empty string. When I connect directly to cube, correct
account name is passed to assembly.

Any comment? All services run on the same box. Can be related to delegation
problem? Thanks for any help, it's very important to me.

Radim

Sounds like the classic NT 2-hop authentication problem.
NT credentials can only be passed between two machines (i.e. client and then
RS server). If you attempt to transfer them again from the RS server to the
AS server, then you get a blank username (actually an error, depending on
the OS and its settings). This is a well-known limitation of NT -- it is
totally unrelated to RS or AS. If you really need to do this then you have a
few choices:
1) run RS and AS on the same machine
2) implement kerberos
You could also switch to saved connections on the RS machine, but that would
defeat the dynamic security that you have already established.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI Systems Team
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Radim Hampel" <RadimHampel (AT) discussions (DOT) microsoft.com> wrote

Hi Dave,

thanks for the anwser. I know about the double hop, but as I mentioned all
services run on the same box. I did further investigation: the problem seems
to happen only on 64b release. No problem with 32b. Second conclusion is that
user credentials are successfully passed to assembly and stored procedure -
when I call suser_sname() in SP it returns correct user name. Strange. So the
problem is - UserName MDX function returns empty string even if the user is
property authenticated to AS.

Radim

"Dave Wickert [MSFT]" wrote:

I did not think there was a 64bit version of RS. So it would probably be
running in WOW (Windows On Windows) which could be why you are seeing
strange behaviour.

--
Regards
Darren Gosbell [MCSD]
<dgosbell_at_yahoo_dot_com>
Blog: http://www.geekswithblogs.net/darrengosbell