Hi:
My organization has developed a portal made in ASP.NET (C#). This portal
is open for Internet, and we decide to use Forms Authentication to validate
user and password. This authentication doesn't seems to be valid (or not)
when using MSOLAP.ASP. It's a big security risk for me leave the MSOLAP.ASP
page open "to the world", and it's really boring to the user tip a logon
information again, and also the extra effort to keep a second user database
(in Windows or in another place) is tedious, error prone and inneficient.
Is there some way that force MSOLAP.ASP to use Forms Authenticatiom?
Debugging this ASP page, I have some suspicious that cookies and another
informations are sent with MSOLAP request, better saying, some browser
informations are sent within ActiveX request.
But I really can't find any usefull to validate the user. Session is
unavaiable for me, I believe that the reason is that my application is
developed is ASP.NET.
Is there some port of MSOLAP.ASP for .Net platform? Is it possible to
use Forms Authentication? Did anyone had the same problem?

Thanks,
Ravi.

Analysis Services only supports NT authentication. Ultimately everything has
to get back to an NT account. See the section titled "Security
Administration" in the AS Operations Guide
http://www.microsoft.com/technet/pro.../anservog.mspx
and additional information in the Improved Web Connectivity white paper
http://msdn.microsoft.com/library/de...l_datapump.asp

What kind of connectivity do you have between the IIS server (where your
ASP.NET app is running) and the Analysis server? Are they on the same
machine? Or different machines in same domain? Or different machines with a
firewall between them?

What kind of access are you using between your ASP.NET app and Analysis
Services? TCP/IP or http access? If using TCP/IP then your server name in
the connectstring is the machine name for the Analysis server -- if using
http access then your server name in the connectstring is:
http://<machinename>/<virtual_directory_for_where_msolap_dot_asp_lives>

What that I could provide some guidance around what your options are.
--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ravi Ambros Wallau" <nospam (AT) nospam (DOT) com> wrote

Dave:
IIS Server and Analysis Services are currently in the same machine, and
we don't pretend to change this in near future, at least unless this
authentication problem is resolved.
We are using HTTP access, and only the HTTP port 80 is enabled in our
firewall. The "Pivot Table" component maps to the URL in our IIS server, as
described in the docs you presented to me.
Resuming, our infra seems to be ok.
The problem is that we use Forms Authentication to validate user and
password. Our application has a user database, and the internet portal can
be used to add/ edit users, and to change their roles in the system. We
can't leave the URL of MSOLAP open to the world, as I told before, because
this is a big security issue.
It seems to me that MSOLAP.ASP + MSMDPUMP.DLL page are only a "bridge"
between Analysis Services and the "Pivot Table" component present in some
ASP.NET (or HTML) page. I've successfully change MSOLAP.ASP page to log all
Server Variables, Cookies and Session attributes into a file. But that what
is really usefull to me (Session) is unavailable, probally because it's
provided by an ASP.NET application.

So, my two questions are:
1. Is there some trick to enable Forms Authentication in MSOLAP.ASP? (my
guess is No based on your post...)
2. Is there some port of MSOLAP.ASP to ASP.NET? I've tryed one, but
everytime I call the MSMDPUMP method I receive a COMException... I'll keep
trying.

Well, this is it.

"Dave Wickert [MSFT]" <dwickert (AT) online (DOT) microsoft.com> wrote

Dave:
Read "intend" and not "pretend" in the following sentence:
IIS Server and Analysis Services are currently in the same machine, and
we don't pretend to change this in near future, at least unless this
authentication problem is resolved.

My native language is Portuguese, and "intend" is "pretender" in
portuguese - my mistake.

"Ravi Ambros Wallau" <nospam (AT) nospam (DOT) com> wrote

Sorry. No.

Sorry. No. It is ASP only.

Here is what I would recommend that you do. On the virtual directory that
msolap.asp is located change its security to BASIC only. Install an SSL
certification on the machine so you can encrypt the underlying data flow
(including the username/pwd coming from your ASP.NET server. Create a local
machine account on IIS/Analysis server to be something like
YOURAPPUSERNAME -- pwd: YOURAPPPWD

On the connectstring from your ASP.NET machine say:

data source=https://server/<vd where msolap.asp is
located>;uid=YOURAPPUSERNAME;pwd=YOURAPPPWD

You need SSL to ensure that the uid and pwd passed to IIS are encrypted.

This uses http connectivity with a known username and pwd. General access to
the Analysis server is denied. Lastly if you are REALLY interested in
limiting connectability, put a firewall in front of your Analysis server and
only allow inbound connections from your ASP.NET machine.

That gives you two layers of access. Users can only come in from one machine
(the ASP.NET server); and they must know the uid and pwd for a local machine
account on the Analysis server.

--
Dave Wickert [MSFT]
dwickert (AT) online (DOT) microsoft.com
Program Manager
BI SystemsTeam
SQL BI Product Unit (Analysis Services)
--
This posting is provided "AS IS" with no warranties, and confers no rights.


"Ravi Ambros Wallau" <nospam (AT) nospam (DOT) com> wrote