Connect to a cube with Integrated Windows Security for Windows user with computer outside the domain

Question
Hello, I am trying to connect to an MSSAS cube with a Windows user (and I need this user to be the end user that connects to the cube) from outside the domain. It will be a .NET application. I used msmdpump.dll before, but the thing is it impersonates the connection, so the user that connects to the cube is not the real client user, which is a problem for me because I would like to manage the security through roles.
SSRS is able to do what I am trying to achieve (it asks you for your domain user and password) and then connects to the cube with these credentials, which is great, but how do I do that?
With ADOMD.NET, how do you provide a Windows user/password in the connection string?
I tried to activate only Windows security access with IIS and MSSAS, but it's not working with a computer outside the domain, even if in Excel I provide a Windows user/password.
Vincent
Friday, June 13, 2014 12:52 AM
Answers
-
If you connect with ADOMD.NET and are already running under a service account, and if that service account user is an SSAS admin, you can specify EffectiveUserName=YOURDOMAIN\RealEndUser in the connection string. That's what SSRS is doing. I discussed this here: http://www.artisconsulting.com/blogs/greggalloway/Lists/Posts/Post.aspx?ID=18
http://artisconsulting.com/Blogs/GregGalloway
- Edited by GregGallowayMVP Sunday, June 15, 2014 10:50 PM
- Proposed as answer by Elvis Long Thursday, June 19, 2014 5:50 AM
- Marked as answer by Elvis Long Monday, June 23, 2014 2:50 AM
Sunday, June 15, 2014 10:46 PM
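The EffectiveUserName approach from the answer above, as an added C# example that is not part of the original posts. The class name, server and catalog values are hypothetical, and the DOMAIN\user allow-list pattern is an assumption to adapt to your directory's naming rules. Because the process runs as an SSAS admin, the sketch accepts only a user name that the application itself has authenticated and rejects any value that could add extra connection string properties.

```csharp
using System;
using System.Data.Common;
using System.Text.RegularExpressions;
using Microsoft.AnalysisServices.AdomdClient;

// Hypothetical helper; run it under the service account that is an SSAS admin.
static class CubeConnectionFactory
{
    // Constructed allow-list for DOMAIN\user. It excludes ';', '=', quotes and
    // whitespace, so the value cannot introduce further connection properties.
    static readonly Regex DomainUser = new Regex(
        @"\A[A-Za-z0-9.\-]{1,15}\\[A-Za-z0-9._\-$]{1,64}\z",
        RegexOptions.CultureInvariant);

    // authenticatedUser must come from the application's own authentication
    // step (for example the identity IIS established), never from a request
    // field the client can set freely: SSAS will evaluate roles for that name.
    public static string BuildConnectionString(
        string server, string catalog, string authenticatedUser)
    {
        if (authenticatedUser == null || !DomainUser.IsMatch(authenticatedUser))
            throw new ArgumentException(
                "Expected DOMAIN\\user", nameof(authenticatedUser));

        // DbConnectionStringBuilder quotes values where needed instead of
        // relying on string concatenation.
        var builder = new DbConnectionStringBuilder();
        builder["Data Source"] = server;
        builder["Initial Catalog"] = catalog;
        builder["Integrated Security"] = "SSPI";   // service account logs on
        builder["EffectiveUserName"] = authenticatedUser; // roles use this user
        return builder.ConnectionString;
    }

    public static AdomdConnection Open(
        string server, string catalog, string authenticatedUser)
    {
        var connection = new AdomdConnection(
            BuildConnectionString(server, catalog, authenticatedUser));
        connection.Open();
        return connection;
    }
}

// Usage with placeholder values:
// using (var conn = CubeConnectionFactory.Open(
//     "ssas01.example.local", "SalesCube", @"YOURDOMAIN\RealEndUser")) { ... }
```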
All replies
With ADOMD.NET, how do you provide a Windows user/password in the connection string?
Hello Vincent,
See MSDN Connection String Properties (Analysis Services) for all available properties; additionally: AdomdConnection.ConnectionString Property =>
Olaf Helper
Friday, June 13, 2014 7:02 AM -
Thanks a lot. So if I understand correctly, with ADOMD.NET there is a way to connect as an admin but impersonate the connection so SSAS gets the end user and I can apply my role-based security?
All the best
Vincent
Monday, June 16, 2014 12:26 AM -
Monday, June 16, 2014 2:29 AM
-
Thanks,
So 2 questions (thanks for the article, btw):
Do I need an ISA server (I can't do that)?
Do I need to activate Kerberos (that's not an issue, I just need to be careful with my AD)?
Vincent
Monday, June 16, 2014 2:33 AM -
You don't need ISA for this scenario. You don't need full Kerberos but you will need an SPN for SSAS setup unless it is running under LOCAL SYSTEM which is able to register an SPN on the fly. Try it and see if it works now.
Monday, June 16, 2014 2:48 AM
-
Sorry, stupid question, but I thought that in order to get an SPN I still need to configure Kerberos on my AD server (which is not a problem).
Vincent
Monday, June 16, 2014 4:07 AM -
I believe you just need to run setspn for the SSAS server and that's it. I think you can skip the rest of the Kerberos config steps if you want to. Post back if you find otherwise.
Monday, June 16, 2014 4:46 AM