OLAP, Forms Auth and OWC

[James]

In an Extranet configuration, we want to give access to shop managers
worldwide to an Analysis Services database through OWC.
We cannot use Windows authentication, and each shop manager should only see
data corresponding to his shop.
AS only supports Windows authentication.

What I'm trying to do is use OLAP role-based security to ensure that the
Denver shop manager only gets Denver data delivered into his OWC pivot table.

I have tried Forms Authentication, and read the following article, that
supposedly makes recommendations for my kind of scenario
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetAP05.asp
(the article uses SQL Server instead of AS)

The problem is, using this recommendation, all users come to the database as
ASPNET. I cannot differenciate at the database level between the Denver shop
manager and the Vancouver shop manager.

Can anybody think of a solution for this type of organisation? I would think
that this scenario would be pretty common.

I have gotten so far as to note that the
HttpContext.Current.User.Identity.Name does contain the name of the logged-in
user, but the System.Security.Principal.WindowsIdentity.GetCurrent().Name
still contains ASPNET. And that's the one that AS is using for
authentication. Is there a way I can force the WindowsIdentity to be the same
as HttpContext ?

 

[Wei-Dong XU [MSFT]]

Hi,

From my understanding, your issue is when the user logons into the server
through Form authentication of ASP.net. SQL server Analysis service can't
distinguish which logon user is the manager or the normal user, the
authenticated windows principal object is aspnet not windows account, so
the data retrieved from server is all the same.

So I'd suggest you can follow the kb article below to check the user
windows account after the form authentication. This authentication will
obtain the logon user credential and then validate it from Active
directory; so after that, the request will use the windows account as its
security credential so that AS will know which user is the manager and
others are not.
316748 How to authenticate against the Active Directory by using Forms
http://support.microsoft.com/?id=316748

Please feel free to let me know if you have any question.

Best Regards,
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Wei-Dong XU [MSFT]]

Hi,

It should work at windows2000. Please feel free to let me know if you have
any question.

Best Regards,
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[James]

The link shows me a method that I can use to authenticate a user. However, I
still cannot impersonate a Windows user. Quote: "store a GenericPrincipal
object in the HttpContext.User property". The http context isn't what is used
by Analysis Services to check security.

 

[Wei-Dong XU [MSFT]]

Hi ,

I have found your new post regarding this issue. I will follow up in the
new thread. Ok?
You new post:
Subject: OWC 11 security problem connecting to AS
Date: Wed, 11 Aug 2004 03:29:01 -0700
Newsgroups: microsoft.public.office.developer.web.components

Best Regards,
Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.