OWC10 & asp.net: impersonation issues

Markus Stehle

Hi all!

I hit some problems that I can't exactly explain and for which I can't find
a suitable solution. I have two asp.net web applications. The first
application is accessed via the local Intranet and uses asp.net dynamic
impersonation together with Integrated Windows Authentication (IIS). Within
that application I have some pages that contain pivot tables and
chartspaces that access an OLAP cube. These are fully interactive pages, the
code is written in JavaScript and is executed on client side. The pages are
accessed by different users - some users are members of the local
administrator group on my webserver, the others are just normal users. If a
standard user tries to access the page, the pivottable returns the error
"Database MyDB cannot be found" - if I add the respective user to the
administrator group, there are no problems.

The second web application is accessed via the internet, it uses static
impersonation and the IIS virtual directory allows anonymous access. Within
server-side code, I create an instance of an OWC pivottable in order to
access an OLAP cube. When I try to connect, I get an error message "Database
MyDB cannot be found". To solve the problem in this scenario, I found out
that adding the ASPNET account to the local administrator group can solve
the problem.

Can anybody explain this behavior to me? Adding the respective users and/or the
ASPNET account is not a suitable solution for me, so I would greatly
appreciate any suggestions. I already gave the ASPNET account full access
rights to the directory containing the OLAP cubes, but with no success.


Thanks

Markus
 
Dan Ricker

MSOLAP security is not my strongest point, but I strongly
recommend removing the ASPNET account from the Admin group
as soon as possible. If there is some other vulnerability
on your system it is possible that the ASPNET account user
could be used to externally take control of the box.

****************************************
The MSOLAP Analysis Manager has tools for adding "users"
in the Manage Users stuff.

Open Analysis Manager, Select the server in question and
expand. Right click the database in question and Select
Manage Roles. I do know that the "Roles" are associated
with Users and Groups on the box but that's about the best
I can do off the top of my head.

Thx
Dan
 
Markus Stehle

Hi!

I could solve the problems. To make it work in the first scenario (dynamic
impersonation, IIS Integrated Windows Auth) I had to create a role in
Analysis Manager that grants the desired users access to the Cube.

For the second scenario, I had to create a role that grants the ASPNET_wp
access to the cube. But: no role had to be created for the impersonated user
(static impersonation via web.config), it was enough to add the ASPNET_wp.


Markus
 
