Connecting to AS2000 via OWC through a firewall

  • Hello!  (originally, and mistakenly, posted under Yukon's BI forum)...

    (first, thank you for taking the time to read this!)

    I have an intranet.  I have Windows 2000 server/ SQL Server2000/ AnalysisServices.

    Users have Win2000 / office 2000 on the local intranet.

    I have set up cubes, and setup connection to the cubes via Excel using "Microsoft OLE DB Provider for OLAP Services 8.0".

    LOCAL users on the intranet ARE ABLE to connect to the cubes, by finding the Excel sheet I have placed on the intranet.  Seeing the xls file, they are able to choose to Open the file in EXCEL or “Browse” the file in a Browser window.   In both cases they are able to see the excel tabs, and interactively change dimensions.  This is good.  But…

    Employees sign on remotely to the intranet through their browsers by entering the address of our intranet and inputting their domain\username and password at the prompt…thus authenticating to the domain.

    When coming in through the intranet, users navigate to my saved Excel file and open it.  They are immediately able to see the Excel data (in either Excel or Browser).  Also, the OWC “Dimension Picker” window pops up.  However, when they attempt to change a dimension a window pops up asking them to “Choose the location of the Multidimensional data source that you want to use.”  (A note on the window says, “You need to provide authentication information only if you are establishing an HTTP connection.”)  I don’t know of any answers that allow one to get past this window.  After that, I get the message:

    “Unable to connect to the Analysis server.  The server name ‘xxxxxxxx’ was not found.  Please verify that the name you entered is correct, and then try again.”

    Yes.. I am sure the name is correct.

    4 Questions:

    1.      Why is the local intranet browser enabled to connect to the Cubes without ‘authentication’?

    2.      What is the difference that prevents a remote user from connecting and that forces that window to pop up?  Or, why can’t the remote user find the Analysis cube?

    3.      Is it possible that HTTP connections to an Analysis server are only allowed with an Enterprise server?  (if so, how did the local users connect via browser?)

    4.      Any general suggestions on what I am trying to accomplish?  (i.e. using OWC through the internet, passing through the company firewall into the company’s intranet to reach an Analysis server).

    Other background: Remote users have installed PTSlite.exe.  (On some remote users, a full version of AS2000 is installed, and still the same message shows up.)

    I have set the options on the internet browser of the remote client to trust the local domain.

    I have ensured that port 2725 is opened on the protective firewall of the company.

    Finally, thanks to all you contributors for your help…(not just to my question, but to all the questions).

     

  • Hey Steve,

    At last, someone else to share my pain....  (I work for a company that has developed a web-based MSOLAP analysis tool).

    I'm guessing that your extranet users are being authenticated by IIS (i.e. Integrated Security on the virt dir in IIS).  If this is the case then you're probably coming up against the NTLM wall - basically with NTLM (the standard Windows security model in W2K [and NT??]) you can't pass credentials past the first hop.  So, your users are being authenticated and those credentials are valid on the web server, but are not able to be passed on to any other servers within the domain.  So, the OWC really can't *see* the <servername> when attempting to connect.  To the best of my knowledge you have about 3 options:

    1. Move your AS server on the web server - pros-> access will work; cons -> possibly placing valuable data where your boss won't want it, normally web servers aren't as spec'd up as AS server boxes, IMHO a slack workaround suggestion from MSft.

    2. Use Kerberos authentication for your external users.  Kerberos allows for >1 hop passing of credentials. I've not tried this, most of our (consulting) clients are either internal only users of AS. pros -> access will work, could be other pros for using Kerberos?; cons -> I've heard that Kerberos can be hard to implement but that's just hearsay, Kerberos requires ALL clients have at minimum W2K on client machines which doesn't sound like a problem for you (obvious problem for us as a s/w vendor).

    3. Try to use the msolap.asp page as the connection (string) target.  Am assuming you're not using this already, as the connection string for this is a <http> address rather than <servername>.  I've not used this either, but from BOL seems like a simple setup (filter BOL to AS and then type in http, a few down the list is "Connecting using HTTP").  Just note with this one, you will need Enterprise Edition.

     

    Steve.
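
The NTLM-versus-Kerberos distinction raised in the reply above can be checked on the web server by looking at which mechanism the browser actually sent in its `Authorization` header. The following is an added example, not part of the original posts; the function names and the sample header values are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_MSG = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# DER-encoded mechanism OIDs as they appear inside a GSS-API/SPNEGO token
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2

def classify_authorization(value):
    """Classify one HTTP Authorization header value sent by the browser to IIS."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    pos = token.find(NTLMSSP_SIG)
    if pos != -1 and len(token) >= pos + 12:
        # Raw NTLM, or NTLM carried as the SPNEGO mechToken
        msg_type = struct.unpack_from("<I", token, pos + 8)[0]
        return "ntlm-" + NTLM_MSG.get(msg_type, "unknown")
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "unknown"

def second_hop_possible(mechanism):
    """Per the reply above: NTLM stops at the first hop; Kerberos can go further
    (only when delegation is actually configured for the web server)."""
    return mechanism == "kerberos"

def build_samples():
    """Constructed header values; not captured traffic, not valid tickets."""
    ntlm = NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207)
    krb = (b"\x60\x40\x06\x06\x2b\x06\x01\x05\x05\x02"
           + b"\x06\x09" + OID_KRB5 + b"\x00" * 16)
    return {
        "raw_ntlm": "NTLM " + base64.b64encode(ntlm).decode(),
        "negotiate_ntlm": "Negotiate " + base64.b64encode(ntlm).decode(),
        "negotiate_krb": "Negotiate " + base64.b64encode(krb).decode(),
        "garbage": "Negotiate !!!not-base64!!!",
    }

if __name__ == "__main__":
    for name, header in build_samples().items():
        mech = classify_authorization(header)
        print(f"{name:15} {mech:18} second hop possible: {second_hop_possible(mech)}")
```

A `Negotiate` header that turns out to carry NTLM is the case to look for: the browser offered Negotiate but fell back to NTLM, so the credentials stop at the web server.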

  • Not sure exactly how the msolap is set up on IIS, but if you can get it to run as an IIS Out of Process application, then in Component Services set the Impersonation Level to impersonate the logged on user, then you can have the authentication information "pass-through" IIS (more specifically COM+) to SQL Server (or whatever).

    This sounds like OLAP on IIS is set up to use the default IIS In process, which then tries to use the IIS identity account to access resources.  By having it run as an application site, you can run in out of process, and have the user account security for running processes.

    While I have not done OLAP, I often use this technique for client/server applications where I have the middle tier running on COM+ on a web server, and use Remote Data Services (part of ADO) from a client program to access the middle tier components.  This authentication process is a tricky item to set up, but well worth it since the DCOM resolution is done on the server, not the client, and I do not have to register middle-tier components on the client machines.

     



    Mark
