locked
Security Problem when the cube is not deployed in the PAS server RRS feed

  • Question

  • Hello,

     

    do you know guys if there is some security problem with ProClarity when it's using a cube on another server (not in the PAS)?

     

    We have got security problem in our customers when we open a cube out of the PAS server and publish it. The allowed users cannot open it. (The views don't open saying the user has no permission to open the cube even if he is a cube administrator)

     

    Thanks,

    Monday, November 12, 2007 1:28 PM

Answers

  •  

    Good Morning Alex,

     

    I have listed below and FAQ that discusses the configuration requirements in a 2 server deployment, which is the most common cause of the error message you are seeing.

    Please let me know if you have any questions.

    Best Regards,
    Dawn Fink

    ********************


    THE INFORMATION IN THIS ARTICLE APPLIES TO:
    ProClarity Analytics Server, ProClarity Web Standard, 5.x, 6.x

    SYMPTOMS:
    Opening a book with the Standard Web Client displays a warning message. The message states, "The cube used by this page could not be found". The message also states that the details of the condition have been recorded and sent to the web site administrator and that if immediate assistance is required, contact the administrator.

    CAUSE:
    The message fundamentally means that the ProClarity Analytic Server (PAS) could not contact Microsoft Analysis Services (MSAS) successfully. There are many reasons why this might happen. This article will cover the most common issues.

    Configuration 1:
    PAS is located on a separate machine from MSAS, and IIS authentication is set to "Windows Integrated".

    Cause:
    Because of architectural limitations in the MS model, it is not possible in an NT style domain to have the OLAP server and PAS server on separate physical machines, use NT authentication and have OLAP security respected at the same time. This is because PAS (IIS) does not receive credentials so it cannot pass them on to Analysis Services for log on.

    Resolution:
    There are a few possible solutions to this problem. Please note that this list is by no means exhaustive. Also, these suggestions are merely meant to act as a guide to troubleshooting and resolving the issue. ProClarity does not in any way guarantee factors outside the scope of the ProClarity products. These factors include, but are not limited to network security, data integrity, and general infrastructure functionality:

    1. Set the IIS authentication to Basic only. This will allow PAS (IIS) to receive credentials and pass them on to the OLAP server. Note that when this is done IIS will display a warning about credentials being passed in clear text when using this mode. The username and password will in fact still be encrypted, the encryption will just be of a very simple kind.

    2. Move MSAS and PAS (IIS) to the same machine. This will eliminate the need to pass credentials and so eliminate the problem.

    3. Do not use any security settings on MSAS. This means that everyone will have access to all of the information on the server.

    4. Configure your network to use the Kerberos authentication protocol, and then configure PAS, IIS, and Analysis Services to leverage the impersonation and delegation features of Kerberos. For further information on this, please contact ProClarity Technical Support.

    Configuration 2:
    PAS and MSAS are located on the same machine OR they are located on seperate machines AND IIS authentication is set to "Basic" and not "Windows Integrated".

    Cause:
    The user attempting to access MSAS does not have sufficient privilges to access the desired data.

    Resolution:
    Check the security roles on MSAS at both the cube level and the database level. Be sure the user has access to the data they are attempting to view.

    Configuration 3:
    PAS and MSAS are located on the same machine OR they are located on seperate machines AND IIS authentication is set to "Basic" and not "Windows Integrated" (or you are leveraging the features of the Kerberos protocol). The MSAS data has recently been migrated to another machine, the MSAS machine name has changed, one or more of the catalog names have been changed, or one or more of the cube names have been changed.

    Monday, November 12, 2007 3:33 PM

All replies

  •  

    Good Morning Alex,

     

    I have listed below and FAQ that discusses the configuration requirements in a 2 server deployment, which is the most common cause of the error message you are seeing.

    Please let me know if you have any questions.

    Best Regards,
    Dawn Fink

    ********************


    THE INFORMATION IN THIS ARTICLE APPLIES TO:
    ProClarity Analytics Server, ProClarity Web Standard, 5.x, 6.x

    SYMPTOMS:
    Opening a book with the Standard Web Client displays a warning message. The message states, "The cube used by this page could not be found". The message also states that the details of the condition have been recorded and sent to the web site administrator and that if immediate assistance is required, contact the administrator.

    CAUSE:
    The message fundamentally means that the ProClarity Analytic Server (PAS) could not contact Microsoft Analysis Services (MSAS) successfully. There are many reasons why this might happen. This article will cover the most common issues.

    Configuration 1:
    PAS is located on a separate machine from MSAS, and IIS authentication is set to "Windows Integrated".

    Cause:
    Because of architectural limitations in the MS model, it is not possible in an NT style domain to have the OLAP server and PAS server on separate physical machines, use NT authentication and have OLAP security respected at the same time. This is because PAS (IIS) does not receive credentials so it cannot pass them on to Analysis Services for log on.

    Resolution:
    There are a few possible solutions to this problem. Please note that this list is by no means exhaustive. Also, these suggestions are merely meant to act as a guide to troubleshooting and resolving the issue. ProClarity does not in any way guarantee factors outside the scope of the ProClarity products. These factors include, but are not limited to network security, data integrity, and general infrastructure functionality:

    1. Set the IIS authentication to Basic only. This will allow PAS (IIS) to receive credentials and pass them on to the OLAP server. Note that when this is done IIS will display a warning about credentials being passed in clear text when using this mode. The username and password will in fact still be encrypted, the encryption will just be of a very simple kind.

    2. Move MSAS and PAS (IIS) to the same machine. This will eliminate the need to pass credentials and so eliminate the problem.

    3. Do not use any security settings on MSAS. This means that everyone will have access to all of the information on the server.

    4. Configure your network to use the Kerberos authentication protocol, and then configure PAS, IIS, and Analysis Services to leverage the impersonation and delegation features of Kerberos. For further information on this, please contact ProClarity Technical Support.

    Configuration 2:
    PAS and MSAS are located on the same machine OR they are located on seperate machines AND IIS authentication is set to "Basic" and not "Windows Integrated".

    Cause:
    The user attempting to access MSAS does not have sufficient privilges to access the desired data.

    Resolution:
    Check the security roles on MSAS at both the cube level and the database level. Be sure the user has access to the data they are attempting to view.

    Configuration 3:
    PAS and MSAS are located on the same machine OR they are located on seperate machines AND IIS authentication is set to "Basic" and not "Windows Integrated" (or you are leveraging the features of the Kerberos protocol). The MSAS data has recently been migrated to another machine, the MSAS machine name has changed, one or more of the catalog names have been changed, or one or more of the cube names have been changed.

    Monday, November 12, 2007 3:33 PM
  • Hello Dawn,

     

    Thank you for your answer.

     

    After applying resolution 1 of Configuration 1 we end user must rewrite his user and password each time they open the solution.

    The cube has everyone read permission set, by the way. Do you know if there is another way to solve this keeping integrated security under this configuration.

     

    Best regards,

    Alex Berenguer

    Thursday, February 21, 2008 1:18 AM
  • Alex - Look into enabling Kerberos for your environment.  We have a similiar setup with the proclarity server on a different server than the analysis services server.

     

    I was sent a document called "ProClarity Analytics Server and Kerberos Delegation Setup.doc" by support when we were getting this setup that was very helpful.

     

    Jason

     

     

     

    Thursday, February 21, 2008 3:51 PM
  • I got the same situation.

    Where can I get this document?

    Can anyone give more detail on how to setup Kerberos for ProClarity Analytics Server?

    Thanks,
    Dos
    Sunday, July 27, 2008 5:53 PM