locked
Question regarding ProClarity Authentication. RRS feed

  • Question

  • Hello,

    I am having some issues with connecting to the PAS server with the Administrator plugin and the Professional Developers application as well.  For about two weeks, everything was working fine, and now I can no longer connect.  Other users are unaffected.

    The error appears to be an authentication based error.
    Within the Admin tool, when it used to connect automatically and authenticate, now it asks for my login and password, and never accepts it.  Professional is the same way.

    If I remote desktop into another machine, I can connect just fine.  If another user attempts to use my machine, they cannot connect.  The weird thing is, this is now a brand new machine with fresh installs of everything...! 

    I am looking for information on how authentication really works so I can than do some further troubleshoothing.
    Server version is 6.2.204.204

    There are some warnings in the event log on the PAS server, but they mean nothing to me.

    0x80072020
    0x80070035



    Thursday, December 20, 2007 4:09 PM

Answers

  • Mike,

     

    All PAS authentication is done through IIS.  So, the settings in your PAS virtual directory and your IE browser have a big impact on what is happening.  I'm going to make a couple assumptions based on what your describing.  First, you were able to connect with the Admin tool for some time and do so without logging in.  Also, you configured a brand new machine and are still seeing the log in prompt.  Finally, you are not talking about connection problems with the OLAP server right now.   

     

    First, check that the enhanced IE security is turned off on PAS.  Also, try turning off the firewall for the server.  Next make sure you are an administrator on the local server.  Try setting PAS to use only Basic authentication which allows you to specify an exact user when logging in to the Admin tool or the web page or connectiong via the Pro client.  You can move to Integrated authentication, which should eliminate the prompt by using the current user you are logged in to Windows with, after you verify Basic is working.  I would also verify that the SQL user you configured for PAS to talk with its SQL repository DB is the same in both the IIS metadata/PAS Admin tool and on the SQL Server.  Make sure that the username and password match in both places and that the password satisfies the SQL Server password requirements.  Finally, one of the codes you list indicates some possible issues with connecting to your Active Directory domain controllers. 

     

    On the authorization layer - which is where PAS itself decides who has access to the PAS objects, make sure you are an administrator.  Here are some helpful instructions.

     

    Assign 'Everyone' to the PAS administration role.

    From the SQL Enterprise Manager, open the Briefing Book database.
    Return all rows for the 'Roles' table.
    Find the 'Administrator' record and copy the 'RoleID' GUID for this record to the clipboard.
    Close the 'Roles' table. Return all rows for the 'Members' table.
    Navigate to the bottom of this table and place the cursor in a new record.
    Paste the GUID from step 3 into the 'MemberID' column.
    In the 'Caption' column, type "Everyone".
    In the 'SID' column, type "S-1-1-0".
    The 'Created By' column should have "ProClarity" entered, and the 'CreatedTime' and 'ModifiedTime' columns can be blank.
    Paste the GUID from step 3 into the 'RoleID' column.
    The 'MemberType' column should contain the test "UNIVERSAL".
    Save the table and close it.
    NOTE: Approach 3 will place the 'Everyone' group in the PAS administrator role. This is likely not a desirable model as it will give all users administrative privileges on PAS. When security has been setup, remove the 'Everyone' group from the admin role.

     

    -Joey

    Thursday, December 20, 2007 5:41 PM

All replies

  • Mike,

     

    All PAS authentication is done through IIS.  So, the settings in your PAS virtual directory and your IE browser have a big impact on what is happening.  I'm going to make a couple assumptions based on what your describing.  First, you were able to connect with the Admin tool for some time and do so without logging in.  Also, you configured a brand new machine and are still seeing the log in prompt.  Finally, you are not talking about connection problems with the OLAP server right now.   

     

    First, check that the enhanced IE security is turned off on PAS.  Also, try turning off the firewall for the server.  Next make sure you are an administrator on the local server.  Try setting PAS to use only Basic authentication which allows you to specify an exact user when logging in to the Admin tool or the web page or connectiong via the Pro client.  You can move to Integrated authentication, which should eliminate the prompt by using the current user you are logged in to Windows with, after you verify Basic is working.  I would also verify that the SQL user you configured for PAS to talk with its SQL repository DB is the same in both the IIS metadata/PAS Admin tool and on the SQL Server.  Make sure that the username and password match in both places and that the password satisfies the SQL Server password requirements.  Finally, one of the codes you list indicates some possible issues with connecting to your Active Directory domain controllers. 

     

    On the authorization layer - which is where PAS itself decides who has access to the PAS objects, make sure you are an administrator.  Here are some helpful instructions.

     

    Assign 'Everyone' to the PAS administration role.

    From the SQL Enterprise Manager, open the Briefing Book database.
    Return all rows for the 'Roles' table.
    Find the 'Administrator' record and copy the 'RoleID' GUID for this record to the clipboard.
    Close the 'Roles' table. Return all rows for the 'Members' table.
    Navigate to the bottom of this table and place the cursor in a new record.
    Paste the GUID from step 3 into the 'MemberID' column.
    In the 'Caption' column, type "Everyone".
    In the 'SID' column, type "S-1-1-0".
    The 'Created By' column should have "ProClarity" entered, and the 'CreatedTime' and 'ModifiedTime' columns can be blank.
    Paste the GUID from step 3 into the 'RoleID' column.
    The 'MemberType' column should contain the test "UNIVERSAL".
    Save the table and close it.
    NOTE: Approach 3 will place the 'Everyone' group in the PAS administrator role. This is likely not a desirable model as it will give all users administrative privileges on PAS. When security has been setup, remove the 'Everyone' group from the admin role.

     

    -Joey

    Thursday, December 20, 2007 5:41 PM
  • Hi Joey,

    Thanks for the insights on how this works.
    Unfortunately this is a very strict environment which is production and working for most people.
    Giving everyone Administrator access is out of the question.  We are currently using integrated authentication.  Trying basic even to test will not be possible.

    I will talk to our system admins about making myself an Admin of the server (which is normally against SOP) for testing purposes.  It should be noted everything is working fine for everyone else (4-5 developers, 100's of users)

    I think it might be an authentication issue to the Domain Conrtoller, but the errors give no insight as to what the problem is. 
    Do you have more details on what the actual errors mean, so I can talk with our system admins to look into something?  They are willing to help but need more info besides "theres an error code with no description."

    Thanks for your response and help,
    Mike



    Thursday, December 20, 2007 5:52 PM
  • Since it sounds like an IIS authentication issue, a good test is to try to access to the PAS virtual directory with a browser.  This will give you standard HTTP error codes if there's a problem, and will show information in the IIS logs that may be more familiar to the systems guys.  Just open IE and navigate to http://machine/pas (or whatever you named the virtual directory if you didn't use the default) and see if you can get in that way and if not, what the errors are.  Once you can get to the virtual directory with the browser, I would bet the Pro and Admin Tool will start working for you again.

     

    Thursday, December 20, 2007 6:42 PM
  • I should have mentioned in my earlier post that the IE client works just fine, until I load the developer client (professional) and try to download a book.




    Thursday, December 20, 2007 8:47 PM
  • Try collecting the IIS logs from your attempt to download a book.  This should give some insight on why the request is failing.  What behavior/error do you get when Pro fails to retrieve a book?  It reads as though your the only user with this issue, correct?  Try your user on another machine.

     

    -Joey

    Thursday, December 20, 2007 9:14 PM
  • Ill ask the sysadmins for the IIS logs.
    My ID works fine...from another machine.  Others peoples ID's work fine...from other machines.
    Only my specific PC has this issue...and im on the 4th different machine in 3 weeks.  Thats whats making this so bizzare.  Im not sure if there a driver conflict, a OS update conflict or what.

    The behavior when trying to download a book is the same as when trying to connect via the Admin tool..it refuses to accept my windows authentication and keeps prompting me over and over, without accepting anything.

    Right now I am doing my development from an RDP session on a spare PC....which is fine short term.
    Long term im worried if this problems spreads to our other developers.

    Thanks for the ideas though, keep em coming!

    - Mike

    Thursday, December 20, 2007 9:19 PM
  • If you can get to the PAS site with the browser and everything works fine from another machine, there's a pretty good chance you're not dealing with an IIS authentication issue as such.  It sounds like something is failing when you're attempting to retrieve a briefing book and that is simply being manifest as a failed authentication, which leads to the prompt for your credentials.

     

    The IIS log might give you some clues.  Also, what is the exact message logged in the PAS event log on the server when you try to retrieve a book?  Finally, I'm guessing you have, but have you tried just uninstalling and re-installing ProClarity Pro on your machine, since it seems to be a specific issue with that machine?  Or, is a better question how many times have you uninstalled and re-installed it?

     

    Thursday, December 20, 2007 11:06 PM
  • Its not just retrieving a book, its also trying to connect via the Admin tool.  It wont connect at all via the Admin tool.

    Yes, ive uninstalled and reinstalled many times.  Several times per machine.
    I will look at the logs in more detail this evening.  I quickly scanned them today and didn't see anything odd at all.


    Friday, December 21, 2007 12:06 AM