locked
SSAS & PAS on Different Servers using Windows Authentication RRS feed

  • Question

  •  

    Hi,

     

    I have read confusing information on this  set up and hope someone can clarify for me.

     

    My client has 2 servers;

     

    Server A contains;

     

    SQL server databases

    SSAS

    Data warehouse

    OLAP cubes (with cube security applied to different roles)

    ProClarity Analytics Server database

    ProClarity Dashboard Server database

     

     

    Server B contains;

     

    ProClarity Analytics Server (windows authentication only and set to use OLAP security in Admin tool)

    ProClarity Dashboard Server (windows authentication only)

    SS Reporting Services

     

    Can this scenario be implemented using integrated windows authentication?  I tested it on 2 virtual pc's and it seemed to work fine however I have read that it is not advisable to install SSAS and PAS on separate computers unless I use basic authentication.  In my testing, I set the PAS and Dashboard virtual directories to use windows authenication and changed the web config file in the dashboard server files to use windows authentication too. I added the PAS site to the local intranet list of sites and set security for this site to use automatic authentication for local intranet sites only. I then ran the dashboard as one of my test users who had cube security applied and I was asked for no passwords at any time and the correct dimensions (as dictated by the security attached to the role) were displayed.

     

    Could someone please explain why it is not advised to have SSAS and PAS on the same computer as I didn't seem to have / notice any problems?   

     

     

    Thanks!

     

     

    Tuesday, April 29, 2008 10:59 PM

Answers

  • You can use integrated authentication in both situations: where PAS resides on the same server as SQL/SSAS or where PAS resides on another server.  The issue that arises when PAS is on a different machine is that Kerberos has to be configured to delegate the logged in user credentials from the client browser to the cube, so that the user is allowed to read cube data.  I suspect that you may have gotten around this step by setting the automatic authentication for internal sites option.  The document that you refer to in your initial post is likely referring to having some prompt for the user to enter credentials, which would be considered more secure than the automatic option.  If SQL/SSAS and PAS are on the same server, then you shouldn't experience any issues using integrated authentication at all.  Does this answer your question?

     

    Thanks,

     

    Bob

    Monday, May 5, 2008 4:32 PM

All replies

  • You should be fine to run PAS and SQL on the same server.  The general concern for running both on the same server would be the resources (or lack thereof) available for each of the processes compared with how many concurrent users are accessing PAS and in what ways they are manipulating the views published to the PAS site, if at all.

     

    Hope this helps,

     

    Bob

     

    Wednesday, April 30, 2008 2:00 PM
  • Thanks but my issue was more with the ability to use windows authentication when PAS and SQL are on the same server and OLAP security is being used.  I wondered why you can't use windows authenication for this setup?

     

    Thanks.

     

    Monday, May 5, 2008 7:41 AM
  • You can use integrated authentication in both situations: where PAS resides on the same server as SQL/SSAS or where PAS resides on another server.  The issue that arises when PAS is on a different machine is that Kerberos has to be configured to delegate the logged in user credentials from the client browser to the cube, so that the user is allowed to read cube data.  I suspect that you may have gotten around this step by setting the automatic authentication for internal sites option.  The document that you refer to in your initial post is likely referring to having some prompt for the user to enter credentials, which would be considered more secure than the automatic option.  If SQL/SSAS and PAS are on the same server, then you shouldn't experience any issues using integrated authentication at all.  Does this answer your question?

     

    Thanks,

     

    Bob

    Monday, May 5, 2008 4:32 PM
  • Yes, I did set automatic authentication on internal sites.  Thanks, that answers my question, cheers!

    Tuesday, May 6, 2008 8:40 AM