Analysis Services and “Double Hop” Authentication
Working with Microsoft® SQL Server 2005 Analysis Services can be a challenge in a secure environment. For whatever reason, Microsoft® has chosen to not fully integrate Analysis Services and Kerberos out of the box, which means that administrators of Analysis Services must do a bit of work to get it to play nice when there are intermediate hosts, such as Windows SharePoint Portal Server or Internet Information Server involved. In Analysis Services, a "Double Hop" occurs when the client is not directly connected to the Analysis Services Server, such as when remotely browsing a SharePoint site that is configured to retrieve data from Analysis Services (Like a Dashboard page with KPI indicators that get their data from a cube hosted on a remote Analysis Services instance). In order to correctly deal with double hop authentication, Kerberos (The underlying authentication mechanism used by Active Directory) must be able to properly pass the user's credentials to Analysis Services. In order to accomplish this, Analysis Services must be configured to utilize Kerberos properly, which is not done automatically when installing Analysis Services. The steps to configure Analysis Services to utilize Kerberos are detailed in Microsoft KB Article 917409, which can be read here: http://support.microsoft.com/kb/917409/en-us , however a quick overview of the process is: If you go through the above steps, Analysis Services should be configured to use Kerberos and should be able to participate in double-hop authentication. As more Analysis Services applications come online, this will be something that everyone has to worry about, so hopefully this article has helped alleviate the problem.Double Hop Authentication
Configuring Analysis Services for use with Kerberos
No comments:
Post a Comment