
BusinessObjects OLAP Intelligence XI

Configuring Microsoft Analysis Services Security

Overview

BusinessObjects OLAP Intelligence XI allows users to connect to and design custom applications against OLAP data sources. OLAP Intelligence XI and its web components use the Microsoft security system to regulate data access for each user when connecting to a Microsoft Analysis Services OLAP cube.

This document discusses how the different OLAP Intelligence components work with the Microsoft security system to regulate data access, as well as how to configure these components for a specific security model and server environment.

Contents

INTRODUCTION 3
MICROSOFT ANALYSIS SERVICES SECURITY 3
    Security roles 3
        Database roles 3
        Cube roles 3
    Authentication 4
        Passing local user accounts 4
        Passing user accounts across domains 4
MICROSOFT ANALYSIS SERVICES SECURITY AND THE OLAP INTELLIGENCE DESKTOP DESIGNER 5
    Requirements 5
    Adding a server connection 5
CONFIGURING MICROSOFT ANALYSIS SECURITY FOR THE BUSINESSOBJECTS ENTERPRISE ENVIRONMENT 6
VIEWING OLAP INTELLIGENCE REPORTS WITH THE ACTIVEX INTERACTIVE VIEWER 7
    Requirements 7
    Benefits 8
    Limitations 8

8/26/2005 1:17:00 PM Copyright © 2005 Business Objects. All rights reserved. Page 1


VIEWING OLAP INTELLIGENCE REPORTS USING THE DHTML INTERACTIVE VIEWER 9
    Setting data source logon option in the Central Management Console 10
        Logon using Web Component Adapter credentials 10
            Passing credentials from a Java web application server 11
            Passing credentials from Internet Information Services 12
        Secondary logon for each application 13
        Logon using specific credentials 15
CONFIGURING THE WEB COMPONENT ADAPTER FOR DELEGATION 15
    Prerequisites 15
    Enabling Kerberos security support on the Web Component Adapter 15
    Configure Active Directory account settings 16
        Web Component Adapter account 16
        Target user accounts 16
    Configuring DCOM components 17
        Configuring DCOM for IIS on Windows 2000 17
        Configuring DCOM for Internet Information Services 6 and Windows 2003 18
    Verifying that WCA delegation is working 19
FINDING MORE INFORMATION 20
    Supported platforms 20
    Improving performance and scalability 20
    Configuring web application servers 20


Introduction

This document is intended for users who design reports with BusinessObjects OLAP Intelligence XI, and distribute them with BusinessObjects Enterprise XI. This document discusses how the different OLAP Intelligence components work with the Microsoft security system to regulate data access, as well as how to configure these components for a specific security model and server environment.

Microsoft Analysis Services security

Security roles

Microsoft Analysis Services allows an OLAP Intelligence administrator to restrict access to cubes, dimensions, members, or cells based on the logon credentials supplied by the client application. The OLAP administrator does this by creating security roles in the Analysis Services Manager. A security role defines a set of Microsoft Windows NT 4, Windows 2000, and Windows 2003 user accounts and groups that have the same access to SQL Server 2000 Analysis Services data. OLAP Intelligence supports two types of security roles: database and cube.

Database roles

Database roles are defined at the Analysis Services database level, and are maintained in the Database Role Manager. A database role can be assigned to multiple cubes and is used to limit access to specific cubes and their dimension members.

Cube roles

Cube roles are created at the cube level when a database role is assigned to a cube. They are maintained in the Cube Role Manager (Figure 1) and apply to a single cube. Defaults in a cube role are derived from the database role of the same name, but some of these defaults may be overridden in the cube role. A cube role contains additional options, such as cell security, that are not contained in a database role.

IMPORTANT

A security role must be defined for a cube in order for users to access it from a client application such as OLAP Intelligence. If no roles are defined for a cube, then only users who belong to the OLAP administrators group on the Analysis Services server will be able to access it.


Figure 1 – Cube Role Manager

Authentication

To connect to an Analysis Services server on which role security is enabled, a user must first be successfully authenticated. Once the user’s identity has been established, the Analysis Services server evaluates its security roles and then restricts or grants access to cube objects and data, accordingly. Security roles contain Windows NT 4, Windows 2000, or Windows 2003 user accounts and groups. Consider the following situations where the end user account fails to be authenticated by the Analysis Services server:

Passing local user accounts

Local user accounts may be created on any computer running a Windows NT 4, Windows 2000, Windows 2003, or Windows XP operating system. These accounts are recognized only on the computer on which they were created. If a client application attempts to pass the credentials of a local user account to an Analysis Services server running on a remote computer, the local user account will fail to authenticate.

Passing user accounts across domains

The ability to authenticate user accounts across domains depends on the Security Support Provider Interface (SSPI). According to Microsoft documentation, if the provider is NTLM (NT LAN Manager), access to an Analysis Services server requires an end user to be a member of the same domain as the user account with which the Analysis Services server is installed, or to be a member of a trusted domain. By default, OLAP Intelligence is configured to use the NTLM provider.

IMPORTANT A user account that fails to authenticate on the Analysis Services server might still be granted access to cubes. On Windows 2000, if a security role that includes the Everyone group has been defined for an Analysis Services cube, then even unknown or anonymous users may access the cube data. On Windows 2003, however, anonymous connections are not permitted.


Microsoft Analysis Services security and the OLAP Intelligence Desktop Designer

This section discusses using Microsoft Analysis Services security with the OLAP Intelligence Desktop Designer.

Requirements

Pivot Table Services Service Pack 3 must be installed locally on the client computer before you are able to create an OLAP Intelligence report that connects to a Microsoft Analysis Services cube.

If Microsoft Analysis Services is running on a remote server, you must log on to the client computer, on which OLAP Intelligence is installed, using a domain account. This domain account must belong to a security role that has been defined and enabled for the target cube.

Adding a server connection

When setting up a new connection to the OLAP server in the Connection Properties dialog, use the values in Table 1.

Field        Value
Server Type  Type the appropriate provider for the version of your Microsoft OLAP data source:
             - Microsoft OLE DB Provider for OLAP Services (for Microsoft SQL Server 7 OLAP cubes)
             - Microsoft OLE DB Provider for OLAP Services 8 (for Analysis Services 2000 (and earlier versions) OLAP cubes)
Caption      Type a caption for the server connection as it appears in the Crystal OLAP Connection Browser.
Server       Type the computer name or IP address of the Analysis Services server.

Table 1 – Connection Properties

NOTE Leave the user name and password boxes blank if you are connecting to Analysis Services cubes on a remote server.

The user name and password values are only used if the OLAP Intelligence Desktop Designer and the Microsoft Analysis Services server are installed on the same computer.

If the user name and password boxes are left blank, OLAP Intelligence passes the Windows credentials of the currently logged on user to the Analysis Services server for authentication. This is the account with which the application process has been started. In certain situations, the current user’s Windows credentials may not be sufficient to access the Analysis cubes on the server. Refer to the previous section about Microsoft Analysis Services Security for more information.

If you do not wish to pass the credentials of the currently logged on user, you have the option of changing the credentials that are passed. To change the credentials, complete these steps:

1. Create a shortcut to the file Olapi.exe.

2. Right-click the shortcut and click Properties.

3. Select the Run as a different user check box. When you start the OLAP Intelligence Desktop Designer, you are prompted to run the program as a different user. OLAP Intelligence then logs on to the Analysis Services server using these credentials.

Configuring Microsoft Analysis Security for the BusinessObjects Enterprise environment

In order to manage published OLAP Intelligence reports in the BusinessObjects Enterprise Administration Launchpad, you must install the Microsoft Analysis Services OLEDB Providers on the web application or IIS server. You can obtain these drivers by installing the Pivot Table Services package from the SQL Server 2000 Service Pack 3 for Analysis Services.

The previous section describes the authentication process when you create a new report in the OLAP Intelligence Desktop Designer. After you publish the report to a BusinessObjects Enterprise system, you can specify how credentials are passed to the Microsoft Analysis Services server when a user makes a request to view it in a web browser. To specify how the credentials are passed, complete these steps:

1. In the Central Management Console (CMC), navigate to the published OLAP Intelligence report.

2. View its properties.

3. On the Data Source Logon tab, click one of the following three options:

Logon using Web Component Adapter credentials

Secondary logon for each application

Logon using specific credentials


The option that you should select here depends on the following three factors:

• The viewer that your end users use to display published OLAP Intelligence reports in their browsers.

• The security roles that have been defined on the Analysis Services server.

• Whether the Web Application server and Microsoft Analysis Server reside on the same or separate computers.

Viewing OLAP Intelligence reports with the ActiveX Interactive Viewer

Figure 2 below illustrates the workflow of authenticating to the Microsoft Analysis Server from the ActiveX Interactive Viewer. Like the OLAP Intelligence Desktop Designer, the Viewer is based on thick-client architecture. The Viewer authenticates directly to the Analysis Services server by passing the Windows credentials of the user who is logged on to the client computer. Essentially, the requirements for the Viewer are the same as those for the Application Designer.

Figure 2 - Authenticating to Analysis Server from the ActiveX Interactive Viewer (figure: ActiveX Viewer Plug-in, Pivot Table Services, Microsoft Analysis Server, Web Application server, Web Component Adapter)

Requirements

Pivot Table Services must be installed locally on the client computer before an OLAP Intelligence report is viewed for the first time in the ActiveX Interactive Viewer.

The end user must be logged on to the ActiveX Interactive Viewer computer with a domain account. The domain account must also belong to a security role that has been defined and enabled for the target cube.

On the Data Source Logon tab for the OLAP Intelligence report, the Logon using Web Component Adapter credentials check box must be selected. If another option is enabled, authentication will fail when the report is viewed in the ActiveX Interactive Viewer.

Benefits

The OLAP Intelligence ActiveX Interactive Viewer is ideal for a security model that restricts access to data on the Analysis Server based on the identity of the requesting user. Another benefit is that the authentication process is invisible to the user. As long as the user is logged on to the client computer with a Windows account that has the necessary permissions to access the cube, the user will not be prompted to supply additional logon information when viewing a report.

Limitations

The OLAP Intelligence ActiveX Interactive Viewer cannot be used to authenticate directly to the Analysis Services server if any of the following conditions apply:

• End users log on to their client computers with a local computer user account or a domain account that is not trusted by the Analysis Services server.

• End users view OLAP Intelligence reports on computers that are not registered on the intranet. The client computer must be able to resolve the IP address of the Analysis Services server in order to authenticate.

• End users authenticate to the Analysis Services server by passing the credentials of a different Windows account (not the credentials that they used to log on to the client computer).

If any of these limitations apply, the DHTML interactive viewer can be used instead to view published OLAP Intelligence reports.

IMPORTANT If any of these limitations apply, but you still want to use the ActiveX Interactive Viewer to view OLAP Intelligence reports, a possible workaround is to connect to the Analysis Server using HTTP authentication. Consult Microsoft documentation for details on how to set up HTTP authentication in Internet Information Services.


Viewing OLAP Intelligence Reports using the DHTML Interactive Viewer

Figure 3 illustrates the workflow for authenticating a user on the Analysis Services server when a report is viewed in the OLAP Intelligence DHTML Interactive viewer. Because the DHTML Interactive viewer is a thin client, the work of connecting to and retrieving data from the Analysis Services server is performed by the Web Component Adapter (WCA) application on the web application server. The Microsoft connectivity components, Pivot Table Services, must be installed on the web application server computer.

Figure 3 - Authenticating to the Analysis Server from the DHTML Viewer (figure: DHTML Viewer in Web Browser; Web Application server (Java or IIS) hosting the Web Component Adapter and Pivot Table Services; Analysis Server)

The web server communicates directly with the application server that hosts the BusinessObjects Enterprise SDK. The WCA runs within the application server and provides all services that are not directly supported by the BusinessObjects Enterprise SDK. The web server passes requests directly to the application server, which then forwards the requests to the WCA. The WCA has two primary roles:

• To process ASP.NET (.aspx) and Java Server Pages (.jsp) files.

• To support Business Objects applications such as the Central Management Console (CMC), Crystal report viewers, and the OLAP Intelligence DHTML Interactive Viewer.

NOTE In Crystal Enterprise 10, the communication between the web server and the application server is handled by the Web Connector and Web Component Server (WCS). In BusinessObjects Enterprise XI, the web server communicates directly with the application server. The WCA handles the WCS functionality on the Windows and UNIX platforms.

Setting data source logon option in the Central Management Console

When viewing OLAP Intelligence reports in the ActiveX Interactive Viewer, only the Logon using Web Component Adapter Credentials option on the Data Source Logon tab (Figure 4) is applicable.

If you are using the DHTML Interactive Viewer, you can set this option to one of three properties that are described in the following sections.

Figure 4 – Data Source Logon Tab

Logon using Web Component Adapter credentials

The Logon using Web Component Adapter Credentials option is selected by default when you publish an OLAP Intelligence report to a BusinessObjects Enterprise system. It is appropriate only when all users require generic access to the cube data. Since users who request to view OLAP Intelligence reports are always authenticated with the same WCA account credentials, they will all have access to the same data.

The WCA application is loaded by the web server application process that hosts it. See Table 2 for a matrix of the main supported web application servers and their corresponding process names:

Web Application Server Process Name

Internet Information Services 5 Aspnet_wp.exe

Internet Information Services 6 W3wp.exe

Apache Tomcat 5 Tomcat5.exe

Table 2 – Web Application Server Process Names


The web application server process always runs under a specific Windows account. When a user makes a request to view a report with the DHTML Interactive Viewer, the WCA launches an out-of-process component. This component loads the data connectivity layer and then attempts to connect to the Analysis Services server by passing its process identity for authentication. Using an out-of-process server component has the following advantages:

• Increased flexibility in terms of the identity used (IIS only).

• Added security because an additional process hop makes it more difficult for an attacker to access the data on the Analysis Services server.

• Increased scalability to handle a large number of users. After a certain number of requests, the WCA launches another instance of the component to handle new incoming requests.

By default, the out-of-process component is run using the same identity as the web application server. The Windows account under which the out-of-process component runs must belong to a security role on the Analysis Server or else authentication will fail.

Web application server processes typically run under local computer accounts such as Local System, Network Service (Windows 2003), or ASPNET (Windows 2000). These local accounts work well if the web application server and the Analysis Services server are running on the same computer. If the web application server and Analysis Services server are running on different computers, however, the out-of-process component must pass the credentials of a Windows domain account. Computer accounts local to the web application server are not recognized on the remote Analysis Services server.

Passing credentials from a Java web application server

If you use a Java web application server that has been started as a Windows service, you can change the account that it starts with to a domain account from the Microsoft Management Console. Consult the vendor documentation of the specific web application server product that you are running for more information.

Figure 5 illustrates how Windows credentials are presented to the Analysis Services server when the WCA is loaded by a Java application server, specifically Apache Tomcat. The WCA launches an out-of-process CORBA component called olapworker.exe that runs under the same identity as the Tomcat service.


Figure 5 - Passing credentials to the Analysis Server when the WCA is loaded by Apache Tomcat Server (figure: Web Server; Java Web Application Process (Tomcat5.exe) running as domain user “MyServAccount”; the Web Component Adapter launches the out-of-process CORBA component (olapworker.exe), which presents credentials for domain user “MyServAccount” to Microsoft Analysis Services on a remote computer)

Passing credentials from Internet Information Services

Figure 6 illustrates how credentials are passed to the Analysis Services server when the WCA has been deployed on an Internet Information Services server. The WCA launches an out-of-process DCOM component called olapsessions.exe. By default, the DCOM component runs under the same identity as the ASP.NET application process (w3wp.exe).

Figure 6 - Passing credentials to the Analysis Server when the WCA is loaded by IIS (figure: IIS Web Server; ASP.NET Application Process (w3wp.exe) running as domain user “MyServAccount”; the Web Component Adapter launches the out-of-process DCOM component (olapsessions.exe), which presents credentials for domain user “MyServAccount” to Microsoft Analysis Services on a remote computer)

There are several ways to modify the account with which the DCOM component olapsessions.exe is launched.

The simplest approach is to modify the account that runs the ASP.NET application process (w3wp.exe). The DCOM component, olapsessions.exe, automatically launches under the same identity as the application process that calls it. There are several ways to modify the identity of the ASP.NET application process:

• Configure a new application pool in IIS 6 to run under a specific account and then add the InfoView application to the application pool.

• Impersonate a specific identity by setting user name and password attributes for the <identity> element in the web.config file. This file is located in the root directory of the InfoView application.

Consult Microsoft documentation for more information about changing the ASP.NET application process account.

Changing the identity of the application process could reduce the security of your web application, as in the case where the application must be set to run under a domain account in order to access a network resource. A more secure and flexible approach is to configure the launching identity of the DCOM component directly. You can configure the DCOM component olapsessions.exe to run under an account that is different from the web application server process that launches it. This allows you to isolate privileged access for a network resource to only the DCOM component that needs to use it.

For more information on how to configure the identity of the DCOM component directly, refer to the section Configuring DCOM components.
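As an added administrator's check (this script is not from the Business Objects document and is not part of the product), the following PowerShell reports the Windows account under which each web application server process listed in Table 2 and the two out-of-process components named above (olapworker.exe and olapsessions.exe) are running, flags accounts that are local to the web application server (which the text explains are not recognized by a remote Analysis Services server), and inspects the InfoView web.config <identity> element to show whether fixed credentials have been placed in the application process rather than on the DCOM component. It assumes PowerShell and WMI are available on the web application server; the web.config path is a placeholder to be replaced with the real InfoView root.

```powershell
# Added audit script (not part of the Business Objects document). It reports the
# Windows account under which each web application server process from Table 2
# and the two out-of-process components (olapworker.exe, olapsessions.exe) run,
# flags accounts local to this computer, and inspects the InfoView web.config
# <identity> element. Assumptions: PowerShell and WMI are available on the web
# application server; the web.config path below is a placeholder.

param(
    [string]$InfoViewWebConfig = 'C:\PLACEHOLDER_INFOVIEW_ROOT\web.config'
)

# Process names from Table 2 plus the out-of-process components named in the text.
$ProcessNames = @('aspnet_wp.exe', 'w3wp.exe', 'Tomcat5.exe',
                  'olapworker.exe', 'olapsessions.exe')

function Get-WcaProcessIdentity {
    # One record per running instance: the account that will be presented to
    # Analysis Services when the component connects with its process identity.
    foreach ($name in $ProcessNames) {
        $procs = Get-WmiObject -Class Win32_Process -Filter "Name = '$name'"
        foreach ($p in @($procs)) {
            if ($null -eq $p) { continue }
            $owner = $p.GetOwner()
            if ($owner.ReturnValue -ne 0) { continue }   # token not readable; run elevated
            # Local and built-in accounts (Local System, Network Service, ASPNET)
            # are not recognized by an Analysis Services server on another computer.
            $isLocal = ($owner.Domain -eq $env:COMPUTERNAME) -or
                       ($owner.Domain -eq 'NT AUTHORITY')
            if ($isLocal) {
                $remark = 'local account: only valid if Analysis Services runs on this computer'
            } else {
                $remark = 'domain account: usable for a remote Analysis Services server'
            }
            [pscustomobject]@{
                Process = $name
                PID     = $p.ProcessId
                Account = '{0}\{1}' -f $owner.Domain, $owner.User
                Remark  = $remark
            }
        }
    }
}

function Test-InfoViewIdentityElement {
    # Reports how the <identity> element in web.config changes the ASP.NET
    # process identity. Fixed credentials there apply to the whole application
    # process, which the text contrasts with setting the DCOM launch identity.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return "web.config not found: $Path" }
    [xml]$config = Get-Content -Path $Path
    $identity = $config.configuration.'system.web'.identity
    if ($null -eq $identity) {
        return 'no <identity> element: ASP.NET runs as the application pool / process account'
    }
    if ($identity.impersonate -ne 'true') {
        return 'impersonation not enabled: requests run as the process account'
    }
    if ($identity.userName -and $identity.password) {
        return ('WARNING: fixed credentials for {0} configured in web.config; ' +
                'the whole ASP.NET process, not only olapsessions.exe, gains this account') -f $identity.userName
    }
    return 'impersonate="true" with no fixed credentials: requests run as the authenticated caller'
}

Get-WcaProcessIdentity | Format-Table -AutoSize
Test-InfoViewIdentityElement -Path $InfoViewWebConfig
```

Run it on the web application server while a DHTML Interactive Viewer request is being served so that olapsessions.exe or olapworker.exe is present; an instance reported with a local account while Analysis Services is on another computer is the authentication failure the text describes, and a WARNING from the web.config check marks the broader-than-necessary identity change the text recommends replacing with a DCOM launch identity.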

Secondary logon for each application

The Secondary Logon for each Application option for each application should be enabled if you have a more complex role security model that restricts access to cube data based on the identity of the user making the request.

For example, an OLAP Intelligence administrator has defined different security roles for sales managers in Region 1 and Region 2 and wishes to restrict their read access to only the data that applies to their region. The data that is presented in the OLAP Intelligence report will change depending on the identity of the user who makes the request. When the credentials of the requesting user are passed to the Analysis Services server for authentication, the server determines that user’s security roles and then returns the corresponding data.


When the Secondary Logon for each Application option for an OLAP Intelligence report is enabled, whenever a user makes a request to view a report in the DHTML Interactive Viewer, a logon screen appears. Instead of passing its own process credentials, the WCA sends the credentials supplied by the user (through the Secondary Logon dialog box) to the Analysis Server for authentication (Figure 7).

Figure 7 - Passing secondary logon credentials to a remote Analysis Services server.

(Diagram labels: Web Server hosting the web application server process, running as domain user “MyServAccount”; it launches an out-of-process serviced component, the Web Component Adapter, which also runs under “MyServAccount”; Secondary Logon Dialog, in which the user enters their own account credentials, “MyUserAccount”; the WCA impersonates domain user “MyUserAccount” when it connects to Microsoft Analysis Services on the remote computer.)

The WCA passes the credentials through a process known as impersonation. Impersonation is the ability of a thread to execute in a different security context from the context of the process that owns the thread. In this case, the user account “MyServAccount” impersonates the user “MyUserAccount”.

Various levels of impersonation are supported by Microsoft operating systems. The following two are relevant when configuring OLAP Intelligence reports to use secondary logon:

• The Impersonate level is sufficient for secondary logon to work when the WCA and the Analysis Services server are running on the same computer. No additional configuration is required aside from enabling the Secondary Logon for each Application option.

• The Delegate level is required if the Analysis Services server runs on a remote server, as shown in Figure 5, because the WCA must be able to impersonate at this level to successfully pass secondary logon credentials.

Enabling secondary logon for an OLAP Intelligence report in a distributed server environment requires additional configuration, specifically enabling Kerberos for the WCA. For the detailed steps, refer to the section Configuring the Web Component Adapter for delegation.

Logon using specific credentials

The technical requirements for enabling the option Logon Using Specific Credentials are identical to those for enabling the option Secondary Logon for each Application. When this option is enabled, instead of prompting the end user to provide credentials, the WCA passes the credentials that have been stored for the report on the Data Source Logon tab.

This option is suitable when you need to restrict access to cube data for different groups of users at the report level. You may, for example, have a report that shows total sales. Sales managers from each region normally do not have access to all data in the Sales Reporting cube. By setting this report to log on with the credentials of a super user that does have this access, regional sales managers are able to view this report that shows total sales for all regions.

As with secondary logon, the WCA has to impersonate the specific user account that has been stored for the report on the Data Source Logon tab. To use this option in a distributed environment, where the WCA and Analysis Server are running on separate computers, proceed to the next section.

Configuring the Web Component Adapter for delegation

Prerequisites

The following are the prerequisites for configuring the WCA for delegation:

• The computers hosting the WCA and Analysis Server must be running Windows 2000 or later in an Active Directory domain.

• The Analysis Services server must be configured to use Kerberos authentication. To use Kerberos authentication, you must install Analysis Services Service Pack 3 (SP3) or later on the Analysis Services server computer. Search for knowledge base article number 828280 on the Microsoft support site for additional information.

Enabling Kerberos security support on the Web Component Adapter

By default, the WCA uses NTLM as the authentication method to connect to the Analysis Services server. NTLM, however, does not support delegate-level impersonation. To configure the WCA to use Kerberos as the authentication method, you must manually add a registry value as follows:


1. On the computer where the WCA is installed, start the Registry Editor and create the following registry subkey:

HKLM\Software\Business Objects\Suite 11.0\OLAP Intelligence\OCCA(o)\SOFA\ODBO\MSOLAP

2. Add a registry entry to the MSOLAP subkey called SecurityPackage. The SecurityPackage entry can contain one of the text string values in Table 3.

Value       Description

NTLM        Use the NTLM security protocol. This is the default and is used when the registry subkey is not present.

Kerberos    Use the Kerberos security protocol.

Negotiate   Use Kerberos if supported; otherwise, use NTLM.

Table 3 - Values for SecurityPackage Registry Entry

3. Set the value of the SecurityPackage registry entry to “Kerberos”.

Configure Active Directory account settings

Use the Active Directory Users and Computers management console to configure permissions for the relevant accounts.

Web Component Adapter account

The WCA runs under the identity of the web application server process. This is the user account that impersonates other user accounts. The policy for this user account must be enabled with Account is trusted for delegation. You can modify user account policies in the Active Directory Users and Computers snap-in for the Microsoft Management Console.

The web application server does not necessarily have to run under a domain user account. If the web application server process runs under the Local System account, then enable the Trust computer for delegation option. This option provides the Local System account on the computer where the web application server is installed the ability to perform impersonation at the delegate level.

Target user accounts

The target user accounts are the user accounts that are passed to the WCA for impersonation. For the Secondary Logon for each Application option, the target account is entered by the requesting user at run time in the Secondary Logon window. For the Logon Using Specific Credentials option, the target account is hard-coded by the administrator on the Data Source Logon tab in the Central Management Console. Target user account policies must not have the Active Directory option Account is sensitive and cannot be delegated enabled.
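The following PowerShell script is an added example, not part of this document, that audits the three settings delegation depends on: the WCA SecurityPackage registry value from the previous section, the delegation trust on the impersonating account, and the non-delegation flag on the target accounts. It assumes the ActiveDirectory module (RSAT) is installed on the WCA host and uses “MyServAccount” and “MyUserAccount” from Figure 7 as placeholder names.

```powershell
# Added example (not from the original document): audit WCA delegation prerequisites.
# Assumes the ActiveDirectory module is available; account names below are placeholders.
Import-Module ActiveDirectory

$WcaAccount        = 'MyServAccount'     # placeholder: account the web application server runs as
$WcaComputer       = $env:COMPUTERNAME   # used only when the web server runs as Local System
$RunsAsLocalSystem = $false              # set to $true if the worker process runs as Local System
$TargetAccounts    = @('MyUserAccount')  # placeholders: accounts supplied via Secondary Logon
                                         # or stored on the Data Source Logon tab

$MsolapKey = 'HKLM:\Software\Business Objects\Suite 11.0\OLAP Intelligence\OCCA(o)\SOFA\ODBO\MSOLAP'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. NTLM cannot delegate, so the WCA must be configured for Kerberos.
#    A missing value means the default, NTLM.
$pkg = (Get-ItemProperty -Path $MsolapKey -Name SecurityPackage -ErrorAction SilentlyContinue).SecurityPackage
if ($pkg -ne 'Kerberos') {
    $findings.Add("SecurityPackage is '$pkg' (empty means NTLM); expected 'Kerberos'.")
}

# 2. The impersonating identity must be trusted for delegation: the user account,
#    or the computer account when the web application server runs as Local System.
if ($RunsAsLocalSystem) {
    $acct  = Get-ADComputer -Identity $WcaComputer -Properties TrustedForDelegation
    $label = "'Trust computer for delegation' on computer '$WcaComputer'"
} else {
    $acct  = Get-ADUser -Identity $WcaAccount -Properties TrustedForDelegation
    $label = "'Account is trusted for delegation' on user '$WcaAccount'"
}
if (-not $acct.TrustedForDelegation) {
    $findings.Add("$label is not enabled.")
}

# 3. Accounts that will be impersonated must not be marked as sensitive (NOT_DELEGATED).
foreach ($name in $TargetAccounts) {
    $u = Get-ADUser -Identity $name -Properties AccountNotDelegated
    if ($u.AccountNotDelegated) {
        $findings.Add("Target account '$name' has 'Account is sensitive and cannot be delegated' set.")
    }
}

if ($findings.Count -eq 0) {
    'All delegation prerequisites for the WCA are in place.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```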


Configuring DCOM components

You only need to configure DCOM components if you are running your application in the ASP.NET framework with IIS.

In an ASP.NET environment, the WCA launches a DCOM component out-of-process. As described in the section Passing credentials from Internet Information Services, the WCA, running inside the ASP.NET worker process, launches an out-of-process DCOM component called olapsessions.exe. This component must be configured to launch under an account that has been trusted for delegation in order to use secondary logon.

Configuring DCOM for IIS on Windows 2000

Windows contains a tool that allows you to configure installed DCOM components. The following steps describe how to configure IIS 5 and Windows 2000 to launch the DCOM component process, olapsessions.exe, under a specific account:

1. On the Start menu, click Run.

2. Type “dcomcnfg.exe” in the Run box and then click OK. The Distributed COM Configuration Properties dialog box appears.

NOTE If a dialog box appears with the following text, click Yes for the Ringleader Manager Component to be added to the list of configurable DCOM components:

The CLSID {E8049D01-EEC4-40AF-AADC-2F191BC5E927}, item “C:\Program Files\Business Objects\OLAP Intelligence 11\DHTML Components\olapsessions.exe” and title Ringleader Manager has the named value AppId, but is not recorded under \\HKEY_CLASSES_ROOT\AppId. Do you wish to record it?

3. On the Applications tab, click Ringleader Manager, and then click the Properties button. The Ringleader Manager Properties dialog box appears.

4. On the Security tab, click Use Custom Access Permissions, and then click the Edit button. The Registry Key Permissions dialog box appears.

5. Click Add. The Add Users and Groups dialog box appears.

6. Type the account name under which the ASP.NET worker process runs for your application. On Windows 2000, the worker process launches by default with a local account called ASPNET. If you have modified your application to start with a different account, specify that account instead.

7. Ensure that Allow Access appears in the Type of Access list and then click OK.

8. Click OK on the Registry Key Permissions dialog box.


9. Click Use custom launch permissions in the Ringleader Manager Properties dialog box, and then click the Edit button.

10. Repeat steps 5 to 8.

11. On the Identity tab, click This user, and then type the user name and password of the account that was marked Account is trusted for delegation in the Active Directory Users and Computers management console.

12. Click the OK button.

Configuring DCOM for Internet Information Services 6 and Windows 2003

These steps demonstrate how to configure IIS 6 and Windows 2003 to launch the DCOM component process, olapsessions.exe, under a specific account:

1. On the Start menu, click Run, type “dcomcnfg.exe” in the Run box, and then click OK.

2. Expand Component Services > Computers > My Computer > DCOM Config.

3. Right-click OlapSessions and click Properties.

4. On the Security tab, click Customize in the Access Permissions area, and then click the Edit button. The Access Permission dialog box appears.

5. Click Add and type the name of the account that the ASP.NET worker process runs under for your application. On Windows 2003, the worker process launches by default with a local account called Network Service. If you have modified your application to start with a different account, specify that account instead.

6. Ensure that the Access Permission box is selected under the Allow column and then click OK.

7. Click OK to return to the OlapSessions Properties dialog box.

8. In the Launch Permissions area, click Customize, click the Edit button, and then repeat steps 5 to 7.

9. Go to Component Services > Computers > My Computer > DCOM Config > Ringleader Manager.

10. Right-click Ringleader Manager and click Properties.

11. For the launch and access permissions, add the account under which the ASP.NET worker process runs.


12. On the Identity tab, click This user and enter the username and password of the account that has been marked Account is trusted for delegation in the Active Directory Users and Computers management console. Click on the OK button.

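As an added example that is not part of this document, the following PowerShell script reports the launching identity configured for the OLAP Intelligence DCOM components and the identity of the running ASP.NET worker process, so the outcome of the dcomcnfg procedures above can be checked from a console. It assumes PowerShell 3.0 or later on the web server and matches component names by pattern, since the DCOM display names differ between the Windows 2000 and Windows 2003 procedures.

```powershell
# Added example (not from the original document): show which account the OLAP Intelligence
# DCOM components launch under, next to the identity of the ASP.NET worker process.
# Assumes PowerShell 3.0+ (Get-CimInstance) on the web server.

# 1. Launching identity of each matching DCOM application. RunAsUser is empty when the
#    component launches as the calling user, i.e. it would inherit the ASP.NET identity.
$dcomApps = Get-CimInstance -ClassName Win32_DCOMApplication |
            Where-Object { $_.Name -match 'Ringleader|OlapSessions' }

$dcomReport = foreach ($app in $dcomApps) {
    $setting = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$($app.AppID)'"
    $runAs   = if ($setting.RunAsUser) { $setting.RunAsUser } else { '<launching user>' }
    [pscustomobject]@{
        Component = $app.Name
        AppID     = $app.AppID
        RunAs     = $runAs
    }
}

# 2. Identity of the ASP.NET worker process (w3wp.exe on IIS 6, aspnet_wp.exe on IIS 5).
#    This is the account that needs launch and access permission on the component.
$workers = Get-CimInstance -ClassName Win32_Process -Filter "Name='w3wp.exe' OR Name='aspnet_wp.exe'"
$workerReport = foreach ($p in $workers) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    [pscustomobject]@{
        Process = $p.Name
        PID     = $p.ProcessId
        RunsAs  = "$($owner.Domain)\$($owner.User)"
    }
}

$dcomReport   | Format-Table -AutoSize
$workerReport | Format-Table -AutoSize

# A RunAs of '<launching user>' means olapsessions.exe inherits the worker identity shown in the
# second table; the isolation this document describes requires RunAs to be the account that was
# marked 'Account is trusted for delegation' instead.
```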

Verifying that WCA delegation is working

You can now verify whether the Secondary Logon or Logon Using Specific Credentials option is working as expected. The WCA should be passing the credentials of the account specified in the Secondary Logon dialog box or on the Data Source Logon tab rather than the credentials of the web application server process. As illustrated in Figure 5, the WCA passes the credentials for “MyUserAccount” to the Analysis Services server.

You can also verify that the correct account is being passed by the WCA by turning on logging for the Microsoft Analysis Services server, as follows:

1. Start the registry editor on the computer where Microsoft Analysis Services is running.

2. Navigate to the following registry subkey:

HKLM\Software\Microsoft\OLAP Server\CurrentVersion

3. Change the value of the AuditEvents registry entry from 13 to 15 (decimal).

4. Restart the Analysis Services server.

After modifying this registry value, all authentication attempts are logged to the Event Viewer.


Finding more information

Supported platforms

For more information on BusinessObjects Enterprise XI supported platforms, refer to the document boe_xi_supported_platforms.pdf.

Improving performance and scalability

For more information on how to improve the performance and scalability of your BusinessObjects OLAP Intelligence XI installation, refer to the document bo_olap_xi_improving_performance_scalability.pdf.

Configuring web application servers

For more information on how to configure web application servers to work in conjunction with BusinessObjects OLAP Intelligence XI, refer to the document bo_olapi_xi_configuring_web_application_servers.pdf.

For more information and resources, refer to the product documentation and visit the support area of the web site at http://www.businessobjects.com/

www.businessobjects.com No part of the computer software or this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from Business Objects. The information in this document is subject to change without notice. Business Objects does not warrant that this document is error free. This software and documentation is commercial computer software under Federal Acquisition regulations, and is provided only under the Restricted Rights of the Federal Acquisition Regulations applicable to commercial computer software provided at private expense. The use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth in subdivision (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at 252.227-7013. The Business Objects product and technology are protected by US patent numbers 5,555,403; 6,247,008; 6,578,027; 6,490,593; and 6,289,352. The Business Objects logo, the Business Objects tagline, BusinessObjects, BusinessObjects Broadcast Agent, BusinessQuery, Crystal Analysis, Crystal Analysis Holos, Crystal Applications, Crystal Enterprise, Crystal Info, Crystal Reports, Rapid Mart, and WebIntelligence are trademarks or registered trademarks of Business Objects SA in the United States and/or other countries. Various product and service names referenced herein may be trademarks of Business Objects SA. All other company, product, or brand names mentioned herein, may be the trademarks of their respective owners. Specifications subject to change without notice. Not responsible for errors or omissions. Copyright © 2005 Business Objects SA. All rights reserved.
