ReportPortal
ReportPortal
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 ReportPortal General Forum
 Report Portal General Issues
 xmla connection question
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Z0n3R

28 Posts

Posted - 03/02/2012 :  17:26:21  Show Profile  Reply with Quote
In order for the xmla connection to work after switching to windows authentication, I had to set the xmla IIS folder to basic authentication. I'm wondering, is this a security risk? Is there a better way to it?

Thanks!

admin

1643 Posts

Posted - 03/02/2012 :  17:41:53  Show Profile  Reply with Quote
Microsoft recommends using HTTPs when using basic authentication. So you should consider installing SSL certificate on your production web site.

In any case, Basic authentication is safer than Anonymous authentication.
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/07/2012 :  09:58:03  Show Profile  Reply with Quote
Good morning,

The XMLA connection seems to have stopped working. It's either prompting a server login dialog box or giving an error whenever I test the connection from Admin/Connections. What I get is based on the XMLA Proxy setting...See below.

---IIS
Integrated Windows -> Report Portal Virtual Directory
Integrated Windows -> Login.aspx
Basic -> XMLA Virtual Directory

---Admin/Settings/Security
Enable pass-through authentication = Checked
Sync Windows Groups at Login = Checked
Windows Domain Name is set
Security Authenticaion Mode = Windows

---Admin/Settings/OLAP Reports
XML Analysis for Security = Checked
XMLA Proxy =
when "Used for External XMLA Service" I get the server login box
when "Always" the server login box goes away but I get the following error when I test the connection: "XML Parsing Error: Invalid at the top level of the document at line 1 position 1")

Any ideas? Thanks!
Go to Top of Page

admin

1643 Posts

Posted - 03/07/2012 :  11:17:53  Show Profile  Reply with Quote
Please make sure the following setting settings checked:
Admin > Settings > OLAP Report > Other > “XML for Analysis Security Enabled”

Go to Top of Page

Z0n3R

28 Posts

Posted - 03/07/2012 :  11:33:03  Show Profile  Reply with Quote
It's checked. Could this be an issue on the server?

Does it matter what the XML Proxy is set to?
Go to Top of Page

admin

1643 Posts

Posted - 03/07/2012 :  13:40:15  Show Profile  Reply with Quote
Has your password changed? Please reenter it via Design > Other > Update User Info.
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/07/2012 :  15:49:53  Show Profile  Reply with Quote
My password hasn't changed. We are using windows authentication only.

The problem is ocurring for all users at the moment. The dialog box reads:
quote:
The server XXXXXX at XXXXXX requires a username and password.

Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).

-----Now if you DO log in, the XMLA connection will work until you close the browser. When you close and reopen, the login dialog box appears again.

Thanks,

Edited by - Z0n3R on 03/07/2012 15:50:21
Go to Top of Page

admin

1643 Posts

Posted - 03/07/2012 :  17:38:02  Show Profile  Reply with Quote
Still, please try to update Windows User Name and Password via Design > Other > Update User Info.
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/07/2012 :  17:52:44  Show Profile  Reply with Quote
Yes, I tried this. I even tried setting my NtPassword value to NULL in the database and then logging in again and it still didn't work.

Thanks
Go to Top of Page

admin

1643 Posts

Posted - 03/07/2012 :  20:03:55  Show Profile  Reply with Quote
Please try to add domain name to the Windows user name like

Domain1\user2
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/08/2012 :  08:52:52  Show Profile  Reply with Quote
Correction....Sorry, this did not work. I think I logged in prior to adding the domain name in front of my username and that's why it worked initially and I believed had solved the issue.

Edited by - Z0n3R on 03/08/2012 11:53:25
Go to Top of Page

admin

1643 Posts

Posted - 03/08/2012 :  21:10:45  Show Profile  Reply with Quote
This is very puzzling. Can you please try using Fiddler to see which windows user id and password OLAP report is sending? You can download Fiddler here:
http://fiddler2.com/fiddler2/

If you like we can setup a WebEx meeting to go over this problem. Please send an email to support@ReportPortal.com if you are interested.
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/13/2012 :  12:02:06  Show Profile  Reply with Quote
Good day,

Here is what I've found. If the user doesn't log in intially with the full domain in front of their username "domain_name/username" the OLAP report will NOT send the domain in the authorization---UNTIL they close their browser and reopen it. In other words, if they login with JUST their username and password...they must close/reopen their browser for the OLAP report work.

This still brings us back to our original problem. Avoiding having to sign in AT ALL. It would appear that single sign on doesn't work until the NtPassword column is set in the AppUser table. Can we please confirm that it's NOT possible to avoid an initial login for single sign on?

Thanks!

One other quick note: I noticed that I can bypass the initial sign on by loading the NtPassword column with bogus data. It works! Even though the password is bogus. However, since OLAP reports require basic authentication it tries to use the password from the AppUser table instead of AD and fails.

Edited by - Z0n3R on 03/13/2012 13:27:44
Go to Top of Page

admin

1643 Posts

Posted - 03/13/2012 :  20:45:05  Show Profile  Reply with Quote
Please try the hot fix below. It will add the domain name in font of the Windows user name.

1) Download and unzip: http://www.reportportal.com/download/rp_178_domain.zip
2) Backup old file to an external folder and copy the new file to: "C:\inetpub\wwwroot\ReportPortal\bin\ReportPortal.dll"

Yes, to avoid the initial login please:
1) Go to Admin > Settings and check "Enable the pass-through authentication".
2) Make sure that the Windows group the user belongs to is imported as application role. Insure that the role is marked to be Windows based.
3) Set ReportPortal virtual directory to Windows only
4) If “XML for Analysis Security Enabled” option is checked, “Security Authentication Mode” has to be set to Application.

However, note that this method will not set Windows Password for your user because Windows authentication encrypts and hides passwords from IIS.
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/15/2012 :  16:25:08  Show Profile  Reply with Quote
Hi, OK the hotfix corrected the problem with the initial login. Now I'm trying to get single sign on working without an initial login.

I made the following changes:
1) Unchecked the XML for Analysis Security Enabled
2) Set XMLA Proxy to: Always Used
3) Set the XMLA Virtual Directory AND ReportPortal virtual directory to Intregrated Windows Security.

The single sign did work without initial login--however, I'm getting the following error when I try to run OLAP reports:
quote:
Unknown server error: XML Parsing Error: Invalid at the top level of the document. at line 1 at position 1
XML Parsing Error: Invalid at the top level of the document. at line 1 at position 1


I tried setting the XMLA directory to anonymous and digest access and received the same error message.

We're getting closer. Any thoughts? Thanks!

Edited by - Z0n3R on 03/15/2012 16:25:34
Go to Top of Page

admin

1643 Posts

Posted - 03/15/2012 :  19:32:04  Show Profile  Reply with Quote
XMLA virtual directory can have Anonymous or Basic authentication but it cannot have Windows authentication. IIS prevents the identity to be passed from IE to IIS and to SSAS. This is called double hop security problem. One solution to the problem is to use Kerberos. However, Kerberos is very hard to setup.

http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx

You should set Basic authentication on XMLA virtual directory and:
1) Let users enter their password initially
2) Or let users enter the password when opening first report

And of course, you can also use Anonymous authentication on XMLA virtual directory.
Go to Top of Page

Z0n3R

28 Posts

Posted - 03/16/2012 :  11:31:05  Show Profile  Reply with Quote
Aha...this makes complete sense. I'll have to run this by the client and see which direction they want to go. An easier solution might be to simply install ReportPortal on the same server as the cube--which currently has SSRS already setup and running.

I appreciate all of the help you've provided. Thanks a million!
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
ReportPortal © 2000-2002 Snitz Communications Go To Top Of Page