Author |
Topic  |
|
Z0n3R
28 Posts |
Posted - 03/02/2012 : 17:26:21
|
In order for the xmla connection to work after switching to windows authentication, I had to set the xmla IIS folder to basic authentication. I'm wondering, is this a security risk? Is there a better way to it?
Thanks! |
|
admin
1643 Posts |
Posted - 03/02/2012 : 17:41:53
|
Microsoft recommends using HTTPs when using basic authentication. So you should consider installing SSL certificate on your production web site.
In any case, Basic authentication is safer than Anonymous authentication. |
 |
|
Z0n3R
28 Posts |
Posted - 03/07/2012 : 09:58:03
|
Good morning,
The XMLA connection seems to have stopped working. It's either prompting a server login dialog box or giving an error whenever I test the connection from Admin/Connections. What I get is based on the XMLA Proxy setting...See below.
---IIS Integrated Windows -> Report Portal Virtual Directory Integrated Windows -> Login.aspx Basic -> XMLA Virtual Directory
---Admin/Settings/Security Enable pass-through authentication = Checked Sync Windows Groups at Login = Checked Windows Domain Name is set Security Authenticaion Mode = Windows
---Admin/Settings/OLAP Reports XML Analysis for Security = Checked XMLA Proxy = when "Used for External XMLA Service" I get the server login box when "Always" the server login box goes away but I get the following error when I test the connection: "XML Parsing Error: Invalid at the top level of the document at line 1 position 1")
Any ideas? Thanks! |
 |
|
admin
1643 Posts |
Posted - 03/07/2012 : 11:17:53
|
Please make sure the following setting settings checked: Admin > Settings > OLAP Report > Other > “XML for Analysis Security Enabled”
|
 |
|
Z0n3R
28 Posts |
Posted - 03/07/2012 : 11:33:03
|
It's checked. Could this be an issue on the server?
Does it matter what the XML Proxy is set to? |
 |
|
admin
1643 Posts |
Posted - 03/07/2012 : 13:40:15
|
Has your password changed? Please reenter it via Design > Other > Update User Info. |
 |
|
Z0n3R
28 Posts |
Posted - 03/07/2012 : 15:49:53
|
My password hasn't changed. We are using windows authentication only.
The problem is ocurring for all users at the moment. The dialog box reads:
quote: The server XXXXXX at XXXXXX requires a username and password.
Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection).
-----Now if you DO log in, the XMLA connection will work until you close the browser. When you close and reopen, the login dialog box appears again.
Thanks, |
Edited by - Z0n3R on 03/07/2012 15:50:21 |
 |
|
admin
1643 Posts |
Posted - 03/07/2012 : 17:38:02
|
Still, please try to update Windows User Name and Password via Design > Other > Update User Info. |
 |
|
Z0n3R
28 Posts |
Posted - 03/07/2012 : 17:52:44
|
Yes, I tried this. I even tried setting my NtPassword value to NULL in the database and then logging in again and it still didn't work.
Thanks |
 |
|
admin
1643 Posts |
Posted - 03/07/2012 : 20:03:55
|
Please try to add domain name to the Windows user name like
Domain1\user2
|
 |
|
Z0n3R
28 Posts |
Posted - 03/08/2012 : 08:52:52
|
Correction....Sorry, this did not work. I think I logged in prior to adding the domain name in front of my username and that's why it worked initially and I believed had solved the issue.
|
Edited by - Z0n3R on 03/08/2012 11:53:25 |
 |
|
admin
1643 Posts |
Posted - 03/08/2012 : 21:10:45
|
This is very puzzling. Can you please try using Fiddler to see which windows user id and password OLAP report is sending? You can download Fiddler here: http://fiddler2.com/fiddler2/
If you like we can setup a WebEx meeting to go over this problem. Please send an email to support@ReportPortal.com if you are interested. |
 |
|
Z0n3R
28 Posts |
Posted - 03/13/2012 : 12:02:06
|
Good day,
Here is what I've found. If the user doesn't log in intially with the full domain in front of their username "domain_name/username" the OLAP report will NOT send the domain in the authorization---UNTIL they close their browser and reopen it. In other words, if they login with JUST their username and password...they must close/reopen their browser for the OLAP report work.
This still brings us back to our original problem. Avoiding having to sign in AT ALL. It would appear that single sign on doesn't work until the NtPassword column is set in the AppUser table. Can we please confirm that it's NOT possible to avoid an initial login for single sign on?
Thanks!
One other quick note: I noticed that I can bypass the initial sign on by loading the NtPassword column with bogus data. It works! Even though the password is bogus. However, since OLAP reports require basic authentication it tries to use the password from the AppUser table instead of AD and fails. |
Edited by - Z0n3R on 03/13/2012 13:27:44 |
 |
|
admin
1643 Posts |
Posted - 03/13/2012 : 20:45:05
|
Please try the hot fix below. It will add the domain name in font of the Windows user name.
1) Download and unzip: http://www.reportportal.com/download/rp_178_domain.zip 2) Backup old file to an external folder and copy the new file to: "C:\inetpub\wwwroot\ReportPortal\bin\ReportPortal.dll"
Yes, to avoid the initial login please: 1) Go to Admin > Settings and check "Enable the pass-through authentication". 2) Make sure that the Windows group the user belongs to is imported as application role. Insure that the role is marked to be Windows based. 3) Set ReportPortal virtual directory to Windows only 4) If “XML for Analysis Security Enabled” option is checked, “Security Authentication Mode” has to be set to Application.
However, note that this method will not set Windows Password for your user because Windows authentication encrypts and hides passwords from IIS. |
 |
|
Z0n3R
28 Posts |
Posted - 03/15/2012 : 16:25:08
|
Hi, OK the hotfix corrected the problem with the initial login. Now I'm trying to get single sign on working without an initial login.
I made the following changes: 1) Unchecked the XML for Analysis Security Enabled 2) Set XMLA Proxy to: Always Used 3) Set the XMLA Virtual Directory AND ReportPortal virtual directory to Intregrated Windows Security.
The single sign did work without initial login--however, I'm getting the following error when I try to run OLAP reports: quote: Unknown server error: XML Parsing Error: Invalid at the top level of the document. at line 1 at position 1 XML Parsing Error: Invalid at the top level of the document. at line 1 at position 1
I tried setting the XMLA directory to anonymous and digest access and received the same error message.
We're getting closer. Any thoughts? Thanks! |
Edited by - Z0n3R on 03/15/2012 16:25:34 |
 |
|
admin
1643 Posts |
Posted - 03/15/2012 : 19:32:04
|
XMLA virtual directory can have Anonymous or Basic authentication but it cannot have Windows authentication. IIS prevents the identity to be passed from IE to IIS and to SSAS. This is called double hop security problem. One solution to the problem is to use Kerberos. However, Kerberos is very hard to setup.
http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx
You should set Basic authentication on XMLA virtual directory and: 1) Let users enter their password initially 2) Or let users enter the password when opening first report
And of course, you can also use Anonymous authentication on XMLA virtual directory. |
 |
|
Z0n3R
28 Posts |
Posted - 03/16/2012 : 11:31:05
|
Aha...this makes complete sense. I'll have to run this by the client and see which direction they want to go. An easier solution might be to simply install ReportPortal on the same server as the cube--which currently has SSRS already setup and running.
I appreciate all of the help you've provided. Thanks a million! |
 |
|
|
Topic  |
|