Reputation: 3668
I have two domains, A and B. Users sit on domain A, and IIS and SSAS are on domain B. There is no trust between the domains.
Users shall be able to access data through the msmdpump on the IIS to access the SSAS server. It would be nice if they could do this seamlessly without authentication using integrated Windows security.
Everything works fine if I allow anonymous users on the IIS and on SSAS. But then users are not authenticated.
One of the problems is msmdpump is a bit of a black box. You need access to it from the IIS, but once Excel uses it I think it contacts SSAS directly using the credentials in the odc connection string.
Has anyone had a similar problem, and how did you solve it?
Upvotes: 0
Views: 664
Reputation: 7081
Integrated security doesn't work this way and msmdpump is really a black box ;) We have had a similar problem in a scenario where we have a website with users that log in and download Excel reports with a predefined connection string. Unfortunately, to avoid the user having to type the password when he opens Excel, we have to store it in the Excel file (and it is plain text). So our solution, which might not be the best, was to add ANOTHER proxy between the user and the SSAS which would take care of security. So the Excel file, instead of pointing to the msmdpump, points to our proxy with some session token that gives permission to access reports.
In our case that proxy was part of the website and used the user session (if he is currently authenticated to the website he can open the Excel report), and the SSAS password in the connection string was the real SSAS Active Directory password, but it was not a security breach because SSAS was not accessible outside the internal network. So the chain was:
User with Excel file -> Our proxy that handles security -> IIS with msmdpump -> SSAS
I am not sure it is the best solution but after lots of discussions and investigation we couldn't come up with something better and it works in the end ;)
Upvotes: 1
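The answer above embeds a session token in the workbook and has the proxy check it before forwarding to msmdpump. The following is an added sketch of such a check, not the answerer's code: the token format, the function names `issue_token` and `authorize`, the key and the 15-minute lifetime are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key for this example; a real proxy would load it from a secret store.
SECRET_KEY = b"constructed-example-key"
TOKEN_TTL_SECONDS = 900  # assumed lifetime: the token sits in the workbook in clear


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload):
    return _b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(user, report, now=None):
    """Website side: called when a logged-in user downloads a workbook."""
    issued = time.time() if now is None else now
    claims = {"user": user, "report": report, "exp": int(issued + TOKEN_TTL_SECONDS)}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)


def authorize(token, report, now=None):
    """Proxy side: return the user name if the token allows this report, else None."""
    try:
        payload, sig = token.split(".")
        # Verify the signature before parsing anything, in constant time.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        padded = payload + "=" * (-len(payload) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        current = time.time() if now is None else now
        if current >= claims["exp"]:
            return None  # expired: the user has to download a fresh workbook
        if claims["report"] != report:
            return None  # token is scoped to a single report
        return claims["user"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token: fail closed


if __name__ == "__main__":
    t = issue_token("alice", "sales-cube")
    print(authorize(t, "sales-cube"), authorize(t, "hr-cube"))
```

Only when `authorize` returns a user would the proxy forward the request to msmdpump using the SSAS credentials it holds itself, so the workbook carries a short-lived, report-scoped token rather than the SSAS password.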