In order to connect a front-end client to my cube, I use msmdpump.dll which permit to connect anyone to ssas over http.
But I have a security issue because the dll access in IIS is anonymous. So, anyone who find the URL of the dll can connect to my cube, because no login/pass is required. We use this solution because the local username and domains are transmit to IIS when the user connect to the website.
The architecture is this :
- One website on a IIS server (the name of the Domain is AA)
- The cube on SSAS on a second server (the name of the Domain is AA - so the same domain as IIS server)
- Allow users are in Active Directory (in the Domain AA)
- xxx users connect to the website (local user and local domain on each computer)
In order to avoid the Anonymous mode, I would like to do something like this :
- The user go to the website
- The website ask credentials to user
- User put his username and password from the Active Directory in any form of the website and submit informations
- IIS recognize him and identify the user as the user of the domain
This is an example of my description :
- I have an account on AD "AA" Domain
- This account is AA\toto and my password is 1234
- This user is allowed to connect to ssas
- I'm from home (without the domain AA), and I go to the cube website
- A form appears asking me my login and password
- I put AA\toto and 1234
- IIS allow me to go to another page with credentials of my AD account
Anybody knows if it's possible ?
If anybody knows which authentification mode Excel use in ODC file in order to connect the SSAS, maybe it would be a good start point.
EDIT : I tried to put "Basic authentication" in IIS on DLL Website. If I put an account which not exist on the domain, the access is denied on Excel. But if I put the good account, Excel success to connect to ssas. I think I'm close to the solution. I will try to make a login page and seee if the connexion works.
