I'm trying to connect to Azure Analysis Service databases (which isn't owned and managed by me) with Adomd client library.
I can connect to them with Power Query connector using Microsoft account, but I couldn't find the correct connection string to prompt me to login with my Microsoft account then use that credential to connect in Adomd. Using the connection string in here https://learn.microsoft.com/en-us/azure/analysis-services/analysis-services-connect
"Provider=MSOLAP;Data Source=<Azure AS instance name>;"
leads to this error
Authentication failed: User ID and Password are required when user interface is not available?
Is it doable with Adomd client?
Turn out pythonnet prevents interactive login. I makes it work by using the client library in C#.
Related
I'm having a server with power-bi reporting service installed and configured on it, and from my front-end that hosts the application, i've got angular 7 with proper power-bi components installed.
Since the report is on the server and it needs authentication to login, i get a user and password fill-in prompt in my website whenever i try to access this report, and after logging in, i can see the data of my report.
I'm wondering how to use Kerberos authentication so that i can set-up that username and password to login automatically without asking the user to enter them every time.
What i've done so far :
I've made and set a few SPN in my active directory, made a user in Active Directory Users and Computer and in it's Delegation tab, i've set it to Use any authentication protocol and added MSOLAPDisco and MSOLAPSvc.3 to it. i've added the user account credentials that i've made to service account and execution account in power bi Report server then i modified the rsreportserver config file to use the RSNegotiate before NTLM.
After trying to solve the issue with the mentioned above methods, i still get a NTLM method in network monitor which is installed in the Active Directory.
Any suggestions how to solve this issue? Thanks in advance.
I developed a webapplication Example1:7575 which uses FBA. Now, I deployed these WSP's to a new server Production:2525 to get the same functionality of my previous server's webapplication. However, I was not able to fetch the data from sql server and I'm getting the following error: A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.
Actually, I have manually entered the same membership and role providers of my previous server's central admin, security service token & web application's web.config entries to this new web.configs and matched them.
Can someone help me with where I might be doing wrong. Any help would be greatly appreciated.
If you can't fetch data from SQL Server there's probably an issue with permissions to the database. Check the database connection string that FBA is using. It likely uses Windows authentication to connect - in which case it will be connecting as the user assigned to the app pool for the web application and the secure token service. Check that the configured app pool identities have permissions to access the sql server databases.
I have a problem about IIS configuration, so at least I think.
I have two different servers, in one of them are installed Microsoft Dynamics CRM 2011, on the second server I have ASP.NET application who talks with Microsoft Dynamics CRM 2011 web service. The problem is there, that I can't configure ASP.NET application.
Application has needed to work in the following:
I open ASP.NET Application who are enabled windows authorization
I login with Active Directory user, which at the same time, is user in Dynamics CRM 2011 system
When I am logged in, application start sending requests to Dynamics CRM web service with the same credentials that I am logged in
Now my configuration is that - enabled Windows authorization, enabled ASP.NET impersonation, application pool run as network service.
Problem is that when I open this application on ASP.NET server by adress localhost they automaticali get credentials with what I am logged in to this server, it's ok, but when I try to open application by address some-hostname.com they requre login, that is also ok, but when I logged in and application start send requests to Dynamics CRM web service. CRM web service response with 401 unauthorize,infer from this that there are problems with credentials who came from IIS.
I try to install and configure this ASP.NET application on the same server where hosts CRM server, there everything works fine.
What you're seeing is the double hoprestriction.
The credentials of the client cannot be forwarded from your ASP.NET application web server to CRM Server unless you configure delegation. For this your AD must already be set up for Kerberos authentication.
Your code will be attempting to connect to CRM using the Application Pool identity. You could configure this as a user within CRM and then use CRM impersonation (nothing to do with Kerberos or AD) by setting the CallerID on the proxy to the guid of the originating user (you'd have to make a call into CRM to get this). There's information about how to do this in the SDK docs.
For an ASP.NET app to impersonate a logged in user, especially from a fully-qualified domain name, you'll need to configure two things.
The App Pool identity for your ASP.NET application. Is this running as Network Service or as a specific user? The identity running the application must be "enabled for delegation." This is an option in Active Directory for that user account. If your application is running as Network Service, you'll want to enable delegation on the Computer account in AD instead of an user account.
The SPN (service principal name) for the application domain. A SPN is kind of like DNS for authentication, and is required for impersonation. If you are just using the machine name (e.g. http://server/app) AND you are using Network Service as the identity, you won't need to configure a SPN because one is set up by default for you when the server joins Active Directory. However, if you use a specific user account for the ASP.NET identity OR you want your users to use a fully qualified domain name (e.g. http://www.server.com), you'll need to tell Active Directory about this, and you do that using a SPN. Your Active Directory administrator should be familiar with SPNs and the setspn.exe command.
Please note that you may need to add a SPN for your CRM server as well, since it is just another ASP.NET application too. You should only need to do this if your internal CRM site is using a user account as the Identity OR you access the internal CRM using a fully-qualified domain name, just like your custom ASP.NET app.
Hope that helps!
Basically I have a C++ app which login to oracle db using OCI.
DB is configured to authenticate users from windows domain user accounts.
At the moment when my client log in, I pass user name and password to OCI in order to login by setting OCI_ATTR_PASSWORD and OCI_ATTR_USERNAME attributes in user session handle.
What should I do in the code to make OCI take windows credencials directly instead of me providing them through the code?
See Oracle Call Interface Programmer's Guide - OCISessionBegin()
The second type of credentials
supported are external credentials. No
attributes need to be set on the user
session handle before calling
OCISessionBegin(). The credential type
is OCI_CRED_EXT. This is equivalent to
the Oracle7 'connect /' syntax. If
values have been set for
OCI_ATTR_USERNAME and
OCI_ATTR_PASSWORD, then these are
ignored if OCI_CRED_EXT is used.
We're having a hard time figuring how these credentials objects work. In fact, they may not work how we expected them to work. Here's an explanation of the current issue.
We got 2 servers that needs to talk with each other through webservices. The first one (let's call it Server01) has a Windows Service running as the NetworkService account. The other one Server02 has ReportingServices running with IIS 6.0. The Windows Service on Server01 is trying to use the Server02 ReportingServices WebService to generate reports and send them by email.
So, here's what we tried so far.
Setting the credentials at runtime (This works perfectly fine):
rs.Credentials = new NetworkCredentials("user", "pass", "domain");
Now, if we could use a generic user all would be fine, however... we are not allowed to. So, we are trying to use the DefaultCredetials or DefaultNetworkCredentials and pass it to the RS Webservice:
rs.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials
Or:
rs.Credentials = System.Net.CredentialCache.DefaultCredentials
Either way won't work. We're always getting 401 Unauthrorized from IIS. Now, what we know is that if we want to give access to a resource logged as NetworkService, we need to grant it to DOMAIN\MachineName$ (http://msdn.microsoft.com/en-us/library/ms998320.aspx):
Granting Access to a Remote SQL Server
If you are accessing a database on another server in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the database. The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.
For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the SQL Server sees a database access request from CONTOSO\SVR1$.
We assumed that granting access the same way with IIS would work. However, it does not. Or at least, something is not set properly for it to authenticate correctly.
So, here are some questions:
We've read about "Impersonating Users" somewhere, do we need to set this somewhere in the Windows Service ?
Is it possible to grant access to the NetworkService built-in account to a remote IIS server ?
Thanks for reading!
All details you need are included in this very old article
In short, when you find it confusing to troubleshoot issues like this, you should first review the technical details behind ASP.NET impersonation carefully.
Here are some things you could check out:
- set an SPN (Service Principal Name) for the reporting service; you can find good examples in google;
- Allow delegation (ClientCredentials.Windows.AllowImpersonationLevel)
Is the problem that you're failing to authenticate to IIS, or failing to authenticate to SSRS? The DOMAIN\MachineName$ account may need to be granted permission in SSRS to run the report you're trying to automate.
SSRS usually does a pretty good job of getting IIS configured correctly, so you shouldn't need to mess with those settings. I double-checked my installation (which is SSRS 2005, things may have worked differently in SSRS 2000 and you didn't say which version you're running), and it's set to use Windows authentication and has impersonation enabled. That means IIS should basically just be authenticating your credentials (validating a correct username/password), not authorizing (determining whether that user has permission to run the report in question). IIS then passes the credentials on to SSRS, which has its own settings for determining what accounts have permission to view reports.
Also, you can automate sending reports on a scheduled basis directly in SSRS, so you may not need the Windows service at all if your scheduling is fairly basic (i.e., daily, weekly, etc.).