Jaa


As 2005/AS 2008 /Vista/win7/win2k8/SSPI=Anonymous behaves differently

I hope that you are doing well.  I have found out that when using SSPI=Anonymous keyword in connection string to connect Analysis Services which is hosted on Vista or later versions like Windows 7, Windows 2008 etc.., you get following error message:

Either the user, NT AUTHORITY\ANONYMOUS LOGON, does not have access to the test database, or the database does not exist.

Problem description

===============================

When you move your analysis services 2005 to windows 2008 machine. After this stage, your application (which uses anonymous logon access) may start to throw following exception.

Either the user, NT AUTHORITY\ANONYMOUS LOGON, does not have access to the test database, or the database does not exist.

Although  NT AUTHORITY\ANONYMOUS LOGON account is added  to roles of Database. Require Client Authentication is set to false as well. (like described in following article (https://msdn.microsoft.com/en-us/library/ms174933.aspx )

For now as a workaround, he is using http access to analysis services and I have seen that when he configures http access, it uses IUSR account (not anonymous logon account).

 

Work done so far:

===============================

Basically Here are steps to reproduce problem:

-Create UDL file and change your connection string to following ( of course your own server name and catalog name) :

Provider=MSOLAP;Persist Security Info=False;Initial Catalog=Analysis Services Project1;Data Source=win2k3sql05\sql2005;SSPI=Anonymous

-Try to connect Analysis Services 2005 instance on Windows 2008 machine ( you can try it locally as well if you think that authentication might be issue)

-Run profiler trace and you will get exactly same error message.

-If you follow same instructions  AS 2005 on windows 2003 machine and you will get success result.

We have been investigating this scenario and have found that it appears that there is a new part to the windows security model for vista and windows 2008 that did not exist in windows 2003 or xp.

This is described further in this article:

https://msdn.microsoft.com/en-us/library/bb625963.aspx Windows Integrity Mechanism Design

This change is causing Analysis Services to fail to authenticate anonymous logon user

Workaround: I would suggest you to use http access and setting  web site identity to particular domain account which has permission in AS Databases or adding IUSR_ account to roles in Database.

 

Please let me know if you have any questions

Kagan

Comments