Authentication Methods in IT Analytics 7.1
IT Analytics 7.1 uses pass-through authentication whenever a user accesses either reports or cubes. When a user accesses a cube their credentials are passed to the Analysis Service to authenticate his connection. This also applies to accessing reports; with the added requirement to authenticate to the Report Server. So how does this work in your environment?
Cube access is always based on the user’s logged in Windows credentials. The credentials are passed from the Windows workstation to the Symantec Management Platform then to the Analysis Server. Kerberos is required on the Symantec Management Platform if the Analysis Server is on a separate computer.
You have the choice of using Windows Integrated Authentication or Stored Credentials. The difference is that when a user accesses a report through the SMP console Windows Integrated Security uses the logged in user’s credentials. The Stored Credentials option sends a pre-determined set of credentials and all users have the same access to reports.
Kerberos is required on the Symantec Management Platform if the Report Server is on a separate computer. If the Report Server, Analysis Server and Symantec Management Platform are all on separate servers authentication is a three step process and requires Kerberos on both the Symantec Management Platform and the Analysis Server to make the three step connection from the Windows computer to the Symantec Management Platform to the Report Server and finally to the Analysis Server.
Authenticating in a Workgroup Environment
Note: This method is not officially supported. It may not work in your environment.
Be aware that Analysis Services requires Windows authentication. It does not allow SQL authentication. This can present problems for those companies that don’t use Active Directory. To use Windows credentials in a Workgroup environment you will need to create a set of user credentials on each server that a user accesses. It must have the same user name and password on all servers. Windows then allows users to authenticate using their credentials to logon to servers in the Workgroup.
You will also need to add the user to a role in Analysis Server and grant them rights to view reports. This can be done manually from SQL Server Management Studio and Report Server or by adding the user to a role in the Symantec Management Platform. That user will be the user from the server on which the Analysis Server resides. For example, if the Analysis Server resides on VMMSSQL001 and the user is drussell then the user added to the role would be VMMSSQL001\drussell.
This can be an issue in environments where the user is required to change the password periodically as there is no convenient way to change the password on all servers. To ease administration use Stored Credentials so that you only have one account to maintain.