Get Free Trial
  1. API reference
Connecting to Data Source
  1. Supported data sources
  2. Connecting to other data sources
Configuring the component
  • Documentation for older versions
  • Table of contents

    Configuring the authentication process

    This tutorial explains how to manage the authentication process when working with SQL Server Analysis Services (SSAS).

    We support three different approaches:

    1. Using roles from Analysis Services – this approach is the easiest and it works for both XMLA and the Accelerator.
    2. Using Windows authentication:
    3. Using custom authorization – works for the Accelerator, recommended for those who already have an ASP.NET portal that handles authorization.

    1. Using roles from Analysis Services

    In SQL Server Analysis Services, access rights are provided based on roles. More information about role configuration can be found in this tutorial from Microsoft.

    After roles are configured in Analysis Services, they can be specified in Flexmonster reports by using the roles property. This property is available for both XMLA and the Accelerator. The following sample demonstrates how to specify roles:

    dataSource: { 
        type: "microsoft analysis services", 
        /* URL to msmdpump.dll */
        proxyUrl: "http://localhost/OLAP/msmdpump.dll", 
        catalog: "Adventure Works DW Standard Edition", 
        cube: "Adventure Works", 
        /* roles from SSAS, you can add multiple
           roles separated by comma */
        roles: "Sales Manager US" 
    }

    Open the example on JSFiddle.

    2.1. Using Windows authentication for XMLA

    Starting from version 2.8.2, Windows authentication is available when connecting to SSAS via XMLA.

    Follow the steps below to configure Windows authentication for the XMLA connection.

    Step 1. Configure XMLA access to the cube

    Skip this step if you already have XMLA configured. Otherwise refer to this article: how to set up an HTTP endpoint for accessing an Analysis Services instance.

    Step 2. Allow the OPTIONS request

    In CORS, the browser sends the OPTIONS preflight request to the server. This request determines which request methods and headers the server allows.

    The OPTIONS preflight request cannot contain any credentials, so Windows Integrated Authentication will reject this request and ask for authentication. Thus, the server should always accept the preflight request. To allow the OPTIONS request, see the following guide: CORS tutorial.

    Step 3. Configure the data source on the client

    Windows authentication should be allowed on the client side as well. To enable the authentication on the client, set the withCredentials property of the DataSourceObject to true:

    var pivot = new Flexmonster({
        container: "pivotContainer",
        toolbar: true, 
        report: {
            dataSource: {
                type: "microsoft analysis services",
                proxyUrl: "http://localhost/OLAP/msmdpump.dll",
                catalog: "Adventure Works DW Standard Edition",
                cube: "Adventure Works",
                withCredentials: true
            }
        }
    });

    After applying the configurations, the requests to Microsoft Analysis Services will be performed using your current Windows user.

    2.2. Using Windows authentication for Flexmonster Accelerator

    Starting from version 2.8.5, Windows authentication is supported for Flexmonster Accelerator. 

    Follow the guides below to configure Windows authentication for your type of the Accelerator.

    Accelerator as a Windows Service

    Step 1. Enable authentication on the server

    Windows authentication on the server side can be enabled in the flexmonster.config file. To open this file, go to Flexmonster Accelerator Manager and click the Config button.

    In flexmonster.config, set the WINDOWS_AUTH property to true to enable the authentication:

    WINDOWS_AUTH=true

    Step 2. Specify origins from which requests should be accepted

    When enabled, the authentication requires certain origins to be defined in the Access-Control-Allow-Origin header. Origin is a domain that sends requests to Flexmonster Accelerator (e.g., http://localhost:8080 or https://example.com). To allow the origin to send requests to the Accelerator, specify the ALLOW_ORIGIN property in the flexmonster.config file:

    ALLOW_ORIGIN=http://localhost:8080

    Several origins can be defined as follows:

    ALLOW_ORIGIN=http://localhost:8080, https://example.com

    To apply new configs, restart the Accelerator using Flexmonster Accelerator Manager: click the Stop button and then click Start.

    Step 3. Configure the data source on the client

    Windows authentication should be allowed on the client side as well. To enable the authentication on the client, set the withCredentials property of the DataSourceObject to true:

    var pivot = new Flexmonster({
        container: "pivotContainer",
        toolbar: true, 
        report: {
            dataSource: {
                type: "microsoft analysis services",
                proxyUrl: "http://localhost:50005",
                catalog: "Adventure Works DW Standard Edition",
                cube: "Adventure Works",
                binary: true,
                withCredentials: true
             }
        }
    });

    To apply the configurations, restart Flexmonster Accelerator. You can check if the Accelerator is up and running by navigating to its URL in the browser (http://localhost:50005 by default).

    Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.

    If the page with Flexmonster Pivot is opened in the Incognito browser window, the pop-up window prompting to enter your login and password should appear. After you log in with your Windows user credentials, Flexmonster Accelerator should successfully connect to the data source.

    Accelerator as a DLL

    This guide contains the following sections:

    Run the sample project with Windows authentication

    To illustrate how Windows authentication can be configured in an Accelerator DLL project, we added the windows-authentication branch to our sample GitHub application.

    To run the sample project, complete these steps:

    Step 1. Download the .zip archive with the windows-authentication branch or clone it from GitHub with the following command:

    git clone -b windows-authentication https://github.com/flexmonster/pivot-accelerator-dll

    Step 2. Open the sample project in Visual Studio using the Flexmonster Accelerator MVC.sln solution file.

    Step 3. Update the NuGet packages if needed:

    1. Right-click the project name in Solution Explorer and select Manage NuGet Packages in the context menu.
    2. Go to the Updates tab and check the Select all packages checkbox.
    3. Click the Update button.

    Step 4. Open the FlexmonsterConfig.cs file and specify your data source (e.g., localhost):

    public static void Register()
    {
      Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
      .ConnectionString = "Data Source=yourDataSource";
      // Other configurations
    }

    Step 5. Now go to the Index.cshtml view and set your values for the catalog and cube properties:

    dataSource: {
        dataSourceType: "microsoft analysis services",
        proxyUrl: "/api/accelerator/",
        catalog: "Your Catalog",
        cube: "Your Cube",

        binary: true,
        withCredentials: true
    }

    Step 6. Run the sample project by clicking the IIS Express button on the toolbar:

    The IIS Express button on the toolbar

    To see the result, open http://localhost:55158/ in your browser. Flexmonster Accelerator will automatically use your current Windows user to perform impersonated requests to Microsoft Analysis Services.

    Configure Windows authentication in your application

    Now let’s see which configurations you should set to enable Windows authentication in your project:

    Step 1. Enable authentication on the Accelerator’s side in the FlexmonsterConfig.cs file:

    public static void Register()
    {
    	// Other configurations
    	Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
    	.AuthEnabled = true;
    	Flexmonster.Accelerator.Controllers.FlexmonsterProxyController
    	.Impersonator = new WindowsImpersonatorFactory();
    	// Other configurations
    }

    Step 2. In the Web.config file, specify the <security> element to define authentication configurations for the server:

    <system.webServer>
    	<!-- Other tags -->
    	<security>
    		<authentication>
    			<anonymousAuthentication enabled="true" />
    			<windowsAuthentication enabled="true" />
    		</authentication>
    		<authorization>
    			<remove users="*" roles="" verbs=""/>
    			<add accessType="Allow" users="?" verbs="OPTIONS"/>
    			<add accessType="Deny" users="?" verbs="GET,PUT,POST,DELETE"/>
    			<add accessType="Allow" roles="Users" />
    		</authorization>
    	</security>
    	<!-- Other tags -->
    </system.webServer>

    Learn more about the <security> element in the Microsoft documentation.

    Step 3. In the pivot-accelerator-dll/.vs/Flexmonster Accelerator MVC/config/applicationhost.config file, find the anonymousAuthentication element and set its enabled attribute to true. Then do the same for the windowsAuthentication element:

    <authentication>
    	<anonymousAuthentication enabled="true" userName="" />
    	<!-- Other configs -->
    	<windowsAuthentication enabled="true">
    		<!-- Other configs -->
    	</windowsAuthentication>
    </authentication>

    Note that the .vs/ folder appears after opening the project in Visual Studio, and it is hidden by default. See the Microsoft documentation for guidance on displaying hidden folders.

    Step 4. Set the dataSource.withCredentials property to true in your .cshtml page (e.g., Index.cshtml):

    dataSource: {
    	dataSourceType: "microsoft analysis services",
    	proxyUrl: "/api/accelerator/",
    	catalog: "Your Catalog",
    	cube: "Your Cube",
    	binary: true,
    	withCredentials: true
    },

    Now you can use Windows authentication in your Accelerator DLL project.

    3. Using custom authorization

    If you already have an ASP.NET portal that handles users and an authorization process, the most convenient option is to embed the Accelerator into that system. For this purpose, we recommend referencing the Accelerator as a DLL and integrating a Web API endpoint. Endpoint access is fully controlled by the ASP.NET portal so you can manage security in any way you want. The overall process is described in the diagram below. For more details regarding referencing the Accelerator as a DLL please read our tutorial.

    customAuthorization

    What’s next?

    You may be interested in the following articles: