Configure HTTP Access to SQL Server Analysis Services on IIS 7.0
after learning to Configure HTTP Access to SQL Server Analysis Services on windows server 2003 ,i will continue how to Configure HTTP Access to SQL Server Analysis Services on IIS 7.0引自:http://msdn.microsoft.com/en-us/library/gg492140.aspx
You can enable HTTP access to Analysis Services by configuring MSMDPUMP.dll,an ISAPI extension that runs in Internet Information Services (IIS) and pumpsdata to and from client applications and an Analysis Services server. Thisapproach provides an alternative means for connecting to Analysis Services whenyour OLAP solution calls for the following capabilities:
[*] Client access is over Internet or extranet connections, with restrictions onwhich ports can be enabled. Or, client connections are from non-trusted domainsin the same network.
[*] Client runs in a network environment that allows HTTP but not TCP/IPconnections.
[*] Authentication methods other than Windows integrated security are required.IIS supports Anonymous connections and Basic authentication. ConfiguringAnalysis Services for HTTP access lets you use these alternative authenticationmethods with Analysis Services.
[*] Client applications cannot use the Analysis Services client libraries (forexample, a Java application running on a UNIX server). If you cannot use theAnalysis Services client libraries for data access, you can use SOAP and XML/Aover a direct HTTP connection to an Analysis Services instance.
This topic explains how to set up HTTP access to an Analysis Servicesinstance using IIS 7.0. These instructions are valid for any supported versionor edition of an Analysis Services OLAP instance that interfaces with IIS 7.0,including SQL Server 2008 R2, SQL Server 2008, and SQL Server 2005.
This topic includes the following sections:
Overview
Copy the MSMDPUMP.dll to a folder on the Webserver
Create an application pool and virtualdirectory in IIS
Configure IIS authentication and add theextension
Edit the MSMDPUMP.INI file to set the targetserver
Test your configuration
Overview
MSMDPUMP is an ISAPI extension thatloads into IIS and provides redirection to an Analysis Services instance that ison the same computer or a remote computer within the same domain. You mustcreate and configure one virtual directory, each with its own set of MSMDPUMPfiles, for each Analysis Services instance you want to connect to. Theconfiguration file in each set of MSMDPUMP files specifies the name of theAnalysis Services server instance used for each HTTP endpoint.
On IIS, MSMDPUMP connects to AnalysisServices using the Analysis Services OLE DB provider over TCP/IP. Both AnalysisServices and IIS must be in the same domain or in trusted domains in order forthe native connection to succeed.
When MSMDPUMP connects to AnalysisServices, it does so under a Windows user identity. This account will either bethe Anonymous account if you configured the virtual directory for anonymousconnections, or a Windows user account. The account must have the appropriatedata access rights on the Analysis Services server and database.
Note Remember to unblock the ports in Windows Firewall to allow client connectionsto a remote Analysis Services server. For more information, see Configure WindowsFirewall for Analysis ServicesAccess.
The following table lists additionalconsiderations when you enable HTTP access for different scenarios.
Scenario
Configuration
IIS and Analysis Services on the same computer
This is the simplest configuration because it allows you to use the defaultconfiguration (where the server name is localhost), the local Analysis ServicesOLE DB provider, and Windows integrated security with NTLM. Assuming that theclient is also in the same domain, user authentication is transparent to theuser, with no additional work on your part.
IIS and Analysis Services on different computers
For this topology, you must install the Analysis Services OLE DB provider onthe web server. You must also edit the msmdpump.ini file to specify the locationof Analysis Services instance on the remote computer.
This topology adds a double-hop authentication step, where credentials mustflow from the client to the web server, and on to the backend Analysis Servicesserver. If you are using Windows credentials and NTLM, you will get an errorbecause NTLM does not allow delegation of client credentials to a second server.The most common solution is to use Basic authentication with Secure SocketsLayer (SSL), but this will require users to provide a user name and passwordwhen accessing the MSMDPUMP virtual directory. A more straightforward approachmight be to enable Kerberos and configure Analysis Services constraineddelegation so that users can access Analysis Services in a transparentmanner.
Consider which ports to unblock in Windows Firewall. You will need to unblockports on both servers to allow access to the web application on IIS, and toAnalysis Services on a remote server.
Client connections are from a non-trusted domain or an extranetconnection
Client connections from a non-trusted domain introduce further restrictionson authentication. By default, Analysis Services uses Windows integratedauthentication, which requires users to be on the same domain as the server. Ifyou have Extranet users who connect to IIS from outside the domain, those userswill get a connection error if the server is configured to use the defaultsettings.
Workarounds include having Extranet users connect through a VPN using domaincredentials. However, a better approach might be to enable Basic authenticationand SSL on your IIS web site.
Copy the MSMDPUMP.dll to a folder on the Webserver
In this section, you copy the MSMDPUMPexecutable, configuration file, and resource files from the Analysis Servicesprogram folders to an OLAP virtual directory folder that you create on the filesystem.
The drive must be formatted for the NTFSfile system. The path to the folder that you create must not contain anyspaces.
[*] On the web server, create the following folder:<drive>:\inetpub\wwwroot\olap
[*] Copy the contents of the ISAPI folder on the Analysis Services computer tothe \inetpub\wwwroot\olap folder you just created.
The ISAPI folder can be found at <drive>:\Program Files\Microsoft SQLServer\<instance>\OLAP\bin\isapi. It contains the following files andfolder: MSMDPUMP.DLL, MSMDPUMP.INI, and a Resources folder that contain languageresource files.
Note Note that the format of the instance name has changed in recent releases ofSQL Server. If you are using SQL Server 2008 R2, the default instance name isMSAS10_50.MSSQLSERVER. If you are using earlier versions of SQL Server, theinstance names are created sequentially by installation order, where MSSQL.1 isthe first service installed, MSSQL.2 is the second service, and so on. You mightneed to open the instance folders to determine which one has the AnalysisServices program files.
[*] Verify that the \inetpub\wwwroot\olap\isapi folder on your web servercontains the following: MSMDPUMP.DLL, MSMDPUMP.INI, and a Resourcesfolder.
Create an application pool and virtual directoryin IIS
Configuring HTTP access starts withcreating an application pool and virtual directory that provides an endpoint tothe pump.
Create anapplication pool
[*] Start IIS Manager. Click Start, point to Run, and then type Inetmgr.
[*] Right-click Application Pools and then click Add Application Pool. Create an application pool named OLAP, using .NET Framework v2.0.50727, with Managed pipelinemode set to Classic.
[*] By default, IIS creates application pools using Network Service as thesecurity identity. To change the identity of the application pool you justcreated, right-click OLAP, and then select Advanced Settings.
[*] In Identity, click the built-in account that IIS specified. Depending on theversion of Windows that you are using, this is either NetworkService (shown in the screenshot) or ApplicationPoolIdentity. Click the Change button for this property to replace the built-inaccount with the custom account you want to use.
[*] By default, on a 64-bit operating system, IIS sets the Enable 32-bit Applications property to false. If you copied msmdpump.dll from a 64-bit installationof Analysis Services, this is the correct setting for the MSMDPUMP extension ona 64-bit IIS server. If you copied the MSMDPUMP binaries from a 32-bitinstallation, set it to true. Check this property nowto ensure it is set correctly.
Create avirtual directory
[*] In IIS Manager, open Sites, right-click Default Web Site (or whatever web site you are using toaccess the pump), and then click Add Virtual Directory.
[*] In Alias, type OLAP.
[*] In Physical Path, click the browse button and navigate toC:\inetpub\wwwroot\olap. Click OK.
[*] Right-click the OLAP virtual directory you justcreated, and then click Convert to Application. Acceptall of the default values. Click OK to convert theapplication.
Configure IIS authentication and add theextension
In this section, you further configurethe OLAP virtual directory you just created. You will specify an authenticationmethod and then add a script map. For more information about authenticationmethods, see IISAuthentication Methods.
[*] In IIS Manager, open Sites, open Default Web Site, and then select the OLAP virtual directory.
[*] Double-click Authentication in the IIS section ofthe main page.
[*] Enable Windows Authentication if you are usingWindows integrated security.
This is the most secure and recommended mode, but it requires that IIS beable to access user domain credentials, using Microsoft Active Directory® oranother mechanism. If Analysis Services and IIS are on different computers, youwill need to enable Kerberos and configure Analysis Services for constraineddelegation. It is beyond the scope of this topic to discuss all the possibleconfigurations.
[*] Enable Anonymous Authentication if you aresupporting connections through IUSR_<computername>. Otherwise, you shoulddisable this authentication method. If you enable Anonymous Authentication, IISwill always use it first, even if you enable other authentication methods.
If you do enable Anonymous Authentication, be sure that theIUSR_<computername> account on your web server has the appropriate dataaccess permissions on the Analysis Services database.
When this mode is selected, the pump (msmdpump.dll) runs using thecredentials of IUSR_<computername>. Therefore, every connection toAnalysis Services is opened as IUSR_<computername> user. When this mode isselected, there is no distinction between which user is connecting to IIS andwhich to Analysis Services. This mode is most likely found in an extremelycontrolled environment, where users are given or denied access by way of accesscontrol lists on the virtual directory.
[*] Enable Basic Authentication if your client andserver applications are in different domains. This mode requires the user toenter a user name and password. The user name and password are transmitted overthe HTTP connection to IIS. IIS will try to impersonate the user using theprovided credentials. Please note that it is imperative for anyone building asystem where the password is transmitted to have ways of securing thecommunication channel. IIS provides a set of tools that help you secure thechannel. For more information, see How to Set Up SSL on IIS7.
Basic authentication is useful when you want to collect user credentials fromthe client, giving users a way to access the Web site using credentials that aredifferent from their personal Windows login account. When you select Basicauthentication, IIS reads the HTTP header of each request for a username andpassword. If it doesn't find the proper credentials, IIS sends a response to theclient asking for a username and password. The client prompts the user forcredentials and then uses Base64 encoding to send the username and password tothe server. Although the credentials are encoded, they are not encrypted and aretherefore not secure. This is why it’s strongly recommended that Web sites use acombination of Basic authentication and SSL to encrypt the credentials that theclient sends to the server.
[*] Click the OLAP virtual directory to open the mainpage. Double-click Handler Mappings.
[*] Right-click anywhere on the page and then select Add ScriptMap. In the Add Script Map dialog box, specify *.dll as the request path, specifyc:\inetpub\wwwroot\olap\msmdpump.dll as the executable, and type OLAP as the name.
[*] Click Request Restrictions.
[*] On the Verbs tab, verify that All verbs is selected.Click OK, and then click OKagain to finish adding the script mapping.
[*] When prompted to allow the ISAPI extension, click Yes.
Edit the MSMDPUMP.INI file to set the targetserver
Open the msmdpump.ini file located infolder C:\inetpub\wwwroot\OLAPand take a look at the contents of this file. Itshould look like the following:
Copy
<ConfigurationSettings> <ServerName>localhost</ServerName> <SessionTimeout>3600</SessionTimeout> <ConnectionPoolSize>100</ConnectionPoolSize> </ConfigurationSettings> If the Analysis Services instance forwhich you are configuring HTTP access is located on the local computer andinstalled as a default instance, there is no reason to change this setting.Otherwise, you must specify the server name (for example,<ServerName>ADWRKS-SRV01</ServerName>).
By default, Analysis Services listens onTCP/IP port 2838. If you installed Analysis Services as the default instance,you do not need to specify any port in <ServerName> because AnalysisServices knows how to listen on port 2838 automatically. However, you do need toallow inbound connections to that port in Windows Firewall. For moreinformation, see Configure WindowsFirewall for Analysis Services Access.
If you configured a named or defaultinstance of Analysis Services to listen on a fixed port, you must add the portnumber to the server name (for example,<ServerName>AW-SRV01:55555</ServerName>) and you must allow inboundconnections in Windows Firewall to that port.
Test your configuration
The connection string syntax forMSMDPUMP is the URL to the MSMDPUMP.dll file.
If the web application is listening on afixed port, append the port number to the server name or IP address (forexample, http://my-web-srv01:8080/olap/msmdpump.dll orhttp://123.456.789.012:8080/olap/msmdpump.dll.
To quickly test the connection, you canopen a connection using SQL Server Management Studio. In the Connect to Serverdialog box, select Analysis Services as the servertype. In Server name, enter the HTTP address of the msmdpump extension: http://localhost/olap/msmdpump.dll.
Be sure to follow-up with more rigoroustesting by using an actual client computer that runs in the network environmentfrom which the connections will originate. Remember to grant the appropriatepermissions on the Analysis Services server (either IUSR_<computername> ifyou enabled Anonymous connections or the Windows identities of the users who areconnecting to MSMDPUMP by way of IIS).
页:
[1]