2/28/2012 10:08:58 AM
Ritesh Medhe -
This white paper will navigate you through the process of exposing SSAS cubes over port 80
SSAS server must have IIS installed (if both the servers are different you might need to setup kerberos authentication between IIS + SSAS server for MSOLAP)
For IIS 6.0 (http://technet.microsoft.com/en-us/library/cc917711.aspx)
Port 80 must be open for outgoing on client machine and incoming/Outgoing on SSAS server
For IIS 7.0
Microsoft® SQL Server™ 2008 Analysis Services use the same architecture for providing HTTP access as SQL Server 2005 Analysis Services.
The pump component is loaded into IIS (Internet Information Services) and serves as an ISAPI extension, pumping data from the client to an Analysis Services server and back.
This white paper walks you through the process of setting up HTTP access to Analysis Services using Microsoft Windows Server™ 2008.
Figure 1 provides a high-level overview of the component architecture.
Copy the contents of the <SQL instllation folder>\OLAP\bin\isapi directory into the folder that would be the base for the virtual directory in IIS.
In this example, we are going to copy all the files from the C:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\bin\isapi folder into the C:\inetpub\wwwroot\olap directory.
Make sure you also copy resource files. Also ensure that IIS user has proper access to it.
Notes: To take advantage of the full set of security settings, it is important to make sure that the base folder for the virtual directory is located on the drive formatted for the NTFS file system.
Due to IIS limitations, the path to your directory should not contain spaces.
If you are planning to run the HTTP pump on a different than the SSAS server, please make sure that you also install OLEDB for Analysis Redistributable package.
Creating an application pool
To create an application pool:
To open the Computer Management console, open Control Panel, then Administrative Tools, then Computer Management.
(Or, right-click the My Computer icon and select Manage on the shortcut menu.)
In the Computer Management console, expand the Roles node and then the Web Server (IIS) and Internet Information Services node.
If you can’t find the Internet Information Services node, IIS is probably not installed on your machine. To install it, open Add or Remove Programs in Control Panel. Select Add/Remove Windows Components. Then add IIS to Windows.
Right-click the Application Pools to open the shortcut menu and select Add Application Pool...
Name the application pool. In this example, we call it OLAP. (See Figure 2.)
Setting up an application
To use the application pool:
Right-click the OLAP directory in your Web site to open the shortcut menu and select Convert to Application. Choose the application pool as one you’ve just created. (See Figure 3.)
Setting up directory properties
To set properties for the directory:
Click your virtual directory node and select Handler Mappings from the menu. (See Figure 4.)
Make sure the directory has Read and Script permissions. This can be checked by clicking the "Edit Feature Permissions..." in
the top right corner of the Handler Mappings screen as shown in Figure 5.
In the top right corner of the Handler Mappings screen click the option " Add Script Map...".
Enter *.dll in the Request path text box.
In the Executable option, enter the full path name to msmdpump.dll. In this example, it would be: C:\wwwroot\olap\msmdpump.dll
Name the Script Map. In this example, we call it OLAP.
Your screen should look something like the dialog box shown in Figure 6.
Click the OK button to accept the settings.
When you hit OK to add the script mapping you will be prompted if you want to enable the ISAPI extension. (See Figure 7.)
Click the Yes button to accept the settings.
The configuration of this decision can be found under ISAPI and CGI Restrictions of the server. (See Figure 8.)
Search for your extension and name it as shown in Figure 9.
Selecting security settings
To select security settings:
Click your virtual directory node and select Autentication from the menu. (See Figure 10.)
You are presented with three options. Choose one of them. (See Figure 11)
This section briefly describes these options, citing the advantages, disadvantages, and security concerns of each one. All other options are not discussed in the paper. You can use Help for IIS to read more about it.
When this mode is selected, the pump (msmdpump.dll) is running with credentials; in our case, these are the credentials of IUSR_MACHINENAME user. Therefore, every connection to Analysis Services is opened as IUSR user. When this mode is selected, there is no distinction between which user is connecting to IIS and which to Analysis Services. There is no way to distinguish between users.
This mode is to be used when the security infrastructure does not take advantage of the security functionality of Analysis Services. This is most likely an extremely controlled environment, where users are given or denied access to the virtual directory.
This is the most secure and the recommended mode.
It requires that IIS Server be able to access user domain credentials. This could be done using Microsoft Active Directory® or another mechanism. It is beyond the scope of this paper to discuss all the possible configurations.
This mode requires that the user enter a user name and password. The user name and password are transmitted over the HTTP connection to IIS. IIS will try to impersonate the user using the provided credentials.
Please note that it is absolutely imperative for anyone building a system where the password is transmitted to have ways of securing the communication channel. IIS provides a great set of tools for setting up and requiring that all communications be encrypted using HTTPS protocol.
For configuring anonymous authentication right-click Anonymous Authentication and then click Edit. You will see a dialog box similar to the one in Figure 12 Here you can configure a specific account which will be used to logon SSAS.Figure 12
Selecting the target Analysis Services server
As you can see in the architectural diagram in Figure 1, every pump component uses its own configuration file.
Open the msmdpump.ini file located in your folder and take a look at the contents of this file. It should look like the following:
The only setting you are interested in at this point is <ServerName>.
If the Analysis Services instance that you need to provide access to is located on the local machine and installed as a default instance, there is no reason to change this setting. Otherwise, you need to specify the machine name and instance name ( mymachine\inst1).
It is also possible to specify a pointer to the virtual directory on another IIS server that is set up for HTTP access to Analysis Services.
For example, you could have <ServerName>http://secondmachine/olap/msmdpump.dll</ServerName>
This will let end user access cube by inputing servername as "http://secondmachine/olap/msmdpump.dll" (in excel/OLAP Browser)
Getting it all together
At this point you should have configured your HTTP pump and should be ready to connect from your application.
If your application provides you with a way to specify the server name, all you need to do is to substitute your server name with the path to your virtual directory concatenated with “msmdpump.dll”.
As in SQL Server 2005 Analysis Services, the MSOLAP OLEDB provider will understand that the server name includes an URL path and will automatically start using HTTP protocol.
For example, to connect to “MyMachine” from the MDX sample application, you should be able to connect to the Analysis Services server using “http://MyMachine/olap/msmdpump.dll” as a server name.
Ritesh Medhe (Member since: 3/31/2011 11:34:25 AM)
Ritesh Medhe is a Microsoft Certified DBA & a BI professional with over 8 years of experience.
Expertise: Performance optimization & SQL Server Administration
View Ritesh Medhe 's profile
If you could add a screen shot of what the sample web-site (connected to OLAP data) would look like that would have been a great value add too
How to apply Claims based authentication on SSAS
its always better to check for port availability using netstat command and decide the port. I had lot of clients who had the same issue as it was done on default port.
Leave a comment