Authentication of Direct Connections
The Analysis server authenticates end users when they attempt to connect directly to the server. These connections are characterized by:
- Connection strings containing a Data Source property value equivalent to an Analysis server name.
- Use of Transport Control Protocol/Internet Protocol (TCP/IP).
When an end user attempts to connect directly to an Analysis server, Microsoft® SQL Server™ 2000 Analysis Services attempts to authenticate the end user based on the credentials the end user was granted in the operating system when the end user logged on to the domain. Analysis Services automatically detects a connecting end user's credentials. If, in the connection string, the end user specifies a user name and password that is different from his or her logon user name and password, the specified user name and password are ignored. If the end user's credentials allow the end user to access the Analysis server computer from the network, authentication on the Analysis server is successful, and the end user is allowed to connect to the Analysis server. If the end user's credentials do not allow the end user to access the Analysis server computer from the network, authentication on the Analysis server is unsuccessful, and the end user is not allowed to connect to the Analysis server.
For authentication, Analysis Services uses Security Support Provider Interface (SSPI) as the interface to Microsoft Windows NT® 4.0 or Windows® 2000 security. Analysis Services supports Kerberos, NTLM Security Support Provider, and other providers that use SSPI. You can select the provider by setting the SSPI property in the connection string. For more information, see SSPI Property.
If the provider is NTLM Security Support Provider, access to an Analysis server requires an end user to be a member of the same domain as the user account under which the Analysis server was installed, or to be a member of a trusted domain. An end user is denied access if the end user's account cannot be authenticated against one of these domains.
Another type of connection, which is through Internet Information Services (IIS), can also be attempted. For more information, see Authentication of Connections.