Establishing Secure Connections in ADOMD.NET
When you use a connection in ADOMD.NET, the security method that is used for the connection depends on the value of the ProtectionLevel property of the connection string used when you call the Open method of the AdomdConnection.
The ProtectionLevel property offers four levels of security: unauthenticated, authenticated, signed, and encrypted. The following table describes these various security levels.
Note
If you choose to use database connection pooling, the database will not be able to manage security. This is because database connection pooling requires that the connection string be identical to pool connections. Therefore, you must manage security elsewhere.
Security Level |
ProtectionLevel Value |
---|---|
|
None |
|
Connect |
|
Pkt Integrity or PktIntegrity |
|
Pkt Privacy or PktPrivacy |
However, not all levels of security are available for all kinds of connections:
A TCP connection can use any one of the four levels of security. In fact, a TCP connection, when you use it with Windows Integrated Security, offers the securest method of connecting to an analytical data source.
An HTTP connection can only be an authenticated connection. Therefore, the ProtectionLevel property must be set to Connect.
An HTTPS connection can only be an encrypted connection. Therefore, the ProtectionLevel property must be set to Pkt Privacy or PktPrivacy.
Securing TCP Connections
For a TCP connection, the ProtectionLevel property supports all four levels of security, as shown in the following table.
ProtectionLevel Value |
Use with TCP Connection? |
Results |
---|---|---|
None |
Yes |
Specifies an unauthenticated connection. A TCP stream is requested from the provider, but there is no form of authentication performed on the user who is requesting the stream. |
Connect |
Yes |
Specifies an authenticated connected. A TCP stream is requested from the provider, and then the security context of the user who is requesting the stream is authenticated against the server:
After authentication succeeds or fails, the security context that is used to authenticate the connection is disposed. |
Pkt Integrity or PktIntegrity |
Yes |
Specifies a signed connection. A TCP stream is requested from the provider, and then the security context of the user who is requesting the stream is authenticated against the server:
|
Pkt Privacy or PktPrivacy |
Yes |
Specifies an encrypted connection.
Note
You can also specify an encrypted connection by not setting the ProtectionLevel property in the connection string.
A TCP stream is requested from the provider, and then the security context of the user requesting the stream is authenticated against the server:
|
Using Windows Integrated Security for the Connection
Windows Integrated Security is the securest way of establishing and securing a connection to an instance of Analysis Services. Windows Integrated Security does not reveal security credentials, such as a user name or password, during the authentication process, but instead uses the security identifier of the currently running process to establish identity. For most client applications, this security identifier represents the identity of the currently logged-on user.
To use Windows Integrated Security, the connection string requires the following settings:
For the Integrated Security property, either do not set this property or set this property to SSPI.
Note
Windows Integrated Security is only available for TCP connections because HTTP connections must use the Basic setting for the Integrated Security property.
For the ProtectionLevel property, set this property to Connect, Pkt Integrity, or Pkt Privacy.
Securing HTTP Connections
HTTPS and Secure Sockets Layer (SSL) can be used to externally secure HTTP communications with an analytical data source.
Because an XMLA provider only uses secure HTTP, an HTTP connection in ADOMD.NET must be a signed connection, as shown in the following table.
ProtectionLevel Value |
Use with HTTP or HTTPS |
---|---|
None |
No |
Connect |
HTTP |
Pkt Integrity or PktIntegrity |
No |
Pkt Privacy or PktPrivacy |
HTTPS |
For more information, see Configuring HTTP Access to SQL Server Analysis Services on Microsoft Windows XP on the Microsoft Web site.
Opening a Secure HTTP Connection
The following example demonstrates how to use ADOMD.NET to open an HTTP connection for the AdventureWorksAS sample Analysis Services database:
Public Function GetAWEncryptedConnection( _
Optional ByVal serverName As String = "https:\\localhost\isapy\msmdpump.dll") _
As AdomdConnection
Dim strConnectionString As String = ""
Dim objConnection As New AdomdConnection
Try
' To establish an encrypted connection, set the
' ProtectionLevel setting to PktPrivacy.
strConnectionString = "DataSource=" & serverName & ";" & _
"Catalog=AdventureWorksAS;" & _
"ProtectionLevel=PktPrivacy;"
' Note that username and password are not supplied here.
' The current security context is used for authentication
' purposes.
objConnection.ConnectionString = strConnectionString
objConnection.Open()
Catch ex As Exception
objConnection = Nothing
Throw ex
Finally
' Return the encrypted connection.
GetAWEncryptedConnection = objConnection
End Try
End Function