Connections in ADOMD.NET - Establishing Secure Connections

When you use a connection in ADOMD.NET, the security method that is used for the connection depends on the value of the ProtectionLevel property of the connection string used when you call the Open method of the AdomdConnection.

The ProtectionLevel property offers four levels of security: unauthenticated, authenticated, signed, and encrypted. The following table describes these various security levels.

Note

If you choose to use database connection pooling, the database will not be able to manage security. This is because database connection pooling requires that the connection string be identical to pool connections. Therefore, you must manage security elsewhere.

Security Level ProtectionLevel Value
unauthenticated connection
An unauthenticated connection does no form of authentication. This kind of connection represents the most widely supported, but least secure, form of connection.
None
authenticated connection
An authenticated connection authenticates the user who is making the connection, but does not secure additional communications. This kind of connection is useful in that you can establish the identity of the user or application that is connecting to an analytical data source.
Connect
signed connection
A signed connection authenticates the user who is requesting the connection, and then makes sure that transmissions are not modified. This kind of connection is useful when the authenticity of the transferred data must be verified. However, a signed connection only prevents the content of the data packet from being modified. The content can still be viewed in transit.



Note that a signed connection is only supported by the XML for Analysis provider supplied by MicrosoftSQL ServerAnalysis Services.
Pkt Integrity or PktIntegrity
encrypted connection
An encrypted connection is the default connection type used by ADOMD.NET. This kind of connection authenticates the user who is requesting the connection, and then also encrypts the data that is transmitted. An encrypted connection is the securest form of connection that can be created by ADOMD.NET. The content of the data packet cannot be viewed or modified, thereby protecting data during transit.



An encrypted connection is only supported by the XML for Analysis provider supplied by SQL ServerAnalysis Services.
Pkt Privacy or PktPrivacy

However, not all levels of security are available for all kinds of connections:

  • A TCP connection can use any one of the four levels of security. In fact, a TCP connection, when you use it with Windows Integrated Security, offers the securest method of connecting to an analytical data source.

  • An HTTP connection can only be an authenticated connection. Therefore, the ProtectionLevel property must be set to Connect.

  • An HTTPS connection can only be an encrypted connection. Therefore, the ProtectionLevel property must be set to Pkt Privacy or PktPrivacy.

Securing TCP Connections

For a TCP connection, the ProtectionLevel property supports all four levels of security, as shown in the following table.

ProtectionLevel Value Use with TCP Connection? Results
None Yes Specifies an unauthenticated connection.

A TCP stream is requested from the provider, but there is no form of authentication performed on the user who is requesting the stream.
Connect Yes Specifies an authenticated connected.

A TCP stream is requested from the provider, and then the security context of the user who is requesting the stream is authenticated against the server: If authentication succeeds, no other action is taken. If authentication fails, the AdomdConnection object disconnects from the multidimensional data source and an exception is thrown.

After authentication succeeds or fails, the security context that is used to authenticate the connection is disposed.
Pkt Integrity or PktIntegrity Yes Specifies a signed connection.

A TCP stream is requested from the provider, and then the security context of the user who is requesting the stream is authenticated against the server:



If authentication succeeds, the AdomdConnection object closes the existing TCP stream and opens a signed TCP stream to handle all requests. Each request for data or metadata is authenticated by using the security context that was used to open the connection. Additionally, each packet is digitally signed to make sure that the payload of the TCP packet has not been changed in any way.



If authentication fails, the AdomdConnection object disconnects from the multidimensional data source and an exception is thrown.
Pkt Privacy or PktPrivacy Yes Specifies an encrypted connection.



Note that you can also specify an encrypted connection by not setting the ProtectionLevel property in the connection string.



A TCP stream is requested from the provider, and then the security context of the user requesting the stream is authenticated against the server:



If authentication succeeds, the AdomdConnection object closes the existing TCP stream and opens up an encrypted TCP stream to handle all requests. Each request for data or metadata is authenticated by using the security context that was used to open the connection. Additionally, the payload of each TCP packet is encrypted by using the highest encryption method supported by both the provider and the multidimensional data source.



If authentication fails, the AdomdConnection object disconnects from the multidimensional data source and an exception is thrown.

Using Windows Integrated Security for the Connection

Windows Integrated Security is the securest way of establishing and securing a connection to an instance of Analysis Services. Windows Integrated Security does not reveal security credentials, such as a user name or password, during the authentication process, but instead uses the security identifier of the currently running process to establish identity. For most client applications, this security identifier represents the identity of the currently logged-on user.

To use Windows Integrated Security, the connection string requires the following settings:

  • For the Integrated Security property, either do not set this property or set this property to SSPI.

    Note

    Windows Integrated Security is only available for TCP connections because HTTP connections must use the Basic setting for the Integrated Security property.

  • For the ProtectionLevel property, set this property to Connect, Pkt Integrity, or Pkt Privacy.

Securing HTTP Connections

HTTPS and Secure Sockets Layer (SSL) can be used to externally secure HTTP communications with an analytical data source.

Because an XMLA provider only uses secure HTTP, an HTTP connection in ADOMD.NET must be a signed connection, as shown in the following table.

ProtectionLevel Value Use with HTTP or HTTPS
None No
Connect HTTP
Pkt Integrity or PktIntegrity No
Pkt Privacy or PktPrivacy HTTPS

Opening a Secure HTTP Connection

The following example demonstrates how to use ADOMD.NET to open an HTTP connection for the AdventureWorksAS sample Analysis Services database:

Public Function GetAWEncryptedConnection( _  
    Optional ByVal serverName As String = "https:\\localhost\isapy\msmdpump.dll") _  
    As AdomdConnection  
  
    Dim strConnectionString As String = ""  
    Dim objConnection As New AdomdConnection  
  
    Try  
        ' To establish an encrypted connection, set the   
        ' ProtectionLevel setting to PktPrivacy.  
        strConnectionString = "DataSource=" & serverName & ";" & _  
            "Catalog=AdventureWorksAS;" & _  
            "ProtectionLevel=PktPrivacy;"  
  
        ' Note that username and password are not supplied here.  
        ' The current security context is used for authentication  
        ' purposes.  
  
        objConnection.ConnectionString = strConnectionString  
        objConnection.Open()  
    Catch ex As Exception  
        objConnection = Nothing  
        Throw ex  
    Finally  
        ' Return the encrypted connection.  
        GetAWEncryptedConnection = objConnection  
    End Try  
End Function