Introduction
There are several possible combinations of authentication when setting up Executive Viewer. This article
gives an overview of the possible ways of authenticating.
Overview
http://support.temtec.com/evkb/ev0090.htm 11/12/2006
INFO - EV Authentication Page 2 sur 4
Note: Executive Viewer Explorer can be replaced by any portal implementation which uses the
WebService.
When your Executive Viewer Server installation or a portal environment is configured for Integrated Windows
Authentication (WIA) or Basic Authentication, your first authentication point is IIS on that server.
1. Integrated Windows Authentication
When the client connects from inside the same (or a trusted) domain, Internet Explorer handles the
authentication for you and no logon dialog is shown.
When the client connects over the internet while running under an account known in the domain and the site
is in the Trusted Sites group, no logon dialog is shown.
When the client is outside the domain, Internet Explorer displays a logon dialog.
2. Basic Authentication
Internet Explorer always displays a logon dialog. The credentials are transferred to the server (IIS) and a
logon is performed with those credentials.
Executive Viewer Explorer or a portal implementation uses the WebService. This means it performs calls to
the WebService and receives responses from it.
The URL API is a one-call mechanism for displaying the Executive Viewer Client. The URL API is nested in
the WebService.
1. WebService
When Executive Viewer Explorer uses the WebService, the WebService must be able to authenticate
Executive Viewer Explorer. The standard installation of Executive Viewer Explorer will authenticate with
the user who logged on to Executive Viewer Explorer.
As of version 6.0.2.2 Executive Viewer Explorer can perform Basic Authentication on the WebService if
Executive Viewer Explorer is configured for Basic Authentication.
When using WIA a security token (Kerberos, NTLM) is passed to the server.
When using Basic authentication the credentials are transferred.
2. URL API
The URL API has the same authentication scheme as the WebService, because the URL API is nested in
the WebService.
The first point of authentication on the server (IIS) is accessing the URL API.
When Executive Viewer Client is shown, take into account the following authentication features:
1. HTTP(S) Tunneling
The Executive Viewer Client can only perform an automatic logon using WIA, or no authentication at all.
Any situation which would result in a Logon dialog being displayed is not handled by the Executive Viewer
Client and will result in an exception message being displayed: 'Cannot connect to server ‘<server>’ using
HTTP(S) port <port>. The server is either not started or too busy'.
Note: You can test this by calling the '<Protocol>://<ServerName>/Executive Viewer Server/TUNNEL'
directly in Internet Explorer from the client machine.
If a Logon dialog is displayed, Executive Viewer Client is not authenticated.
If Executive Viewer Client is not authenticated, a File Download dialog is displayed. Cancel the download.
2. Session ID
Executive Viewer Client can be used in several ways. Depending on the usage, one of the
following situations applies:
with a Session ID which has been created on Executive Viewer Server; or
without a Session ID. When no Session ID is present, Executive Viewer Client has to authenticate on
Executive Viewer Server.
Note: this is the Executive Viewer Server and not the one in IIS.
When possible, authentication via WIA is used. Otherwise the Executive Viewer Client displays a logon
dialog for accessing Executive Viewer Server.
3. Datasource
Depending on the type of datasource and its permissions, Executive Viewer Client may have to
supply extra credentials in order to access a specific OLAP database from which Executive Viewer Client
retrieves the data. Executive Viewer Client displays a logon dialog in these cases.
The authentication settings you need depend on the task you have to perform. The key turning point is the
authentication scheme used for the Executive Viewer Server virtual directory in IIS, because this is the place
where tunneling, the WebService and the URL API interact.
You are allowed to duplicate this virtual directory and adapt it to your specific needs.
Tunneling
Since the accessed virtual directory is fixed, the options are limited. You can either use WIA or Anonymous.
WebService
The authentication scheme that is needed for the WebService depends on the choice of the Security
Provider. You need to authenticate a user only when you have to impersonate that user. Currently this is only
possible with the Windows Security Provider. In this case you have to choose WIA or Basic Authentication.
If you need Anonymous during tunneling, you need an additional virtual directory for your WebService, with
the appropriate authentication scheme on it.
URL API
You can create an additional virtual directory for the URL API if:
In general, you will not use more than two separate virtual directories.
Additional Notes
1. When using Basic Authentication for accessing either Executive Viewer Explorer or the URL API over the
internet, consider using HTTPS to prevent interception of the clear text user name / password, which is
inherent to the Basic Authentication protocol.
2. When using tunneling, Executive Viewer Client connects to <Server>\EVServer\TUNNEL. The TUNNEL
folder is a non-existent folder which is used to intercept tunneling requests.
3. Internet Explorer 6.0 has a setting 'Prompt for user name and password'. If this setting is selected,
Executive Viewer Client will not be able to connect to Executive Viewer Server using tunneling when
Executive Viewer Server is configured using WIA.
In IE 6.0 the setting can be set via: Tools - Internet Options - Security - Internet (or Local intranet) -
Custom Level - User Authentication - Logon.
4. You need a correct Kerberos setup in a multi-hop scenario. In a multi-hop scenario credential information
is delegated from server to server.
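The tunneling test note and Additional Note 1 can be checked from the HTTP response of each virtual directory. The following is an added example, not code from the original article or the product; the host name, the /EVServerWS/ directory and the finding labels are assumptions, and the sample responses are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WIA = {"negotiate", "ntlm"}  # schemes IIS advertises for WIA

def fetch(url):
    """Unauthenticated GET; returns (status, [(header, value), ...])."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:  # a 401 challenge arrives here
        return err.code, list(err.headers.items())

def offered_schemes(status, headers):
    """Schemes a response advertises; 'anonymous' if served with no challenge."""
    if 200 <= status < 400:
        return {"anonymous"}
    if status != 401:
        return set()  # e.g. 403/404/500 says nothing about the scheme
    return {v.split()[0].lower() for k, v in headers
            if k.lower() == "www-authenticate" and v.strip()}

def assess(url, status, headers, role):
    """role is 'tunnel' or 'webservice' (the latter also covers the URL API)."""
    schemes = offered_schemes(status, headers)
    findings = []
    if not schemes:
        findings.append("inconclusive")
    # Tunneling only works with WIA or Anonymous; a Basic-only challenge
    # would need a logon dialog, which the client cannot handle.
    if role == "tunnel" and schemes and not schemes & (WIA | {"anonymous"}):
        findings.append("tunnel-needs-wia-or-anonymous")
    # Basic sends user name and password in clear text unless HTTPS is used.
    if "basic" in schemes and urlsplit(url).scheme.lower() != "https":
        findings.append("basic-over-cleartext-http")
    return sorted(schemes), findings

# Constructed responses (hypothetical host and /EVServerWS/ directory).
BASIC = [("WWW-Authenticate", 'Basic realm="ev.example.test"')]
WIA_HDRS = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
SAMPLES = [
    ("http://ev.example.test/EVServer/TUNNEL", 401, BASIC, "tunnel"),
    ("https://ev.example.test/EVServer/TUNNEL", 401, WIA_HDRS, "tunnel"),
    ("http://ev.example.test/EVServerWS/", 401, BASIC, "webservice"),
    ("https://ev.example.test/EVServerWS/", 401, BASIC, "webservice"),
]

if __name__ == "__main__":
    for url, status, headers, role in SAMPLES:
        print(url, *assess(url, status, headers, role))
```

For a server you administer, pass the result of fetch(url) to assess() in place of a constructed sample.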