INFO - EV Authentication Page 1 sur 4

INFO - Executive Viewer Authentication

The information in this article applies to:

Executive Viewer Server, Executive Viewer Client, WebService, URL API

Introduction

There are several possible combinations of authentication when setting up Executive Viewer. This article
gives an overview which ways of authentication are possible.

Overview

Authentication between Executive Viewer Explorer and Executive Viewer Server

Executive Viewer Executive Viewer Authenticaton Remark

Explorer Server possible?
WIA * WIA Yes
WIA Basic No Message: 'HTTP Status 401:
Access Denied'.
WIA Anonymous Yes Cannot use the logon type
WIA as a security provider in
Executive Viewer.
An anonymous identity cannot
perform an impersonation.
Basic WIA Yes
Basic Basic Yes As of version 6.1.2.0 and
6.2.0.0
Basic Anonymous Yes The logon type WIA is never
used, in spite of the
configuration.
Anonymous WIA Yes Cannot use the logon type
WIA as security provider in
Executive Viewer.
Anonymous Basic No In case the logon type
Forms is used as a
security provider in
Executive Viewer, a
message is displayed:
'HTTP Status 401: Access
Denied'.
In case the logon type WIA
is used as a security
provider in Executive
Viewer, the authentication
fails because the
impersonation is not
possible while not being
authenticated.
Anonymous Anonymous Yes In case the logon type WIA is
used as a security provider in
Executive Viewer, the
authentication fails because

http://support.temtec.com/evkb/ev0090.htm 11/12/2006
INFO - EV Authentication Page 2 sur 4

the impersonation is not

possible while not being
authenticated.

* Windows Integrated Authentication

Note: Executive Viewer Explorer can be exchanged by any portal implementation which uses the
WebService.

Authentication of Executive Viewer Client using the URL API

Executive Viewer Authenticaton Remark

Server possible?
WIA Yes The session is automatically impersonated.
Basic Yes As of version 6.0.2.2 authentication is possible
based on credentials supplied through Basic
authentication
Anonymous Yes Authentication is only possible when a user name
and a password are specified in the parameters.

Authentication of Executive Viewer Client using HTTP(S)

Executive Viewer Authenticaton Remark

Server possible?
WIA Yes
Basic No Message: 'Cannot connect to server ‘<server>’
using HTTP(S) port <port>. The server is either
not started or too busy.'
Anonymous Yes

How does the authentication takes place?

Executive Viewer Explorer or a similar portal

When your Executive Viewer Server installation or a portal environment is configured for Integrated Windows
Authentication) or Basic Authentication, your first authentication point is IIS on that server.

1. Integrated Windows Authentication

When the client accesses from inside the same (or a trusted) domain, Internet Explorer handles the
authentication for you and no logon dialog will be shown.
When the client accesses over the internet running under an account known in the domain and the site
is in the Trusted Sites group, no logon dialog will be shown.
When the client is outside the domain, Internet Explorer displays a logon dialog.

A security token (Kerberos, NTLM) is passed to the server.

2. Basic Authentication

Internet Explorer displays always a logon dialog. The credentials are transferred to the server (IIS) and a
logon is performed with those credentials.

WebService or URL API

Executive Viewer Explorer or a portal implementation use the WebService. This means they perform calls to
the WebService and receive responses from it.

http://support.temtec.com/evkb/ev0090.htm 11/12/2006
INFO - EV Authentication Page 3 sur 4

The URL API is a one call mechanism for displaying the Executive Viewer Client. The URL API is nested in
the WebService.

1. Executive Viewer Explorer (or a portal implementation)

When Executive Viewer Explorer uses the WebService, the WebService must be able to authenticate
Executive Viewer Explorer. The standard installation of Executive Viewer Explorer will authenticate with
the user who logged on to Executive Viewer Explorer.
As of version 6.0.2.2 Executive Viewer Explorer can perform Basic Authentication on the Webservice if
Executive Viewer Explorer is configured for Basic authentication.

When using WIA a security token (Kerberos, NTLM) is passed to the server.
When using Basic authentication the credentials are transferred.

2. URL API

The URL API has the same authentication scheme as the WebService, because the URL API is nested in
the WebService.
The first point of authentication on the server (IIS) is accessing the URL API.

Executive Viewer Client

When Executive Viewer Client is shown, take into account the following authentication features:

1. HTTP(S) Tunneling

When tunneling is used Executive Viewer Client:

tries to connect to '<Protocol>://<ServerName>/Executive Viewer Server/TUNNEL' (this is the default

folder where the WebService is located) and;
has to comply with the configured authentication scheme in IIS.

The Executive Viewer Client can only perform an automatic logon using WIA, or no authentication at all.
Any situation which would result in a Logon dialog being displayed is not handled by the Executive Viewer
Client and will result in an exception message being displayed: 'Cannot connect to server ‘<server>’ using
HTTP(S) port <port>. The server is either not started or too busy'.

Note: You can test this by calling the '<Protocol>://<ServerName>/Executive Viewer Server/TUNNEL'
directly in Internet Explorer from the client machine.
If a Logon dialog is displayed, Executive Viewer Client is not authenticated.
If Executive Viewer Client is not authenticated, a File Download dialog is displayed. Cancel the download.

2. Session ID

There are several ways Executive Viewer Client can be used. Depending on the way of usage the
following situations exist:

with a Session ID which has been created on Executive Viewer Server or;
without a Session ID. When no Session ID is present Executive Viewer Client has to authenticate on
Executive Viewer Server.
Note: this is the Executive Viewer Server and not the one in IIS.
When possible authentication via WIA is used. Otherwise the Executive Viewer Client displays a logon
dialog for accessing Executive Viewer Server.

3. Datasource

Depending on the type of datasource and its permissions, it is possible Executive Viewer Client has to
supply extra credentials in order to access a specific OLAP database from which Executive Viewer Client
retrieves the data. Executive Viewer Client displays a logon dialog in these occasions.

Different ways of authentication

http://support.temtec.com/evkb/ev0090.htm 11/12/2006
INFO - EV Authentication Page 4 sur 4

The authentication settings you need depend on the task you have to perform. The key turning point is the
authentication scheme used for Executive Viewer Server virtual directory in IIS, because this is the place
where tunneling, the WebService and the URL API interact.

You are allowed duplicate this virtual directory and adapt it to your specific needs.

Tunneling

Since the accessed virtual directory is fixed, the options are limited. You can either use WIA or Anonymous.

WebService

The authentication scheme that is needed for the WebService, depends on the choice of the Security
Provider. Only when you have to impersonate a user, you shall authenticate that user. Currently this is only
possible with the Windows Security Provider. In this case you have to choose WIA or Basic Authentication.

Note: Basic Authenticaton is available as of version 6.1.2.0 and 6.2.0.0.

If you need Anonymous during tunneling, you need an additional virtual directory for your WebService, with
the appropriate authentication scheme on it.

URL API

You can create an additional virtual directory for the URL API if:

you intend to use the URL API and,

the authentication scheme(s) on the Executive Viewer Server virtual directory(s) do not fit your needs.

In general, you will not use more then two separate virtual directories.

Additional Notes

1. When using Basic Authentication for accessing either Executive Viewer Explorer or the URL API over the
internet, consider using HTTPS to prevent interception of the clear text user name / password which are
inherent to Basic Authentication protocol.

2. When using tunneling Executive Viewer Client connects to <Server>\EVServer\TUNNEL. The TUNNEL
folder is a non existing folder which is used to intercept tunneling requests.

3. Internet Explorer 6.0 has a setting prompt for user name and password. If this setting is selected,
Executive Viewer Client will not be able to connect to Executive Viewer Server using tunneling when
Executive Viewer Server is configured using WIA.
The setting can be in IE 6.0 set via: Tools - Internet Options - Security - Internet (or Local intranet) -
Custom Level - User Authentication - Logon.

4. You need a correct Kerberos setup in a multi-hop scenario. In a multi-hop scenario credential information
is delegated from server to server.

Article ID: EV0090

Last reviewed on 19 October 2006 by MMA

Copyright© Applix Inc.

Information provided in this document is provided 'as is' without warranty of any kind, either express or implied. This text has been
provided as information for users of Executive Viewer. No rights can be taken from this document.

http://support.temtec.com/evkb/ev0090.htm 11/12/2006