win AD authentication and impersonation on CE10


lyu

My company uses Windows AD authentication and single sign-on for CE10. But then we find that the database server will attempt to authenticate the report using the account under which the Crystal Server is running. This is not what we want. We want impersonation, i.e., to authenticate to the database using the user's logon credentials, but at the same time we want to keep the single sign-on feature.

Is it possible? My boss insists that it can be done this way, but I have spent many days digging through the documentation of CE, with no results... Please help me! //Bow
 
Hi,
What database?

In general, the database logins/passwords set when the report is published are separate from the CE login/password, so it should not be a conflict.
If, however, you are using a database that requires file system/operating system permissions in order to be used (like Access or SQL Server), then the CE service has to be running under an account that has that access.
The CE users do not access the database files, just the services.

 
I am using SQL Server. All reports in our company are created using Windows authentication (Integrated Security), and inside the background stored procedure, we do something to limit what a user is allowed to see based on the current user who runs the stored procedure.

This works fine in my desktop Crystal Reports.
But when we move all the reports onto Crystal Enterprise, we find that no matter who logs on to CE, all procedures inside the reports are run under the account under which the CE Server is running. This causes us problems, since we can no longer limit user access based on who he is.

Please help, Thanks again
 
Hi,
AFAIK, there is no way to change the fact that it is the CE server that actually reads the data.

There are some products (like BObj's Business Views) that let you restrict the data returned, based on the CE user that requests the report (or, in your case, the AD account).

Or, perhaps you could code something that passed the user id to the SP.

That way, the server would still be the one accessing the physical database, but the logical effect would be as if it were the User account.


 
Thanks synapsevampire, I already found this link before posting my question here, but this is not a single sign-on method as stated in the article. We need SSO and impersonation at the same time.
 
What is BO? //shame...
 
BO = Business Objects

AFAIK this feature is only available in XI

Kingfisher [CECP]
 
Hi, lyu
How did you set up Windows AD integration and single sign-on with CE10?

I followed all the steps exactly as per the documentation, but it is still not working for me.
 
lyu, you can do as turkbear suggests and pass the AD login name from CE10 instead of picking up from sql server. I am guessing you have a table of the user login names that you link in the Views or stored procedures probably equaling suser_sname(). See thread782-1053304 for a little more explanation for an alternate way passing the AD login name in the Report.
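
The approach suggested in the replies above (pass the user's AD login to the stored procedure instead of relying on suser_sname()), sketched in T-SQL as an added example that is not code from any poster in this thread. The table, procedure and column names and the CE service login `CORP\svc_ce` are hypothetical; the procedure accepts the passed-in name only when the connection really is the CE service account and otherwise filters by the caller's own login, so desktop use keeps working and no other login can claim a different identity.

```sql
-- Added example. All object names and logins are hypothetical.
CREATE TABLE dbo.ReportUserScope (
    AdLogin  sysname NOT NULL,   -- e.g. N'CORP\jsmith' (constructed sample value)
    RegionId int     NOT NULL,
    CONSTRAINT PK_ReportUserScope PRIMARY KEY (AdLogin, RegionId)
);
CREATE TABLE dbo.Sales (
    SaleId   int   NOT NULL PRIMARY KEY,
    RegionId int   NOT NULL,
    Amount   money NOT NULL
);
GO

CREATE PROCEDURE dbo.rpt_SalesByUser
    @AdLogin sysname = NULL      -- AD login supplied by the report when run through CE
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @Caller    sysname;
    DECLARE @Effective sysname;
    SET @Caller = SUSER_SNAME(); -- the login that actually opened the connection

    -- Trust the asserted name only when the caller is the CE service account.
    -- Any other caller is filtered by its own login, exactly as before.
    IF @Caller = N'CORP\svc_ce' AND @AdLogin IS NOT NULL
        SET @Effective = @AdLogin;
    ELSE
        SET @Effective = @Caller;

    SELECT s.SaleId, s.RegionId, s.Amount
    FROM dbo.Sales AS s
    JOIN dbo.ReportUserScope AS u
      ON u.RegionId = s.RegionId
    WHERE u.AdLogin = @Effective; -- no scope row for the name means no rows returned
END
GO

-- Constructed sample data and calls
INSERT INTO dbo.ReportUserScope (AdLogin, RegionId) VALUES (N'CORP\jsmith', 1);
INSERT INTO dbo.Sales (SaleId, RegionId, Amount) VALUES (100, 1, 250.00);
INSERT INTO dbo.Sales (SaleId, RegionId, Amount) VALUES (101, 2, 400.00);

-- Connected as CORP\svc_ce: returns only sale 100
EXEC dbo.rpt_SalesByUser @AdLogin = N'CORP\jsmith';
-- Connected as any other login: @AdLogin is ignored, the caller's own scope applies
EXEC dbo.rpt_SalesByUser @AdLogin = N'CORP\jsmith';
```

With this design the database trusts the CE service account to state who the user is, so the value must come from the CE-authenticated logon and not from a parameter prompt the viewer can edit. How the report fills in that value is outside this example.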
 