<![CDATA[Dundas Support Zone - Using Windows Impersonation]]>http://support.dundas.com/Dashboard5.WindowsImpersonation.ashxWed, 17 Jun 2020 19:16:04 GMTScrewTurn Wiki RSS Feed Generator<![CDATA[Using Windows Impersonation]]>http://support.dundas.com/Dashboard5.WindowsImpersonation.ashxDocumentation | Installing and Administering Dundas Dashboard


By default, when Dundas Dashboard queries for data through a data connector, it does so using the Windows credentials of the user (account) that is running IIS. But often, this user may not have sufficient privileges to access your databases, which results in permission errors when performing operations such as previewing a data structure using the data connector.

The above problem can be resolved by using the Connect As option at the data connector stage, which allows you to hardcode the Windows credentials (⪚ your own) to use in place of the IIS account.

There is also another option available called Windows Impersonation. If this option is enabled, queries for data will be executed using the Windows credentials of the person who is using Dundas Dashboard on the client computer. The primary purpose of Windows Impersonation is to allow you to set up your virtual tables, KPIs and dashboards so that your end-users see only the data that is applicable to them when viewing a dashboard.

Note: Connect As settings take precedence over Windows Impersonation (⪚ Connect As credentials, if present, will always be used in place of the end-user's Windows credentials when accessing data).

Enabling Windows Impersonation

The Windows Impersonation option is controlled via a key in the Dundas Dashboard Configuration File.

To turn on Windows Impersonation:

  1. Locate the UseWindowsImpersonation key in the Dundas Dashboard Configuration File. Make sure the key is not commented out and set its value to True.
  2. Restart the Dundas Dashboard website.

Tip: Windows Impersonation is typically used in conjunction with Windows Authentication, which is controlled via another configuration file key, authenticationMode. See this article for more details: Using Windows Authentication to Access Dundas Dashboard.


Example: SQL Server view

In this scenario, you have a SQL Server database table containing records for all users. The table has an Employee column where the values are Windows user names prefixed with their Windows domain name.

The SalaryData table.

The SalaryData table.

Additionally, there is a database view that filters the records based on the value returned by the SYSTEM_USER function in SQL. If a user is logged into SQL Server via Windows Authentication, this function returns the Windows login identification name with the format: DOMAIN\user_login_name.

A database view that filters records based on SYSTEM_USER.

A database view that filters records based on SYSTEM_USER.

To access the filtered data from Dundas Dashboard, follow these steps:

  1. Make sure Windows Impersonation is turned on via the configuration file as shown in the previous section.
  2. Create a new data connector for your SQL Server database without using the Connect As option but with Windows Integrated security.
  3. Create a new virtual table based on the database view.
  4. Preview the virtual table and verify that it returns records filtered according to your Windows identity.

You can now design KPIs and dashboards based on this virtual table which returns data filtered according to the Windows user.


Important notes to consider when Windows Impersonation is enabled in Dundas Dashboard:

  • If you have multiple users working with the same data connector, each user may see different results when performing a discovery of data structures using the data connector. This can happen if the users have different access rights for the underlying database. For example, in the case of a SSAS data connector, one user may have access to one set of SSAS cubes whereas another user has access to a completely different set of cubes. Although this discovery behavior is entirely expected, it is important to note that when a user opens an existing data connector from the Design Explorer, the list of data structures (⪚ tables, cubes) shown is the static list which was most recently discovered, and not necessarily the list of structures immediately accessible to that user. For example, the list of data structures may have been discovered by another user who is working with the same data connector but has different access rights to the underlying database.
  • When Dundas Dashboard queries for your business data, and non-descriptive errors (such as those indicating that Anonymous users don't have access) occur, this may be the result of a “double-hop” scenario. Possible solutions in this case are:
    • Make sure your business database and Dundas Dashboard are installed on the same server.
    • Or, install and configure Kerberos.


There are limitations to be aware of when using Windows Impersonation in Dundas Dashboard:

  • All users accessing Dundas Dashboard will need to have a Windows identity (⪚ account).
  • Connection to SSAS will fail if you are using the SSAS Impersonation (&ie; Connect using Dashboard Groups) option and Windows Impersonation is enabled. To work-around this, do one of the following:
    • Ensure that your Windows users are added as members of an appropriate SSAS role.
    • Use the Connect As option in the SSAS data connector (which effectively overrides Windows Impersonation).

Additionally, various functionality in Dundas Dashboard involving scheduling or unattended operation will not work when Windows Impersonation is in effect (because there is no Dundas Dashboard user to impersonate):

Note: In Dundas Dashboard 5.0.2 Revision 2 or later, existing link-only scheduled reports will be delivered even when Windows Impersonation is enabled.

Related topics

Click to return to: Documentation | Installing and Administering Dundas Dashboard

Steve C. (stevec@dundas.com)Thu, 27 Mar 2014 16:22:08 GMT7F8E8D8C61D1C79D0C8D004F9224A78A