WCF webservices access to Analysis Services (SSAS)

I have WCF WebService which is accessing cube data using AdomdConnection. Service is hosted inside Sharepoint Server 2010.

I also have ASCX webservice which calls WCF service and is called from client (using javascript). Everything works fine, but there is an issue with authentication. Both services (ASCX & WCF) are hosted inside Sharepoint.

I get an exception from WCF service while accessing cube data:

Either the user, NT AUTHORITY\IUSR, does not have access to the GMS1106 database, or the database does not exist.

This is how I'm calling the WCF webservice from asmx:

var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
var endpoint = new EndpointAddress(SPContext.Current.Web.Url + GmsConfigurationReader.Current.GetParameter("OlapWebserviceEnpoint"));
var channelFactory = new ChannelFactory<IDataAccessService>(binding, endpoint);
channelFactory.Credentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.I开发者_如何学Pythonmpersonation;
channelFactory.Credentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
var client = channelFactory.CreateChannel();
hyperlink = client.GetFacilityHyperlink("Quarter 2 2011", "Center/Eastern Europe", "Cracow", "Machine Time Utilization");

Sharepoint appool runs using Identity that have permissions to cube.

To sum up:

• This is how I access WCF service: JavaScript (client) -> ASCX -> WCF -> CUBE - and there is no problem (everything is hosted inside Sharepoint 2010)
• WCF for some reason uses built in account instead of user credentials

I've checked, and if I grant NT AUTHORITY\IUSR permissions to cube, everything works fine, but I don't really want to do this.

It sounds like it has to do with IIS. Two options that might work are,

Turn anonymous authentication off and turn windows authentication on (this would only work with kerberose, unless the webservice is deployed on the same box as SSAS, and the user would have to have access to the cube).

Turn anonymous authentication off and turn impersonation on. This will only work if the apppool has access to the cube.