docs: Fix runas command and add NTLM auth configuration to check_sql_auth

igorlukanin · igorlukanin · commit 7f27269a1e2a · 2025-07-31T13:48:58.000+02:00
diff --git a/docs/pages/product/auth/methods/ntlm.mdx b/docs/pages/product/auth/methods/ntlm.mdx
@@ -33,10 +33,10 @@ In the following example, Power BI Desktop is launched under the `cube` user:
 
 ```bash
 # Run Power BI Desktop as the `cube` user
-runas /user:cube "C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe"
+runas /netonly /user:cube "C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe"
 
 # Run a specific report in Power BI Desktop as the `cube` user 
-runas /user:cube "C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe \"C:\Users\Administrator\Desktop\Dashboard.pbix\""
+runas /netonly /user:cube "C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe \"C:\Users\Administrator\Desktop\Dashboard.pbix\""
 ```
 
 __This flow should only be used for testing purposes.__ Note that, when Power BI Desktop
diff --git a/docs/pages/product/configuration/reference/config.mdx b/docs/pages/product/configuration/reference/config.mdx
@@ -1256,6 +1256,61 @@ module.exports = {
 Check [this recipe](/product/auth/recipes/sql-api-ldap) for an example of
 using `check_sql_auth` to authenticate requests to the SQL API with LDAP.
 
+You can also check for the protocol and the authentication method as follows. This can
+be useful for handling the [NTLM][ref-ntlm] authentication in the [DAX API][ref-dax-api]
+and the [MDX API][ref-mdx-api]:
+
+<CodeTabs>
+
+```python
+from cube import config
+import os
+
+@config('check_sql_auth')
+def check_sql_auth(req: dict, user_name: str, password: str) -> dict:
+  # Handle NTLM authentication:
+  # - for Power BI `runas` command
+  # - for Power BI gateway
+  if req['protocol'] == 'xmla' and req['method'] == 'ntlm':
+    if (user_name == os.environ.get('CUBEJS_SQL_USER')):
+      return {
+        'password': os.environ.get('CUBEJS_SQL_PASSWORD'),
+        'securityContext': {}
+      }
+    
+    return {
+      'password': os.environ.get('CUBEJS_SQL_PASSWORD'),
+      'securityContext': {}
+    }
+
+  raise Exception('Access denied')
+```
+
+```javascript
+module.exports = {
+  checkSqlAuth: (req, user_name, password) => {
+    // handle ntlm auth scenarios (PBI "runas" command + PBI gateway auth)
+    if (req.protocol === 'xmla' && req.method === 'ntlm') {
+      if (user_name === process.env.CUBEJS_SQL_USER) {
+        return {
+          password: process.env.CUBEJS_SQL_PASSWORD,
+          securityContext: {}
+        }
+      }
+      
+      return {
+        password: process.env.CUBEJS_SQL_PASSWORD,
+        securityContext: {}
+      }
+    }
+
+    throw new Error('Access denied')
+  }
+}
+```
+
+</CodeTabs>
+
 ### `can_switch_sql_user`
 
 Used in the [SQL API][ref-sql-api]. Default implementation depends on
@@ -1484,4 +1539,7 @@ If not defined, Cube will lookup for environment variable
 [ref-dap-roles]: /product/auth/data-access-policies#data-access-roles
 [ref-auth-integration]: /product/auth#authentication-integration
 [ref-ldap-roles-mapping]: /product/workspace/sso#user-roles-mapping
-[ref-ldap-integration]: /product/workspace/sso#ldap-integration
+[ref-ldap-integration]: /product/workspace/sso#ldap-integration
+[ref-dax-api]: /product/apis-integrations/dax-api
+[ref-mdx-api]: /product/apis-integrations/mdx-api
+[ref-ntlm]: /product/auth/methods/ntlm
