A question that came up and there is no definitive documentation at Microsoft.
When you run Report Server Config manager and set the service account, ie a Domain account.
the process adds the account to the needed DB's and Role, but leaves the default account as master.
Should it be changed to the ReportServer database?
Related
I've got an ssrs report server setup and the data sources are set to use the user's windows login. However when I try to setup a subscription it says it can't because the credentials aren't stored in the data source. Is there no way to have a subscription that uses a generic account but when run interactively it uses Windows username
I use a database account for running all of the reports. You'll have to set this up in each database. Then I have report folder permissions associated to Active Directory groups. I also use a domain service account for deploying the reports and setting up the subscriptions. That way if a member of the BI team leaves the company and their account is deactivated the subscription will still run.
Data Source Example:
Q1: why would I want to have an Unattended Execution Account?
Q2: if I don't use an Unattended Execution Account, which account is used to run the reports?
Q3: if i get the following error message when running a report:
"The report server has encountered a configuration error. Logon failed for the unattended execution account. (rsServerConfigurationError) Log on failed. Ensure the user name and password are correct. (rsLogonFailed) Logon failure: unknown user name or bad password".
I understand that the Unattended Execution Account user name and/or password is wrong. But, where is that user name and password used? I mean, should the Unattended Execution Account be added in SQL Server or is the user name and password stored in the report? Even if a change the user name and password in SSRS Configuration Tool, the report doesn't run. So, the old account information seem to be stored somewhere?
I've been googling around but I don't get the big picture.
Thanks!
The MSDN article has pretty detailed information about this.
From that the answers to your questions are:
Q1: You should set the Unattended Execution Account if you don't want to set credentials for data sources and want the data source to work even when users are not able to enter their credentials (subscriptions or other scheduled executions.)
From the linked MSDN article:
The unattended report processing account is used primarily to connect
to external servers, and not as a login to database servers. If you
want to use the account credentials to log in to a database, you must
specify credentials in the connection string. You can specify
Integrated Security=SSPI if the database server supports Windows
integrated security and the account used for unattended report
processing has permission to read the database.
Most SSRS installations do not need the Unattended Execution Account. They use the "Credentials stored securely in the report server" option in the data sources.
Q2: I'm not sure what "run the reports" means, but the SSRS Service account is always responsible for the rendering and delivery of the reports, whether an Unattended Exec Account is set or not. The connections to the data sources will use the credentials specified in the data source. Unattended Exec Account will only be used if the data source is set to "Credentials are not required."
Q3: This account may not be used at all, but SSRS still checks the credentials with the domain. If none of your data sources are set to "Credentials are not required" then I recommend you remove the account from the SSRS configuration.
Your questions are probably answered by this MSDN article. For Q1 "Why?":
Send connection requests over the network for reports that use database authentication...
Retrieve external image files that are used in report...
On question 2: the Unattended Execution Account doesn't determine who runs the report. It just determines the above two things. The report is executed by the Report Server, and that process is running under its own account you configured.
On question 3: see the "How Account Information is Stored" section in the linked question. I'm not sure why a change in the Config Tool wouldn't be immediately effective, you may have to debug that seperately (try to restart things once or twice, etc). If you can't figure that one out be sure to start a new SO question with the details on your situation.
I'm installing Windows Server AppFabric in a Windows 2008 R2 SP1 that is part of my domain. On the Configure Hosting Service, I would like to configure each AppFabric service on a separate Domain account. I've created the 3 necessary databases on a separate database server that is also part of my domain, and 3 domain users, and I've given each domain user db_owner privilege on it's respective database.
When I'm installing Windows Server AppFabric, and I try to set the monitoring configuration, and on the AppFabric Event Collection service account, I'm trying to use the domain user, but it keeps giving me Logon Failure: Unknown username or bad password, but the user and password are valid! On the same server, if I do a runas with the same domain user and password, I open any application I want.
Is there a restriction on using domain accounts for this? I've placed all 3 accounts as local admin and on AS_Administrators, to see if it helped, but it's no good.
After a LOT of troubleshooting, I found out how to configure it. Before the Windows Server AppFabric Configuration Wizard is opened, go to the Services, and configure the 3 services (AppFabricCachingService, AppFabricEventCollectionService and AppFabricWorkflowManagementService) with the domain users you want. Then, you open the Wizard, and the correct domain users will already be configured, and all you need to do is configure the database.
The post https://stackoverflow.com/questions/4733348/configuring-appfabric-with-remote-database also helped, along with the article http://msdn.microsoft.com/en-us/library/ff637739.aspx
I have a SQL 2008 developer edition with SSRS and the report manager is only available from the local machine. If I try to access it from any other machine I get challenged for my domain u/name and pwd 3 times and then the screen stays blank.
I have made changes to some config files (originals copied out) in order to get a 3rd party application to run but that is now uninstalled and the config files are all back to vanilla (originals copied back in)
I feel its something to do with authentication but am stuck ...
any suggestions welcomed
Jonathan
I have just stumbled on the answer.
I changed the Report Server Service Account to use the built-in Local System account and its all accessible from remote browsers.
Anyone any ideas why?
You may need to change the SSRS Configuration (through the GUI) (Start - Microsoft SQL Server 2008 - Configuration Tools - Reporting Services Configuration Manager) and set it to allow connections from outside the box it is on.
Also don't forget that it's using domain credentials / local machine credentials, so if you're not on a domain, you'll have to provide credentials to log onto that machine (i.e. MACHINE1 where SSRS is installed, from MACHINE2, log on with MACHINE1\username and password for MACHINE1).
Or you may need to open up your SQL Server instance to permit connections from other boxes.
I have a problem about the credential in reporting service..
When I choose option windows authentication for a report in SQL Server Reporting Services, only the administrator can view the report. The other users can't view the report. But when I set credential stored securely in the report server and enter the username and password, all users can view the report but some data of the report is not showing.
For your information, I have created the user in SQL Server and I have set the role and user mapping.
What should i do?
Based off of what you are saying I would guess that you have not added the users windows credentials to the proper group on the reporting server. The admin would have access as by default that role is already given permission in the proper groups.
Here is an article from Microsoft that explains this process.
http://msdn.microsoft.com/en-us/library/aa274425%28SQL.80%29.aspx
This is a good article on setting up role based security.
http://odetocode.com/articles/215.aspx
If I understand your question properly, you want to use your end-users' windows credentials from end-to-end with your reports. You do not want to specify a specify set of windows or SQL credentials to connect to your data source, you want to use the end users' credentials instead.
In order to accomplish this, you will need to grant the end-users rights to access your reports in SSRS as well as granting them rights to run the needed SQL on the underlying database.
Finally, if your SSRS instance is not running on the same server as your database, you may run into security delegation issues. You can read more about this topic by visiting http://support.microsoft.com/default.aspx?scid=kb;en-us;810572