If I have an on-premise SSRS instance on the same domain as my Azure AD, can I configure SSRS to connect to Azure SQL and pass through credentials so that I can determine (at the database) who has logged in and is running the report (for row level security)?
In other words, can I connect from SSRS to Azure SQL as you would using SSMS AD universal or integrated authentication to flow credentials?
You can, if you have the following:
SSRS 2016 or later
The Active Directory Authentication Library for SQL Server (ADALSQL) (https://www.microsoft.com/en-us/download/details.aspx?id=48742) installed on the report server
ADFS to federate across on-premises AD and Azure AD
Kerberos Constrained Delegation (KCD) configured from the report server to the ADFS server
Then you can configure the report/data source to authenticate to Azure SQL Database "as the user viewing the report" and the other components should do the rest.
Related
I'm having a hard time figuring out how to connect to an Azure Analysis Services using Azure AAD account with MFA.
I've installed the SSAS latest drivers.
I have Microsoft SQL Server Analysis Services (AdomdClient) as the data source type and I'm able to test the connection (it prompts for Okta MFA)
I'm able to create a dataset and use the query designer.
When previewing the report in VS, it returns this error:
The server did not provide a meaningful reply. This might be caused by a contract mismatch, a premature session shutdown or an internal server error.
If I change the data source to prompt for credentials, I receive this error:
Authentication failed: User ID and password are required when user interface is not available
Visual Studio 2019 16.10. Latest version of SSRS extension (2.6.11). Including power bi tag since it might be relevant too.
We faced a similar issue.
Ensure the user whose credentials you insert within the datasource are excluded from MFA within Azure AD policy.
I'm trying to wrap my head around the SSRS login. Here is my test setup.
SSRS 2016 installed on hostname: Testrs16
ReportServer Database installed on hostname: Server2
I'm launching ReportBuilder on Server2 and trying to connect and login to the report server (see screenshot). What login it typically used in this case? Thanks!
ssrs login
Authentication to your Report Server database is configured via the Report Server Configuration Manager. This will be the same for all users connecting to the Report Server.
Note: This is not the source of your data in your reports, but is where SSRS stores catalog information, user settings, and other internal components
Authentication Types for users connecting to the portal, web api, or soap endpoints are defined in your RSReportServer.config file as either RSWindowsNTLM (default), RSWindowsNegotiate, RSWindowsBasic, or Custom.
Once the user is authenticated (who are they?), then the authorization (what can they do) is defined in the folder management for catalog item security by assigning roles to users or groups.
The other authentication that is required for rendering a report is authenticating to your report's data source. This is defined in either the Report's Data Source or in a Shared Data Source. Either of these can be configured in the data source management page on the portal.
I have installed Microsoft SQL Server Developer Edition in my local machine for my own development use with a Windows Authentication. I have been able to connect to DB Engine, SSAS (Multidimensional Model) Engine, SSIS Engine, SSAS (Tabular Model Engine using another instance).
I was able to connect to SSRS engine (Native Mode) a few weeks earlier. Recently I installed CheckPoint SSL VPN to access our client Remote Desktop. After this installation, whenever I connect to SSRS either using SSMS or Report Server or Report Manager, even though the SSRS Services is running (I have been able to verify from SQL Server Configuration Manager as well as Reporting Services Configuration Manager). I even tried to add the SSRS Report Server link in the SSMS for the SSRS Engine, but still not successful.
I get the following:
TITLE: Connect to Server
Cannot connect to LAPTOPNAME\SQL2012DEV.
ADDITIONAL INFORMATION:
Unable to connect to the server at LAPTOPNAME\SQL2012DEV. The specified URL might not be valid or there might be a problem with the report server version or configuration. Specify a different URL, or contact your
server administrator to verify that the report server runs SQL Server 2008 or later. Additionally, if you are trying to connect to a SharePoint-integrated report server, verify that SharePoint is installed on the server
and that the report server uses SharePoint integrated mode. (Microsoft.SqlServer.Management.UI.RSClient)
BUTTONS:
OK
Could this be due to some permission issues ? I have restarted the SSRS services many times, though it is running, I am not able to connect. Should some Admin privileges be given to my Windows account ? If so, can you guide me how ?
Information from SQL Server Configuration Manager (for SSRS service):
Log on As: NT Service\ReportServer$SQL2012DEV
Information from Reporting Serivces Configuration Manager:
Service Account is built-in: ReportServer$SQL2012DEV
Should I change built-in account to Local Service, Network Service, Local System ?
Open "Reporting Services Configuration Manager" in "Web Service URL" OR "Web Portal URL" tab check your IP and Port access & use the link in URLs to be sure. I think your new application changed this settings.
We are planning to deploy reporting service using Microsoft Reporting Server 2012. As I understand it, there will be three components;
Database (SQL Server)
SSRS (Reporting Server)
IIS (Web front end) - SharePoint (alternate Front end)
In setting up the Proof-of-Concept, the dev installed SSRS and SQL Server on same box (let's call it the DB server) and is redirecting client browser to a URL on DB Server from web front end.
Is it possible to architect the solution so that the web front end is the only destination for client browsers, SSRS lives on its own dedicated server separate from both the Web server and the DB Server?
How will authentication work in this scenario? We are using integrated authentication using Enterprise AD.
Configurations I have used in the past are these:
SQL Server on one server; SSRS native on another server. Users accessed reports via the SSRS Report Manager web UI that comes with SSRS.
SQL Server on one server; SSRS install in SharePoint Hosting mode on another server. Users accessed reports via SharePoint.
I am not 100% sure what you mean by “web front end is the only destination for client browsers”. If you mean that the end user only hits a web server, and not the database server to get reports, then either one of the above will work. If you have an existing intranet site that you want to host reports in, you can do so via web parts, if you are using MS technologies. You will still need SSRS setup somewhere so you can deploy reports, and the web part would read from it. Or, you can continue the redirect to either Report Manager or SharePoint if you go that route.
As far as authentication: the authentication between SSRS and SQL Server is usually done via an AD (Active Directory) user/service account that SSRS runs under, and also has access to the databases is uses on the SQL Server.
The authentication that allows users to browse and execute reports is usually done via AD as well. You can add all users to a central AD group and give that group Browser permissions on the SSRS server. This authentication would still apply if you use web parts to host reports outside of SSRS Report Manager.
The authentication that SSRS uses to pull the data that ends up showing in reports is usually SQL Server authentication, or whatever authentication that your data source supports where you can send a user name and password (which is stored within a shares data source on SSRS).
More Info
I have an SQL Express 2008 R2 instance running under the "Local System" account. I have written a windows service that also runs under the "Local System" account. The windows service uses the following connection string to connect to the sql server.
Data Source=.\sqlexpress;Initial Catalog=mydatabase;Integrated Security=True
When the application is installed I create the database with a simple SQL script which does not set any permissions or roles...it just creates the database and tables.
How does my windows service running as "Local System" manage to access the database? What rights is it getting in the SQL database? How is it getting these rights?
Andrew
If you expand the tree on the left (Object Explorer) in SSMS to Security, then Logins, you will see "NT AUTHORITY\SYSTEM". By default provisioning after installing SQL Server 2008 R2 Express, this account is added to the sysadmin role.
FYI - Your service running as Local System + Integrated Security means it is authenticating with SQL Server as the Windows account NT AUTHORITY\SYSTEM.
http://msdn.microsoft.com/en-us/library/ms188659.aspx
sysadmin
Members of the sysadmin fixed server role can perform any activity in the server.
Some of the rights granted to the Local System account are determined by the roles it has been assigned to.
If you login through Microsoft SQL Server Management Studio, expand Security folder, right click on NT AUTHORITY\SYSTEM, and select Properties, you should be able to see the roles assigned to the Local System user in the Server Roles section.
You can read more about each role at, Server-Level Roles document by Microsoft.
Hope this helps!