In SQL 2005 Reporting services we were able to spoof a user when calling a report. This doesn't seem to work in 2008 and the technet articles that appear relevant seem to be implying that you need to create a seperate security extension( Technet Article )if you're wanting to expose reports to the internet. Is this what people are using in production? Or is this simpler than I'm makint it out to be?
Not sure what you mean by "spoof a user".
Every version of SSRS to date has used Windows Authentication as the default (and in fact the only "out of the box") authentication scheme. If you wanted to do Forms Authentication you have always had to write your own Custom Authentication Module.
I have done both in Production environments depending on the situation, and their sample is a very good place to start building your own custom auth module
Simple Solution
in the rsreportserver.config add in the the Windows Basic Authentication:
Install apache >= 2.2 in the same machine (use other port than 80 for ReportServer) or on a other machine
activate mod_prox_http
Create a Browser User for Reporting service (for example "reportusr" with password "this#yourMachinepassw0rd")
define in http.conf
ProxyPass http:///ReportServer
ProxyPassReverse http:///ReportServer
AuthBasicFake reportusr this#yourMachinepassw0rd
Order deny allow
Allow from all
Now you can access the reportserver and all Reports over the apache Webserver with no authentication, because always the AuthBasicFake user connects to the reportServer with BasicAuthentication
Related
Let me first describe the actual situation: We want to build a new SQL Server enviroment based on SQL Server 2016. AS you may know, in SQL Server 2016 the mobile reports from Datazen are integrated. So far so good. The Problem: In our current Enviroment, there is one internal Datazen Server and one external server. The external Datazen server exists only to read data from the internal one. So there is no direct Data Access (to Data Sources), the administration part is disabled and only the needed Services (to read from internal server) are installed. We want to build that same archtiecture in SQL Server 2016 Reporting Services. Do you know any way to do that?
I thought the best solution was a second SQL Server with Reporting Services but only read access on the other SQL Server (didn't found any setting like this).
We don't want the internal server to be accessible over the web beacause of security.
interesting question, but not sure i understand correctly ;) what do you mean with "the external datazen Server exists only to read data from the internal one"? How does this configuration look like? Do you have a sale out Deployment where the external Servers hosts "Web Application" and "Share Cache Instance" while internal Server hosts "Data Acquisition" and the same roles as the external Server?
In SSRS you can also Scale out web frontends, but all Servers will act as "data acquisition server" to stay in datazen terminology. Do you have security concerns with this topology? Whats the difference to have the data "read only" in DMZ or connect from DMZ/external Server to internal datasources? One Option would be to do a secure Application Publishing of internal SSRS Server with a Firewall like Microsoft ISA Server
I'm trying to configure Reporting Services on a dev server so we can use it for development, but it is not working out for me. When I try to access the Reports page, I get the following error:
User 'ServerName/UserName' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
I'm not sure what I need to do to fix this, does Reporting Services need a virtual directory? If so, does anybody have a link on how to configure it? When I created the ReportingServices database, it made me a dbo by default, I'm a sysadmin on sql Server, so the permissions should be good.
I'm running sql server 2008 R2
I figured this out by going to the report manager on the server hosting reporting services by using the link http://localhost/reports. Once I was there then I clicked on home and configured the permissions.
Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
If you are running IE on the server on which you installed SSRS, make sure that you right click and run IE as administrator.
Have you tried this from other machines? IF you are getting the same results from multiple machines, then go through the steps in Start -> All Programs -> Microsoft SQL Server 2008 R2 -> Configuration Tools -> Reporting Services Configuration Manager. Here you can reset most of the basic SSRS configuration.
You don't need a virtual directory: SSRS no longer uses IIS: it is built directly on http.sys.
I have few ssrs 2008 reports.I have created group of users and gave all required permissions to that group.
Now when I am running those reports I am getting strange error.
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
I don't know from where it came.
I got suggestion that its a issue related to Kerberos authentication. Please some one knows how to solve this let me know.
Or some one knows to solve this kerberos issue also tell me in steps if possible.
Thanks
Vik
Are your reports using pass-through integrated authentication, defined user integrated authentication, or sql user authentication? I suspect the first, in which case you're dealing with the difference between impersonation and delegation.
When connecting to a web server using integrated authentication, behind the scenes you are actually using NTLM or Kerberos. Both allow the process running your web server to act as you. NTLM's impersonation via security token prevents the server from connecting to yet another server as you (that is, to the DB server) and there acting as you again—this is the "double-hop" problem. Kerberos instead uses delegation, passing a ticket around that each server can check for validity and allow.
To get Kerberos working there are several requirements.
If you're connecting to the web server using a name other than its main DNS name (using as an alias) you have to register the alias as valid for the machine with SetSPN. You can have problems with the SPN (Service Principal Name) even without this. Check the SPN on your servers carefully to see if it matches what you expect.
The server you initially connect to must be "trusted for delegation" in your domain policy.
The user that your web server is running under must be "trusted for delegation" as well.
You can work around all this stuff by just making your reports have stored credentials of some sort rather than using pass-through authentication.
The difference between dev and test could be the IIS user, or the data source.
Now, I am assuming here that you're not using SharePoint and are just doing a normal SSRS web install. So if that is not correct please say so.
I have a SQL 2008 developer edition with SSRS and the report manager is only available from the local machine. If I try to access it from any other machine I get challenged for my domain u/name and pwd 3 times and then the screen stays blank.
I have made changes to some config files (originals copied out) in order to get a 3rd party application to run but that is now uninstalled and the config files are all back to vanilla (originals copied back in)
I feel its something to do with authentication but am stuck ...
any suggestions welcomed
Jonathan
I have just stumbled on the answer.
I changed the Report Server Service Account to use the built-in Local System account and its all accessible from remote browsers.
Anyone any ideas why?
You may need to change the SSRS Configuration (through the GUI) (Start - Microsoft SQL Server 2008 - Configuration Tools - Reporting Services Configuration Manager) and set it to allow connections from outside the box it is on.
Also don't forget that it's using domain credentials / local machine credentials, so if you're not on a domain, you'll have to provide credentials to log onto that machine (i.e. MACHINE1 where SSRS is installed, from MACHINE2, log on with MACHINE1\username and password for MACHINE1).
Or you may need to open up your SQL Server instance to permit connections from other boxes.
How do I configure SSRS/Windows Server 2003, so that I can setup email delivery via a remote SMTP server that requires username and password.
I can configure SSRS with an SMTP address and other parameters, but nowhere is it possible to configure it with smtp username and password.
I have hunted around, but can only find vague reference to setting up some sort of relay, to cover up the bizarre lack of smtp functionality that SSRS has out of the box.
Any ideas?
Here are the steps to set this up using only Microsoft SSRS/Windows Server 2003 components.
1) Install SMTP server in Add/Remove programs / App Server / IIS
In IIS Manager:
2) add the domain (as a remote type) you will be sending as such as yourwebsite.com
3) Under Default SMTP Virtual Server properties / delivery tab / advaced button, add your remote smtp server in the smart host field.
4) Under Default SMTP Virtual Server properties / delivery tab / Outbound security button, choose Basic Authentication, user name = SMTP user name, password = SMTP password
In the rsreportserver.config file (sql drive:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer):
5) Populate <SMTPServer>x.x.x.x</SMTPServer> with the IP of the machine where you just setup the SMTP server.
6) Populate <From>you#yourwebserver.com</From>
7) Change this one to false <SendEmailToUserAlias>False</SendEmailToUserAlias>
8) Lastly, make sure you setup the domain as a permitted host such as this:
<PermittedHosts> <HostName>yourwebsite.com</HostName></PermittedHosts>
As far as why SMTP basic authenication isn't supported directly in SSRS seems to be by design. The best explaination I could find was here on this MSDN forum:
As one poster here mentions, there is a Microsoft Connect ticket open for people who are requesting this functionality.
For sure you have already solved this issue, but let me put here an additional information so others that have this same problem, like me, can solve it by following this how to that Tom Willwerth post.
To solve this issue of SMTP relay just follow the steps above, but be sure to do an additional step, that can be called:
4-a) On Access tab, choose Relay and select "All except the below" on Select which computer may relay through this virtual server:
This will allow all connections to send through this smtp, but be aware that the smtp server will relay anyone who connects to it. If you want to restrict this relay, than you choose "Only the list below" and add the machine you want to relay on.
For more detailed information on this, you can see the source where i found this information on:
http://businessintelligencechronicles.blogspot.com/2010/08/configure-reporting-services-to-use.html
And another thing, the step 8) isn't necessary .
Hope it can be helpful to others and thank you for the information, it helps and now i think one can solve this issue just by following this steps on this link.
Regards
Ps: sorry for the mistakes
This might help you a little: C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\rsreportserver.config contains all of the configurations settings in the . I don't see exactly what you want so you'll probably have to perform some relay tricks.