I'm trying to set up SSRS 2008 on my desktop machine for development purposes.
The following is working fine:
Report deployment on local server
Previewing the report in BIDS
Access to htpp://localhost/Reports panel
But when I point the ASP.NET Reportviewer to the Report URL, I get the following error:
The permissions granted to user 'NT-AUTHORITY\NETWORKSERVICE' are insufficient for performing this operation. (rsAccessDenied)
How can I get around this error? Is there any dialog where I can grant SSRS access rights to certain forms authentication roles? I've googled quite a bit on this, but what I have found so far was either outdated or quite confusing.
Edit: Several users of my web app are going to have access to the same database, so I need the UserID build-in field (User!UserID) to reflect the user's Forms authentication ID. I guess the only way to achieve this is making SSRS work with forms auth?
You web application is running as Network Service so that is the user you are trying to connect to Report Server as. You have several options. One, you can grant Network Service permission to execute the report you are trying to run. Two you can have your web application impersonate a windows user and give the correct users permission to the report. Three you can impersonate impersonate a different user when connecting to RS. I believe to do the last one you will have to write some extension code for the viewer to tell it how to impersonate before connecting, but for the other two there would be no code change.
You could also look into using Report Server in Forms auth mode if your web site is not an internal site, but this is more complicated.
EDIT for 2nd Question:
Yes, you will need each user to be unique when they access RS so you will need to use Forms Auth or windows auth or write your own custom authentication extension.
Related
My company just finish set up a reporting services server 2017.
The service run under a domain name.
At the same server, an IIS has been setup to run a web application in ASP.NET which will server the report from a report viewer. The IIS is currently running with default App Pool.
GOAL : We want client to be able to access the report from the web application without having to fill in the username and password from anywhere be it on intranet or internet.
Before this, we have ssrs 2008 with similar setup but for authentication we go with anonymous authentication, which is what we want, they can view report from anywhere.
But from microsoft site, they stated that authentication isn't supported anymore in the latest version, and we have tried doing it which results in error 401: Unauthorized.
Currently, I'm trying to do a kerberos authentication,
Things that I have done :
SPN for reporting services account.
Delegation for reporting services account.
Web application web.config I've added authentication mode="Windows" identity impersonate="true"
On IIS, I've enabled windows authentication and impersonate.
But when I try to request a report from the web application, I still got the prompt for username and password, when I fill in my domain and password, I still got the same error 401: Unauthorized.
Am I doing something wrong? Is Kerberos really suitable for my GOAL?
Thanks in advance.
EDIT : Sorry, If I am posting in the wrong section. I don't know where is the correct section for this question.
When you are planning to deploy the reporting service on the internet its batter to use the custom authentication instead of the windows authentication. Creating a custom authentication extension requires custom code and expertise in ASP.NET security.
If you do not want to code a custom authentication extension, you can use Microsoft Active Directory groups and accounts, but you should greatly reduce the scope of a report server deployment. The following guidelines describe how to support this scenario:
Create a low-privileged domain user account with read-only permissions. The account must have access to the computer hosting the report server. Provide a custom Web form so that users can log on using the low-privileged domain account.
Create role assignments that map the user account to specific items in the report server folder hierarchy. You can limit access to read-only operations by choosing as the role assignment the Browser predefined role.
Configure reports to use stored credentials to get data for the report. This approach is useful if you want to query the external data source using an account that is different from the account that allows access to the report server.
you could refer to the below links for more detail:
https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2005/bb283249(v=sql.90)?redirectedfrom=MSDN#configuring-authentication-for-extranet-and-internet-access
https://learn.microsoft.com/en-us/sql/reporting-services/security/authentication-with-the-report-server?view=sql-server-ver15
https://forums.asp.net/t/2095478.aspx?401+Unauthorized+SSRS+authentication+from+NET+IIS
https://forums.asp.net/t/1273411.aspx?Setting+up+Reporting+Services+with+IIS+Access+Denied+Error
I work for a large company with an intranet and Windows AD logins for everyone. We have a number of internal SQL Server databases which allow us to log in using Windows authentication, one of which I'm trying to connect to through an ASP.NET Core application. I can connect to this database through SQL Server Management Studio and query the tables fine.
I've followed the tutorial for an ASP.NET Core app using an existing database as closely as I possibly could, and created a single model class to test with to see if I could read data from the database. When debugging with IIS Express in Visual Studio, I can read data from the database when accessing the auto-generated controller and views.
Everything seems fine when debugging, but when publishing to IIS, I receive the following error:
SqlException: Login failed for user '<DOMAIN>\<COMPUTERNAME>$'.
Where domain is my domain and computername is my computer's name. This is expected, since my computer itself doesn't have access to the database. But it shouldn't be trying to connect using that system account (with the dollar sign), it should be trying to connect with my windows account: <DOMAIN>\<USERNAME>.
What's weirder, the app does seem to recognize my Windows credentials in some capacity - when I access the home page, I get the familiar "Hello, <DOMAIN>\<USERNAME>!" message in the nav bar. So the Windows credentials are definitely getting passed through to the app, but for some reason not getting passed through when trying to connect to the database through DbContext.
Am I missing something obvious here?
My Code
I started with Visual Studio's ASP.NET Core Web Application template.
In launchSettings.json, I have:
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": false,
"iisExpress": {
"applicationUrl": "http://localhost:60686",
"sslPort": 44336
}
},
In appsettings.json, I have:
"ConnectionStrings": {
"MyDB": "Server=<servername>;Database=<dbname>;Trusted_Connection=True;"
},
In Startup.cs, I have the following line in ConfigureServices
services.AddDbContext<MyContext>(options => {
options.UseSqlServer(Configuration.GetConnectionString("MyDB"));
});
And from there, I have scaffolded an MVC controller with views using Entity Framework.
IIS has Windows authentication set to Yes and anonymous authentication set to No. My application pool is set to No Managed Code with ApplicationPoolIdentity.
Edit: The problem
To state the actual problem I'm trying to solve, I have a SQL Server database on a remote intranet server which allows access to a subset of the whole company via Windows authentication. If I want to create an ASP.NET application to provide an API to that database, hosted by IIS, what's the best way to do this? Assuming:
I don't want to have to manage permissions myself or have to duplicate them in some way
The people who have access to the database directly should have access to the API, the people who don't should not.
If they're accessing it from within the intranet while logged in to Windows, they shouldn't have to log in again.
I assumed I could just pass their windows credentials from IIS through the app to SQL server but I'm starting to wonder if that's actually the case.
After learning more about .NET and what Windows auth actually does on IIS, I'm going to say that what I was trying to do is not recommended. There is a difference between passing windows credentials to a .NET app in order to read from them, vs. actually executing a secondary process as that user. The latter case is what I was trying to do, but instead should set up my app pool in IIS with a user who can log in to the database, and use the windows credentials to verify against the list of users who have access.
You are using Entity-Framework for SqlServer and EF is using ADO.NET SqlClient. Therefore Trusted_Connection=yes; does not work.
Add Integrated Security=true; instead and it should be fixed.
Here some resources to read about it
https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-string-syntax
Not to dig up an old thread, but this is a function that should work as long as Identity Impersonate = True is set. Here's some stuff being worked on.
GitHub Doc
I'll add my answer because this is how I fixed this issue.
The reason a "$"-sign is added to the login name/user must have something to do with the IIS that the application is being hosted on.
I'm not an expert on any of this, so I can't really go in-depth, but I've added the IIS user to the Logins and then it works.
USE [master]
GO
CREATE LOGIN [IIS APPPOOL\'name'] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [securityadmin] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [serveradmin] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [setupadmin] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [processadmin] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [diskadmin] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [dbcreator] ADD MEMBER [IIS APPPOOL\'name']
GO
ALTER SERVER ROLE [bulkadmin] ADD MEMBER [IIS APPPOOL\'name']
GO
You have to change 'name' to your IIS hosted application name. So for example if you app/site's name in ISS is "My-Backend-App" you should do:
CREATE LOGIN [IIS APPPOOL\My-Backend-App] FROM WINDOWS ...
So all the names should be "My-Backend-App".
When adding this user to the logins, my backend application could access & create the DB, create tables, access data etc...
SIDENOTE: I've used the Windows Event logger to find out this was my issue. My application just crashed, said a "500.30" error but no real information given.
You can access the "Event Viewer" application from Windows Search. Then you can go to "Applications" and there are all application errors/crashes that occured on your machine, and in this case also the reason why. It said it couldn't find user "myUser$" while trying to login to SQL, but the Windows Authentication user was "myUser". So for some reason it added a "$"-sign and couldn't log in. My fix above fixes this issue and you can login etc.
I have deployed some reports and my users wish to do away with the logon prompt when getting to the reports manager homepage.
I have an account which is local to the server and I want to run all of the SSRS site under the context of that account. This account is a "browser" in the reports site.
Prior to 2008, when SSRS site was still listed in IIS you could disable anonymous authentication and provide an account. All requests to the reports site would go in under that account which was configured with readonly access. It worked quite well this way. The only downside was that it made publishing new reports or doing updates a bit more difficult.
How do I accomplish this same thing using reporting services configuration tool? The service account and the execution account don't provide this functionality when I configured them.
Individually setting up users for access to the reports site is a maintenance sinkhole and my server is on someone else's domain so I don't have access to info like usernames and being able to create groups.
Also, I tried the "anonymous access for 2012 reporting services" steps and while this takes care of the logon prompt issue for me it also makes it to where users can delete data sources and reports entirely.
If you are using Windows authentication then you will need two accounts on the local server to satisfy your needs. One would be a "ReportUser" account and one would be a "ReportAdmin" account.
If you can provision or use two existing windows accounts for those roles then use SSRS manager to set the "ReportUser" as a browser user and "ReportAdmin" as an admin user in SSRS manager. Always deploy using the "ReportAdmin" user. The "ReportAdmin" could be the admin account for that box. You could deploy with that account.
Since you did not link the article you used to configure anon access I have no idea how your "ReportUser" is connecting.
This particular customer wanted no login prompts at all and agreed to pay support costs for re-deploying any reports which their workers may delete by accident.
To comply with their request I used the steps outlined in the "Anonymous access for 2012 reporting services" article referenced above.
Generally I would set up two accounts in the exact manner as Irb described. This is actually the first time that someone has not wanted that setup 0.o
I have written application in which I have used SSRS and Lightswitch. Lighswitch application is used for data entry portion for the user. And SSRS is used for generating reports and graphs from the data entered through Lightswitch App.
I have configured basic authentication on SSRS side and Windows authentication on Lightswitch app. When a user hits the application SSRS reports comes by default. Since I have setup authentication on SSRS side it asks for the user credentials for the first time. Also when user switch to lightswitch app for data entry it again asks for user creds again. So basically user has to enter creds two times which is not good thing as per usability.
So I was wondering if there is any way user only has to login once at the start of the application? Please let me know if it is possible?
Thanks in advance
I would try to use Windows Authentication for SSRS and configure to meet the requirements so no user logins are required by either app. This is more secure, as well as more usable.
My supervisor at the office tells me that he saw a demonstration with a pre-release version of Microsoft "Geneva" (now Windows Identity Foundation) where a developer did the following:
He set up some sort of ASP.net web application where a user could log in using a customized log-on system. Behind the scenes, the web application logs the user in as a user in an Active Directory.
The user logs in.
Once the user is logged in, the the ASP.net web application thread runs as the logged in user for the duration of the user's session and can access resources on the network (such as running SQL queries on tables whose access is controlled Active Directory)
Steps 2) and 3) are exactly the same as using the "Integrated Windows Authentication" setting in the "Directory Security" tab of the web site settings in IIS. Step 1) is different because we are using a custom log-on system as opposed to the Kerberos authentication.
We want to set up one of our applications to operate exactly as described in 1), 2), and 3). However, all the documentation that I've seen regarding Windows Identify Foundation is about Cardspace and Federated Security. We have zero interest in using either of these technologies right now.
We just want to be able to log users in to Active Directory Accounts behind the scenes.
Yes, we've tried the ActiveDirectoryMembershipProvider with Forms Authentication, but it's a complete kludge to actually access resources on the network requiring impersonation on every page!
UPDATE Jan 7, 2010. Okay, I've been working at this for a while, and everything I've managed to come up falls short of what I want to achieve. Perhaps the functionality I want is not in the release version of WIF.
Here's where I'm at now. I've found some documentation on MSDN that indicates that there are three different identities used in ASP.net: the identity specified by HttpContext.Current.User, the identity specified by Thread.CurrentPrincipal, and finally the identity specified by WindowsIdentity.GetCurrent. link
In one example of where I want to use the process I'm looking to design, I want to perform a SQL query as the logged in user. In my debugger, I see that I easily set the HttpContext and Thread users to the logged in user. However, when I connect to the SQL server using Windows Authentication, it always always always connects as the WindowsIdentity.GetCurrent user and that user is always always always the identity of the ASP.net process unless I'm using Windows Authentication with impersonation. I absolutely cannot use Windows Authentication with my application because my users must log in by playing a magic flute song and Windows Authentication has no support for logging in with magic flute songs.
To clarify, there is no trouble with obtaining a WindowsIdentity representing the logged in user (who logged in with a magic flute song). The problem is that I cannot use that WindowsIdentity to perform SQL queries for my user.
WIF allows you to configure it so a claims based identity maps to an AD account, the claim may either be a federated identity claim, or delivered via an information card. c2WTS performs this function.
Even when it does map because of delegation you're always going to have to delegate if you want to use the AD identity IIS is impersonating - that's just how it works, unless you setup Kerberos delegation for IIS
You can achieve the same using Identity Impersonation in ASP.net. Also you need to enable windows integrated authentication for you web app. This will solve the purpose. If the logged in user does not have the required rights to access resources you will get security exceptions which you will have to handle.