Enabling SSRS in SharePoint Integrated mode using Kerberos
As with any production environment, the next exercise (after configuring SSRS in SharePoint Integrated mode using NTLM) was to get it configured using Kerberos.
Listed below are the steps required to accomplish SSRS configured for SharePoint integration mode to use Kerberos authentication.
Note: These instructions are specific to enabling Kerberos for SSRS integration only. It is assumed that Kerberos is already enabled for SharePoint farm. Also it is assumed that SSRS has SharePoint installed configured as a WFE. On exact steps to configuring Reporting Services for SharePoint integration please review http://technet.microsoft.com/en-us/library/bb326356.aspx link.
Server Farm Configuration used
- 2 WFE
- SSRS server
- Index server
- SQL Server Cluster
Listed below are the steps taken to accomplished enabling SSRS for Kerberos authentication.
- Create the listed below SPN
- Create SPN's
setspn.exe –A HTTP/FQDN_of_SSRS_Server domain\RS_Service_Login
setspn.exe –A HTTP/NetBios_Name_of_SSRS_Server domain\RS_Service_Login
- Enable Trust for Delegation
In addition to setting the SPNs for each of your service accounts, you also need to trust each of the computer accounts and some of the service accounts for delegation. Trusting for delegation means that the accounts are allowed to delegate on a user's behalf.
In order to trust for delegation you need to open Active Directory Users and Computers as a user with domain administration rights and follow these instructions
- Repeat for each of the following
- SSRS Application Pool: domain\RS_Service_Login
- Locate the account and click 'properties'
- Navigate to the 'Delegation' tab
- Choose 'Trust this user/computer for delegation to any service (Kerberos)'
- Within Central Admin, ensure that the SharePoint Central Administration site is set to use Kerberos authentication
- Ensure client browser is set for integrated windows authentication (http://technet.microsoft.com/en-us/library/cc779070.aspx)
- Ensure that on SSRS server the web site used for SSRS is set to enable to use Kerberos authentication. This can be verified using adsutil.vbs script. Note: For SSRS 2008, extra steps need to be performed as noted in http://msdn.microsoft.com/en-us/library/cc281253.aspx
- Within Central Admin, "Reporting Services" section, click on "Manage integration settings" and enter appropriate URL. Please ensure "Authentication Mode" is set to "Windows Authentication"
- Click on "Grant database access", enter appropriate information and click ok
- Click on "Set server defaults". This is the test. If everything is configured properly, then you will be taken to the next screen. If configuration is incorrect, you may encounter "Verify that the report server is available and configured for SharePoint integrated mode". If this is the case, go back and ensure all the steps listed above are executed correctly.
Note: once you implement Kerberos everyone looking at the reports has to be on the same or trusted domain'ed machine and no one will be able to switch users using the log in as function and still view reports. If this is the case then SSRS will give 401 in both cases.
For getting SSRS to work in NTLM, review below blog post on how to avoid using Kerberos with a multi machine setup of ssrs http://blogs.msdn.com/feldman/archive/2007/11/18/quick-guide-on-how-to-install-reporting-services-on-its-own-server-cluster-in-sharepoint-integration-mode-without-using-kerberos.aspx