Change service credentials for SQL Server Reporting Services

  • Article

Azure DevOps Server 2022 | Azure DevOps Server 2020 | Azure DevOps Server 2019

Azure DevOps Server acts in the security context of a service account when it retrieves project data from the data sources in SQL Server Reporting Services. You can help improve the security of Azure DevOps Server by changing the service account that it uses for the data sources for SQL Server Reporting Services or by changing the password that is used for that account.

Azure DevOps Server documentation refers to this service account by the placeholder TFSReports. The account name depends on your installation. You might need to change the password of that account, or designate a different account. For example, if the password of the underlying account expires, and you assign a new password, you must change the password of the TFSReports account in Azure DevOps Server to match.

Change the password or account used as the TFSReports account by using the TFSConfig command-line utility with the Accounts option.

The TFSConfig utility does not create a new account to use as the data sources account. It doesn't change the account password. Instead, the utility updates Azure DevOps Server to use a different set of credentials.

Important

The TFSConfig utility changes only those services that run under the old account.

You can use the same utility to assign a different account to be the TFSReports account, but you might need to do one or more of the following actions:

  • Before you assign an account to use as the TFSReports account, verify that it is a member of a workgroup or domain that is trusted by every computer in the deployment of Azure DevOps.

  • You must manually grant the account that you use as the TFSReports account the Allow log on locally permission. The TFSConfig utility does not grant this permission when it assigns the account.

    For more information about the Allow log on locally permission, see Allow log on locally.

  • TFSConfig grants Log on as a service permission to the account to use as the TFSReports account. You can optionally revoke this permission. TFSReports does not need this permission, but the TFSService account does. You shouldn't remove this permission if you use the same domain or workgroup account for both service accounts.

    For more information about the Log on as a service permission, see Add the Log on as a service right to an account.

For more information about required service accounts, see Service accounts and dependencies in Azure DevOps Server and also Accounts required for installation of Azure DevOps Server.

Prerequisites

To perform these procedures, you must be a member of the Administrators group on the server where TFSConfig is installed. You must also be a member of the sysadmin group on the server that hosts the configuration database. For more information about permissions, see Permission reference for Azure DevOps Server.

In addition to these permissions, you might need to address the following requirements:

  • To use a command-line procedure, you might need an elevated Command Prompt.
  • To access Report Manager, reports, or websites for SQL Server Reporting Services, you might need to add these sites to the list of trusted sites in Internet Explorer or start Internet Explorer as an administrator.

Use TFSConfig to update credentials

To change the password of the TFSReports account or to assign a different account, sign on to a server that hosts the application services for Azure DevOps and use the TfsConfig Accounts utility.

Note

Depending on your deployment configuration, you might need to restart Internet Information Services (IIS) after you complete this procedure for the changes to take effect.

To change the password using the TFSConfig utility:

  1. Open a Command Prompt window and change to the directory that contains the TFSConfig utility.

    By default, the utility is located in <Drive>:\Program Files\TFS 12.0\Tools>

  2. At the command line, enter this command:

    TFSConfig Accounts /UpdatePassword /accountType:ReportingDatasource /account: <AccountName> /password: <NewPassword>

    Replace <AccountName> with the name of the current TFSReports account. Replace <NewPassword> with the new password of the account.

To use the administration console to change the password:

  1. Open the administration console for Azure DevOps on the server that hosts the application tier.

    For more information, see Configure and manage Azure DevOps Server resources.

  2. In the console, expand the server name and select Application Tier.

  3. In the Application Tier pane, navigate to Reporting Services Summary and select Update Account Password.

    The Update Account Password window opens.

    Note

    If you used a system account as the service account, you'll see an error message when you select Update Account > Password. You don't need to change the password of that account. System accounts do not have user-managed passwords.

  4. Enter the new password in Password, and then select OK.

    The Change Report Reader Account window opens.

  5. Wait for all the status messages to complete in Status, and then select Close.

    Note

    This process might take a few minutes.

To assign a new Reporting Services service account to all Azure DevOps Server services using the TFSConfig utility:

  1. Open a Command Prompt window and change to the directory that contains the TFSConfig utility.

    By default, the utility is located in <Drive>:\Program Files\Microsoft Team Foundation Server 12.0\Tools.

  2. At the command line, run the following command:

    TFSConfig Accounts /change /accountType:ReportingDatasource /account: <NewAccountName> /password: <NewPassword>

    Replace <NewAccountName> with the name of the new TFSReports account. Replace <NewPassword> with the password of the account.

Use the administration console to update credentials

To use the administration console to change the account:

  1. Open the administration console for Azure DevOps on the server that hosts the application tier.

  2. In the console, expand the server name and select Application Tier.

  3. In the Application Tier pane, navigate to Reporting Services Summary, and then select Change Account.

    The Change Report Reader Account window opens.

  4. Choose one of the following steps:

    1. To use a system account, select Use a system account, and then select a system account from the dropdown list.

      Note

      System accounts do not have user-managed passwords. If you select to use a system account as TFSReports, you shouldn't enter a password in the password field.

    2. To use a domain or workgroup account, select Use a user account, enter the name of the account in Account Name, and then enter the password for that account in Password.

  5. Select OK.

    The Change Report Reader Account window opens.

  6. Wait for all the status messages to complete in Status, and then select Close.

    Note

    This process might take a few minutes.

Next steps

Get started with permissions, access, and security groups