Configuring Authentication for Reporting Services
New: 12 December 2006
In Reporting Services, authentication is handled by Internet Information Services (IIS). Reporting Services uses the authentication method that is set at the virtual directory level to authenticate user connections to the report server. In most cases, the authentication type is inherited from the parent Web site, but you can specify a different authentication type on the virtual directory.
Reporting Services works with the following authentication methods in IIS:
- Integrated Windows authentication.
- Basic authentication.
- Anonymous authentication, recommended only for forwarding a logon request to a third-party or custom forms-based authentication provider.
Digest and .NET Passport authentication are not supported in Reporting Services.
If you are developing applications that integrate with Reporting Services, you need to know how calls to the Report Server Web service are authenticated. For more information, see Web Service Authentication.
Default Authentication Settings
By default, the report server and Report Manager virtual directories are configured to use Integrated Windows authentication. Anonymous access is not enabled on the virtual directory. No other authentication methods are selected.
If you are using default security, each user who requires access to a report server must have a valid Windows user account or be a member of a Windows group account. You can include accounts from other domains as long as those domains are trusted. The accounts must have access to the Web server hosting the report server, and must be subsequently assigned to roles in order to gain access to specific report server operations.
The default settings work best if all client and server computers are in the same domain or in a trusted domain, the browser type supports Integrated Windows authentication, and the report server is deployed for intranet access behind a corporate firewall. If you support Internet access to a report server or if you are using Workgroup security, you will most likely need to customize the default settings.
Trusted and single domains are a requirement for passing Windows credentials. Credentials can be passed more than once only if you enable Kerberos version 5 protocol for your servers. If Kerberos is not enabled, credentials can be passed only once before they expire. For more information about configuring credentials for multiple computer connections, see Specifying Credential and Connection Information.
If the Web site that contains the report server virtual directory is configured for Kerberos authentication and you are using a domain user account on the application pool, you might need to create a Service Principal Name (SPN) for the account. For more information, see Configuring Constrained Delegation for Kerberos (IIS 6.0) on the Microsoft TechNet Web site.
Overview of Authentication Types
IIS authenticates a user connection to a report server and to Report Manager. The following list describes the IIS authentication options that you can use.
- Integrated Windows authentication with delegated or impersonated credentials
Connection to the report server uses encrypted domain credentials of the current user. Windows authentication (integrated security) is the default authentication method for the report server and Report Manager virtual directories. Reporting Services Configuration tool and Setup always configure directory security to use this method. If Kerberos authentication is enabled in the domain, the current security ticket can also be used to connect to external data sources that provide data to reports.
Connection to the report server using a previously assigned Windows account user name and password. With Basic authentication, the user name and password are transmitted in clear text. However, you can make the transmission more secure by using Secure Sockets Layer (SSL) to encrypt user account information before it is sent across the network.
SSL provides an encrypted channel for sending a connection request from the client to the report server over an HTTP TCP/IP connection. For more information, see Using SSL to Encrypt Confidential Data on the Microsoft TechNet Web site.
- Anonymous access
Connection to the report server for all users is made under the Windows user account for Anonymous access. In IIS, this is IUSR_<computername> account by default. Users are not prompted for a user name or password. Anonymous access should be used only if you are using a custom security extension. If you are not using custom authentication, avoid using Anonymous access on the report server virtual directory. You will not be able to vary role assignments in a meaningful way. All users will access the report server under the Anonymous user account, and no one will have permission to administer the report server through Report Manager.
Changing Authentication Settings
Reporting Services uses Integrated Windows authentication by default. If you want to use a different authentication provider, use IIS Manager to specify directory security properties.
- Open IIS Manager.
- Right-click the report server virtual directory and click Properties.
- Click Directory Security.
- In Authentication and access control, click Edit to open the Authentication Methods dialog box.
- (Optional) Clear the Integrated Windows authentication check box.
If the report server virtual directory is configured for both Integrated Windows authentication and Basic authentication, the report server will try Windows authentication first. If you want to use only Basic authentication, you must clear the Integrated Windows authentication check box.
- Select Basic authentication.
- Set the default domain or realm used to authenticate clients to the Web server.
Do not enable Anonymous access unless you are deploying a custom authentication extension or you are enabling access to Report Builder through a report server that is configured for Basic authentication. Do not enable Digest or Passport; they are not supported authentication options in Reporting Services.
When configuring an authentication method for a report server, be sure to use the same method for all components. Do not specify a different authentication type for Report Manager. If you do, users must provide different logon credentials for both Report Manager and report server operations. Similarly, the authentication type for Report Builder should be identical to the authentication provider used by the report server, except when you configure the report server to use Basic authentication. If you use Basic authentication, you must allow Anonymous access on the Report Builder folder to forward a connection request to the ClickOnce application launcher. For more information, see Configuring a Report Server for Report Builder Access.
For more information about enabling Basic authentication and selecting an authentication type in IIS, see Enabling Basic Authentication and Configuring the Realm Name and Selecting a Web Site Authentication Method on the Microsoft TechNet Web site.
Configuring Authentication for Extranet and Internet Access
Integrated Windows authentication is seldom practical for deployment models that require Internet or extranet access. If you are deploying Reporting Services on an Internet-facing Web server, you should replace Windows authentication with a custom authentication extension that gives you more control over how external users are granted access to the report server. Creating a custom authentication extension requires custom code and expertise in ASP.NET security. For more information, see Implementing a Security Extension.
If you do not want to code a custom authentication extension, you can use Microsoft Active Directory groups and accounts, but you should greatly reduce the scope of a report server deployment. The following guidelines describe how to support this scenario:
- Create a low-privileged domain user account with read-only permissions. The account must have access to the computer hosting the report server. Provide a custom Web form so that users can log on using the low-privileged domain account.
- Create role assignments that map the user account to specific items in the report server folder hierarchy. You can limit access to read-only operations by choosing as the role assignment the Browser predefined role.
- Configure reports to use stored credentials to get data for the report. This approach is useful if you want to query the external data source using an account that is different from the account that allows access to the report server. For more information about these options, see Specifying Credential and Connection Information.
Managing Permissions and Security for Reporting Services
Creating, Modifying, and Deleting Role Assignments
Specifying Credential and Connection Information
Connections and Accounts in a Reporting Services Deployment
Configuring a Report Server for Secure Sockets Layer (SSL) Connections
Configuring a Report Server for Report Builder Access