Connections and Accounts in a Reporting Services Deployment
This topic describes the accounts and connections that are used in a Reporting Services deployment. For more information about how to specify the Report Server Windows and Web service accounts, see Configuring Service Accounts and Passwords in Reporting Services.
The following diagram illustrates the accounts and connections in a default installation.
Connection 1: User connects to a report server
By default, users connect to the report server by using their own Windows domain credentials and integrated security. You can also configure a report server to use forms authentication if you create and deploy a custom authentication extension, or basic authentication if the report server is deployed in a Workgroup. If the report server uses custom forms authentication or basic authentication, the user connects to the report server through a login that is valid for that authentication provider.
After the user is authenticated, the report server checks for permissions that authorize access to report server content and operations. The permissions are defined in role assignments that describe which tasks a user can perform. Each user who connects to a report server must have role assignments defined on the account that he or she uses to connect to the report server. For more information, see Managing Permissions and Security for Reporting Services.
A user connection to a report server occurs whenever a user runs a report or a tool (such as Report Manager or SQL Server Management Studio) that connects to a report server. For more information about URLs used to connect to a report server, see Configuring Report Server Virtual Directories.
Connection 2: Report server connects to the report server database
A report server database provides internal storage to the report server. The report server connects to the report server database to store and retrieve content, server state, and metadata. Users and other applications do not connect to the report server database. Only the report server connects to the database.
Because the report server is implemented as a Web service and Microsoft Windows service, each service must be able to connect to the database. When configuring the connection to the report server database, you can choose from the following approaches:
- Use the service accounts. Each service runs under its own service account. You can use the service accounts to connect to the database.
- Use a domain account. Both services connect by using the single domain user account that you specify.
- Use a SQL server login. Both services connect by using the single database user account that you specify.
To configure the connection, use the Database Setup page in theReporting Services Configuration tool. The tool automatically creates the login and database permissions for the account you specify. For more information, see Configuring a Report Server Database Connection.
Connection 3: Report server connects to external data sources
To retrieve data used in a report, a report server must connect to other servers that host the external data sources. Connections to external data sources are initially defined in the report and then managed independently of the report after the report is published. At run time, these connections are made by the report server on behalf of the user who is running the report. The report server passes credentials to specific data sources. For any given report, the report server can get credentials in one of the following ways:
- Impersonate or use the delegated credentials of the user who is running the report. Configuring a report data source to use Windows authentication requires that the report server also be configured to use the default Windows security extension. If the report server uses forms authentication or basic authentication, you cannot configure report data sources to use impersonated or delegated credentials.
- Prompt the user to type credentials.
- Retrieve stored credentials from the report server database.
- Use no credentials. This option is enabled when you configure the unattended report processing account. You can choose this option if the data source does not use credentials (for example, if the data is in an XML document). To connect to the computer that hosts data source, the report server uses the unattended processing account. You can use the Reporting Services Configuration tool to configure the account. For more information, see Configuring an Account for Unattended Report Processing.
If you are using SQL Server 2005 Express Edition with Advanced Services, report data sources must be SQL Server relational data sources that run on the local SQL Server Express Database Engine instance. Remote data sources and other data source types are not supported.
Configuring Service Accounts and Passwords in Reporting Services
Administering the Report Server Web Service and Windows Service
Configuring a Report Server Database Connection
Configuring an Account for Unattended Report Processing
Connecting to a Data Source
Specifying Credential and Connection Information
Setting Data Source Properties in Reporting Services
Help and Information
12 December 2006
17 July 2006
14 April 2006