Configuring Service Accounts and Passwords in Reporting Services
Reporting Services uses a Windows service and Web service to support server operations. This topic describes the default accounts used to run the services, how the accounts are configured at first, and how to specify a different account or password. For more information about each service, see Administering the Report Server Web Service and Windows Service.
Default Accounts and Initial Configuration
The Report Server Windows service can run under a built-in account or domain user account. The Windows service account is always configured during Setup. SQL Server Setup provides options for selecting a domain user account or the built-in Local System account when you specify options in the Service Account page. You must select one of these account types for Setup to continue.
Setup does not provide options for specifying all possible service account choices. For example, it does not allow you to specify NetworkService. If you want to use NetworkService, you can use the Reporting Services Configuration tool to modify the service account properties after Setup is finished.
The Report Server Web service account is always the ASP.NET worker process identity. The account information for the Web service can be set during or after installation. It can be set during installation if you select the default configuration installation option. Otherwise, it is set after installation when you specify the report server virtual directory in the Reporting Services Configuration tool. Either way, the initial settings for the Report Server Web service are always the default values as determined by ASP.NET and the version of Microsoft Internet Information Services (IIS) that you are using:
- In IIS 7.0 on Windows Vista, Reporting Services runs as a legacy application. On IIS 7.0, report server applications cannot use the default security identity for ASP.NET (IWAM_<machinename>. Instead, you should create new application pools that run as NetworkService or as a least-privilege domain user account.
- In IIS 6.0 on Microsoft Windows Server 2003, the ASP.NET worker process runs under the security identity of the application pool that contains it. You can have multiple ASP.NET worker processes, where each one is contained in a separate application pool that has its own security identity. By default, the security identity is NetworkService. NetworkService is the security identity of the default application pool, which provides settings that are inherited by any new application pool you subsequently create. When a report server is configured, the Report Server Web service is assigned to a dedicated application pool that is created for it when you specify the report server virtual directory. Because this application pool inherits the security identity of the default application pool, the account used to run the Report Server Web service is typically NetworkService.
- In IIS 5.0 on Windows 2000 Server or IIS 5.01 on Windows XP, there is one ASP.NET worker process account for all ASP.NET applications that run on the computer. By default, ASP.NET runs under its own account as computername\ASPNET. To use a different account, you must configure ASP.NET to run under that account. There are no options in Reporting Services Configuration tool to set the ASP.NET account. You must modify the <processModel> element in the Machine.config file if you want to use a custom account for all ASP.NET applications that run on the server.
To view the account information for both services, use the Reporting Services Configuration tool. The tool includes the Web Service Identity page and the Windows Service Identity page that show service account information.
Changing the Service Accounts and Passwords for a SharePoint Integrated Report Server
If you are running a report server in SharePoint integrated mode, you must update the service account information that is stored in the SharePoint configuration database if either of the following conditions are true:
- Either of the Reporting Services service accounts is modified (for example, switching from NetworkService to a domain user account).
- A SharePoint farm is extended to include an additional SharePoint Web application. If the server farm is configured for report server integration and a newly added application is configured to run under a different user account than other applications in the farm, you must update the database access information.
After you reset the database access information, you should then restart the Windows SharePoint Services service to ensure that the old connection is no longer used.
To update credentials and restart the Windows SharePoint Services service
- In Administrative Tools, click SharePoint 3.0 Central Administration.
- Click Application Management.
- In the Reporting Services section, click Grant Database Access.
- Click OK. The Enter Credentials dialog box appears.
- Enter the credentials of a user who is a member of the Local Administrator's group on the computer that hosts the report server. The credentials will be used for a one-time connection to the report server computer for the purpose of retrieving service account information. The database login that is created for each service account will be updated in SharePoint databases.
- To restart the service, click Operations.
- In Topology and Services, click Services on Server.
- For Windows SharePoint Services Web Application, click Stop.
- Wait for the service stop.
- Click Start.
For more information, see How to: Configure the Report Server Integration Feature in SharePoint Central Administration.
Setting Application Pool Properties in IIS 7.0 on Windows Vista
If the ASP.NET process identity is set to IWAM_<machinename>, you will encounter errors when modifying the Web service identity in the Reporting Services Configuration tool.
In the Web Service Identity page, if you see that the ASP.NET service identity is set to IWAM_<machinename> and you select Classic .NET AppPool for the report server application pool, the following error will appear when you click Apply:
Setting Web Service Identity. There was an error setting the identity of the Web service. The previously set identity will still be used.
You can work around this error by revising the application pool settings.
To revise application pool settings
- Start the Reporting Services Configuration tool.
- On the Web Service Identity page, in Report Server, click the down arrow and create or select an application pool. Reporting Services requires that the application pool you select must have Managed Pipeline Mode set to Classic. To check for this requirement, use IIS Manager to view application pool properties.
- Click Apply. Notice that the error occurs.
- Repeat the same selection, and click Apply again. If the selection is valid, it will be accepted on the second attempt. If the selection is not valid, the error will continue to occur and you should either choose a different application pool or investigate why the error is occurring (for example, the account might be invalid).
- Reset IIS to detect the changed settings.
- Click Start, click All Programs, and then click Accessories.
- Right-click Command Prompt.
- Select Run as administrator. Click Continue.
- Type IISRESET, and press Enter.
Changing the Service Accounts and Passwords
You can modify the service accounts, passwords, or both. For instructions on how to specify an account after you have decided which one to use, see How to: Configure Service Accounts (Reporting Services Configuration).
When you choose a new account, a login and database permissions will be created for the new account. Specifically, the account will be added to the RSExecRole. Accounts that were added previously are not removed from this role; you will need to remove accounts that are no longer in use. For more information, see Administering a Report Server Database.
Choosing a Different Account
You can configure the Report Server Web service and Windows service accounts to run under non-default values. There is no single best approach for choosing an account type. Each account has advantages and disadvantages that you must consider. If you are deploying Reporting Services on a production server, best practices suggest that you configure the accounts to run under a user account that is used by a single service or application. The following guidelines and links in this section can help you decide on an approach that is best for your deployment.
Setting Up Windows Service Accounts in SQL Server Books Online.
Changing a Password before it Expires
To reset the password, use the Reporting Services Configuration tool and follow these instructions: How to: Configure Service Accounts (Reporting Services Configuration).
If the service account password for the Database Engine expires, the rsReportServerDatabaseUnavailable error occurs when you try to connect to the report server. Resetting the password resolves this error. To view the complete text of the error message, see Troubleshooting Server and Database Connection Problems.
Changing an Expired Password for the Report Server Windows Service
If the Report Server Windows service runs under a domain account and the password expires, the service will be unavailable until you specify a new password. To reset the password, click the Start menu, point to Control Panel, point to Administrator Tools, and click Services. Right-click SQL Server Reporting Services, select Properties, click Log On, and type the new password. After you update the password, start the Reporting Services Configuration tool and update the password in the Windows Service Identity page. This additional step is necessary to update the account information that is stored internally by the report server.
Dependencies on the Report Server Windows Service Identity
If you change the Report Server Windows service account, this can affect report server operations. For that reason, it is important to always use the Reporting Services Configuration tool when changing a service account. The Reporting Services Configuration tool performs the following additional steps to ensure the report server remains available:
Automatically updates the encryption key to include the profile information of the new account. Because encryption is performed only by the Report Server Windows service, the keys must be updated when you reset the Windows service.
If the report server is part of the scale-out deployment, only the report server that you are updating is affected. The encryption keys for other report servers in the deployment are unaffected by the service account change.
Automatically updates the login permissions on the SQL Server Database Engine instance used to host the report server database. If you are using the service accounts to connect to the database, Reporting Services granted SQL Server login permissions to the service accounts when you initially configured the connection. If you reset the Windows service account, the connection information must be updated.
Automatically adds the new accounts to the report server group created on the local computer. This group is specified in the access control lists (ACLs) that secure Reporting Services files.
Configuring Report Server Virtual Directories
Administering the Report Server Web Service and Windows Service
Connections and Accounts in a Reporting Services Deployment
Starting and Stopping the Report Server Windows Service
Changing Passwords and User Accounts
Web Service Identity - Windows Server 2003 (Reporting Services Configuration)
Windows Service Identity (Reporting Services Configuration)
Deploying Reporting Services
Setting Up Windows Service Accounts
Help and Information
15 September 2007
12 December 2006
14 April 2006