Web Service Identity - Windows Server 2003 (Reporting Services Configuration)
Use this page to view or modify the service account used by the Report Server Web service for a report server that runs on Microsoft Internet Information Services (IIS) 6.0.
The Report Server Web service account is configured automatically when you create the Report Server virtual directory. The Web service runs under the security identity that is configured for the application pool of the Web site that you select. However, you can run the Web service under a different account by selecting or creating an application pool that is configured for the account you want to use.
We recommend that you always use the Reporting Services Configuration tool instead of IIS Manager to set the application pool so that settings that are affected by the change can be updated automatically. Specifically, if you are using service accounts for the report server database connection, the tool grants the new account access to the report server database whenever you change the Web service identity and updates the encryption keys so that existing encrypted data is available to the new account. If you use other tools to create or configure an application pool, the report server configuration might be incomplete.
Using a Non-default Account for Application Pools
By default, application pools operate under Network Service, a least-privilege account with network credentials to support connections to remote servers. Depending on your deployment requirements, Network Service might not be the best choice if you want to use a domain account exclusively for report server operations. For guidance and recommendations on when to run ASP.NET applications under a domain account, see How to Create a Service on MSDN.
Note that if you use a domain service account and your domain is configured for Kerberos authentication, you might encounter HTTP 401 access denied errors if you did not create a Service Principal Name (SPN) that registers the domain account for the Web site. Be sure that the domain account that you register is the same one used for the application pool. For more information, see Configuring Constrained Delegation for Kerberos (IIS 6.0) on the Microsoft TechNet Web site.
Configuring an SPN is a global setting in IIS. If you configure an SPN, all application pools that are defined on the Web server must run under the identity of the SPN. You must be a domain administrator to set the SPN.
About Red X Indicators
Sometimes, a red X can appear next to Web Service Identity in the navigation pane after you upgrade Reporting Services. This can occur if settings from the previous installation are still in IIS or if you are running multiple report server instances on the same computer, and you are using the same application pool for all instances.
A red X indicates that there is a discrepancy between the actual Web service identity and the Web service identity information that is stored by the Reporting Services WMI provider. This discrepancy can occur if you modify the Web service identity settings in the configuration files. The Web Service Identity page shows the actual Web service identity in ASP.NET Service Account. In some cases, you can synchronize settings by clicking Apply.
If that does not resolve the issue, choose a different application pool or click New to create a new application pool for the report server. You must click Apply after you specify the new application pool to save your changes.
If ASP.NET Service Account is empty, there might be a problem with how the <configuration> element is specified in the report server Web.config file. If you used Visual Studio to edit the Web.config file, Visual Studio might have added a namespace to the <configuration> element. If the <configuration> element looks like <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">, remove the namespace so that it looks like this: <configuration>.
- Report Server
Specifies the application pool for the Report Server Web service.
- Report Manager
Specifies the application pool for Report Manager. By default, Report Manager uses the same application pool as the report server.
Create a new application pool and specify a built-in or domain user account for the security identity.
The report server and Report Manager can run in the same application pool, but you can choose different application pools if you want to isolate them.
Configuring Service Accounts and Passwords in Reporting Services
How to: Configure Service Accounts (Reporting Services Configuration)
Configuring a Report Server Database Connection
Configuring Report Server Virtual Directories
Introducing the Report Server Web Service
Administering the Report Server Web Service and Windows Service
Help and Information
12 December 2006
17 July 2006