Windows Service Identity (Reporting Services Configuration)
Use the Windows Service Identity page to specify the account under which the Report Server Windows service runs. This account is initially configured during Setup. You can modify it if you want to change the account or password.
If you see a red X next to Windows Service Identity when you start the Reporting Services Configuration tool, the initial service account settings might be in an invalid state after upgrading the edition (for example, Standard Edition to Enterprise Edition). To repair the settings, start the Reporting Services Configuration tool, click Windows Service Identity, re-select the account, and click Apply.
It is strongly recommended that you use the Reporting Services Configuration tool to update the service identity because other internal settings that depend on the service identity are automatically updated at the same time.
Choosing an Account
When choosing an account, it is helpful to know how the service is used. The Report Server Windows service is used to initialize a report server so that it can encrypt and store sensitive data, run scheduled report and subscription processing in the background, and maintain the report server database.
Account types that you can choose for the Windows service include a domain user account, a local user account, or a built-in account (such as Network Service, Local Service, or Local System). For most of the tasks that the Windows service must perform, the type of account you choose does not affect its ability to perform those tasks; the Report Server Windows service is fully functional no matter which account you choose.
Domain accounts and Network Service are recommended; both offer the same benefits in terms of access to network domain controllers, public file shares, and corporate e-mail servers. Both provide the Report Server Windows service with network logon permissions.
Local Windows accounts or built-in local accounts can be used successfully, but they introduce requirements or considerations for how you set other configuration settings, and on subscription creation and delivery:
- Running the service under a local account will limit your options later when you configure a connection to a remote report server database. Specifically, if you are using a remote report server database, you will need to configure the connection to use a domain user account or SQL Server database user that has permission to log on to the remote SQL Server instance.
- Running the service under a local account will introduce new requirements on subscription creation. The report server stores information about the user who creates the subscription. If the user creates the subscription while logged on under a domain account, the Report Server Windows service will try to connect to a domain controller to authenticate the user when the subscription is processed. If the Report Server Windows service runs under a local account, the authentication request will fail when the report server tries to send the request to a remote domain controller. To work around this limitation, you can use a custom forms-based authentication extension or have all users connect to a report server under a local user account.
- Running the service under a local account will introduce new requirements for subscription delivery. Some delivery extensions have user account information in the subscription definition. If you are sending reports to e-mail addresses that are based on domain user accounts and you run the Report Server Windows service under a local account, it cannot access a remote domain controller to resolve the target e-mail account.
Use the following guidelines when updating the Windows service identity:
Windows domain accounts are the default for SQL Server services.
Choose a domain account if the Report Server Windows service requires access to remote computers or you want to precisely configure the permissions on the service. Be sure to choose an account has minimal permissions.
Avoid domain accounts if you do not want to change the password or account due to expiration security policies used in your organization.
This is a built-in least-privilege account that has network logon permissions. It is the default account for running the Report Server Web service on Microsoft Windows Server 2003 and Windows XP Service Pack 2 (Network Service is not available on other Windows operating systems), but you can also use it to run the Windows service.
Choose Network Service if you want to avoid any down-time that might occur as a result of password expiration policies. Avoid Network Service if you do not want to run the report server under accounts that might also be used by other applications.
This is a built-in account that is similar to an authenticated user account. Services that run as the Local Service account access network resources as a null session with no credentials.
This account is not appropriate for intranet deployment scenarios. If user authentication is performed by a network domain controller or if you want to use the service account for a remote report server database connection, choose a different account.
Local Service is the default service account for a report server you install through SQL Server 2005 Express Edition with Advanced Services. That edition has built-in restrictions that prevent access to remote servers and subscription functionality, so the inability of the Windows service to access network resources is not an issue. For more information about report server features in the Express Edition, see Reporting Services in SQL Server 2005 Express Edition with Advanced Services.
Avoid this account for report server installations. Local System is a highly privileged account that is not necessary for running a report server. Choose a domain account, Network Service, or Local Service instead.
If you switch the account (for example, replacing one Windows account with another or replacing a built-in account with a Windows domain account), you will be prompted to create a backup copy of the symmetric key. The backup copy will be restored automatically once you select the new account.
The Reporting Services Configuration tool prompts you to back up and restore the encryption key whenever you modify the service account. These steps are necessary for ensuring that encrypted data remains accessible to the report server. For more information about these actions, see Encryption Keys (Reporting Services Configuration).
- Service Name
Specifies the Report Server Windows service account name (ReportServer).
- Service Account
Specifies the account the Windows service runs as. You can only select an existing account; you cannot create new accounts in Reporting Services Configuration.
- Built-in Account
Select this option to choose a built-in system account.
- Windows Account
Select this option to choose a domain or local user account.
- User Name
Specify a domain account in this format: <domain>\<user>. Specify a local Windows user account in this format: <computer name>\<user>.
Specify the password.
12 December 2006
17 July 2006
Configuring Service Accounts and Passwords in Reporting Services
How to: Configure Service Accounts (Reporting Services Configuration)
Starting and Stopping the Report Server Windows Service