Register a Service Principal Name (SPN) for a Report Server

If you are deploying Reporting Services in a network that uses the Kerberos protocol for mutual authentication, you must create a Service Principal Name (SPN) for the Report Server service if you configure it to run as a domain user account.

About SPNs

An SPN is a unique identifier for a service on a network that uses Kerberos authentication. It consists of a service class, a host name, and sometimes a port. HTTP SPNs do not require a port. On a network that uses Kerberos authentication, an SPN for the server must be registered under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. SPNs are registered for built-in accounts automatically. However, when you run a service under a domain user account, you must manually register the SPN for the account you want to use.

To create an SPN, you can use the SetSPN command line utility. For more information, see the following:

You must be a domain administrator to run the utility on the domain controller.

Syntax

The command syntax for using the SetSPN utility to create an SPN for the report server resembles the following:

Setspn -s http/<computername>.<domainname> <domain-user-account>  

SetSPN is available with Windows Server. The -s argument adds an SPN after validating that no duplicate exists. NOTE: -s is available in Windows Server starting with Windows Server 2008.

HTTP is the service class. The Report Server Web service runs in HTTP.SYS. A by-product of creating an SPN for HTTP is that all Web applications on the same computer that run in HTTP.SYS (including applications hosted in IIS) will be granted tickets based on the domain user account. If those services run under a different account, the authentication requests will fail. To avoid this problem, be sure to configure all HTTP applications to run under the same account, or consider creating host headers for each application and then creating separate SPNs for each host header. When you configure host headers, DNS changes are required regardless of the Reporting Services configuration.

The values that you specify for <computername> and <domainname> identify the unique network address of the computer that hosts the report server. This can be a local host name or a fully qualified domain name (FQDN). If you only have one domain, you can omit <domainname> from your command line. <domain-user-account> is the user account under which the Report Server service runs and for which the SPN must be registered.

Register an SPN for Domain User Account

To register an SPN for a Report Server service running as a domain user

  1. Install Reporting Services and configure the Report Server service to run as a domain user account. Note that users will not be able to connect to the report server until you complete the following steps.

  2. Log on to the domain controller as domain administrator.

  3. Open a Command Prompt window.

  4. Copy the following command, replacing placeholder values with actual values that are valid for your network:

    Setspn -s http/<computer-name>.<domain-name> <domain-user-account>  
    

    For example: Setspn -s http/MyReportServer.MyDomain.com MyDomainUser

  5. Run the command.

  6. Open the RsReportServer.config file and locate the <AuthenticationTypes> section.

  7. Add <RSWindowsNegotiate/> as the first entry in this section to enable Kerberos.
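
Steps 4 through 7 scripted in PowerShell, as an added example that is not part of the original page or Microsoft's own tooling. The function names, their parameters and the .bak backup copy are assumptions; pass the full path of RsReportServer.config for your installation.

```powershell
# Added example (not Microsoft's code). Function names and parameters are hypothetical.

function Register-ReportServerSpn {
    # Steps 4-5: run from a prompt that has rights to write the SPN.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # e.g. MyReportServer.MyDomain.com
        [Parameter(Mandatory = $true)][string]$Account     # e.g. MyDomainUser
    )
    $spn = "http/$HostName"
    # -s adds the SPN only after validating that no duplicate exists.
    & setspn.exe -s $spn $Account | Out-Host
    # -L lists the SPNs held by the account; confirm ours is among them.
    $held = (& setspn.exe -L $Account) -join "`n"
    if ($held -notmatch [regex]::Escape($spn)) {
        throw "SPN $spn is not registered for $Account; check the setspn output above."
    }
    "SPN $spn is registered for $Account"
}

function Enable-RsWindowsNegotiate {
    # Steps 6-7: run on the report server. $ConfigPath is the full path to
    # RsReportServer.config, which depends on the installation.
    param([Parameter(Mandatory = $true)][string]$ConfigPath)

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true          # keep the file's existing layout
    $doc.Load($ConfigPath)

    $types = $doc.SelectSingleNode('//AuthenticationTypes')
    if ($null -eq $types) { throw "<AuthenticationTypes> not found in $ConfigPath" }

    # Remove any existing entry so the element ends up first exactly once.
    foreach ($old in @($types.SelectNodes('RSWindowsNegotiate'))) {
        [void]$types.RemoveChild($old)
    }
    [void]$types.PrependChild($doc.CreateElement('RSWindowsNegotiate'))

    # Keep a copy of the original file before overwriting it.
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    $doc.Save($ConfigPath)

    # Return the resulting order of authentication types for review.
    $types.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.Name }
}
```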

See Also

Configure a Service Account (SSRS Configuration Manager)
Configure the Report Server Service Account (SSRS Configuration Manager)
Manage a Reporting Services Native Mode Report Server