Authentication with the Report Server

SQL Server Reporting Services (SSRS) offers several configurable options for authenticating users and client applications against the report server. By default, the report server uses Windows Integrated authentication and assumes trusted relationships where client and network resources are in the same domain or in a trusted domain. Depending on your network topology and the needs of your organization, you can customize the authentication protocol that is used for Windows Integrated authentication, use Basic authentication, or use a custom forms-based authentication extension that you provide. Each of the authentication types can be turned on or off individually. You can enable more than one authentication type if you want the report server to accept requests of multiple types.

Note

In previous versions of Reporting Services, all authentication support was provided by IIS. Starting with the SQL Server 2008 release, IIS is no longer used. Reporting Services handles all authentication requests internally.

All users or applications who request access to report server content or operations must be authenticated before access is allowed.

Authentication Types

All users or applications who request access to report server content or operations must be authenticated using the authentication type configured on the report server before access is allowed. The following table describes the authentication types supported by Reporting Services.

| AuthenticationType Name | HTTP Authentication Layer value | Used by default | Description |
|---|---|---|---|
| RSWindowsNegotiate | Negotiate | Yes | Attempts to use Kerberos for Windows Integrated authentication first, but falls back to NTLM if Active Directory cannot grant a ticket for the client request to the report server. Negotiate will only fall back to NTLM if the ticket is not available. If the first attempt results in an error rather than a missing ticket, the report server does not make a second attempt. |
| RSWindowsNTLM | NTLM | Yes | Uses NTLM for Windows Integrated authentication. The credentials will not be delegated or impersonated on other requests. Subsequent requests will follow a new challenge-response sequence. Depending on network security settings, a user might be prompted for credentials or the authentication request will be handled transparently. |
| RSWindowsKerberos | Kerberos | No | Uses Kerberos for Windows Integrated authentication. You must configure Kerberos by setting up service principal names (SPNs) for your service accounts, which requires domain administrator privileges. If you set up identity delegation with Kerberos, the token of the user who is requesting a report can also be used on an additional connection to the external data sources that provide data to reports. Before you specify RSWindowsKerberos, be sure that the browser type you are using actually supports it. If you are using Internet Explorer, Kerberos authentication is only supported through Negotiate. Internet Explorer will not formulate an authentication request that specifies Kerberos directly. |
| RSWindowsBasic | Basic | No | Basic authentication is defined in the HTTP protocol and can only be used to authenticate HTTP requests to the report server. Credentials are passed in the HTTP request in base64 encoding. If you use Basic authentication, use Secure Sockets Layer (SSL) to encrypt user account information before it is sent across the network. SSL provides an encrypted channel for sending a connection request from the client to the report server over an HTTP TCP/IP connection. For more information, see Using SSL to Encrypt Confidential Data on the Microsoft TechNet Web site. |
| Custom | (Anonymous) | No | Anonymous authentication directs the report server to ignore the authentication header in an HTTP request. The report server accepts all requests, but calls on a custom ASP.NET Forms authentication that you provide to authenticate the user. Specify Custom only if you are deploying a custom authentication module that handles all authentication requests on the report server. You cannot use the Custom authentication type with the default Windows Authentication extension. |

Unsupported Authentication Methods

The following authentication methods and requests are not supported.

| Authentication method | Explanation |
|---|---|
| Anonymous | The report server will not accept unauthenticated requests from an anonymous user, except for those deployments that include a custom authentication extension. Report Builder will accept unauthenticated requests if you enable Report Builder access on a report server that is configured for Basic authentication. For all other cases, anonymous requests are rejected with an HTTP Status 401 Access Denied error before the request reaches ASP.NET. Clients receiving 401 Access Denied must reformulate the request with a valid authentication type. |
| Single sign-on technologies (SSO) | There is no native support for single sign-on technologies in Reporting Services. If you want to use a single sign-on technology, you must create a custom authentication extension. The report server hosting environment does not support ISAPI filters. If the SSO technology you are using is implemented as an ISAPI filter, consider using the ISA Server built-in support for RSA SecurID or the RADIUS protocol. Otherwise, you can create an ISA Server ISAPI or an HTTPModule for RS, but it is recommended you use ISA Server directly. |
| Passport | Not supported in SQL Server 2014. |
| Digest | Not supported in SQL Server 2014. |

Configuration of Authentication Settings

Authentication settings are configured for default security when the report server URL is reserved. If you modify these settings incorrectly, the report server will return HTTP 401 Access Denied errors for HTTP requests that cannot be authenticated. Choosing an authentication type requires that you already know how Windows Authentication is supported in your network. At least one authentication type must be specified. Multiple authentication types can be specified for RSWindows. RSWindows authentication types (that is, RSWindowsBasic, RSWindowsNTLM, RSWindowsKerberos, and RSWindowsNegotiate) are mutually exclusive with Custom.

Important

Reporting Services does not validate the settings you specify to determine whether they are correct for your computing environment. It is possible that default security will not work for your installation, or that you will specify configuration settings that are not valid for your security infrastructure. For this reason, it is important that you carefully test your report server deployment in a controlled test environment before making it available to your larger organization.

The Report Server Web service and Report Manager always use the same authentication type. You cannot configure different authentication types for the feature areas of the Report Server service. If you have a scale-out deployment, be sure to duplicate all of your changes on all nodes in the deployment. You cannot configure different nodes in the same scale-out to use different authentication types.
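Because Reporting Services does not validate these settings itself, the rules stated in this section (at least one type, RSWindows types never combined with Custom, identical types on every scale-out node) can be checked before deployment. The following is an added example, not Microsoft's code: it assumes the enabled types appear as child elements of Authentication/AuthenticationTypes in RSReportServer.config, a layout this page does not show, and the function names and node configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Authentication type names taken from the table on this page.
RSWINDOWS = {"RSWindowsNegotiate", "RSWindowsNTLM", "RSWindowsKerberos", "RSWindowsBasic"}
KNOWN = RSWINDOWS | {"Custom"}

def auth_types(config_xml):
    """Return the set of authentication type names enabled in one config document."""
    root = ET.fromstring(config_xml)
    # Assumed layout: <Authentication><AuthenticationTypes><TypeName/>...
    node = root.find(".//Authentication/AuthenticationTypes")
    return set() if node is None else {child.tag for child in node}

def check_auth_config(config_xml):
    """Return findings for one node's configuration; an empty list means clean."""
    types = auth_types(config_xml)
    findings = []
    if not types:
        findings.append("no authentication type specified")
    for name in sorted(types - KNOWN):
        findings.append(f"unknown authentication type: {name}")
    if "Custom" in types and types & RSWINDOWS:
        findings.append("Custom is mutually exclusive with RSWindows types")
    if "RSWindowsBasic" in types:
        # Basic sends base64-encoded credentials, so the channel must be encrypted.
        findings.append("RSWindowsBasic enabled: confirm the report server URL requires SSL")
    return findings

def check_scale_out(node_configs):
    """Return the nodes whose enabled types differ from the first node's."""
    items = list(node_configs.items())
    baseline = auth_types(items[0][1])
    return [name for name, xml in items[1:] if auth_types(xml) != baseline]

def sample_config(*types):
    """Build a constructed, minimal configuration document for the demo."""
    inner = "".join(f"<{t}/>" for t in types)
    return ("<Configuration><Authentication><AuthenticationTypes>"
            f"{inner}</AuthenticationTypes></Authentication></Configuration>")

# Constructed sample data: node-c was edited by hand and drifted.
SAMPLE_NODES = {
    "node-a": sample_config("RSWindowsNegotiate", "RSWindowsNTLM"),
    "node-b": sample_config("RSWindowsNegotiate", "RSWindowsNTLM"),
    "node-c": sample_config("RSWindowsNTLM", "Custom"),
}

if __name__ == "__main__":
    for name, xml in SAMPLE_NODES.items():
        print(name, check_auth_config(xml) or "ok")
    print("differs from node-a:", check_scale_out(SAMPLE_NODES))
```
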

Background processing does not accept requests from end users; however, it does authenticate all requests for unattended execution purposes. It always uses Windows Authentication, and it authenticates requests using the Report Server service or the unattended execution account if it is configured.

In This Section

| Task Descriptions | Links |
|---|---|
| Configure the Windows Integrated authentication type. | Configure Windows Authentication on the Report Server |
| Configure the Basic authentication type. | Configure Basic Authentication on the Report Server |
| Configure forms authentication or otherwise a Custom authentication type. | Configure Custom or Forms Authentication on the Report Server |
| Enable the report manager to handle the custom authentication scenario. | Configure Report Manager to Pass Custom Authentication Cookies |

See Also

Granting Permissions on a Native Mode Report Server
RSReportServer Configuration File
(create-and-manage-role-assignments.md)
Specify Credential and Connection Information for Report Data Sources
Implementing a Security Extension
Configure SSL Connections on a Native Mode Report Server
Configure Report Builder Access
Security Extensions Overview
Authentication in Reporting Services
Authorization in Reporting Services