Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase «««12345»»»

RS SOLUTION - Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E) Expand / Collapse
Author
Message
Posted Tuesday, April 15, 2008 7:35 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Wednesday, March 9, 2011 3:56 PM
Points: 10, Visits: 64
Jacob, yes, i'm running RS on my PC and grabbing reports created here, but using data (in this case a SP running on a SQL Cluster (but both on the same Domain). now, (i've done a lot of internet searching) Yesterday afternoon i went into RS Config Mgr & under "Execution Account" i unchecked the box labelled: "Specify an Execution Account" and my reports started working. this is NOT the route i wish to travel. My feelings are that, yes, there is something blocking my request for the SP to run on the SQL Cluster Node when using the ReportExecution Account. i don't know where to go on the SQL server to enable that authority. i believe i have it correctly taken care of within SQL under Security/Logins, could it be that i need to do something with the MS-Server2003 permissions?
Russ

Jacob Luebbers (4/15/2008)
@rholt:

It sounds like you may be running into a Kerberos delegation issue. Are your RS server and the source DB server running on different boxes? If so you may not have your RS server setup to correctly delegate the users' credentials to the DB server, so that final "2nd hop" connection is coming through as anonymous. This has been discussed a few times in various threads, the latest I recall was in a linked server context here. aureolin posted a link partway through the thread (http://msdn2.microsoft.com/en-us/library/aa905162(SQL.80).aspx) that gives you the details on correctly configuring your servers.

Regards,

Jacob
Post #485010
Posted Tuesday, April 15, 2008 6:12 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Thursday, March 6, 2014 6:13 PM
Points: 318, Visits: 1,183
A quick quote from BOL (Specifying Credential and Connection Information):

BOL

When sending a connection request over the network, the report server will either impersonate a user account or the unattended execution account.


What type of auth are you using in your connection strings in the data source(s) for your reports? If you're using Integrated Security (aka Windows Authentication) your connection from your RS server to your DB server will be done with your users' Windows credentials or the unattended exec account. Unless you've got your RS server, DB server and their service accounts correctly configured for Kerberos delegation the "2nd hop" from RS server to DB server is going to come through as anonymous, and most likely fail unless you've granted anonymous permissions (eg "public") to your report procs/queries.

What credentials do you have setup on the RS server for the unattended execution account? Are they by any chance your own credentials (using your old, previous password)?

This is a non-issue if you are using SQL logins in your data source connection strings. It's also not an issue when you are running the reports on your own box in BIDS as they are executing on the local machine and only making one hop to the DB server. When your Kerberos config is setup incorrectly this works (crappy ASCII diagram alert):

local report running in BIDS ---[WindowsAuth]---> DB server

and this doesn't:

user's browser on their PC ---[WindowsAuth]---> your RS server ---[anonymous]---> DB server

This BOL page should also be useful: Configuring Authentication for Reporting Services

Regards,

Jacob
Post #485361
Posted Tuesday, April 15, 2008 6:37 PM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, October 25, 2010 10:10 AM
Points: 297, Visits: 267
As I stated in an earlier post if you setup your data source so it uses the 'Credentials stored securely in the report server' option and you provide a domain account and the 'Use as Windows credentials when connecting to the data source' box checked you should be good. Assuming the permissions on the database are setup properly.

This doesn't require the 2nd hop that Jacob is describing and is generally how I've always configured my shared data sources. If you're pointing to an isolated SQL instance you could also run profiler and see what kind of requests are coming in.

Hope this helps!



Cheers,

Ben Sullins
bensullins.com
Beer is my primary key...
Post #485366
Posted Wednesday, April 16, 2008 7:23 AM
Grasshopper

GrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopperGrasshopper

Group: General Forum Members
Last Login: Wednesday, March 9, 2011 3:56 PM
Points: 10, Visits: 64
ok - i'm sort of understanding this, but would the fact that I have RS loaded & running on my PC constitute a 2nd hop or just a single hop to the SQL Server?
Everything except the SQL & SP (which are both on the SQL Server) is on my personal PC. (i will be moving it off to a Reports Server probably within the week).

Jacob - this link didn't work: Configuring Authentication for Reporting Services

so... i think we're in agreement that since i eventually want others to be able to run these reports, an "Execution Account" is the way to go. i had an Account Name:
ReportExecution
and on the SQL Server under Security/Login i created the login:
ReportExecution
with the same password i used on the RS Config Mgr under Execution Account.
should i NOW go into Active Directory & create a UserProfile named
ReportExecution
with that same password??????


Ben Sullins (4/15/2008)
As I stated in an earlier post if you setup your data source so it uses the 'Credentials stored securely in the report server' option and you provide a domain account and the 'Use as Windows credentials when connecting to the data source' box checked you should be good. Assuming the permissions on the database are setup properly.

This doesn't require the 2nd hop that Jacob is describing and is generally how I've always configured my shared data sources. If you're pointing to an isolated SQL instance you could also run profiler and see what kind of requests are coming in.

Hope this helps!
Post #485639
Posted Wednesday, April 16, 2008 9:13 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, October 25, 2010 10:10 AM
Points: 297, Visits: 267
If you setup the data source to use a domain account the execution account won't be used. The execution account is for unattended operations, such as sending an email via subscription, writing a file to a file share, etc...not used by the data source...


Cheers,

Ben Sullins
bensullins.com
Beer is my primary key...
Post #485736
Posted Wednesday, April 16, 2008 5:38 PM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Thursday, March 6, 2014 6:13 PM
Points: 318, Visits: 1,183
rholt (4/16/2008)
ok - i'm sort of understanding this, but would the fact that I have RS loaded & running on my PC constitute a 2nd hop or just a single hop to the SQL Server?
Everything except the SQL & SP (which are both on the SQL Server) is on my personal PC. (i will be moving it off to a Reports Server probably within the week).


That would be one hop, and therefore Kerberos delegation wouldn't be needed. I thought you were saying that it worked fine on your box with BIDS, but was failing once you deployed it to your RS server... or do I have it wrong?


Jacob - this link didn't work: Configuring Authentication for Reporting Services


Sorry - those two links only seem to work if you copy-and-paste them into a new browser window. They will open your local BOL. Here's an online version of them:
http://msdn2.microsoft.com/en-us/library/ms160330.aspx
http://msdn2.microsoft.com/en-us/library/bb283249.aspx.


so... i think we're in agreement that since i eventually want others to be able to run these reports, an "Execution Account" is the way to go.


Not really - an execution account is not for that purpose. As Ben just mentioned it's only intended for things like subscription emails, external network access, etc. It will be used for your data source connections if you haven't provided valid credentials otherwise, but it's much better to use either passthrough Windows credentials from your users (and thus Keberos delegation is required), Windows credentials stored securely on the server or a native SQL login for your connection string in your data sources.

Regards,

Jacob
Post #486036
Posted Tuesday, July 8, 2008 7:56 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Monday, November 22, 2010 6:13 PM
Points: 1, Visits: 13
Worked for me, too. I had a typo in my Execution Account user name. This tip showed me where to start looking. Cheers
Post #530449
Posted Friday, November 14, 2008 5:12 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, June 10, 2014 1:57 PM
Points: 1, Visits: 65
Thanks for this tip.

Bipin
Post #603166
Posted Tuesday, March 17, 2009 8:44 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Thursday, July 2, 2009 7:57 AM
Points: 1, Visits: 6
Wonderful solution.

This really worked.

Thanks.
Post #677530
Posted Thursday, April 23, 2009 5:12 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Wednesday, June 17, 2009 2:35 AM
Points: 1, Visits: 4
Many Thanks - This worked :)
Post #703046
« Prev Topic | Next Topic »

Add to briefcase «««12345»»»

Permissions Expand / Collapse