SSRS authentication types when users from Domain A are trying to access reports on SSRS server in Domain B when Domain B trusts A...

  • Hello Gurus,

    I need a little help with this one - I think I understand the problem and the solution, but I need some clarification.

    Two domains in two forests. Users are in Domain A, SSRS is now the only thing left in Domain B. One-way Windows trust between the domains - B trusts A with a VPN between the two and all necessary ports open. The trust was created last night to solve many other issues which have been successfully fixed. Now, when users attempt to access SSRS reports on their Domain A machine browsers, they are being told they don't have access with their A domain creds. Well no, of course they don't. All users are set up in the SSRS web page with B domain creds and now something idiotic is going on where the browser or SSRS is trying to plumb in Domain A creds to access content. Annoying. I've added my Domain A creds to the report home page (i.e. DomainA\%username%) but I can't access with them. I can still access with my Domain B creds IF I put something in Windows Credential Manager, to effectively hard code their use into the auth for the page. Trying to access with Domain A creds being transparently SSO'd through to the SSRS web server results in:

    The permissions granted to user 'DOMAINA\%username%' are insufficient for performing this operation.

    Makes complete sense. The SSRS server doesn't know to throw over Domain A creds to a Domain A DC and as far as it's concerned, I'm just trying to SSO in with nonsense creds.

    I get it.

    I DON'T know how to fix it.

    I suspect I need to edit the authenticationtypes values in the .config file, but I don't know which type of auth to use. I suspect RSWINDOWSBASIC but I would ideally like to have TWO domains in there that could be referenced for access - both DOMAIN A and DOMAIN B. Then - really ideally - I would JUST like to reference Domain A for auth, so that when I've been through and manually changed all users' logon details in the SSRS home page from DOMAINB\ to DOMAINA\ (sigh), they all get transparently SSO'd into their reports, based on their DOMAIN A creds and their DOMAIN A access.

    This

    https://msdn.microsoft.com/en-us/library/ms157273.aspx#bkmk_Authentication

    is hurting my brain.

    Any assistance appreciated!

    Cheers

    Alastair

    UPDATE - If I add

    <RSWindowsBasic>
        <LogonMethod>3</LogonMethod>
        <Realm>site</Realm>
        <DefaultDomain>DOMAINA.local</DefaultDomain>
    </RSWindowsBasic>

    I do get a challenge for a password and I CAN log in with my DOMAIN A cred - I CAN'T log in with an incorrect password and I CAN'T log in with a nonexistent account on DOMAIN A, so I know that the DOMAIN A DC is being queried for the auth...but I get the same error when I try to access the HOME page

    The permissions granted to user 'DOMAINA\USER' are insufficient for performing this operation.

    even though I'm a systems admin...
