RS SOLUTION - Logon failure: unknown user name or bad password. (Exception from HRESULT: 0x8007052E)

Jacob Luebbers
A quick quote from BOL (Specifying Credential and Connection Information):

BOL

When sending a connection request over the network, the report server will either impersonate a user account or the unattended execution account.


What type of auth are you using in your connection strings in the data source(s) for your reports? If you're using Integrated Security (aka Windows Authentication), your connection from your RS server to your DB server will be done with your users' Windows credentials or the unattended exec account. Unless you've got your RS server, DB server and their service accounts correctly configured for Kerberos delegation, the "2nd hop" from RS server to DB server is going to come through as anonymous, and most likely fail unless you've granted anonymous permissions (e.g. "public") to your report procs/queries.

What credentials do you have set up on the RS server for the unattended execution account? Are they by any chance your own credentials (using your old, previous password)?

This is a non-issue if you are using SQL logins in your data source connection strings. It's also not an issue when you are running the reports on your own box in BIDS, as they are executing on the local machine and only making one hop to the DB server. When your Kerberos config is set up incorrectly this works (crappy ASCII diagram alert):

local report running in BIDS ---[WindowsAuth]---> DB server

and this doesn't:

user's browser on their PC ---[WindowsAuth]---> your RS server ---[anonymous]---> DB server

This BOL page should also be useful: Configuring Authentication for Reporting Services

Regards,

Jacob
Ben Sullins-437405
As I stated in an earlier post, if you set up your data source so it uses the 'Credentials stored securely in the report server' option and you provide a domain account with the 'Use as Windows credentials when connecting to the data source' box checked, you should be good, assuming the permissions on the database are set up properly.

This doesn't require the 2nd hop that Jacob is describing and is generally how I've always configured my shared data sources. If you're pointing to an isolated SQL instance you could also run profiler and see what kind of requests are coming in.

Hope this helps!


Cheers,

Ben Sullins
bensullins.com
Beer is my primary key...
rholt-710769
OK - I'm sort of understanding this, but would the fact that I have RS loaded & running on my PC constitute a 2nd hop or just a single hop to the SQL Server?
Everything except the SQL & SP (which are both on the SQL Server) is on my personal PC. (I will be moving it off to a Reports Server probably within the week.)

Jacob - this link didn't work: Configuring Authentication for Reporting Services

So... I think we're in agreement that since I eventually want others to be able to run these reports, an "Execution Account" is the way to go. I had an Account Name:
ReportExecution
and on the SQL Server under Security/Login I created the login:
ReportExecution
with the same password I used on the RS Config Mgr under Execution Account.
Should I NOW go into Active Directory & create a UserProfile named
ReportExecution
with that same password??????


Ben Sullins (4/15/2008)
As I stated in an earlier post, if you set up your data source so it uses the 'Credentials stored securely in the report server' option and you provide a domain account with the 'Use as Windows credentials when connecting to the data source' box checked, you should be good, assuming the permissions on the database are set up properly.

This doesn't require the 2nd hop that Jacob is describing and is generally how I've always configured my shared data sources. If you're pointing to an isolated SQL instance you could also run profiler and see what kind of requests are coming in.

Hope this helps!

Ben Sullins-437405
If you set up the data source to use a domain account, the execution account won't be used. The execution account is for unattended operations, such as sending an email via subscription, writing a file to a file share, etc... not used by the data source...


Cheers,

Ben Sullins
bensullins.com
Beer is my primary key...
Jacob Luebbers
rholt (4/16/2008)
OK - I'm sort of understanding this, but would the fact that I have RS loaded & running on my PC constitute a 2nd hop or just a single hop to the SQL Server?
Everything except the SQL & SP (which are both on the SQL Server) is on my personal PC. (I will be moving it off to a Reports Server probably within the week.)


That would be one hop, and therefore Kerberos delegation wouldn't be needed. I thought you were saying that it worked fine on your box with BIDS, but was failing once you deployed it to your RS server... or do I have it wrong?


Jacob - this link didn't work: Configuring Authentication for Reporting Services


Sorry - those two links only seem to work if you copy-and-paste them into a new browser window. They will open your local BOL. Here's an online version of them:
http://msdn2.microsoft.com/en-us/library/ms160330.aspx
http://msdn2.microsoft.com/en-us/library/bb283249.aspx.


So... I think we're in agreement that since I eventually want others to be able to run these reports, an "Execution Account" is the way to go.


Not really - an execution account is not for that purpose. As Ben just mentioned, it's only intended for things like subscription emails, external network access, etc. It will be used for your data source connections if you haven't provided valid credentials otherwise, but it's much better to use either passthrough Windows credentials from your users (and thus Kerberos delegation is required), Windows credentials stored securely on the server or a native SQL login for your connection string in your data sources.

Regards,

Jacob
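
Added example, not part of any post in this thread: a query to run on the DB server while a report executes, showing which of the credential options discussed above (pass-through Windows credentials, Windows credentials stored on the report server, a SQL login, or the execution account) a data source connection actually arrived with. The host name RSSERVER01 is a placeholder for the report server, and the caller is assumed to hold VIEW SERVER STATE.

```sql
-- Added example: inspect how the report server's connections authenticated.
-- RSSERVER01 is a placeholder; replace it with the report server's host name.
-- host_name is reported by the client, so cross-check client_net_address.
SELECT  s.session_id,
        s.login_time,
        s.login_name,          -- whose identity SQL Server accepted
        s.host_name,
        s.program_name,
        c.client_net_address,
        c.net_transport,
        c.auth_scheme,         -- KERBEROS, NTLM or SQL
        CASE c.auth_scheme
            WHEN 'KERBEROS' THEN 'Windows login, Kerberos (required for a delegated end-user identity)'
            WHEN 'NTLM'     THEN 'Windows login, NTLM (no Kerberos ticket was used)'
            WHEN 'SQL'      THEN 'SQL login supplied by the data source'
            ELSE 'Other'
        END AS how_it_authenticated
FROM    sys.dm_exec_sessions    AS s
JOIN    sys.dm_exec_connections AS c
        ON c.session_id = s.session_id
WHERE   s.is_user_process = 1
  AND   s.host_name = N'RSSERVER01'
ORDER BY s.login_time DESC;

-- Reading login_name against the options in the thread:
--   the end user's own domain account   -> pass-through credentials, delegation is working
--   the domain account stored in the
--   data source                         -> "Credentials stored securely in the report server"
--   a SQL login                         -> SQL authentication in the data source
--   the unattended execution account    -> no other valid credentials were supplied
```

A failed second hop never creates a session, so it will not appear in this result; it shows up in the SQL Server error log as a failed login for the anonymous account instead.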
tima-752971
Worked for me, too. I had a typo in my Execution Account user name. This tip showed me where to start looking. Cheers
bipindra
Thanks for this tip.

Bipin
skumarv
Wonderful solution.

This really worked.

Thanks.
sarkar.sumanta
Many thanks - this worked :-)
Sanjay Rama Swamy
I had the same problem... if anyone can help me out, it's appreciated.