August 18, 2004 at 12:06 am
Good day. I would just like to ask if it is possible to transmit Windows credentials programmatically when accessing reports through URL. I used Reportviewer.dll and successfully displayed reports but if I were to access it on another computer, it prompts me of a user name and password which I would like to omit.
Thanks in advance.
August 18, 2004 at 9:41 pm
Not through the URL, no. Most of it happens behind the scenes. Here's what basically happens...
1) web client requests a web page
2) Web server send back a response saying authentication is required as well as the methods accepted.
3) If the web client supports one of the methods, it'll either send the credentials automatically (if it knows them) or it prompts the user (what you're experiencing) and then send the credentials
4) The web server receives the credentials and if they are valid it sends a response back to the web client with the page.
With Internet Explorer, you have the ability to set when you send your credentials. Most IE installs have it set where it'll automatically send credentials (meaning Windows credentials) whenever the server is in the intranet zone. You can check this by Tools | Internet Options | Security Tab | Custom button. Scroll down all the way to the bottom where you see User Authentication | Logon. That should tell you how Internet Explorer is set. If the web server is on your network (not across the internet) make sure to select "Automatic logon only in Intranet zone."
Now, the second thing to do is make sure the server is in your intranet zone. Click on the local intranet zone also on the Security tab. Click the Sites button. Click the Advanced button in the new dialog window. Add the web server to the zone. For instance, if reporting.webserver.org is my web server and I connect via HTTP, I'd add http://reporting.webserver.org. If I connect with SSL, I'd add https://reporting.webserver.org. If you need to use HTTP, make sure "Require server verification ( https: ) for all sites in this zone" is NOT checked.
K. Brian Kelley
@kbriankelley
August 19, 2004 at 3:23 am
August 19, 2004 at 5:39 am
Ok. What I am trying to come up is a solution wherein I could setup ReportServer the way that it used to (disallow anonymous access) but if intranet or internet users will access the ReportServer through my application, somehow, the credential part will be bypassed. I could do this with RS Web Service passing the credentials but the output is limited (no toolbars, no parameters etc.). Are there other ways of implementing this? I really do not like my users to provide credentials everytime they use my application nor the admin to configure ReportServer for every window accounts or roles.
Thanks for the help and its greatly appreciated.
August 19, 2004 at 6:55 am
Including the @password is no longer valid with Internet Explorer. It's not in the RFC for HTTP (it is for FTP) and attackers were actually using it to spoof what the web site you thought you were going to was. Patched versions of IE shouldn't allow this any longer.
As far as checking credentials, you have a front-end app connecting to Reporting Services?
K. Brian Kelley
@kbriankelley
August 19, 2004 at 6:15 pm
Yup. I have a front-end application that connects to RS. When I redirect my application to the reports located in ReportServer, it prompts for credentials. I wish to omit that whenever my front-end application accesses the reports in ReportServer.
Viewing 6 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply