report server using managed service account or other without using password?

  • We are using SSRS 2019.  And we have some front end .net application that uses report viewer to call reports. So they have username and password embedded in the web configuration file. The password is spelled out. we condider to improve it. Any good options? SSRS server is running using a domain account created in active directory.

    How to make the password not showing in web config but still connect to SSRS server without problem?

    in the webconfig file, the part of username/password is like this:

    <add key="ReportServerUrl" value=" https://myserver.seattleschools.org/ReportServer" />

    <add key="ReportServerLogin" value="sys$myserviceaccount" />

    <add key="ReportServerLoginDomain" value="mydomain" />

    <add key="ReportServerPwd" value="!$myPassword$" />

    <add key="ReportPath" value="product" />

    Thanks

  • My approach would be if you ABSOLUTELY need to use your .NET app for this would be to encrypt the password using some certificate that is on the server running the .net app. If the app needs to run across multiple machines, I'd have the certificate be pushed out by a GPO to all machines that would be running it. Put the cert in the computer store (or the user store... whatever you prefer) and have your app pull the certificate out at runtime and use the cert to decrypt the password. If you want to keep it a little extra secure, do some "magic" on the password before or after decrypting it. For example, when you decrypt the password run a ROT13 algorithm on it then decrypt it with the certificate. ROT13 isn't super secure (not even mildly secure), but without knowledge of you doing that prior to decryption, it would make things harder to decrypt. Only downside is you would need to build up a quick and dirty app to encrypt your password string to store in the web config file for whenever your AD admin updates the password.

    If you want an even easier solution though - store the password inside the .NET app instead of in the web config file. Hard-code the password in. Not good advice mind you as hard-coded passwords are just asking for trouble down the road, especially if your AD admin changes the password.

    The above is all just my opinion on what you should do. 
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there is negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.

  • Thank you, by hard coded in .net application, it still plain password, which does not reach the same purpose.

    I was wondering if SSRS can use managed service account which does not require password, but not sure if managed service account will work for SSRS?

    • This reply was modified 9 months, 1 week ago by  sqlfriend.
  • Quick check with google, SSRS supports managed service accounts:

    https://dba.stackexchange.com/questions/173792/ssrs-and-managed-service-account-impossible-to-configure#:~:text=Yes%20you%20can%20run%20SSRS%20with%20a%20Managed,need%20to%20install%20the%20MSA%20on%20the%20server.

    I personally have not set that up and used it with a .NET app nor with SSRS, but it appears that what you are asking about (MSA) is supported by SSRS.

    I'm not personally sure how you'd make your app work and authenticate without sending across a password...

    The above is all just my opinion on what you should do. 
    As with all advice you find on a random internet forum - you shouldn't blindly follow it.  Always test on a test server to see if there is negative side effects before making changes to live!
    I recommend you NEVER run "random code" you found online on any system you care about UNLESS you understand and can verify the code OR you don't care if the code trashes your system.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply