June 13, 2012 at 5:34 am
Hello.
I'm currently working on a project at work, which is getting into quite a bit of trouble by the choice of using Sql Server BI technologies. Well actually the problem is not completely on SQL Server side, and comes from the decisions taken by the management without consulting us, so we just have to deal with the problem as we can.
So basically to summarize quickly the situation, for some reasons which are of no interest here, they needed to produce reports on some data, and decided to have a contractor produce a proof odf ofcept to check if SQL Server Report Services would be able to achieve what they wanted, which was the case.
After sometime they decided we would need to develop a webportal for accessing the reports, the reason being quite simple the Report Services cannot be used for user authentification, and they wanted a much easier and faster way of handling rights of users.
So basically the idea was to build a quick and not too complicated portal that answers a few basics needs and some maybe a bit less, but that in the end result in sending a query to the Report Server, and giving it the needed arguments for the reports requested. That part is working.
The main reason for this is that there is not a shared and common directory for users, which comes from various part of the company and around the world, and that we won't be creating on our IT infrastructure because though it would be something that can be done it would request more work on our part to manage these accounts, which users could not change their password easily for example.
So well right know all the things we did is working, only we just discovered that doing it the was we did was working only because we are part of the domain that the server is installed within. So what I'm trying to achieve is to find a way to avoid this, and most importantly to not have users loging in a second time.
So I've searched quite a lot already and got to the point to see that first there is no anonymous access, which disappearted with the introduction of the 2008 version, well I found articles on how to do it but that's quite a logn shot, it is not something I wish to do, because I don't know exactly what this solution is doing.
My thought from reading was using HTTP protocol authentication but the problem is that with that enable it still requires a login and password for user outside our domain, or using another browser like Firefox, even when loading an url of the form : http://user:pass@server/... which was the reason I enabled RSWindowBasic Authentication mode but up to no avail.
So my questions are :
1/ Is it possible or I am searching the wrong way?
2/ I've read about Custom Authentication which I might be able to use but Can it be a way to get over this problem somehow? I've tried tosearch a bit this direction too but without finding any concrete samples on what can be done or not with it, and sample code or howtos. If you have any references I'd appreciate it.
Of course if you have any other kind of idea, don't hesiate I'll be glad to take any good idea, and if you need more information I'll provide as much as I can.
Cheers.
June 13, 2012 at 5:40 am
http://www.sqlservercentral.com/Forums/Topic805464-6-1.aspx
The above URL details how to setup annoymous authentication in SSRS 2008, other than that you will need to go down the custom authentication route and call the reportviewer.aspx control using some sort of impersonation.
June 13, 2012 at 7:15 am
Thanks for the answer but first I'm really looking to avoid this extreme way of doing thigs, It really has to be the last options.
As I don't know enough of the impact, and would it work exactly the same way with R2, as from what I see the all setup is meant for 2008, and 2008 R2 might have differences on the dll that has been created for example.
But really I'm more interested in avoiding this.
June 13, 2012 at 7:24 am
If you need authentication for users outside of your domain you have 4 options,
1 - grant each user outside your domain, their own individual domain account
2 - publish 1 generic domain user, to all external users and get them to login to SSRS using that domain account
3 - custom authentication, where you right your own authentication provider, probably using a DB for userid/pwd storage and match the user supplied with the DB, if match then load the reportviewer.aspx control by impersonating a domain user with access to SSRS
4 - annoymous authentication
Do you need to make the users come to SSRS to get the reports? Can you not send them the reports on a schedule via emails?
June 13, 2012 at 8:15 am
okay well.
1/ Our admin do not want of this solution for many reasons, but one of the main being those user would not have a mean to change their passwords, and it would cause more work.
2/ That's a possibility, and actually a bit what we're trying to do, only we don't want to have the user to have to enter login/password, but rather send this authentication directly to the ReportServer in some way.
3/ That's an idea, I'm not against it at all, only thing is to find documentation and samples that would give me the leads to, so I can get the information to begin with. As I've no idea where to start on this point.
4/ I'd like to avoid it, though I've tried going through the process of the link you attached just by curiosity, and I just could not get it work, I went through the process Server starts normally but do not respond at all through the browser.
Yes we need them to go to the SSRS, sending email would have been great, the only thing is that there will be reload of the data quite frequently, but nor regularly, there will be différent reports of use at diffferent time of the year, for some reports they choose an area before execution of the report, and most improtantly each user have different rights and so the reports are the same but with restriction given to the reports by the portal depending on the user rights.
June 13, 2012 at 8:18 am
I create an SQL Authentication user (something like reportUser) and use those credentials for the reports. The website controls which individual's logins get to view which reports, but all reports authenticate to SQL Server using the reportUser account. We use the reportviewer control and a class that authenticates to embed our reports in the web page.
Jared
CE - Microsoft
June 13, 2012 at 8:23 am
1 - could you just not set the accounts to never expire, that way the passwords never need changing?
2 - use something like impersonation where a user clicks the link on a web page and it opens the ssrs link under the context of the single domain account
3 - This might be a good place to start
You will need to build some custom logging to say personX can see reports1,2,3 and personY can see reports4,5,6 as due to impersonation you will be authenticating to the SSRS web services as 1 single user who has access to run all reports.
June 13, 2012 at 8:25 am
SQLKnowItAll (6/13/2012)
I create an SQL Authentication user (something like reportUser) and use those credentials for the reports. The website controls which individual's logins get to view which reports, but all reports authenticate to SQL Server using the reportUser account. We use the reportviewer control and a class that authenticates to embed our reports in the web page.
Let me add to this... So, SSRS itself authenticates to the databases using SQL Server Authentication. We also created a domain user that we added to SSRS for the reports. It is that domain user that is used when passing credentials from the web page to SSRS. It does not matter who logs into the web site, as it does not use their credentials. It ALWAYS uses the DOMAIN\ReportUser credentials when running reports.
Jared
CE - Microsoft
June 13, 2012 at 8:38 am
Well that's is what I've tried to achieve until know. I mean the Portal is running with a user that is actually using a specific domain account so that it can connect to the SQL Server database with that account. So this part is done, and that is a user we have added on the other side.
The only thing is I don't see how I can pass from the IIS/PHP side to the Report Server this impersonation so that it don't ask anything to the user indeed. As more or less there is a break when you shift from one side to the other, that's the gap that I need to fill in somehow.
So more or less how can I give these credentials from the "portal" side to the Report Server side.
June 13, 2012 at 8:53 am
So, I use C#. The report page uses this class:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
public partial class someClassName : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
ReportViewer1.ServerReport.ReportServerCredentials = new ReportServerCredentials("USERNAME", "PASSWORD", "DOMAIN");
}
ReportLabel.Text = ReportViewer1.ServerReport.DisplayName.ToString();
}
protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
{
ReportViewer1.ServerReport.ReportPath = GridView1.SelectedValue.ToString();
GridViewRow row = GridView1.SelectedRow;
ReportLabel.Text = row.Cells[1].Text;
}
}
The object ReportServerCredentials is this:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.Reporting.WebForms;
using System.Security.Principal;
using System.Net;
/// <summary>
/// Local implementation of IReportServerCredentials
/// </summary>
///
public class ReportServerCredentials : IReportServerCredentials
{
private string _userName;
private string _password;
private string _domain;
public ReportServerCredentials(string userName, string password, string domain)
{
_userName = userName;
_password = password;
_domain = domain;
}
public WindowsIdentity ImpersonationUser
{
get
{
// Use default identity.
return null;
}
}
public ICredentials NetworkCredentials
{
get
{
// Use default identity.
return new NetworkCredential(_userName, _password, _domain);
}
}
public bool GetFormsCredentials(out Cookie authCookie, out string user, out string password, out string authority)
{
// Do not use forms credentials to authenticate.
authCookie = null;
user = password = authority = null;
return false;
}
}
Jared
CE - Microsoft
Viewing 10 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply