Press "Enter" to skip to content

Month: January 2015

Dirty tricks in SSRS authentication

Configuring SSRS authentication to IIS can be a pain, here are some things I have done in a pinch, and almost all of them are terrible, but if you repeatedly get a 401 unauthorized with SSRS, these might be able to help.

SSRS native mode on one domain, IIS on another – DMZ

In this mode, you are normally advised to implement basic authentication, and just pass a username and password in… in some instances you may be unable to use basic, and are forced to use NTLM.

In this situation a simple method to bypass this is to create a local user on both boxes with the same password, and have that user be the one the report server grants access to, and which user is running the web server process.

Make sure this password is strong, and doesn’t change.

SSRS native mode, same domain, IIS running as local system

In some cases you may find that the system is configured to run the IIS process as local system (generally not recommended). If this is the case, you can actually grant the entire computer name in the report server permissions via its hostname and a dollar sign.

Example:

MachineHostname$

Additional Troubleshooting for Native Mode

  • Enable the HTTP log for the report server , it can help enormously to isolate what’s being accessed, where, when, and sometimes who.
  • Double check each report folder in the hierarchy’s permissions for your user, while you may think you have permission, its quite possible you don’t and that someone overrode the parent permissions.
  • If you get a FORBIDDEN message instead of an unauthorized, the user you are trying to run the report as may need escalated permissions on the SSRS application directory itself (on the SQL Server).
  • When all else fails you can grant Browser permission to “Everybody”, but be aware that means anyone can request information from your reports, and is a really really really bad idea. (If it doesn’t work, that means you are not even making the request from the same domain)