March 31, 2010 at 3:50 pm
How do I setup SSRS so prompt for credentials instead of automatically authenticating users via domain logins?
We have a hosted SQL server and (what will be) reporting server off of our domain and I'd like to be able to just add individual user accounts to access reports.
Do I need to set up the users as local Windows users on the server or can I just create specific user names and passwords?
Any information (links, etc...) will be appreciated.
Thanks,
John
April 1, 2010 at 8:42 am
I'll try and take this a bit at a time...
How do I setup SSRS so prompt for credentials instead of automatically authenticating users via domain logins?
While this can be an SSRS thing it's mostly an IIS thing coupled with IE settings. Check the IE security settings, depending on what zone the hosted server will be in will depend on which settings you'll need to set (this is on the client machines). The last one in the list is the one dealign with automagically passing the windows credentials. By default this should only be set for the intranet zone, so if your ssrs server is outside of your local intranet zone it won't automatically log on.
Alternatively, you can setup the Datasource to prompt for credentials prior to connecting to the database, but this limits your ability to do subscriptions and such.
We have a hosted SQL server and (what will be) reporting server off of our domain and I'd like to be able to just add individual user accounts to access reports.
Do I need to set up the users as local Windows users on the server or can I just create specific user names and passwords?
If you force the IIS virtual directory to ask for permission (stop allowing annonymous logins) you need to provide the server some way to authenticate the users prior to accessing the pages. This would either be local user accounts on the remote server, or some other method.
Additionally, you'll need to think about future maintenance as users turnover. One way might be a common userid/password that all users use, or all users of a certain type, so that you can segment certain reports from other ones by security. There is a security risk here as anyone who has left the company would still have access to the reports, unless they are locked down by IP ranges or the passwords changed after that person leaves (or both). But think about 5 people leaving within 2 weeks of each other on short notice? It could get problematic. I suppose a jump page from a webserver in the local intranet might work as you could change the passwords at will and force people to use the jump page. The links on the jump page would contain the appropriate credentials to log into SSRS when they are clicked, but not directly exposed to the users.
The most secure (IMO) way would be to create local users on that server and put them into local groups which are mapped to roles on your SSRS instance. You could theoretically setup some type of extract routine via LDAP or some other method which would allow you to extract the user accounts from your active directory and upload them to that server for processing as new accounts, though password resets then become a bit of an issue.
-Luke.
April 1, 2010 at 9:13 am
JohnnyDBA (3/31/2010)
How do I setup SSRS so prompt for credentials instead of automatically authenticating users via domain logins?We have a hosted SQL server and (what will be) reporting server off of our domain and I'd like to be able to just add individual user accounts to access reports.
Do I need to set up the users as local Windows users on the server or can I just create specific user names and passwords?
Any information (links, etc...) will be appreciated.
Thanks,
John
SSRS 2005 is IIS dependent which makes this easy to setup make sure anonymous authentication is disabled then create authorization section in IIS and add your users in it. IIS will use that list to resolve your users. Microsoft have covered most security configurations it is in the SSRS web.config in SSRS folder in Microsoft SQL Server folder. And you may still need the IE settings.
Kind regards,
Gift Peddie
April 1, 2010 at 11:10 am
Thanks for the helpful responses guys. I will look into all suggested solutions and see what I can do.
Much appreciated - John
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply