July 23, 2009 at 4:55 pm
Hi,
We have a Windows user called ABC\scott. In Report Manager, I have added this user and given the required permissions.
Now, in the web.config file of the application connecting to the report server, the developer has mentioned the following:
http://servername/reportserver
username = scott
password= xxxxx
Domain= ABC.
Now, we do not want the PASSWORD to be visible to everybody and we need to encrypt this password.
How can we achieve this? Do I need to do any encryption on the SSRS side?
Please advise.
July 24, 2009 at 7:44 am
If I understand you correctly, the user, authenticated or not, can view your Web.config from the browser. In doing so, the username and password are exposed. If this is the case, you should, as good practice, go to the Web Server and alter the properties of the Web.config file.
Under "File Security" edit the Authentication and Access method. Remove the "Anonymous" access and use something like "Integrated Windows Authentication".
This will produce an error if someone tries to access the file. You can also log such attempts for possible attacks.
😎
July 24, 2009 at 10:03 pm
I'm also looking for the same... How can we encrypt the password in the web.config file?
July 27, 2009 at 7:21 am
To my knowledge you cannot encrypt a password in the Web.config file. The question I have is why do you feel you need to? If the file is protected, what is the concern? Who do you want to prevent from reading the file?
For clarity, I am referencing the Password in the Web.config file that would be used by your application to impersonate to run reports. This user/password would be granted "Browser" privileges on the reports via the RSM. The system level user account can be a domain or a local user account.
July 28, 2009 at 6:30 am
I've used this in the past to encrypt sections of the web.config.
http://aspnet.4guysfromrolla.com/articles/021506-1.aspx
Be sure to test in development first.
We use Kerberos and AD groups, so IIS can impersonate the user. This avoids storing passwords.
Especially dangerous - the storing of a non-expiring password.
Note that if you encrypt the web.config, you will have to decrypt to modify or view the password. So if the password does change - most domains expire passwords via policy - you will have additional maintenance.
Greg E
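An added example, not part of any post in this thread: encrypting one web.config section with the `aspnet_regiis` tool that ships with the .NET Framework, checking the result, and decrypting again for the maintenance case mentioned above. The site path, the section name (`appSettings`), the framework folder and the worker-process account are assumptions to adjust for your server.

```powershell
# Added example. Run from an elevated prompt on the web server.
param(
    [string]$SitePath     = 'C:\inetpub\wwwroot\ReportApp',   # hypothetical application folder
    [string]$Section      = 'appSettings',                    # assumed section holding the password
    [string]$FrameworkDir = "$env:WINDIR\Microsoft.NET\Framework\v2.0.50727",  # adjust to the installed version
    [string]$AppPoolUser  = 'NT AUTHORITY\NETWORK SERVICE',   # assumed worker-process identity
    [switch]$Decrypt                                          # restore plaintext for maintenance
)
$ErrorActionPreference = 'Stop'
$regiis = Join-Path $FrameworkDir 'aspnet_regiis.exe'
$config = Join-Path $SitePath 'web.config'
foreach ($p in $regiis, $config) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

if ($Decrypt) {
    # -pdf decrypts the named section of the web.config in a physical directory.
    & $regiis -pdf $Section $SitePath
    if ($LASTEXITCODE -ne 0) { throw "Decryption failed (exit code $LASTEXITCODE)" }
    Write-Warning "$Section is plaintext again; re-run without -Decrypt after editing."
    return
}

# Let the worker process read the machine RSA key container used by the default RSA provider.
& $regiis -pa 'NetFrameworkConfigurationKey' $AppPoolUser
if ($LASTEXITCODE -ne 0) { throw "Granting key access failed (exit code $LASTEXITCODE)" }

# -pef encrypts the named section in place; ASP.NET decrypts it transparently at run time.
& $regiis -pef $Section $SitePath -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "Encryption failed (exit code $LASTEXITCODE)" }

# Verify: the section must now carry the provider attribute and an EncryptedData child.
$xml  = [xml](Get-Content $config)
$node = $xml.configuration.$Section
if ($node -isnot [System.Xml.XmlElement] -or
    -not $node.configProtectionProvider -or
    -not $node.EncryptedData) {
    throw "$Section in $config does not look encrypted; inspect the file."
}
Write-Output "$Section in $config is protected by $($node.configProtectionProvider)."
```

The section is encrypted with a key stored on the server, so this hides the password from anyone who only gets a copy of the file; an administrator on that server can still decrypt it.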