How to encrypt the passowrd for a user accessing the SSRS through a application?

  • Hi,

    We have windows user called ABC\scott. In Report manager, I have added this user and gave the required permissions.

    Now , in the web.config file of the application connecting to the report server, the developer has mentioned as below:

    http://servername/reportserver

    username = scott

    password= xxxxx

    Domain= ABC.

    Now, we do not want to see the PASSWORD visible to everybody and we need to encypt this password.

    How can acheive this? Do I need to do any encryption on SSRS side?

    please advice

  • If I understand you correctly, The user, authenticated or not, can view your Web.config from the browser. In doing so the username and password is exposed. If this is the case, you should out of good practice, go to the Web Server and alter the properties of the Web.config file.

    Under "File Security" edit the Authentication and Access method. Remove the "Anonymous" access and use something like "Integrated Windows Authentication".

    This will produce an error if someone tries to access the file. You can also log such attempts for possible attacks.

    😎

  • I'm also looking for the same...how can we encrypt the password in web.config file

  • To my knowledge you can not encrypt a password in the Web.config file. The question I have is why do you feel you need to? If the file is protected what is the concern? Who do you want to prevent from reading the file?

    For clarity, I am referencing the Password in the Web.config file that would be used by your application to impersonate to run reports. This user/password would be granted "Browser" privileges on the reports via the RSM. The system level user account can be a domain or a local user account.

  • I've used this in the past to encrypt sections of the web.config.

    http://aspnet.4guysfromrolla.com/articles/021506-1.aspx

    Be sure to test in development first.

    We use Kerberos and AD groups, so IIS can impersonate the user. This avoids storing passwords.

    Especially dangerous - the storing of a non-expiring password.

    Note that if you encrypt the web.config, you will have to decrypt to modify or view the password. So if the password does change - most domains expire passwords via policy - you will have additional maintenance.

    Greg E

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply