July 8, 2008 at 9:39 pm
Hi there, I am wondering what sort of security measures do we take into consideration when implementing an ASP web application with a ReportViewer control that points to a SQL Server Reporting Services instance. Right now, the report generates fine even if the users are not in the security under ReportManager. Does the ReportViewer bypass any authentication? As I see it, the only authentication needed is in the DataSource.
I have not tested it in an internet environment yet but so far, anyone can access it within the domain regardless if they have permission or not under ReportManager.
What about considering who can run what report and who can't? Is it ok to implement this sort of logic in the stored procedure that the report calls using the parameters?
What is the standard practice of using the ReportViewer?
edit; I am using SSRS 2008 RC0 and IIS6 ASP.NET2.0 if anyone needs it
Any help is much appreciated
July 9, 2008 at 5:59 am
Report Manager security is just that - security for Report Manager. The Report Server web service does not take that security into account.
You "should" handle security in two layers. First, if you can use NT authentication on the data source, the user would need to have the ability to run any queries the report is based on. Depending on your configuration, this may require Kerberos delegation, but get used to configuring Kerberos - you will have no choice but to learn very soon.
The second layer would be in your application. Now, this could actually use the Report Manager security as you can actually call to the Report Manager web services and check if a user has access to a folder or a report. However, it does not need to use Report Manager security, you just have to implement access to your reports as part of whatever security model you are using in your application.
As far as handling security in your report stored procedure, this would fall into the first section above - don't let the user have execute permissions on the stored procedure and you are done. However, handling security in your application security layer would be much cleaner.
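The application-layer check described in the reply above, as an added example that is not part of the original thread: a C# code-behind that decides whether the current user may see a report before the ReportViewer is pointed at it. The page name, the control ID `ReportViewer1`, the report keys, report paths, role names and server URL are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using Microsoft.Reporting.WebForms;

// Code-behind for a hypothetical Report.aspx whose markup declares
// <rsweb:ReportViewer ID="ReportViewer1" runat="server" />.
public partial class ReportPage : Page
{
    // Constructed sample data: report key -> { server path, required role }.
    // Paths, role names and the server URL are placeholders.
    private static readonly Dictionary<string, string[]> Rules = BuildRules();

    private static Dictionary<string, string[]> BuildRules()
    {
        Dictionary<string, string[]> r =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
        r.Add("sales", new string[] { "/Finance/SalesSummary", @"EXAMPLE\FinanceUsers" });
        r.Add("payroll", new string[] { "/HR/Payroll", @"EXAMPLE\HRManagers" });
        return r;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The caller supplies only a key, never a report path.
        string key = Request.QueryString["report"];
        string[] rule;

        // Runs on every request, postbacks included. Deny by default:
        // unknown key, unauthenticated caller, or caller lacking the role.
        if (key == null || !Rules.TryGetValue(key, out rule) ||
            !User.Identity.IsAuthenticated || !User.IsInRole(rule[1]))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        if (!IsPostBack)
        {
            ReportViewer1.ProcessingMode = ProcessingMode.Remote;
            ReportViewer1.ServerReport.ReportServerUrl =
                new Uri("http://reportserver.example/ReportServer");
            ReportViewer1.ServerReport.ReportPath = rule[0];
        }
    }
}
```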
July 9, 2008 at 3:09 pm
Makes sense.. right now my datasource is connected via an SQL Authenticated account. I heard this is a better solution for a web application; is that ok?
So basically.. regardless of the security in the Report Manager.. This means anyone from the internet can access my report as long as they have access to the page where the ReportViewer is.. Therefore implementing security for the ReportViewer page will be loosely coupled with Reporting Services? (Other than the datasource). It's a matter of accessing the page/reportviewer.. Right?
Thanks a lot 😀
July 10, 2008 at 5:21 am
Yes, that is pretty much it.
If you can, use NT Authentication in your data sources if connecting to SQL Servers. Even if you allow anonymous access to your application in IIS, impersonate the NT login the web page is using and give this user access to the data. Ideally, you want to use the login from the original workstation - so if this is an intranet application, I would try to go that route. Set IIS to use windows authentication and impersonate the user.
People avoid this because unless your web server and SQL Server are on the same server, you will have to configure delegation on the web server. This will mean setting up a couple of SPNs so the web application can authenticate a user. It is a bit of work to figure out the first time you set it up, and you will need help from someone with admin permissions on your Active Directory, but it is the "correct" way to set things up and Windows Server 2008 is really going to require you learn these skills anyway. If you do this, you will be able to configure data access on a user-by-user basis (or ideally through user groups) and actually secure the data rather than just the access method - it's much safer.
July 26, 2008 at 12:07 am
Hi,
You can implement custom security in Report Server. It can be done by making a security extension and deploying that in Report Server. Then you can easily implement role-based security in Report Server from a web client.
For more info visit my blog http://shawindersekhon.blogspot.com
August 1, 2008 at 10:51 am
This topic is making me wonder about a post I put in the Reporting Services forum about Integrated Security. I have no problem deploying reports that use a predefined userid and password, but I'm having problems with a report where the data source is configured for Integrated Security. I can run the report just fine from within Visual Studio, but once deployed, trying to run the report shows the following error:
An error has occurred during report processing.
Cannot create a connection to data source 'OnBaseCustom'.
For more information about this error navigate to the report server on the local server machine, or enable remote errors
The reporting server is NOT the same server as the data source, and my web searches seem to indicate this can be a problem and some kind of Kerberos issue is the problem. I'm not in a position to make changes, but if someone knows exactly what needs to be done, I can at least provide the info I receive to the powers that be and see if they can implement. Any assistance would be greatly appreciated. Thanks!
Steve
(aka smunson)
:):):)