April 14, 2008 at 10:37 am
Yeah so if you're data set(s) read directly from the database then you need to make sure the account you're using has db_datareader on whatever DB's it is reading from. If you're calling a stored proc (recomended) then the user account must have execute privileges on the stored proc and must also be a db_datareader in the databases from which the stored proc calls.
Hope this helps!
Ben Sullins
bensullins.com
Beer is my primary key...
April 14, 2008 at 11:07 am
i did what you recommended... - I also went into the Props of the SP & added "reportexecution" to the list of execution users for the sp. still the same problem.
i went back to the Report Mgr and changed the Props of the Data Sources to use "Credentials supplied by the user running the report". Since i am a System Administrator so i SHOULD have permissions all over the place, i am the owner/creator of the SP, i can run the report in BIDS, yet i still get this 8007052E error.
i appreciate your patience here. this is my company's first foray into Reporting Services; I see the Potential of things that can be done over our present Crystal Reports and i just want to start moving along with this.
Ben Sullins (4/14/2008)
Yeah so if you're data set(s) read directly from the database then you need to make sure the account you're using has db_datareader on whatever DB's it is reading from. If you're calling a stored proc (recomended) then the user account must have execute privileges on the stored proc and must also be a db_datareader in the databases from which the stored proc calls.Hope this helps!
April 15, 2008 at 3:25 am
Ben Sullins (4/14/2008)
Yeah so if you're data set(s) read directly from the database then you need to make sure the account you're using has db_datareader on whatever DB's it is reading from. If you're calling a stored proc (recomended) then the user account must have execute privileges on the stored proc and must also be a db_datareader in the databases from which the stored proc calls.
Not to take away from what Ben is saying, but watch out with this. db_datareader grants select permissions to all tables and views in the database. For most environments this is not appropriate, especially if you are granting users access via their Windows logins. It's just asking for someone to steal your data - a least permissive model with only EXEC on reporting procs and minimal direct SELECT access to tables/views is generally better.
Regards,
Jacob
April 15, 2008 at 3:32 am
@rholt:
It sounds like you may be running into a Kerberos delegation issue. Are your RS server and the source DB server running on different boxes? If so you may not have your RS server setup to correctly delegate the users' credentials to the DB server, so that final "2nd hop" connection is coming through as anonymous. This has been discussed a few times in various threads, the latest I recall was in a linked server context here. aureolin posted a link partway through the thread (http://msdn2.microsoft.com/en-us/library/aa905162(SQL.80).aspx) that gives you the details on correctly configuring your servers.
Regards,
Jacob
April 15, 2008 at 7:24 am
Point well taken, Jacob. for now, i am the sole recipient of all reports run through RS, but i will close down what i need to before i allow others to run them.
Russ
Not to take away from what Ben is saying, but watch out with this. db_datareader grants select permissions to all tables and views in the database. For most environments this is not appropriate, especially if you are granting users access via their Windows logins. It's just asking for someone to steal your data - a least permissive model with only EXEC on reporting procs and minimal direct SELECT access to tables/views is generally better.
Regards,
Jacob[/quote]
April 15, 2008 at 7:35 am
Jacob, yes, i'm running RS on my PC and grabbing reports created here, but using data (in this case a SP running on a SQL Cluster (but both on the same Domain). now, (i've done a lot of internet searching) Yesterday afternoon i went into RS Config Mgr & under "Execution Account" i unchecked the box labelled: "Specify an Execution Account" and my reports started working. this is NOT the route i wish to travel. My feelings are that, yes, there is something blocking my request for the SP to run on the SQL Cluster Node when using the ReportExecution Account. i don't know where to go on the SQL server to enable that authority. i believe i have it correctly taken care of within SQL under Security/Logins, could it be that i need to do something with the MS-Server2003 permissions?
Russ
Jacob Luebbers (4/15/2008)
@rholt:It sounds like you may be running into a Kerberos delegation issue. Are your RS server and the source DB server running on different boxes? If so you may not have your RS server setup to correctly delegate the users' credentials to the DB server, so that final "2nd hop" connection is coming through as anonymous. This has been discussed a few times in various threads, the latest I recall was in a linked server context here. aureolin posted a link partway through the thread (http://msdn2.microsoft.com/en-us/library/aa905162(SQL.80).aspx) that gives you the details on correctly configuring your servers.
Regards,
Jacob
April 15, 2008 at 6:12 pm
A quick quote from BOL (Specifying Credential and Connection Information):
BOL
When sending a connection request over the network, the report server will either impersonate a user account or the unattended execution account.
What type of auth are you using in your connection strings in the data source(s) for your reports? If you're using Integrated Security (aka Windows Authentication) your connection from your RS server to your DB server will be done with your users' Windows credentials or the unattended exec account. Unless you've got your RS server, DB server and their service accounts correctly configured for Kerberos delegation the "2nd hop" from RS server to DB server is going to come through as anonymous, and most likely fail unless you've granted anonymous permissions (eg "public") to your report procs/queries.
What credentials do you have setup on the RS server for the unattended execution account? Are they by any chance your own credentials (using your old, previous password)?
This is a non-issue if you are using SQL logins in your data source connection strings. It's also not an issue when you are running the reports on your own box in BIDS as they are executing on the local machine and only making one hop to the DB server. When your Kerberos config is setup incorrectly this works (crappy ASCII diagram alert):
local report running in BIDS ---[WindowsAuth]---> DB server
and this doesn't:
user's browser on their PC ---[WindowsAuth]---> your RS server ---[anonymous]---> DB server
This BOL page should also be useful: Configuring Authentication for Reporting Services
Regards,
Jacob
April 15, 2008 at 6:37 pm
As I stated in an earlier post if you setup your data source so it uses the 'Credentials stored securely in the report server' option and you provide a domain account and the 'Use as Windows credentials when connecting to the data source' box checked you should be good. Assuming the permissions on the database are setup properly.
This doesn't require the 2nd hop that Jacob is describing and is generally how I've always configured my shared data sources. If you're pointing to an isolated SQL instance you could also run profiler and see what kind of requests are coming in.
Hope this helps!
Ben Sullins
bensullins.com
Beer is my primary key...
April 16, 2008 at 7:23 am
ok - i'm sort of understanding this, but would the fact that I have RS loaded & running on my PC constitute a 2nd hop or just a single hop to the SQL Server?
Everything except the SQL & SP (which are both on the SQL Server) is on my personal PC. (i will be moving it off to a Reports Server probably within the week).
Jacob - this link didn't work: Configuring Authentication for Reporting Services
so... i think we're in agreement that since i eventually want others to be able to run these reports, an "Execution Account" is the way to go. i had an Account Name:
ReportExecution
and on the SQL Server under Security/Login i created the login:
ReportExecution
with the same password i used on the RS Config Mgr under Execution Account.
should i NOW go into Active Directory & create a UserProfile named
ReportExecution
with that same password??????
Ben Sullins (4/15/2008)
As I stated in an earlier post if you setup your data source so it uses the 'Credentials stored securely in the report server' option and you provide a domain account and the 'Use as Windows credentials when connecting to the data source' box checked you should be good. Assuming the permissions on the database are setup properly.This doesn't require the 2nd hop that Jacob is describing and is generally how I've always configured my shared data sources. If you're pointing to an isolated SQL instance you could also run profiler and see what kind of requests are coming in.
Hope this helps!
April 16, 2008 at 9:13 am
If you setup the data source to use a domain account the execution account won't be used. The execution account is for unattended operations, such as sending an email via subscription, writing a file to a file share, etc...not used by the data source...
Ben Sullins
bensullins.com
Beer is my primary key...
April 16, 2008 at 5:38 pm
rholt (4/16/2008)
ok - i'm sort of understanding this, but would the fact that I have RS loaded & running on my PC constitute a 2nd hop or just a single hop to the SQL Server?Everything except the SQL & SP (which are both on the SQL Server) is on my personal PC. (i will be moving it off to a Reports Server probably within the week).
That would be one hop, and therefore Kerberos delegation wouldn't be needed. I thought you were saying that it worked fine on your box with BIDS, but was failing once you deployed it to your RS server... or do I have it wrong?
Jacob - this link didn't work: Configuring Authentication for Reporting Services
Sorry - those two links only seem to work if you copy-and-paste them into a new browser window. They will open your local BOL. Here's an online version of them:
http://msdn2.microsoft.com/en-us/library/ms160330.aspx
http://msdn2.microsoft.com/en-us/library/bb283249.aspx.
so... i think we're in agreement that since i eventually want others to be able to run these reports, an "Execution Account" is the way to go.
Not really - an execution account is not for that purpose. As Ben just mentioned it's only intended for things like subscription emails, external network access, etc. It will be used for your data source connections if you haven't provided valid credentials otherwise, but it's much better to use either passthrough Windows credentials from your users (and thus Keberos delegation is required), Windows credentials stored securely on the server or a native SQL login for your connection string in your data sources.
Regards,
Jacob
July 8, 2008 at 7:56 pm
Worked for me, too. I had a typo in my Execution Account user name. This tip showed me where to start looking. Cheers
November 14, 2008 at 5:12 pm
Thanks for this tip.
Bipin
March 17, 2009 at 8:44 am
Wonderful solution.
This really worked.
Thanks.
April 23, 2009 at 5:12 am
Many Thanks - This worked 🙂 🙂
Viewing 15 posts - 16 through 30 (of 41 total)
You must be logged in to reply to this topic. Login to reply